Consumer Compliance Outlook: Third Quarter 2013

The Importance of the Consumer Compliance Internal Audit Function

By Mark D. Serlo, Managing Examiner, Federal Reserve Bank of Chicago


To ensure compliance with consumer protection laws and regulations, financial institutions must manage risk. This task has become especially important because of the new compliance requirements under the Dodd-Frank Wall Street Reform and Consumer Protection Act and the heightened public scrutiny of financial institutions since the financial crisis. Further, new technologies, product innovation, and the size and speed of transactions have transformed the banking landscape. This dynamic, complex environment makes it challenging for a bank to maintain a consumer compliance risk management program (compliance program) that effectively identifies, analyzes, and mitigates risks.

The internal control and audit functions are important, complementary tools for mitigating risks. Internal controls are “designed to provide reasonable assurance that the institution will achieve the following internal control objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations.”[1] The function of internal audit is to monitor and evaluate internal controls, risk management, and governance processes to ensure their effectiveness.[2] This article explores the key aspects of the internal audit function and provides tips for enhancing it.

Consumer Compliance Internal Audit Fundamentals

The internal audit function is the responsibility of the board of directors (board) and senior management.[3] This function may be formal, informal, committee-based, or outsourced. In addition, staff can be dedicated individuals or from other areas within the bank that are not being audited. The design of the internal audit function depends on the size of the institution.[4]

Regardless of size, an effective internal audit function has several common characteristics. First, the bank’s board, or an audit committee of the board, and senior management must support and actively oversee the internal audit function. The internal audit function provides the board and senior management with analyses, findings, and corrective action recommendations on the activities, operations, and products tested. In this way, the internal audit function is a critical aspect of maintaining an environment of continual improvement.

“Clearly, senior management must take on a very active and involved role in risk management. Although this may seem somewhat obvious, a few recent cases demonstrate, unfortunately, that senior management may not always exercise proper oversight and may not have been as engaged as would have been wise. As supervisors, governance and controls is a key feature we look at in assessing risk management at an institution.”

Former Governor Randall S. Kroszner, “The Importance of Fundamentals in Risk Management,” at the American Bankers Association Spring Summit Meeting, Washington, D.C., March 11, 2008

Second, the internal audit function must be independent and be able to report objective evaluations and unbiased findings to the board or audit committee. To maintain objectivity and independence, the audit function should report directly to the board or audit committee and have the ability to escalate findings. Further, internal auditors should not have management or operational responsibilities that could result in a conflict of interest and hinder their independence. The internal audit function may be assigned to an officer with other nonaudit responsibilities who can maintain independence from the areas being audited. Without independence, the internal audit function’s ability to deliver an unbiased and objective audit report will be questioned.[5]

Third, the internal audit function must identify and evaluate the highest risks associated with the bank. The risk identification and evaluation process is one of the most important aspects of an effective internal audit function. The focus should be on inherent risks (such as product materiality and regulatory requirements) and controls to mitigate those risks (such as procedures, risk monitoring, secondary reviews, and audits). Further, the process should be dynamic and evolve as the bank takes on more or less risk. Thus, internal audit should periodically update control risk assessments to reflect changes in business lines, products, processes, systems of internal control, staff, platform systems, market expansion, and regulatory changes, and should also include external factors.

Fourth, management should prepare an audit plan, which provides the roadmap for the internal audit function. The audit plan should be risk-focused, with the areas selected for coverage and the frequency of coverage based on the level of risk identified in the risk assessment. The plan should be approved by the board and consider all affiliates, business lines, and processes within the bank, including potential acquisitions and planned new products and services. The plan should be revised annually, or the most significant risks re-evaluated.[6]

Finally, audit findings and management’s planned response should be communicated appropriately to the board or audit committee. This enhances their ability to provide oversight and ensure that the audit findings are resolved. Internal audit reports should be presented to members of senior management who are directly affected by the findings. Although the findings should be resolved promptly, a tracking mechanism, such as a report, that describes the findings, identifies the corrective action taken, and establishes timeframes for completion should be incorporated into this process. The resolution should correct the findings and, more importantly, address their root cause. If findings remain unresolved, an escalation process should be employed to report them to higher management in the bank, such as the board or audit committee, to ensure that senior management completes the corrective actions in a timely manner.

Outsourcing the Internal Audit Function

Some financial institutions, particularly smaller ones, outsource the internal audit function. When outsourcing, it is important to remember that an institution has a nondelegable duty to maintain an effective consumer compliance program; the institution — not its vendor — is the one ultimately held accountable. The 2003 interagency guidance discussed this issue at length and offered these recommendations for drafting an outsourcing contract for internal audit:

Enhancing the Consumer Compliance Internal Audit Function

Here are some suggestions for enhancing the consumer compliance internal audit function:

“Clearly, senior managers also need to ensure that they have proper understanding of the risks assumed by their firm, but this does not always happen. For example, we have seen some evidence that information was kept in silos within firms and not adequately distributed both vertically and horizontally within certain firms. This segregation prevented senior managers from developing an enterprise-wide perspective on risks to the whole entity. It meant that managers were not fully aware of the extent to which the risks of the different activities undertaken by the firm could, first, become correlated in times of stress and, second, result in high concentrations of risk exposures.”

Former Governor Randall S. Kroszner, “The Importance of Fundamentals in Risk Management,” at the American Bankers Association Spring Summit Meeting, Washington, D.C., March 11, 2008

As a final takeaway, here are a few questions to consider:

  1. What level of oversight do the board, audit committee, and senior management provide?
  2. Is the internal audit function appropriate for the bank based on its scope of activities, products, and operations?
  3. Do the knowledge and abilities of the internal audit function match the risk profile of the bank?
  4. Is the risk assessment comprehensive of all business lines and products so that it considers the regulatory requirements and identifies the corresponding procedures, internal controls, and risk management?
  5. Are internal audit plans determined by the risk assessment? Do the audit plan and risk assessment consider a product lifecycle evaluation?
  6. Does the internal audit function leverage the management information system capabilities of the bank’s software platforms?
  7. How are audit findings monitored and resolved? Is the root cause identified and addressed?


Regardless of the bank’s size and complexity, the internal audit function plays an important role in managing the risk profile with ongoing improvement in procedures, internal controls, and risk management. This article illustrates the importance of the consumer compliance internal audit function as well as ways to build on the fundamentals, especially in the changing banking landscape of new regulatory requirements and technologies. Specific issues and questions should be raised with your primary regulator.