QUESTION
The last few
months have been an upsetting time for our bank. We recently were criticized by
our regulator for a deficient internal audit. We were accused of being
understaffed and undereducated. They said we did not follow our own standard
procedures, did not conduct a timely audit, and they said that our directors
and officers could be liable for negligence and breach of fiduciary duties. The
head of our internal audit department quit, and two of her staff were fired. Now,
we are being left to pick up the pieces and get ready for another regulatory
review.
We feel
unprepared for it and would like you to come in and do an internal audit for
us, as the regulator would like an independent internal audit. We plan to retain your firm.
In the
meantime, I want to share this experience and ask you to provide some guidelines
to follow in the future. We do not want to go through anything like this mess
ever again.
So, what are some
pitfalls that we need to be watching out for in an internal audit?
ANSWER
It probably does
not assuage your sense of concern, but I will let you know a little-known fact:
many banks are ill-prepared for complying with the regulatory requirements of an internal audit. It takes quite a lot for a regulator to make a convincing
case that a bank’s directors and officers are liable
for negligence and breach of fiduciary duties.
Usually, the regulator will
undertake a supervisory examination of the bank to ensure it has a credible
case. Sometimes a federal agency will retain an independent banking consultant
to evaluate the legal and regulatory issues that may be subject to potential
administrative action.
I
suggest you contact us for the internal audit engagement soon.
Time is not on your
side! HERE is the contact link.
Regulators take
the position that internal audits are a primary control for proactively
identifying and remediating internal control weaknesses, including weaknesses
relating to loan underwriting and credit administration.
We often see a host of issues that need remediation as a result of an internal audit. Occasionally,
find repeated deficiencies, where the financial institution ignored findings or
left them in an unresolved status. These become red flags to examiners when
they conduct a regulatory review.
As to the
pitfalls, the list is more like a litany of potential deficiency issues. If I
set out to compile such a list, I could probably mention literally hundreds of
possible pitfalls. That said, I would like to give you some pragmatic takeaways
to prepare your institution for an internal audit. Here are but a few
suggestions.
- Internal auditors should not be charged with both audit and operational responsibilities in several areas, which diminishes their respective independence. Management may be held to a governance violation for allowing this kind of administrative defect.
- Auditors should always have the necessary knowledge and training to conduct certain audits effectively.
- Audit risk analysis and planning must ensure that the audit’s scope covers the range of criteria commensurate with risk. For instance, the rapid growth of a loan product, origination channel, or servicing platform is inherently prone to higher risk.
- In general, audits should be performed on time and concluded within reasonable timeframes.
- An internal audit should be scoured for a scope that is not sufficiently broad or deep enough to ensure reliable findings.
- Audit reports should provide at least a description of the scope of work performed, a determination of the underlying causes, a judgment about the significance of the findings, and conclusions regarding the severity and pervasiveness of findings.
- Importantly, a bank’s internal audit department must be tracking exceptions identified by outside entities, including recommendations made by regulators and other third parties, to ensure that such exceptions are appropriately corrected or scheduled for corrective action.
- Furthermore, I highly recommend that banks develop and implement (1) a comprehensive corporate-wide risk assessment program, (2) enhance their audit exception tracking, (3) better monitor corrective action plans, 4) revise its internal audit policies, and (5) fortify the oversight of the Audit Committee.
Jonathan Foxx Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group
