We have come to the final recap in the four-part CFPB Webinar Series. Today, our focus is The Audit Function. To dive deep into the audit function, review best practices for hiring and managing auditors, and identify what regulators need from your audit, you will hear from frequent speaker and author on consumer financial services law, and Hudson Cook LLP partner, Michael Benoit.
Compliance Audit Function & Structure
An audit is:
an independent, objective assurance and consulting activity to add value to and improve operations of your organization.
An audit will identify compliance weaknesses, enhance compliance, resolve and remediate deficiencies, and ensure compliance with internal controls. Michael shared that an organization has three lines of defense against regulatory action.
- The first line of defense is well-written, comprehensive policies and procedures that support your internal compliance needs and controls. [This defense should be familiar to you, if you have been following along on our recaps of the CFPB Webinar Series.]
- The second line of defense is a quality assurance process that works within the business operations to determine quality controls.
- The third line of defense is the audit function which is independent of operations (unlike quality assurance) and determines how well quality assurance functions.
The audit function is only as effective as its structure and its auditors.
CFPB Webinar Workshop Series – Compliance Audit
Watch this webinar to learn how a Compliance Audit fits in as part of the CMS (compliance management system) within the CFPB guidelines, why an Audit is an independent function, and how it provides a review of operations for compliance with legal requirements, policies and procedures and gives a comprehensive view of the effectiveness of a CMS.
Hiring and Managing Auditors Do’s and (one) Don’t
If your organization is large enough to hire an auditor, that person must possess time management skills, writing skills and interpersonal skills to effectively serve this function. Michael recommends:
- DO ask candidates scenario-based, open-ended questions in interviews.
- DO listen for concise, coherent and organized answers.
- DO get a sense of the candidate’s experience with critical events.
- DO ask the candidate to detail their experience with a critical incident.
- DO have them write out, in the interview, recommendations for specific actions that will lead to a satisfactory resolution.
Once you have a skilled, organized and clear communicator as an auditor, how do you ensure that this auditor is successful?
- DO ensure that the audit acts outside the business function.
- DON’T have the auditor report to a manager in the business function being audited.
- DO make a dotted line to the board, or to an executive (if you do not have a board) or senior decision maker. Michael advises keeping the auditor outside of and independent from the line of business.
Now that you have an auditor and a reporting structure that ensures the auditing function is independent and objective, how do you ensure consistency? If you thought ‘written policies and procedures’, then you were exactly right:
- DO have written policies and procedures that a) adhere to industry standards, b) have manager approval and c) include a clear exception policy; these are best practices for any type of audit.
Michael reminds us that auditors must possess knowledge of industry standards in order to employ proper audit techniques to do their jobs. They have to know how to conduct risk assessments. Auditors must report on their assessment of the problems, make recommendations on how best to correct them and identify the roles best able to fix the problems. Finally, auditors have to stay current with emerging risks, like data breaches, and with regulatory changes. DO train your auditors.
Reminder: An audit systematically evaluates your risk management, your control environment and your governance processes. All audits must follow the same path to success.
The Audit Path
- Assess the existing control environment of your organization, noting where specific legal and compliance requirements apply.
- Identify risks, to prioritize activity from highest risk to lowest.
- Measure potential impact and likelihood of occurrence to determine how serious the risks are (how much harm they could do).
- Take actions to manage, mitigate, transfer, avoid or accept the risk.
- Follow up with monitoring to show whether the corrections are being adhered to and are really working.
- If they are not, corrective action will be needed.
Without Risk, There Would Be No Audit
Practically speaking, dealers and finance organizations would much rather direct resources toward their bottom line. However, rules and regulations such as the Equal Credit Opportunity Act, adverse action notice requirements, the Fair Credit Reporting Act and Unfair, Deceptive Acts and Practices rules increasingly represent risks to the bottom line that no one can afford to ignore. Coming up next, we dive deeper into the risks to your business that an audit uncovers.
Map out Your Regulatory Compliance Obligations
Michael suggests starting on your audit path by getting the lay of the land: conduct a product and services inventory of your business. Next, identify the business process for each product or service. From there, map the regulatory compliance obligations to each of these business processes.
Now you’re ready for a gap analysis that determines whether each business process has an operational or regulatory compliance requirement and whether or not those business processes are hitting the mark. Auditors must be able to collaborate and communicate well with others, in order to identify weaknesses in current policies and procedures and in controls.
Know Your Risk Types
Michael points to four types of risk in the audit context: inherent, control, detection and residual. An inherent risk is naturally a part of doing business, like price and the risk of price discrimination. The second, a control risk, arises when a control falls short or fails to identify risks to a process, such as standards you are not meeting. A detection risk is mainly caused by human error during the audit, such as not pulling the correct sample data to test. The fourth, residual risk, is the risk that remains after all has been done to detect and control risk.
Risk, risk everywhere, but is it here?
Further down the audit path we want to measure the likelihood of risk and determine the level of harm.
Likelihood of risk. A good place to start looking is at your internal controls, your policies and your procedures. To reduce risks, auditors interview people who can detail how they deal with a policy or procedure to provide an accurate picture of adherence to the policies and procedures in place. You will also want to review prior audit findings to help determine whether or not monitoring is detecting potential risks. Michael advises reviewing prior complaints data and past litigation to uncover detection risks or residual risks after corrections have been in place. Additionally, it is important to review litigation and guidance for industry-wide risk that could impact your organization.
What’s the harm? An audit will help identify the harm a risk could cause. In most cases the company or the customer will be harmed. The nature of the harm could be monetary damage, civil penalties, criminal penalties, or all of the above. Michael reminds us that the potential impact of a risk depends on the organization.
Actions speak louder with clear words.
Now we come to the point in the audit path for recommendations for action in the audit report. The report has a summary of the findings that answers questions like: Are the policies and procedures in place, and are they being followed? Were any weaknesses in regulatory compliance or internal controls found? What were the deficiencies or gaps? The report also reviews the audit function itself: its success in meeting its audit mission, the resources available to it, and its reliability and independence. The report will also include an audit plan to address the risks. This audit plan may recommend an external audit, depending on the level of the risk. This report should be read by management and the board and referred to during monitoring of action items.
It is important to remember that the audit function is an essential part of the feedback loop to the board on how an organization’s three lines of defense against regulatory action are performing. Your path to compliance should now be clear.