Trust, but Verify


Audit to check and balance the compliance management process

By Mary Thorson Wright

Back in the 1980s, President Ronald Reagan famously cited the Russian proverb “trust, but verify” as part of his negotiations to achieve a breakthrough in the first of several U.S.-Russian arms-control agreements. While the saying irritated the Russians to distraction, the phrase can be a useful reminder for the essential role that effective auditing plays in the compliance process.

Community bank compliance officers spend the lion’s share of their time executing compliance management programs by learning about and analyzing regulatory requirements, providing training on them and helping business units implement them. Executing compliance requirements can be overwhelming, but we’ve all met and been in awe of compliance officers who seem to have it all together. Their program works, and they never seem to miss deadlines or get unwelcome surprises in compliance examinations.

What’s their secret weapon? Trust, but verify.

Auditing for compliance verifies that a bank product, service or system complies with a regulation, rule or imposed condition. It brings valuable feedback to the table about whether a compliance program’s execution is sufficiently comprehensive and whether it is effective.

Last month, Independent Banker provided an overview of the compliance management system, or CMS, framework prescribed by the federal bank regulators for an effective bank compliance solution and how such a framework helps to maintain a compliance program and adapt it to new requirements. The CMS format is detailed enough to guide community banks through the essential elements to manage an effective program, but broad enough to allow each the flexibility to customize it in the context of the bank’s profile and performance. Flexibility to implement on an as-needed basis is a double-edged sword that puts the onus on bank management and compliance officers to establish the CMS and then confirm its effectiveness.

Appearances can be deceiving. A bank’s CMS may look impressive and may appear comprehensive on the surface, but is it effective? In compliance management, the process is only as effective as the bank’s efforts to verify that the application and execution of the requirements are effective and sufficient.

Regulations, rules and laws direct what must happen. Compliance training, policies and procedures spell out what should happen. Monitoring on a periodic basis helps to identify sporadic errors or undesirable changes that may happen. The compliance audit function, when it is used consistently and in the proper scope, tests compliance processes and documentation, including the effectiveness of periodic monitoring (sometimes called checking the checker) over a specified period of time. It provides feedback on how often and to what extent compliance requirements are actually happening.

Plans for compliance auditing for a particular requirement or change should be an integral part of a CMS implementation process, and the timing of audits should be set to capture enough data about transactions, records or files to verify compliance. For instance, the TILA/RESPA Integrated Disclosure (TRID) rule became effective in October 2015. Several months of records of applications are now covered by the rule. When will your community bank audit for TRID compliance?

Audit plans need to give coverage but should be flexible enough to accommodate needs that arise. Audit results provide information to guide management on the structure of its compliance road map and proper resource allocation for corrective actions and future compliance. Compliance execution and compliance auditing need to be employed in a continuous circular process that closes the loop on the CMS and exposes any undiscovered problems.

According to the federal agencies’ description of a CMS, the compliance audit function helps a bank’s board of directors and management measure risk and “should review an institution’s compliance with Federal consumer financial laws and adherence to internal policies and procedures.”

Regardless of the technical regulatory issue, there are several key features that federal examiners look for in an effective compliance audit program, from which your bank can ask these questions to assess and, if necessary, improve its compliance audit:

  • Question: Is the bank’s audit program sufficiently independent, and does it report to the board or a committee of the board?
  • Reasoning: The purpose of an audit is to provide an independent opinion to the board of directors that is not influenced by bank management. The value of the audit is directly related to whether it is unbiased and objective.

  • Question: Does the audit program address compliance with all applicable federal consumer financial laws?
  • Reasoning: The scope of any audit must be comprehensive enough to identify risk and to accomplish the objectives of the bank’s board of directors (i.e., full review of all compliance activities, review of a specific product, or review of a specific regulatory requirement).

  • Question: Is the audit component of the compliance management system strong, adequate or weak? Does it identify areas for further review based on gaps in audit coverage or confirm the accuracy of audit findings and reporting?
  • Reasoning: Executing and implementing compliance requirements without verifying completeness and accuracy lacks validity; auditing processes that are insufficient to accurately and comprehensively identify errors and risk also lack validity.

  • Question: Is the schedule and coverage of audit activities appropriate to the bank’s size, its consumer financial product offerings, and its manner of conducting its consumer financial products business?
  • Reasoning: To achieve the objectives of the board of directors, the audit schedule must be comprehensive in scope, flexible to accommodate changes, and relevant to the bank’s resources, organizational structure and business model.

  • Question: How are audit results and management responses communicated and administered? Do all appropriate compliance and business unit managers receive copies of audit reports?
  • Reasoning: Audit results are a useful tool to help management improve processes, procedures and records. Key stakeholders must be engaged to understand and participate in the audit responses and actions taken following the audit.

  • Question: Do the audit results lead to appropriate, timely corrective action?
  • Reasoning: Audit results without appropriate action are a waste of resources, and they do not support a culture of compliance in the bank.

An effective CMS program demands real checks and balances, and an effective compliance auditing process verifies the sufficiency of the bank’s functions and performers. Implement the CMS foundation and trust in team members to meet standards, but verify with checks and balances that processes, procedures and documentation reflect the intended results. Trust, but verify!

Mary Thorson Wright, a former Federal Reserve manager, is a financial writer in Virginia.

The CMS Framework Series

This month’s feature “Trust, but Verify” is the second installment in a three-part series of articles in Independent Banker on the compliance management system framework outlined by federal regulatory guidance.

See the first installment in the series, “The Full Framework” by Mary Thorson Wright, in the August issue of Independent Banker, available online at

The magazine’s October issue will feature the third installment about the responsibilities and roles of senior managers and boards of directors in maintaining an effective compliance management system.