Thursday, May 11, 2023

Third Line of Defense and Risk-Based Auditing

QUESTION 

Although we're a small bank in the Midwest, we still are required to have policies and procedures that are similar to banks much larger than ours. However, our regulator has sent a letter notifying us that our corporate governance is not adequately implementing the "third line of defense." The letter also cited our need for "risk-based auditing." 

We want to show that we are responding to the regulator by revising our corporate governance policy to acknowledge this third line of defense. And we want to include a reference to risk-based auditing. We hope you can provide some insight into how to revise our policy for these requirements. 

What is the third line of defense? 

What is risk-based auditing? 

ANSWER 

The term "corporate governance" is a general term that refers to the oversight of daily business activities. Specifically, the board of directors should be actively and attentively looking over the performance of senior executives to ensure daily operations are performed within the adopted policies and objectives of the institution. 

Ultimately, the board of directors is responsible for the organization's performance. When delegating authority to senior management team members for day-to-day activities and decisions, the board should also require feedback and monitoring reports to assess executive performance. For the directors, it becomes a matter of setting high standards and ensuring they are maintained. 

The process whereby governance directs auditing programs is essential to effective risk management and internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control, among other things. 

Here's a generalized three-step process involved in corporate governance: 

1.   The board of directors and senior management are responsible for establishing, maintaining, and operating effective audit programs. This responsibility must not be delegated. 

2.   Audit programs must be performed by independent, competent staff or external auditors who objectively evaluate the institution's control environment. 

3.   Examiners validate the adequacy of the institution's audit programs. 

Regulators and investors evaluate corporate governance relating to audits. They will assess and draw conclusions about the adequacy of the overall audit function as part of every supervisory cycle or periodic review (e.g., Fannie Mae's MORA[i] review). An assessment includes some level of audit validation, including verification procedures as necessary. The conclusions can significantly influence the scope of the institution's other supervisory activities and the parameters of its investor relationships. Where regulators are involved, examiners may expand supervisory activities in applicable areas if they identify significant concerns about the quality or extent of audit programs or the control environment. 

Now, let's turn to the "three lines of defense." These three lines of defense form a model that explains governance and roles among an institution's business units, support functions, and audit functions from a risk management perspective. So, I will conjoin the term "line of defense" with the words "risk management activities," because the two concepts are inherently and explicitly linked. 

·     The first line of defense risk management activities occur at the frontline units[ii] where risks are created. 

·     The second line of defense risk management activities occur in an area or function separate from the frontline unit, sometimes referred to as "independent risk management."[iii] These functions oversee and assess the frontline units' risk management activities. 

·     The third line of defense risk management activities are usually called the "internal audit function." These risk management activities are primarily responsible for providing independent assurance and challenging the risk structure. The audit function assesses the effectiveness of the policies, processes, personnel, and control systems created in the first and second lines of defense. 

Risk-based auditing is an approach to auditing an institution. This methodology links internal or external auditing to the overall risk management framework. The audit risk assessment is a process by which an auditor identifies and evaluates the quantity of the institution's risks and the quality of its risk controls. The board, its audit committee, and the auditors use the results of the risk assessments to focus on the areas of greatest risk and to set priorities for audit work. 

The audit function should not ignore areas that are rated low-risk. An effective risk-based audit program includes adequate audit coverage for all of the institution's auditable activities. The frequency and depth of each area's audit should vary according to the audit risk assessment. In risk-based auditing, the audit is meant to assure the board that risk management processes manage risks effectively relative to the institution's risk appetite. That risk appetite must be commensurate with the institution's size and complexity. 

Generally speaking, risk-based auditing seeks to report on at least the following risk management areas: 

·      objective, independent reviews and evaluations of bank activities, internal controls, and management information systems (MIS); 

·      adequate documentation of tests, findings, and any corrective actions; 

·      assistance in maintaining or improving the effectiveness of bank risk management processes, controls, and corporate governance; 

·      reasonable assurance about the accuracy and timeliness with which transactions are recorded and the accuracy and completeness of financial and regulatory reports; and 

·      validation and review of management actions to address material weaknesses. 

Well-planned, properly structured auditing programs are essential to effective risk management and adequate internal control systems. Effective internal and external audit programs are also a critical defense against fraud and provide vital information to the board of directors about the effectiveness of internal control systems. 

At a high level, the third line of defense exists to support internal auditors in their primary role: to independently and objectively review and evaluate the institution's activities with a view to maintaining or improving the efficiency and effectiveness of its risk management, internal controls, and corporate governance. 

The audit function does this by: 

·      Evaluating the reliability, adequacy, and effectiveness of accounting, operating, and administrative controls. 

·      Ensuring that internal controls result in prompt and accurate recording of transactions and proper safeguarding of assets. 

·      Determining that an institution complies with laws and regulations and adheres to established bank policies. 

·      Confirming that management is taking appropriate steps to address current and prior control deficiencies and audit report recommendations. 

Whether the auditor is internal or external, auditors should clearly understand the institution's strategic direction, objectives, products, services, and processes to conduct these risk management activities. The auditors can then communicate findings to the board of directors, its audit committee, and senior management. 

Additionally, auditors often have a role in merger, acquisition, and transition activities. This role may include helping the board and management evaluate safeguards and controls, including appropriate documentation and audit trails, during acquisition planning and implementation processes. Each of these roles, duties, and responsibilities is critical to the overall safety and soundness of the institution.


Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group


[i] Lenders that sell loans to GSEs such as Fannie Mae are subject to a Mortgage Origination Risk Assessment (MORA) review, which includes assessing the adequacy and effectiveness of the company’s internal audit function.

[ii] 12 CFR 30, Appendix D, at 6, “Front Line Unit”

[iii] 12 CFR 30, Appendix D, at 7, “Independent Risk Management”