How Internal Audit Can Improve Banking Compliance Efforts in 2021

Internal Audit 101: This series explores the foundations of internal audit by industry, including basic definitions and concepts relative to auditors in specific sectors


Bank Internal Audit Programs

According to the Office of the Comptroller of the Currency (OCC), which charters and regulates national banks in the United States, all banks should have an effective audit program, ideally a continuous internal audit program complemented by a sound external audit program. Bank internal audits assess the effectiveness of a bank’s policies, processes, personnel, and internal control systems created in the first and second lines of defense. Well-planned and executed internal audit programs are essential for effective risk management and provide the board and senior management with critical information to accurately attest to the adequacy of internal control in banks.*

*Per 12 CFR 30, internal control systems include internal controls and information systems.


Banking Internal Control: Checklist

In accordance with the Comptroller’s Handbook, internal audit should monitor a bank’s internal controls through the following activities, conducted in ongoing coordination with audit stakeholders: 

  • Evaluate the reliability, adequacy and effectiveness of internal controls (operated by the bank or a third party) that promote the safety and soundness of the banking institution. 
  • Ensure that internal controls result in timely and accurate recording of transactions and proper safeguarding of assets.
  • Assess the bank’s compliance with laws and regulations and whether the bank adheres to established policies, procedures, and processes.
  • Determine whether management is taking appropriate and timely measures to address control deficiencies and recommendations made in the audit report.
  • Ensure audit activities are performed by qualified personnel.

Banking Compliance

Banking compliance risk is the risk to the current or projected financial condition and resilience of a bank arising from the violation of laws and regulations, or from non conformance with prescribed standards, ethics, and practices. Noncompliance with legal requirements or with safety standards may expose banks to consequences including increased regulatory penalties and compromising a bank’s reputation. Regulatory changes and increasing regulatory fines create incentive for banks to have strong compliance programs in place that continuously monitor risk. Internal audit plays an important role in bank compliance by testing whether a bank’s policies, procedures, processes, and standards are in compliance with applicable laws and regulations.

Banking Compliance Regulations

Since the advent of the internet and its convergence with business activities, the banking and finance industry has evolved to keep pace with the digitization of the modern world. One of the first and most influential examples was the Gramm-Leach-Bliley Act (GLBA) of 1999, which required all banks and financial institutions offering loan services, financial or investing advice, and/or insurance to disclose their information-sharing practices with their customers, with the option for customers to “opt-out.” Since then, the most common bank compliance requirements in the U.S. include (and are not limited to) the following:

CCAR Compliance

The Comprehensive Capital Analysis and Review (CCAR) is an exercise performed annually by the largest banking organizations in the world. Under the oversight of the Federal Reserve, CCAR impacts Bank Holding Companies (BHCs) with at least $50B in total consolidated assets with tier 1 material portfolios. BHC’s that have less than $50B in total consolidated assets but greater than $10B aren’t off the hook, however. DFAST (Dodd–Frank Act Stress Testing), sometimes viewed as a “lighter” version of CCAR, requires banks and financial institutions with total consolidated assets of more than $10 billion to perform a CCAR-like exercise. There are three main aspects of CCAR/DFAST exercises that Internal Audit is responsible for overseeing the reliability and effectiveness of:

  1. Production and aggregation of the BHC’s current financial data, which can only include US-specific data.
  2. Projections of future performance of the bank generated through the use of models.
  3. Generation of the submission report that is sent to the Fed each year.

GDPR Compliance

The General Data Protection Regulation is a European Union law that applies to any organization, including banks and financial institutions, that collects or processes personal data of individuals inside the EU, as well as EU citizens living around the world. Complying with GDPR, as well as the California Consumer Privacy Act of 2018 (CCPA) – often touted as the Californian equivalent of GDPR – has been a journey that has required cooperation across all 3 Lines of Defense for many organizations.

SOX Compliance

The Sarbanes-Oxley Act of 2002 requires that all public companies in the U.S. establish internal controls and financial reporting methods to ensure the adequacy of those controls. Another requirement for SOX compliance is that senior corporate officers personally certify that the company’s financial statements comply with SEC requirements.

FDICIA Compliance

The Federal Deposit Insurance Corporation (FDIC) Improvement Act requires banks that cross certain pre-defined asset size thresholds to comply with increasingly stringent requirements to report their financial data, including disclosing their savings account interest rates. FDICIA has additional requirements for banks and financial institutions based on their consolidated total assets, including intensive financial audits and annual reporting requirements. 

