How do you know if your ‘third line of defense’ is strong enough?
There’s a reason that internal auditors are called the third line of defense. They ensure your credit union’s operations are safe and compliant. But how do you know if your defense is strong enough? Regardless of whether your credit union has an internal audit function or uses an audit firm, an audit program needs five key elements. I’ve outlined them here.
1. Board Support and Access
First, reviewers must be able to objectively assess the operations of a credit union. When reporting to their boss or the executive team, employees can often be afraid to report egregious violations or other types of findings that uncover questionable management. Simply put, they don’t want to rat out their co-worker or risk losing their job for being the messenger. Policies to protect reviewers from retaliation must be in place, including termination of employment. Any type of disciplinary action taken against them should be reviewed by the board.
To facilitate their reviews, reviewers should also have the authority to communicate with business units and employees without gatekeeping or red tape. While executives are protective of their resources, reviews are like a health checkup. If you stop going to your primary doctor for check-ups, the results could be much worse.
Once reviews are complete, credit unions should report significant observations, findings and recommendations directly to the board. While it’s important to provide an opportunity to respond and clarify, that courtesy should never be interpreted as an invitation for business lines to obscure and modify a reviewer’s assessment.
2. Expertise and Training
Whether they are examining financial statements, regulatory compliance or operational risk, reviewers need to be knowledgeable. This may seem obvious, but a common complaint I hear from compliance officers is that they know more about compliance than the auditors themselves. Reviewers end up losing the respect and buy-in they need from those they audit.
Reviewers need appropriate training and understanding of the processes they assess—otherwise, the results of the review and the working relationships between the reviewer and the credit union will be lackluster. Reviewers may not be the authority on a specific regulation, but they should have access to specialists or the tools to understand what they are reviewing. That means they must be up to date with both regulatory and institutional changes.
The best reports are those that can objectively assess any business function. Unfortunately, human nature prevents most people from being able to objectively assess their own work. There’s even a term for this: illusory superiority. To counter this, peer reviews and other practices allow fresh, unbiased eyes to evaluate work.
The same idea can be applied to audits. The people who build a compliance program or craft policies, procedures and internal controls may not be able to judge their own work. That’s why regulators stress the need for independent auditors who can objectively assess the effectiveness of a program and deliver unbiased findings and recommendations.
4. A Foundation in the CU’s Risk Priorities
Credit unions are required to comply with thousands of laws, regulations and internal processes. However, resources are finite. Reviewers must take the same approach as all the functional federal regulators, allocating their resources to assess riskier practices or areas with a heightened risk for non-compliance or consumer harm. This means that the depth and frequency of a review should consider the level of risk.
Reviewers should not spend their time reinventing the wheel. A good practice is to review risk assessments, focusing on the areas where inherent risk is highest and audit the effectiveness of controls. If those controls are not mitigating the risk, this can have a dire impact on the institution.
5. Good Technology
From organizing files to planning reviews, technology makes reviewers more effective. Depending on the level of complexity, risk profile and size of the credit union, reviews can become unwieldy without the right tools.
A technology partner that understands the types of reviews or audits required by a credit union can be a valuable relationship. It should also support the credit union’s operations, foster collaboration, and make seamless the jobs of organizing and retaining documents and presenting and resolving findings.
Michael Berman is the founder/CEO of Ncontracts, one of the fastest-growing risk management companies in the financial services industry. He is also the author of The Upside of Risk: Turning Complex Burdens into Strategic Advantages for Financial Institutions, available on Amazon.