OCC Bulletin 2016-47 – Revised Comptroller’s Internal and External Audits Handbook Booklet and Rescissions
January 24, 2017
On December 30, 2016, the federal Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2016-47, Revised Comptroller’s Handbook Booklet and Rescissions. This Flash Report includes brief background information and summarizes changes made to the revised booklet on internal and external audits. The information contained herein is not intended as legal advice. Companies should seek the advice of legal counsel or other appropriate advisers on specific questions and practices as they relate to their unique circumstances.
What Is the Comptroller’s Handbook?
The OCC’s Comptroller’s Handbook consists of a series of booklets outlining the OCC’s policies, procedures, methodology and guidance for conducting their examinations of the financial institutions they regulate, which include national banks, federal savings associations, and federal branches and agencies of foreign banks. It is intended to inform OCC examiners and bankers alike about the areas subject to their examinations and the related risks and controls. The Comptroller’s Handbook is available on the OCC’s website at www.occ.gov.
What Section of the Comptroller’s Handbook Was Revised?
As announced in OCC Bulletin 2016-47, issued on December 30, 2016, the “Internal and External Audits” booklet within the Comptroller’s Handbook was revised. It replaces the previous version of the booklet issued in April 2003, as well as two sections of the Office of Thrift Supervision’s Examination Handbook: section 350, on external audit (issued in February 2002), and section 355, on internal audit (issued in April 2011).
Why Was the “Internal and External Audits” Booklet Revised?
The Comptroller’s Handbook is updated periodically to reflect changes in relevant statutes and regulations in the banking industry as well as changes in the OCC’s policies, procedures, methodology and guidance. Updates are also being made to incorporate guidance from the Examination Handbook as a result of the July 21, 2011, integration of the Office of Thrift Supervision (OTS) with the OCC.
What Revisions Were Made to the “Internal and External Audits” Booklet?
The overall structure of the “Internal and External Audits” booklet has not changed. The booklet remains organized into four parts: Introduction, Examination Procedures, Appendixes and References.
- The Introduction includes a great amount of detail on the OCC’s view of the characteristics and practices of effective internal and external audit programs as well as the principles and processes behind OCC reviews of the audit function. The Introduction previously included seven sections. No changes were made to the “OCC Assessment of Audit Functions” section. The other six sections were moved under new headings. The new structure of the Introduction now includes:
  - Background – Overview with a new summary of the three lines of defense and expanded guidance on risk-based auditing and audit programs.
  - Risks Associated with Internal and External Audit Functions – New subsection that describes risks inherent in both internal and external audit functions.
  - Risk Management – Includes expanded risk-management guidance and supervisory expectations relating to the following areas that were included in the previous version of the booklet: Board and Management Oversight, Internal Audit Function, Outsourced Internal Audit and External Audit Function.
  - OCC’s Assessment of Audit Functions – Includes guidance on completing an assessment of the bank’s audit function.
- The Examination Procedures are the OCC’s prescriptive procedures for conducting internal and external audit examinations. The examination procedures remain organized into various topics and underlying objectives. The procedures have been updated to be consistent with changes made to the Introduction section of the handbook.
- The Appendixes include reference materials and worksheets designed to further assist OCC examiners in evaluating the audit function. Notable changes include:
  - A description of the types of audits and control reviews, previously included in the Introduction of the booklet, was added as an appendix.
  - The Glossary and Abbreviations appendixes are new.
  - The audit rating guidance, previously included in an appendix, was moved to the OCC Assessment of Audit Functions section within the Introduction.
  - The Audit Function Questionnaire, previously included in an appendix, has been removed.
- References still include a list of applicable laws, regulations, and relevant OCC handbooks, bulletins and other guidance issued, as well as other standards and publications referenced throughout the booklet.
Since the last update to the handbook in 2003, there has been a significant change in the expectations of audit driven by changes in regulation as well as increased expectations from regulators and stakeholders. Updates the OCC made to the 2016 booklet largely compile the guidance and supervisory expectations that have been established over the last 13 years, with a majority of those changes focused on the eight years since the financial crisis of 2008. Notable changes to the Introduction section of the booklet include:
- Additional focus on the importance of the bank establishing an effective system of risk management as well as internal and external audit’s role in providing assurance that the system is in place and operating effectively
- Further clarification on risk-based auditing and the dynamic nature of the audit plan and risk assessment
- Internal audit’s role in challenging management’s strategic decisions
- Audit committee composition and responsibilities
- The chief auditor’s independence with respect to administrative reporting relationships
- Continuous auditing
- The dynamic nature of the audit plan and risk assessment
- Talent management
- Identification and reporting of the root cause of control deficiencies and thematic control issues
- Guidance on non-internal audit assurance activities.
