It’s the holiday season, and while that means joy for most people, family tensions for others, and extra spending for everyone, it also means an increased workload for those responsible for compliance.
That’s right: with all the holiday spending, alerts rise to their highest annual levels in this season. If that’s not stressful enough, compliance managers also have to reflect on the past year and look ahead to the coming year.
One of the concerns that can come up is the question of internal audits. Are you going to pass them next year? Internal audits are stressful. If you had a hard time controlling your compliance this year, you may already have done some research on how to get back in control next year. Like many compliance managers, you probably realize that your systems need modernizing. But it’s not easy to convince the board to grant you the budget needed for that investment. That’s where internal audit personnel can help you. They’re a powerful presence within the bank and they can make strong allies if you’re open to working with them.
The personal risks you face as a compliance manager are enough to keep you up at night. Repeatedly failing internal audits might cause you to lose your job. If that were to happen, it would be disastrous for your career. You might sometimes question this situation’s fairness. If the bank isn’t willing to invest in new technology, there isn’t much you can do, right? In actuality, if the bank thinks differently, it is all the more important to establish a strong collaborative relationship with the third line of defense. Animosity isn’t helpful in developing this sort of working relationship. The stronger your relationship with the audit department, the more freely you can explain to them what you’re struggling with and how you think the problems can be solved with appropriate budgetary allocations. At the same time, including your advice can make the audit report more powerful because instead of just identifying issues, the report can also contain recommendations for how to resolve those issues. This, in turn, can vastly speed up the process of making changes to your department since it eliminates the necessity of forming workgroups to discuss the problems and solutions.
Building a better relationship with internal auditors will not work if you have the preconceived notion that they’re out to get you. They’re not. They care just as much about sustaining your banks’ business as you do. In order to understand where they’re coming from, you have to appreciate their position and its difficulties.
To be fair, internal audits aren’t just stressful for those in the second line of defense. They’re stressful for everyone. Every line of defense has its own issues. These issues range from communication difficulties, unclear roles and a lack of awareness about how to handle risk in everyday decisions to a lack of transparency, working in silos and illogical or insufficient documentation. Some of these challenges can easily be overcome, making for a more robust defense model. Where should you focus your energy to improve your relationship with the internal audit department? We think that making improvements in the following areas will have the most impact.
It might seem like a no-brainer but we’re just going to put it out there: communication issues create almost all the problems between people (or in this case, lines of defense). You might think to yourself: “we communicate all the time with the other lines of defense and with everyone else at the bank, for that matter.” But sometimes, it’s that very communication overload that’s the issue. It’s actually comparable to how an excess of false positive security alerts can cause teams to miss the truly relevant ones. The same thing happens with email: when you send out too many emails, internal communications are deprioritized, and often postponed. Another facet of communication is that it needs to be adjusted to the recipient’s level. Just as you expect your alerts to include relevant information about business context, the information in your emails has to make sense to those in other departments. Remember, each of us is an expert in our own right, so information that seems obvious to you might not be to someone in a different department.
The opposite behavior can also be problematic: communicating too little. Don’t assume that questions will naturally find you. Some people tend to improvise and find solutions for themselves instead of asking questions. Also, if there are many personnel changes within a department, knowledge is diluted, and that includes knowledge about where to go to ask questions.
Find a way to optimize communication between you and the first and third lines of defense. It will solve an abundance of problems.
The issue of transparency lies in the realm of communication. It’s better to be transparent about your mistakes than to try to conceal them. Auditors will discover mishaps, and it’ll look much worse if you attempted to cover them up than if you’re honest about them. ‘Honesty is the best policy’ is a cliché, but it’s true that by being honest you build trust. And trust is very much needed if your goal is to create long-lasting positive relationships with members of the internal audit department. However, transparency isn’t important only in communications. It’s also critical when it comes to documentation.
A struggle for everyone in banking, documentation tends to be scattered across systems. Its storage is often illogical: frequently documentation is saved on local drives instead of centrally. And there can be issues with authorizations. The list of problems goes on.
If you’re able to document your work in a way that makes it easy for the third line of defense to complete their audits, those internal audits will take less time for you and your staff. It will also bring to light the strongest obstacles to compliance that you’re facing.
The audit trail is the most valuable source of documentation for compliance. However, the audit trails that outdated systems generate usually aren’t clear. Plus, the reporting options they offer aren’t very extensive. Reading those audit trails requires expertise, as does extracting reports from the system. But with your workload being as large as it is, your department probably doesn’t have experts to spare. A clearer and easier-to-follow audit trail will also empower the audit department, building trust between them and your department.
If you can strengthen your relationship with internal audit by letting go of any preconceived notions you may hold, improving communication, and being transparent, members of the internal audit department will begin to have the ability to see things from your point of view. Then you can share with them the information below about audit trails. It’s in everyone’s best interest since clear audit trails benefit them as much as you.
BusinessForensics’ solution, the W7 Standard, makes your audit trails as clear as day. When you apply the W7 Standard, an audit trail is automatically created and maintained throughout the process. Documentation to support your accountability will also be generated and maintained automatically.
The audit trail is created by answering the 7 ‘W’ questions, but instead of looking at the incident and the suspect, the questions are asked from the perspective of the researcher or case investigator. The questions that must be answered to create the audit trail are:
- What was done to arrive at the reasoning behind the case?
- Weight or proportionality of the sanctioning measures?
- When was the research done?
- Where were the facts used in the case acquired or found?
- Who was involved in the investigation?
- With what tools has the investigation been conducted or completed?
- Why does it explain the probable cause?
As an added benefit, you can create a report from this audit trail that, if and when it should be needed, will be easy to share with authorities such as the FIU. The W7 Standard will also help you conform with GDPR regulations, since the audit trail improves your overall ability to account for your findings for each case, especially related to the disclosure or private details, something that’s required by GDPR law.
The most important thing? It helps auditors understand everything you do with ease. They won’t need to be experts to follow the audit trail, and you won’t need to assign one of your experts to work with their team.
We’ve set up our software in a way that makes it easy to implement specific modules, such as the W7 Standard, in addition to your existing software. That way, you don’t need to invest time and money into replacing your current system with an entirely new solution.