7 best practices to help avoid audit missteps

traffic cones

Photo by A.J. Schokora/Stocksy

An audit tells a community bank whether it’s adhering to regulations and objectives. However, a lack of preparation and poor scoping techniques, among other factors, can lead to wasted time. Here’s how to ensure a helpful audit process.

By Mary Thorson Wright

Sound audit practices lead to sound audit results. An audit helps a community bank improve its processes, increase efficiency, mitigate or eliminate risk, and optimize its products and service lines. Errors or omissions committed in the audit process can derail its efficiency and effectiveness.

That’s why community banks and their internal or external auditors should follow these steps for a thorough and useful audit.

1. Prepare, prepare, prepare.

A pre-audit readiness assessment sets the stage for the onsite work and should include a preview of required policies, procedures and control evidence. The goal of this work is to identify potential control gaps and failures, test the soundness of the prescribed scope and test the appropriateness of the designated manpower and audit timeframe.

2. Set the scope.

The time, depth of review and number of relevant records designated for the audit are critical factors to planning. Poor scoping techniques may threaten success and create gaps in the findings and recommendations. The scope of the audit must consider the timeframe, which is generally a time period since the last audit of the function or area was last completed; the findings and recommendations of previous audits; and the people, processes and technology that support the subject function or area.

While it may seem that checking every transaction and file is ideal, that’s not the case. Auditors depend on samples of records to get information to project onto a larger population. Sampling errors may waste valuable resources needed to conduct the audit, inappropriately omit or give less prominence to areas of greater risk exposure or more substantive issues disproportionately to those of lower risk exposure, and create critical gaps in findings.

Data that’s representative is the key to effective and efficient sampling.

3. Use a representative sample.

Sampling is the process of examining a representative set of data that’s sufficient enough to gain a reasonable assurance about the entire set. In large community banks, statistical sampling may be a viable approach, while auditing in smaller banks may likely be achieved by employing a more judgmental sample. Data that’s representative is the key to effective and efficient sampling. Data, files, employee interviews, policies, procedures and other information must reach across departments, branch locations, products and relevant employees. Consider the potential effect on audit results if a community bank includes loans closed at only the main office in its sample, rather than all branches, or if the activities of third parties acting on the bank’s behalf are omitted from sampling and review.

4. Evaluate internal controls.

Internal controls are the backbone of a bank’s safety and soundness and compliance management. They rank high in importance in audits to validate the bank’s ability to not only achieve a high degree of conformance to rules, policies and standards, but to also maintain it. Missteps to avoid when evaluating internal controls include assuming the client has no controls without fully examining all written and unwritten practices; not understanding which controls are relevant to the audit; or stopping the audit process after determining whether controls exist without testing their relevance, effectiveness and the level of risk control they offer; not asking enough questions or interviewing enough staff related to the internal controls to fully understand all control practices.

5. Communicate constantly.

Miscommunication or a lack of communication between audit clients and auditors, whether internal or external, may be the most common failures in the audit process. Auditors should keep in mind that the audit is being done to help bank management achieve its goals. Clear two-way communication from the start of the process fosters stakeholder buy-in, helps reduce inefficiencies and has a direct impact on how well the reports are written and how useful the contents are. Maintaining open communication with the audit committee or its designated contacts throughout the process can greatly influence how receptive the client is and how the client responds to audit findings and recommendations.

6. Properly document.

Auditors must recognize that if the work isn’t documented, it’s not done. Community bankers understand, from an audit perspective, that most things that are not committed to writing don’t exist. The same could be said of the audit process and results. While robust audit procedures may be put into practice, complete and detailed documentation supports the comprehensiveness of the procedures employed and the validity of the findings and recommendations. Documentation should include clear explanations linking raw data, files, policies and procedures evaluated in the audit and their connections to results, conclusions and recommendations. The documentation must include results of risk assessments, how the risk assessments carry into the audit approach and the steps taken to validate the levels of risk. The audit report generally follows a certain standard format and runs the risk of becoming monotonous, reducing its effectiveness. To keep the reader’s attention, you must know the audience, use visuals when feasible, prepare a concise list of findings and be sensitive to areas that may require less technical explanations.

Knowledge about the latest software and techniques in the industry helps ensure the quality of auditors’ work.

7. Keep up with training.

While on-the-ground experience is a critical piece of auditor training, a lack of investment in training outside the process is not conducive to success on site. Banking is an ever-evolving industry, and knowledge about the latest software and techniques in the industry helps ensure the quality of auditors’ work and facilitates the flow of the audit process. Failure to maintain highly trained audit staff may result in damage to a third party’s reputation and reduces the usefulness of internal audit teams. A client should be prepared to provide background and context on bank practices, staff responsibilities and internal controls. However, the client should not need to train the audit team on governing requirements or the audit process.

To correct or enhance practices, avoid these pitfalls during an effective audit: failing to consider the appropriateness of written and unwritten internal controls; not determining root causes of errors and omissions; not fully documenting the audit procedures, findings and recommendations; and not setting the right tone for the conduct of the audit. Whether performed by internal or external auditors, the purpose of the process is to obtain reasonable assurance as to whether the bank is complying with regulatory rules, objectives and to determine the degree of efficacy with which the bank operates.

PPP audit pitfalls

Should a bank’s Small Business Administration’s (SBA) Paycheck Protection Program (PPP) lending be an audit and compliance review element? “As with anything related to banking, especially a process that is customer-facing, community banks will need to address documentation, procedure and review issues for their SBA PPP loans,” says Lindsay LaNore, ICBA group executive vice president and chief learning and experience officer.

Banks sped into the PPP to support business customers, and, while this was necessary, it did not afford banks time to carefully incorporate PPP activity into their overall audit and compliance review plans. “To get out ahead of future audits and internal reviews, community banks will benefit from taking time now to evaluate their operations, controls and origination practices,” LaNore says.

In many cases, banks were leveraging staff from all parts of the bank to process PPP loans. Lenders had to make quick decisions in the processing and origination of the PPP loan requests. It would be prudent for banks to review for consistent internal practices and handling of their PPP loan requests. Making PPP activity a part of a bank’s internal or external audit practices is a sensible decision.

Consistent application and process is important. Banks should also be considerate of regulatory compliance requirements that affect the PPP activity. Regulation B adverse action rules for business credit apply to PPP loan requests that were not approved, and banks will be required to retain documentation demonstrating their compliance. Application of fair lending laws is also required for all commercial loans insured by the SBA and are especially critical for banks that had multiple application channels and allowed lender discretion to play a role in the evaluation process. Importantly, banks should also evaluate whether they adhered to their complaint policy and procedures throughout the PPP process and ensure that proper escalation of such complaints occurred when necessary.

The bottom line for banks participating in the PPP is that the lending activity quickly became an integral part of business practices, making it subject to audit and compliance review and oversight. Even if a bank is participating in other SBA programs or has participated in the past, PPP lenders should evaluate policies, procedures, internal controls and monitoring practices.

Mary Thorson Wright, a former Federal Reserve examiner, is a writer in Virginia.