ACUIA May 16, 2011 Risky Business: Risk Assessment at the Audit Level Bryan W. Mogensen, CPA,...

ACUIAMay 16, 2011

Risky Business: Risk Assessment at the Audit Level

Bryan W. Mogensen, CPA, Partner

© Clifton Gunderson LLP All rights reserved.

2


About Clifton Gunderson

• One of the nation’s largest certified public accounting firms

• Founded in 1960• More than 1,900 professionals

serving clients from 46 offices across the country

3


Credit Union Expertise

• Nationwide leader in providing auditing, consulting, tax, and valuation services for credit unions.

• Fifty-year track recorded of client success.

• Depth of experience – Credit Union clients range in asset size from $10 million to more than $20 billion.

4


Our Presenter

• Bryan has more than 15 years experience auditing credit unions and he has undertaken considerable continuing education related to these areas.

• In addition, he has experience in auditing credit unions and credit union related organizations, community banks, not-for-profit organizations and other small business’.

• On these engagements he is responsible for planning, supervising the audit staff, reviewing the work performed, and attending client and exit conferences.

• He also makes several presentations and attends various national credit union conferences and League annual meetings throughout the year.

Bryan W. Mogensen, CPA, Assurance Partner

5


Agenda

• Why are some credit unions in trouble today?– What were the common themes– What to expect from examiners going forward

• Enterprise Risk Assessment – the process • Enterprise Risk Assessment at the

Individual Audit Level, including:– Loan review– Regulatory compliance– Internal audit– IT security matters– Industry– Recent Accounting Matters

6


Why are some credit unions in trouble?

• Some common themes we have experienced:– Trends seem to be fairly consistent for many

troubled credit unions:• Concentration in other commercial real estate and

acquisition, development and construction loans• Concentration in indirect auto lending with high loan

to values (i.e. in excess of 125% upon issuance)• Concentration in residential real estate lending in

areas that experienced large increases then decreases in values coupled with economy

• Many experienced a period of tremendous growth fueled with non-core funding sources

7


• Weak lending and credit administration practices regarding MBLs:– High level of technical exceptions in

commercial and CRE portfolios– Policy exceptions – policies were adequate they

just didn’t follow them – overrides mainly for growth

– Lack of adequate documented site inspections


8


– Weak credit administration practices• Inadequate appraisals:

– Use of “as completed” vs “as is” appraisals • Inadequate analysis of borrower cash flows including

failure to properly calculate global debt service ratios– Placed too much reliance on net worth of guarantors– Net worth doesn’t make loan payments, cash does!

– Poorly designed incentive compensation systems.


9


• Weak lending and credit administration practices regarding auto or real estate lending:– Policy exceptions – policies were adequate they

just didn’t follow them – overrides mainly for growth

– Lack of or not following concentrations of portfolios based on net worth or loan portfolio

– Significant reliance on members ability to pay and/or collateral• Economy, gas prices, too much reliance on overtime

pay• Collateral value declines well beyond expectations

– Poorly designed incentive compensation systems.


10


– Board failed to provide adequate oversight to institution

– Ineffective risk management programs:• Loan review function failed to identify

deficiencies in the institution’s underwriting policies and procedures and individual credits until it was too late

– Inadequate asset liability/concentration policies and procedures


11


– Institutions failed to prepare allowance for loan losses calculation in accordance with GAAP and regulatory guidelines


12


What to Expect From Examiners Going Forward

• Expect examiners to be more critical!– Loans acquired through participation:

• Need to perform your own independent site inspection and analysis of borrower / guarantor cash flows

• Need to verify major assets and liabilities of guarantors

– Asset liability policy must include or require:• Monthly preparation of cash flow projections

analyzing inflows and outflows of cash at various intervals (suggest looking at 30, 60, 90 and 180 time periods)

– Projections should also include schedule of contingent funding sources (available balances under lines of credit, FHLB Advances, and federal funds).