Much of the new guidance is sourced from OCC Bulletins, the OCC’s heightened standards for certain large banks (12 CFR Part 30), and internal audit guidance issued by the Basel Committee on Banking Supervision (BCBS). Although not specifically highlighted throughout the revised booklet, internal and external audit guidance from the Examination Handbook and changes by standard-setting bodies (the American Institute of Certified Public Accountants, the Committee of Sponsoring Organizations of the Treadway Commission, etc.) were also incorporated.
The Examination Procedures, Appendixes and References sections have also been expanded to incorporate more recent guidance from the BCBS, OCC Bulletins, and the OCC’s heightened standards for certain large banks.
The revised booklet includes a significant amount of new prescriptive guidance. All banking organizations are encouraged to review the guidance in totality and benchmark their internal audit policies, procedures and practices against this booklet. Where gaps are found, firms are encouraged to make any necessary enhancements in a timely manner to avoid regulatory criticism.
Below is a summary of the changes made to each section of the “Internal and External Audits” booklet’s Introduction, which is where the majority of the revisions were made.
Three Lines of Defense
A discussion on the three-lines-of-defense model for risk management was added, explaining each line’s role and responsibilities.
The following guidance was added to the discussion on risk-based auditing:
- Risk-based auditing is a methodology that links internal auditing to the bank’s overall risk-management framework.
- Risk-based auditing allows internal audit to provide assurance to the board that risk-management processes are managing risks effectively in relation to the bank’s risk appetite.
- The bank’s risk appetite should be commensurate with the bank’s size and complexity.
“Providing consultation and advisory services” was added to the description of what constitutes internal audit programs. The following examples of areas where consultation and advisory services may be provided were also added:
- New, expanded, or modified products and services
- Third-party risk management
- Significant bank projects and initiatives.
Risks Associated with Internal and External Audit Functions
This new section lists the eight categories of risk defined by the OCC for bank supervision purposes (i.e., credit, interest rate, liquidity, price, operational, compliance, strategic and reputation) and provides guidance on the following primary categories of risk associated with internal and external audit:
- Operational Risk – Operational risk is affected by the audit program, including decisions to outsource/co-source internal audit functions to third parties.
- Compliance Risk – Internal audit is responsible for testing the adequacy of and compliance with policies, procedures, processes and standards, and is itself subject to compliance requirements.
- Strategic Risk – Although internal audit cannot set bank policies or make business decisions, it can challenge management and provide useful insight and advice for setting objectives and strategic decision-making and can evaluate the quality and substance of management, governance structure and governance processes. Business-line risks may increase as a result of internal audit’s inability to provide independent assurance of strategic business decisions.
- Reputation Risk – Real or perceived deficiencies in audit practices, which include external, outsourced and co-sourced audit, or a lack of confidence in audit objectivity, may increase reputational risk.
This section also states that audit functions are key components of managing risk at banks and that a reduction in the effectiveness of internal or external audit functions can indirectly increase risk in all categories.
The introductory paragraph of this new section states that all banks should identify, measure, monitor and control risk by implementing an effective risk-management system appropriate for the size and complexity of their operations. Also, all banks should have an effective audit program that ideally consists of a full-time, continuous program of internal audit coupled with a sound external auditing program.
Board and Management Oversight
Board of Directors
The responsibilities of boards of directors have been expanded to include:
- Ensuring that audit programs test internal controls to identify thematic control issues across business activities or auditable entities and the root cause of any significant control issue.
- Consulting with internal audit, along with other relevant functional areas, as part of due diligence before introducing new, expanded or modified products or services.
Audit Committee Composition
This new section incorporates and consolidates requirements for audit committee composition included in 12 CFR 363.
Banks with Holding Companies
This section incorporates the OCC’s heightened standards for certain large banks, which outline when a bank holding company’s risk-governance framework, including the independent audit committee, may be used for those covered banks.
This section also incorporates requirements from 12 CFR 363, Appendix A.30 on bank audit committee composition and holding company relationships. Specifically, officers and employees of a top-tier or mid-tier holding company may not serve on the bank’s audit committee. Members of the holding company audit committee (if the bank uses this committee) must meet all membership requirements of the largest subsidiary bank subject to 12 CFR 363. When the bank maintains its own audit committee, members of the top-tier or any mid-tier holding company audit committee may serve on the bank audit committee if they are otherwise independent of management of the bank.