Banking Compliance Certification

Obtaining a certification of compliance with frameworks such as the NIST Cybersecurity Framework (CSF) is a way for businesses to develop trust with customers and formally demonstrate compliance with a security framework or a regulatory mandate. While it is easy to view compliance as a necessary evil, undergoing the process of achieving a certification can be critical to driving business forward — as well as avoiding penalties, fines, and the reputational risk associated with negligence. To learn how to successfully prepare for security and compliance certifications, download our white-paper below.


Managing your bank internal controls and compliance program using spreadsheets, email, and shared drives introduce a number of challenges and risks, from losing track of a piece of evidence needed for an audit, to an unmediated compliance gap. In addition to inefficiencies, a manual internal controls and compliance program can result in the following consequences: 

  • Failure to meet the minimum standards of a compliance requirement, resulting in negligence.
  • Paying fines, damages, and legal fees, without any insurance reimbursement, as a result of negligence. 
  • Impact to the organization’s reputation and/or financial health as a result of negligence.

Leveraging Technology to Streamline Bank Internal Controls and Compliance

To avoid the risks associated with negligence, it is crucial to establish a sustainable foundation for your compliance program. To do so, identifying the right environment to house and maintain your internal controls and compliance data is key. While a homegrown system of spreadsheets, shared drives, and/or access databases may seem sufficient, this system can quickly become unmanageable as your internal controls and compliance data evolves. In contrast, choosing a purpose-built governance, risk, and compliance (GRC) software solution can enable you to:

  1. Easily scope the requirements of any certification.
  2. Centralize your compliance data in an environment that allows you to see across all your controls, and know which frameworks and requirements they map to.
  3. Streamline compliance activities across multiple frameworks to reduce repetitive administrative tasks.
  4. Easily update requirements and adopt additional compliance frameworks without losing centralization or impacting existing testing schedules.
  5. Facilitate certification readiness through automated readiness assessment surveys.
  6. Drive the actual certification process by enabling third party auditors to work in a centralized platform containing all relevant data.

Best Practices to Centralize and Automate Your Bank Audit and Compliance Program

  1. Establish strong internal controls systems in your bank
  2. Approach banking compliance holistically vs. the old-fashioned, check-the-box audit approach. 
  3. Promote ongoing, frequent coordination and communication between audit and compliance functions. 
  4. Leverage enabling technology to centralize and automate audit and compliance activities.

Comments

Post a Comment

Popular posts from this blog

What is Accounting ?

What is Accounting ? Accounting has been hailed by many as the “language of business”. There are many quotations like “A pen is mightier than the sword but no match for the accountant” by Jonathan Glancey which tell us about the power and importance of accounting. The text book definition of accounting states that it includes recording, summarizing, reporting and analyzing financial data . Let us try and understand the components of accounting to understand what it really means: Recording The primary function of accounting is to make records of all the transactions that the firm enters into. Recognizing what qualifies as a transaction and making a record of the same is called bookkeeping. Bookkeeping is narrower in scope than accounting and concerns only the recording part. For the purpose of recording, accountants maintain a set of books. Their procedures are very systematic. Nowadays, computers have been deployed to automatically account for transactions as they happen. Summarizing
Read more

Audit Pro 411 How the Auditing can help companies?

Image
How Auditing can help companies?  https://auditpro411.com/services/ Auditing   is a means of evaluating the inefficiency of a  company's   internal controls. Retaining an effective system of internal controls is vital for the  Company's   aim, gaining trustworthy financial reporting on its operations, precluding fraud and misuse of its assets, and lessening its cost of capital. One of  the   biggest  advantages   of  a uditing   is that it offers assurances to  the   owners, investors, shareholders etc.  The   owners of  the   business will be assured about  the   accuracy of  their   books of accounts. Internal  audit   serves an  important   role for companies in fraud prevention. Recurring analysis of a company's operations and maintaining rigorous systems of internal controls can prevent and detect various forms of fraud and other accounting irregularities. Auditing is an independent examination of financial statements of an entity, whether profit-o
Read more

Information and Communication Technology (ICT) or Remote Auditing

Information and Communication Technology (ICT) or Remote Auditing What is ICT or Remote Auditing ? In these turbulent and uncertain times brought about by COVID-19, many questions have arisen concerning the availability and viability of conducting remote audits, also known as “ICT”.­­­ To help separate the facts from the fiction, Smithers has developed an ICT information sheet to help you understand what it is, the basics around how it works, and the questions that interested parties must answer before moving forward with this option. What is ICT auditing, exactly? It is defined as: “The use of technology for gathering, storing, retrieving, processing, analyzing, and transmitting information to optimize an audit’s effectiveness and efficiency, and to support and maintain the integrity of the audit process.” Some acceptable technologies for conducting these remote audits are, but not limited to: Smartphones, Tablets, and other Handheld Devices  Laptop and Desktop Computers  Video Camera
Read more