EXECUTIVE SUMMARY

CAL FED'S INTERNAL AUDITORS MONITOR THE COMPANY'S risk profile and play a key role in identifying areas for risk management. Understanding the business operations can make the auditors a catalyst for change, with a prominent position as key risk advisers.

THE COSO DEFINITION EXPANDS internal audit's traditional testing of control activities, such as policies and procedures and approvals and reconciliations, to include four additional components that derive from the way management runs a business: control environment, risk assessment, information and communication and monitoring.

AUDITORS NEED MORE THAN A LIST of controls to assess how management deals with risks. Some best practices for internal auditors to adopt are monitoring business activities and key performance indicators continuously, coordinating with other risk management functions, developing the audit plan based on risk priorities and getting involved in technology projects.

AT CAL FED, THE CLIENT SERVICE TEAM IS RESPONSIBLE for reviewing the risk profiles of the entities assigned to it, completing the risk assessment with a report and developing/providing the appropriate audit services. Teams are chosen based on experience, geographic location and interests of their members, and they can rotate audit assignments every two to three years.

BUSINESS UNITS PROFIT FROM ongoing risk monitoring and the information exchange internal audit teams provide. The auditors can track progress, identify new opportunities or ask questions without waiting for the formal audit to take place.
PAUL E. LINDOW, CPA, is senior vice-president and director of audit and regulatory risk management at California Federal Bank in San Francisco. His e-mail address is plindow@calfed.com. JILL D. RACE, CPA, is vice-president and audit manager at California Federal Bank's West Sacramento office. Her e-mail address is jrace@calfed.com.
Internal auditors don't just audit control activities; they also monitor a company's risk profile and play a key role in identifying areas to improve risk management processes. However, if they don't completely understand the risks of the business, internal auditors can perform only traditional checklist tasks. At California Federal Bank (Cal Fed) we helped our internal audit team transform itself into a catalyst for change as a key risk adviser. Our experience, as department head and audit manager, in taking an enterprise-wide view and adopting a more progressive approach to audits may serve as a model for other internal auditors to use to become a cornerstone of risk management in their own companies.
GETTING STARTED

In 1995 what is now Cal Fed (the country's third largest thrift) set out to be a first-class West Coast financial institution. To make this happen, it needed to grow its retail and commercial banking franchises in California and Nevada and build itself into one of the country's top mortgage servicers and a leader in indirect auto financing through its subsidiaries in Maryland and Texas. Achieving this goal required numerous acquisitions, conversions and integrations as well as the development of new business lines and products.
How the company managed risk from all these changes was critical to success. As audit professionals, we needed to be able to discern significant details of business operations and "look through the windshield" for oncoming risks while communicating with operating managers in a clear and timely manner. To achieve these objectives and match our department's capabilities to the bank's growth and increasingly complex operations, we overhauled the internal audit team and expanded to 40 professionals from a group of 15. Our department reports directly to the audit committee and administratively to the chief financial officer, with an indirect line to the president. While these reporting lines have not changed, our internal auditors are now able to take advantage of contact with the president. Effectively used, these reporting relationships ensure audit's independence and provide us with access to the top of the organization with its big-picture perspective.
Traditional vs. Progressive Approach: Internal audit's evolving role

| Traditional | Progressive (best practices) |
|---|---|
| Audit focus | Business focus |
| Transaction-based | Process-based |
| Financial account focus | Customer focus |
| Compliance objective | Risk identification, process improvement objective |
| Policies and procedures focus | Risk management focus |
| Multiyear audit coverage | Continual-risk-reassessment coverage |
| Policy adherence | Change facilitator |
| Budgeted cost center | Accountability for performance improvement results |
| Career auditors | Opportunities for other management positions |
| Methodology: focus on policies, transactions and compliance | Methodology: focus on goals, strategies and risk management processes |
To identify risk areas and continuously monitor the company's risk profile, we had to transform the internal audit department from its traditional role (performing checklist activities) to one that focused on corporate and business unit goals, strategies and risk management processes. To achieve this restructuring, we asked ourselves these fundamental questions:

How do we define internal control?
What best practices should we incorporate into audit's evolving role?
How can internal audit become an integral part of risk management processes and maintain independence?
What should the department's strategic plan be?
How should the audit group deliver its services and communicate its observations?
DEFINE INTERNAL CONTROL

Simply testing control activities under a traditional audit system gives internal auditors a very narrow focus, a significant problem with our former process. To help create an auditing methodology based on process improvement and continual risk assessment, we adopted the Committee of Sponsoring Organizations of the Treadway Commission's definition of internal control and incorporated it into our mission statement. The COSO definition expands internal audit's traditional testing of control activities, such as policies and procedures and approvals and reconciliations, to include four additional components that derive from the way management runs a business: control environment, risk assessment, information and communication and risk monitoring (see "The COSO Framework: An Overview"). To integrate these components into our enterprise-wide risk management program, we informed the business area managers we planned to work with them to address risks based on the COSO objectives, namely, effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable law and regulations. To apply the COSO definition of internal control to our audit methods, we asked company executives for ways to improve and revise Cal Fed's audit methodology. We had complete support from Cal Fed's top management and the audit committee to overhaul our function and implement the COSO objectives, which we knew would require (and, in fact, did require) implementation in stages over several years.
ADOPT BEST PRACTICES

