internal/external audit and internal controls february 23, 2000 david dudley federal reserve bank of...
TRANSCRIPT
![Page 1: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/1.jpg)
Internal/External Audit and Internal Controls
February 23, 2000
David Dudley
Federal Reserve Bank of NY
![Page 2: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/2.jpg)
2
Outline of Presentation
Internal Control Concepts
Role of Internal and External Audit
![Page 3: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/3.jpg)
3
Definition of Internal Control
Internal control is a process effected by an entity’s Board of Directors and Senior Management and other personnel designed to provide reasonable assurance regarding three objectives and five components
![Page 4: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/4.jpg)
4
Three Objectivesof Internal Control
Effectiveness and efficiency of operations (including safeguarding of assets)
Reliability of financial reporting
Compliance with applicable laws and regulations
![Page 5: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/5.jpg)
5
Five Componentsof Internal Control
Control Environment - “tone at the top”
Risk Assessment - management’s identification of key risks
Control Activities - entity level and activity level
Information and Communication - internal and external
Monitoring - adequacy of controls over time
![Page 6: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/6.jpg)
6
Control Environment
Integrity and Ethical Values
Commitment to Competence
Management’s Philosophy/ Operating Style
Organizational Structure
Assignment of Authority and Responsibility
Board of Directors and/or Audit Committee Participation
Human Resources Policies and Procedures
![Page 7: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/7.jpg)
7
Risk Assessment Objectives
Identification and analysis of objectives
Activities to achieve objectives
Risk exposure
Management of risk exposure
![Page 8: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/8.jpg)
8
Control Activities
Two elements:– Policies– Procedures
![Page 9: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/9.jpg)
9
Types of Control Activities
Authorization or approval
VerificationReconciliationSegregation of dutiesOperating performance
reviewsSecurity of assets
Physical/logical security reviews
Supervisory reviewsTwo week vacation
policySystem checksLimitsReview of MIS data
![Page 10: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/10.jpg)
10
Information andCommunications
Identification
Capture
Exchange
![Page 11: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/11.jpg)
11
Monitoring
Ongoing Activities
Separate Evaluations
![Page 12: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/12.jpg)
12
Context of Controls
A function of Entity’s:– Size, organization, ownership– Nature of business– Diversity and complexity– Methods of transmitting, processing and
retaining information– Applicable laws and regulations
![Page 13: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/13.jpg)
13
Preventative vs.Detective Controls
Preventative - prevents undesirable events
Detective - detects errors and irregularities that have already occurred
![Page 14: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/14.jpg)
14
LimitationsSmall Offices
Collusion
Ignorance
Pace of business/Growth
Judgment
Cost
Management override
![Page 15: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/15.jpg)
15
International Emphasison Internal Controls
Basel Committee on Banking Supervision
Framework for the Evaluation of Internal Controls
– Policy Statement finalized September 1998
– Identifies Causes of Recent Banking Problems
![Page 16: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/16.jpg)
16
Internal Control Breakdowns - Basel Report ConclusionsLack of adequate management oversight and
accountability; failure to develop a strong control culture
Inadequate assessment of the risks of certain banking activities
Absence or failure of key control structures and activities
Inadequate communication of information between levels of management
Inadequate or ineffective audit programs and other monitoring activities
![Page 17: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/17.jpg)
17
Internal Control Breakdowns
Causes:– Inadequate evaluation of new business risks
– Insufficient segregation of duties
– Ineffective management oversight
– Absence of a separate monitoring mechanism
![Page 18: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/18.jpg)
18
Internal Control Breakdowns
Internal audit deficiencies– Untimely or piecemeal audits
– Ineffective follow-up
– Unfamiliarity with business procedures
– No training in sophisticated areas
![Page 19: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/19.jpg)
19
Framework for theEvaluation of Internal Controls
Purpose: To be used by bank regulators to evaluate internal control systems
Consists of thirteen general principles applicable to all banking institutions
![Page 20: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/20.jpg)
20
Thirteen Principles
Management Oversight (3)
– Board should approve strategies, policies and risk appetite
– Senior management should implement board strategies and policies
– Board and senior management should promote high ethical standards
![Page 21: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/21.jpg)
21
Thirteen Principles
Risk Recognition Assessment (1)– Senior management should identify and
evaluate risk factors
Control Activities and Segregation of Duties (2)– Control activities should be integral part of
daily activities of institution
– Senior management should ensure appropriate segregation of duties
![Page 22: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/22.jpg)
22
Thirteen Principles
Information and Communications (3)– Senior management should have adequate
and comprehensive data
– Senior management should create effective channels of communication for relevant information concerning significant activities
– Senior management should develop appropriate information systems for all activities
![Page 23: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/23.jpg)
23
Thirteen Principles
Monitoring Activities and Correcting Deficiencies (3)– Senior management should monitor
