Compliance Emergency Room - Tracking Exam and Audit Findings
Best Practices for Tracking Exam & Audit Findings
An emergency room (ER) is a place where chaos is organized. Patients are triaged by need. Staff uses electronic records to keep medical histories. Interactions, tests and prescriptions are carefully tracked.
They’re designed this way because the stakes are high—no patient can be overlooked.
But what happens when a bank’s compliance program has an emergency? Too often, it doesn’t get the attention it needs, and the consequences can be dire.
I’m talking about findings—and how they can fall through the cracks, putting an institution at risk.
Whether it’s accidental or a systemic problem—life threatening or just a serious pain point—findings reveal the weaknesses in an institution’s compliance program. They are also an opportunity to improve operations and demonstrate to examiners that compliance is taken seriously. Unfortunately, this doesn’t always happen.
A Findings Flood
There’s no shortage of findings at financial institutions. Smart institutions regularly test the strength and accuracy of their compliance programs, uncovering issues as they go. The classic compliance model has four lines of defense: management and employees, internal audit, external audit and government review.
In an ideal world these exercises would come back clean, revealing a sound program with no weaknesses. But the truth is every institution has some areas of compliance that need work. In fact, it’s common for institutions to have findings in each of the four areas.
And that’s where the problem lies. On its own, one finding can be simple to track. A handful is manageable. But the more findings an institution has to juggle—and the more complex those findings are—the harder it is to keep everything straight.
And there is plenty to keep straight. Consider the frequency of bank reviews. Whether it’s Community Reinvestment Act, safety and soundness or a compliance or financial audit, there’s some type of review every 6 to 12 months. Add to that government findings and management and employee reports, and tracking findings becomes an overwhelming task.
Failure to properly handle findings can cost an institution. Examiners expect institutions to take findings seriously. In worst-case scenarios, those that don’t may be prevented from raising capital or restricted in their banking activities.
That’s why every institution needs a compliance emergency room—a systematic, centralized system for tracking, remediating and documenting findings to ensure nothing gets lost in the shuffle. Best practices suggest that the system be:
- While findings vary in their size and importance, each finding must be handled consistently. Exceptions make for sloppy record keeping and increase the likelihood of a finding getting lost or forgotten.
- Every document, policy and procedure should be stored in one place. Staff shouldn’t maintain piecemeal files across the bank. That includes logs of all remediation activities.
- Well Documented. If an action isn’t documented, then in the eyes of regulators it didn’t happen. Document meetings, plans for resolving the issue and each step taken towards remediation.
- For every finding, make it clear who is responsible for overseeing the remediation plan. Document which tasks are assigned to which employees and carefully track each employee’s progress.
- Traceable with an audit trail. Keep a log of all activities, noting what was changed, when and by whom.
- Compliance teams face constant distractions as new findings emerge. Don’t let old findings get lost in the shuffle. Have a method in place to ensure the bank actively follows up on all known findings on a regular basis.
- Exam ready. When it comes to exam prep, an institution should be able to easily demonstrate all of its findings and how close the bank is to remedying each issue.
Before the explosion of Dodd-Frank regulations, most banks used manual processes to track findings—and it often worked. Institutions had enough staff to eke out a solution with Excel spreadsheets. But with fewer staff and more findings, this isn’t a viable approach anymore.
Spreadsheets are notorious for their inaccuracies, with multiple users editing them and saving separate versions. There are no logs to track who last updated files—if employees remember to update them at all. That’s because spreadsheets are inherently passive and unable to send reminders to keep the process moving. It’s a very unsophisticated product for a very high-risk process.
But when an institution has a structured method for tracking exam and audit findings, it not only reduces the risk of findings errors and material loss, it also improves efficiency—decreasing the internal workload.
The prescription for better tracking of exam and audit findings—while improving operational efficiency—is your own compliance emergency room. It’s great medicine for your compliance program.