Control testing has typically been run out of a bank's internal audit group, the Sarbanes-Oxley compliance team, a centralized control testing unit, or all of the above. Rarely has it been coordinated with real-time business risk assessments.
In the case of the Audit Department, the Chief Audit Executive develops an annual schedule for control testing, leveraging past reports to determine priorities. The Audit team also considers other risk factors, such as changes in the business products and external events. In an integrated organization, the Audit team may also perform the SOX or Federal Deposit Insurance Corp. Improvement Act control assessments, and apply this information when developing their schedule.
In most institutions, the business lines such as Consumer Lending, Wholesale Lending, and Information Technology have traditionally relied on the audit group to test their controls. Given the complexity and velocity of change, a once-a-year control test is not enough. The business needs to be more proactive in performing regular control assessments and control tests; getting involved only when there has been a control failure is too late. Let's face it: the Audit team is typically not as close to the business as those who run it day in and day out.
It's time for a change.
The Federal Reserve and Office of the Comptroller of the Currency have recognized the gap between audit teams and business lines. The Fed's SR-13 identifies some of the gaps, and highlights the lack of integration that exists around risk assessments and control testing. A handful of banks have told me their regulators are digging deep into their control testing planning and prioritization and emphasizing the need for the business to take more ownership of these critical processes. The most common question being asked of the banks is this: Why did you decide to test these controls and not those controls?
So, how do we get business unit managers more actively involved in the monitoring of controls and risks? What are the obstacles that need to be addressed in order for them to play a more meaningful role in this process?
First, the tone at the top needs to change. Audit teams aren't always willing to share information. It sounds archaic, but some audit departments prefer to keep the list of findings locked down in their department on a SharePoint site or in Excel. This makes it difficult to do any kind of analysis on risk integration and exposure across the company. When a control fails in one department, and that same control is considered key by another department, it is almost certain that the second group has no idea the control failed somewhere else.
We need better information sharing. While the Audit department may take a business process view of their control testing, it isn't always clear who gets the final report, and whether all stakeholders associated with that business process have access to it. More importantly, other business units who rely on the same controls, but whose business process is not included in the audit, would certainly benefit from an assessment of the control effectiveness testing that was performed. Any report of examination issued by the primary regulators and their associated findings should not be held closely.
Technology can facilitate better information sharing, especially around risk information, while maintaining data security at the field level. High-powered data analytics can leverage control tests performed across the organization. Risk assessments can become more relevant, meaningful and actionable as a result of better risk data around loss events, past issues, and control tests, all of which can be made available to the business units at the right time.
Sterling Savings Bank in Spokane, Wash., which recently won the GRC 20/20 Research 2013 GRC Value Award in the category of Enterprise GRC (governance, risk management and compliance), has driven compliance testing down to the business line. Every month, the business area control specialists execute a checklist defined by the head of compliance. This information is summarized and trended for the enterprise risk management committee and the board's risk committee.
Forward-thinking auditors are recognizing the opportunity to integrate risk assessments from the business units to inform their schedules. Many large banks are also in the process of rolling out risk control and self-assessment tools that enable risk and control assessments at the line of business, and at a very granular business unit level.
Where does your company stand on the GRC maturity curve? No doubt the front-page headlines on compliance fines are raising questions and causing concerns in boardrooms and C-Suites across the country. The regulators' expectations have increased. In response, banks need to break down the information silos, leverage business risk assessments to drive control testing, and test those controls that are aligned to emerging and pervasive enterprise risks. By appropriately leveraging the third line of defense, banks can move from satisfactory to strong.
Susan Palm is vice president of industry solutions for MetricStream, a provider of enterprisewide governance, risk, compliance and quality management solutions.