• Quarterly preparation of sensitivity analysis on cash flow projections

– Look at four to five scenarios ranging from best to worst case

• Contingency funding plan with information on what triggers liquidity problems

13



– Need to provide segmentation information on any concentration in your loan portfolio (> 250% to 300% of the credit union’s total net worth): • For example, assume you have a concentration in

CRE loans:– Break out total of loans first by collateral type (i.e.

apartment complex, office building owner occupied, office building held for rental property, etc.) and then by loan to value ratio or seasoning of the loans

– You may need 2 to 3 subcategories for each collateral type

– Will require more capital if you have concentration in CRE loans above 250% to 300% of net worth:• Meeting the definition for a well capitalized credit

union may not be sufficient in the future

14



– Regulators focused on loans modified because the member is having financial difficulties (troubled debt restructuring or TDRs)• Need to calculate the net present value of future cash

flows• Need to consider re-default risk in FAS #5

calculations• If TDR becomes re-delinquent need to evaluate based

on collateral value

15



• Examiners have received a lot of criticism for not taking stringent enough action after identifying weaknesses.– Repeat violations, if significant, will almost

certainly lead to a 3 or 4 management rating– Expect more DOR, LUA, Orders to be issued

• NCUA may take preemptive action even if your credit union has enough capital to be considered “adequately capitalized”

• NCUA has also required net worth ratio to be higher than 7% (i.e. 8%) if deemed higher risk

16



– Also expect examiners to require credit unions who receive a 3 or 4 management rating be required to:• Prepare a formal assessment of the number of,

compensation paid to, and qualifications of the institution’s management team and/ or executive officers

• The examiners have assessed monetary penalties against the board of director members of failed banks– In one bank, each board member was

assessed a penalty equal to 20 percent of their calculated net worth

– Haven’t seen this in credit unions yet but it could happen?

17



• More closely, looking at the independence and quality of your risk management programs– They expect the board of directors to be very

involved in this process• Credit Unions falling under the Prompt

Corrective Action (PCA) regulations will be more closely monitored

• Plan should include detailed action items addressing how you will shrink the credit union, reduce overhead, improve net interest margins and improve risk management functions going forward

• Too many credit unions waste time fighting examiners vs. working with them to go forward

18


Enterprise Risk Management

• Comprehensive analysis of the risk profile of a Credit Union– Should include a narrative explaining how

transactions are processed; who does it, what approvals are needed, what controls are in place, etc.

– An analysis of the risks or the “what could go wrong” question

– Description of the internal audit procedures to be applied to monitor and evaluate the significant internal controls

– Evaluation of the risks of the area and assignment of an overall risk rating to the area, which in turn is used to determine the frequency of testing to be applied to the area

19

Business Risk Assessment Summary

Risk Rating

H=High65-100

M=Mod35-64

L = Low<35

Risk Factors >>> Stra

tegi

c

Tech

no

logy

Fin

anci

al

Re

pu

tati

on

Lega

l / C

om

pli

ance

Op

era

tio

n

Co

ntr

ol A

ctivi

tie

s

Cu

ltu

re

Exp

eri

en

ce /

Exp

erti

se

Leve

l of

Turn

ove

r

Ove

rall

Ris

k R

atin

g

Lines of Business

Investment Securitites Mod Low Mod Low Low Low High Mod Mod Low Mod

Lending High Low High Mod Mod Mod Mod Mod Mod Mod High

Other Financial Services - insurance and brokerage Mod Mod Mod Mod High Low Mod Mod Mod Low Mod

Branch, Teller and Customer Service Operations Mod Low Mod Mod High Low Mod Mod Low Mod Mod

Business Support Functions

Accounting and Financial Reporting Low Mod High Low Mod Low High Mod Mod Mod Mod

ACH & Wire Transfers Low Mod High Low Low Mod Mod Low Low Mod Mod

ATM & Debit Card Operations Low Mod Low Low Mod Low Mod Mod Low Mod Low

Deposit Operations Low Low Mod Low Mod Low Mod Low Low Low Low

Human Resources Low Low Mod Mod High Low Mod Low Low Low Mod

Information Technology Security Matters Mod Mod Mod Mod Mod Mod Mod Low Mod Low Mod

