
Audit and Compliance Program Cycle for Banking Executives
Enhance banking executives' understanding of the continuous program cycle in audit and compliance. Explore topics like testing controls, establishing checking plans, and risk detection activities. This program delves into quality control evaluation, compliance monitoring, and audit processes to strengthen internal controls. Learn about monitoring characteristics, self-detection of weaknesses, and systemic risk identification. Elevate your knowledge in regulatory compliance through a comprehensive approach tailored for banking professionals.
Presentation Transcript
Washington Bankers Association Executive Development Program: Audit and Compliance
Internal Audit and Monitoring: The Continuous Program Cycle
Presenter: David McCrea, U.S. Program Manager, Global Regulatory Compliance Team, Infosys Limited
The Continuous Program Cycle
A cycle of three stages that feed each other: Designing; Implementing & Checking; Correcting & Reporting (and back to Designing).
Testing Your Controls
Use your Risk Assessment as the foundation of your monitoring program:
You have documented the controls to test and can validate the control strength ratings.
You know where your highest risks are, so you can prioritize your program.
Establishing Your Checking Plan
Set an annual monitoring / testing plan with the goal of validating the effectiveness of key controls at least annually.
Riskier controls should be evaluated more frequently.
Validate that stronger controls are working as planned.
Plan to test adequate and weak controls more rigorously.
Definitions
Quality Control: Evaluating a transaction for quality (such as meeting compliance requirements) before the transaction is consummated or closed, so that errors made in the initial phases can be corrected before the point of no return.
Compliance Monitoring: The process of evaluating reports, systems, analyses, customer complaint trending, or other information in order to determine strengths or weaknesses in the program/process.
Audit: An independent review to ascertain the validity and reliability of information and to provide an assessment of internal controls. The goal of an audit is to express an opinion of the person / organization / system under evaluation based on work done on a test basis.
Risk Detection Activities
Compliance department activities: Testing & Review; Monitoring Activities; Quality Control.
Other detective controls: Audit; Regulators.
Combined, these activities help to draw conclusions about overall risk.
Monitoring - characteristics
Ongoing and regular.
Typically dependent on business line reports.
Results in self-detection of potential weaknesses or violations.
Systemic weaknesses are identified.
Typically more frequent than audits.
Monitoring Examples May take a variety of forms: Periodic review or certification that duties were performed; Review of regular system-generated exception reports; Review of periodic ad hoc extract reports; Review of consumer complaint trend data; Review of reports of exam/review by Audit, investors, regulators, due diligence firms, etc.
Testing / Review - characteristics
Ongoing.
Flexible.
Self-detection of potential weaknesses or violations.
Risk-based.
Quality Control corrective actions.
</gml_replace>
<gr_replace lines="22-23" cat="reformat" orig="Auditing - characteristics">
Auditing - characteristics
Independent.
More formal.
Validates the effectiveness of your program, including your testing and monitoring.
Internal or external.
Often relies on Compliance Review results or compliance monitoring.
Checking Techniques
Scoping; Sampling; Rating Control Strength; Documentation.
Testing Examples May take the form of: Review of transactional activity (think Reg CC Hold Notices or TILA Disclosures); or Verification of data against source documents (think loan files against the HMDA LAR); Review of employee regulatory knowledge through interviews. Others?
Auditing - characteristics Independent More formal Validates the effectiveness of your program including your testing and monitoring Internal or External Often relies on Compliance Review results or compliance monitoring
Checking Techniques Scoping Sampling Rating Control Strength Documentation
Scope of Your Program Monitoring and testing scope and frequency should consider the following: Inherent Risk Rating Volume (number or amounts of items) Complexity of requirements: Number of endpoints, Difficulty of performance, Dependency on manual input or individual performance. Historical reliability of control processes
Scope - continued Monitoring and testing scope and frequency should also consider internal / external events: Change in law or regulations, Reorganization (change in responsibilities), Changes to process or system, Turnover and key staffing changes, New products, services, or jurisdictions. Customer complaints
Sampling The basic purpose of sampling is to enable the reviewer to draw an adequately reliable conclusion about a universe. The universe from which the sample is chosen should have similar characteristics The sample should include an adequate number of transactions to which the requirement applies.
Sampling The size of the sample depends on the complexity of the regulations involved and on the bank's circumstances and characteristics. It must be large enough to determine the cause and extent of any noncompliance. Be prepared to expand the sample if necessary.
Sampling - Judgmental Involves an in-depth analysis of only a portion of the group and items are not selected randomly. Using judgment and knowledge of policies, controls and systems, reviewers identify the areas of greatest exposure to select items for testing. The time period selected for the sample must yield enough items to provide the reviewer a representative base for the product/process under review (otherwise will need to extend time period).
Sampling-Statistical Every member of the universe should have an equal chance of being chosen. The time period selected for the sample must yield enough items to provide the reviewer a representative base for the product/process under review (otherwise will need to extend time period).
Control Strength Internal controls with an exception rate of 5% or greater are generally considered ineffective. However, the regulatory environment may dictate a lower tolerance, down to 0%; matched pairs in fair lending testing are an example. Exceptions and their root causes should be discussed with business unit management.
Control Strength
A Strong Control has less than a __% error rate.
An Adequate Control has between a __% and __% error rate.
A Weak Control exceeds an error rate of __%.
Other quantitative measures of control effectiveness?
Re-evaluate Control Strength
Residual Risk Rating, read as Inherent Risk Rating (rows) against Control Effectiveness Rating (columns):

Inherent Risk    Strong     Adequate   Weak
High             Moderate   Moderate   High
Moderate         Low        Moderate   Moderate
Low              Low        Low        Low
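The sampling and control-strength slides above describe a procedure that is easier to reason about when written out: draw a statistical sample (equal chance of selection) or a judgmental one, compute the exception rate, rate the control, expand the sample when exceptions appear, and cross the result with the inherent risk rating to get residual risk. The following Python is an added illustration, not material from the presentation or from Infosys; the universe of loan files is constructed, the 2% Strong cut-off is an assumption (the slide leaves the thresholds blank; only the 5% "ineffective" point is quoted), and the residual risk table is the one on the Re-evaluate Control Strength slide.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """One item in the review universe, e.g. a closed loan file."""
    file_id: str
    disclosure_present: bool  # True if the required disclosure was found in the file


def build_universe(size, exception_count, seed=1):
    """Constructed universe: `size` files, of which `exception_count` lack the disclosure."""
    rng = random.Random(seed)
    ids = [f"LN{i:05d}" for i in range(size)]
    missing = set(rng.sample(ids, exception_count))
    return [Transaction(i, i not in missing) for i in ids]


def statistical_sample(universe, size, seed=0):
    """Statistical sample: every member of the universe has an equal chance of selection."""
    if size > len(universe):
        raise ValueError("sample cannot exceed the universe")
    return random.Random(seed).sample(universe, size)


def judgmental_sample(universe, selector):
    """Judgmental sample: the reviewer picks items where exposure is judged greatest."""
    return [t for t in universe if selector(t)]


def exception_rate(sample):
    """Share of sampled items that failed the requirement (the control's error rate)."""
    if not sample:
        raise ValueError("empty sample")
    exceptions = sum(1 for t in sample if not t.disclosure_present)
    return exceptions / len(sample)


def rate_control(rate, strong_below=0.02, weak_at_or_above=0.05, zero_tolerance=False):
    """Map an exception rate to Strong / Adequate / Weak.

    5% is the 'ineffective' point quoted on the slides; the 2% Strong cut-off is an
    assumption. zero_tolerance models the fair-lending case where any exception
    makes the control Weak.
    """
    if zero_tolerance and rate > 0:
        return "Weak"
    if rate >= weak_at_or_above:
        return "Weak"
    if rate < strong_below:
        return "Strong"
    return "Adequate"


# Residual risk: inherent risk rating crossed with control effectiveness rating.
RESIDUAL_RISK = {
    ("High", "Strong"): "Moderate", ("High", "Adequate"): "Moderate", ("High", "Weak"): "High",
    ("Moderate", "Strong"): "Low", ("Moderate", "Adequate"): "Moderate", ("Moderate", "Weak"): "Moderate",
    ("Low", "Strong"): "Low", ("Low", "Adequate"): "Low", ("Low", "Weak"): "Low",
}


def residual_risk(inherent, control):
    return RESIDUAL_RISK[(inherent, control)]


def review_control(universe, inherent, initial_size, expanded_size, seed=0, **rating_kwargs):
    """Draw a statistical sample; if any exception appears, expand the sample before
    concluding, so the rating reflects cause and extent rather than a small draw."""
    sample = statistical_sample(universe, initial_size, seed)
    if exception_rate(sample) > 0 and expanded_size > initial_size:
        sample = statistical_sample(universe, expanded_size, seed)
    rate = exception_rate(sample)
    control = rate_control(rate, **rating_kwargs)
    return {"sample_size": len(sample), "exception_rate": rate,
            "control": control, "residual_risk": residual_risk(inherent, control)}


if __name__ == "__main__":
    universe = build_universe(2000, 80)  # constructed: 4% of files lack the disclosure
    print(review_control(universe, "High", 60, 200))
    print(review_control(universe, "High", 60, 200, zero_tolerance=True))
```

Running the same universe twice shows the point of the 0% tolerance slide: a 4% exception rate reads as Adequate under the general thresholds but as Weak, and therefore High residual risk for a high inherent risk product, when the regulatory context allows no exceptions.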
Supporting Documentation Activities should be appropriately documented and the performance of the work adequately evidenced to facilitate third-party reviews by corporate compliance, internal/external audit, or regulatory examiners.
Corrective Action Plans
Corrective Action Plan elements: develop steps to remedy the issue; assign responsible parties; establish a time frame.
Corrective Action Plans - Tracking
Establish a tracking system. Elements to include:
Executive Sponsor
Observations
Risk Ratings
Source of Issue
Target Date for Correction & Date of Completion
Notification Issue Date
Person Accountable for Execution
Action Steps
Comments
Target Date Revisions
Corrective Action Determination Determine Root Cause Remember the old rule of asking why of each successive answer until you know the true root cause: Is it a policy flaw? An execution blunder? A training mishap? A systems defect?
Reporting: Definition and Purpose Reporting defined: the use of internally and/or externally generated data to provide ongoing, regular reporting to stakeholders on the state of the institution's compliance program. It serves risk management at each appropriate level and required reporting to regulatory agencies, community groups, investors, etc. Your company's specific needs are paramount.
Reporting to the Board Describe the general regulatory environment: recent fines and penalties imposed on other institutions; new or revised rules that will impact operations and risk. Also detail your compliance program: exam, audit, or compliance monitoring results; corrective actions taken; new compliance initiatives; employee training; community development; and any supplemental information the Board has requested.