EXECUTIVE SUMMARY
CAL FED’S INTERNAL AUDITORS MONITOR THE COMPANY’S risk profile and play a key role in identifying areas for risk management. Understanding the business operations can make the auditors a catalyst for change—with a prominent position as key risk advisers.
THE COSO DEFINITION EXPANDS internal audit’s traditional testing of control activities, such as policies and procedures and approvals and reconciliations, to include four additional components that derive from the way management runs a business: control environment, risk assessment, information and communication and monitoring.
AUDITORS NEED MORE THAN A LIST of controls to assess how management deals with risks. Some best practices for internal auditors to adopt are monitoring business activities and key performance indicators continuously, coordinating with other risk management functions, developing the audit plan based on risk priorities and getting involved in technology projects.
AT CAL FED, THE CLIENT SERVICE TEAM IS RESPONSIBLE for reviewing the risk profiles of the entities assigned to it, completing the risk assessment with a report and developing/providing the appropriate audit services. Teams are chosen based on experience, geographic location and interests of their members, and they can rotate audit assignments every two to three years.
BUSINESS UNITS PROFIT FROM ongoing risk monitoring and the information exchange internal audit teams provide. The auditors can track progress, identify new opportunities or ask questions without waiting for the formal audit to take place.
PAUL E. LINDOW, CPA, is senior vice-president and director of audit and regulatory risk management at California Federal Bank in San Francisco. His e-mail address is plindow@calfed.com. JILL D. RACE, CPA, is vice-president and audit manager at California Federal Bank’s West Sacramento office. Her e-mail address is jrace@calfed.com.
Internal auditors don’t just audit
control activities; they also monitor a company’s
risk profile and play a key role in identifying
areas to improve risk management processes.
However, if they don’t completely understand the
risks of the business, internal auditors can
perform only traditional checklist tasks. At
California Federal Bank (Cal Fed) we helped our
internal audit team transform itself into a
catalyst for change as a key risk adviser. Our
experience—as department head and audit manager—in
taking an enterprise-wide view and adopting a more
progressive approach to audits may serve as a
model for other internal auditors to use to become
a cornerstone of risk management in their own
companies.
GETTING STARTED
In 1995 what is now Cal Fed (the country’s
third largest thrift) set out to be a first-class
West Coast financial institution. To make this
happen, it needed to grow its retail and
commercial banking franchises in California and
Nevada and build itself into one of the country’s
top mortgage servicers and a leader in indirect
auto financing through its subsidiaries in
Maryland and Texas. Achieving this goal required
numerous acquisitions, conversions and
integrations as well as the development of new
business lines and products. How the company
managed risk from all these changes was
critical to success. As audit
professionals, we needed to be able to
discern significant details of business
operations and look “through the
windshield” for oncoming risks while
communicating with operating managers in a
clear and timely manner. To achieve these
objectives and match our department’s
capabilities to the bank’s growth and
increasingly complex operations, we
overhauled the internal audit team and
expanded to 40 professionals from a group
of 15. Our department reports directly to
the audit committee and administratively
to the chief financial officer, with an
indirect line to the president. While
these reporting lines have not changed,
our internal auditors are now able to take
advantage of contact with the president.
Effectively used, these reporting
relationships ensure audit’s independence
and provide us with access to the top of
the organization with its big-picture
perspective.
Traditional vs. Progressive Approach
Internal audit’s evolving role

Traditional                                                  | Progressive (best practices)
-------------------------------------------------------------|-------------------------------------------------------------------------
Audit focus                                                  | Business focus
Transaction-based                                            | Process-based
Financial account focus                                      | Customer focus
Compliance objective                                         | Risk identification, process improvement objective
Policies and procedures focus                                | Risk management focus
Multiyear audit coverage                                     | Continual-risk-reassessment coverage
Policy adherence                                             | Change facilitator
Budgeted cost center                                         | Accountability for performance improvement results
Career auditors                                              | Opportunities for other management positions
Methodology: Focus on policies, transactions and compliance  | Methodology: Focus on goals, strategies and risk management processes
To identify risk areas and continuously monitor
the company’s risk profile, we had to transform
the internal audit department from its traditional
role—performing checklist activities—to one that
focused on corporate and business unit goals,
strategies and risk management processes. To
achieve this restructuring, we asked ourselves
these fundamental questions:
How do we define internal control?