Item Processing Low Mod Mod Low Low Low Mod Mod Mod Mod Mod

Asset Liability Management High Low Mod Low Low Mod Mod Low Mod Low Mod

Loan Operations Low Low Mod Mod Mod Low Mod Mod Mod Mod Mod

Safe Deposit Boxes, Money Orders, Travelers Checks and Other Products & Services

Low Low Low Low Mod Mod Mod Low Mod Mod Mod

20


Three Year Internal Audit Plan

Description Overall Risk Assessment

2010 2011 2012

Accounting and Financial Reporting Moderate X X ACH and Wire Transfers Moderate (1) X X Other Financial Services including insurance and brokerage

Moderate X X

ATM and Debit Card Operations Low X Investment Securities Moderate X X Branch, Teller and CSR Operations Moderate (2) X X X Deposit Operations Low X Lending High X X X Lending Operations Moderate X Safe Deposit Boxes, Money Orders, Traveler Checks, and Other Products and Services

Low X

Human Resources Moderate X X Information Technology Security Matters Moderate (3) X X X Item Processing Moderate X Asset Liability Management Moderate X X Marketing Low X Regulatory Compliance Matters Moderate (4) X X X

1) As required for the credit union to continue to offer ACH services, the ACH procedures set forth by the National Automated Clearing House Association will be performed on an annual basis.

2) The main location of the credit union will be tested every other year while at least two other branch locations will be subject to testing on an annual basis. During the three year cycle all branch locations should be subject to testing at least once.

3) To comply with industry best practices and comply with Federal Financial Institution Examination Council recommendations a general controls review and intrusion test on the credit union’s Internet connection will be performed on an annual basis and a network penetration test once every three years or any time there is a major change in the credit union’s local area network configuration.

21


Effective Loan Review Program

• Loan review function must be independent of the lending function:– Loan review staff should not report to the

senior lending officer if this individual is also responsible for managing a portfolio of their own (i.e. loan quality control)

– Most credit unions have loan review staff report to the board, supervisory/audit committee, internal auditor, and/or the credit union’s chief lending officer or president

22



• Select a sample of loans to determine whether:– Sample should be in proportion to number and

balance of loans granted along with related risk• Annually should review at least 35% to 50% of the

total dollar amount of higher risk commercial and CRE loans

• Annually should review a sample of consumer loans (i.e. 50 to 100 loans)

– The related loan files contain the documentation required by credit union policy

– The loan documentation and note comply with credit union laws and regulations

23



– The loan is being administrated in accordance with the credit union’s loan policy and standard industry practices, for example:• Loans granted do not exceed policy concentrations• Site inspections and review of personal tax

returns/financial statements are performed on an annual basis as required by credit union policy for MBLs

– The risk rating assigned to the relationship is appropriate (MBL)• The review of consumer loans is focused on whether

the documentation in the loan file and the terms of the loan comply with the credit union’s loan policy.

– If evident, determine if the credit union’s underwriting policies and procedures are appropriate for risk

24


Indirect Lending

• Risks– Controls over auto system approvals

• Are parameters set too low and allow for ease of approvals by unqualified borrowers

• Income verification requirements• No or limited credit score data

– Controls over override controls• What is percentage of booked loans approved

by management• Is management approving all/most initial loan

cautions/denials – growth goals• Do you require dual approvals

25


Indirect Lending

• Risks– Concentrations

• With one/few dealers – kick-backs?• Approvals by one/few employees (over-rides)

– Qualifications for membership• Do these people qualify as members

– 100%+ financing and impact on equity• Do policies set limits for exposure on equity or

percentage of loans/assets

26


Indirect Lending• Impact on audit plan

– Do not test just for compliance with policies and procedures

– Concentrate on system or override flaws– Review charge-off/repossession files

• Evidence of power-booking– Are all items on invoice actually on auto

• Evidence of stated income over-statement– Test for compliance for:

• Concentrations• Qualifications• Exposures

27


Member Business Loans

Fundamentals are similar to other types of lending but:–More difficult financial analysis–More documentation is required–Higher risks to lender–Higher rewards to lender –Significant regulatory requirements

28



What Makes Business/Commercial Lending Different?– Underwriting/Loan officer knowledge

• The business is the applicant• The loan officer must understand the business

– Understanding source of repayment– Trend analysis, cash-flow projections, etc– Credit Risk much greater– Documentation requirements vastly

different– Follow-up and tracking– Regulations– Marketing

29



Is management monitoring the business lending program adequately? Key considerations: – Is the monitoring of the business lending

program formalized?• Written policy/procedures for performing the

oversight of the business lending program– Do the employees assigned to the

business lending program meet NCUA requirements with regard to skill and knowledge?

