
Complementary Functions: Credit Risk Review and Internal Audit
One of the greatest challenges at many financial institutions is establishing the boundary between the credit risk review (CRR) and internal audit (IA) functions. This is especially pertinent because regulatory guidance allows for a wide degree of variance based on the specific organizational structure, size and policies. While some overlap may exist in credit review and audit activities, it is important to note that these two functions serve distinct purposes and have different, albeit complementary, areas of focus. These distinctions can, in very general terms, be summarized as follows:
Credit Risk Review (CRR)
- Focus: Independently assesses credit risk management across the portfolio.
- Scope: Focuses specifically on the credit quality of individual loans, credit underwriting practices, adherence to credit policies and procedures, collateral valuation, and credit risk mitigation strategies.
- Reporting: Most often directly to the Risk Committee of the Board of Directors, although regulation permits other structures, provided CRR remains completely independent of any entity/individual involved in the credit origination/adjudication processes.
- Audits: CRR may be audited by the Internal Audit function, provided it does not also report into the Internal Audit function. If CRR does report through the Internal Audit line, the firm should engage its external auditor or a qualified third-party auditor to review the function.
Internal Audit (IA)
- Focus: Evaluates the effectiveness of an organization’s internal controls, risk management practices, and governance processes across the entire organization.
- Scope: Responsibility for operational, financial, compliance, credit and other risks within the institution, including the adequacy of internal controls, risk management frameworks, regulatory compliance, and the overall governance structure.
- Reporting: Generally reports directly to the Board of Directors and/or its Audit Committee.
- Audits: Generally performed by the institution’s external auditor.
While the CRR and IA functions have different responsibilities and should retain their respective independence, both functions may coordinate efforts in areas of mutual interest, such as assessing the overall control environment, identifying systemic risk factors, or ensuring the integration of risk management practices across the organization. Frequent collaboration can enhance the overall effectiveness of risk management practices and provide a holistic view of the institution’s risk profile.
Contact Kane Garland today to discover how we can assist with a seamless, collaborative integration of credit risk review into both your general risk management and internal audit frameworks.