1. The views expressed in this presentation do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System Association of International Bank Auditors (AIBA) Conference June 9, 2011 Current Role of Internal Audit Presented by: Roseanne Farley, Examining Officer – Federal Reserve Bank of New York

2. 2 Internal Audit and the Current Control Environment  Key areas impacting Internal Audit’s Role:  Increased complexity of financial services  Changing and increasing role of supervision and regulation  Limits on budgets and resources  Increasing globalization of institutions, issues, and resources  Relationship of audit with key control functions

3. 3 Audit Issues Impacting Foreign Banking Institutions  Development of global audit processes, procedures, and systems  Location of staff and use of head office staff at overseas locations  Tailoring of audit processes and procedures to specific jurisdictions and legal requirements  The impact of cultural issues on audit coverage  The relationship of audit with senior management at head office and in the locality

4. 4 Evaluation of Internal Audit’s Independence and Staffing  Independence and Reporting Line  Jurisdictional issues and differences  Adequacy of reporting to head office audit and roll-up to audit committee  Adequacy of audit staffing – sufficient staff with expertise in key areas; potential use of outsourcing or co-sourcing; adequate on the job training  Evaluation of local vs. overseas staff participating in audits  Determine adequacy of resources through analysis of audit’s work  Annual staff skill gap assessment

5. 5 Internal Audit Processes  Sufficiency of audit processes  Identification of the audit universe  Internal audit methodology  Audit risk assessment and plan  Audit work – planning memo, scope, audit program, work papers, appropriate sample sizes, adequate documentation and cross- referencing  Audit reports  Audit tracking system

6. 6 Internal Audit Methodology  Establish auditable entities -  e.g. identify all legal entities, departments, corporate functions, geographic locations, committees – review at least once a year for changes  Analyze the risk of all auditable components using established risk factors  Determine the appropriate level of risk-  Establish a risk hierarchy using a standard format – usually high, medium and low

7. 7 Audit Risk Assessment and Plan  Identification of key risks within the institution separate from management  Format of the methodology:  Risk-based  Qualitative/quantitative factors  Combination of risks and other factors  Tailored to each institution  New plan developed every year  Normally part of a multi-year cycle - three or four years; some institutions using no cycle with high risk audited every year – need additional controls  Approved by the Audit Committee annually ◦ justification for canceling or delaying specific audits

8. 8 Audit Work  Audit Programs:  Detailed programs for each auditable area  Completed during the first audit and subsequently updated  Coverage of key risks and controls in the area – may be linked to self- assessment  Evidences sufficient knowledge of the business  Cross reference between risks, controls and audit tests  Audit Reports:  Detailed analysis of the entire audit including executive summary, detailed scope of planned audit, description of the work performed, analysis of conditions and/or rating, recommendations, management’s response (in most cases)

9. 9 Audit Tracking System  Tracking system- spreadsheet or automated  May identify issues by high, medium or low  Identifying trends and root causes  Methodology for clearance  Responses validated immediately or during next audit  Reporting and escalation for open issues  Significant items cleared in a timely manner

10. 10 Continuous Monitoring/Auditing  Continuous Monitoring  Techniques used by internal audit:  Regular meetings and discussions with management  Participation on committees  Review of self-assessment data  Used to determine changes to audit coverage  Continuous Auditing  Ongoing testing of key processes, risks, and controls  Used of automated tools to detect patterns of control issues

11. 11 Suggested Areas for Internal Audit Emphasis  Focus on systemic risk and both its impact on the institution and how the institution could create systemic risk in the financial services arena  Continued evaluation of governance and strategic processes  Compliance with all new rules and regulations  Emphasis on both individual business areas and cross-functional processes  Identification and escalation of thematic control issues

12. 12 Suggested Areas for Internal Audit Emphasis  MIS and infrastructure weaknesses and changes  Understanding management’s business strategy and risk tolerance – clear articulation  Focus on potential areas of fraud risk  Use of operational risk loss data to identify common control weaknesses

13. 13 Trends in Internal Audit  Most institutions still use a defined audit cycle  Increased emphasis on horizontal and targeted reviews  Use of enhanced continuous monitoring as a tool to identify emerging risks  Some increase in hiring due to additional demands on audit as a result of both the current environment and regulatory reform  Using Quality Assurance as a training tool  Global macro risk assessments identifying six or seven key areas impacting the institution

14. 14 Continued Areas of Audit Weakness  Insufficient documentation in several areas  risk assessment conclusions  rationale for deferring audit work in work papers  rationale for selecting a specific sample size  Additional date should be provided to head office audit or the Audit Committee  Lack of an internal Quality Assurance function or external Quality Assurance review  Insufficient sample sizes