Some Items to Consider for Your Audit Scope, January 18, 2017

As you prepare your annual audit schedule, a task that can often seem mundane, there are significant opportunities to take charge and “change the game”. The schedule is often set by focusing on the number of audits that must be completed within the year, and the bulk of the planning attention goes to scheduling the audits in a manner that is least disruptive. Little attention is usually paid to the construction of the components of the audit scope. Build the scope of each audit around the results of your risk assessment and you can greatly enhance the effectiveness of the audit reports.

The Standard Menu

Outsourced internal audit firms design the scopes for the audits that they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff. This practice allows the firms to bring a wealth of experience and important information from outside of the financial institutions that they are reviewing. When your audit firm presents you with the scope that it proposes, that scope is based entirely upon external actors and considerations. This is not a criticism of the firm; it is standard practice. However, setting the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together. After all, who knows the strengths and weaknesses of your institution better than management? To get the biggest bang for your buck, why not tie the audit scope to the results of your risk assessment?

The Risk Assessment and the Internal Audit

An effective risk assessment of your compliance program can be an excellent source document for various things, including budgeting requests for additional resources and scoping of audits. Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address that risk, and a determination of the residual risk. The process is intended to be one of self-reflection and consideration of the areas of potential weakness. For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit. Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope. One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls. For example, in your risk assessment you may have noted a large number of errors in disclosures for new accounts. This should be a focus for the internal auditors when the compliance audit is performed.

Root Causes

An area that is often overlooked in audits is a discussion of the root causes of findings. For every violation or problem noted during an examination or audit, there is a reason the violation occurred. Ineffective training, incomplete written procedures, poor communication or incompetence are all possible causes of a finding. Getting feedback from the auditors on the root cause of a problem allows the remediation to be most effective. One of the main reasons for repeat findings is ineffective remediation.

Future or Strategic Risks

The environment for banking is going through significant change as fintech companies have begun to make inroads into the financial markets. Financial institutions should consider whether their current systems, business plans and infrastructure are well positioned to meet the annual goals. External audit firms can be a very good source of information on industry trends and ideas. Building a consideration of both future and strategic risks into the scope of the audit can yield significant benefits.

Self-Policing and the New Compliance Ratings

One of the main reasons to expand the scope of your audits is to take advantage of the new compliance ratings system that takes effect in March of 2017. The new ratings will consider Board and management oversight, the strength of the compliance program, and the potential for consumer harm. These new ratings will put an increased premium on an institution's ability to self-police potential violations. The ability of a financial institution to identify problems, determine the root cause and remediate the problem will have a large impact on the overall rating of the institution. By setting the scope of your audits to help self-police, your institution can take full advantage of the new ratings system.

Pitfalls to Avoid When Developing a Fair Lending Assessment, Part Two

Pitfalls to Avoid When Developing a Risk Assessment for Fair Lending, Part Two

In part one of this series, we made the argument that an individual risk assessment should be performed for the area of Fair Lending. When performing the risk assessment there are several pitfalls that must be avoided.

Policies and Procedures

The review of an institution's policies, and particularly its procedures, is a basic and critical part of any risk assessment in the area of Fair Lending.

Potential Pitfall: Policies and procedures can be fully in compliance with regulatory requirements and still have the potential for Fair Lending issues. Review of the policies and procedures must consider both compliance with the requirements of regulations and the impact on customers!

First, these documents should be reviewed to determine that all of the required information is up to date and correct. In this review, it is important that regulatory requirements such as “grossing up” income[1] in credit decisions, spousal signature rules and Fair Lending principles are included. This review should also compare procedures against policies to ensure that they match.

The second phase of the review should be completed to ensure that policies and procedures do not present the possibility of disparate impact. In this review, the goal is to determine the level of discretion allowed and how this discretion can be checked against Fair Lending risk. For example, do the procedures require documentation of delays in processing loans? Do policies and procedures emphasize the need for secondary review?

