Bankers have had whiplash over the last five years with new regulations, delayed regulations, regulatory relief and changes to new rules within one year from the initial effective date. Now on top of all of the changes, there are two more significant developments. First, compliance examinations have changed and consumer harm is the new hot button which has caused banks to look at their compliance risk from a new perspective. Second, and perhaps the biggest shift in examination strategy, is the focus on the design and effectiveness of compliance management systems (CMS).
Every CMS contains processes and controls but all eyes are on independent audit. If any aspect of independent audit is considered inadequate, the risk an audit could be criticized rises exponentially. Examiners are now relying more on independent audit reports for transaction testing, which they previously performed themselves, unless they deem your audit to be inadequate and then they will perform their own transaction testing. The result: examinations get extended and examiners dig deeper. In any circumstance, if independent audit is deemed inadequate it can affect the management element of your CAMELS rating.
The entire independent audit process from scoping, planning, completing, reporting, responsiveness and Board and Management oversight beginning to end is being scrutinized. A comprehensive review of the entire life cycle of each specific audit is a prudent step to take. Here are a few tips to consider when reviewing the adequacy of the audit process.
Auditor engagements require detailed scoping documentation. If you have a multi‐year agreement for compliance audit, be sure you document a scoping conversation for each year. Provide the auditor with your internal compliance risk assessment; if you do not have one or it does not quantify compliance risk for purposes of developing risk‐based compliance audits, be sure the auditor has a resource to support the audit scope and depth of testing. Seek to ensure you can support not only which areas are included in the scope but also the laws, regulations or areas not included.
Audit reports and workpapers are the “holy grail.” Whether it is a lack of resources or expertise, all of the agencies are relying heavily on the independent audit function to perform much of the transaction testing relied upon during compliance, BSA/AML, Fair Lending/CRA, and Information Technology examinations. Expect the same scrutiny for the control and financial audits on the Safety and Soundness side of the bank. Ensure your auditor workpapers are available upon request and accessible by the examiners. Make sure the workpapers are reflective of the work spelled out in the scoping section of the engagement. Some auditors think that “less is more” in terms of workpapers. That is outdated thinking. If examiners don’t understand the workpapers or deem them inadequate, you may find yourself – along with your auditor – in a meeting with your regulator. Some auditors maintain workpapers and release them upon the examiner’s request. Ideally, workpapers should be in the hands of the banker.
Examiners now expect you to verify that the audit procedures and scope described in the engagement letter (EL) or statement of work were actually performed. In other words, audit your auditor. Document this review because chances are this is something that will come up during your next examination. Examiners are suggesting there be a documented review of the EL terms to ensure the work agreed upon was performed. TCA suggests that this review be provided to the Board and documented in the meeting minutes; this will help the Board and Management exhibit appropriate oversight of the audit process. This is a small but very important step to take.
The qualifications and experience of the independent auditor are also now under the spotlight. Many banks that relied upon their internal auditor have been criticized because the expectation is that the auditor knows more than the auditee. It is not possible for an internal auditor to be a subject matter expert for all audit topics. The goal of internal audit is to identify deficiencies in controls, and the audit must be designed to do so.
Audit is independent: don’t misunderstand the role of the auditor. Auditors are not examiners. Auditors do not have the luxury of deciding what findings to cite or not to cite. Auditors should present the findings, along with opinions about the risks that each finding may represent to the bank, so the Board and Audit Committee can make the best, risk‐based business decision regarding findings. The nature of audit is to identify weaknesses in controls or processes. Independence and objectivity are key for auditors. Sometimes your staff says the auditor was “too picky.” That’s what you want, and when staff complains that is good because you know you are getting value. Changing the intensity of an audit is dangerous because the Board should not let staff dictate scope or findings. That is not good governance. Any change made in response to “too picky” should be made by the Board or Audit Committee based on the Board’s risk appetite and tolerance.
Are the Board and Management prepared to respond to examiners if they criticize the thoroughness of the audit process? The goal of auditors is to ensure that you do not hear something from a regulator that you did not hear from your auditor. That is the standard for adequacy when regulators assess the comprehensiveness and effectiveness of independent audit. Also, auditors don’t have “ESP” so they don’t know what examiners will look at, so a good audit looks at a lot to cover any eventuality and to minimize surprises.
Regarding Audit Reports, it has been TCA’s belief that an Audit Report is written for three parties: the bank, the Regulators and (in our case) TCA. We also understand that we do not work for the government – we work for our clients and it is our intention to always remain independent and objective, but to work to ensure our reports provide the best opportunity to present the bank’s efforts from an appropriate, independent and objective perspective.
TCA understands evolving regulatory examiner expectations and we are constantly assessing and enhancing our processes to ensure our clients stay at least a half‐step ahead of your regulators’ expectations. Are your auditors working hard to ensure their efforts will be deemed adequate? If not, contact TCA for A Better Way.
Stay on the path . . . Jim