A highly effective internal audit function depends on identifying the right people for the job, says John Gallagher, director of internal audit at $2.9 billion State Employees Federal Credit Union in Albany, N.Y.
“Go beyond looking at a specific skill set and instead look at core competencies,” says Gallagher, who addressed the CUNA Supervisory Committee and Internal Audit Conference.
He suggests designing short- and long-term development plans for staff based on four core competencies:
1. Communication. “Internal auditors tend to be introverts,” he says. “You must be comfortable speaking to people at all levels of an organization, not just hiding behind a piece of paper. You can teach almost anybody how to audit, but to really, truly understand the controls and the associated risks, you need to interact with people.”
2. Risk. The supervisory committee and internal auditors “need to be more risk-conscious," Gallagher says.
They must increase their emphasis on identifying, monitoring, and mitigating risk across all seven risk categories NCUA defines—as well as cybersecurity—and view risk through an enterprise-wide lens.
“Their role needs to be more advanced than it has been, not simply relying on the risk assessment by internal audit as the risk assessment for the organization as a whole,” he says.
Ask whether areas of risk lie outside the committee’s knowledge, and take outside perspectives into account when reviewing the audit process.
3. Alignment. Internal audit must expand its influence across the traditional three lines of defense, wherein leadership implements policy, senior management verifies execution of that policy, and internal audit assesses whether the credit union adequately adheres to that policy.
"We can’t change this linear relationship, but we can enhance it” by getting involved throughout the process,” Gallagher says.
Take the opportunity to educate leadership on the fallout and limitations of their controls, such as explaining that a management signature on a document doesn’t confirm someone followed policy generally, or addressed the details.
For instance, just because management approved a teller proof sheet, did they check whether a balance exceeded policy, or all of the monetary denominations matched?
“This represents a huge opportunity to sell yourselves as the knowledgeable experts,” Gallagher says. “We need to become bigger consultants behind an organization, especially when we think strategically.”
4. Data. Internal audit must continue to identify new sources of data and embrace analytics to assist in the audit process, improve efficiencies, and add value.
“The idea now and going forward is to get away from the traditional sampling techniques and actually be looking at 100% of the data,” Gallagher says.
In a business climate where shrinking resources put every function under increased budget scrutiny, internal auditors must recognize the need to promote their crucial role in maintaining credit union oversight, Gallagher says.
“Internal auditors are the worst sales people in the world. We do what we need to do, stick our nose to the grindstone and get it done,” says Gallagher. “Our industry is getting more complex, and we’re doing our job with the same number of people or less.”