– What business lending reports are being monitored and by whom?

30



Key considerations: – Has a “watch list” process been

established?• Is it a formalized watch list program? • How were the watch list criteria determined?• Who is performing and who is monitoring and

challenging– Ongoing review and analysis of the

financial condition of the businesses for business loans• How is this being monitored?

– Audit work papers: Do they cover all pertinent audit criteria? (NCUA Examiners Guide)

31


Loan Participations

• Most loan participations are business loans

• Management should be monitoring these loans in similar fashion as their own business loans

• Many do not monitor as they should

32


Loan Participations

• Risks–Same risks typically like business

loans–Must monitor and document same

as business loans• Watch list

– Do not rely just on servicer as must do own independent analysis

• Financial analysis– Either do internally or evaluate servicers

analysis

33


Allowance For Loan Losses Calculation

• The credit union’s methodology for calculating the allowance for loan losses is in accordance with GAAP, is appropriate, considers all required elements, and follows policies and procedures

34



• We normally expect to see FAS 5 reserves for:– CRE loans - 1% to 3%– Residential RE loans – 0.5 to 2%– Adjust upwards or downwards (i.e. +/– 50 basis

points) for economic trends:• Quality of underwriting standards• Experience of lending staff• Local economic and real estate market conditions• Local unemployment• Etc

– Indirect auto loan portfolio to have higher loss ratio than direct auto programs

35



• For FAS 114 reserves we expect to see:– Specific reserves for all MBLs rated at

substandard or below– Residential RE loans specifically identified

• Delinquent• Modified• Those where LTV significantly above 100% and

borrowers credit score significantly dropped– Troubled debt restructured loans (TDRs)

36


ALLL

• Fundamental computation issues–Timeliness of loan charge-offs–Additional segmentation may be

needed–Need for consideration and

documentation of Q&E factors–Reserving for TDRs–Business loan risk rating

downgrades

37


Recent Issues w/ALLL

• Consumer loans–Still using short-term historical loss

rate• i.e. 12 months is standard• Consideration for some to go to 6 or 9

month based on recent trends– Be cautious

–No economic factor(s) addressed with rising loan delinquencies and/or charge-offs• Should have this documented to show

why you have or do not have present

38



• Real estate loans–Examiners want to see maximum

exposure in your portfolio• However cannot allow for all of this

exposure–Consider identifying where risk is in

portfolio and providing for those with high risk (i.e. LTV > 125%, current credit score declines by 100 or more, etc)

39



• Member business loans–No general reserves for performing

portfolio• Banks generally have 2-5%

– Inappropriate risk ratings• Expectation are to downgrade faster• Evaluate global debt service ratio• Evaluate expiring and remaining lease

terms/vacancy• Annual inspections

40



• Don’t forgot to prepare separate calculation for troubled debt restructured (TDR) loans:– Applies to all loans modified because the

borrower is experiencing financial hardship versus loans modified for competitive reasons

– Prepare a calculation of the net present value of the future cash flows due on the loans discounted using the loans original interest rate• Compare this net present value calculated amount to

the current unpaid balance of the loan to determine whether a TDR adjustment is needed

• Need to also apply an additional reserve to these TDR loans to account for risk that the borrower will default on the modified loan in the future

– Most common missed element of the allowance for loan losses calculation

41


Troubled Debt Restructurings (TDR)

• In April 2011, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update (ASU) No. 2011-02, Receivables (Topic 310): A Creditor's Determination of Whether a Restructuring Is a Troubled Debt Restructuring

• The ASU is effective for nonpublic entities, (including credit unions) for annual periods ending on or after December 15, 2012, and should be applied retrospectively to the beginning of the annual period of adoption

• The ASU was issued to help clarify what constitutes a concession and financial difficulty, in determining whether a restructuring is considered to be a Troubled Debt Restructuring (TDR)