What best practices should we
incorporate into audit’s evolving role?
How can internal audit become an
integral part of risk management processes and
maintain independence?
What should the department’s
strategic plan be?
How should the audit group deliver
its services and communicate its observations?
DEFINE INTERNAL CONTROL
Simply testing control activities under a
traditional audit system gives internal auditors a
very narrow focus—a significant problem with our
former process. To help create an auditing
methodology based on process improvement and
continual risk assessment, we adopted the
Committee of Sponsoring Organizations of the
Treadway Commission’s definition of internal
control and incorporated it into our mission
statement. The COSO definition expands internal
audit’s traditional testing of control activities,
such as policies and procedures and approvals and
reconciliations, to include four additional
components that derive from the way management
runs a business: control environment, risk
assessment, information and communication and risk
monitoring (see “The COSO Framework: An
Overview”). To integrate these components
into our enterprise-wide risk management program,
we informed the business area managers we planned
to work with them to address risks based on the
COSO objectives—namely, effectiveness and
efficiency of operations, reliability of financial
reporting and compliance with applicable law and
regulations. To apply the COSO definition of
internal control to our audit methods, we asked
company executives for ways to improve and revise
Cal Fed’s audit methodology. We had complete
support from Cal Fed’s top management and the
audit committee to overhaul our function and
implement the COSO objectives, which we knew
would—and, in fact, did—require implementation in
stages over several years.
ADOPT BEST PRACTICES
To assess how well the company deals with
risks, we needed more than a list of required
controls. With the COSO model as a guide, we
developed and incorporated the following “best
practices” into the audit function.
Monitor business activities and key
performance indicators continuously.
As internal auditors we must keep
abreast of what’s happening in the organization’s
environment. We do this by attending executive
committee meetings, obtaining important management
reports and identifying and meeting with key
department heads throughout the year. For example,
the consumer lending unit had had no significant
problems for a number of years, so we did not
schedule it for a current year audit. However,
because we maintained contact with its managers we
discovered the area had a new business plan to
increase volume and add more employees. Because of
these changes we then scheduled the unit for an
audit.
Coordinate with other risk management
functions. In evaluating quality
control, security, asset review and credit
administration processes, we try to leverage the
work of other departments where possible by
reviewing the scope of their activity and
considering their results in our approach. For
example, rather than just using our own samples
for testing, we examine the unit’s quality control
program and selectively validate the results. We
also can coordinate the timing of an audit with a
department’s ongoing loan review, draw on its
findings to determine which policy interpretations
caused underwriting exceptions and suggest process
improvements.
Develop the audit plan based on risk
priorities. Rather than
scheduling audits according to a standard cycle of
one-, two- or three-year rotations, we base
frequency of audits on a business area’s risk
factors, such as previous poor audit ratings or
significant changes in personnel. This allows us
to focus on the highest risk priorities within the
company and to devote appropriate resources to new
and changing areas. We also train managers to
update their own risk assessment systems and
methodologies—for example, by showing them how to
implement steps to monitor quality control and
segregation of duties.
Get involved in technology projects.
As internal auditors we know we must
be involved in activities such as systems
development and conversions, process
reengineering, new products and services, mergers
and acquisitions and the analysis of new IT
policies. At Cal Fed we look at controls before
technology teams implement them and take steps to
address IT risks rather than react to problems
after they occur. For example, before management
installed a new loan origination system, we
identified supporting applications that would
affect operational processes, business resumption
plan requirements and network security issues,
such as controlling user access and ensuring that
supporting applications interacting with existing
systems had proper controls. (For more information
on this topic, see “Risky Business,” JofA,
June 2002, page 65.)
