Appeal of Matters Requiring Attention (Third Quarter 2012)
A community bank appealed two Matters Requiring Attention (MRAs) issued at the most recent examination. The examination found deficiencies with the bank’s (1) independent testing of Bank Secrecy Act (BSA)/Anti-Money Laundering (AML) and (2) consumer compliance audit and training functions. The BSA MRA noted deficiencies in four areas: (1) scope (scope was limited to the procedures prescribed by the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, weaknesses were identified in the breadth and depth of procedures used, and sample sizes were inadequate or not risk-based), (2) independence (the auditor was directly involved in the BSA program), (3) audit reporting (the BSA report failed to inform the board of the scope, procedures, and sampling used), and (4) timeliness (a 21-month lag between BSA audits). The consumer compliance MRA noted two deficiencies: limited audit reports and an inadequate compliance training program. In addition to these MRAs, the bank appealed other examination criticisms, including the use of the FFIEC BSA/AML Examination Manual as the independent testing scope and several reasons presented as the cause of the consumer compliance deficiencies, including the board’s failure to ensure the consultant performed certain duties as outlined in the contract. The bank also appealed the supervisory office’s proposed corrective actions to address the compliance deficiencies. These included requirements to ensure audit reports are adequate and to establish a process to periodically review work papers to ensure all findings are included in the final compliance audit reports.
Regarding the BSA MRA, the board disagreed with the examination’s criticism of the auditor’s use of the FFIEC BSA/AML Examination Manual as the independent testing scope, stating these procedures were used throughout the industry. The board asserted sample sizes were risk-based and, therefore, commensurate with the low-risk nature of the bank’s BSA activities. The appeal stated the consulting company was independent and did not participate in day-to-day operational activities. The appeal also asserted that the audit report format had been in use for numerous years without criticism, and that the BSA audit was performed in each calendar year.
Regarding the consumer compliance MRA, the appeal asserted the supervisory office did not support its findings that the compliance audit reports were limited and findings were not brought forward. The appeal stated that the auditor purposely did not bring forward immaterial findings. In addition, while the bank agreed to develop a training program in response to examination findings, it disagreed that the board failed to ensure the consultant performed all duties required by the contract. The appeal asserted that the consultant abided by the contract in terms of performing quarterly audits, and the contract did not include a requirement to provide training or serve as a consultant. The bank’s appeal also noted the requirement to develop and maintain a resource library was outdated and not applicable.
The ombudsman reviewed the information submitted by the bank and the supervisory office. The FFIEC BSA/AML Examination Manual and the Comptroller’s “Internal and External Audit” and “Bank Supervision Process” Handbooks were used as standards for the analysis.
The Comptroller’s “Bank Supervision Process” Handbook states MRAs are practices that deviate from sound governance, internal controls, and risk management principles, which may adversely impact the bank’s earnings or capital, risk profile, or reputation, if not addressed; or result in substantive noncompliance with laws and regulations, internal policies or processes, or OCC supervisory guidance. Based upon an analysis of the information, the ombudsman found sufficient evidence to support the issuance of MRAs for both BSA and consumer compliance because the deficiencies were sufficiently significant to meet the OCC’s definition of an MRA. However, some details included in the MRAs were not fully supported; in those cases, as noted below, the ombudsman required the supervisory records to be amended.
BSA MRA: The ombudsman concurred with the issuance of this MRA and its associated corrective action for the board to implement a comprehensive, independent, and timely BSA/AML testing function.
As noted in the Background section above, the BSA MRA consisted of deficiencies in four areas. Regarding deficiencies in the BSA audit scope, the ombudsman concurred with this finding. The ombudsman found that there was limited or no testing in the areas of Office of Foreign Assets Control, Suspicious Activity Reporting, high-risk customers, and the Customer Identification Program. The ombudsman found that deficiencies with the scope, procedures, and sampling were due to the auditor’s failure to consistently and thoroughly document responses to procedures, perform substantive transaction testing, support conclusions, and report on all relevant areas.
The ombudsman concurred with the finding regarding the auditor’s lack of independence. The auditor’s involvement with risk assessment preparation compromised audit independence. Internal auditors must be independent of the activities they audit so that they can carry out their work freely and objectively.
The ombudsman concurred with the finding regarding audit report limitations. The BSA audit report lacked information about the scope, procedures, and sampling, which provides the basis to assess a vendor’s performance, proficiency, and compliance with the contract. Audit reports typically contain a summary of the purpose, objectives (breadth), scope (depth – the activities performed for a specific time period), detailed audit results, supported conclusions, ratings, root causes of weaknesses, recommendations, management’s response, and timeframe for corrective action. The auditor’s BSA and other compliance audit reports did not consistently contain these items.
The ombudsman also concurred with the finding regarding report timeliness. The last BSA report was not timely. A sound policy is for a bank to conduct independent testing every 12 to 18 months, commensurate with the bank’s BSA risk profile. However, an 18-month schedule is not necessarily reasonable for a low-risk BSA bank that has high-risk customer accounts.
Notwithstanding the ombudsman’s concurrence with the issuance of the BSA MRA, the supervisory office did not fully support some of its conclusions. For instance, the ombudsman did not find that the bank’s use of the FFIEC BSA/AML Examination Manual was the basis for the supervisory office’s findings. The manual was produced for use by examiners; however, its use by auditors is not prohibited. The procedures should be adjusted based on the audit scope, transaction testing focus, and bank’s risk profile.
In addition, the ombudsman did not find adequate support for the supervisory office’s conclusions regarding the auditor’s involvement with high risk account establishment and monitoring, large cash item aggregation, account closure decisions, suspicious activity reports processing, or operating policy or procedure establishment.
Consumer Compliance MRA: The ombudsman concurred with the issuance of this MRA and its associated corrective action for the board to determine the adequacy of reports and periodically review compliance work papers.
As noted in the Background section above, the Consumer Compliance MRA consisted of deficiencies in two areas. The ombudsman concurred with the finding regarding audit report deficiencies. The auditor’s compliance audit reports did not consistently contain a summary of purpose, objectives, scope, detailed audit responses, supported conclusions, ratings, root causes of weaknesses, recommendations, etc. In addition, audits did not fully cover regulations such as BSA, Regulation D, Flood Disaster Protection Act, and Regulation E. Furthermore, the ombudsman concurred that certain findings were not included in the final audit report. It is the auditor’s responsibility to bring all exceptions forward and differentiate their materiality.
Regarding the compliance training program deficiencies, the supervisory office concluded the board failed to ensure the bank’s auditor performed certain contracted duties. The supervisory office found limited performance of the following duties: (1) provide compliance training, (2) develop and maintain a compliance resources library, (3) complete quarterly compliance audits, and (4) serve as compliance consultant.
The ombudsman concurred with the supervisory office concerning the board’s failure to ensure the vendor conducted compliance training and developed and maintained a compliance resources library. The contract explicitly stated the vendor is to compile and maintain training materials, develop and maintain a library of compliance resources, and assist in or conduct training sessions for employees. However, the ombudsman reminded the bank, per OCC guidance, auditors should not be involved in the function being tested. For instance, if an auditor provides BSA training, then he or she should not audit the area of BSA training for reasons of independence.
However, concerning the board’s failure to ensure the vendor completed quarterly compliance audits and served as compliance consultant, the ombudsman concurred with the bank that these should not have been included in the MRA. The consultant performed quarterly audits and the contract did not require the vendor to serve as a compliance consultant.
The ombudsman notified the supervisory office to revise its records to reflect the changes noted above and encouraged the bank to continue to work with the supervisory office to correct identified deficiencies.