TOPICS

Thursday, December 26, 2019

Internal Audit - Pitfalls

QUESTION
The last few months have been an upsetting time for our bank. We recently were criticized by our regulator for a deficient internal audit. We were accused of being understaffed and undereducated. They said we did not follow our own standard procedures, did not conduct a timely audit, and they said that our directors and officers could be liable for negligence and breach of fiduciary duties. The head of our internal audit department quit, and two of her staff were fired. Now, we are being left to pick up the pieces and get ready for another regulatory review.

We feel unprepared for it and would like you to come in and do an internal audit for us, as the regulator would like an independent internal audit. We plan to retain your firm. 

In the meantime, I want to share this experience and ask you to provide some guidelines to follow in the future. We do not want to go through anything like this mess ever again.

So, what are some pitfalls that we need to be watching out for in an internal audit?

ANSWER
It probably does not assuage your sense of concern, but I will let you know a little-known fact: many banks are ill-prepared for complying with the regulatory requirements of an internal audit. It takes quite a lot for a regulator to make a convincing case that a bank’s directors and officers are liable for negligence and breach of fiduciary duties. 

Usually, the regulator will undertake a supervisory examination of the bank to ensure it has a credible case. Sometimes a federal agency will retain an independent banking consultant to evaluate the legal and regulatory issues that may be subject to potential administrative action.

I suggest you contact us for the internal audit engagement soon.

Time is not on your side! HERE is the contact link.
Regulators take the position that internal audits are a primary control for proactively identifying and remediating internal control weaknesses, including weaknesses relating to loan underwriting and credit administration.
We often see a host of issues that need remediation as a result of an internal audit. Occasionally, find repeated deficiencies, where the financial institution ignored findings or left them in an unresolved status. These become red flags to examiners when they conduct a regulatory review.
As to the pitfalls, the list is more like a litany of potential deficiency issues. If I set out to compile such a list, I could probably mention literally hundreds of possible pitfalls. That said, I would like to give you some pragmatic takeaways to prepare your institution for an internal audit. Here are but a few suggestions.
  • Internal auditors should not be charged with both audit and operational responsibilities in several areas, which diminishes their respective independence. Management may be held to a governance violation for allowing this kind of administrative defect.
  • Auditors should always have the necessary knowledge and training to conduct certain audits effectively.
  • Audit risk analysis and planning must ensure that the audit’s scope covers the range of criteria commensurate with risk. For instance, the rapid growth of a loan product, origination channel, or servicing platform is inherently prone to higher risk.
  • In general, audits should be performed on time and concluded within reasonable timeframes.
  • An internal audit should be scoured for a scope that is not sufficiently broad or deep enough to ensure reliable findings.
  • Audit reports should provide at least a description of the scope of work performed, a determination of the underlying causes, a judgment about the significance of the findings, and conclusions regarding the severity and pervasiveness of findings.
  • Importantly, a bank’s internal audit department must be tracking exceptions identified by outside entities, including recommendations made by regulators and other third parties, to ensure that such exceptions are appropriately corrected or scheduled for corrective action.
  • Furthermore, I highly recommend that banks develop and implement (1) a comprehensive corporate-wide risk assessment program, (2) enhance their audit exception tracking, (3) better monitor corrective action plans, 4) revise its internal audit policies, and (5) fortify the oversight of the Audit Committee.

Jonathan Foxx Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group