marcus evans

December 11, 2015 16:21 ET

Building the Right Internal Audit System: Balancing Due Diligence & Risk Management

Interview with Steven Melletz, CPA, CIA, CGMA, Senior Vice President, Internal Audit, First Commonwealth Bank

NEW YORK, NY--(Marketwired - December 11, 2015) - The role of internal audit as the third line of defense is a vital one, and it faces increasing pressure and complexity in what internal audit must now evaluate and comply with on behalf of regulators. Internal audit is needed and expected to take on more responsibilities and to fully comprehend unique business activities, while keeping up with these demands without incurring spiraling costs.

Steven, Senior Vice President, Internal Audit at First Commonwealth Bank, recently spoke with marcus evans about the importance of understanding the expectations from internal audit's major stakeholders:

How do you keep your executives "in the loop" on any policy/procedure/regulatory changes? What is the best way to introduce the concept of accountability for senior executives or board members?

SM: I keep my Chief Audit Executive in the loop on policy/procedural changes by email and/or face-to-face meetings. My CAE in return meets with our CEO when necessary. All are quite accessible for me. The best way to introduce the concept of accountability for senior bankers is by meeting with those executives and then issuing it in writing.

Many times, changes occur as a result of executive committee meetings which my CAE and/or I tend to sit in on. We discuss the requirements of the Institute of Internal Auditors (IIA), COSO 2013, regulators (SEC, PCAOB, Federal Reserve Bank/FDIC/OCC/State Department of Banking), and accounting pronouncements.

Also, we audit the policy and procedure process as well as whether the lines of business are following policies, procedures, and regulatory standards. A consultative approach is important here, because if there were a violation, the auditor would want to work with the auditee on a solution.

Another way to introduce accountability is to have an Internal Audit charter in place as required by the IIA. The Internal Audit Charter is essential for stressing accountability.

Who determines which areas should be most heavily audited? Why is it important to have upper management involved in these decisions?

SM: All audits are risk-based. We perform a risk assessment which includes meeting with key executives, but also assessing risks. The risk assessment performed is based on answering some key questions and deriving risk scores for inherent risk, residual risk, etc. Once the audit areas are scored, then we decide which audits are mandatory and must be performed every year due to regulatory requirements. High-risk audits would also be audited annually. The rest of the audits would go on a rotation basis (say medium-high risk every 12-18 months and medium risk every 24-36 months, with low-risk audits potentially not audited and relying upon a second line of defense). This risk assessment should be re-evaluated as necessary, but at least annually.

This plan gets presented to the Executive Leadership Team and the Audit Committee. It is important to have Senior Management on board, for cooperation and scheduling purposes. Also, I am a consultative collaborative auditor, so I try to stress the need for process improvements or ways to make my auditees' lives easier. The Audit Committee should approve all audit plans per IIA guidance.

How does increased collaboration between all stakeholders affect the company's ability to manage risk?

SM: We have Board and Executive committees. For example, we are invited to a Board Risk Committee and an Enterprise Risk Committee where they discuss the Bank's risk. It is key because the executives (senior management) should be closest to the risks; they know the business. We are there for guidance as to whether the risks appear appropriate, if there are any changes in regulation or audit requirements, and more. This way, the business line is the first line of defense, the committees and risk management would be the second line of defense, and internal audit is the third line of defense. Also, other factors such as budgeting can play a role. The risks can be mitigated, if not prevented sooner. It also assists Internal Audit as to where to concentrate efforts.

What is the benefit to having consistent communication with the Audit Committee?

SM: As Internal Auditors, we need to know what our expectations are from the Audit Committee. This can be from the Board's Risk Appetite (an official document) or how we are allocating resources. Consistent communication educates both sides (e.g. we provide some director training for them) and we get to see what they expect. Remember that we are trying to provide value added services as well as an assurance function. This is also true with Audit Committees.

Who defines expectations internally to support the due diligence process?

SM: This depends on the specific due diligence process. We receive our expectations from the Audit Committee and our CEO. We request to attend due diligence trips during mergers and acquisitions. However, we also gauge management's expectations and also use audit programs to perform our functions. If asked to perform in M&A due diligence, we may receive our expectations from the person in charge of the particular team and then report to our lines of reporting. We make sure that accounting entries are completed properly and receive and review closing binders. It depends.

What engagement strategies and audit plans do you use to mitigate unforeseen risk?

SM: We use a risk-based audit plan. We consider the Board Risk Reports in performing our risk assessments. We also use the Corporate Fraud Risk Assessment as well as any information that we receive from various organizations. I don't think there is a specific type of audit plan or strategy that we use. It is baked into our audit plans as we create or adjust them.

There are also various resources where you can obtain sample audit plans that may also help. Another key is using a permanent file where you maintain specific materials from the past that are brought forward for each audit or are referenced in each audit. It is also important to have a seat at the table at Board and Executive Committees. This is key because it is difficult to mitigate unforeseen risks when you don't have eyes and ears on what is happening in the organization. Outside of the organization, it is vital to attend roundtables and network with other organizations, whether it is through your external auditors, the IIA, or self-grown groups (I am a member of one of these as a result of attending a conference).

Join Steven at the Internal Audit & Risk Assessment in Banking & Financial Services Conference, March 15-16, 2016 in New York, NY. View the conference agenda to check out Steven's case study topic. For more information, please contact Tyler Kelch, Digital Marketing Manager, marcus evans at 312.894.6310 or Tylerke@marcusevansch.com.

About marcus evans

Marcus evans conferences annually produce over 2,000 high-quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually, ensuring niche-focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.