Credit Policies

Credit policies are an area of particular concern in the Fair Lending assessment. The review of credit policies should also be completed in two phases.

Potential Pitfall: Credit policies should reflect the idea that the bank has made a reasoned decision about how it is meeting the credit needs of its community. Policies that are fully compliant can become outdated quickly. Review of credit policies should consider the changes in the assessment area and should reflect the business decisions of the Board.

Credit formulas and guidelines should be reviewed and validated independently to ensure that the data is valid. Though these validations don't need to be performed annually, it is a best practice to test the guidelines vis-à-vis adverse action trends at the bank. Guidelines that yield an extremely high number of loan declines may need study and possibly adjustment.

In the second phase of the review, a comparison between the credit policies, the strategic plan of the bank and current economic data should be completed. The purpose of this review is to determine that the bank's credit policies and procedures match the credit needs of the community. It is imperative that the Bank be able to document the business reasons for the list of products being offered. For example, a decision by a Bank not to offer home equity loans when there is strong need for such loans in an assessment area may be called into question during a Fair Lending examination. A best practice is to have the economic data to demonstrate that these loans are not economically feasible at the bank, or that some other legitimate business reason exists for not making such loans.

Credit Decision Process

The credit decision process, from the time of application to the ultimate credit decision or withdrawal by the applicant, should be assessed with an eye towards eliminating the ability of a single bank employee to thwart the will of the Board by engaging in illegal behavior.

Potential Pitfall: When reviewing adverse actions and withdrawals for timely notices, it is possible to overlook the warning signs of Fair Lending issues.

The review of adverse actions generally includes a check to make sure that notices are given within the timeframes required by Regulation B. In addition, a good review includes a check to determine that the information given is sufficient for the applicant to understand the issues that caused an adverse decision. However, a best practice is also to review for Fair Lending “warning signs”. For example, an extremely low rate of adverse actions is a strong indicator of pre-screening. A high rate of withdrawals among protected groups is a strong indicator of discouragement.

It is a best practice to review the credit decision process to determine the ability of an individual to make credit decisions without oversight. The more autonomy loan officers have, the more the system for secondary review should be empowered.

Lending Decisions

The traditional Fair Lending analysis focuses on a review of the approvals versus declines at the Bank. A common practice is to review “matched pairs”, which compares the lowest-rated credit approvals with the highest-rated declines (loans that were barely declined).

Potential Pitfall: If this is the heart of the analysis, then the bank is not getting the full story! The analysis must look at the applicant's total experience to ensure that all are getting the same considerations.

The analysis should consider:

  • Application-to-decision time trends for members of protected classes
  • Comparative analysis: close decisions to approve versus decline
  • Pricing analysis
  • Special considerations
      o Insufficient collateral frequently being given as a reason for decline
      o Large number of declines in a certain product area
  • High number of approvals versus a small number of declines

If all of the above is not part of the analysis that is being performed, then your bank may have potential Fair Lending issues that are going undetected.

Vendor Management

Financial institutions are charged with knowing and managing the results obtained from their vendors. The regulatory agencies have made it clear that in every area, from indirect auto lending to appraisals, they expect financial institutions to monitor the results that they are getting from vendors.

Potential Pitfall: If the review of the vendor ends with a background check, your institution may not be getting the full story. Best practice requires that the Bank pay attention to the results of the vendor's efforts. There has to be a general check that results are reasonable and consistent.

The assessment must consider whether the results being produced are consistent and reliable. For example, are appraisals being reviewed and compared to complaints? Is it possible that certain appraisers consistently yield lower property values in certain income tracts? Are flood insurance determinations being updated to match changes in the flood map? The bank will be held accountable for the misbehavior of its vendors!

UDAAP Review

The risk assessment should include a review of the potential for UDAAP. This is an area that is growing in scope and influence.

Potential Pitfall: UDAAP is far reaching and can be easily overlooked.

