Internal Audits are a Necessity — Better Done In-House or Outsourced?

Internal Audits are a Necessity

In the world of financial services, where institutions are governed by regulations and information security is of utmost importance, internal audits play a significant role in assuring an institution’s practices are aligned with business objectives, security protocols are in place and all regulations and government mandates are met.

The Institute of Internal Auditors defines the process as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps improve risk management, security and controls by evaluating the procedures and processes of the organization.

The internal audit system at a community financial institution should be specifically designed to provide:

  • Independence and objectivity
  • Qualified personnel to conduct audits
  • Adequate monitoring of internal controls
  • The testing and review of information systems
  • Documentation of tests, findings and corrective actions, and
  • Verification that management and the board of directors reviewed the findings and addressed necessary changes.

These regular reviews are not just beneficial for institutions; they are also mandatory. Federal Financial Institutions Examination Council (FFIEC) guidance dictates that financial institutions perform regular self-assessments or internal audits to “validate the adequacy and effectiveness of the control environment.” However, for many community financial institutions, performing the internal audit in-house can be daunting due to a lack of personnel or in-house expertise, pushing many to identify the most effective third-party service provider to perform internal audit procedures.

In-House Internal Audits

Community financial institutions can choose to conduct internal audits themselves if they have an in-house auditor who is qualified, competent, objective and independent from bank management. Ideally, a community financial institution has someone on staff with an accounting or business degree, professional industry experience, and the appropriate training to conduct a comprehensive, independent internal audit. One of the benefits of an in-house employee conducting the audit is the internal knowledge that person has about the institution’s network and daily operations.

An in-house internal auditor must complete training conducted by industry organizations, such as the ICBA’s Community Banker University®, to prove they understand the trends, issues, procedures and practices related to the financial services industry. Additionally, this demonstrates that the internal auditor function is taken seriously by the financial institution, which, in turn, is important to government agencies and regulators.


Smaller institutions that don’t have the budget or the staff to dedicate personnel to the internal auditor role must outsource this responsibility. While outsourcing this function can prove to be the most effective and efficient solution for any institution, selecting the right outsourced auditor can provide the additional benefit of helping maintain the overall health of an organization and better preparing a bank or credit union for its next regulatory examination.

Some of the advantages of outsourcing internal audits include:

  • Access to a team with a high level of expertise that is not cost-effective to maintain in-house
  • Management has more time to work on strategic projects and focus on other revenue-generating activities
  • Issues associated with staffing and competitive compensation for in-house employees are eliminated, and
  • The issue of loss of objectivity is eliminated.

Whether done in-house or outsourced to a service provider, conducting internal audits is essential to ensure effective monitoring of security controls and to verify an institution’s ability to quickly correct significant IT and compliance vulnerabilities. At Safe Systems, our strategic advisors work with each client to perform quarterly self-assessments or internal audits to gauge IT performance and evaluate emerging risks to the institution. We also leverage this opportunity for the strategic advisor to educate bank personnel on new or changing government regulations to help the institution maintain compliance and be adequately prepared for IT audits and examinations.