We knew some of our auditors were more
comfortable with traditional control activities,
such as approval of journal entries, so we coached
them to understand primary business objectives and
related risks. Our audit managers accomplished
this by regularly meeting with their teams
throughout each stage in the audit, asking
questions to foster each team’s understanding of
business operations. For example, while conducting
the electronic banking audit, the manager asked
the team to explain how this business area
generated revenue from debit card transactions and
why the formulas used to determine its budget
varied from the previous year. Team
members also participate in industry-related
training to improve their knowledge of company
issues. Before an audit, one of the team explains
to area managers how to use the COSO framework to
self-assess their internal controls and emphasizes
that business and audit risks are really the same
things. For example, following the COSO objectives
of maintaining effective operations and adhering
to compliance procedures, the manager of the
electronic banking department set up a monthly
certification process to ensure employees complied
with policies to investigate unauthorized card
use, thus improving controls.
BECOME PART OF THE PROCESS
While the close partnerships we have with
the business areas and top management could lead
to impaired objectivity, we follow certain
guidelines to avoid this pitfall, taking care to
act in an advisory capacity rather than exercise
decision-making authority. Examples of how we used
this approach in three of the company’s business
units follow:
Loss management. The loss
management unit is part of the retail operations
division and coordinates efforts to reduce losses
throughout Cal Fed, a significant responsibility
given industry trends of increasing identity
theft, loan fraud and robbery. In 1999 internal
audit and the loss management unit brought
managers together from retail banking, corporate
security and information technology to form the
operational risk management committee (ORMC). This
group identifies and tracks ongoing initiatives
such as identity-theft education and prevention
using specially created spreadsheets. Internal
audit actively participates in committee
discussions, regularly conducts research and
presents ORMC with benchmarking information.
The internal audit team reviewed the loss
management area’s annual business plan and monthly
status reports, which led to improvements in how
the unit identifies underlying causes of large
losses and how it will mitigate them in the
future. Since these reports highlight the unit’s
critical priorities, the review enables the team
to get involved in key department actions, such as
providing controls-consulting for upcoming
projects.
Auto lending. Since Cal
Fed grew through acquisition, internal audit had
to be a bridge builder. For example, a few years
ago our auto-lending subsidiary in Texas was
considering how to fund its indirect auto loans
more efficiently. At the same time the retail
division in California was completing a project
that would allow Cal Fed to generate automated
clearinghouse transactions. Audit facilitated a
meeting between the two groups, which led to a
redesigned loan-funding process using more
automation and increased cost savings. The
internal audit team also attends meetings between
the subsidiary’s underwriting and loan service
groups, participates in discussions and reviews
reports of defaulted loans. By doing so, the team
targets its testing to certain problem loans and
further analyzes root causes of losses.
Wire transfers. To monitor
high-risk systems enhancement initiatives, our
internal auditors attend regular meetings as
advisers to the project team. When Cal Fed’s wire
transfer staff implemented systems enhancements to
improve efficiency, several members of the audit
team monitored installation of firewalls and
reviewed authorization levels. The internal
auditors for the wire transfer area also consulted
on key programs, from training employees to detect
suspicious wire transactions to helping them adapt
to their internal customers’ changing needs. By
focusing on major risks and improving our
understanding of the unit’s data files, we conduct
better and more comprehensive automated testing of
transactions, thus reducing the time needed for
the scheduled audit.
DEVELOP A STRATEGIC PLAN
To complete the integration of the COSO
framework into Cal Fed’s audit processes, we
developed a strategic plan that would
Provide for a mix of skill sets
within our audit group.
Create the audit plan by identifying
audit entities and performing a formal risk
assessment.
Ensure our auditors update risk
assessments and monitor the risk indicators on an
ongoing basis.
Establish our team’s communication
strategies and reporting formats.
To accomplish the first objective we assembled a new
audit team with a mix of CPAs, MBAs and other
business professionals. Their quality and
experience were critical to achieving department
aims. Instead of staffing the department largely
with low- to mid-level professionals, we began
with a smaller number of mid- to high-level
employees. As part of the upgrade, we also changed
job classifications and increased the skills
needed to succeed. Career paths for the
team are varied: Business area professionals—from
loan servicing, loan production, accounting or
information technology—move into the department,
and auditors transfer to other functions such as
treasury, accounting and lending. This
cross-training adds depth to the audit team’s
consulting skills, enhances its ability to recruit
and retain audit professionals and gives it
increased understanding of risk analysis and
controls in the business areas.
