AuditOne Advisory: Examination Trends as of July 7, 2017


From Bud Genovese, Chairman

AuditOne LLC has compiled a summary of items regulators most often cited in their exams. Our goal is to present you with insight on examination trends and a heads up on possible vulnerabilities your financial institution may need to address. Our findings are derived from internal audits completed by AuditOne LLC in 2015 to 2016 where we verified the current status of prior examination findings. The article and data were produced by Kevin K. Watson, Co-CEO, Vanessa Sitthydeth, Audit Associate, and Aaron Faiola, Audit Associate, all with AuditOne LLC.

I hope you enjoy this article and share it with your colleagues having responsibilities related to any of the areas addressed. Thank you, Bud

Examination Trends as of July 7, 2017

We want to share with you what we have found to be the most often cited or newly emerging regulatory examination issues. It is beneficial to know what examiners are fussing about, so that financial institutions can have a heads up on possible vulnerabilities their institution may have. Our findings are derived from internal audits completed by AuditOne LLC in 2015 to 2016 where we verified the current status of prior examination findings. The sample of examination reports is depicted in the following table and is focused especially on 2015. At the time we calculated the results, many of the 2016 examination reports were not yet available to us, so naturally more of the reports in our sample were for examinations conducted in 2015.

The charts below illustrate the relative number of examination findings as organized by major functions for 2015 and 2016.  Those functions are Asset Liability Management, Bank Secrecy Act (BSA), Compliance, Credit Review, Electronic Funds Transfer, Information Technology and Security, and lastly Operations and Administration.

BSA by far is the area most often cited, followed by Asset Liability Management (ALM), and Information Technology and Security. Why are those areas most popular with examiners? To start off, BSA Programs are required to be appropriate for the risk profile of a financial institution, a concept that naturally involves a degree of subjectivity. Many have commented on the difficulty of complying with regulations that are less than certain. Another possibility is that the rapid escalation of examiner expectations for BSA has resulted in a shortfall of skilled BSA professionals. This would contribute to a lower quality of suspicious activity monitoring, leading to more exam issues. Third, it might simply be that bankers and examiners are still climbing the learning curve and that BSA findings will start to level out. For IT/IS, it is quite clear that the environment is driving the high levels of concern. Cybercrime is on the rise and customer data is frequently disclosed on an unauthorized basis. Finally, we have entered a rising interest rate environment that will have major implications for IRR, liquidity, and investment risk.

For other categories such as Compliance, EFT and Operations/Administration, criticisms were less frequent, though there were particular elements of concern with each.  The tables in this article depict the most often cited typical areas within each of the functions.

The number one issue for BSA was customer due diligence (CDD).  For CDD, examiners frequently cited concerns with documentation of expected activity, customer risk rating and periodic enhanced due diligence.  These are consistent with FinCEN adding CDD as the Fifth Pillar in July 2016.

Criticisms for ALM were primarily for interest rate and liquidity risk. Some of those citations were associated with model back testing, non-interest income scenarios, and liquidity stress test scenarios. Examiners are concerned that much of the “surge” into banks of deposits since the economic downturn will flow back out of the banking system when investment options with higher rates of return become available. Also, there is concern that some FIs have taken on too much risk in their search for better yields by acquiring investments with longer durations.

The top areas of concern for information technology and security were business continuity planning (BCP), oversight, and information security programs.  BCP criticisms were most often associated with business impact analysis and annual testing.

EFT findings were mostly associated with wire transfers. This is consistent with the larger transaction risk for wires as compared to other EFT channels. There have been numerous attempts at large-dollar wire transfer fraud against FIs and their customers. Examiners were often concerned with written agreements, authority levels and reporting of audits.

As with IT/IS, governance was of high examiner concern for credit as well.  Governance weaknesses were noted for policy and training on new or specialty credit types.  Also, in some cases boards of directors were not receiving adequate reporting of exceptions and stress test results.  Loan risk identification criticisms were especially concerned with underwriting practices such as cash flow calculations.  Criticisms regarding the Allowance for Loan and Lease Losses (ALLL) have decreased significantly now that reserve surpluses are common and documentation has improved.

Because the time intervals for compliance examinations are typically two years, we don’t have many examination findings for the compliance function in our database.  However, one theme was dominant, which was for compliance program management.  This “governance” issue is consistent with what we have seen for other functional areas, with risk assessments and due diligence on outsourced product vendors being areas of frequent concern by examiners.

For Operations and Administration, governance was once again near the top of the list.  These criticisms often had to do with corrective action tracking reports, risk assessments, audit planning and Audit Committee minutes.  It is very apparent that while operational and market risks have been relatively low during this period of economic recovery, examiners have taken this opportunity to ensure FIs are well prepared for the next economic downturn.  Solid governance practices will help ensure that all the operational and compliance functions are in a state of readiness.

This article was a high-level summary of the results of our project with only selected examples of the examiner concerns. If you would like a copy of our more detailed 90-page PowerPoint presentation, please contact Kevin Watson, Co-CEO at or (562) 802-3581.

This article and the supporting data were developed by Kevin K. Watson, Co-CEO, Vanessa Sitthydeth, Audit Associate and Aaron Faiola, Audit Associate, all with AuditOne LLC.

AuditOne LLC – Company Overview

AuditOne LLC provides independent risk management services to financial institutions. Our sole focus is providing internal audit and credit review services to the financial institution industry. We have experience with all regulatory authorities and offer a full selection of audit services comprising Credit Review/ALLL, BSA/Compliance, IT/Information Security, ACH rules Compliance, Operations, Network Tests, and Asset/Liability Management and various specialty areas. Our expertise is your edge. For more information on this article, please contact Kevin Watson at Contact Us and for information about all of our audit services see