overall effectiveness of internal controls
– Audit should perform effective and comprehensive audits
– Audit will ensure that internal control deficiencies promptly reported to management
![Page 24: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/24.jpg)
24
Thirteen Principles
Evaluation of Internal Control Systems by Supervisory Authorities (1)– Supervisors should require all banks to have
effective internal control systems
![Page 25: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/25.jpg)
25
Comprehensive Internal Controls
Key elements of internal controls:
– Adequate segregation of duties
– Independent testing - e.g., audit
– Appropriate to the type and level of risks
– Clear lines of authority and responsibility
– Appropriate reporting lines
![Page 26: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/26.jpg)
26
Role of External Audit
Macro Level
Depends upon services provided:– Financial Statement Audit – Directors Examination – Consulting
![Page 27: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/27.jpg)
27
Evaluation of External Audit
Depends upon the services provided
Review of financial statements and management letters
Discussion of key risks
Review of work papers
![Page 28: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/28.jpg)
28
Role of Internal Audit
Detail-oriented
An independent assessment of the effectiveness of internal controls
![Page 29: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/29.jpg)
29
Evaluation of Internal Audit
Overall effectiveness of the function:– Independence– Mission– Resources/qualifications/skills– Interaction with Senior Management
![Page 30: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/30.jpg)
30
Mission
Audit Charter– Roles, reporting lines and responsibilities
– Full access to all information
![Page 31: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/31.jpg)
31
Independence
Reporting line:– Domestic - Audit Committee of the Board of
Directors
– US branches and agencies of foreign banks - head office audit
– Administrative reporting line to Senior Management
Includes approval of the annual plan, salary, budgets and sign-off on the annual appraisal
![Page 32: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/32.jpg)
32
Audit Resources
Sufficiency of resources
Qualifications of staff
Skill level and training
![Page 33: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/33.jpg)
33
Interaction withSenior Management
Level of audit within the organization
Audit’s dealings with Senior Management
Prompt resolution of issues by management
![Page 34: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/34.jpg)
34
Quality Timeliness
Risk assessment methodology
Annual audit plan
Types of audit coverage
Audit programs
Audit reports and work papers
Audit follow-up
![Page 35: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/35.jpg)
35
Risk Assessment Methodology
Identification of key risks within the institution
Format of the methodology:– Risk-based– Qualitative and/or quantitative factors– Combination of risks and/or other factors
![Page 36: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/36.jpg)
36
Sample Factors - Risk Assessment
Credit riskMarket riskLiquidity riskOperations riskReputational riskLegal risk
Fraud riskTrading riskCredit and sales riskControl environmentReporting riskRevenue or expense
volatility
![Page 37: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/37.jpg)
37
Sample Factors - Risk Assessment
– Transactional values/volumes and changes
– Error impact– Nature of process– Reliance on data– Access to physical
assets– Economic or
political trends
– Quality of management or department head
– Staff quality and changes
– Degree of management judgment and quality of supervision
– Product changes– Legal/regulatory
impact
![Page 38: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/38.jpg)
38
Annual Audit Plan
Based upon the risk assessment methodology
Normally part of a multi-year cycle
Approved by the Board of Directors or head office audit
Quarterly - Updates to the plan
Detailed analysis of changes to the plan
![Page 39: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/39.jpg)
39
Types of Audit Coverage
Full scope audits
Control self-assessments
Key control or risk reviews
Targeted audits
Continuous monitoring
Conversion/system development audits/ data center and application reviews
![Page 40: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/40.jpg)
40
Audit Programs
Detailed programs for each auditable area
Completed during the first audit and subsequently updated
Coverage of key risks and controls in the area
Appropriate sampling methodology
![Page 41: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/41.jpg)
41
Audit Reports and Work Papers
Audit Reports
Detailed Analysis– executive summary– description of the work performed– analysis of conditions and/or rating
Audit Work Papers– proper documentation and cross-
referencing– appropriate narratives and conclusions
![Page 42: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/42.jpg)
42
Exception Follow-up
Tracking system or methodology– Issue/Problem, Status of corrective action,
Accountability, Timeframe
Head Office Commitment and Support
Significant items cleared in a timely manner– Progress, Approval
![Page 43: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/43.jpg)
43
Audit Outsourcing
The performance of internal audit activities by an external party such as a CPA firm.
Co-sourcing, contracting
Issues:– Independence, conflict of interest,work
management, understanding of the corporate culture, continuity
![Page 44: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/44.jpg)
44
Overall Evaluation of Internal Audit
Positive evaluation - determine extent of reliance on internal audit
Issues - include in the examination report
Annually - analyze changes in audit
![Page 45: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/45.jpg)
45
Relying upon External Audit
Nature of the work performed– Financial audits– Other control reviews– Outsourcing or Co-sourcing
![Page 46: Internal/External Audit and Internal Controls February 23, 2000 David Dudley Federal Reserve Bank of NY](https://reader036.vdocuments.mx/reader036/viewer/2022062409/5697c0091a28abf838cc7306/html5/thumbnails/46.jpg)
The End