To assess how well the company deals with risks, we needed more than a list of required controls. With the COSO model as a guide, we developed and incorporated the following best practices into the audit function.
Monitor business activities and key performance indicators continuously. As internal auditors we must keep abreast of what's happening in the organization's environment. We do this by attending executive committee meetings, obtaining important management reports and identifying and meeting with key department heads throughout the year. For example, the consumer lending unit had had no significant problems for a number of years, so we did not schedule it for a current-year audit. However, because we maintained contact with its managers, we discovered the area had a new business plan to increase volume and add more employees. Because of these changes we then scheduled the unit for an audit.
Coordinate with other risk management functions. In evaluating quality control, security, asset review and credit administration processes, we try to leverage the work of other departments where possible by reviewing the scope of their activity and considering their results in our approach. For example, rather than just using our own samples for testing, we examine the unit's quality control program and selectively validate the results. We also can coordinate the timing of an audit with a department's ongoing loan review, draw on its findings to determine which policy interpretations caused underwriting exceptions and suggest process improvements.
Develop the audit plan based on risk priorities. Rather than scheduling audits according to a standard cycle of one-, two- or three-year rotations, we base the frequency of audits on a business area's risk factors, such as previous poor audit ratings or significant changes in personnel. This allows us to focus on the highest risk priorities within the company and to devote appropriate resources to new and changing areas. We also train managers to update their own risk assessment systems and methodologies, for example, by showing them how to implement steps to monitor quality control and segregation of duties.
Get involved in technology projects. As internal auditors we know we must be involved in activities such as systems development and conversions, process reengineering, new products and services, mergers and acquisitions and the analysis of new IT policies. At Cal Fed we look at controls before technology teams implement them and take steps to address IT risks rather than react to problems after they occur. For example, before management installed a new loan origination system, we identified supporting applications that would affect operational processes, business resumption plan requirements and network security issues, such as controlling user access and ensuring that supporting applications interacting with existing systems had proper controls. (For more information on this topic, see "Risky Business," JofA, June 02, page 65.)
We knew some of our auditors were more comfortable with traditional control activities, such as approval of journal entries, so we coached them to understand primary business objectives and related risks. Our audit managers accomplished this by regularly meeting with their teams throughout each stage in the audit, asking questions to foster each team's understanding of business operations. For example, while conducting the electronic banking audit, the manager asked the team to explain how this business area generated revenue from debit card transactions and why the formulas used to determine its budget varied from the previous year.
Team members also participate in industry-related training to improve their knowledge of company issues. Before an audit, one of the team explains to area managers how to use the COSO framework to self-assess their internal controls and emphasizes that business and audit risks are really the same things. For example, following the COSO objectives of maintaining effective operations and adhering to compliance procedures, the manager of the electronic banking department set up a monthly certification process to ensure employees complied with policies to investigate unauthorized card use, thus improving controls.
BECOME PART OF THE PROCESS

While the close partnerships we have with the business areas and top management could lead to impaired objectivity, we follow certain guidelines to avoid this pitfall, taking care to act in an advisory capacity rather than exercise decision-making authority. Examples of how we used this approach in three of the company's business units follow:
Loss management. The loss management unit is part of the retail operations division and coordinates efforts to reduce losses throughout Cal Fed, a significant responsibility given industry trends of increasing identity theft, loan fraud and robbery. In 1999 internal audit and the loss management unit brought managers together from retail banking, corporate security and information technology to form the operational risk management committee (ORMC). This group identifies and tracks ongoing initiatives such as identity-theft education and prevention using specially created spreadsheets. Internal audit actively participates in committee discussions, regularly conducts research and presents ORMC with benchmarking information.
The internal audit team reviewed the loss management area's annual business plan and monthly status reports, which led to improvements in how the unit identifies underlying causes of large losses and how it will mitigate them in the future. Since these reports highlight the unit's critical priorities, the review enables the team to get involved in key department actions, such as providing controls consulting for upcoming projects.
Auto lending. Since Cal Fed grew through acquisition, internal audit had to be a bridge builder. For example, a few years ago our auto-lending subsidiary in Texas was considering how to fund its indirect auto loans more efficiently. At the same time the retail division in California was completing a project that would allow Cal Fed to generate automated clearinghouse transactions. Audit facilitated a meeting between the two groups, which led to a redesigned loan-funding process using more automation and increased cost savings.
The internal audit team also attends meetings between the subsidiary's underwriting and loan service groups, participates in discussions and reviews reports of defaulted loans. By doing so, the team targets its testing to certain problem loans and further analyzes root causes of losses.
Wire transfers. To monitor high-risk systems enhancement initiatives, our internal auditors attend regular meetings as advisers to the project team. When Cal Fed's wire transfer staff implemented systems enhancements to improve efficiency, several members of the audit team monitored installation of firewalls and reviewed authorization levels. The internal auditors for the wire transfer area also consulted on key programs, from training employees to detect suspicious wire transactions to helping them adapt to their internal customers' changing needs. By focusing on major risks and improving our understanding of the unit's data files, we conduct better and more comprehensive automated testing of transactions, thus reducing the time needed for the scheduled audit.
DEVELOP A STRATEGIC PLAN

