When your organization is under a regulatory consent order, you can expect that everyone involved in the validation and remediation process likely will rely heavily on your internal audit (IA) team. IA serves as an important communication and remediation touchpoint for both the board and the regulators during this critical process. For the board, internal auditors will need to monitor, test, and validate that management is complying with the company’s obligations under the order. Meanwhile, regulators will expect internal auditors to make sure the business honors all commitments in a timely, sustainable manner.
Very often, internal audit not only has to test and validate the remediation of the consent order, but it also receives criticism within the order. After all, if issues rose to the level of an enforcement action without being identified by the organization’s internal controls, then underlying weaknesses might have contributed to the problem.
If the consent order identifies issues in IA, your internal auditors will need to develop a plan to remediate the concerns. This plan should lay out how you will address each area of concern and how you’ll sustain the fixes in your ongoing internal controls.
In addition to this plan of corrective action, your internal audit team will need to create another plan that outlines how the organization will monitor, critically challenge, and ultimately validate the business team’s progress toward fulfilling the consent order requirements. To accomplish this task, you need to put in place the processes, resources, and logistics to test the remediation work that the rest of the organization is doing.
On top of all this, you’ve still got to deal with IA’s normal audit responsibilities, which can’t fall by the wayside. Essentially, your internal audit team now has two jobs: meeting your organization’s ongoing internal auditing requirements and validating compliance with the consent order. IA teams can quickly become overwhelmed in the churn that follows.