We hear the question often. Why is an internal audit program important?
The CFPB Examination Manual has become the ruling guidance for those in the collections space, and internal audit is a topic that cannot be taken lightly. According to the manual:
“An effective compliance management system commonly has four interdependent control components:
- Board and management oversight
- Compliance program
- Response to consumer complaints
- Compliance Audit
When all of the four control components are strong and well-coordinated, a supervised entity should be successful at managing its compliance responsibilities and risks.” (Pg. 35)
So, where exactly do you start? Here are the 6 core components of an Internal Audit Program:
The person in charge of performing the internal audit at your organization must have the established authority to do so. Without the necessary buy-in and support from the highest level of authority, you won’t have the authority or access to the information you need to get the work done.
This piece goes hand in hand with having established authority. You simply cannot audit your own work without a definite conflict of interest. The auditing party must not have any operational responsibility for this to be achieved. This may seem difficult for smaller companies to accomplish; however, cross-training employees in different departments (such as accounting or HR) to audit another department is completely acceptable.
POLICIES AND PROCEDURES
No audit can be successful without set policies and procedures dictating what and how to audit. Established policies and procedures need to outline the entire process. Fortunately, the policies and procedures you already have in place can serve as a type of QA that you can use as the basis for your audit. Are you doing what your policies and procedures say you’re doing? Are these processes adequate in mitigating risks?
FRAMEWORK OF CONTROLS
This piece is important for understanding what exactly you are looking for. What exactly should you be auditing? How often should you be auditing? Using a risk-based approach is key here to understanding where your risks are and making sure you have the right controls in place working to properly mitigate those risks. The audit process looks for ways to constantly improve upon the controls you already have in place. Understanding where and how your business deals with consumers, what consumers complain about, and all applicable laws are key components to establishing a framework.
Who does the internal audit department or staff report to? Effectively communicating the results of the audit is just as key as the actual audit itself. The audit report should initially be distributed to Executive Management as well as the Chief Compliance Officer. Reporting to the appropriate personnel within the organization is important to ensuring that proper remediation steps are taken. The report itself should take a couple of different forms. A high-level executive summary version of the report should be available for those outside of the organization, such as clients and potential clients. A fully detailed version of the report should be available for distribution to all internally.
This final step is a review of the testing and the gaps that were found during the audit process. Steps taken to remediate any gaps should be tracked and documented to demonstrate what has been done to ensure the mitigation of any found risks.
Still have questions about developing your own Internal Audit Framework? Email me at firstname.lastname@example.org with any questions.
Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.