Are Fintechs Regulator Ready? Part II: Internal Audit

As fintech companies move toward an application for an OCC charter, they will need to review their internal audit department to ensure it meets the requirements in 12 CFR 30 Appendix A, which states the institution should have an internal audit system that is commensurate to the size of the institution, nature and scope of its activities and that provides for adequate monitoring of the system of internal controls through an internal audit function.

In the instance where institution whose size, complexity or scope of operations does not warrant a full-scale internal audit function, a system of independent reviews of key internal controls may be used along the following dimension:

• Independence and objectivity;
• Qualified persons;
• Adequate testing and review of information systems;
• Adequate documentation of tests and findings and any corrective actions;
• Verification and review of management actions to address material weaknesses; and
• Review by the institution's audit committee or board of directors of the effectiveness of the internal audit systems

In many less regulated companies, internal audit is considered an essential element of the check and challenge environment. However, the structure and rigor of internal audit takes on a higher level of scrutiny in entities with banking charters in reference to audit coverage, documentation, reporting structure and methodology.

Since the financial crisis regulatory pressure on internal audit has increased. It is now not uncommon for regulators raise an issue, often called a Matter Requiring Attention (MRA), with audit after they have raised an MRA with a business unit. Through this action the regulator is really asking audit, “Why didn’t you catch this?” Many times, audit will need to conduct a review, or post mortem, to determine if they had coverage of that area and, if they did, why the issue was not identified. Audit will then need to document and report back to the regulator about the findings.

The regulatory expectation for banks requires that all controls be considered in scope and that high-risk auditable entities be tested annually versus most corporate internal audit departments, which generally use a three- to five-year audit cycle, where high risk controls are tested only every 36 months. Furthermore, those departments also may not even cover all the controls within the entity, with low risk controls being scoped out completely. Additionally, it is generally the chief auditor who modifies the audit plan with the approval from the audit committee. Under the new regime the failure to fully complete your audit plan for the year will most certainly bring a heightened level of regulatory oversight.

Over the past few years, regulators’ documentation expectations have increased. Regulators also expect all findings, whether positive or negative, to be fully documented. Auditors can be criticized for not sufficiently documenting passing opinions, as well as critical ones. Regulators carefully review audit ratings and can be critical if they believe audit has not rated the audits appropriately.

Regulatory expectations are that the chief auditors report directly to the audit committee and administratively to the CEO. In some corporate structures the chief auditor reports administratively to the CFO; regulators would generally find that structure violates the “Independence” requirement in Appendix A.

Finally, banking regulators focus on the process in which the audit department operates, and that needs to be fully documented and demonstrated. Regulators will expect a risk-based system that is commensurate with the size and complexity of the organization. As the entity gets larger and the risks become more complex, regulators expect the audit department’s methodology to grow and evolve to meet those challenges.

Some fintech companies may have well defined and highly sophisticated audit departments, while others may have departments more consistent with a regular corporate environment. In either situation, management will need to ensure the department has the audit cycle, documentation, reporting structure and methodology that can pass regulatory scrutiny. The OCC expectations for audit are high.