
PPP Loan Audits: How to Proactively Address Regulatory and Litigation Risk

Aug 19, 2021

When financial institutions were asked to help American small businesses survive the COVID-19 pandemic last year by implementing the Paycheck Protection Program (PPP), they answered the call in record time. An integral part of the CARES Act, PPP was instrumental in buoying the economy during COVID lockdowns.  

Encouraged by the Small Business Administration (SBA), FIs raced to originate these loans, which were in many cases necessary to keep the doors of small businesses open and paychecks in the pockets of employees struggling with COVID-related impacts.  The rapid pace was good for small business borrowers and displaced employees alike—but that haste is posing potentially significant regulatory and litigation risk to FI originators due to lapses in program oversight. 


While FIs typically rely on internal audit to provide oversight and assurance services, the haste in PPP program implementation coupled with the displacement of audit resources due to COVID made this a challenging task. For smaller institutions without a dedicated internal audit department, it meant spending additional resources on external assurance providers. Some institutions relied on the second line to provide QC/QA, while others lacked the resources to undertake any risk mitigation activities at all.  While the forgiveness of PPP loans significantly lessened the potential credit risks of the program, there was no safe harbor to alleviate risks in other areas such as Bank Secrecy Act (BSA), Office of Foreign Assets Control (OFAC), fraud, Equal Credit Opportunity Act (ECOA), and Fair Credit Reporting Act (FCRA)—just to name a few.  

Now as PPP investigations and lawsuits emerge, it may be time to pay the piper, but PPP problems are not a foregone conclusion. Now is the time for FIs to evaluate (or re-evaluate) the control environment surrounding their PPP lending program—proactively surfacing PPP program lapses and remediating issues that present significant risks. 


Here are some of the questions management and the board should be asking and potential remediation activities. 

Questions for FIs with Internal Audit  

Ask: Did we update our audit universe to include PPP loans?  Did we amend our Audit Committee charter (as appropriate)?   

These are important considerations, as they will dictate the role that internal audit plays in assurance over the operational, legal, and regulatory elements of the institution’s PPP program.  They will also serve as evidence that senior management and the board acknowledged the risks of PPP lending and allocated resources to identify and remediate any lapses in program oversight. 

Ask: What is the scope of our PPP audit program?  Was this scope commensurate with the perceived risks at the time?  Should we re-evaluate the audit scope based on the current risk environment?   

As the risk landscape has changed significantly since the inception of PPP, it may be time to re-evaluate the risks and amend the audit scope to accommodate any significant changes in the risk landscape. 

Ask: What are the specific objectives of our PPP audit program?   

These may also have changed since the inception of the program.  While early audits may have focused on applications, a contemporary PPP audit program should be expanded to include tests of operational controls as well as testing of loan forgiveness applications and the required source documents. 

Ask: When selecting PPP loans for testing, what sample size and methodology did we use? Were the selection criteria appropriate given the risks as we now know them?  If not, should we re-evaluate this methodology based on the current risk environment?   

In addition to these concerns, commonalities across the PPP loan portfolio may be evaluated and included in the selection criteria (e.g., loans by dollar amount or by borrower characteristics such as geography, minority ownership, size, or industry).


FIs without Internal Audit 

Ask: Was second line testing (compliance, QC/QA) put in place for PPP loans?   

For smaller institutions that lack a true internal audit department, a reliance on second line testing may be sufficient depending on the identified inherent risks. However, concerns around second line testing scope, objectives, and selection criteria should be evaluated similarly to the above.

Ask: Was there any assurance or testing program in place for PPP lending?  If not, can we establish a program with our current level of internal resources and core competencies?   

This does not have to be strictly an internal audit function, especially for smaller institutions, if reasonable assurance can be provided by the second line.  The challenge is program development, which should be based upon the current risk environment associated with the PPP program as well as institution specific risks.  

Ask: Was an external party engaged for PPP audits? If so, what was their scope, objectives, and selection criteria?   

These criteria should be evaluated similarly to the above, as the external third party is providing assurance services akin to the internal audit department. If a deficiency is noted in the context of the current risk environment, the institution should consider expanding its engagement criteria (scope and objectives) accordingly.

Mitigation Actions 

Regardless of how assurance/testing is conducted, FIs should focus on the results and any associated remediation.  There are a variety of remediation activities that may mitigate potential regulatory and/or litigation risks in this area, including:

  • Establishing a PPP program testing or assurance program if none was in place previously. 
  • Conducting a back test using scope/objectives/criteria commensurate with the current PPP risk environment.
  • Demonstrating ongoing compliance with relevant regulations, for example filing SARs for any identified suspicious activity. 
  • Communicating exceptions and remediation activities with the appropriate regulatory authorities, as appropriate. 

Due to the evolving risk landscape of PPP lending programs, conducting testing and/or assurance activities is a key strategy for any institution seeking to mitigate legal and regulatory risks in this area.  As the PPP program (and hopefully COVID) winds down, we may echo the sentiment of SBA Associate Administrator Patrick Kelley, who recently said that we can “hopefully put PPP in the rearview mirror for the borrowers, for the lenders and for the agency.” Until then, this hope must be tempered with caution and the appropriate audit/testing methodology to surface and mitigate any of the lingering PPP program-related risks.
