January 27, 2013

From the Board of Governors of the Federal Reserve System, a Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing (January 23, 2013).

There are several provisions relating to internal audit’s role in auditing risk management and governance which I found interesting and helpful.

I would disagree with the discussion which appears to assign board oversight of risk management to the audit committee. Risk or uncertainty management should be an activity of the overall board function – of course I don’t disagree with delegating initial or concentrated oversight to a board committee like the audit committee (assuming that the audit committee has the time) or a risk committee, with the committee reporting to the full board for input, questions, evaluation and oversight.

The following are select provisions from the Supplemental Policy Statement relating to risk management and governance – and they got me to wondering: how are we doing on the status of achievement?

This policy statement is being issued by the Federal Reserve to supplement the guidance in the 2003 Interagency Policy Statement on the Internal Audit Function and its Outsourcing. . . . As a result of the supervisory experience during and following the recent financial crisis, Federal Reserve staff identified areas for improving regulated institutions’ internal audit functions. This supplemental policy statement addresses the characteristics, governance, and operational effectiveness of an institution’s internal audit function.

The degree to which an institution implements the internal audit practices outlined in this policy statement will be considered in the Federal Reserve’s supervisory assessment of the effectiveness of an institution’s internal audit function as well as its safety and soundness and compliance with consumer laws and regulations. Moreover, the overall effectiveness of an institution’s internal audit function will influence the ability of the Federal Reserve to rely upon the work of an institution’s internal audit function.

1. Enhanced Internal Audit Practices

An institution’s internal audit function should incorporate the following enhanced practices into its overall processes:

A. Risk Analysis

Internal audit should analyze the effectiveness of all critical risk management functions both with respect to individual risk dimensions (for example, credit risk), and an institution’s overall risk management function. The analysis should focus on the nature and extent of monitoring compliance with established policies and processes and applicable laws and regulations within the institution as well as whether monitoring processes are appropriate for the institution’s business activities and the associated risks.

C. Challenging Management and Policy

Internal audit should challenge management to adopt appropriate policies and procedures and effective controls. If policies, procedures, and internal controls are ineffective or insufficient in a particular line of business or activity, internal audit should report specific deficiencies to senior management and the audit committee with recommended remediation. Such recommendations may include restricting business activity in affected lines of business until effective policies, procedures, and controls are designed and implemented. Internal audit should monitor management’s corrective action and conduct a follow-up review to confirm that the recommendations of both internal audit and the audit committee have been addressed.

E. Risk Tolerance

Internal audit should understand risks faced by the institution and confirm that the board of directors and senior management are actively involved in setting and monitoring compliance with the institution’s risk tolerance limits. Internal audit should evaluate the reasonableness of established limits and perform sufficient testing to ensure that management is operating within these limits and other restrictions.

F. Governance and Strategic Objectives

Internal audit should evaluate governance at all management levels within the institution, including at the senior management level, and within all significant business lines. Internal audit should also evaluate the adequacy and effectiveness of controls to respond to risks within the organization’s governance, operations, and information systems in achieving the organization’s strategic objectives. Any concerns should be communicated by internal audit to the board of directors and senior management.

2. Internal Audit Function (Part I of the 2003 Policy Statement)

The primary objectives of the internal audit function are to examine, evaluate, and perform an independent assessment of the institution’s internal control system, and report findings back to senior management and the institution’s audit committee. An effective internal audit function within a financial institution is a vital means for an institution’s board of directors to maintain the quality of the internal control environment and risk management systems.

The guidance set forth in this section supplements the existing guidance in the 2003 Policy Statement by strongly encouraging internal auditors to adhere to professional standards, such as the IIA guidance. Furthermore, this section clarifies certain aspects of the IIA guidance and provides practices intended to increase the safety and soundness of institutions.

B. Corporate Governance Considerations

Board of Directors and Senior Management Responsibilities

The board of directors and senior management are responsible for ensuring that the institution has an effective system of internal controls. As indicated in the 2003 Policy Statement, this responsibility cannot be delegated to others within the institution or to external parties. Further, the board of directors and senior management are responsible for ensuring that internal controls are operating effectively.

Audit Committee Responsibilities

An institution’s audit committee is responsible for establishing an appropriate internal audit function and ensuring that it operates adequately and effectively. The audit committee should be confident that the internal audit function addresses the risks and meets the demands posed by the institution’s current and planned activities. Moreover, the audit committee is expected to retain oversight responsibility for any aspects of the internal audit function that are outsourced to a third party.

The audit committee should provide oversight to the internal audit function. Audit committee meetings should be on a frequency that facilitates this oversight and generally should be held four times a year at a minimum, with additional meetings held by audit committees of larger financial institutions. Annually, the audit committee should review and approve internal audit’s charter, budget and staffing levels, and the audit plan and overall risk-assessment methodology. The committee approves the CAE’s [chief audit executive’s] hiring, annual performance evaluation, and compensation.

The audit committee and its chairperson should have ongoing interaction with the CAE separate from formally scheduled meetings to remain current on any internal audit department, organizational, or industry concerns. In addition, the audit committee should have executive sessions with the CAE without members of senior management present as needed.

The audit committee should receive appropriate levels of management information to fulfill its oversight responsibilities. At a minimum, the audit committee should receive the following data with respect to internal audit:

• Audit results with a focus on areas rated less than satisfactory;

• Audit plan completion status and compliance with report issuance timeframes;

• Audit plan changes, including the rationale for significant changes;

• Audit issue information, including aging, past-due status, root-cause analysis, and thematic trends;

• Information on higher-risk issues indicating the potential impact, root cause, and remediation status;

• Results of internal and external quality assurance reviews;

• Information on significant industry and institution trends in risks and controls;

• Reporting of significant changes in audit staffing levels;

• Significant changes in internal audit processes, including a periodic review of key internal audit policies and procedures;

• Budgeted audit hours versus actual audit hours;

• Information on major projects; and

• Opinion on the adequacy of risk management processes, including effectiveness of management’s self-assessment and remediation of identified issues (at least annually).

Role of the Chief Audit Executive

In addition to communicating and reporting to the audit committee on audit-related matters, the CAE is responsible for developing and maintaining a quality assurance and improvement program that covers all aspects of internal audit activity, and for continuously monitoring the effectiveness of the audit function. The CAE and/or senior staff should effectively manage and monitor all aspects of audit work on an ongoing basis, including any audit work that is outsourced.

