The document discusses the continuous program cycle for internal audit and monitoring compliance programs. It describes designing, implementing, checking, correcting, and reporting as the ongoing cycle. Key aspects discussed include establishing an annual monitoring plan, defining monitoring, testing, quality control and auditing. The presentation provides guidance on sampling techniques, rating control strength, documentation, corrective action plans, and reporting findings.
1. Washington Bankers Association
Executive Development Program
Audit and Compliance
Internal Audit and Monitoring:
The Continuous Program Cycle
Presenter:
David McCrea
U.S. Program Manager
Global Regulatory Compliance Team
Infosys Limited
3. Testing Your Controls
Use your Risk Assessment as the foundation
of your monitoring program.
• You have documented the controls to test
and can validate the control strength
ratings
• You know where your highest risks are so
you can prioritize your program.
4. Establishing Your Checking Plan
• You should set an annual monitoring / testing
plan with a goal of validating the effectiveness of
key controls at least annually.
– Riskier controls should be evaluated more frequently
– Validate stronger controls are working as planned
– Plan to test adequate and weak controls more vigorously
5. Definitions
• Quality Control – Evaluating a transaction for quality
(such as meeting compliance requirements) prior to
the transaction being consummated or closed, such
that errors made in the initial phases can be
corrected prior to the point of no return.
• Compliance Monitoring – The process of evaluating
reports, systems, analyses, customer complaint
trending, or other information in order to determine
strengths or weaknesses in the program/process.
• Audit – Independent review to ascertain the validity
and reliability of information; also to provide an
assessment of internal controls.
– The goal of an audit is to express an opinion of the person /
organization / system under evaluation based on work
done on a test basis.
6. Risk Detection Activities
Compliance Dept Activities:
• Testing & Review
• Monitoring Activities
Other Detective Controls:
• Quality Control
• Audit
• Regulators
Combined activities help to draw conclusions about overall risk.
7. Monitoring - characteristics
–Ongoing and Regular
–Typically dependent on business line
reports
–Results in self-detection of potential
weaknesses or violations
–Systemic weaknesses identified
–Typically more frequent than audits
8. Monitoring Examples
May take a variety of forms:
• Periodic review or certification that duties were
performed;
• Review of regular system-generated exception
reports;
• Review of periodic ad hoc extract reports;
• Review of consumer complaint trend data;
• Review of reports of exam/review by Audit,
investors, regulators, due diligence firms, etc.
9. Testing / Review - characteristics
• Ongoing
• Flexible
• Self-detection of potential
weaknesses or violations
• Risk-based
• Quality Control – corrective
actions
10. Testing – Examples
May take the form of:
• Review of transactional activity (think Reg
CC Hold Notices or TILA Disclosures); or
• Verification of data against source
documents (think loan files against the
HMDA LAR);
• Review of employee regulatory knowledge
through interviews.
Others?
11. Auditing - characteristics
–Independent
–More formal
–Validates the effectiveness of your
program – including your testing and
monitoring
–Internal or External
–Often relies on Compliance Review results
or compliance monitoring
13. Scope of Your Program
Monitoring and testing scope and frequency
should consider the following:
– Inherent Risk Rating
– Volume (number or amounts of items)
– Complexity of requirements:
• Number of endpoints,
• Difficulty of performance,
• Dependency on manual input or individual
performance.
– Historical reliability of control processes
14. Scope - continued
Monitoring and testing scope and frequency
should also consider internal / external
events:
– Change in law or regulations,
– Reorganization (change in responsibilities),
– Changes to process or system,
– Turnover and key staffing changes,
– New products, services, or jurisdictions.
– Customer complaints
15. Sampling
• The basic purpose of sampling is to enable
the reviewer to draw an adequately reliable
conclusion about a “universe.”
• The universe from which the sample is
chosen should have similar characteristics.
• The sample should include an adequate
number of transactions to which the
requirement applies.
16. Sampling - continued
• The size of the sample depends on the
complexity of the regulations involved, the
bank’s circumstances and characteristics.
• Must be large enough to determine the
cause and extent of noncompliance.
• Be prepared to expand the sample if
necessary.
17. Sampling - Judgmental
Involves an in-depth analysis of only a portion of the
group and items are not selected randomly.
Using judgment and knowledge of policies, controls
and systems, reviewers identify the areas of greatest
exposure to select items for testing.
The time period selected for the sample must yield
enough items to provide the reviewer a
representative base for the product/process under
review (otherwise will need to extend time period).
