The five steps your bank's audit committee can take to organize a successful risk management plan
Prioritizing the many duties associated with risk management can seem daunting for today’s audit committees. Help your audit committee focus its efforts — pass along the following five steps to more effective risk management.
1. Establish confidence in the internal auditor. Your audit committee must understand and provide oversight of the internal audit process. It must also comprehend the operating philosophy of internal audit and set expectations for follow-up on report issues. Internal audit should be the monitoring mechanism for the committee. Its competence and experience are vital to maintaining a strong control environment.
2. Review the audit risk assessment. Typically conducted as a component of the internal audit, risk assessment begins by identifying significant operations areas and the individuals responsible for managing them. After the initial assessment, the internal auditor should meet with the department head to become familiar with the section's undertaking; this generally involves review of the organizational chart and ensuing discussions with the audit committee and the president or CEO. After verifying areas of concentration, the head of internal audit should meet with individuals accountable for success in their respective areas. Meetings will help the internal auditor become familiar with every section's undertaking, the threats they are to manage and the responsibilities connected to their function. The output from these discussions is an analysis that confirms the information gathered is in agreement with actual operations, identifies risks in that area and identifies the related controls.
3. Summarize findings. The internal auditor should recap the findings, determine the vulnerabilities — matching them with the departments they greatly impact — then rate the risks as high, moderate or low. Next, the internal controls associated with the identified risks should be rated as excellent, adequate or inadequate. The terminology for risk categories and controls may vary within each institution, but the focus is to properly allocate resources to effective internal audit coverage. Part of the assessment is an analysis of the volume of transactions, the complexity of these transactions and the threat of loss to the bank involved in the transactions. For example, once wire transfers depart your bank, the money is basically gone, so susceptibilities linked with them are almost always high. In contrast, the controls connected with wire transfers are usually excellent, such as dual-person verification, call-back procedures, passwords and fund-availability confirmation. The combination of high risk, strong internal control processes and daily occurrence would lead the internal auditor to perform this review process annually.
4. Understand the internal control structure. The audit committee is responsible for the control environment and the effective operation of these controls. While banks of all sizes offer similar products and services, the control environment will differ in each bank because of:
- Operating philosophy
- Culture
- Experience of staff
- Ongoing education of employees
- Product mix
- Strength of management
These variables all impact the assessment, which means this process and outcome will be different for each bank. In the end, the audit committee will provide direction to internal audit regarding areas that need attention, as well as areas where monitoring is a lower priority.
5. Final review and agreement. Your audit committee and management team should review the audit risk assessment to ensure findings are accurate and complete. This risk assessment serves as the basis for determining the audit coverage and scope. It will also aid in deciding the extent of the audit procedures, as well as the frequency and number of hours required to provide the audit coverage. The audit committee and management should revisit the conclusions of the risk assessment at the end of the year so that amendments—if needed—can be made.
The risk assessment process should be updated every three years, or as often as any significant changes are made in the direction, product mix or philosophy of your institution.
Note: For a more in-depth description of the risk assessment and the related control environment, consult the Committee of Sponsoring Organizations of the Treadway Commission's "Internal Control—Integrated Framework". It is used by most organizations as the standard for internal audit coverage and risk assessments.
Jennifer Ebert is a director with RSM McGladrey. For more information, contact her at jennifer.ebert@rsmi.com.