Internal audit: in-house or third-party?

An internal audit reveals opportunities for improvement across the board, making your community bank safer and more efficient. Take a look at the pros and cons of conducting an internal audit in-house versus outsourcing to a third-party firm.

By Mary Thorson Wright

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” —The Institute of Internal Auditors

The fiduciary responsibilities with which community banks are charged make internal audits a fact of life. These audits carry explicit and implied standards for both effectiveness of performance and the auditor’s qualifications. Regulatory agencies encourage institutions to incorporate professional standards, such as those of the Institute of Internal Auditors, into their audit architecture. Regulators scrutinize internal audit procedures and results, and the suitability and preparedness of the internal auditor.

A community bank’s internal audit system should provide for:

  • Adequate monitoring of internal controls
  • Independence and objectivity
  • Qualified persons to conduct internal audits
  • The testing and review of information systems
  • Documentation of tests, findings and corrective actions
  • Verification and review of management actions to address material weaknesses
  • Review by the bank’s audit committee or board of directors of the effectiveness of the internal auditing systems.

For community banks, which often operate with a smaller staff or more limited in-house expertise, two questions must be addressed: If internal audits are to be conducted in house, who should conduct them? And if the internal audits cannot or will not be conducted in house, how can the bank most effectively engage third-party service providers to perform internal audit procedures?

In-house internal audit
Community banks can conduct internal audits themselves, but only when the auditor has the qualifications, competency and independence from the management structure to act with objectivity.

In an ideal situation, a community bank might employ someone with an accounting or other business degree; his or her skill set and professional demeanor might dovetail with those required to conduct comprehensive, independent internal audits. Alternatively, a bank employee may have sufficient cumulative industry experience, background and training to conduct internal audits. The knowledge an in-house internal auditor can acquire about the workings of the bank can be a great benefit, and, if he or she has longevity with the bank, the historical perspective can be invaluable.

The in-house internal auditor should complete training to equip them with the knowledge and tools needed to successfully conduct and perform internal audits for banks. ICBA’s Community Banker University (CBU) offers two instructional programs covering internal auditing. Shirley Ringhand, vice president of certifications, seminars and the Bank Director Program for CBU, explains the difference. “The Auditing Certificate Program is a set of online, self-guided modules that result in a certificate of completion,” she says. “The program provides functional guidance and knowledge about internal audit.”

The Audit Institute, on the other hand, is a brick-and-mortar experience. “The Audit Institute is a two-week, on-site, formal classroom experience that allows students to network with peers and interact with highly qualified instructors,” Ringhand says. “The Audit Institute results in the Certified Community Bank Internal Auditor [CCBIA] designation, which is a professional credential for internal audit proficiency.”

Once a student achieves the CCBIA, the individual must complete 30 Continuing Professional Education (CPE) credits every two years, through any mix of live training, webinars and online education, to maintain the certification in good standing.

Benefits of certification

“Certification is evidence that an internal auditor has demonstrated basic proficiency in trends, issues and techniques as they relate to community banks,” says Thomas Danielson, principal of financial institutions at professional services firm CliftonLarsonAllen in Minneapolis, Minn. “It sends the message that bank management and the auditor take the internal audit function seriously. Ongoing education for audit practices, hot topics and trends reinforces that message to the board, internal audit committee, management and examiners.”

Danielson, who has been an instructor for the Auditing Institute since 1995, observes, “In-house internal auditors who see the bank operations day-to-day, rather than only during periodic bank visits, are often perceived as having a unique advantage over third-party internal auditors.”

He believes community bankers clearly recognize the advantages of in-house internal audit, due to the positive comments he hears from bank management and students attending the course, and because of the high rate with which banks send succeeding generations of internal auditors to the course.

Both Ringhand and Danielson cite numerous examples of positive feedback from student evaluations and discussions with students, including the value of the course content, networking opportunities, sharing commonalities among peers, audit program improvement and learning new job skills. It is common for students to attribute their course participation to board or audit committee encouragement.

Independence from day-to-day management of audited operations or regulatory implementation is essential to the internal audit function. Employees who oversee operations and regulatory implementation can participate in monitoring and reviews of the areas for which they have responsibility; however, the independence adds value and, for some areas, is legally required.

Because internal auditors must be at arm’s length from day-to-day operations, a full-time audit position is ideal. For banks without resources to support a full-time position, division of the internal audit responsibilities is possible; however, those banks may have limited staff sizes and fewer experienced, qualified candidates in house to perform internal audits.

Auditors should have the autonomy to plan and conduct the internal audits, determine the level of risk for any findings, and report to the board of directors or the board-appointed audit committee to ensure high-level oversight. Administrative reporting to executive management is important to communicate findings and discuss management actions; however, the auditor should report to the board or the audit committee without a filter or inappropriate influence from bank management.

Outsourced internal audit
Community banks may outsource the internal audit function to obtain expertise that is either not feasible or cost-effective organically, or to build more robust independence into the audit function. Community banks commonly use public accounting firms and other professional organizations for outsourced audit tasks. Outsourcing the internal audit function can be beneficial for community banks; however, such arrangements must be contracted with care and managed diligently.

When used in a prudent manner, outsourcing part or all of a community bank’s internal audits has advantages, including:

  • Accessing a level of expertise that is not practical or cost-effective to maintain in house
  • Shifting the fixed cost of employee compensation and benefits to the more variable cost of third-party service providers that can be engaged to accommodate special projects or fluctuating needs
  • Rotating auditing staff to help minimize actual or apparent loss of objectivity.

Outsourcing internal audit also has disadvantages that community banks may face, including:

  • Third-party providers will not initially have the familiarity with the bank’s organization, business model and staff that in-house auditors would have, which may affect audit effectiveness or cause frustration for bank staff.
  • Management must ensure the engagement letter for internal audit services is comprehensive and communication with the service provider is frequent to preclude misunderstandings. The engagement letter should describe the scope of the contract services to be provided and protect the bank from risk.
  • Management must be diligent to monitor the execution of the contract to ensure no internal audit weaknesses arise due to the outsourcing arrangement.

Whether internal audits are conducted in house or by third-party contractors, they bring rigor to a community bank’s risk management.

To maximize that return, community banks must be sure the right person or people manage the internal audit function, and that they have the full support of the board, audit committee and management.


Mary Thorson Wright is a writer in Virginia.
