While regulators fill in the details for the sprawling U.S. financial reform legislation, auditors look for road signs indicating which direction the new law will take their work.
Russell Jackson
Freelance Writer
The motivation behind the Dodd-Frank Wall Street Reform and Consumer Protection Act is clear. The law, passed by the U.S. Congress and signed by President Barack Obama in July 2010, aims to prevent future fiscal meltdowns like those that nearly sank the economy in the United States in the latter part of the past decade. Remember all the mortgage defaults? The investment bank bailouts? The 250-plus bank failures? The Madoff scandal? Dysfunctional governance processes, reward systems, lack of transparency, and the availability of cheap money, among other things, are representative root causes contributing to the money mess.
How Dodd-Frank attempts to tackle the problems that spawned it is relatively clear as well. In signing it, the president said the law exists to “promote the financial stability of the United States by improving accountability and transparency in the financial system, to end ‘too big to fail,’ to protect the American taxpayer by ending bailouts, [and] to protect consumers from abusive financial services practices.” It is wide-ranging legislation, says Scott White, vice president at M&M Consulting LLC in Windham, N.H., and chairman of The IIA’s Financial Services Advisory Board. “In some cases, Dodd-Frank fills in gaps in areas where regulation is lacking, like derivatives, hedge funds, and financial advisers,” White explains. “On the other hand, it takes major steps in creating the Consumer Financial Protection Bureau (CFPB) and changing the way banks are regulated.”
Companies in the financial services sector are directly in Dodd-Frank’s sights, but any company that lists on a U.S. public stock exchange is bound to many of the law’s mandates. “If the implementing regulations are enacted as the law was passed, Dodd-Frank likely will redefine the meaning of financial services regulation,” explains Dennis Hild, associate director in the Washington, D.C., office of consulting firm Crowe Horwath LLP. “It will basically require financial services companies to rethink their approaches to many of their financial products and, more so, how they will efficiently and effectively deal with compliance challenges.”
Carol Beaumier, executive vice president at consulting firm Protiviti Inc. in New York, notes that Dodd-Frank aims to reduce “systemic risk” in the financial system by regulating segments of the market that previously were not regulated — or that were subject to less-stringent or uneven regulation. And it’s supposed to provide additional protections to consumers and investors in their dealings with financial institutions and financial products. “The law attempts to address those objectives in a variety of ways,” Beaumier explains, “such as authorizing and empowering new regulatory bodies, restricting certain perceived risky activities, changing the way certain business is conducted, and reviewing and revising consumer and investor protection rules.”
A WORK IN PROGRESS
How all the various objectives of Dodd-Frank will play out remains murky at best. “The impact is totally unclear at the moment,” White says. “The major pieces of the Dodd-Frank reforms have not even been written, so we just don’t know enough about what might come out of it to make any judgment at the moment — and we probably will not know the impact until some time in 2012 and beyond.”
Dodd-Frank is a massive beast, even by federal law standards, weighing in at 2,300 pages, with about 350 future rule-making events, nearly 450 one-time studies, close to 75 reports, and an unknown number of new or revised regulations. The law establishes new regulatory agencies such as the CFPB, the Financial Stability Oversight Council, and the Office of Financial Research, as well as consolidates the Office of Thrift Supervision — a legacy agency from a past financial disaster — into the Office of the Comptroller of the Currency. Moreover, a comprehensive technical corrections bill is likely, Hild explains. Further, he notes, “the House Financial Services Committee, now GOP-controlled, will be introducing a number of measures to try and restrict some provisions and funding. And because the act is so sweeping, with so many moving parts and agencies involved, there is certainly potential for unintended consequences.”
Such consequences already exist, Beaumier points out. “The asset-backed securities market froze after the act’s passage,” she says, “when the rating agencies balked at the requirement that their ratings be included in marketing materials. The Securities and Exchange Commission (SEC) was forced to postpone the implementation of that requirement so the market could function.”
