Part III: Remediation – Compliance Lessons from the Construction Industry

Finding a Problem Is One Thing, Fixing It Is Another

Not long ago, I visited an institution we’ll call “Flub Financial.” Flub’s compliance team was knowledgeable and experienced. Its well-executed audit program employed savvy auditors whose comprehensive coverage allowed Flub to detect problems easily. So why did Flub find itself in a multi-million-dollar enforcement action? The reason: Flub kept applying the same practices that had created the problems in the first place.

Management did little to correct the underlying issues. Worse, Flub’s directors exercised even less oversight because they assumed management took care of problems after the board was informed of deficiencies. Simply put, Flub failed to apply our third lesson from the construction industry: Maintenance and repairs are essential to preserving value.

Just as contractors are responsible for a well-built house, directors are accountable for ensuring the compliance program has a sound foundation and for overseeing its ability to detect deficiencies. Moreover, directors must ensure corrective actions are taken when weaknesses occur. As with preserving a house, an institution’s success depends on whether corrective actions are taken promptly.

Examiners, much like building inspectors, want to see things working properly. Has prompt action been taken to correct weaknesses noted in routine monitoring as well as during examinations? Do records show how problems were addressed, with evidence of the corrections made? Good answers to these questions are crucial, because without a proven methodology, small deficiencies may turn into large cracks.

There are three main aspects to successfully implementing corrective action:

  1. Specifying and assigning corrective steps,
  2. Confirming the correction occurred, and
  3. Following up at appropriate intervals to ensure the correction’s effectiveness.

Specifying the Steps

To identify and assign corrective steps, the board must determine who, what and how. Who will ensure the correction happens? What oversight and work steps are needed, and what is the deadline for the correction? How will the assignee apprise the board of the results, and how will the board monitor whether the correction worked or whether problems still persist?

It’s essential for the board to assign corrective actions to executives who have the necessary accountability and authority, rather than to a department. For example, listing the lending department as responsible leaves it unclear who is accountable for doing the work and confirming it was completed. Avoid this mistake by listing specific job titles or individuals. The institution must be able to recreate the chain of events so the board can validate the process and examiners can confirm that proper repairs were made.

Confirming the Correction

The responsible party should report to the board when the correction is complete. The board should receive these reports at a regular, predictable interval and in a standard format. It’s a best practice to require that managers provide evidence of the correction; in other words, trust, but verify. The implementing manager should conduct a preliminary validation of the correction and demonstrate, through actions and evidence, that the problem is fixed. This assures directors that management has actually resolved the issue rather than merely paying it lip service.

Follow-up Reviews

Compliance personnel should conduct follow-up reviews at the proper time after corrective measures are implemented. Reviews shouldn’t happen too soon, because the board won’t be able to tell whether the fix stuck. Often, a corrective measure validated within days of its application will seem to work beautifully. This is either because it worked, or because the change is fresh in the minds of staff and they haven’t had time to backslide into old ways.

A minimum interval of 90 days before verifying corrections allows enough time to gather trend and analytical information and to see whether the corrections withstood the test of time. Beware, however, of waiting too long. Problems may persist if the fix wasn’t properly applied at the outset. Imagine waiting a year before reviewing your fix, only to find that the wrong corrective actions were taken.

To recap, avoid these red flags of poor corrective action:

  • Failure to set specific correction standards
  • Failure to designate a single party ultimately responsible
  • Failure to confirm issues are resolved
  • Failure to keep records so when examiners ask how and why certain things were done, the action can be reconstructed and proved

Bottom line: it is simply not enough to have strong policies and procedures, even with a strong audit program that detects weaknesses. It’s crucial to have an equally strong protocol for swift and precise corrective action. Just as preventive maintenance protects your home, a strong compliance program protects your institution’s value for the long term.

The Internal Auditor’s Role in Regulatory Compliance

The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.

This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overarching all of this compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?

Elements of a Compliance Management Program

Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.

Typically, the basic elements include:

  1. Designation of a compliance officer
  2. Policies
  3. Procedures (internal processes and controls)
  4. Regulatory change management
  5. Training
  6. Quality control (monitoring)
  7. Consumer complaint response process
  8. Audit

Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.

Two elements assess the overall effectiveness of a compliance program: quality control and audit. Let’s expand on each of those components.

Quality Control

The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. The function should be risk-based, focusing the most resources on the areas of greatest risk. In an effectively designed quality control program, an employee who is independent of the originator of the activity, such as a supervisor, reviews an ongoing risk-based sample of the work performed in the applicable area. The program should be designed to assess specific areas according to their residual risk of non-compliance.

Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess the applicable areas for overall effectiveness and identify any worsening trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.

Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.

Compliance Audit

The compliance audit provides an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Decisions about where to focus audit resources should rest on an initial risk assessment that considers a range of information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, past problems, employee turnover in the compliance department or line of business, and the results of the quality control reviews. The results of the risk assessment determine the scope of the compliance audit’s coverage and testing.

The compliance audit results should be provided in formal, detailed reports that outline the findings and management’s action plan to resolve each one. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner and protocol as the organization’s overall audit function. The compliance function should be audited less frequently than the quality control program operates; the timing of audits can follow a rotational schedule supported by the results of the risk assessment process.

Note that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and should not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked to resolution.

Compliance Across the Board

The current regulatory environment requires a new business model for compliance, one that reaches every facet of an organization. Internal audit can enhance the success of a compliance management program by providing informative feedback that strengthens the program’s effectiveness and sustainability.