Academic journal article Journal of Accountancy

Beyond Traditional Audit Techniques

Article excerpt

Internal auditors don't just audit control activities; they also monitor a company's risk profile and play a key role in identifying areas to improve risk management processes. However, if they don't completely understand the risks of the business, internal auditors can perform only traditional checklist tasks. At California Federal Bank (Cal Fed) we helped our internal audit team transform itself into a catalyst for change as a key risk adviser. Our experience--as department head and audit manager--in taking an enterprise-wide view and adopting a more progressive approach to audits may serve as a model for other internal auditors to use to become a cornerstone of risk management in their own companies.

GETTING STARTED

In 1995 what is now Cal Fed (the country's third largest thrift) set out to be a first-class West Coast financial institution. To make this happen, it needed to grow its retail and commercial banking franchises in California and Nevada and build itself into one of the country's top mortgage servicers and a leader in indirect auto financing through its subsidiaries in Maryland and Texas. Achieving this goal required numerous acquisitions, conversions and integrations as well as the development of new business lines and products.

How the company managed risk from all these changes was critical to success. As audit professionals, we needed to be able to discern significant details of business operations and look "through the windshield" for oncoming risks while communicating with operating managers in a clear and timely manner. To achieve these objectives and match our department's capabilities to the bank's growth and increasingly complex operations, we overhauled the internal audit team and expanded to 40 professionals from a group of 15. Our department reports directly to the audit committee and administratively to the chief financial officer, with an indirect line to the president. While these reporting lines have not changed, our internal auditors are now able to take advantage of contact with the president. Effectively used, these reporting relationships ensure audit's independence and provide us with access to the top of the organization with its big-picture perspective.

To identify risk areas and continuously monitor the company's risk profile, we had to transform the internal audit department from its traditional role--performing checklist activities--to one that focused on corporate and business unit goals, strategies and risk management processes. To achieve this restructuring, we asked ourselves these fundamental questions:

* How do we define internal control?

* What best practices should we incorporate into audit's evolving role?

* How can internal audit become an integral part of risk management processes and maintain independence?

* What should the department's strategic plan be?

* How should the audit group deliver its services and communicate its observations?

DEFINE INTERNAL CONTROL

Simply testing control activities under a traditional audit system gives internal auditors a very narrow focus--a significant problem with our former process. To help create an auditing methodology based on process improvement and continual risk assessment, we adopted the Committee of Sponsoring Organizations of the Treadway Commission's definition of internal control and incorporated it into our mission statement. The COSO definition expands internal audit's traditional testing of control activities, such as policies and procedures and approvals and reconciliations, to include four additional components that derive from the way management runs a business: control environment, risk assessment, information and communication and risk monitoring (see "The COSO Framework: An Overview" on page 31). To integrate these components into our enterprise-wide risk management program, we informed the business area managers we planned to work with them to address risks based on the COSO objectives--namely, effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable law and regulations. …
