Internal/External Audits
Joint World Bank/Federal Reserve System Seminar for Senior Bank Supervisors
Arthur Lindo
Federal Reserve Board

Presentation Topics
• Internal Audit, Corporate Governance and Controls
• The Role of External Audit in Banking Supervision

Internal Audit, Corporate Governance and Controls
• Effective internal control is a foundation of safe and sound banking organizations
  • Board of Directors and Senior Mgmt. are responsible for effective internal controls
• Internal audit provides Directors & Mgmt. with vital information on
  • Control effectiveness & operational efficiency
  • Efforts may contribute to control certifications under Sarbanes

Internal Audit, Corporate Governance and Controls
• Direct lines of communication and reporting are needed to Audit Committee
  • Audit committee should approve scope of IA activities, provide needed funding & oversight

Internal Audit, Corporate Governance and Controls
• Primary Responsibility (SCARE)
  • Safeguarding of Assets
  • Compliance with policies, plans, procedures, laws and regulations
  • Accomplishment of established objectives and goals for operations or programs
  • Reliability and integrity of financial information

US Internal Control Standards
• COSO - Internal audit is part of ongoing monitoring of the internal control system
• COSO provides reasonable assurance based on the following objectives:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting

US Internal Control Standards
• COSO framework identifies five elements of a system of internal control
  • Control environment
  • Risk Assessments
  • Control Activities
  • Information and Communication

FDICIA 112 Requirements for Management
• Applies to banks with assets over $500M
• Management assessment of internal controls over financial reporting
  – management must state its responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting and
  – annually assess the effectiveness of the internal control structure and procedures for financial reporting

FDICIA 112 Requirements for Management
• Management assessment of internal controls over insider loans and dividend restrictions
• Requires mgmt to obtain an external audit
• Other requirements
  • Affects composition of bank audit committees

Sarbanes-Oxley Act of 2002
Impact on Internal Audit
• Management assessment of internal controls
  • extends the FDICIA 112 management assessment to all publicly traded companies
    – Applies to both domestic and foreign companies listed on US stock exchanges
  • publicly traded banks with assets of $500 million or more have applied this approach under FDICIA section 112 for past ten years

Sarbanes-Oxley Act of 2002
Other Impacts on Internal Audit
• Quarterly certification by CEO/CFO on significant changes in internal controls
  • Now includes concept of disclosure controls
  • Includes risk disclosures and other disclosures (such as MD&A)
  • Management will be including this in its review of control adequacy, hence the internal auditor’s role may expand in this area

Sarbanes-Oxley Act of 2002
Impact on Internal Audit
An auditor cannot provide certain services to an audit client:
  • Bookkeeping or other accounting records/financial statements services
  • Financial information system design & implementation
  • Appraisal or valuation services
  • Actuarial services; legal & expert services unrelated to the audit
  • Internal audit outsourcing services
  • Management functions or human resources
  • Broker or dealer, investment adviser, or investment banking services
  • Any other service prohibited by the new public oversight board
Audit committee may approve services in certain cases

Bank Audit Requirements
• Current bank audit requirements
  • First 3 years after FDIC insurance
  • Newly-chartered national banks
  • Banks subject to SEC reporting requirements
  • Banks and bank holding companies (BHCs) with assets over $500 million or that are SEC registrants
• Most U.S. banks have independent audits

Role of External Auditors in Banking Supervision
• Supervisors must understand the responsibility assumed by the auditor
  • Management has primary responsibility for financial statements, not the auditors
  • Auditors do not have responsibility to detect all fraud and violations of law or regulations
  • Under current rules, auditors may not be required to report certain problems

Role of External Auditors in Banking Supervision
• External auditors seek to provide reasonable assurance that financial statements are free of material misstatements by doing the following:
  • Collect a sample of evidence that supports financial statement amounts and disclosures
  • Assess the accounting principles used, significant mgmt. estimates, & F/S presentation

Roles and Responsibilities of internal and external audit and examinations
Attributes | Internal Audit | External Audit | Examiners
Works for: | Board of Directors | Bank | Regulatory Agency
Reports to: | Varies…Board of Directors | Audit committee/Board of Directors | Regulatory Agencies

Roles and Responsibilities of internal and external audit and examinations
Attributes | Internal Audit | External Audit | Examiners
Principal Objective: | Describe the effectiveness of internal control | Attest financial statements fairly present financial position | Rate the safety and soundness of bank
Principal work product: | Internal Audit Report | Audit Opinion | Examination Report

Roles and Responsibilities of internal and external audit and examinations
Attributes | Internal Audit | External Audit | Examiners
Follow up: | Written response to audit report | Review management letter at next on site | Response from management, or impose enforcement action
Time

FDICIA 112 Requirements for External Audit
• Auditor attestation on management assessment of internal controls
• Auditor must adhere to all independence requirements of the SEC

Sarbanes-Oxley Act of 2002
Impact on External Audit
• Extends the FDICIA 112 attestation to all publicly traded companies
• New independence rules
  • Sec. 201. Prohibits 8-types of non-audit Services
  • Sec. 202. Requires audit committee preapproval of all other non-audit services
  • Sec. 203. Requires audit partner rotation every 5

Sarbanes-Oxley Act of 2002
Impact on External Audit
• New independence rules (Cont’d)
  • Sec. 204. Requires auditor to provide audit committees a report on
    – all critical accounting policies and
    – alternative accounting treatments
  • Sec. 206. Requires a 1-year “cooling off” period for auditors seeking employment as CEO, CFO, Chief Accounting Officer, or Controller of a client

Basel Committee Focus Going Forward
• Enhancing international accounting and auditing standards and practices

Basel Committee Activities
• External Audit projects, with IAASB
  • Enhanced bank external audit guidance
    – IAPS 1004 - Relationship of bank management, auditors and supervisors
    – IAPS 1006 - Audits of commercial banks
• Internal Audit projects
  • Final Basel IA guidance (August 2001) and Survey (2002) of audit practices