Still, despite the uncertainty that characterizes Dodd-Frank at this point, the impact on internal audit departments is easy to predict: more of what they do currently, with the same restrictions on “owning” the programs they audit. For example, “it is critical that internal auditors stay educated on Dodd-Frank compliance activities and implementation early in the process,” Hild notes. “Internal auditors will need to understand any new systems or reporting mechanisms put in place as a result of Dodd-Frank and also will need to adapt their audit processes to meet evolving regulatory expectations.” That should sound familiar to most practitioners. This should resonate as well: Hild points out that Dodd-Frank compliance will likely be “almost a maddening exercise” for everyone involved. “Internal auditing might have a harder job than anyone,” he says, “because the compliance groups will have to try to figure out all of this over time and implement compliance programs; then internal auditors will have to develop audit programs for areas that will be going through rapid changes.”
And there may be new areas that internal auditing will have to address, too. For example, White points out, when the new consumer financial protection regulations are written, internal auditors likely will be involved in the implementation of their organization’s internal controls to comply with them. “I would hope that internal auditing would be working closely with the compliance community and risk managers within their organizations to ensure compliance with the new regulations, whatever they are,” he says.
A CHALLENGE FOR AUDITORS
Those familiar with Dodd-Frank emphasize that auditors won’t have to set up or manage any of the new programs created under the act. For example, the law will require some companies to establish board-level risk committees. Chief audit executives (CAEs) and their staffs will need to work with the members of those committees and may need to audit their compliance with the regulations that created them. Companies won’t be giving internal audit departments new jobs, new job descriptions, or significantly greater scope. Rather, Hild advises, internal audit departments will be “a valuable resource to new risk and compliance committees, and will need to do some preliminary audits of their companies’ implementation and compliance programs.” Internal audit departments, then, should figure out what their institutions need — and what input they can best provide to them. Beaumier adds that “internal audit plans will need to be fairly dynamic and flexible to accommodate the timing of final rulemakings by the various regulators. To do that, internal auditing will need to ensure that it has access to the appropriate competencies.”
Indeed, Hild says, if an internal audit department is well-established, well-connected, and well-respected, Dodd-Frank may further burnish its reputation. On the other hand, for many small, underfunded, and underappreciated departments, the law could add piles of work to their already-strained engagement calendar. “Internal audit departments with solid staffs and resources, and with the ability to stay ahead of the curve and adapt rapidly to changing compliance challenges, will be more likely to thrive,” Hild says. For others, though, Dodd-Frank will almost certainly require internal auditors to do much more of what they’re doing now, for colleagues they may not have worked directly with before, helping their companies gauge compliance with regulations that didn’t exist before. Some departments “just simply won’t have enough bodies or time initially to tackle it,” Hild comments. Those departments will need to beef up their regulatory expertise.
Some of that expertise can be gained through networking, Beaumier notes. “The ‘skill’ of internal audit departments to track and interpret regulatory requirements varies depending on the size and qualifications of the team,” she says. “In many companies, compliance, legal, and government relations departments are primarily charged with tracking regulatory developments and sharing them with the entire organization, so internal auditing needs to coordinate closely with those other functions.”
When internal expertise is lacking, experts recommend outsourcing to cover the gaps. Gary McGuire, vice president, internal audit, at Dallas-based Lennox Inc., notes that if his department is required to conduct risk or compensation audits, it will “need additional training and may need our co-sourcing partners to provide expertise and objectivity.” White says that could be common in the near future. “Depending on what the requirements are,” he explains, “smaller internal audit departments might find themselves resource-challenged. However, there are many options these days to acquire the right resources to perform specialized audits.”
WHISTLEBLOWER CONCERNS
One area where Dodd-Frank holds real potential to affect the work that internal auditors do is companies’ current whistleblower programs to fight fraud. Under the new law’s Section 922, the SEC must pay rewards to whistleblowers who provide original information about violations of federal securities laws that lead to successful enforcement actions resulting in more than US $1 million in penalties. Awards ranging from 10 percent to 30 percent of collected penalties are to be paid from an Investor Protection Fund that has US $452 million set aside for it.
Many organizations are concerned, though, that the proposed rules may interfere with or undermine a company’s internal whistleblower process. In written comments to the SEC, The IIA advises the commission to “explicitly require that whistleblowers first utilize their companies’ internal reporting processes to be eligible for receiving any award, unless the whistleblowers can show just cause to believe that the entities’ internal reporting processes were nonexistent or ineffective.”