18. Sampling-Statistical
Every member of the universe should
have an equal chance of being chosen.
The time period selected for the sample
must yield enough items to provide the
reviewer a representative base for the
product/process under review
(otherwise will need to extend time
period).
19. Control Strength
Generally, internal controls with an exception rate of
5% or greater are typically considered ineffective.
However, the regulatory environment may dictate
a lower, perhaps 0% tolerance – for example,
matched pairs in fair lending testing.
Exceptions and root causes should be discussed with
the business unit management.
20. Control Strength
A Strong Control has less than a __ % error rate.
An Adequate Control has between a __% and __%
error rate.
A Weak Control exceeds an error rate of __%.
Other quantitative measures of control
effectiveness?
21. Re-evaluate Control Strength
Residual Risk Rating, from Inherent Risk Rating and Control Effectiveness Rating:

Inherent Risk   | Control Effectiveness Rating
Rating          | Strong     Adequate    Weak
----------------+-------------------------------
High            | Moderate   Moderate    High
Moderate        | Low        Moderate    Moderate
Low             | Low        Low         Low
22. Supporting Documentation
Activities should be appropriately
documented and the performance of the
work adequately evidenced to facilitate
third-party reviews by corporate
compliance, internal/external audit, or
regulatory examiners.
23. Corrective Action Plans
• Corrective Action Plan Elements
– Develop Steps to Remedy the Issue
– Assign Responsible Parties
– Establish a Time Frame
24. Corrective Action Plans - Tracking
Establish a Tracking System
Elements to Include:
– Executive Sponsor
– Observations
– Risk Ratings
– Source of Issue
– Target Date for Correction & Date of Completion Notification
– Issue Date
– Person Accountable for Execution
– Action Steps
– Comments
– Target Date Revisions
25. Corrective Action Determination
• Determine Root Cause
• Remember the old rule of asking “why” of
each successive answer until you know the
true root cause:
Is it a policy flaw?
An execution blunder?
A training mishap?
A systems defect?
26. Reporting: Definition and Purpose
– Reporting defined:
The use of internally and/or externally generated data
to provide ongoing, regular reporting to stakeholders
on the state of the institution’s compliance program.
– Risk management at each appropriate level
– Required reporting to Regulatory Agency,
Community Groups, Investors, etc.
– Your company’s specific needs are paramount.
27. Reporting to the Board
Describe the general regulatory environment:
• Recent fines and penalties imposed on other
institutions.
• New or revised rules that will impact operations
and risk.
Also detail your compliance program:
• Exam, Audit, or compliance monitoring results
• Corrective actions taken
• New compliance initiatives
• Employee training
• Community Development
• Supplemental information they have requested.
Editor's Notes
This Morning:
Designing Your Program – Strategy and Goals
Risk Assessment Basics and Implementation
After Lunch:
Developing a Monitoring Program to Check your work
Corrective Action
Reporting your findings
Case Study Exercises throughout the day. By the end of today, you will have your virtual bank thought out.
Now that you have documented your controls and assigned a risk rating, it is time to verify that they are working the way you think they are.
The level of inherent risk drives:
Scope;
Frequency; and
Depth of testing and review.
Can test by business unit (BU), product or regulation. Use your Risk Assessment (RA) as a guidepost:
BU – if all one control, similar products, larger bank (all regs that impact them): Resi, Sm Biz
Product – all one control, more complex environment (easier on them): 30 yr mtg
Reg – all one control, smaller shop (holistic view of controls): Flood
Group like regs together – look at a loan file for all (Regs B, C, P, Z, FCRA, etc.) RE Lending
Start with the highest inherent risk!
Any Q’s about setting up your plan?
Pre-Consummation / Preventative
QC
Stops the violation from occurring, rather than just testing after the fact to determine the level of compliance, when most issues simply cannot be corrected.
Before the loan closes or before the customer leaves
Risk Intolerant
Usually at BU level
EX: Reg CC hold notice reviewed by the ops manager before the customer leaves the teller window vs. two days later.
EX: Reg O daily OD reporting
Post-Consummation / Detective
Monitoring
Ongoing activities that give us a view into compliance without transaction testing:
A loan servicing report that shows how many loans have expired flood policies.
A branch hold notice log that shows which holds are still active and for how long
A BSA account report that shows any new accounts with the word “money” or “check” in the title.
An error resolution log that shows how long we’ve been investigating claims. Etc.
