Comprehensive Risk Management Services
You may not like risk … but if you’re a bank or a credit union, you’re in the business of assessing, assuming and managing it. And it comes in many different guises: interest rate and liquidity risk … credit risk … operational, legal, reputational and strategic risk. And they don’t of course exist in silos; controlling one may aggravate another. You don’t just need expertise in one area or another. You need a firm that can help you navigate the full spectrum of risks and address them in a coordinated, disciplined and cost-effective manner.
Our Cost-Effective Enterprise Risk Assessment
At AuditOne, we’re in the business of helping you manage your risk. Our Enterprise Risk Assessment (ERA) can help get you started. We analyze each operational function and use our proprietary risk-rating methodology to determine where and how your risk management and audit dollars can most effectively be deployed. We do this in a way that’s highly sensitive to the requirements and expectations of regulators – and to the fact that audit dollars are a scarce resource. Our format provides inherent risk ratings at a disaggregated level. For example, we don’t just look at Branch Operations; we drill down to all the major scope activities for an audit of that function (for example, new accounts, cash, security, safe deposit, etc.). This in-depth analysis allows us to recommend not only which areas need auditing over the coming year but also which scope items should be included. Our methodology a) risk-scores each area and activity, b) translates that score into a risk rating, and c) maps that rating to a recommended audit frequency based on our broad experience in the industry. Again, this is taken down to the level of the individual scope item within each audit. The ERA is performed with an eye to cost, identifying opportunities to defer audits where feasible, to trim their scope, or otherwise to economize. We recommend an ERA as an annual exercise – not only because the regulators have come to expect it, but more importantly because it allows banks to develop a risk-based internal audit plan, sensitive to any internal and external changes affecting the organization, in which audit dollars are allocated to where they’re most needed.
Sarbanes-Oxley Act and FDICIA 36
An ERA is a streamlined and cost-effective risk management tool. At the other end of the spectrum, in terms of complexity and granularity, are the Sarbanes-Oxley Act (“SOX”) requirements that public filers must meet and the FDICIA 36 requirements for larger institutions (> $1 billion in assets). We have considerable experience with such reporting, in both the documentation and the testing phases. Most SOX institutions adopt a COSO-type approach, which is also what the FDIC recommends for meeting FDICIA 36 requirements. Documenting the internal controls to be tested requires first performing a risk assessment of the institution – an exercise similar to, though considerably more detailed than, the ERA described above. SOX and FDICIA 36 require analyzing specific risks at a disaggregated level, then identifying the controls (key controls, plus back-up or compensating controls) over each risk. Rigorous documentation and validation requirements apply.
Over time, smaller, non-public institutions can expect rising demands to head down this path as well. It will become a differentiator of well-managed, leading-edge players. And it will give management and the Board more comfort that the institution has positioned itself to minimize both the likelihood of any given loss event and the amount that would be lost.
Informative, Risk-Based Reporting Format
To assist the Audit Committee, our risk-based approach to internal audit extends to our audit report format that provides more granular information on audit results. This increased granularity includes the above-mentioned inherent risk rating on all of the scope items for an audit, plus a four-point audit rating scale applied to each scope item within each audit. This more granular reporting has applications that go beyond audit planning:
- Staffing and other resource allocation (e.g., “Needs Improvement” means more attention must be paid before next year’s audit)
- Internal best practices (based on any units receiving a Strong rating)
- Performance appraisal (rating managers on their unit’s audit results and how they compare to prior year)
All of our reports begin with a) a determination as to corrective action taken on each individual finding in the most recent examination and internal audit reports for the area in question, and b) an assessment of the completeness and adequacy of the applicable policy and procedures documents. The body of the report contains, for each individual scope item, a statement as to the audit steps or tests, including any sampling parameters. We also clearly identify any applicable regulatory guidance used in formulating our audit program.
Finally, we provide Priority Ratings (High, Moderate or Low) on all findings to help the Audit Committee in assessing the importance of each finding and to focus its attention on the higher-priority findings. This prioritization of findings not only helps the Audit Committee and senior management to monitor progress, but it is also the kind of prudent risk-management tool that regulators expect institutions to employ.
We encourage you to contact us to see a sample of our industry-leading audit reports.