The Importance of the Consumer Compliance Internal Audit Function
Introduction
To ensure compliance with consumer protection laws and regulations, financial institutions must manage risk. This task has become especially important because of the new compliance requirements under the Dodd-Frank Wall Street Reform and Consumer Protection Act and the heightened public scrutiny of financial institutions since the financial crisis. Further, new technologies, product innovation, and the size and speed of transactions have transformed the banking landscape. This dynamic, complex environment makes it challenging for a bank to maintain a consumer compliance risk management program (compliance program) that effectively identifies, analyzes, and mitigates risks.
The internal control and audit functions are important, complementary tools for mitigating risks. Internal controls are “designed to provide reasonable assurance that the institution will achieve the following internal control objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations.”1 The function of internal audit is to monitor and evaluate internal controls, risk management, and governance processes to ensure their effectiveness.2 This article explores the key aspects of the internal audit function and provides tips for enhancing it.
Consumer Compliance Internal Audit Fundamentals
The internal audit function is the responsibility of the board of directors (board) and senior management.3 This function may be formal, informal, committee-based, or outsourced. In addition, staff can be dedicated individuals or from other areas within the bank that are not being audited. The design of the internal audit function depends on the size of the institution.4
Regardless of the size, an effective internal audit function has several common characteristics. First, the bank’s board, or an audit committee of the board, and senior management must support and actively oversee the internal audit function. The internal audit function provides the board and senior management with analyses, findings, and corrective action recommendations on the activities, operations, and products tested. To that end, the internal audit function is a critical aspect of maintaining an environment of continual improvement.
“Clearly, senior management must take on a very active and involved role in risk management. Although this may seem somewhat obvious, a few recent cases demonstrate, unfortunately, that senior management may not always exercise proper oversight and may not have been as engaged as would have been wise. As supervisors, governance and controls is a key feature we look at in assessing risk management at an institution.”
Former Governor Randall S. Kroszner, “The Importance of Fundamentals in Risk Management,” at the American Bankers Association Spring Summit Meeting, Washington, D.C., March 11, 2008
Second, the internal audit function must be independent and be able to report objective evaluations and unbiased findings to the board or audit committee. To maintain objectivity and independence, the audit function should report directly to the board or audit committee and have the ability to escalate findings. Further, internal auditors should not have management or operational responsibilities that could result in a conflict of interests and hinder their independence. The internal audit function may be assigned to an officer with other nonaudit responsibilities who can maintain independence from the areas being audited. Without independence, the internal audit function’s ability to deliver an unbiased and objective audit report will be questioned.5
Third, the internal audit function must identify and evaluate the highest risks associated with the bank. The risk identification and evaluation process is one of the most important aspects of an effective internal audit function. The focus should be on inherent risks (such as product materiality and regulatory requirements) and controls to mitigate those risks (such as procedures, risk monitoring, secondary reviews, and audits). Further, the process should be dynamic and evolve as the bank takes on more or less risk. Thus, internal audit should periodically update control risk assessments to reflect changes in business lines, products, processes, systems of internal control, staff, platform systems, market expansion, and regulatory changes, and should also include external factors.
Fourth, management should prepare an audit plan, which provides the roadmap for the internal audit function. The audit plan should be risk-focused, with the areas selected for coverage and frequency based on the level of risk identified in the risk assessment. The plan should be approved by the board and consider all affiliates, business lines, and processes within the bank, including potential acquisitions and planned new products and services. On an annual basis, the plan should be revised, or the most significant risks should be evaluated.6
Finally, audit findings and management’s planned response should be communicated appropriately to the board or audit committee. This enhances their ability to provide oversight and ensure that the audit findings are resolved. Internal audit reports should be presented to members of senior management who are directly affected by the findings. Although the findings should be resolved promptly, a tracking mechanism, such as a report, that describes the findings, identifies the corrective action taken, and establishes timeframes for completion should be incorporated into this process. The resolution should correct the findings and, more importantly, address their root cause. Conversely, if findings remain unresolved, an escalation process should be employed to report them to higher management in the bank, such as to the board or audit committee, to ensure that senior management completes the corrective actions in a timely manner.