Testing
Transaction testing
We will focus on the activities that compliance typically performs: Monitoring and testing
BONUS: Often this is an exception report, i.e., those loans or accounts NOT meeting some criteria (e.g. loans booked with no government monitoring info), so you can see how many transactions in the whole population are in error, rather than just a sample as with file testing.
Caution: some of these reports may be generated infrequently (monthly) which could result in a lag of self-detection. You may require more frequent reporting for important issues. (e.g. high inherent risks)
NEXT: Examples
EX: loans closed without hazard insurance field completed
EX: new accounts boarded without CIP screens completed
EX: Reg CC holds / releases
EX: Reg D monthly transactions
EX: Reg B credit scoring exceptions
EX: Rescission Waivers
How many of you “monitor”?
Examples . . .
QUESTIONS on monitoring?
We will be using the terms “testing” and “review” interchangeably.
Read above.
Could be a cooperative effort with the BU and Compliance
How many have testing at the BU level? At Compliance level?
Kinder, gentler audit – working as a team to fix rather than pointing out problems.
EX: loans closed without hazard insurance field completed
EX: new accounts boarded without CIP screens completed
EX: Reg CC holds / releases
EX: Reg D monthly transactions
EX: Reg E claims (none????)
EX: FL Comparative File Review
How many of you do testing?
Examples . . .
Questions on Testing?
Compliance is NOT independent
You may work with Audit to set up a plan. Or you may have things you would specifically like them to look at.
You should have a partnership.
Q: Any auditors in the house?
HOW
Annual plan but be flexible / Update RA then validate
READ ABOVE. Then:
Extraordinary focus on activities involving:
High potential for error (high likelihood);
Potentially significant adverse consequences (high impact / exposure);
Areas the regulatory agencies have emphasized a low tolerance for errors;
Transactions with previously identified errors; and
Trends of customer complaints.
Hi = 2x // Med = 1x // Lo = depends on resources
Residual Risk / Controls
Automated: verify annually
Manual: more frequent (higher error potential)
Verify corrective action
Juggle Annually
Upon request too
Regulator emphasis may change
View corrections before next exam
Be flexible
NOT when there is a new system or crunch time
Note: wait to test after new reg implemented or much mitigation
Customer Complaints
-- social media, marketing, fees, COTs
Any questions on monitoring / testing so far?
NEXT: Sampling. But first . . . .
Others?
Final bullet example: A random sample of closed loans yields a very small number with flood insurance. Therefore you need to pull a random sample of all loans in a flood zone.
FL: start with 1 month and go up or down depending on #
Note: verify underwriting hasn’t changed
Reg CC Holds – 1 month or if infrequent, last 6 months
2 Kinds:
Judgmental
Statistical
U-Pick-Em
Reg O – you pick the files for me to review
Matched pair review
Based on Social Media
Examples where you’ve used this?
No surprises! Talk to the BU while you are testing and share the results. Don’t play Gotcha!
If you find problems, work together to find a solution.
FL: 0%
CC: 5 holds and 1 with an issue – expand the sample
More on root cause
Examples where you’ve used this?
Re-evaluate control strength ratings and residual risk.
We intentionally left this blank because there is no CORRECT answer for banks, but it will be dependent on your bank’s risk tolerance. Talk to your execs to determine.
Thoughts on %s?
EX 1: FL / SAR Reporting
Ex 2: Reg Z
Ex 3: X number of comments on social media
Questions or thoughts on testing?
Note this is 3 points. Is it enough?
We will have a class on this later this week.
Definition here is related to ongoing and regular reporting. How many people know what to do if an emergency arises?
Performance or risk reporting is a targeted exercise---your info will vary according to the audience. How many people wrote the same way or content for their college history professor as they did for their mother?
Differentiate required reporting for agencies, community, etc
Most important point. The needs of your company (or constituency) are paramount!!
Example of meeting with my boss on reg basis…
New officer… 15,000 people reporting to him, regular monthly report
Go through issues as always have done. List progress with OTS commitments and he is just stone faced.
Lying to me last six months about X?
Well, X was not about me—brought up by compliance examiner, but not compliance per my purview/job description.
He doesn’t care about what my job description says—he cares about his business—so you have to care.
There were at least two lessons I should have learned from his question.
I am his control function. He trusts me to demonstrate integrity and honesty.
I need to report on what he wants to know, not only what I think he wants to know.
ABA has a training program which helps you report to the Board.
Cover the regulatory environment as well as your program.