In recent years, many failures of community banks and other organizations have been attributed to a breakdown in core internal controls and the resulting increase in operational risk. Whether your institution is a larger organization with growth plans and riskier lines of business, or a smaller organization that has difficulty segregating duties or maintaining expertise in specialized areas, it is critical to assess risks and controls to assure they are effective for the culture and business mix of the institution.
From a regulatory perspective, risk is the potential that events, expected or unanticipated, may have an adverse impact on the bank’s capital or earnings. To control risk and mitigate its impact on financial performance, all regulated institutions must have risk management systems that identify, measure, control, and monitor risks.
The board of directors must take steps to ensure that its risk management system is tailored to its specific needs and circumstances. Effective risk management requires an informed board, capable management, and appropriate staffing. It is critical that the board use management reports and other information systems to stay well informed and to assess risk within an institution.
Control Risk Assessment
To manage risk, institutions must first identify it, measure it accurately, and ensure that appropriate risk management, controls, and reporting systems are in place before the risks lead to problems for the institution. Managers should identify the risks inherent in the businesses and processes they manage, and determine what level of risk exposure is appropriate in light of the organization’s strategic goals. The effect of mitigating controls and monitoring processes on the inherent risks should be evaluated to determine whether they are effective in achieving the designated level of residual risk. Consideration should also be given to expected changes in the institution’s business plan and whether new controls, or changes to existing controls, are needed to manage that level of risk.
Assessments should be routed upward within the institution to each level of management, with each successive level considering the risks and controls across its broader area of responsibility. Ultimately, the results of the risk assessment process should be reported to the audit committee of the board of directors, to assure more effective corporate governance and communication among managers, and with the board, about the institution’s risk appetite, risk exposures, and risk controls. Periodically, and at least annually, the risk assessment should be updated to assure continued effective risk identification, assessment, and management.
Risk-Based Audit
Senior management is responsible for establishing and maintaining a system of internal controls within the financial institution. The board of directors or its audit committee is responsible for setting the tone regarding the institution’s risk level and risk-taking, and for establishing an effective monitoring program. This includes assuring and validating that the internal control processes are effective. Regulators expect each regulated financial institution to have an internal audit function appropriate to its size and to the nature and scope of its activities. Internal auditors are responsible for providing assurance to management and the board of directors that internal controls are in place to manage or mitigate identified risks. A dedicated, independent, objective, and effective internal audit activity assists both management and the board in fulfilling their responsibilities to shareholders and other constituencies.
The audit program should be based on the internal control risk assessment completed by management. The schedule of work to be performed should follow this risk assessment, with priority given to the areas with higher risk ratings. Other areas may become high risk based on prior or subsequent significant audit findings or regulatory findings, or if it is otherwise determined that the area has problems managing the risks in its business line or processes.
Whether the audit resources needed to carry out the audit program are employed by the organization or retained under an outsourcing arrangement, the internal audit function is responsible for independently and objectively determining whether risks are identified and measured appropriately, and for reviewing and evaluating the bank’s activities to maintain or improve the efficiency and effectiveness of its risk management, internal controls, and corporate governance.
The results of independent reviews of operating areas should be routinely reported to executive management and the board of directors. Reports should provide information on matters of concern, identify related risks, and provide management with recommendations for improvements.
Contact us for more information on how we might assist you with your internal audit initiative. From risk assessment to the conduct of internal audits that meet your scope requirements, we can tailor a program to your needs. Please contact Jackie Roesser, Senior Consultant and Manager of Internal Audit Services, at 1.800.525.9775 or by email.