Ever get a sharp pebble in your shoe? If so, we wonder if you are in the group of people that stops to take the shoe off and dump the pebble out, or in the group that tries to keep on walking, hoping the pebble will shift and the pain will subside. While not exactly alike, many bankers sometimes tell us they feel auditors are similar to a sharp pebble in the shoe. Often, bankers will put auditors into the same category as bank examiners - welcome, but not that much. Community bankers would be better served by embracing auditors and examiners as part of the fabric of the industry. Given the risk inherent in banking these days, having a new fresh set of eyes review things can be a good way to help surface and mitigate issues before they get too big.
While some may have a hard time transitioning from "auditors are out to get me" to something more akin to "maybe these folks have expertise and suggestions that can help me improve my risk profile," we think every banker should try. Sure, some auditors and examiners are better than others, but each one may offer a suggestion that can improve long-term results and performance. Here are a few ways we suggest bankers consider to help make sure value is obtained from the auditing process:
First, the audit committee is responsible for identifying the risk areas of the institution's activities and assessing the extent of external auditing involvement needed. The committee is also responsible for determining what type of external auditing program will best meet the institution's needs. In setting the audit scope and process, the committee should consider factors including the size of the institution, nature of business and complexity of its operations. In addition, the committee may determine that additional audits are warranted to cover areas of particularly high risk or special concern.
Now that the audit committee has defined areas they want to have audited, management should begin preparing. Of all the factors required in an audit, preparation is probably the most important one to increase success. Banks should take the time to develop and document a plan that includes the scope, objectives, operations, an opening meeting and the overall program itself. Focusing in on risk areas and conducting reviews to identify opportunities for improvement are critical components of an effective risk management and control framework.
Next, everyone should clearly understand the audit scope. This portion should outline high level goals and objectives of the audit, as well as any specific controls or risks the bank wants to ensure are thoroughly reviewed. In short, the scope defines the parameters the auditor will use and includes expected deliverables, dates and distribution.
To be truly effective, audit teams should also be updated on any unique aspects of the bank's business. A review of any prior year work papers is mandatory, but background and additional information will help. Companies can give auditors a jump on things by providing them with access to senior management and a package of company data that includes any new products, processes or procedures.
A checklist should be created to help guide the process. The list should include information such as contacts, scope and objectives of each audit (since different ones can be going on at the same time). A project timeline should be updated and circulated regularly to bank management to keep everyone informed as the audit progresses. The audit schedule should be robust and there should be formal procedures in place for responding to criticisms or recommendations.
To be truly top performing, however, bankers should try to focus auditors on: specific activities to be reviewed; the adequacy and effectiveness of the bank's risk management and control framework (compared to a relevant reference point); significant risks to the entity; resources and operations (to ensure the potential impact of risks are kept to an acceptable level); and areas that could be improved.
Finally, there should be documented evidence of corrective actions taken by management. The audit should provide the tools to promote an effective and efficient operation, make certain the bank has reliable financial/regulatory reporting and ensure compliance with laws, regulations and internal policies.
Audits are part of banking and can be a powerful way for banks to improve profitability and performance. When used properly, audits can give community bankers the same feeling one gets after dumping a sharp rock out of a shoe.