Bank regulators issue Matters Requiring Immediate Attention [1] and Matters Requiring Attention or Matters Requiring Board Attention [2] (collectively referred to as MRAs) to financial institutions (FIs) to communicate supervisory concerns—such as a deviation from sound governance, internal controls and risk management principles, and/or noncompliance with laws and regulations—identified through the supervisory cycle.
In response, regulators expect bank management to implement corrective actions promptly and effectively to address the issues contained within each MRA. If bank management fails to address supervisory issues adequately, the bank’s regulatory rating may be downgraded and/or enforcement actions may be issued.
Subsequently, internal audit (IA) needs to assess the design and operating effectiveness of the corrective actions taken to determine whether the issue has been remediated and can be presented to the regulators as validated.
Develop an Action Plan
It is important for senior management and the board of directors to create a well-developed action plan that accomplishes the following:
- Addresses the concerns identified within an MRA, a report of examination or an enforcement action issued by the regulators
- Documents the corrective actions that will be implemented, identifies accountability and creates a time frame for addressing the corrective actions
- Easily discerns/tracks progress related to addressing the action items, contains notes/pertinent comments and identifies “off-track” action steps
More specifically, an action plan typically includes detailed action steps; key milestones; responsible parties; target start/completion dates; status, including a current status indicator (e.g., off track, at risk, on track); deliverables; and a notes/comments section to capture additional, relevant information.
Tracking and periodic reporting of action steps through completion helps prevent surprises or delays and keeps senior management and the board informed of progress, allowing them to oversee and manage the process effectively. Throughout the remediation process, management should ensure the following:
- Processes, activities and/or controls have been appropriately designed
- Processes, activities and/or controls are operating as intended and are sustainable (i.e., multiple cycles of a process, activity or control have occurred and the results are in line with expectations)
- Adequate documentation is maintained to support the actions taken
Test Design and Operating Effectiveness
Once management develops its action plan and implements the associated corrective actions, IA or another independent internal/external resource (collectively referred to as IA throughout this document) should validate the design of the corrective action. In addition, IA should validate the corrective action’s operating effectiveness, including whether the action is sustainable. Given the consequences of noncompliance and the increased regulatory focus on IA and its related processes, it is critical to develop a comprehensive validation test plan based on a documented and well-defined validation structure.
In order to validate that a corrective action has been adequately addressed, IA must typically test the design as well as operating effectiveness of the actions taken by:
- Evaluating whether the documented action plan was comprehensive and implemented and, if not, whether there is documentation to explain/support any modifications
- Reviewing all the steps taken and all supporting documentation gathered
- Performing sample testing as necessary
- Thoroughly documenting the actions taken, including all supporting work papers/documents, to substantiate effective implementation
When testing design effectiveness, IA must assess whether the corrective actions taken:
- Were in line with the documented action plan steps
- Identified the updated/new documentation, processes, systems and controls implemented to correct the identified deficiencies
- Were developed in line with regulatory requirements and expectations as well as documented policies/procedures, and whether all supporting documentation (e.g., associated communications, approvals and/or training records) was maintained
From an operating effectiveness standpoint, IA must assess whether controls are operating as designed and whether the controls are sustainable. This would generally require IA to perform sample testing of the controls (risk-based and consistent with its documented sampling methodology) and obtain documentary evidence that the enhanced controls are working as intended. Potential test procedures could include conducting direct observation (e.g., walk-throughs) of the control activity; inspecting supporting documentation (e.g., amended policies and procedures, meeting minutes); selecting a judgmental or statistical sample of the newly implemented processes/controls over multiple cycles of activity (e.g., generally three months at a minimum if the process/control is performed monthly); and thoroughly documenting the rationale supporting the operating effectiveness of the corrective actions taken.
As the regulators have placed an increased emphasis on assessing the entire validation process, it is important for IA to capture all the validation test plan activities it has conducted comprehensively and consistently as well as maintain all supporting documentation, not just the end result of the validation.
Validate the Remediation Activities
Once management confirms that corrective actions have been fully addressed, either during the remediation process or upon completing the entire validation test plan process, IA should be formally notified. Once notified, IA typically allocates up to 90 days to assess the design and/or operating effectiveness of management’s remediation efforts and corrective actions. Therefore, it is critical that management and IA establish a well-developed process to communicate when an MRA is ready for partial or full IA validation activities to commence. This process should consider how questions should be asked/additional documentation should be requested, how answers/additional documentation will be provided and how a validation/nonvalidation decision will be communicated from IA to management.
In validating MRA remediation activities, IA typically takes one of three approaches. IA can:
- Validate design effectiveness first, starting with each individual subtask or action item associated with a corrective action as it is deemed complete by the business
- Validate design effectiveness first, but only after all associated subtasks or action items have been deemed complete by the business
- Validate the overall completed remediation after both the design and the process have been implemented and have undergone multiple cycles of activity to demonstrate operating effectiveness
In past experience, each of these approaches has been deemed acceptable by regulators. However, banks typically select the first or second option, even though they can initially be more expensive and time consuming. These approaches enable the bank to identify and correct issues in a more timely manner and, in the long run, can provide substantial time and cost savings if issues are identified and corrected in the design phase.
Regardless of the approach used during the validation process, ensuring the design and operating effectiveness of the new processes, controls and activities is critical in determining whether corrective actions are fully implemented. Ultimately, each action item must be validated for its design or operating effectiveness to be deemed effective. If the design and/or operating effectiveness are deemed ineffective (i.e., the validation is failed), the issue should be reopened and management should address only those aspects of the corrective action that failed (i.e., there is no reason to go back and revalidate the action items/subtasks that have already been validated). Corrective actions are generally deemed fully addressed once the documented remediation plan has been implemented, all remedial actions are operating as intended and IA has validated them. Some institutions utilize an IA quality assurance function to perform an additional review prior to signing off on IA’s validation report.
The validation concepts discussed above provide a road map for an FI to ensure its MRA corrective actions are designed reasonably to meet regulatory requirements/expectations and “hold up” to examiner scrutiny. By implementing this approach, management and IA can work collaboratively to implement, assess and validate management’s response to corrective actions. Further, an FI can demonstrate to senior management, its board and regulators that each corrective action designed to address an MRA has been subjected to a rigorous process and effectively addressed, documented to support the remedial activities conducted, assessed for sustainability and fully validated by an independent party. Doing so should enable senior management and the board to spend more of their time and energy focusing on customers, employees and stakeholders and managing the bank’s reputation, revenue and regulatory standing.
The authors would like to thank Deloitte Risk & Financial Advisory’s Linda Chang for her contributions to this piece.
[1] “Supervisory Considerations for the Communication of Supervisory Findings,” Board of Governors of the Federal Reserve, https://www.federalreserve.gov/supervisionreg/srletters/sr1313a1.pdf
[2] “Report of Examination Instructions,” Federal Deposit Insurance Corporation, https://www.fdic.gov/regulations/safety/manual/section16-1.pdf