To complete the integration of the COSO framework into Cal Fed's audit processes, we developed a strategic plan that would:

Provide for a mix of skill sets within our audit group.
Create the audit plan by identifying audit entities and performing a formal risk assessment.
Ensure our auditors update risk assessments and monitor the risk indicators on an ongoing basis.
Establish our team's communication strategies and reporting formats.
To accomplish the first objective we assembled a new audit team with a mix of CPAs, MBAs and other business professionals. Their quality and experience were critical to achieving department aims. Instead of staffing the department largely with low- to mid-level professionals, we began with a smaller number of mid- to high-level employees. As part of the upgrade, we also changed job classifications and increased the skills needed to succeed.

Career paths for the team are varied: business area professionals (from loan servicing, loan production, accounting or information technology) move into the department, and auditors transfer to other functions such as treasury, accounting and lending. This cross-training adds depth to the audit team's consulting skills, enhances its ability to recruit and retain audit professionals and gives it increased understanding of risk analysis and controls in the business areas.
CREATE CLIENT SERVICE TEAMS

To achieve our objectives of formal risk assessments and continuous risk monitoring, we established client-service teams for specific departments or functions identified within each audit plan. These teams, typically consisting of three to seven individuals, review the risk profiles of the units assigned to them, compile the risk assessment data and develop the appropriate internal audit services. We choose the audit teams based on individual experience, geographic location and their own interests. For example, an employee who had a particular interest in the treasury function and hoped eventually to become a CFO was placed on the treasury audit, enhancing his professional development. Team members meet with their clients either monthly or quarterly. To expose our auditors to different business areas and help ensure their objectivity, they typically rotate audit assignments every two to three years. We constantly balance the need for team continuity with the need for career development and objectivity.
DELIVER SERVICES, COMMUNICATE FINDINGS

Our internal auditors use the results of their risk assessments and continuous monitoring of the various business areas to examine how each unit is responding to identified concerns and applying risk management procedures. This review also sets the parameters for the formal audit and determines its timing. "We closely integrate our internal audit with that of the external auditors to permit areas to be examined simultaneously, which helps to limit duplication of efforts and focus our resources on more complex and higher-risk areas," says Renee Tucei, CPA and Cal Fed's executive vice president and controller.
At Cal Fed we prepare a formal internal audit report to provide each business unit with conclusions and a balanced perspective (see "Sample Audit Report"). The report contains an opinion of a unit's control structure and whether it effectively meets each of the three COSO objectives. An executive summary, which follows the opinion, provides a review of the business area's purpose, major systems initiatives, key accomplishments and successes as well as the auditors' observations. The audit team details its findings based on the applicable COSO components, with risk ratings of high, medium or low, and includes management action plans. To follow up, the auditors track their observations with a database software program they developed for this purpose and then report monthly to executive management and quarterly to the audit committee.

Sample Audit Report (exhibit; not reproduced here)
Among Cal Fed's business area managers who have benefited from continuous monitoring and information exchanges is Cristie Gerard, vice-president and head of loss management. "By sharing monthly status reports and the business plan, the auditors track progress, identify opportunities and contact the loss management unit with questions or concerns without waiting for a formal audit. Then the formal audit process can target areas from the business plan or status report and save time that would be spent answering questions about changes occurring in the business since the last audit," says Gerard.
GAIN RESPECT

Convincing both business managers and top executives that our progressive approach to audits was a more reliable, efficient and effective risk management process for the organization than the traditional method was a critical goal for the audit department. We found that within three years, with a track record of services delivered, we had earned their respect, and all the members of our team had a seat at the various management committee/task force tables around the company. Richard Terzian, Cal Fed group executive vice-president and CFO, confirms this: "The audit department's success in winning over management can be attributed to its proactive involvement in continuously monitoring and identifying risks throughout the company. Also, its frequent and timely communication of audit issues to the appropriate levels of the organization ensures the right individuals take necessary and prompt corrective action."
We know each audit project could be our last if the board is not satisfied with the level of service we provide. Consequently we issue to business areas audit recommendations that are forward-looking even if no risk problems are immediately apparent. Our advice to other audit teams who want to transform their audit model is to begin by establishing their vision and goals and then by hiring a professional team with diverse backgrounds. But they must understand that the overhaul will require implementation in stages over several years.
When audit teams integrate into other functions throughout the business and go beyond traditional methods, they have the ability to add value by offering better, more proactive audit services and improving an organization's risk management strategies. With investors, regulators and the media placing companies under greater scrutiny in today's climate, internal auditors can expect to have a more prominent role as champions of the risk management process.