Large banks and mid-tier banks have several. Small banks "have" one when the bank examiners show up. After conducting 321 projects for banks, I can definitely say I have met three internal auditors. Even though I invite every auditor to my work sessions, those three guys were in my face constantly. My kinda people. They would show up at interviews (not all, just select individuals) without notice. I wondered why. I found out at the end of the job. They still appear on my list of client references, even though they may pick me apart a bit. You can never please these guys and that's why they are highly effective auditors.Then, there were those auditors I met who were so passive that I wouldn't have known them from the marketing guy. These are two very transparent positions in most small banks, and that's not right.
If you want to know what the bank auditor's traditional duties and responsibilities are, go to the BAI. If you are interested in my version of the modern day bank auditor, read on.
The traditional auditor is supposed to report to the Board of Directors. I can see why. Any internal exec could be the crook. But I'm not satisfied that any bank board is equipped to know what the auditor is all about, or how they can use what he's telling them. What does a pharmacist know about financial irregularities. Crime prevention to him means locking the narcotics cabinet. And how effective is a stethoscope in detecting bank fraud? Will an MD be satisfied with an auditor's report that says procedures are in place to detect fraud? Will a real estate broker sign off on the underwriting rules associated with mortgage loans? His living depends on a 100 percent approval rate. Will a lawyer overreact to potential threats? His attitude is that everyone is guilty unless they hire him as their defense attorney. In my opinion, the typical directors are outsiders (that's good) with a personal interest in the bank (that's bad) and no skills for the job (that's a joke).
Auditors do an awful lot of checking. They send millions of confirmation notices to customers. That's like walking into a seminary and asking, "How many of you believe in God?" If anyone knows of a time when an audit confirmation has uncovered any wrong-doing, I'd like to hear about it.
Auditors should take a much broader look at protecting the bank's resources. For example, at least four areas are critical: lending practices, accounting procedures, IT systems, and screening of critical employees. The auditor should become the quintessential critic, cynic and naysayer. How many auditors were consulted about the viability of subprime mortgages? How many auditors have reviewed the bank's web site to test improprieties? How many auditors have hired a specialist security firm to conduct an intensive test of the entire issue of data security? If the auditor's answer is, "We use our external audit firm for that," then I believe it's not only Houston where "We have a problem."
In my opinion, the auditor should be more powerful, have broader coverage, become more authoritative with increased levels of chutzpah and execution privileges (of his programs, that is).
There must be hundreds of books written about bank auditing. I think it's time for one more, authored by Messrs. Prince, Mozilo, Killinger, Thompson, Perry, Daberko, and others on the way.