By the same token, The Institute advocates increasing SEC awards to whistleblowers who have “suffered retaliation as a result of their good faith internal reporting.” Dodd-Frank prohibits retaliation against informants in the SEC program and provides for redress in the federal courts, the Atlanta law firm Troutman Sanders LLP points out in a Web post. Here, too, there are new risks for companies. In addition to bypassing internal compliance programs, employees may seek “protection under Dodd-Frank’s anti-retaliation provisions from discharge for their own work-related problems.”
If the SEC counters that possible trend by encouraging people to go first through their internal programs, Dodd-Frank’s impact on internal auditing will not be all that significant, Beaumier predicts. “But because of the environment and the possibility that somebody might decide it’s more attractive to circumvent the internal program, most companies will reinforce through more training and communications the existence of their internal programs,” she says. The required re-education and re-training would come from compliance and legal, the owners of the compliance and ethics programs, she adds. Internal auditing would be involved if there are complaints through the traditional whistleblower program, continuing to be integral to the investigation of fraud. Indeed, those departments may have more to investigate than before if the whistleblower bounty provisions fuel more allegations.
Another potential problem, notes the law firm McDermott Will & Emery, headquartered in Chicago, is whether whistleblower status should be conferred on individuals with “a duty of loyalty to the company or who have access otherwise to privileged or confidential information. In response, the SEC’s proposed rules would disallow whistleblower claims from outside counsel, independent auditors, and internal legal, audit, and compliance personnel.” For those personnel, the law firm’s Web post points out, “information submitted to the SEC may still qualify for a whistleblower claim if the entity did not disclose the information to the SEC ‘within a reasonable time or proceeded in bad faith.’”
Further, says Kevin LaCroix, an attorney and executive with OakBridge Insurance Services in Beachwood, Ohio, a company could face follow-on civil litigation from investors claiming that “the company’s senior managers failed to take appropriate steps to ensure the proper controls were in place or that investors were misled by the company’s statement about the company’s controls.”
But there, too, internal auditors probably have more questions than answers at this point. “It’s yet to be determined how the SEC will interpret the whistleblower rules,” notes James Rose, CAE at Humana Inc., in Louisville, Ky. In essence, the SEC likely will have to set up procedures for incentivizing and reimbursing whistleblowers to make sure it’s receiving appropriate tips and that they’re reporting to the commission and not just to company hotlines. But “the profession clearly has an interest in validating and, as needed, enhancing our companies’ own governance processes,” Rose says.
Internal audit departments, he adds, “don’t want the federal mechanisms to overshadow or harm companies’ own governance processes.” Internal auditing’s role will be to understand the final rulings from the SEC and help ensure that companies comply with both those rules and their own internal governance, he predicts.
BEING COMPLIANCE PROFICIENT
Indeed, any predictions about how Dodd-Frank will affect internal auditors are pure speculation at this point. The law does not restrict internal audit departments from doing anything they’ve been doing, nor does it specifically require them to do anything they are not doing now. But that could change. “The act provides the foundation,” Hild says, “but the details will be in the implementing regulations. There may be new requirements placed on internal audit departments.”
There may be new career opportunities for auditors as well. White points out that Dodd-Frank will impact the compliance community significantly and says that companies’ compliance officers may become more appreciated in their organizations than they are now. To the extent that internal auditors are, or can become, compliance proficient, he foresees, “they can enhance their personal value to the organization.”
Compliance is a different discipline, to be sure, and learning it would be akin to learning a new job for many practitioners. “A lot of internal auditors are compliance conversant,” White says. “To be an expert takes a whole different set of training.”
Those who don’t make the switch to compliance may find that Dodd-Frank brings new work and a new focus on the central role of internal auditing, but that it likely won’t change their status within their organizations. Beaumier puts it bluntly: “There is nothing in Dodd-Frank per se that is inherently going to elevate the importance and stature of compliance in organizations that don’t already recognize the value of the internal audit function.”
See "Getting A Head Start" to learn how one audit executive is getting a head start on Dodd-Frank.