Fiduciary Audit Committee
No major changes were made to the guidance included in this section, which was previously included in the Supplemental Examination Procedures section of the 2003 booklet.
Audit Committee Responsibilities
General responsibilities of the audit committee have been expanded to include regulatory guidance issued since the 2003 version of the booklet, including:
- Ensuring that senior management establishes and maintains an adequate and effective internal control system and processes
- Ensuring that external auditor engagement letters and any related agreements for services do not contain any unsafe and unsound limitation of liability provisions before commencing engagement
- Establishing and maintaining procedures (also known as whistle-blower procedures) for bank employees to submit confidential and anonymous concerns to the committee about questionable accounting, internal accounting control or auditing matters. Procedures should be set up for timely investigation of complaints received and appropriate documentation retention.
Audit committee responsibilities for overseeing the internal audit function were also expanded to incorporate guidance issued by the OCC since the 2003 version of the booklet.
Audit Committee Charter
Guidance on the independence of the chief audit executive was added.
In managing the internal audit function, the revised booklet states that the chief auditor is responsible for control-risk assessments, audit plans, audit programs and audit reports.
Internal Audit Oversight and Structure
Guidance was added to this section regarding dual bank-reporting arrangements in which the chief auditor is functionally accountable to the audit committee but reports to another senior member of management on administrative matters.
Guidance was also added noting that banks that seek to coordinate the internal audit function with several risk-monitoring functions (e.g., loan review, market risk assessment and legal compliance departments) by establishing an administrative arrangement under one senior executive should do the following:
- Banks should ensure that the administrative reporting relationship is designed so as not to interfere with or hinder the chief auditor’s functional reporting to, and ability to communicate directly with, the audit committee.
- The audit committee should ensure that efforts to coordinate these monitoring functions do not result in the chief auditor compromising his or her independence.
- The chief auditor should have the ability to independently audit these other monitoring functions.
Internal Audit Charter
The revised booklet now includes a list of specific elements required in the Internal Audit Charter.
Board or Audit Committee Reports
There were no major changes to this guidance other than adding “the root cause of issues and their impact on the organization” to reports discussing significant accounting issues and regulatory reports and findings.
Outsourced Internal Audit Oversight Responsibilities
Guidance on outsourcing relationships contained in previous OCC material was incorporated into the handbook. Language was also added indicating that the OCC would encourage large, complex banks to perform the substantial majority of internal audit activities with in-house personnel.
Holding Company or Affiliate Party Services
Guidance was added in this section regarding situations where the bank employs audit services from its holding company or one of its affiliates and/or the bank chief auditor is associated with the bank’s holding company.
Internal Audit Function
References to 12 CFR 30, Appendix A, II.B and Appendix D, II.I were added that state the internal audit function should monitor the bank’s internal controls systems by ensuring that audit activities are performed by qualified persons. For certain larger banks, the board or an appropriate board committee should review and approve a written talent-management program for development.
A paragraph was added stating that internal audit should have ongoing communication with its stakeholders and be aware of and understand the bank’s strategic direction, objectives, products, services and processes, as well as relevant laws and regulations. The chief auditor should also develop an ongoing communication process with management to keep current on changing business and risk issues.
A paragraph with a footnote was added relating to safeguarding information in fulfilling internal audit responsibilities in compliance with the Gramm-Leach-Bliley Act (GLBA).
Risk-Based Auditing Program Design
Guidance from the “Audit” booklet of the Federal Financial Institutions Examination Council’s IT Examination Handbook was added: “Identify the institution’s data, application and operating systems, technology, facilities and personnel.”
Guidance on policies and procedures governing the internal audit program was incorporated into this section.
Audit Risk Assessment Methodology, Including Audit Universe and Audit Risk Assessment
This section of the booklet was expanded significantly and now includes specific, detailed guidance on the components of the risk-assessment methodology, considerations for identifying the audit universe, a list of major risk factors commonly used in the risk assessment, written guidelines on the use of risk-assessment tools or risk factors, etc.
It states that the bank’s risk-management framework, including any established risk-appetite levels set by management for the different activities or parts of the organization, should be taken into account in internal audit’s risk assessment. It also states that the internal audit function can leverage risk assessments conducted by other areas of the bank in establishing and maintaining its overall audit risk assessment and, when doing so, the internal audit function should apply independent judgment.
