Ask the Auditors: Top Takeaways about Internal Auditing for Compliance and Risk Management
How are top audit professionals handling compliance and risk management? What are their biggest concerns? Where are they seeing success?
These were the questions at top of mind at our recent webinar, Ask Me Anything: Internal Auditors Tell All. Moderated by Paul Viancourt, Ncontracts VP Solutions Architect and a former credit union auditor, the webinar gave audit professionals a chance to ask their peers about their top audit concerns.
Mark Hutchinson, VP ERM & Internal Audit, Langley FCU
Gary Nakamaru, QA/QC Manager, Evergreen Home Loans
Laurel Sykes, EVP, Chief Risk & Compliance Officer, American Riviera Bank
Here are some of the key takeaways.
On balancing audit and compliance with independence
In addition to risk management, Sykes oversees both compliance and audit at her institution and jokes about being “a walking conflict of interest.” She first began to see scrutiny from the regulators about her dual role around $500 million in assets. By $1 billion in assets, the regulators really want to see separate people overseeing those functions, she says.
“With that third line of defense, regulators start to get nervous. You have to figure out controls to show independence.” For example, Gramm-Leach-Bliley requires user access controls to be independently tested, and the results must be documented, not just offered as an opinion.
“There are different ways to create independence even if you don’t have the bodies,” she says, suggesting doing as much as possible with the second line.
What are examiners looking at?
Audit panelists shared their recent experience with auditors, noting increased interest in IT audits and risk assessments.
Sykes noted that “Regulators are coming down on IT audits.” Having the credentials to understand and engage with those audits is important. Hutchinson relayed that examiners were really concentrating on risk assessments.
The good news: Examiners seemed to have reasonable risk management and audit expectations based on the size of the financial institution.
“They were understanding of our size and complexity,” remarked Viancourt of his previous experience in audit at a small credit union. “They would review us in context of that.”
For example, the CU wasn’t always able to have dual controls over everything. Instead, it might have one strong control and could defend the decision.
The auditor panel offered their insights and best practices for findings management:
Outline findings management in policies. Not all findings are equal, the auditor panelists agreed. They vary in severity and the speed at which they need to be addressed—and this shouldn’t be left up to chance.
Nakamaru says Evergreen Home Loans rates findings on a scale of 1 (top priority) to 5 (lowest priority) based on severity. This dictates the timeline for response, anywhere from within a week to two months. The mortgage company’s policies provide clear illustrations and guidelines for classifying findings. For example, a missing form is given a priority of 1 because the mortgage company recognizes that any future loans that were missing the same form would be considered a repeat violation.
Doing it right is better than doing it quickly. It’s important to have a relationship with the management team so that you understand how long it will take them to address an issue.
“I’d rather talk to examiners about why we didn’t complete something because we did the right thing rather than check a box and say we did it and leave it at that,” commented Hutchinson. “It’s doing the right thing, not just the fast thing. Remediation can take time.”
Systemic issues take longer to fix. Systemic issues can take longer to address thoroughly and should not be rushed. These are often multi-faceted problems that will involve tackling the problem from multiple angles.
Look beyond training and procedures for solutions. Many audit reports automatically say that procedures need to be updated or staff needs to be trained. While procedures and training are important, they are not the root cause of every finding. Be thoughtful when assessing the cause of and solution for each finding. Never accept “We did training” as the answer.
Include retesting in the remediation timeframe. Don’t assume that your FI’s remediation plan worked. Make sure you re-test to ensure the problem is truly resolved. Build retesting into the timeframe for remediation. Many policies and procedures neglect this important step.
Want to hear more from our panel of top audit professionals? Our webinar is available to download now.