NETBankAudit’s Internal Audit methodology is based on the updated 2013 COSO framework. This framework is specifically tailored to the client’s needs. In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.
The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:”
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
In an “effective” internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives.
These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously, and problems are addressed in a timely manner.
Internal Audit Risk Assessment Process
As indicated by FFIEC guidance, the Board of Directors should establish an effective risk-based audit function. To facilitate this process, NETBankAudit will develop an internal audit risk assessment tailored to the client’s specific environment. The assessment will include all substantive activities and determine the frequency and depth of coverage.
Specifically, our risk-based internal audit assessment includes the following processes:
- Identification of the internal audit universe (all operating and financial systems, facilities, and personnel) including the business activities and processes within each of those categories
- Profiles of significant business units, departments, and product lines, or systems, and their associated business risks and control features, resulting in a document describing the structure of risk and controls throughout the institution
- A scoring system that ranks and evaluates business and control risks for significant business units, departments, and products
- Board and/or Audit Committee approval of risk assessments and annual risk-based audit plans that establish audit schedules, cycles, scope, and resource allocation
- Implementation of the internal audit plan through planning, execution, reporting, and follow-up
- Regular risk assessment re-evaluation and update for all significant business units, departments, and products or systems
Our assessment methodology will provide the objective information necessary to properly prioritize the allocation of audit resources and comply with FFIEC guidance.
High-Level (Sample) Audit Schedule
A basic/minimal annual audit schedule is provided below. This audit coverage is provided for example purposes only. The risk-based audit process discussed above will provide a better understanding of the specific areas within the client’s audit universe.
- Review of Enterprise Risk Management (ERM) and CAMELS regulatory performance
- Audit of Loan Processes, including ALLL and Compliance
- Audit of Deposit Processes, including Compliance
- Audit of ALCO – ALM/IRR/Liquidity/Investments
- Audit of Reconciliation Process
- Audit of Accounts Payable
- Audit of Human Resources and Payroll
- BSA/AML Compliance Audit
- IT General Internal Controls Audit
- Internal and External Network Vulnerability Assessment (i.e. Penetration Testing)
- Transactional Audits of Wire, ACH, Item Processing, and Internet Banking
- Branch Audits
Note: many of these services may help reduce external auditor testing if they can be performed in accordance with PCAOB guidance.