INTERNAL AUDIT Elliott Davis Decosimo May 2015 Michael P. Egan Supervisory Examiner
Overview Back to Basics Approach Risk Assessments Audit Planning Audit Workprograms & Sampling Methodology Deficiency Tracking & Validation Guidance Staff Expertise and Ongoing Professional Education Quality Control Programs
Back to Basics Hot Topic Accountability Horizontal Review at Large Community Banks in North Carolina and South Carolina $1B-$10B Develop Best Practices and identify emerging risks
Risk Assessments Business line specific narrative regarding: Inherent risks High, Medium, and Low should have the same detail for every business line. Any mitigating controls in place Any other components that may impact the overall risk ratings Risk ratings should be defined and correspond to an audit frequency.
Audit Planning Comprehensive document approved by the Board/Audit Committee annually. Timing and Frequency of Audits Prior Audit Date and Rating Individual or vendor responsible for audit Large community banks project audit hours Multi-Year Audit Plan Reassess when needed
Multi-Year Audit Plan (chart): No 70%, Yes 30%
Potential Red Flags Rapid growth Management or key employee turnover Recommendations are not effective in prompting management corrective action Concentrations of assets with complex valuation methods Basic internal control deficiencies Poor or absent documentation
Workprograms Expect more sampling at examinations Detailed scope Comprehensive procedures Sampling methodology Prior audit rating & findings Assess remediation efforts Risk-Focused versus Accounting-Based Regulatory Compliance
Sampling Methodology
Review revealed sampling is generally guided by SOX testing requirements from vendors. In some instances the sample sizes appeared very low with little or no narrative.
ALLL: 15 impairment analyses worksheets or less than 9%
Wires: 20 sampled over 12 month period or less than 3% of outgoing wires
Consumer Loans: Random sample of 15 loans (4 Auto Reviews, 6 HELOCs, 5 Installments)
Deficiency Tracking Responsibility for updating Guidance for validation efforts Next audit cycle may be up to 36 months Vary by significance Maintaining closed issues to determine if there are repeat findings Track regulatory findings and remediation
Average Audit Experience by Title [bar chart; titles: Chief Audit Executive, Audit Manager, Audit Supervisor, Senior Auditor II, Senior Auditor I, Staff Auditor II, Staff Auditor I, Audit Analyst, IT Analyst; values in extracted order: 23, 21, 14, 11, 5, 3, 4, 4, 5]
Audits per FTE participating in fieldwork Average audit personnel in department is approximately six individuals Five completing fieldwork Average Assets per Auditor $500M-$992M Average number of audits completed internally is 25 or approximately 75% Average Experience Professional Certifications, training, and development plans
Specialized Audit Areas (share of banks by how each area is audited)
Information Technology: N/A 0%, Internal 17%, Outsourced 83%
Trust: N/A 33%, Internal 17%, Outsourced 50%
BSA-AML: N/A 0%, Internal 17%, Outsourced 83%
CRA: N/A 0%, Internal 83%, Outsourced 17%
Compliance: N/A 0%, Internal 67%, Outsourced 33%
Interest Rate Risk: N/A 0%, Internal 50%, Outsourced 50%
ALLL: N/A 0%, Internal 50%, Outsourced 50%
Loss Share: N/A 33%, Internal 50%, Outsourced 17%
Acquired Loan Accounting: N/A 33%, Internal 33%, Outsourced 33%
Mortgage QC: N/A 0%, Internal 67%, Outsourced 33%
Quality Control Program Audit activities are conducted in accordance with Standards for the Professional Practice of Internal Auditing Assures compliance with Standards, Charter, Policies, Code of Ethics, practices, and regulatory requirements Identifies methods to improve organizational operations External assessment at least once every five years
Quality Assurance Review (chart): No QA Review 83.33%, QA Review 16.67%
Potential QC Review Components Budgeting and financial administration for internal audit Maintenance and updating of the risk assessment and audit universe Evaluation of long-range planning Audit tools and use of technology Training and development of staff Audit statistics and metrics used Review of summary reports Administration of deficiency tracking
Emerging Areas
Credit Review (chart, banks A through F)
A: In-house 0%, # Staff 0
B: In-house 100%, # Staff 9
C: In-house 50%, # Staff 1
D: In-house 0%, # Staff 0
E: In-house 50%, # Staff 1
F: In-house 75%, # Staff 4
Internal Credit Review Function Internal Compliance Review Function Audit Department should assess the review functions
Resources Statement of Policy: Internal Audit and Its Outsourcing Part 363: Annual Independent Audits and Reporting Requirements Various Practice Advisories from The Institute of Internal Auditors
Common ALLL issues/concerns include: Improper use of or insufficient support/documentation for environmental factors Expected Cash Flow Definition Historical Loss Look-Back Period Negative Provisions CECL
ALLL Annual charge-off rates are calculated over a specified time period (e.g., three years or five years), which can vary based on a number of factors including the relevance of past periods experience to the current period or point in the credit cycle.
Credit Administration
Seven Ways Banks Are Relaxing Loan Terms
Extend Fixed-Rate Pricing
Tweak Guarantees
Stretch Out Amortization
Raise the Leverage
Waive Fees
Lower Debt-Service Limits
Ease Collateral Requirements
Cybersecurity The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.
Cyber Challenge: A Community Bank Cyber Exercise Objectives: Initiate discussion between financial institution management and staff on cyber-related issues and concerns. Identify potential shortfalls in operational readiness capabilities. Strengthen preparedness and response efforts to promote an institution's resilience.
Cyber Challenge Scenario Overview: Cyber Challenge consists of a DVD with short video vignettes that present four unique scenarios for discussion. Challenge cards accompany each video vignette to facilitate discussions. Participants should play a video vignette and then respond to the associated challenge questions.
Cyber Challenge
The four vignette themes are:
Vignette #1 - Item Processing Failure
Vignette #2 - Customer Account Takeover
Vignette #3 - Bank Internal Error/Phishing & Malware Problem
Vignette #4 - Technology Service Provider Problem
Current Exam Issues Internal Audit ALLL/TDRs Liquidity/Stress Testing Interest Rate Risk Lending Programs Cyber Security-IT BSA Model Validation
QUESTIONS?