Outsourcing the Internal Audit Function
Some financial institutions, particularly smaller ones, outsource the internal audit function. When outsourcing, it is important to remember that an institution has a nondelegable duty to maintain an effective consumer compliance program; the institution — not its vendor — is the one ultimately held accountable. The 2003 interagency guidance discussed this issue at length and offered these recommendations for drafting an outsourcing contract for internal audit:
- define the expectations and responsibilities under the contract for both parties
- set the scope and frequency of, and the fees to be paid for, the work to be performed by the vendor
- set the responsibilities for providing and receiving information, such as the type and frequency of reporting to senior management and directors about the status of contract work
- establish the process for changing the terms of the service contract, especially for expansion of audit work, if significant issues are found, and stipulations for default and termination of the contract
- state that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the workpapers prepared by the outsourcing vendor
- specify the locations of internal audit reports and the related workpapers
- specify the period of time (for example, seven years) that vendors must maintain the workpapers
- state that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related workpapers prepared by the outsourcing vendor
- prescribe a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence
- state that the outsourcing vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with regulatory independence guidance.7
Enhancing the Consumer Compliance Internal Audit Function
Here are some suggestions for enhancing the consumer compliance internal audit function:
- When the internal audit function is unable to identify the appropriate risks and measure their severity and impact, the bank is subjected to the risk that significant deficiencies exist within the procedures, internal controls, and risk management practices. The deficiencies may be small at first, but if they are not identified and addressed, they may become systemic in nature, resulting in a negative impact to consumers and the bank. Thus, the board should always monitor and assess the quality of work performed by the internal audit function, particularly given the changing regulatory landscape.
- The scope and frequency of internal audits should be driven by the comprehensive control risk assessment. The internal audit function should complete this assessment for all business lines and operational functions that are responsible for ensuring compliance with applicable laws and regulations, as appropriate. The risk assessment process can be severely constrained with fragmented or manual efforts by keeping risks in silos rather than providing a holistic view of risk. For example, if a bank’s risk assessment and risk reporting systems cannot aggregate risk data from all areas of the institution simultaneously and on a timely basis, the data generated by these systems may be erroneous. This disjointed risk reporting process could lead to incorrect identification of the areas of highest risk or even the possibility of failure to identify a risk. As a result, the risk assessment must be all-encompassing with timely reporting of risks in order to create a holistic view.
“Clearly, senior managers also need to ensure that they have proper understanding of the risks assumed by their firm, but this does not always happen. For example, we have seen some evidence that information was kept in silos within firms and not adequately distributed both vertically and horizontally within certain firms. This segregation prevented senior managers from developing an enterprise-wide perspective on risks to the whole entity. It meant that managers were not fully aware of the extent to which the risks of the different activities undertaken by the firm could, first, become correlated in times of stress and, second, result in high concentrations of risk exposures.”
Former Governor Randall S. Kroszner, “The Importance of Fundamentals in Risk Management,” at the American Bankers Association Spring Summit Meeting, Washington, D.C., March 11, 2008
- Typically, the audit plan includes business lines, operations, and products. In addition to these areas, the bank’s consumer compliance program should be audited. The assessment of the consumer compliance program is often overlooked, resulting in a limited evaluation of its adequacy. Validating the consumer compliance program demonstrates a strong control culture able to maintain ongoing compliance.
- Although the audit plan should be risk-focused, it also should be comprehensive. If the examiners, internal auditors, external auditors, and internal compliance reviewers are all applying risk-focused procedures, it is possible that some areas are not being evaluated. All areas should be audited at varying degrees, with the scope and frequency being determined by the risk assessment. For example, a lower-risk area may not need to be audited on an annual basis, but it probably should be considered within an appropriate audit cycle. As a result, this approach reduces the possibility of areas going too long without an audit to validate the effectiveness of the bank’s procedures, internal controls, and risk management practices.