42



• Clarification of Concessions:• Indicators that CU granted

concession:–Borrower does not otherwise have

access to funds at a market rate for debt with similar risk characteristics as the restructured debt

43



–More than insignificant payment delays, insignificant payment delays that do not constitute a TDR:• Amount of the restructured payments

subject to the delay is insignificant relative to the unpaid principal or collateral value of the debt and will result in an insignificant shortfall in the contractual amount due

44



• Delay of restructured payment period is insignificant relative to any one of the following:

– Frequency of payments due under the debt– Debt's original contractual maturity– Debt's original expected duration

45



• Clarification of Financial Difficulty:• Indications of borrower financial difficulty:

– Borrower may have financial difficulty even though not currently in payment default with the CU

– Borrower is currently delinquent on any of its debt (with or outside of the CU)

– Borrower has declared/declaring bankruptcy– Substantial doubt as to whether the borrower

will continue to be a going concern (MBL)– CU forecasts cash flows will be insufficient to

service existing debt for foreseeable future

46



– Without modification, borrower cannot obtain funds from other sources at the same rate as a non-troubled borrower

• ASU also clarifies that a CU can no longer use the effective interest rate test as defined in Accounting Standards Codification (ASC) 470-60-55-10 in determining whether a restructuring constitutes a TDR

47



• All loans that are part of a TDR are considered “impaired loans”– It is probable that the CU will be unable

to collect all principal and interest payments as scheduled in the original contractual terms

• Therefore to be allowed for under FAS 114

48



• Regulatory Reporting on TDR– Delinquency on TDRs will normally be

reported on the Call Report consistent with the original loan contract terms

– Return the restructured debt to full payment status after 6-month period of demonstrated ability to repay consistent with the restructured terms

49



• Risks– Lending and accounting do not talk

therefore could have many TDRs not identified

– TDRs not reserved for properly• Reserve for difference between cash flows

based on discounted present value of original vs modified terms

• Additional reserves for re-default• Collateral based loans reserve for difference

between estimated value of collateral less costs to sell compared to the loan balance

– Not reported properly as delinquent loans

50


Regulatory Compliance Matters

51


Compliance Hot Topics

• Fair and Accurate Credit Transactions Act (FACTA) – Red Flag Rules

• Credit Card Act Changes• Reg E – Opt-In Rules for Overdrafts• Courtesy Pay Programs• Reg Z - Open End Lending Rules• BSA/OFAC/AML• Secondary Mortgagee HUD Audit

Requirements

52


Thoughts on Internal Audit

• Ensure that tickler system is used to track resolution of findings and recommendations:– Did management implement the

recommendations by the dates they committed to?

– The board of directors should review all reports issued by internal audit and the tickler report (at least quarterly for the tickler report)

– Ensure that your internal auditor is looking at both the design of the control is adequate and whether the control in place is operating as intended• Is there an alternative control which would be more

effective (more likely to detect the error) or more efficient (less costly)

53


Thoughts on Internal Audit

– Internal audit should also periodically perform studies to look for profit improvement opportunities for the institution (i.e. staffing levels, the process used to price products and services, and performing a comparison of the credit union’s interest rates and fees to its competitors and peer group)• Effective internal audit programs can and should

bring value to you credit union!

54


IT Risk Assessment

• High Risk – Remote Deposit Capture– ACH– Social Media Sites– Insider Threats

• Medium Risk– Vendor Management, Network Support– Email/Internet

55


Examiner Hot Buttons

• Weak IT Audit Schedule– IT policies not tied to IT risk assessment

• Facebook/LinkedIn• Remote Deposit Capture

– Benefit to member but higher risk if controls not in place

• Vendor Controls• Not Enough BCP Testing• Repeat Recommendations

56

External IT Review

• What’s Included?– General Controls

Review– Internal Vulnerability

Testing– External

Vulnerability/ Penetration Testing

– Ongoing Support• Do IT Right

57

Industry Issues

• ALM – interest rate risk– Currently CUs are generally very liquid

• Deposit growth far outpaced loan growth leading to increased liquidity

• Have open LOC, however many have been reduced

58

Industry Issues

• ALM – interest rate risk– Future ALM concerns

• Those with long-term assets coupled with short-term liabilities will be high risk

