Audit Hot Topics: Internal Controls
Bank boards and executive teams face a number of risks in these challenging times. They may need to adapt their strong internal controls in response, as Mandi Simpson and Sal Inserra — both audit partners at Crowe — explain in this short video. You can find out more about the audit and accounting issues your bank should be addressing in their recent webinar with Bank Director CEO Al Dominick, where they discuss takeaways from the adoption of the current expected credit loss model (CECL) and issues related to the pandemic and economic downturn, including the impact of the Paycheck Protection Program and concerns around credit quality.
Handling Today’s Top Risk Challenges
Cybersecurity and compliance are the top two areas of concern for the bank executives and directors responding to Bank Director’s 2017 Risk Practices Survey, sponsored by FIS. What are the best practices that boards should implement to mitigate these risks? In this video, Sai Huda of FIS highlights the survey results and details how boards can stay proactive.
- Cybersecurity and Compliance Gaps
- Five Cybersecurity Best Practices
- Three Ways to Strengthen Internal Controls
What Does the Wells Fargo Debacle Mean for Incentive-Based Compensation?
With all of the recent press coverage of the Wells Fargo & Co. phony account scandal, you’d have to be living in a cave not to have heard about it. As the details come to light, I’m certain it will be a test case for how not to design an incentive-based compensation program. But does it mean that incentive-based compensation is a bad thing? In my opinion, a properly designed program can be well within the bounds of safety and soundness, can create proper inducements for the appropriate segment of your workforce, and can avoid creating the negative results that Wells Fargo experienced.
In our firm, Bank Compensation Consulting, one of the most common short-term, incentive-based compensation designs has a deferral component at its heart. When a participant earns a bonus by achieving the goals set forth in the design, all or a portion of that bonus is deferred until some point in the future, say, five years from earning it. The deferral component accomplishes a number of goals. For one, it gives the participating employee a reason to remain employed with the bank: if the employee leaves the bank before receiving the deferred amount, it is forfeited. It also allows the bank to comply with the clawback rules requested by the regulators. Since the unvested portion has not yet been paid out, it can more easily be “clawed back” should there be a violation of the terms outlined in the plan document.
Would this deferral design have helped in the Wells Fargo situation? As of this writing, the answer to that question is unclear. I will say that, when I consider how many years I’ve been working with banks and non-financial institutions to implement incentive-based compensation programs, and I consider how many of those haven’t had the result that Wells Fargo has, I think the answer is clear. As a CPA who did his requisite time at one of the large accounting firms, I have to ask myself questions like: What types of internal controls exist at Wells Fargo? What management oversight is in place to ensure an employee can’t easily create a fake account? Weren’t there ‘red flags’? Certainly, when your inventory is cash, there is always an element of temptation that some people simply cannot overcome. But, the sheer volume of the fraudulent accounts created indicates, at least to me, that at some level Wells Fargo management was sending the wrong message to the staffers involved. The corporate culture in the division of Wells Fargo where this took place must have played an enormous role.
The fact that an incentive-based compensation program existed shouldn’t mean that the program itself was the culprit that induced employees to create fraudulent accounts. My colleagues and I feel that the malleability of such programs is extremely advantageous when trying to encourage certain actions by one employee or a group of employees. However, care and experience should go into creating a safe and sound incentive-based compensation design.
You might just want to get inside a cave if you were an executive at Wells Fargo right now. Designing an effective and safe incentive-based compensation program and making sure it’s implemented correctly is one way to avoid the glare of bad publicity.
The Board’s Role in the Transition to CECL
This summer, the Financial Accounting Standards Board (FASB) completed its project on credit losses with the issuance of a new standard that brings one of the most significant changes to financial reporting that financial institutions have seen in decades: The incurred loss model for estimating credit losses will be replaced with a new model, the current expected credit loss (CECL) model. In many cases, the new credit loss calculations are expected to result in an increase in the allowance, and, thus, might have a significant impact on capital requirements. Banks will need sufficient time to prepare and adjust capital planning and capital management strategies.
Banks are educating themselves on the changes, and boards of directors should be aware of the challenges faced by the banks they oversee.
As with any major initiative, a successful transition to the new standard will require the active involvement of the audit committee, the board of directors, and senior management. Given the audit committee’s responsibility for overseeing financial reporting, it has a critical role to play in overseeing implementation.
Recently, speakers from the Securities and Exchange Commission’s (SEC’s) Office of the Chief Accountant have emphasized the role that audit committees should have in implementing new significant accounting standards. In his speeches at Baruch College and the AICPA Bank Conference, Wes Bricker, interim chief accountant, addressed CECL implementation. Likewise, the federal financial institution regulatory agencies have addressed the role of the board in implementing the new credit loss standard. The agencies issued a joint statement on June 17, and in March the Federal Reserve System (Fed) released an article, “New Rules on Accounting for Credit Losses Coming Soon.” The speeches, joint statement, and article highlight tasks that boards of directors and audit committees may consider during transition, including:
- Evaluate management’s implementation plan, including the qualified resources allocated for execution.
- Monitor the progress of the implementation plan, including any concerns raised by the auditors or management that might affect future financial reporting.
- Understand the changes to the accounting policies that are required for implementation.
- Understand management’s transition to any new information systems, modeling methodologies, or processes that might be necessary to capture the data to implement the standard.
- Oversee any changes to internal control over financial reporting in transitioning to the new standard.
- Review impact assessments of the new standards, including impact on financial statements; key performance metrics, including credit loss ratios, that might be disclosed to investors outside the financial statements; regulatory capital; and other aspects of the organization such as compensation arrangements and tax-planning strategies.
- Understand management’s plan to communicate the impact of the new standard on key stakeholders, including the new disclosures required by the standards and disclosures made leading up to the adoption date. Those who file with the SEC will need to disclose information about standards effective in future periods, including the expected impact when adopted.
In evaluating management’s implementation plan, it is important to develop an understanding of management’s timeline for implementing the new standards and to be aware of the effective date. Recognizing that the definition of a public business entity (PBE) under FASB includes many financial service entities, the FASB split the definition to provide additional time for PBEs that are not SEC filers.
- For PBEs that are SEC filers, the standard is effective in fiscal years beginning after Dec. 15, 2019, and interim periods in those fiscal years. For calendar year-end SEC filers, it first applies to the March 31, 2020, interim financial statements.
- For PBEs that are not SEC filers, the standard is effective in fiscal years beginning after Dec. 15, 2020.
- For all other entities, the effective date includes fiscal years beginning after Dec. 15, 2020, and interim periods in fiscal years beginning after Dec. 15, 2021.
- Early adoption is permitted for all entities in fiscal years beginning after Dec. 15, 2018, and interim periods in those fiscal years. That means, any calendar year-end entity may adopt as early as the March 31, 2019, interim financial statements.
While those dates might seem somewhat distant, there really is no time to lose in preparing for the transition.
How to Get Ready for a Safety and Soundness Exam
There are few events in the life of a bank that are more important than a safety and soundness examination by the institution’s primary regulator. A passing grade means the bank will be able to execute its growth strategy, including acquisitions, product development and business expansion, with little interruption or objection from its regulator. Not only does a failing grade mean that the bank’s major growth initiatives will probably be put on hold, but its management team will have to spend both time and money fixing the deficiencies—resources that otherwise would be spent on more productive pursuits. Gary Bronstein, a Washington, DC-based partner at Kilpatrick Townsend & Stockton LLP, offers advice to bank management teams and boards on how to prepare for an exam in an edited conversation with Bank Director Editor in Chief Jack Milligan.
Preparing for a Safety and Soundness Examination
The first thing, which is probably the most important thing, is for management and the board to review any deficiencies or matters requiring attention from the prior exam and make sure those have been addressed. The regulators will verify and review the effectiveness of any corrective action taken after a prior exam. A few other things that are perhaps a little less pressing but still important to consider include any changes in the bank’s business activities since the last exam. You might want to take a look at your policies and procedures to make sure that those have been updated to reflect the new activities. For example, if the bank is engaging in a new lending activity or a new subsidiary activity, do the policies and procedures reflect what they’re doing? Also, if you’re expanding to new markets, that also may require a look at the policies and procedures.
It’s also important that you prepare your employees for the examination process. Make sure they’re aware that the exam is coming, what the schedule is, when the examiners will be there and where they’ll be located. Remind employees of simple things about office protocol that you might take for granted, such as not having business discussions in public areas where they may be overheard by an examiner, and not leaving documents lying around in conference rooms or on photocopiers that examiners might have access to and that might contain sensitive information you’re not ready to provide. Employees should be knowledgeable about the policies and procedures for which they’re responsible, because they may be asked to talk about them.
Approximately 30 to 90 days before the exam, the bank will receive what’s called a first day letter, which describes the scope of the exam. That is to be taken seriously. It’s important to do your homework on that letter and what’s in it. The other thing worth looking at is that each of the federal banking agencies has an examination manual posted online. It sets forth the supervisory and examination objectives. That’s absolutely worth reviewing. It’s a good idea to appoint a point person at the bank who is responsible for handling all inquiries that arise during the exam. And when you gather information for examiners, keep a record of what you’ve gathered so that if anything gets lost, you have a record of it.
The Importance of the Initial Meeting With the Examiners
It’s important to think in advance of an exam about the opening meeting that will take place with the examiners. It’s important to make a good first impression because that can set the tone for the exam. You should probably have your full executive team present for that. I don’t think it’s necessary to have a board member at that initial meeting because most banks generally think of an exam, certainly at the initial stage, as more of a management function than a board function. It might be a good idea to have your compliance officer present, as well as the key officers in charge of particular business units. You might start off the meeting by talking about issues that were raised during the prior exam and address those up front. Address the changes that have taken place at the bank since the last exam so that the examiners are well informed of what has happened. Set the ground rules for how the exam is going to unfold in terms of how long they’re going to be there, what days of the week and the person to contact.
Other Pre-Examination Considerations
Take care of logistics, such as where the examiners are going to sit. Make sure they have access to things that they need because that sets a nice tone. It’s a good idea to be proactive. Sometimes you have new examiners who are not familiar with your bank, so it’s a good idea to start off with a summary of your business, where you’re headed and what your control environment looks like. Also, you might consider self-identifying issues or problems, but don’t do that without being prepared to provide a remediation plan of how you’re going to deal with those issues.
And make sure your files are organized because it sets a bad tone if you’re having difficulty finding things and it takes a long time, so organize your files related to things you expect the examiners are going to look for.
Conducting a Mock Examination
Some banks conduct a mock regulatory examination, which may help you prepare for the process and identify areas to focus on. It could be performed by someone at the bank who is experienced in having gone through a number of exams, so they’re familiar with how the examination process takes place. Or you could use an outside consultant who walks you through an initial meeting, gets you prepared for issues that would typically arise during the exam. What happens if the examiner approaches you about X, Y or Z? How are you going to respond? What happens if you disagree with an examiner? Who’s going to be the spokesperson and how can you effectively address the disagreement?
Handling Difficulties as They Come Up During the Exam
Issues regularly come up during an exam. They could be tactical in nature. It might be the examiner taking a position that there’s been a regulatory violation. Is that based upon a law or regulation? It might not, in fact, be a violation, but there may be a disagreement. It might be a reasonable and understandable disagreement. It may not be. It may be a misunderstanding about something that the bank is doing that they’re actually not doing. It can be a mistake. Some of the examiners are inexperienced and like any person, an examiner can make a mistake. The question becomes, how do you proceed?
My first piece of advice for disagreeing with an examiner is this: Proceed with caution. The last thing you should do in communicating with the examiner is to dress that person down, or berate the person. I’ve seen that happen and things deteriorate quickly. That’s a bad idea in almost any scenario but it’s certainly a bad idea when you’re dealing with an examiner or regulator. You should never be condescending or disparaging. I think it’s important to be non-defensive, factual, unemotional and just set forth why you disagree. If it’s done in a constructive manner, it should go pretty well.
The importance of dealing with problems as they come up
Whether it’s a regulatory violation or some other significant issue that arises during the exam, the bank should make every effort to try to get it resolved, hopefully while the examiners are still there, but certainly before the examination report is issued. If it’s a regulatory violation, it’s a good idea to get the lawyers involved, whether it’s in-house or outside counsel, to get an opinion about whether or not the situation does rise to a regulatory violation and then address it head-on, but again in a constructive way. Hopefully, it can be solved by resolution as opposed to a heated argument.
The board’s role in preparing for a safety and soundness examination
The one thing the board can be doing all year long is to make sure that any discussions about board oversight of management are properly recorded in the minutes, because the examiners are going to look at the board minutes, and I’ve heard it said on many occasions that from an examiner’s perspective, if it’s not in the minutes, it didn’t happen. That’s not to suggest that you should have a stenographer on hand to record every word, but the minutes ought to be a fair summary of what discussions have taken place, particularly with respect to the prior exam. It’s important to have a record that these issues were discussed, that the exam was discussed, that the response was discussed and that questions were asked.
It is important that there be a tone at the top communicating that the examination process is important, and that begins with the board and the senior management team. As far as board involvement is concerned, certainly if it’s a troubled bank, the board is going to be more involved in the examination process and there’s the expectation that the board will be. With a healthy bank, you might have the chair of the audit committee be available as needed. Issues that may be discussed include the internal audit process and the internal controls environment. The audit committee chair is the most credible person to discuss those issues.
Managing the post-examination process
As always, management is on the front lines and the board is performing an oversight function. I think it’s important after the exam to have open lines of communication with the examiners, particularly with an issue that might be unresolved, because I think it’s important to vet those issues, provide additional information, and hopefully correct those issues before a final report is released, so that kind of back-and-forth communication between management and examiners is important. If there are any issues of significance, those ought to be brought to the board’s attention as soon as possible so that the board is aware of it. If they’re significant enough, the examiners are going to want to meet with the board, so the board needs to be well informed before any meeting takes place with the examiners.
The final report ought to be reviewed carefully and a well thought out plan for correcting any problems ought to be developed. The written response ought to be delivered in a non-defensive and factual way, without getting combative. I think it’s important not to over-commit to remediation and corrections because the last thing you want is to commit to doing something and you’re unable to deliver. It’s important at the board level that there be a written record of discussions about the exam process, the report, the response and it’s important that management fully report to the board about the issues that arose during the exam. The board ought to be engaged and ought to challenge management about the areas of concern that were raised during the process, because ultimately, the board is going to be held responsible if there are any repeat violations of issues raised during the exam.
What To Do To Prepare for a CFPB Examination
The Consumer Financial Protection Bureau’s exams are an open-book test, but does your organization have the book? Obviously, there are subjective elements to every exam. But we do recommend doing your homework.
Read Up on What to Expect
The first document you need is entitled “Debt Collection Examination Procedures,” October 24, 2012, available on the CFPB website. There are a number of different ways to use the manual, but a critical task is to take each requirement in the manual and inventory all the ways your bank can answer: How can we prove that we are meeting this? What tangible evidence exists that we can put in front of an examiner?
The second document is the general CFPB Supervision and Examination Manual, from October 1, 2012. The full text is now over 900 pages long, so we recommend that banks start with the Risk Assessment Template. At a minimum, banks should consider two sections:
- Risk Assessment Template: We recommend that companies use this as a means of seeing the organization as the CFPB will. Where are the risk areas for potential consumer harm and how are you mitigating those risks?
- Part II.A. Compliance Management Systems (CMS): This covers the process used to identify regulatory changes, assess their impact on your organization, incorporate the changes into your regular processes and monitor compliance on an on-going basis.
Catch Up on Current Events
It can be challenging to stay abreast of CFPB developments: We recommend that those responsible for managing the examination read up on as much public information as possible about what the CFPB has been doing, including:
- The CFPB website often has speeches and Congressional testimony from its leadership. This often is a good source of information on what the CFPB is emphasizing and their areas of focus.
- The CFPB publishes a document two to three times per year entitled “Supervisory Highlights,” which summarizes issues they have seen and actions they have taken during their routine examinations. The actions summarized here and presented anonymously provide insight into common issues at regulated entities.
- Websites from CFPB watchers: Several law firms maintain very good web sites that track and comment on CFPB related developments.
Get All Hands on Deck
Some organizations see regulatory exams as a legal matter, others as compliance. We recommend mustering all internal resources which can assist, regardless of their normal duties. In addition to legal and compliance, this could include internal audit and operations. It is important that the team that will participate in the examination is involved right from initial planning through final resolution. We have seen situations where upfront planning is handled by a single function, for example the legal department, and the actual examination is given to another department, say compliance. This can lead to a bad handoff, poor communication and other problems.
Clients sometimes ask us who should be available to work with the examiners. You want your “go to” people available. This may skip official reporting lines; oftentimes the nominal head of a function is not the most knowledgeable about daily processing or issue resolution. It is in all participants’ interest to efficiently clear any preliminary issues raised during the examination.
Heal Thyself
Do you have the kind of organization where people can raise their hand when they see a problem, or the kind where bad news is suppressed? One of the authors of this article worked at a bank where quality metrics were a very large component of operations management’s performance evaluation, so operations management fought every issue that the internal Quality Assurance and Quality Control functions raised. As a result, the quality metrics were overstated, and the bank was surprised at the number and severity of issues raised by its regulator. Don’t underestimate the power of an executive sitting down with personnel a few levels below him or her and asking, “What do you think could burn us with the examiners coming in?”
Prepare Your People
Many of the people in your organization who participate in an examination are not individuals who routinely deal with outside parties. Few organizations would send a salesperson out into the market to represent the company without preparation. However, we have observed the equivalent happen when unprepared staff are given critical roles in an examination. Make sure that management prepares everyone who will participate.
While On Site
Anyone who has spent time as an auditor has experienced being put in dank, windowless basements. Have your organization treat the examiners like you would an important client that was coming in: have a welcome message in the lobby and have decent space for them. In short, they are human and like all humans are going to respond to any perceived disrespect.
There’s a New Framework for Internal Controls: What Boards Need to Know
The COSO framework, named for the Committee of Sponsoring Organizations of the Treadway Commission that publishes it, is used by most public companies when reporting on the effectiveness of their internal control over financial reporting in compliance with the Sarbanes-Oxley Act.
The organization, whose sponsoring members include the American Institute of CPAs and the Institute of Internal Auditors, released an updated version of its major guidance document in May of 2013, called Internal Control—Integrated Framework.
As a member of a bank board or audit committee, it is important to have an understanding of how these changes might impact your bank.
Banking regulators are putting more pressure on banks to diversify lending while simultaneously improving credit risk management and reporting, and they are also after banks to focus on IT security. The 2013 framework creates a more formal structure for designing and evaluating the effectiveness of internal controls by codifying the fundamental concepts associated with them. A set of 17 broad principles relating to internal controls, which were present but deeply buried in the earlier framework, now supplement the five components held over from the 1992 framework. These components and associated principles are:
- Control environment
  - Demonstrates commitment to integrity and ethical values
  - Exercises oversight responsibility
  - Establishes structure, authority and responsibility
  - Demonstrates commitment to competence
  - Enforces accountability
- Risk assessment
  - Specifies suitable objectives
  - Identifies and analyzes risk
  - Assesses fraud risk
  - Identifies and analyzes significant change
- Control activities
  - Selects and develops control activities
  - Selects and develops general controls over technology
  - Deploys through policies and procedures
- Information and communication
  - Uses relevant information
  - Communicates internally
  - Communicates externally
- Monitoring activities
  - Conducts ongoing or separate evaluations
  - Evaluates and communicates deficiencies
Entities must demonstrate compliance with the principles associated with each component above to conclude that the component is present and functioning.
Also new to the 2013 framework are 75 points of focus that relate to external financial reporting. These specific considerations relate to each principle above, principles such as “assesses fraud risk,” and are important characteristics to consider in determining whether the corresponding principle is, in COSO’s terms, “present and functioning.” Not all points of focus need be met to conclude that a principle is present and functioning.
A key first step is determining how the 2013 framework will affect your internal controls’ design, documentation and evaluation. While many businesses have an abundance of transaction controls but gaps in other areas, banks—which operate in a regulated environment with frequent examinations—are more likely to have implemented many of the entity-level and monitoring controls that other companies lack. Still, since some of these controls may not have previously been identified as key SOX controls, additional documentation may be necessary.
Your staff should begin by matching existing documented controls with the new principles and associated points of focus. Next, they should compare each principle and point of focus to your existing controls to assess whether the controls are sufficient to conclude that each principle is present and functioning. A fair amount of judgment is involved in determining which controls address a specific principle or point of focus, and undoubtedly there will be many relationships between your existing controls and the COSO principles and points of focus.
If you can conclude that the principles are covered, no further analysis is necessary. But if it appears a principle isn’t covered, your staff should determine whether the unmet principle or point of focus is due to an entirely missing control—an activity the institution doesn’t perform—or to an undocumented control. Many apparent gaps are the result of missing documentation, not missing controls.
At this point, staff should determine whether undocumented controls should be formally documented as part of your bank’s SOX program or if new controls are necessary to mitigate the missing controls. This is an important point and should be considered carefully. Although your SOX program may be based on the 2013 framework, not all points of focus need to be covered by a key SOX control.
The process of mapping your internal control documentation to the principles and points of focus and mapping each principle and point of focus to your documented controls will help you evaluate your mix of control activities, the levels at which activities are applied, and segregation of duties. This exercise will determine how close you are to complying with the COSO 2013 framework—and put you on the path to full compliance.
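The two-way mapping and gap classification described above can be run as a script rather than by hand. The following is an added example written for this page, not code from the original article or from COSO; the 17 principle names are the ones listed above, while the principle IDs, the control inventory (nine constructed controls), the `documented`/`performed`/`key_sox` attributes and the three status labels are assumptions made for illustration. Points of focus are left out because COSO’s own wording for them is not reproduced on this page; a real inventory would map controls at that finer level.

```python
"""Map a bank's documented controls onto the COSO 2013 principles and
classify each principle as covered, undocumented or missing.

Added example, not from the original article or from COSO.  Principle IDs,
control descriptions and status labels are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# COSO 2013 components and their 17 principles, as listed on this page.
# The two-letter IDs are this example's own shorthand, not COSO numbering.
PRINCIPLES: Dict[str, str] = {
    "CE1": "Demonstrates commitment to integrity and ethical values",
    "CE2": "Exercises oversight responsibility",
    "CE3": "Establishes structure, authority and responsibility",
    "CE4": "Demonstrates commitment to competence",
    "CE5": "Enforces accountability",
    "RA1": "Specifies suitable objectives",
    "RA2": "Identifies and analyzes risk",
    "RA3": "Assesses fraud risk",
    "RA4": "Identifies and analyzes significant change",
    "CA1": "Selects and develops control activities",
    "CA2": "Selects and develops general controls over technology",
    "CA3": "Deploys through policies and procedures",
    "IC1": "Uses relevant information",
    "IC2": "Communicates internally",
    "IC3": "Communicates externally",
    "MA1": "Conducts ongoing or separate evaluations",
    "MA2": "Evaluates and communicates deficiencies",
}


@dataclass
class Control:
    control_id: str
    description: str
    principles: Set[str] = field(default_factory=set)  # principles this control addresses
    performed: bool = True    # the activity actually happens at the bank
    documented: bool = True   # it appears in the SOX control documentation
    key_sox: bool = False     # designated a key SOX control

    def __post_init__(self) -> None:
        # Refuse a mapping to a principle that does not exist, so a typo in
        # the inventory cannot silently make a principle look covered.
        unknown = self.principles - PRINCIPLES.keys()
        if unknown:
            raise ValueError(f"{self.control_id}: unknown principle IDs {sorted(unknown)}")


def reverse_map(controls: List[Control]) -> Dict[str, List[str]]:
    """Principle ID -> IDs of performed controls mapped to it (the second direction)."""
    out: Dict[str, List[str]] = {pid: [] for pid in PRINCIPLES}
    for c in controls:
        if not c.performed:
            continue
        for pid in c.principles:
            out[pid].append(c.control_id)
    return out


def classify(controls: List[Control]) -> Dict[str, str]:
    """'covered' if a documented, performed control maps to the principle;
    'undocumented' if only performed-but-undocumented controls do (the
    apparent gap the text warns about); 'missing' if nothing performed maps."""
    by_id = {c.control_id: c for c in controls}
    status: Dict[str, str] = {}
    for pid, cids in reverse_map(controls).items():
        if any(by_id[cid].documented for cid in cids):
            status[pid] = "covered"
        elif cids:
            status[pid] = "undocumented"
        else:
            status[pid] = "missing"
    return status


def principles_without_key_control(controls: List[Control]) -> List[str]:
    """Principles that some performed control addresses but no key SOX control does.
    These are candidates for a designation decision, not automatically gaps."""
    by_id = {c.control_id: c for c in controls}
    return [pid for pid, cids in reverse_map(controls).items()
            if cids and not any(by_id[cid].key_sox for cid in cids)]


# Constructed sample inventory (not a real bank's controls).
SAMPLE_CONTROLS: List[Control] = [
    Control("C-01", "Annual code-of-conduct attestation by all staff", {"CE1", "CE5"}, key_sox=True),
    Control("C-02", "Audit committee reviews internal audit and exam findings", {"CE2", "MA2"}, key_sox=True),
    Control("C-03", "Quarterly fraud risk review led by the CFO", {"RA3"}, documented=False),
    Control("C-04", "Change approvals for the core banking platform", {"CA2", "RA4"}, key_sox=True),
    Control("C-05", "Org chart and delegation-of-authority matrix kept by HR", {"CE3", "CE4"}),
    Control("C-06", "Monthly ALCO and credit committee reporting package", {"IC1", "IC2"}),
    Control("C-07", "Policy and procedure manual reviewed annually", {"CA3"}),
    Control("C-08", "Internal audit continuous monitoring of loan exceptions", {"MA1"}, key_sox=True),
    Control("C-09", "Retired branch cash-count control", {"CA1"}, performed=False),
]

if __name__ == "__main__":
    for pid, st in classify(SAMPLE_CONTROLS).items():
        print(f"{pid}  {st:<12} {PRINCIPLES[pid]}")
    print("no key SOX control:", principles_without_key_control(SAMPLE_CONTROLS))
```

On the sample inventory the script reports RA3 as undocumented (the fraud review happens but is not in the SOX documentation, so the fix is documentation), CA1 as missing because its only control is no longer performed, and RA1, RA2 and IC3 as missing outright; the remaining twelve principles are covered. The separate list of principles with no key SOX control is where the judgment call in the text applies: not every one of them needs a key control designated.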