Skip to main content
A CPA speaking and smiling with a young couple.

Considerations for the 2022 Internal Audit Plan

Financial institution’s audit plans must be responsive to risks such as errors, misstatement, and fraud.
banner background

Your risk assessments are complete. You have carefully designed a 2022 internal audit plan that is responsive to risk. The audit committee presentations are done and the audit plan is approved. Now the Federal Reserve is raising interest rates and inflation is impacting the economy. What additional factors must you consider now?

This article reviews items for consideration and potential modifications to your audit plan for 2022.

Risk Assessment Considerations

While COVID-19’s impact on banking operations may have been a boon for loan originations, rising interest rates and inflation could lead to a reversal of fortune as mortgage portfolios (and other loan segments) could decline and some borrowers may face credit issues. If the appropriate policies and procedures are not followed, these factors could increase the risk of errors, misstatement, and fraud at your organization. Your financial institution’s audit plan must be responsive to these risks.

Consider the following areas for potential changes in audit scope and focus:

  • Changes in focus for audit areas likely already in scope:
    • Credit Administration – Risk grading and problem loan identification are always a focus but have probably seemed less risky recently given the previous solid state of the economy. Risk grading controls and portfolio monitoring are critical now, with a focus on loans that have adjustable rates. Attention should also be paid to borrowers who could be impacted by the slowing down of the economy, such as retail and some service providers impacted by inflation. 
    • Allowance for Loan and Lease Losses – A) The assessment of qualitative factors is likely critical as financial institutions try to estimate losses. Qualitative factors will be used to account for incurred and expected losses, depending on which model (incurred losses or current expected credit losses) is currently in place. An increase in past due or classified/nonaccrual loans may impact the qualitative factors (especially for those institutions with a limited recent history of such loans). For CECL, is the impact of likely short-term future increases in rates included in the qualitative factors? B) Financial institutions will need to ensure controls around the identification of impaired loans (or individually evaluated loans for those under CECL) are in place. For institutions that have not yet adopted CECL, this includes procedures around the identification and recording of troubled debt restructurings (TDRs). C) For institutions that have adopted CECL and do not have a history of credit losses since the Great Recession, are controls in place to ensure that future losses are captured?
    • Interest Rate Risk – Increases in borrowing rates could impact a bank’s net interest margin. Ensure the bank’s processes around monitoring are occurring and stress testing exceptions are being discussed. Reviews of assumptions for IRR models should be documented. Are decay rates for non-maturing deposits (especially for deposits with currently low rates) and beta rates still reasonable? Should aggressive prepayment assumptions be reduced? Has the bank performed stress testing to ensure the appropriateness of the assumptions? Has the bank factored in the possibility that interest rates will continue to increase and the impact on net interest margin?  
    • Accounting and Financial Reporting – Month-end close and financial reporting processes likely have been modified given the trend toward remote working environments. Changes to processes and controls typically increase the risk of errors and misstatements.
    • Information Technology – Although by this point most financial institutions may have developed strategies to account for their workforce working remotely, the impact of the increased IT infrastructure demands and ability to sustain the demand should be monitored.
    • Information Security – Risks may arise from employees working from home. Procedures around security should be in place (such as processing wire transactions). The financial institution’s customers and employees also face increasing phishing attempts.
    • Loan and Deposit Operations – The impact of staffing shortages on operations could impact the segregation of duties. In addition, unfilled vacancies could hinder procedures around the appropriate approval level processes for transactions and accounts. 
  • Audit areas that may require reconsideration if not originally in scope:
    • Credit Administration – The economy was sound, and TDR volume was low when you designed your plan. Depending on the bank’s exposure to adjustable rates, more loans could be experiencing credit quality issues. Depending on the experience of the bank’s special asset and loan portfolio team, identification of TDRs and classified loans could be more difficult. A decline of loan applications due to higher interest rates inherently requires a closer examination of whether individuals are following credit approval processes. 
    • Mortgage Banking – Several aspects of the mortgage banking business are impacted including the following:
      • Monitoring indemnifications reserves to account for an increase in payment defaults
      • Managing the warehouse line due to tightening in investor purchases, increasing holding times of loans held for sale
  • Corporate Governance – Tone from the top is critical during these times. Board and board subcommittee oversight should remain strong and information and communication between those charged with governance and management must remain timely, accurate, and complete.
  • Investment Securities – Rising interest rates are impacting the value of previously issued bonds resulting in larger unrealized losses and requiring evaluation of permanent impairment and, for those that have adopted CECL, consideration of credit losses. Volatility in the market is also causing investments in equity securities to devalue. Investments in equity securities without readily determinable values will likely require a more robust analysis by management to determine impairment.
  • Impairment of intangibles  Potential depressed stock prices will likely cause banks to perform a more thorough analysis of goodwill to determine the existence of impairment.

Other Audit Plan Considerations

Interactions with management and process owners

Auditing in hybrid work environments has its own challenges. Here are several things that may help with this challenge: 

  • Plan ahead – You are used to planning ahead, but now, it is critical. Be forward-looking on the audit schedule and send requested items lists even further in advance than normal to give management as much time as possible to provide the information. Plan to meet with internal control and process owners in person as much as possible to observe those cues (body language, expressions) you may miss over the phone. At the very least, conduct as many walk-throughs as possible on camera.
  • Stay connected – Set up periodic meetings with auditees to discuss the status of the audits, requested information, and potential findings. Video conferencing is a great way to communicate with the added benefit of seeing your contact, which helps to feel connected and likely will result in a quicker response from your contact when you are unable to meet in person.

Use this as an opportunity to re-evaluate your process and add value to the financial institution

Changes in audit plans create opportunities for us to think creatively about how we will complete our audit plans. The silver lining could be that you decide to try new approaches or audit techniques you did not have the time or courage to implement in the past. You also may be seen by management as a sounding board for new processes being implemented.

  • Consider the use of computer-assisted audit techniques and data analytics to accomplish steps that previously were done on a more manual basis. If data mining and data analytics have not been part of your audit plan in the past, now may be your opportunity to use them.
  • Adding an element of unpredictability to your audit is a good way to keep management on their toes and to discover new ways your institution can improve. Test a process that you have not tested in a while or ask new questions.
  • Seize the opportunity to add value to your organization. Get involved in discussions with management with respect to how they plan to change their processes in the current working environment. How will they address an abrupt change in interest rates and the impact it will have on the institution and the company’s client base going forward. Help management think through the risks and what could go wrong. Consulting with management to ensure proper controls for a new process as it is being designed can mitigate the risks of issues arising later.

The audit plan must go on. There could be changes to the focus of some areas in scope and possibly the addition of new areas to the plan given your institution’s transactions and client base. Use the recent changes to the economy to rethink how you are completing your audits. Do not be afraid to try new ways to audit the same area. Let management know you are there to help by providing your perspective on risks and controls for the new way your bank is doing business.

Reach out to a financial services professional at Forvis Mazars or submit the Contact Us form below if you have questions.

 

Related FORsights

Like what you see?
Subscribe to receive tailored insights directly to your inbox.