By Michael Thor, Leader of Protiviti’s North American Internal Audit Practice
Cory Gunderson, Global Leader, Financial Services
On December 30, the federal Office of the Comptroller of the Currency (OCC) issued OCC Bulletin 2016-47, Revised Comptroller’s Handbook Booklet and Rescissions. The handbook is the official field guide for federal bank examiners. The update consolidates 13 years of policy changes and guidance to create a single source of truth for all audit-related supervisory matters going forward.
Further, the bulletin expands the definition of internal audit to include consultation and advisory services, and emphasizes the internal auditor’s role in risk assessment and assurance.
Although the handbook is primarily intended for bank examiners to guide their supervisory review, it is a public document, which gives financial institutions the opportunity to review requirements and remediate gaps prior to an examination. In that sense, it serves as an open-book test.
At 152 pages, the bulletin is heavy reading. We published a Flash Report last month, which offers a high-level summary. Highlighted changes include policy and guidance related to:
- Additional focus on risk management and internal audit’s role in providing assurance that the system is in place and operating effectively
- Clarification of risk-based auditing and the need for dynamic audit plans and risk assessments
- Internal audit’s role in challenging management’s strategic decisions (effective challenge)
- Audit committee composition and responsibilities
- The chief auditor’s independence with respect to administrative reporting relationships
- Identification and reporting of the root cause of control deficiencies and thematic control issues
- Non-internal audit assurance activities
The bulletin also highlights the need for increased governance and oversight by boards and audit committees and the need for more robust policies and procedures around internal audit methodologies, including risk assessment, execution and reporting.
Much of the featured guidance is sourced from OCC Bulletins, the OCC’s heightened standards for certain large banks (12 CFR, Part 30), and internal audit guidance issued by the Basel Committee on Banking Supervision (BCBS). Changes by standard-setting bodies (the American Institute of Certified Public Accountants, The Committee of Sponsoring Organizations of the Treadway Commission, and more), were also incorporated.
There shouldn’t be any shocks here. These are things financial institutions have been hearing from their examination teams for years. The bulletin just brings everything under one umbrella.
Nor should anyone look to the bulletin for implementation instruction. Any changes in the bulletin are principles-based.
Taken as a whole, OCC Bulletin 2016-47 paints a picture of the escalating expectations and responsibilities placed on internal and external auditors, particularly in the years since the 2008 financial collapse. All this has happened over a span of several years, and it’s easy to miss the full scope of change, which only becomes apparent when everything is pulled together under one umbrella.
Read the full Flash Report here.