To survive a consent order as an internal auditor, rely on strategy

Gary W. Lindsey, Shannon Moskal
3/31/2021
When your financial services company receives a consent order or other enforcement action, it can be a heart-stopping experience, especially if it’s never dealt with anything similar before. Beyond the fines and penalties, the process of getting the order lifted often goes on for years, and the resources required for that process only add to the total cost.

The key to a successful consent order remediation and validation process involves creating a detailed, comprehensive strategy and staying on course.

When a consent order hits, internal audit often bears a heavy burden.

When your organization is under a regulatory consent order, you can expect everyone involved in the validation and remediation process to rely heavily on your internal audit (IA) team. IA serves as an important communication and remediation touchpoint for both the board and the regulators during this critical process. For the board, internal auditors will need to monitor, test, and validate that management is complying with the company’s obligations under the order. Meanwhile, regulators will expect internal auditors to make sure the business honors all commitments in a timely, sustainable manner.

Very often, internal audit not only has to test and validate the remediation of the consent order, but it also receives criticism within the order. After all, if issues rose to the level of an enforcement action without being identified by the organization’s internal controls, then underlying weaknesses might have contributed to the problem.

If the consent order identifies issues in IA, your internal auditors will need to develop a plan to remediate the concerns. This plan should lay out how you will address each area of concern and how you’ll sustain the fixes in your ongoing internal controls.

In addition to this plan of corrective action, your internal audit team will need to create another plan that outlines how the organization will monitor, critically challenge, and ultimately validate the business team’s progress toward fulfilling the consent order requirements. To accomplish this task, you need to put in place the processes, resources, and logistics to test the remediation work that the rest of the organization is doing.

On top of all this, you’ve still got to deal with IA’s normal audit responsibilities, which can’t fall by the wayside. Essentially, your internal audit team now has two jobs: meeting your organization’s ongoing internal auditing requirements and validating compliance with the consent order. IA teams can quickly become overwhelmed in the churn that follows.

Managing the weight of a consent order starts with formulating a detailed plan.

As soon as your internal audit team knows about a consent order, you should begin developing the strategies and methodology that can help you manage the additional work. Your audit committee and senior IA leadership, working together, will need to outline the additional internal audit responsibilities and create a plan that incorporates those obligations. Regulators also will want to see that you’re testing the remediation efforts regularly throughout the life of the consent order.

Some of the remediation actions addressing the consent order might fall within the scope of regularly scheduled IA testing. But even then, it’s likely that your scheduled testing won’t move at the aggressive pace that’s required under a consent order. So, your strategy needs to consider the increased testing pace at each step of the process.

Make sure your plan addresses every aspect of the consent order and meets the regulator’s requirements.

Your strategic response to a consent order should consider the following actions:

  1. Examine your internal audit processes and determine necessary enhancements that will enable your IA work to pass regulators’ requirements as outlined in the consent order and fulfill regulatory expectations going forward.
  2. Build a detailed internal audit plan that allows for the testing, critical challenge, and validation of corrective action for each of the various sections and subsections of the consent order (this step might need to happen concurrently with step 1). Remember to account for sustainability testing. You’ll have to test your controls for operational effectiveness over a few months or more, even if the consent order seems to call for a one-time corrective action.
  3. Design the reporting templates and workpapers your regulators will receive. Regardless of which agency issued the enforcement action, regulators will have specific structural requirements for reporting that most likely differ from your typical reporting practices. So, you’ll need to design new reports and workpapers that match regulators’ requirements exactly.
  4. Set up a team with the resources and management structure you need to follow through on the internal audit plan. You can carve out resources from your existing internal audit team, but that might not be enough to manage all the validation activities required. So, you might need to hire additional personnel or connect with a third party who can provide auditing, remediation, and validation services.
  5. Map out the communication processes that will let the team handling ongoing IA responsibilities coordinate with your dedicated consent order validation team to minimize disruption on both sides.
  6. Create an internal audit plan timeline that aligns the internal audit plan you submitted with the deadlines you’ve received from regulators.
  7. Execute the internal audit work as described in your plan and according to your timeline.

There is no sugarcoating the situation under a consent order: Remediation and validation is a massive undertaking. Most importantly, you need to work closely with both your business team and the regulators as you build your strategy. Every consent order is different; the regulators most likely will outline specific remediation and reporting requirements, and your organization will need to comply.

Consent order remediation and validation fails when your organization gets caught up in the whirlwind.

During the tornado of activity and emotion that follows a consent order, your internal audit department will need to make a lot of critical decisions in quick succession. As an internal audit director or chief audit executive, you need to think through:

  • How your business team is responding to the order
  • What your regulators are asking for
  • How you’ll continue to fulfill the multiple auditing responsibilities that are now required of you

If your IA team only focuses on testing and execution without a long-term strategic vision, you’ll struggle to manage the complexity of the consent order remediation and validation process. And that’s when we see financial services companies stuck under consent orders for years without moving any closer to a resolution.

Let’s connect

Don’t let a consent order overwhelm you and set you adrift. Crowe has helped financial services companies of all sizes successfully navigate consent orders, and we know how to bring calm to the chaos.
Gary W. Lindsey
Principal, Consulting
Shannon Moskal
Principal, Consulting