We do quite a few webinars here at Compli. Although every webinar focuses on a different topic, each follows a similar format: introduction, speaker presentation, attendee Q&A. We like to start by polling the audience, and our most recent webinar, Internal Audit Insider Tips, was no different.
But one detail of the poll stood out to us this time around. We asked the audience, “How would you characterize your internal audit program?” And we offered the following responses to choose from:
We saw a range of answers between B and E, which we expected, but at least one attendee chose A. That response, according to Michael Benoit, could have only come from someone at a financial services provider that is not subject to Consumer Financial Protection Bureau jurisdiction.
In other words, if you’re regulated by the CFPB, you need an internal audit program. You may not have one yet, it may be in its infancy, or it may be a work in progress, but that doesn’t change the fact that audits are an essential—not discretionary—aspect of fair lending compliance.
The next line of questioning, then, is “What is an audit, and what is the CFPB looking for?” I’ll leave those answers to Michael, whose words we adapted for this blog post:
What Is an Audit?
How Is It Different than Monitoring?
Another possible reason for that 1% could be confusion over the difference between what it means to monitor one’s compliance program and what it means to perform an audit. If you monitor for compliance changes—and implement those changes—why would you need to do an audit?
Monitoring and audits are two distinct processes. The monitoring function of your compliance program should be designed to identify weaknesses in your policies and procedures and give you the actionable insights to promptly identify and correct those weaknesses. Your compliance or legal department may monitor your program on an ongoing or frequent basis. Usually, it isn’t a particularly formal undertaking.
An audit, on the other hand, is a formal process. Audits occur less frequently, are more comprehensive than monitoring, and require a greater degree of independence on the part of those who conduct the process. An audit may be handled by an internal audit department or outside auditors but, regardless, it should be independent of the monitoring process your business or compliance personnel usually engage in.
Basically, your compliance department cannot police itself for audit purposes. An audit is a check and balance in your compliance program. From the CFPB’s perspective, a compliance audit is a report that allows a company’s board of directors (or the board’s designated committees) to determine the organization’s current level of compliance and consumer protection.
How Should an Audit Function?
When examining an organization’s audit function, the CFPB focuses less on operational issues and more on compliance with consumer finance laws. The agency wants to know:
- Are you complying with the federal financial laws?
- Do your policies and procedures comply with federal financial laws…
- …and are people adhering to those internal policies and procedures?
Broadly speaking, the CFPB is looking for evidence that your money is where your mouth is. Consider the extent to which you can demonstrate that your staff’s day-to-day behavior adheres to your written compliance policies. The trouble starts if a company has well-written policies and procedures, but when examiners walk around the office, they find the implementation lacking.
So, where does the CFPB typically look? The agency’s Supervision and Examination Manual is a great resource. The manual explains that examiners evaluate monitoring and audit programs to determine whether, considered together, those two programs are commensurate with each institution’s size, complexity, and risk profile. Specifically, examiners will be looking at the institution’s compliance monitoring practices, management information systems, reporting, compliance audit, and internal control systems to make sure that these processes are comprehensive and timely, and successfully identify and measure material compliance risk.
Consider whether you are monitoring your programs proactively to identify procedural or training weaknesses in order to mitigate the chance of regulatory violations, and whether you’re making modifications and corrections in a timely manner. CFPB examiners rank an institution’s weaknesses by the level of risk—those that present the highest risk of consumer harm need to be addressed first—and expect the organizations they examine to do the same.
Additionally, CFPB examiners focus on…
- the scope of the audit, and whether it’s appropriate to the size of the organization;
- the way in which the organization implements necessary changes, and how quickly; and
- whether the audit program is sufficiently independent of the rest of the business, and whether it reports up to the board, senior management, or a designated committee.
Next up: how often to conduct audits, how to improve audit efficiency, and more. Check back soon for the next part of this series!