Internal Audit 101: This series explores the foundations of internal audit by industry, including basic definitions and concepts relevant to auditors in specific sectors.
Bank Internal Audit Programs
According to the Office of the Comptroller of the Currency (OCC), which charters and regulates national banks in the United States, all banks should have an effective audit program, ideally a continuous internal audit program complemented by a sound external audit program. Bank internal audits assess the effectiveness of a bank’s policies, processes, personnel, and internal control systems created in the first and second lines of defense. Well-planned and executed internal audit programs are essential for effective risk management and provide the board and senior management with critical information to accurately attest to the adequacy of internal control in banks.*
*Per 12 CFR 30, internal control systems include internal controls and information systems.
Banking Internal Control: Checklist
In accordance with the Comptroller’s Handbook, internal audit should monitor a bank’s internal controls through the following activities, conducted in ongoing coordination with audit stakeholders:
- Evaluate the reliability, adequacy and effectiveness of internal controls (operated by the bank or a third party) that promote the safety and soundness of the banking institution.
- Ensure that internal controls result in timely and accurate recording of transactions and proper safeguarding of assets.
- Assess the bank’s compliance with laws and regulations and whether the bank adheres to established policies, procedures, and processes.
- Determine whether management is taking appropriate and timely measures to address control deficiencies and recommendations made in the audit report.
- Ensure audit activities are performed by qualified personnel.
Banking compliance risk is the risk to the current or projected financial condition and resilience of a bank arising from the violation of laws and regulations, or from nonconformance with prescribed standards, ethics, and practices. Noncompliance with legal requirements or with safety standards may expose banks to consequences including increased regulatory penalties and damage to a bank’s reputation. Regulatory changes and increasing regulatory fines create an incentive for banks to have strong compliance programs in place that continuously monitor risk. Internal audit plays an important role in bank compliance by testing whether a bank’s policies, procedures, processes, and standards comply with applicable laws and regulations.
Banking Compliance Regulations
Since the advent of the internet and its convergence with business activities, the banking and finance industry has evolved to keep pace with the digitization of the modern world. One of the first and most influential examples was the Gramm-Leach-Bliley Act (GLBA) of 1999, which required all banks and financial institutions offering loan services, financial or investing advice, and/or insurance to disclose their information-sharing practices with their customers, with the option for customers to “opt-out.” Since then, the most common bank compliance requirements in the U.S. include (and are not limited to) the following:
The Comprehensive Capital Analysis and Review (CCAR) is an exercise performed annually by the largest banking organizations in the world. Under the oversight of the Federal Reserve, CCAR impacts Bank Holding Companies (BHCs) with at least $50B in total consolidated assets with tier 1 material portfolios. BHCs that have less than $50B in total consolidated assets but greater than $10B aren’t off the hook, however. DFAST (Dodd–Frank Act Stress Testing), sometimes viewed as a “lighter” version of CCAR, requires banks and financial institutions with total consolidated assets of more than $10 billion to perform a CCAR-like exercise. Internal Audit is responsible for overseeing the reliability and effectiveness of three main aspects of CCAR/DFAST exercises:
- Production and aggregation of the BHC’s current financial data, which can only include US-specific data.
- Projections of future performance of the bank generated through the use of models.
- Generation of the submission report that is sent to the Fed each year.
The General Data Protection Regulation is a European Union law that applies to any organization, including banks and financial institutions, that collects or processes personal data of individuals inside the EU, as well as EU citizens living around the world. Complying with GDPR, as well as the California Consumer Privacy Act of 2018 (CCPA) – often touted as the Californian equivalent of GDPR – has been a journey that has required cooperation across all 3 Lines of Defense for many organizations.
The Sarbanes-Oxley Act of 2002 requires that all public companies in the U.S. establish internal controls and financial reporting methods to ensure the adequacy of those controls. Another requirement for SOX compliance is that senior corporate officers personally certify that the company’s financial statements comply with SEC requirements.
The Federal Deposit Insurance Corporation (FDIC) Improvement Act requires banks that cross certain pre-defined asset size thresholds to comply with increasingly stringent requirements to report their financial data, including disclosing their savings account interest rates. FDICIA has additional requirements for banks and financial institutions based on their consolidated total assets, including intensive financial audits and annual reporting requirements.
Banking Compliance Certification
Obtaining a certification of compliance with frameworks such as the NIST Cybersecurity Framework (CSF) is a way for businesses to develop trust with customers and formally demonstrate compliance with a security framework or a regulatory mandate. While it is easy to view compliance as a necessary evil, undergoing the process of achieving a certification can be critical to driving business forward — as well as avoiding penalties, fines, and the reputational risk associated with negligence. To learn how to successfully prepare for security and compliance certifications, download our whitepaper below.
Managing your bank internal controls and compliance program using spreadsheets, email, and shared drives introduces a number of challenges and risks, from losing track of a piece of evidence needed for an audit to an unremediated compliance gap. In addition to inefficiencies, a manual internal controls and compliance program can result in the following consequences:
- Failure to meet the minimum standards of a compliance requirement, resulting in negligence.
- Paying fines, damages, and legal fees, without any insurance reimbursement, as a result of negligence.
- Impact to the organization’s reputation and/or financial health as a result of negligence.
Leveraging Technology to Streamline Bank Internal Controls and Compliance
To avoid the risks associated with negligence, it is crucial to establish a sustainable foundation for your compliance program. To do so, identifying the right environment to house and maintain your internal controls and compliance data is key. While a homegrown system of spreadsheets, shared drives, and/or Access databases may seem sufficient, such a system can quickly become unmanageable as your internal controls and compliance data evolves. In contrast, choosing a purpose-built governance, risk, and compliance (GRC) software solution can enable you to:
- Easily scope the requirements of any certification.
- Centralize your compliance data in an environment that allows you to see across all your controls, and know which frameworks and requirements they map to.
- Streamline compliance activities across multiple frameworks to reduce repetitive administrative tasks.
- Easily update requirements and adopt additional compliance frameworks without losing centralization or impacting existing testing schedules.
- Facilitate certification readiness through automated readiness assessment surveys.
- Drive the actual certification process by enabling third party auditors to work in a centralized platform containing all relevant data.
Best Practices to Centralize and Automate Your Bank Audit and Compliance Program
- Establish strong internal control systems in your bank.
- Approach banking compliance holistically vs. the old-fashioned, check-the-box audit approach.
- Promote ongoing, frequent coordination and communication between audit and compliance functions.
- Leverage enabling technology to centralize and automate audit and compliance activities.
To learn how AuditBoard can help you manage and streamline your bank internal audit and compliance program, fill out the form below.