By Patti Dunn
At this point in time, if you are in the financial services industry, you have been through more than a few audits over the last couple of years. You have also most likely strengthened your level of documentation and your entire compliance management system (CMS). Where I have observed that opportunity still exists to better prepare for and execute audits, whether the audits are from clients or regulatory agencies, is in two main areas: staff audit preparation and audit preparation testing.
Several examples to consider in the area of staff audit preparation:
- Subject experts you are going to have present information and answer auditor questions should be thoroughly prepared. Just in the last few months, I can think of a number of situations where policy does not match the practice as described by the subject expert. This generally happens for two main reasons: either the policy and practice are not appropriately synced up and trained, or the expert “ad-libs” an answer to an auditor question.
- Auditors like to ask questions of employees outside the formal interview process. This can result in unfavorable outcomes because employees are not being adequately trained on policies and procedures for their work or employees make their own adjustments to work instructions. A couple of examples from recent audits include an employee stating that PII and confidential information are routinely at workstations in conflict with the company’s clean desk policy; and an employee producing their cell phone from their purse upon the auditor’s inquiry when the company policy stated that cell phones could not be brought into the facility by call center employees.
- Another situation that can develop from ad hoc auditor questions is employees feeling the need to answer the question even if it has nothing to do with their job responsibilities. This can result in the auditor receiving misinformation that requires considerable effort to unwind.
- A gap that I frequently observe is the lack of proof that a policy and procedure is actually in place and functioning as intended. Here are some examples of areas you should be auditing on a regular basis: State legal restrictions for manual and dialer processes, system and physical access logs, chart of State Disclosures on notices, and training logs. Out-of-date documents also happen more than one would think. I cannot count the times that, as an auditor, I was presented a Licensing Chart showing expired licenses simply because it had not been kept up to date.
Suggestions for audit preparation beyond writing policy and procedure:
- “Practice makes perfect” – An effective method to help prepare your staff for auditor questions is to ask employees questions on an impromptu basis. Make this part of your daily routine. This approach helps you identify gaps in your policy implementation and makes employees more comfortable with answering questions from outside auditor staff. It is also important for employees to know not to answer questions outside their span of control, as well as whom to refer the auditor to when this occurs.
- Preparation – Prior to an audit, the CCO and subject experts should have both reviewed the most recent version of the policies and verified what is occurring in actual practice.
- Training and Implementation – A formalized process should be in place to make sure all policies and procedures are translated into work instructions and incorporated in training materials, as well as communicated and trained as appropriate.
Suggestions for compliance testing:
- “Prove it” – You may have heard this phrase during the course of an audit. It is important that when new policies and procedures are added, a log and/or audit process also be installed. Your CMS should provide the means to schedule audits and track all of these internal audits and logs.
- Mock audits – If you are not doing this, you should perform internal mock audits both for the CFPB modules and for key clients. Again, it helps identify gaps and it gets everyone more comfortable with and skilled at handling actual audits.
- Third-party compliance stress testing – Have a third party take a look at your CMS, organizational compliance structure and compliance culture on an annual basis. An unbiased, third set of eyes is essential to creating a strong compliance program.
Successful compliance audit outcomes are all about preparation: paper and people.
Patti Dunn is President of The EDGE Consulting. The EDGE provides compliance consulting and auditing services to the ARM industry including creditor and debt buyer auditing and audit preparation services as well as being an approved DBA Certification auditor.