The Federal Reserve’s Supervisory Letter SR 13-1 provides additional guidance to financial institutions (FIs) on enhancing their internal audit practices, governance, and operational effectiveness. One of the key requirements under SR 13-1 is the Internal Audit (IA) Risk Opinion, which refers to the IA function’s assessment of the effectiveness of the institution’s risk management processes. This opinion helps the board of directors and senior management understand the institution’s risk profile and the adequacy and effectiveness of its risk management framework.
However, forming a robust IA Risk Opinion under SR 13-1 can be challenging due to the complexity and diversity of risk management processes across various risk dimensions, such as credit risk, market risk, operational risk, and compliance risk. Moreover, the IA function needs to maintain its independence and objectivity, help ensure data quality and availability, and communicate effectively with various stakeholders, including senior management, the board of directors, and regulators. FIs need to familiarize themselves with these requirements to implement the IA Risk Opinion effectively and enhance their overall risk management framework.
Supporting Data
The IA Risk Opinion under SR 13-1 involves evaluating the effectiveness of the institution’s risk management processes. To support this opinion, the IA function needs to collect and analyze various data elements that provide a comprehensive view of the institution’s risk management framework and its effectiveness. These data elements include:
- Risk assessment documentation: Comprehensive reports from business units; methodologies and criteria for risk identification, evaluation, and prioritization; and records of periodic reviews and updates.
- Internal audit reports: Past and follow-up audit reports on significant risk management issues, their impact, and remediation efforts, as well as special audit reports.
- Remediation plans and status updates: Detailed plans, progress reports, and evidence of reduced risk exposure and improved controls.
- Management reports: Minutes from risk management committee meetings, reports on key risk indicators and other risk metrics, and management’s risk self-assessment reports.
- Regulatory examination reports: Reports from regulatory examinations, correspondence with regulators, and documentation of regulatory findings and management’s responses.
- Policy and procedure documents: Risk management and IA policies and procedures, and documentation of changes made to policies and procedures as a result of risk assessments or audit findings.
- Training and awareness programs: Records of risk management training programs, attendance and completion of mandatory training sessions, and training materials.
- Incident and loss data: Data on operational risk incidents and losses, root cause analyses for significant incidents, and preventive changes made to avoid recurrence.
These data elements help the IA function form a holistic and objective view of the institution’s risk management practices and identify any gaps or weaknesses that need to be addressed.
Forming the Risk Opinion
Based on the supporting data, the IA function will need to form a clear and concise opinion on the overall adequacy and effectiveness of the institution’s risk management and internal control systems. To achieve this, the IA function should consider the following components:
- Aggregation of supporting data points: The IA function should assign a rating to each supporting data point, reflecting that data point’s degree of risk exposure and control effectiveness, and weight the data points according to their criticality and materiality. The IA function should then aggregate the ratings to form an overall rating for the institution’s risk management processes. Alternatively, the IA function can weight the supporting data points equally or default to the lowest rating among the data points.
- Summarization of critical findings and observations: The IA function should summarize the most critical findings and observations from the supporting data and highlight any significant issues or areas of concern. In addition, the IA function should highlight any differences between the views of the second and third lines of defense on risk analysis and explain the rationale for any discrepancies.
- Opinion statement: The IA function should provide a clear and concise opinion statement that reflects the overall rating and the summary of critical findings and observations. The opinion statement should indicate whether the institution’s risk management processes are comprehensive, effective, and appropriate for its risk profile and whether they comply with the regulatory requirements and expectations.
- Supporting data and documentation: The IA function should include supporting data and documentation to back up the findings and conclusions. This will add credibility to the opinion and help the stakeholders understand the basis and rationale for the opinion.
- Follow-up actions: The IA function should outline any follow-up actions required to help ensure that the recommendations are implemented and the risks are adequately managed. The IA function should also establish a process for monitoring the implementation of the recommendations and conducting follow-up reviews to verify the effectiveness of the corrective actions.
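The aggregation component above offers three ways to roll individual data-point ratings up into one overall rating: weighted by criticality and materiality, weighted equally, or defaulting to the least favorable rating. The following script is an added example, not code from the article, from SR 13-1, or from Forvis Mazars; it shows how the three methods can reach different overall ratings on the same inputs and which data point drives the least favorable result. The four-point rating scale, the weights, and the sample data points are constructed assumptions for illustration.

```python
"""Added example: three ways of rolling data-point ratings up into an
overall risk-management rating (weighted, equal, worst-of).
Everything numeric here is an assumption for illustration only."""
import math
from dataclasses import dataclass
from typing import Dict, List

# Assumed scale (constructed): 1 = strong ... 4 = unsatisfactory.
# A higher number means greater risk exposure / weaker control effectiveness,
# so the article's "lowest rating" (least favorable) is the highest number here.
RATING_LABELS = {1: "Strong", 2: "Satisfactory", 3: "Needs improvement", 4: "Unsatisfactory"}


@dataclass
class DataPoint:
    name: str      # supporting data element, e.g. "Internal audit reports"
    rating: int    # 1..4 on the assumed scale
    weight: float  # criticality/materiality weight, > 0 (assumed)


def _validate(points: List[DataPoint]) -> None:
    # Reject empty input and out-of-scale values so a bad feed cannot
    # silently pull the overall rating toward "Strong".
    if not points:
        raise ValueError("no supporting data points")
    for p in points:
        if p.rating not in RATING_LABELS:
            raise ValueError(f"{p.name}: rating {p.rating} not on the assumed scale")
        if p.weight <= 0:
            raise ValueError(f"{p.name}: weight must be positive")


def weighted_rating(points: List[DataPoint]) -> float:
    """Criticality/materiality-weighted mean rating (fractional)."""
    _validate(points)
    total_weight = sum(p.weight for p in points)
    return sum(p.rating * p.weight for p in points) / total_weight


def equal_rating(points: List[DataPoint]) -> float:
    """Equal-weight mean rating (fractional)."""
    _validate(points)
    return sum(p.rating for p in points) / len(points)


def worst_of_rating(points: List[DataPoint]) -> int:
    """Default to the least favorable rating among the data points."""
    _validate(points)
    return max(p.rating for p in points)


def to_rating(score: float) -> int:
    """Map a fractional score back to the scale; .5 rounds to the less favorable rating."""
    return max(1, min(4, math.floor(score + 0.5)))


def drivers(points: List[DataPoint], rating: int) -> List[str]:
    """Names of the data points that carry the given rating."""
    return [p.name for p in points if p.rating == rating]


def overall_opinion(points: List[DataPoint]) -> Dict:
    """Compute all three aggregations and flag when they disagree."""
    w = weighted_rating(points)
    e = equal_rating(points)
    worst = worst_of_rating(points)
    return {
        "weighted": to_rating(w), "weighted_score": round(w, 2),
        "equal": to_rating(e), "equal_score": round(e, 2),
        "worst_of": worst,
        "drivers": drivers(points, worst),
        "methods_disagree": len({to_rating(w), to_rating(e), worst}) > 1,
    }


# Constructed sample: the eight data elements listed in the article, with
# assumed ratings and weights chosen to show the methods diverging.
SAMPLE_POINTS = [
    DataPoint("Risk assessment documentation", 2, 3.0),
    DataPoint("Internal audit reports", 3, 1.0),
    DataPoint("Remediation plans and status updates", 4, 1.0),
    DataPoint("Management reports", 2, 2.0),
    DataPoint("Regulatory examination reports", 3, 1.0),
    DataPoint("Policy and procedure documents", 1, 2.0),
    DataPoint("Training and awareness programs", 2, 0.5),
    DataPoint("Incident and loss data", 3, 1.0),
]

if __name__ == "__main__":
    result = overall_opinion(SAMPLE_POINTS)
    for method in ("weighted", "equal", "worst_of"):
        print(f"{method:>9}: {result[method]} ({RATING_LABELS[result[method]]})")
    print("driven by:", ", ".join(result["drivers"]))
    print("methods disagree:", result["methods_disagree"])
```

On the constructed sample the weighted method lands on Satisfactory, the equal-weight method on Needs improvement, and worst-of on Unsatisfactory, so the choice of aggregation method is itself a judgment the opinion should disclose; the `drivers` list names the data point that the opinion's summary of critical findings would need to explain.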
The IA Risk Opinion report should be communicated to senior management and the board of directors at least annually and should be updated to reflect any changes in the risk environment or the regulatory requirements.
Profiles in Risk – Using SR 13-1
The IA Risk Opinion under SR 13-1 is a valuable tool to help FIs enhance their risk management practices and provide an independent and objective risk profile assessment.
By collecting and analyzing various supporting data elements, the IA function can form a robust and comprehensive opinion on the effectiveness of the institution’s risk management processes. This opinion helps the board of directors and senior management understand the institution’s risk profile and the adequacy and effectiveness of its risk management framework and take appropriate actions to address any issues or gaps.
Through this comprehensive view of an FI’s ability to monitor its risk profile, regulators can help ensure that FIs are resilient, compliant with regulations, and capable of identifying and mitigating potential risks. It also enables regulators to rely on IA’s work during supervisory reviews, helping enhance the overall stability and soundness of the financial system.
If you have any questions regarding the IA Risk Opinion or need assistance, please reach out to a professional at Forvis Mazars.