New concepts incorporated into the guidance within this section include the development of a written risk-scoring methodology, the dynamic nature of the risk assessment and identification of thematic control issues.
Overall Audit Plan
The guidance included in this section was also expanded significantly.
The introductory paragraph of this section highlights expectations for a dynamic audit plan and risk assessment. Specifically, the audit plan should take into account the bank’s risk profile, emerging risks and issues, and should be reviewed in the event there is a change in risk to determine whether planned audit coverage should be changed.
Additions to this section include a requirement that internal audit coverage reflect the identification of thematic control issues across the bank’s auditable entities. Also, the audit plan should require internal audit to evaluate the adequacy of and compliance with policies, procedures and processes established by front-line units and independent risk management under the risk-governance framework.
A list of typical items included in audit plans was provided. New items include:
- Staff assignments by audit (number, hours, outsourcer, auditor title)
- Anticipated timing and scope of relevant non-internal audit assurance coverage, such as a service-organization control (SOC) audit to attest controls at a third-party servicer.
Last, the booklet notes that the audit plan can be a multi-year approach, with the audit plan revised annually, or an approach that uses the audit risk framework to evaluate risks annually, focusing on the most significant risk. When using this latter approach, there should be a process to identify when a significant risk will not be audited in the specified time frame and to notify the audit committee and seek approval of any exceptions.
Audit Plan Changes
The theme of a dynamic audit plan is echoed in this section. The booklet states, “The audit planning process should be dynamic, allowing for change when necessary. The process should provide for modification of the internal audit plan to incorporate significant changes that are identified either through continuous monitoring or during an audit. The chief auditor should review and adjust the plan, as necessary, in response to changes in the bank’s risks, operations, programs, systems, and controls” and communicate significant changes to the audit committee.
Audit Plan Staffing
The updated booklet includes detailed guidance on audit plan staffing, including, for example, that the chief auditor assign internal audit staff according to the expertise and skills needed to execute a particular audit. In considering the qualifications of the internal audit staff assigned to a given audit, the chief auditor should look at the skills and expertise of the team collectively.
This section states that the residual risk score is most commonly used in assigning the audit cycle, taking into account mitigating controls, but describes instances when the inherent risk score should be used.
Audit Work Programs
This section was updated to reflect that audit work programs may include automated processes used by auditors to perform assurance activities and are generally housed within a technology-based tool. Further, the chief auditor should ensure they are properly maintained and that controls are in place to ensure integrity, confidentiality and availability.
This section was added to the booklet and describes the types of controls and types of control tests. It states that the control-testing approach employed should provide the appropriate level of assurance and take into consideration non-internal audit assurances.
Sampling Methods and Techniques
No changes were made to the guidance on sampling methods and techniques.
Assessing Deficiencies by Internal Audit
This section was added to the booklet and incorporates a number of concepts examiners have been emphasizing in recent years, including the requirement for the internal auditor to evaluate the risk severity of control design and operational deficiencies identified by both internal audit and bank management, perform a root-cause analysis to identify underlying causes of deficiencies, and assist in the identification of thematic control issues. Internal audit should apply the bank’s approved risk-scoring methodology when assigning the risk severity.
Internal Audit Continuous Auditing
This new section of the booklet states that internal audit is encouraged to use formal continuous auditing practices to:
- Support adjustments to the audit plan or universe as they occur as part of the internal audit risk-assessment process
- Monitor processes, transactions and accounts to enhance efficiency and effectiveness of internal audit efforts.
Also, computer-assisted audit techniques (CAATs) may assist in:
- Searching for irregularities in data files or extrapolating large amounts of data for further analysis
- Simplifying or automating the data-analysis process and help auditors highlight issues that warrant further consideration.
Internal audit policies and standards surrounding continuous auditing activities should be adequately documented. Critical issues identified through continuous auditing should be communicated to the audit committee.
Non-Internal Audit Assurance Activities
This new section describes non-internal audit assurance activities that may be performed by third parties, the bank’s holding company or other affiliates. Although they can help minimize the duplication of work and disruption to operations, provide audit coverage and conserve resources for high-risk processes, adequate policies and procedures should be established with guidance on evaluating non-internal audit assurance reports, including their source, the type of testing performed and the sampling methods employed. Additional support information, control-issue follow-up and internal audit reporting may be needed.
