A How-to for Auditors: Internal Audit Insider Tips, Part 2

A How-to for Auditors: Internal Audit Insider Tips, Part 2

, , , ,

Can you remember the last time you conducted an audit of your organization’s workforce compliance program? If you can’t remember, or if you’ve never gone through an audit, your financial services company could be in serious trouble.

This wasn’t always the case. Unfamiliarity with audits, David Keene told our audience during a recent webinar, “is very dangerous … in today’s political climate.” As the director of compliance at Sierra Auto Finance, a Certified Compliance & Ethics Professional, and a member of the National Automotive Finance Association, David has watched the consumer finance industry undergo several momentous transformations. Over his 37-year career, he has seen the power of regulators—from the Department of Justice to the Consumer Financial Protection Bureau—wax and wane with the introduction of new laws, processes, and technologies.

He’s also done a lot of audits—many of them in the last 10 years. Why more recently? These days, he said, “our landscape is changing quite a bit”:

“Until Dodd-Frank came along in 2008 and 2010, there wasn’t much need for compliance in this industry—nor did you ever hear the word. So, a lot of us pretty much started from scratch back then. And one of the things I’ve learned, and especially with one of my other certifications, is that the scope of compliance now is bigger than just the CFPB. We’ve been laser-focused on the CFPB for quite some time because they are the the keeper of the rules, but there are other federal agencies out there. And we’re seeing… a lot of the focus shift down to the state attorneys general and their regulatory departments.”

Last week, Michael Benoit took us through what the CFPB is looking for in an organization’s audit program. But what about those state agencies and attorneys general? David provides the answer and other insights in this week’s webinar recap:

5 Internal Audit Key Questions

Every organization must decide what kind of compliance department it wants to have. A large finance company may have a department that seems like a cast of thousands: a dedicated, law-driven platoon whose mere presence scares people into compliance.

But for a smaller organization, that team often looks more friendly and helpful versus punitive and domineering. Their mission is to ask: “What can we do to help you and the business become compliant with state and federal laws? How can we help you get where you need to be?” For organizations where people may wear many hats and resources are frequently scarce, this second approach is almost always the more effective one.

With that in mind, the first step is to set up your audit program. You can use the CFPB examination manual as your model, whether you’re directly regulated by the CFPB or not—either way, if you set it up and treat your company like you are regulated by the CFPB, you’ll be ahead of the game. If you ask what they ask, you can get your business ready for an outside audit.

Next, run through a “gapping exercise.” In every department—underwriting, funding, collections, and even loan servicing—you may have agents and personnel who use cheat sheets, tips, guidelines, and other shortcuts provided by management to do their jobs. Take those documents and compare them with your policies. If your operational documents don’t reflect your policy, it’s essentially unwritten and your policy becomes folklore: it’s a matter of what someone heard or said.

Consider these key questions:

1. Does the written policy adequately address all relevant federal and state regulations and laws?

To find out, gather together all the state laws and federal laws you can. Once you have a broad overview, test it against all of the business’s written policies. Make sure that the ways in which the organization collects debts, sends out deficiency letters, sends out notices to cure, and so on, are not only federally compliant but state compliant. A chart or a table can help you understand what’s relevant in different states. Letters and notices are typically the most challenging, in terms of determining whether the business is sending the right notices and sending them at the right times. Auditors should also pay close attention to lending and collections policies, as these are among the vulnerable for state requirements.

2. Does the business follow its own internal policy and procedure in the normal course of business?

Keep in mind that the burden of compliance rests with the business, not with the compliance department. A compliance department can’t write a policy and effectively, objectively, and independently audit that policy. Internal auditors should review the policy, go through its procedures, and make sure that business follows its own laws. If it doesn’t, it’s perfectly fine for the internal auditors, at the end of the audit, to recommend a policy change or to ask the business to take a second at the policy.   

3. Are there efficiencies or recommendations that could improve process flow or mitigate risk?

Beyond basic state and federal compliance, auditors can and should evaluate the efficiency of the business’s procedures, such as underwriting, phone calls, and so on. When you’re a dispassionate third-party, you may see a faster or better way to accomplish a business goal.  

 

4. Is there a plan in place to identify and correct deficiencies?

This is one of the most important pieces of an audit. At the conclusion of the audit, an auditor should have a formal corrective action plan to go through their findings, meet with the business leaders, and set realistic timelines. Afterward, the auditor and leadership should follow up to discuss the findings, make sure everyone agrees about the nature of the deficiencies, develop a corrective plan (with a timeline), and schedule another follow-up to review the successful implementation of the strategy.

5. What is the business doing right?

In addition to what needs to be changed, tell leadership what they’re doing right. In every one of David’s audits, he ends by giving the business credit where it’s due and communicating about their strengths. If you continue to do that, audits not only get easier, but they get better. Be positive, be consistent, and make sure that the business understands to take this seriously, and you will be successful in any internal audit.

Next up: how compliance automation can make audits easy and effective in organizations of any size. Check back soon for the next part of this series!

Brett Safford

Brett is a previous member of Compli’s Customer Success team, where she helped clients get the most out of their platform and achieve their unique goals. Brett's love for fabric and quilting means her family suffers from an overabundance of blankets. In the evenings Brett can be found cooking in the kitchen with a glass of red wine and Ella Fitzgerald on the record player.

→ Brett Safford

Related Posts




Phone: 866.356.1735
Support: 877.522.4276
Menu
Customer Login

Send this to friend