The assessment should consider whether there is consistency between advertising and actual disclosures. The risk assessment must look at the Bank's products and operations from the point of view of the consumer.

Customer complaints are an area of focus for regulators. Make sure that complaints are getting categorized and reported to the Board. If no complaints have been received, there should at least be a policy and procedures in place to handle them once they do appear.

Many community banks use testimonials as part of their marketing. The relationship with the community is, after all, one of the strengths of being a community bank.

Potential Pitfall: A risk assessment that exclusively covers direct compliance with Reg. Z and DD may overlook Fair Lending concerns in advertising.

The risk assessment should cover the reasons for the advertising and the markets that you are attempting to reach. Has the bank considered expanding advertising to nontraditional communities? Are there communities within the Bank's assessment area that are left out of the advertising and marketing?

Strategic Plan

Examiners expect that the Bank has direct knowledge of the credit needs of the assessment area. This should be considered as part of the risk assessment.

Potential Pitfall: Without considering the overall strategy of the Bank, it is difficult to get the full picture of how the bank is addressing Fair Lending within its community.

The strategic plan is most often not considered as part of the Fair Lending assessment. However, in many cases the examiners will consider an institution's strategy in offering products to its community as a measure of Fair Lending effectiveness.

A Fair Lending risk assessment is a critical component of effective compliance management.

[1] See Reg. B at 202.6(b)(5)

Does Your Outsourced Audit Meet Regulatory Standards? Part Two

Does Your Internal Audit Scope Meet Regulatory Standards?

A Two-Part Series, Part Two: Setting the Scope

As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators. In particular, regulators have focused on whether the scope of internal audits both meets regulatory standards and is appropriate in light of the overall risk profile of a financial institution. It is the second of these two considerations that has most recently caused findings and created concerns. It is, therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.

Using Risk Assessments Effectively

The Federal Financial Institutions Examination Council (“FFIEC”) issued a comprehensive policy statement on the audit process in 2003. This statement is still the definitive regulatory guidance on the proper development and maintenance of the internal audit function for financial institutions. The guidance states that risk assessments are a key component of internal audits. A risk assessment is defined as follows:

A control risk assessment (or risk assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]

At smaller institutions, there generally is not a full-time internal auditor on staff. This does not obviate the need for comprehensive and timely risk assessments. Unfortunately, the risk assessment process is often overlooked. The risk assessment should consider the following:

Past Examination and Audit Results

It goes without saying that the past can be a prelude to the future. Prior findings are an immediate indication that internal controls have not been effective. It is important that the root cause of each finding or recommendation from regulators is identified and addressed. Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.

Changes in Staff and Management

Change is inevitable, and along with change comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who are used to past procedures may become confused. Change generally increases the possibility of findings or mistakes. Your risk assessment should take into account the risks associated with changes and how best to address them. In addition, this is an area that should be covered by internal audit, as it presents a risk.

Changes in Products, Customers or Branches

It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year. Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution. The resources necessary to address these changes should also be a consideration for the internal audit.

Changes in Regulations

Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact smaller institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don't become effective until the following year. Part of your risk assessment process has to consider changes that will affect your institution. The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.

Monitoring Systems in Place

The information systems being employed to monitor the effectiveness of internal controls should be considered.  For many institutions, this system is comprised of word of mouth and the results of audits and examinations.  Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.[2]

Using the Risk Assessment to Set Audit Scopes

Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FFIEC guidance points out the relationship between the internal audit plan and the risk assessment:

An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]

The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test mitigation steps made to reduce findings.

The criticism that is often raised about outsourced audit is that the scope is incomplete. This is often the case because outsourced vendors have developed their scope based upon best practices and their experiences at various institutions. While this is obviously a best practice for the audit vendor, the problem is that it doesn't always fit the individual institution. Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.

In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution. For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment. Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope. In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk. Finally, the professional abilities of the BSA staff should be considered as they relate to additional risk.

Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.

[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

[2] See for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations

[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing
