Internal Audit – Are You Ready for Your Next Regulatory Exam?

Now that we are well past the recent crisis, regulators are shifting focus from credit matters to other areas of the bank, including information technology and cybersecurity, strategic planning, interest rate risk, compliance and the internal audit function, among others. This article highlights some issues raised by regulators with respect to internal audit during recent exams.

Regulatory Guidance

If you want to self-assess your internal audit function prior to an exam, take another look at the interagency policy statement The Internal Audit Function and Its Outsourcing, issued in March 2003 (policy statement). This interagency guidance can be found in FDIC FIL 21-2003, Fed SR Letter 03-05 or OCC Bulletin 2003-12.

The Federal Reserve also issued clarifying guidance in 2013 in SR Letter 13-01, Supplemental Policy Statement on The Internal Audit Function and Its Outsourcing. This guidance is specifically applicable to institutions with total assets greater than $10 billion; however, if your institution has less than $10 billion in total assets, keep the trickle-down effect in mind before you dismiss this guidance.

Renewed Regulatory Focus on Internal Audit

We did not see many comments from regulators on the internal audit function during the recent financial crisis, but that has changed. A supervisory examiner from one of the regulatory agencies recently asked, "Where was internal audit during the crisis?" Clearly, this is on their minds.