Internal Audit Reports
This section includes some additional requirements for audit reports. As stated in the OCC’s heightened standards, for certain large banks the report should reflect an assessment of risk-management activities conducted by the front-line units and the independent risk-management function to identify and resolve issues in a timely manner. The report should also address potential and emerging concerns.
No changes were made to the guidance in this section.
Internal Audit Issues Tracking
This new section specifies that internal audit’s validation work should commence when an issue owner indicates that an issue is closed, but internal audit should not consider an issue closed until its validation work has been completed. As such, issue status reporting should distinguish between issues closed by the bank (which are pending validation) and issues closed by internal audit. The level of validation work performed by internal audit should be based on the issue’s risk severity. For higher-risk issues, internal audit should perform and document substantive testing and test associated internal controls over an appropriate period of time to ensure sustainability.
Various validation approaches are acceptable, but the validation approach taken should be adequately documented in internal audit’s policies and procedures. Internal audit’s issue-status reporting to the board or audit committee should include changes in issue ownership, target remediation dates, remediation plans or repeat audit issues. Multiple changes and repeat audit issues should trigger additional root-cause analysis of management’s ability and willingness to correct deficiencies and manage risks.
Quality Assurance and Improvement Programs
This section has been updated to include much more detail on the nature of internal audit’s quality assurance and improvement program, which includes both internal and external assessments. Key performance indicators and key risk indicators should be well defined. The qualifications and independence of the individual or team performing the external assessment should be carefully assessed. The results and status of internal and external assessments performed should be reported to senior management and the audit committee at least annually.
Internal Audit Independence
The guidance on organizational independence in this section is duplicative of the guidance in the Internal Audit Oversight and Structure section on pp. 14–15 of the revised booklet. Additions to this section include that independence should also be managed at the individual auditor or audit activity level with appropriate written guidance. This may include policies that restrict internal audit staff from performing audit activities in the auditor’s previous employment areas for a set period and require a review or repeat of audit work, or both, for areas to which an internal auditor moved after the audit.
Internal Audit Competence
New guidance includes performing a skills assessment of the internal audit staff against the bank’s internal audit needs to identify skill gaps. The chief auditor should document a plan to address short- and long-term staffing needs and communicate such plans to the audit committee as part of the audit plan.
This section also includes guidance on internal audit professional-development programs and states that auditors should be aware of emerging risks related to the banking industry and relevant banking products and services. When the bank co-sources with a third party to obtain subject-matter expertise, knowledge should be transferred to current internal audit staff.
Advisory and Other Activities
This section has been updated to emphasize internal audit’s role in supporting the bank’s overall risk management. Internal audit should provide some degree of risk-management analysis or recommendations and execute this role during a bank’s mergers, acquisitions, corporate reorganizations and transition activities, as well as in due diligence of critical third-party relationships.
Retrospective Reviews, Preparedness Reviews and Look-Back Reviews
These new sections describe these three types of reviews, internal audit’s responsibility to perform and/or evaluate them, and reporting on the results to senior management and the bank board.
Outsourced Internal Audit
This section was updated to include more detailed guidance on internal audit outsourcing relationships, covering due diligence, written contracts and agreements, and the quality of audit work performed by the third party.
External Audit Function
This section was updated to include more detailed guidance on the various aspects of the external audit function and incorporates AICPA, Public Company Accounting Oversight Board, and Securities and Exchange Commission standards and requirements included within 12 CFR 363.
OCC Assessment of Audit Functions
Few changes were made to the general guidance within this section of the booklet.
Specific sections were added describing the following types of supervisory reviews: corporate and risk-governance reviews, Part 363 Annual Reports reviews, centralized third-party audit reviews, and Sarbanes-Oxley Act Section 404 attestations.
The Use of Supplemental Procedures section includes the following additional situations in which examiners must consider expanding audit program examination procedures:
- Identification of significant operational or functional business area(s) not identified by audit
- Significant concerns about the adequacy of internal audit, the soundness of internal controls, or the integrity of financial or risk-management controls for an audited area
- Any of the following issues:
  - Key account records are significantly or chronically out of balance
  - Management is uncooperative or poorly manages the bank
  - Management attempts to restrict access to bank records
  - Significant accounting, audit or internal control deficiencies remain uncorrected from previous examinations or from one audit to the next
  - Bank auditors are unaware of, or unable or unwilling to sufficiently explain, significant deficiencies
  - Management engages in activities that raise questions about its integrity
  - Repeated violations of law affect audit, internal controls or regulatory reports.