Pub. 7 2018 Issue 1

19 s p r i n g | 2018 important to know what is expected of an internal auditor. They are required to be knowledgeable about all areas of your bank. Additionally, internal au- ditors need to know when they don’t have the expertise and must reach out to additional resources. They are the eyes and ears of the bank. So, to name just a few things your internal auditor needs to consider: • Risk Assessment • Audit plans, changes, staffing • Audit Program design • Control testing • Assessing deficiencies • Audit reports • Tracking findings • Independence • Competency • Advisory roles outside of assurance activities • “Quality Assurance Review (QAR)” every 5 years. Yes, this is when the internal auditors get audited. So, how does your auditor keep up with all of this in addition to keeping up with your organizational changes, growth, and expansion? Institute of Internal Auditors (IIA) - The IIA is an internationally recognized professional association that guides its members. It issues several Certi- fications related to internal audit, has overall standards for the performance of internal audit work, and provides extensive support for internal auditors. Training – With all this responsi- bility and often a certification or two to go with it, internal auditors need training. For example, an auditor with a CIA -Certified Internal Auditor designation needs an average of 40 continuing education credits per year. You want to ensure they get training that will continue to improve their skills while evolving your internal audit department. Outsourcing – If your internal audit department is outsourced, you don’t have to worry about all of this, right? Wrong, you can’t outsource the responsibility. You need to designate someone internally to manage the re- lationship. The FED started officially asking for supporting documentation of the review of outsourced audits. They are focusing on the responsibil- ity of management and the audit com- mittee to complete their due diligence ensuring the outsourced internal audits meet all the objectives noted in the engagement letters and comply with IIA and regulatory standards, including QARs. To prepare for this, follow these seven steps: 1. Create an Internal Audit Structure that is appropriate for the complexity and size of your institution. 2. Ensure that the Internal Audit Man- ager (or “Relationship Manager” when outsourced) is responsible for risk assessments, audit plans, audit programs, audit reports, audit staffing and audit quality regardless of wheth- er you use an outsourced vendor or not. You can delegate audit work, but NOT the responsibility. 3. Ensure the scope of the Audit Plan is consistent with the size, complexity, and risk of the institution’s activities. 4. Keep lines of communication open between the internal auditor, ex- ecutive management, and the audit committee. 5. Have a written contingency plan. 6. Manage your outsourced arrange- ments appropriately, knowing that the institution is ultimately responsible. 7. Ensure that your Internal Auditors and External Auditors are indepen- dent of each other. 8. Prepare for your Exam by knowing what the examiners will be asking for and why. Michelle Fowler, CPA, CIA, CISA, CRMA is the President and founder of Fowler & Company, LTD and has been providing InternalAudit Training and Consulting Services since 2001. She recently launched the InternalAudit CareerAcademy where internal auditors learn about the IIA’s Core Competencies, growth strategies, and best practices. Participants also receive mentoring by already successful auditors, model examples, proven templates and processes, networking, and periodic live and online forums with other auditors to discuss goals and gain clarity. Read more about the Academy at www.internalauditcareeracademy.com , read our blogs at www.fowlerandcompany.com or email Michelle at mfowler@ fowlerandcompany.com to set up a free consultation. You can’t outsource the responsibility. You need to designate someone internally to manage the relationship.