CREATE CLIENT SERVICE TEAMS
To achieve our objectives of formal risk
assessments and continuous risk monitoring, we
established client-service teams for specific
departments or functions identified within each
audit plan. These teams, typically consisting of
three to seven individuals, review the risk
profiles of the units assigned to them, compile
the risk assessment data and develop the
appropriate internal audit services. We choose the
audit teams based on individual experience,
geographic location and their own interests. For
example, an employee who has a particular interest
in the treasury function and hopes eventually to
become a CFO was placed on the treasury audit,
enhancing his professional development. Team
members meet with their clients either monthly or
quarterly. To expose our auditors to different
business areas and help ensure their objectivity,
they typically rotate audit assignments every two
to three years. We constantly balance the need for
team continuity with the need for career
development and objectivity.
DELIVER SERVICES, COMMUNICATE FINDINGS
Our internal auditors use the results of
their risk assessments and continuous monitoring
of the various business areas to examine how each
unit is responding to identified concerns and
applying risk management procedures. This review
also sets the parameters for the formal audit and
determines its timing. We closely integrate our
internal audit with that of the external auditors
to permit areas to be examined simultaneously,
which “helps to limit duplication of efforts and
focus our resources on more complex and
higher-risk areas,” says Renee Tucei, CPA and Cal
Fed’s executive vice president and controller.
At Cal Fed we prepare a formal internal
audit report to provide each business unit with
conclusions and a balanced perspective (see
“Sample Audit Report”). The report
contains an opinion of a unit’s control structure
and whether it effectively meets each of the three
COSO objectives. An executive summary, which
follows the opinion, provides a review of the
business area’s purpose, major systems
initiatives, key accomplishments and successes as
well as the auditors’ observations. The audit team
details its findings based on the applicable COSO
components, with risk ratings of high, medium or
low, and includes management action plans. To
follow up, the auditors track their observations
with a database software program they developed
for this purpose and then report monthly to
executive management and quarterly to the audit
committee.
Sample Audit Report
Among
Cal Fed’s business area managers who have
benefited from continuous monitoring and
information exchanges is Cristie Gerard,
vice-president and head of loss management. “By
sharing monthly status reports and the business
plan, the auditors track progress, identify
opportunities and contact the loss management unit
with questions or concerns without waiting for a
formal audit. Then the formal audit process can
target areas from the business plan or status
report and save time that would be spent answering
questions about changes occurring in the business
since the last audit,” says Gerard.
GAIN RESPECT
Convincing both business managers and top
executives that our progressive approach to audits
was a more reliable, efficient and effective risk
management process for the organization than the
traditional method was a critical goal for the
audit department. We found that within three
years, with a track record of services delivered,
we had earned their respect, and all the members
of our team had a seat at the various management
committee/task force tables around the company.
Richard Terzian, Cal Fed group executive
vice-president and CFO, confirms this: “The audit
department’s success in winning over management
can be attributed to its proactive involvement in
continuously monitoring and identifying risks
throughout the company. Also, its frequent and
timely communication of audit issues to the
appropriate levels of the organization ensures the
right individuals take necessary and prompt
corrective action.” We know each audit
project could be our last if the board is not
satisfied with the level of service we provide.
Consequently we issue to business areas audit
recommendations that are forward-looking even if
no risk problems are immediately apparent. Our
advice to other audit teams who want to transform
their audit model is to begin by establishing
their vision and goals and then by hiring a
professional team with diverse backgrounds. But
they must understand that the overhaul will
require implementation in stages over several
years. When audit teams integrate into
other functions throughout the business and go
beyond traditional methods, they have the ability
to add value by offering better, more proactive
audit services and improving an organization’s
risk management strategies. With investors,
regulators and the media placing companies under
greater scrutiny in today’s climate, internal
auditors can expect to have a more prominent role
as champions of the risk management process.