Sound corporate governance. Transparency. Accountability to stakeholders. Superior enterprise risk management system. Internal control over financial reporting. Healthy financial condition.
The list of responsibilities for financial institutions goes on and on. Of course, it’s for good reason. A bank exposed to risk can impact thousands (if not hundreds of thousands) of lives.
The customers who use bank services on a regular basis have an unwavering belief in the security of the bank. Investors rely on banks to practice sound, risk-based decision-making. And staff members representing the bank expect their team to forge a reputation built on trustworthiness and stability.
The quality and effectiveness of a financial institution’s internal control system directly correlate with the soundness of the bank’s operations and ability to reduce risk to the lowest possible levels. Because internal controls are so heavily relied upon, the internal audit process plays a significant role within the organization.
Just as a quarterback relies on his front line to protect him from the 300-pound lineman bearing down, the board and bank management expect the internal audit department to have their backs when it comes to control risk and an unwanted sack from an external auditor.
What does an internal audit do in a bank?
Within the infrastructure of a financial institution, the board of directors and senior management hold the highest degree of obligation regarding internal controls. Not only must they develop and implement the internal control structure, but they are also required to monitor the controls, making sure they’re being used as they were designed.
A primary audit objective is to evaluate the control environment within the organization.
Ask any player, and they’ll tell you locker room morale often dictates how well a team plays on the field. It’s the responsibility of the coaching staff to determine the tone in the locker room, inspiring the team to execute the plays they practice week after week. So it is with a bank’s management and board of directors. They’re responsible for creating the tone at the top regarding the adoption and belief in the value of control activities.
The established control environment can also impact the effectiveness of an audit program.
What do you check in a bank audit?
During a bank audit, internal audit functions as both the offensive and the defensive line for the bank’s team.
On the offensive side, audit staff will:
- Identify general operations and specific internal controls that need improvement
- Verify compliance and confirm policies and procedures are up-to-date with any recent changes to laws and regulations
- Review the adequacy of risk management strategies
- Offer objective insight concerning the organization’s control environment
On the defensive side, audit activities include:
- Testing control activities for their effectiveness in mitigating risks in at least three major risk areas: credit risk, market risk, and operational risk
- Uncovering potential cybersecurity risks posed by new developments in information technology systems and associated risks
- Operating independently of all other bank functions to avoid conflict of interest and allow for in-depth scrutiny of processes susceptible to internal fraud
What is an internal audit checklist?
As part of the internal audit program, an internal audit checklist is a tool used by an auditor that’s as invaluable as a coach’s playbook. The checklist helps audit staff stay on track and ensures the audit plan is followed, leaving nothing uncovered.
What is included in an internal audit checklist for banks?
Audit activities vary based on the size of the bank, the risk profile, and the scope of an individual institution’s activities. An internal bank audit provides evaluations of the effectiveness of the internal control system, daily bank activities, and accounting systems.
Applying generally accepted auditing standards (GAAS), an internal audit checklist for banks covers:
- Internal controls over financial reporting
- Balance sheet audit
- Deposit operations
- Financial statement audit
- General ledger reconciliation
- Cash and due-from account reconciliation
- FDIC compliance information and documentation
- Liquidity risk management
- Lending practices and adherence to fair lending regulations
- Bank forms and documentation review
- Customer transactions review
- Credit card administration and security policies and procedures to name a few.
With so many possible formations, an internal audit checklist for banks could end up being reams of pages long.
How do you prepare an internal audit checklist?
Before developing a checklist, the audit committee, together with the board of directors and bank management, discuss and agree on the overall audit plan. The audit program typically breaks up the processes to be audited into manageable chunks, with the goal of the entire audit program being completed by year-end.
The best game strategies begin with the team discussing their opponents and identifying the players who present the biggest threat on the field. To determine the scope of an audit checklist, audit staff (often the audit manager) conduct internal control risk assessments for specific banking activities and associated risks. The internal audit checklist for bank processes is created based on the findings from the risk assessment.
When created according to best practices, an audit checklist allows the internal auditor to record findings, then easily prepare an audit report. Like studying game film after a loss, an internal auditor can review a comprehensive audit checklist to make suggestions for corrective actions should any control deficiencies be identified.
Financial institutions are highly regulated organizations. The amount of required internal audit work is enormous and complicated. Not only do auditors need to be proficient in audit procedures and understanding internal control systems, but they also need to be compliance experts.
The automation of the internal audit checklist for banks has helped many institutions streamline the internal audit function, allowing for more accurate, timely, and risk-based internal auditing.