October/November 2007
Focus: Directors Issues
Seven Improvement Tips for the Directors Audit Committee
By Len Filppu
The Directors Audit Committee (DAC) plays a critical role in helping the bank manage risk, comply with the regulatory environment, and oversee corporate governance. But unexpected risk factors continually arise, regulatory focus and priorities shift, and standards of independence, responsibility and liability have never been higher. How can Directors Audit Committees ensure they are properly performing their multiple duties?
The answer is by conducting regular performance self-evaluations. Here are seven improvement tips that Directors Audit Committees can build into their policies and procedures to help assure ongoing, high-functioning success.
- Ensure an independent reporting structure for the internal auditor.
In order to avoid any undue influence by bank management on the internal audit function, regulators and Sarbanes-Oxley guidelines require that internal audit be truly independent. The DAC should document that the internal auditor or coordinator reports directly to the DAC. Additionally, the internal auditor should have regularly scheduled executive sessions with the DAC without bank management present, and the minutes of these sessions should be recorded.
- Follow up on regulatory and internal audit findings.
Findings and recommendations from regularly scheduled internal audits should be acted upon in a prompt and systematic fashion. Penalties for repeat findings from regulatory examinations can be severe, resulting in loss of income and loss of regulatory trust. Findings and corrective actions should be tracked in a corrective action log or report that is regularly updated and presented to the DAC.
- Ensure the security of the bank’s Information Technology network.
As information technology (IT) networks, interactive websites and online banking systems increasingly drive bank business, ensuring their security becomes increasingly critical. Breaches of bank network security damage reputations and can erode the trust of customers, third parties, and regulators. The DAC should insist upon an annual program that includes comprehensive IT internal auditing, internal and external penetration testing, and information security reporting. The DAC should also regularly review the minutes of the bank’s IT Steering Committee in order to stay abreast of technology planning and any changes that may affect risk.
- Provide thorough coverage of “hot” audit areas.
Regulators periodically elevate their focus on high-profile compliance, operations and financial reporting risk areas. Currently, these “hot” areas include the interest rate risk (IRR) process and especially IRR model back testing, the allowance for loan and lease losses, and Bank Secrecy Act/Anti-Money Laundering compliance. The DAC should insist that the bank provide ongoing internal audit coverage of these areas at an industry-standard frequency (annually is suggested), allocate the appropriate scope and time to do the job right, and maintain written records of all audit reports, findings, work papers and corrective actions.
- Ensure the bank’s internal audit staff has the appropriate expertise and competence.
Higher standards of responsibility and heightened regulatory scrutiny have propelled internal audit into a pivotal risk management role within the bank. Those charged with maintaining the internal audit function must be knowledgeable about its specifics, ongoing changes in the rules, and acceptable industry standards. But since no one person can be an expert in all of today’s key banking risk areas, the internal audit staff should also be an insightful evaluator of the independent, outsourced internal audit expertise that provides key coverage.
- Promote cross-institutional communication and support between internal audit and the bank’s risk management functions.
Interaction and coordination between the bank’s risk management function and its internal audit function help reduce the bank’s overall risk. A good place to start is to share information and planning when the internal audit plan is developed. The DAC should also communicate the results of internal audit findings to the risk management function. Communication between risk management and internal audit will strengthen both functions.
- Directors Audit Committee members should educate themselves on their roles and responsibilities.
It’s often difficult to stay ahead of change, but the combination of new Sarbanes-Oxley guidelines, tighter expectations from bank shareholders and regulators, and the increased likelihood of fines and regulatory sanctions demands that DAC members educate themselves on how to fulfill their fiduciary responsibilities. Ongoing reading of relevant articles from banking journals and online research, and attendance at training workshops and banking industry conferences, seminars and trade shows, should be a routine part of each Directors Audit Committee member’s practice.
Len Filppu is executive vice president/director of operations for AuditOne LLC (www.audit-one.com), a San Jose, Calif.-based independent internal audit firm specializing in banks and their service providers throughout the
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
