Facing a Headwind
Financial institution auditors are up against a host of challenges and must stay the course to effectively manage risk.
More than half of the participants in a recent PricewaterhouseCoopers webcast say their bank’s second line of defense is getting started on increased compliance testing, but they have some work to do on that front. With regulatory expectations continually increasing and evolving in the banking industry, internal auditors need to be on point to facilitate their organization’s preparedness for future risks, according to expert panelists of the Preparing Today for Risks on the Horizon webcast.
“Oftentimes auditors are faulted for looking back at what happened and not looking forward to help their organization prepare for risks on the horizon,” says panelist Walter Smiechewicz, PwC managing director of risk assurance and banking and capital markets. While internal audit departments are doing risk assessments and planning for 2014, there are some key areas where they should focus.
Relationship managers have to hit their targets and numbers, even when loan growth is less than ideal, so there can be some slippage in pricing and underwriting standards that will put less profitable loans onto the bank’s balance sheet, Smiechewicz says. Bankers also may go after new lending products that pose unfamiliar risks.
Smiechewicz suggests that banks conduct an internal audit of:
- Loan pricing systems and governance around exception pricing.
- The loan review group, focusing on covenant protection and monitoring.
- New product risk and approval processes.
These challenges are causing bankers to make adjustments that could increase credit risks, so auditors should include these items on the audit schedule. “At this point in the credit cycle it’s critical that internal audit be vigilant in their oversight of auditing the credit function,” says panelist Kenneth Peyer, a managing director in the Financial Services Risk and Regulatory Practice at PwC. To add value, you need to raise your hand at the appropriate time if you see the function taking on more risk than was intended, he adds.
INTEREST RATE RISK
A bank’s investment portfolio, fiduciary book, and other asset management business lines are affected by low interest rates if treasurers adjust the investment policy, duration of their book, and credit ratings in which they are willing to invest. If there are adjustments to the investment policy, auditors are encouraged to ask what the reasoning is behind it, Smiechewicz says. They also should ask if the decision protocol around the potential of taking more risk on the investment book has been documented.
An internal audit of the bank’s investment portfolio and an increased focus on compliance during regularly scheduled audits of trust and fiduciary businesses will help assess the impact of the current interest rate environment.
There is a lot of regulatory interest in sound corporate and risk governance processes, which are central to planning, prioritizing, and allocating resources effectively. It’s important to present an independent view to executive management and the board of what internal audit sees from a corporate governance standpoint of areas that can be improved or are conflicting, not covered, or not as in-depth as they should be, Peyer says.
A recent consultative document from the Financial Stability Board, Principles for an Effective Risk Appetite Framework, gives specific guidance on the role of the CEO, chief financial officer, chief risk officer, and internal audit in this area. Regulatory bodies are increasing the scrutiny of the strength of organizations’ governance, internal audit, and level of resources in various lines of defense. To address this, auditors should conduct an internal audit of the broad area of corporate governance processes, including risk appetite, risk capacity, how strategic objectives work within the various business units and the metrics around them, according to the panelists.
When you look historically at compliance functions, internal auditors have typically been advisers, responsible for monitoring and interpreting laws and regulations, and then advising the organization on what it can do to comply. Supervisory Letter SR 08-8 on compliance risk, released during the 2008 credit crisis, emphasizes the need for effective risk management, monitoring, and testing programs to be in place, Smiechewicz says.
With the increased scrutiny, expectations, and demands for more compliance testing, internal audit needs to know its role in effectively evaluating compliance risks across the organization. Of the hundreds of regulations banks have to comply with, some of the hot ones include:
- Fair Debt Collection Practices Act.
- Anti-money Laundering/Bank Secrecy Act.
- Home Mortgage Disclosure Act and Real Estate Settlement Procedures Act.
- Gramm-Leach-Bliley Act and consumer financial privacy.
- Fair Credit Reporting Act.
- Consumer complaints regulations.
- Social Media: Consumer Compliance Risk Management Guidance.
STAY THE COURSE
When planning for 2014, auditors should make sure their audit plan aligns with the organization’s risk profile, that resources are being allocated to the right areas, and that staff has the appropriate expertise to be able to address the issues raised. More importantly, auditors should keep the audit committee informed of their analysis.
There’s an expectation that internal audit no longer provide just the facts from its audit work, but also provide management and the board with an independent perspective of the overall risk profile of the organization. That comes from attending meetings, keeping an eye on what’s going on in the news, reading regulatory reports, conducting interviews, and keeping a finger on the pulse of the organization. Providing this type of value-add information will help auditors face risks on the horizon.
To comment on this article, email FSA Times Editor Shannon Steffee.