- The audit plan should include the deposit and loan platform systems as well as underwriting and pricing models. The internal auditor should ensure that the platform systems and models accurately reflect the bank’s practices and meet the regulatory requirements. Testing is especially important on new platforms and models as well as updates to existing ones. Further, upfront validation of the defaults and settings may reduce the number of transactions tested. For example, in verifying the rate adjustment settings upfront, the number of adjustable rate mortgages subjected to testing may be reduced since the adjustments are controlled by the system platform. If the defaults and settings are proven to be accurate in the beginning, then there is a high probability that they are in compliance. This approach can be used for many of the defaults and settings within the platform systems, which then may reduce transaction testing for technical compliance and allow for more focus on higher-risk areas.
- Internal audit functions should leverage technology as much as possible. Many platforms provide standard reports and allow new reports to be designed to assist in assessing the bank’s risk. These reports can help identify product or feature materiality to determine the universe, potential impact, and severity of the findings. For example, if an internal auditor identified concerns with adjustable rate mortgages resetting incorrectly, a report can be generated to determine the universe and impact on the portfolio. These types of reports make the process of identifying, analyzing, and resolving issues more efficient and precise.
- Documentation, documentation, and more documentation. This area does not receive a lot of attention and is often a secondary thought in the internal audit function process. Documentation provides an audit trail of the review and support for corrective action recommendations. Documentation should focus on the scope, level of testing, deviations, file expansions, impact of findings on the portfolio (such as restitution or file searches), and follow-up on corrective actions. Documentation is especially important when examiners are evaluating the adequacy of the internal audit function.
As a final takeaway, here are a few questions to consider:
- What is the level of oversight activities provided by the board, audit committee, and senior management?
- Is the internal audit function appropriate for the bank based on its scope of activities, products, and operations?
- Do the knowledge and abilities of the internal audit function match the risk profile of the bank?
- Is the risk assessment comprehensive of all business lines and products so that it considers the regulatory requirements and identifies the corresponding procedures, internal controls, and risk management?
- Are internal audit plans determined by the risk assessment? Do the audit plan and risk assessment consider a product lifecycle evaluation?
- Does the internal audit function leverage the management information system’s capabilities of the bank’s software platforms?
- How are audit findings monitored and resolved? Is the root cause identified and addressed?
Conclusion
Regardless of the bank’s size and complexity, the internal audit function plays an important role in managing the risk profile with ongoing improvement in procedures, internal controls, and risk management. This article illustrates the importance of the consumer compliance internal audit function as well as ways to build on the fundamentals, especially in the changing banking landscape of new regulatory requirements and technologies. Specific issues and questions should be raised with your primary regulator.
- 1 Federal Reserve Board, Office of the Comptroller of the Currency, and Office of Thrift Supervision, SR 03-5, Interagency Policy Statement on the Internal Audit Function and Its Outsourcing
(2003 Policy Statement), March 17, 2003, at p. 1, fn. 1
- 2 Board of Governors of the Federal Reserve System, SR 13-1/CA 13-1, Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing,
January 23, 2013, at p. 4 (Supplemental Policy)
- 3 2003 Policy Statement at p. 2
- 4 2003 Policy Statement at p. 2
- 5 2003 Policy Statement at p.5
- 6 Supplemental Policy at p.10
- 7 2003 Policy Statement at p. 8-9. For additional information on vendor risk management, see the article by Anthony Ricks and Timothy Stacy, “Vendor Risk Management,” Consumer Compliance Outlook, First Quarter 2011, and the Consumer Compliance Outlook Live webinar “Vendor Risk Management — Compliance Considerations,” May 2, 2012.