Internal Controls – Back to the Basics

Jun 20, 2017

Performing a thorough, quality internal control risk assessment, documenting management internal controls, and identifying missing control points are rigorous tasks that all organizations, including financial institutions, are challenged with on an ongoing basis. Bank executives, regulators, boards of directors, and external auditors are all very invested in internal controls. Strong, well-thought-out internal controls are not just for Fortune 100 companies, they are also important for local community financial institutions.

However, before we “get back to the basics,” we must understand why a strong internal control system is necessary. Greed, poor management decisions, lack of appropriate oversight, crises, scandals, frauds, etc., have always been around and will always plague business. When problems become pervasive enough in the business sector, the government tends to step in. The Financial Institutions Reform, Recovery and Enforcement Act of 1989 (“FIRREA”) was adopted in response to the thrift and banking crisis of the 1980s. The Federal Deposit Insurance Corporation Improvement Act (FDICIA) was enacted in 1991 by Congress to address the thrift industry crisis. More recently, the Sarbanes-Oxley (“SOX”) Act of 2002 was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, and WorldCom. All of this legislation led to more regulation and oversight, with Sarbanes-Oxley in particular bringing internal control over financial reporting to the forefront of Americans’ minds.

Financial institution internal controls have always been in place but may not have been documented, efficiently constructed, or even clearly tied to organizational risk. However, legislation, regulations, and compliance demands led financial institutions to create controls on top of controls. Controls were implemented primarily from a compliance perspective, focused mainly on financial reporting (FDICIA and SOX), and tended to neglect the other aspects of control, specifically operational controls.

As FDICIA and SOX matured, financial institutions underwent control rationalization. It became apparent that time was being wasted on unnecessary controls: testing too many controls, testing non-key controls, and testing redundant controls. Financial institutions started to get back to the basics and really reviewed core operations and control frameworks to improve operation and process efficiencies. This allowed financial institutions to remove unnecessary controls, slim down key control designations, increase automated controls, and really look into their processes, specific risks, and the controls covering those risks.

Controls, Controls, and More Controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls in 1992 and revised it in 2013; it is now considered the standard for measuring control system effectiveness. COSO defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives related to operations, reporting, and compliance.” Safety and soundness guidance requires you to have an internal control structure that is commensurate with the risk and profile of your financial institution. We also know from experience that being “over-controlled” is not an effective use of resources and that more is not always better. Having fewer key controls that are stronger and more comprehensive is more efficient than simply having more controls.

There are different levels of internal controls. There are preventive (stronger) and detective controls, as well as automated (stronger) and manual controls. Economics may not support automation or preventive controls, since they are often more complex and burdensome to implement and often require several times the resources to establish up front; however, they are stronger controls. Therefore, as your institution performs its annual dive into risk and control frameworks, keep this in mind: change controls from detective to preventive if possible and automate when feasible. Also, do not forget your operational controls.

Finally, there are mitigating/compensating controls. For smaller community banks with limited staffing, analytics can be used as a “super” mitigating control, because analytics can review the entire transaction history rather than a sample. For example, all loans are manually checked for accuracy when loaded into the loan system, or they should be. However, that check is performed by humans, and mistakes can slip through. Management can therefore independently monitor the entire loan portfolio with a few analytic tests. One simple test is to review the whole portfolio for rates that do not agree with current or historical bank rates and, for variable-rate loans, to confirm that each is tied to an appropriate index with floor, ceiling, and rate-change information recorded in the system.
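To make that analytic test concrete, the following is an added example, not code from the article or from Wipfli, that runs the portfolio review described above over a constructed loan file. The rate sheet, the list of approved indices, and the Loan record fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rate sheet (assumption, not from the article): lowest and highest
# rate the bank has offered per product, current or historical.
RATE_SHEET = {"auto": (3.00, 7.50), "mortgage": (2.75, 6.25)}
# Indices the bank's loan policy permits variable-rate loans to be tied to (assumed).
APPROVED_INDICES = {"PRIME", "SOFR"}

@dataclass
class Loan:  # one record as it sits in the core loan system (assumed field set)
    loan_id: str
    product: str
    rate: float
    variable: bool
    index: Optional[str] = None
    floor: Optional[float] = None
    ceiling: Optional[float] = None
    change_frequency_months: Optional[int] = None

def loan_exceptions(loan, rate_sheet=RATE_SHEET, approved_indices=APPROVED_INDICES):
    """Return every control exception found on one loan (empty list if clean)."""
    issues = []
    bounds = rate_sheet.get(loan.product)
    if bounds is None:
        issues.append(f"product {loan.product!r} not on rate sheet")
    elif not bounds[0] <= loan.rate <= bounds[1]:
        issues.append(f"rate {loan.rate:.2f} outside {bounds[0]:.2f}-{bounds[1]:.2f}")
    if loan.variable:  # variable loans must carry index, floor, ceiling and change data
        if loan.index not in approved_indices:
            issues.append(f"index {loan.index!r} not approved")
        for field in ("floor", "ceiling", "change_frequency_months"):
            if getattr(loan, field) is None:
                issues.append(f"missing {field}")
        if None not in (loan.floor, loan.ceiling) and loan.floor > loan.ceiling:
            issues.append("floor exceeds ceiling")
    return issues

def review_portfolio(loans):
    """Run the test over the whole portfolio; returns {loan_id: issues} for exceptions only."""
    found = ((loan.loan_id, loan_exceptions(loan)) for loan in loans)
    return {loan_id: issues for loan_id, issues in found if issues}

# Constructed sample portfolio: L001 and L003 are clean, the rest carry input errors.
SAMPLE_PORTFOLIO = [
    Loan("L001", "auto", 5.25, False),
    Loan("L002", "auto", 9.90, False),                              # rate keyed wrong
    Loan("L003", "mortgage", 4.10, True, "PRIME", 3.0, 9.0, 12),
    Loan("L004", "mortgage", 4.10, True, "LIBOR", None, 9.0, 12),   # unapproved index, no floor
    Loan("L005", "mortgage", 4.10, True, "SOFR", 9.0, 3.0, 12),     # floor and ceiling swapped
]
```

Because the test touches every record rather than a sample, it compensates for the manual load check without adding a second manual review.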

Controls are critical to the success of all organizations. The more time, effort, and thought that go into the control universe, the more can be expected to come from those controls. Wipfli has assisted numerous clients with documenting existing control frameworks, identifying gaps, recommending and implementing controls, and testing and remediating controls. Furthermore, Wipfli has experience focusing on key risks and controls in companies, thereby adding value in compliance, reporting, operations, and strategy. Life is a journey, not a destination; let Wipfli be your trusted guide.


John Schroeder
Senior Specialist