How banks can get audit fundamentals right

Sample sizes, audit frequency, scope—take some of the stress out of compliance audits by adhering to audit best practices.

By Mary Thorson Wright

When it comes to effective compliance auditing, community banks often have questions about fundamental issues. How should they sample for coverage? How should they gauge the frequency and scope of audits? What is the most efficient way to approach a compliance audit? Following best practices can take the stress out of audits and lead to a more efficient process and more productive outcomes.

Timing is a key factor in planning and conducting efficient and effective compliance audits. “The audit schedule may be planned early and totally independent of the activities of the line of business (LOB) or compliance and could conflict with exams, internal monitoring or other review procedures,” says Barbara Boccia, senior director, U.S. advisory services and regulatory relations at Wolters Kluwer. “While the evaluation and conclusions of audit should be unbiased, alignment among audit, compliance and the LOB to orchestrate sequential or complementary processes can enhance efficiency and coverage and help alleviate the burden on the LOB.”

Take a Home Mortgage Disclosure Act (HMDA) data scrub, for example. It does not benefit the LOB for audit and compliance monitoring to be scrubbing the same data at the same time. Generally, the compliance monitoring schedule is nimbler than the approved annual audit schedule and can be adjusted to make better use of everyone's time.

Sorting out inconsistencies

A compliance audit is a prime opportunity for compliance and the LOB to resolve apparent inconsistencies in bank procedures or methods of documentation. Boccia says, “What we see in compliance and audit generally is that audit has independent procedures and techniques that may result in findings that come as a surprise to the business and compliance. Many documents in a loan file might support a compliance data field. Bank procedures should be well-documented and consistent to evidence a standard practice. If audit findings are based on a different method, that’s an area that requires discussion and resolution.”

One HMDA example is the action-taken date for a denied application. A consumer-purpose mortgage loan should have a dated adverse action notice, but a commercial mortgage loan will not necessarily have one. In either case, the file may also contain written documentation of the date on which action was taken. If audit, compliance and the LOB apply different standards, they should work through the differences and reach a common understanding of the technical requirements and of the method(s) the bank may acceptably use to evidence compliance.

By regulation, function or product?

Many banks struggle with the choice of auditing compliance by regulation or by function or product. “For efficiency purposes,” says David Bequeaith, president and managing director of Bequeaith Banking Solutions, “we look at an institution primarily in a product or services perspective, using regulation-focused reviews for one-off areas like insider lending and existing flood-impacted properties. Whether audit is internal or external, time budgets generally don’t allow for redundant file opening and viewing.”

Based on the risk and other factors underlying the compliance audit, consider whether it is more efficient to open each file many times, once per requirement, or to open it once and cover every requirement in a single pass. For most audits, the functional or product approach is the more efficient. There may be times, however, when a more targeted focus is called for, such as a follow-up review of a past issue.

Audit should develop a compliance risk assessment to confirm the audit methodology is reasonable and the plan is consistent with the level of risk. Boccia says audit may rely on a compliance risk assessment prepared by the bank, but audit should independently validate the assumptions and conclusions.

Debating sample size

Sample size is a fluid concept in community banking. Should the sample(s) cover each loan product, each loan officer, each indirect auto loan partner and so on? “Sampling should be representative of the population, balanced by the risk factors present,” observes Boccia. How granular the samples need to be depends on the risk and on the size of the universe being sampled. A single consumer loan sample spread across all consumer lending may not have the granularity needed to pinpoint issues specific to one product or service. Regulators publish sampling guidelines that describe statistical, judgmental and targeted sampling techniques, and these may be helpful.

“Think of effectiveness first and plan your compliance auditing around the residual risk identified in the compliance risk assessment,” she says. “Don’t be afraid to over- or under-weight areas based on that risk assessment. For example, we might look at higher risk, heavy transactional areas multiple times in a calendar year and only look at lower risk items every two years or let the line of business self-assess and monitor those lesser risks.” When planning the compliance audit, look at complaints, past problems, changes in the institution and the strength of internal controls.

Boccia notes that some regulatory issues transcend risk assessments and sampling, such as the prohibition on unfair, deceptive, or abusive acts or practices (UDAAP). “For UDAAP,” she advises, “it’s best to look at risk between the lines during every compliance audit.” UDAAP can be difficult to audit because it is subjective and may not be accompanied by a technical compliance violation, she adds.

Compliance risk management requires effective oversight. Using compliance audit best practices can help confirm that the bank is meeting its obligations for technical compliance, that ongoing monitoring is effective and that the program is achieving the desired outcomes.

Outsource or DIY?

Four things to consider when contemplating using a third-party compliance professional.

1. Expert advice and specialized skillsets

It’s hard to beat the broad perspective third-party compliance professionals gain from repeated experience with countless bank models, products and operations. Internal auditors typically perform assessments of core risk management activities and the internal control environment. But they may not have gained the experience necessary to perform compliance-specific assessment procedures.

2. Resource management

Bank compliance professionals often wear many hats. Using outsourced specialists can free up valuable time, allow better workload management and let internal staff be redirected to core business activities.

3. Efficiency and cost management

Specialized compliance auditors generally offer quick audit start-up and execution and use mature, leading-edge methodologies and audit tools. Business costs can be contained with variable-cost arrangements that target the institution’s needs.

4. Objectivity

Outsourced compliance audits offer an independent measurement of technical compliance and of the effectiveness of the compliance program. Even banks with a strong in-house compliance audit function can benefit from periodically engaging a third-party team to help establish benchmarks for better performance.

Mary Thorson Wright, a former Federal Reserve examiner, is a financial writer in Virginia.