
No Cookie Cutting: Best Practices for a Risk-Based Internal Audit Function

August 16, 2016

When it comes to internal audit, one size does not fit all. Because you have different needs, policies, procedures, staffing, risks, risk appetites and other variables, your internal audit function should be as unique as your institution. In addition, your employees’ time is becoming more and more valuable, so your internal audit function should strive for more efficiency than ever before. A risk-based approach can give you both: an internal audit function tailored to your institution and increased efficiency.

Determine Your Risk Scores
A risk-based approach begins with the preparation of an annual risk assessment and internal audit plan. Through inquiries and observations, you assess risk across the general areas of the financial institution. Risks considered might include credit risk, liquidity risk, interest rate risk, legal risk and reputation risk. The goal of the risk assessment process is to assign a “risk score” to each general area of the institution, which is the basis for your annual internal audit plan. Areas that score higher in risk, such as loan administration and information technology, are tested more frequently by internal audit, perhaps on an annual basis. Those areas assigned lower risk scores, such as prepaid expenses or safe deposit boxes, are tested by internal audit less frequently, and may only be included in your internal audit plan on a tri-annual basis.

Tailor Your Approach
Once your risk-based internal audit plan for the year is defined, the internal auditor carries out the audits of the general areas of the institution according to the plan. It is important to incorporate a risk-based element when determining the internal audit procedures you will complete for a given area. High-risk areas require more controls and more internal audit testing to verify the controls exist and are operating effectively. Low-risk areas do not have as many internal controls in place; as a result, internal audit testing could be kept at a higher level. Audit programs should be tailored to your organization based on the area’s existing controls, the effectiveness of those controls, and previous regulatory exam or internal audit recommendations related to the particular area.

Risk-based Reporting
Once an audit of a given area is completed, a report should be submitted directly to the audit committee, board of directors, or supervisory committee detailing the findings, recommendations or observations. You can also incorporate a risk-based element into this reporting process. You can choose not to include all technical or isolated exceptions in your reports and report specific exceptions only to management. Try not to place too much emphasis on specific findings and exceptions in these written reports. Instead, address questions such as “What caused this exception?” or “What process needs to be enhanced so that this does not happen again?” This manner of reporting helps to ensure that the audit committee, board of directors, or supervisory committee understands the process improvements and the value that an internal audit department brings to the organization.
