6 Steps to Construct Your Internal Audit Program
by Sarah Harvey / June 2nd, 2015
Why is an internal audit program important?
The CFPB Examination Manual has become the ruling guidance for those in the collections space, and internal audit is a topic that can’t be taken too lightly. According to the manual, an effective compliance management system should have four interdependent control components:
- Board and management oversight
- Compliance program
- Response to consumer complaints
- Compliance Audit
When these four control components are strong and well-coordinated, a supervised entity should be successful at managing its compliance responsibilities and risks.
Let’s discuss the “compliance audit” component. Where exactly do you start with this?
We recommend you start with the following six core components of an internal audit program:
Step 1: Established Authority
The person in charge of performing the internal audit at your organization must have the established authority to do so. Without the necessary buy-in and support from the highest level of authority, you won’t have the authority or access to the information you need to get the work done.
Step 2: Operational Independence
This piece fits hand-in-hand with having established authority. You simply can’t audit your own work without a definite conflict of interest. The auditing party must not have any operational responsibility for this to be achieved. This may be seemingly difficult for smaller companies to accomplish, however, cross-training employees in different departments (such as accounting or HR) to audit another department is completely acceptable.
Step 3: Policies and Procedures
No audit can be successful without set policies and procedures dictating what and how to audit. Established policies and procedures need to outline the entire process. Fortunately, the policies and procedures you already have in place can serve as a type of QA that you can use as the basis for your audit. Are you doing what your policies and procedures say you’re doing? Are these processes adequate in mitigating risks?
Step 4: Framework of Controls
This piece is important for understanding what exactly you are looking for. What exactly should you be auditing? How often should you be auditing? Using a risk-based approach is key here to understanding where your risks are and making sure you have the right controls in place working to properly mitigate those risks. The audit process looks for ways to constantly improve upon the controls you already have in place. Understanding where and how your business deals with consumers, what consumers complain about, and all applicable laws are all key components to establishing a framework.
Step 5: Reporting Structure
Who does the internal audit department or staff report to? Communicating effectively the results of the audit is just as key as the actual audit itself. The distribution of the audit report should initially be disseminated to Executive Management as well as the Chief Compliance Officer.
Reporting to the appropriate personnel within the organization is important to ensuring that proper remediation steps are taken. The format of the report itself should take a couple of different forms:
- A high level executive summary version of the report should be available for those on the outside of the organization, such as clients and potential clients.
- A full-detailed version of the report should be available for distribution to all internally.
Step 6: Remediation Process
This final step is a review of the testing and the gaps that were found during the audit process. Steps taken to remediate any gaps should be tracked and documented to demonstrate what has been done to ensure the mitigation of any found risks.
Still have questions about developing your own internal audit program? Contact us today and let’s start building your internal audit program.
More Internal Audit Resources
5 Reasons Why Internal Audit is Important
Chief Compliance Officer Series: Constructing an Internal Audit Framework