• Future rising rate environment• Decrease in net interest margins• If margins decrease:

– Where will earnings come from?– Industry already performed severe operating

cost cut-backs over past year(s)

59

Industry Issues

• ALM – interest rate risk– Does your credit union have a formal

established ALCO and is it meeting– Is management monitoring and

reporting this risk on at least quarterly basis• Shock balance sheet +/- 300, 400, 500

basis points– Should be used to measure:

• Interest rates offered• Concentrations of assets (long vs short

term)• Establish limits to reduce exposure

60

Industry Issues

• ALM – interest rate risk– Should have established policies and

procedures– Is management maintaining balance

sheet in according with these policies and procedures

61


REO

• Definition– Real estate acquired by a lender in whole

or partial satisfaction of debt owed• Typically through foreclosure or deed in lieu of

foreclosure, and• Held in inventory until sold

– REO does not include real property held for own business use or expansion

– Foreclosure means termination of all rights of a mortgagor or grantee in the property

62


REO

• How reported under GAAP:–Recorded at fair value less costs to

sell at the time of foreclosure• Typically current appraisal less 10%

costs to sell• Costs to sell are: broker commissions,

legal and title transfer fees, and closing costs

63


REO

• How reported under GAAP:– Initial write down (loss) posted

through the ALLL – loan charge-off–Reclassified from loans to foreclosed

(other) assets–After foreclosure each property must

be carried at the lower of (1) fair value less costs to sell or (2) cost

64


REO

• How reported under GAAP:– Management must evaluate the unsold

properties and determine if further write down to occur (further deterioration of properties value)

– Costs to retain (holding costs) – must be expensed as incurred• Property taxes• Utilities• HOA fees

65


REO

• How reported under GAAP:– Costs to improve property

• Capitalize only if increase sales value (new roof)

– Costs to finish construction• Capitalize up to fair value less costs to sell• Any costs above that must be expensed

– If rented during holding period• Recognize income on rental as operating

income (similar to renting own building)

66


REO

• How reported under GAAP:–Selling of foreclosures

• If loss report as non-operating loss• If gain – 5 possibilities for treatment

dependant on type of sales contract– Full accrual, installment, cost recovery,

reduced profit, and deposit– Most gains will be recognized immediately

as non-operating gain

67


REO

• Financial Statement Risk– Valuation

• Not written down to proper value• Overstating assets and understating

losses• Appraisal/BPO should not be more than 90

days old• Subsequent measurement if property not

sold– New appraisals or BPO needed

68


REO

• Financial Statement Risk– Classification

• Not reclassified to foreclosed assets– Overstating loans and understating other

assets/ foreclosed assets• Subsequent gains/losses posted through

ALLL vs. operations– Improper classification on income statement

• All expenses posted as operating expenses

69


REO

• Other Risks–Protection of Assets

• Segregation of duties– Approval of foreclosures– Tracking of REOs

» Are all REOs identified and listed– Maintenance of REOs and contracts– Sales of REOs

» Who sets and approves prices» Arms length transactions

70


REO

• Other Risks–Protection of Assets

• Additional loss when not warranted– Damage to property when holding– Selling at lower than market rates – fraud?– Contract approvals – to family/friends –

fraud?– Did CU file insurance claim for PMI for

losses• Title in CUs name• Property taxes and imsurance current

71


REO

• Internal Controls–Policy and/or procedures in place–Proper accounting in place–Proper tracking/monitoring of status–Marketing efforts to sell

72


REO

• Internal Controls–Proper segregation of duties over:

• Approval of foreclosure• Tracking and reporting of assets• Monitoring of title, taxes, insurance• Contracts going to bid• Acceptance of sales price

73


Questions

74


Thank You!

Bryan W. Mogensen, CPA

Clifton Gunderson LLP

602-604-3551

ACUIA May 16, 2011 Risky Business: Risk Assessment at the Audit Level Bryan W. Mogensen, CPA,...

Documents

Transcript of ACUIA May 16, 2011 Risky Business: Risk Assessment at the Audit Level Bryan W. Mogensen, CPA,...