Both ineffective and inefficient, management review controls are an impediment to a growing financial institution. As an audit team serving financial institutions, we get to see a variety of our clients’ internal control frameworks. Some have been in place for 50 years and others, at fast-growing, newer companies, are still maturing into a comprehensive control framework. While there is some variability in how controls are documented, we’re continually surprised that each of our clients has almost exactly the same controls. We’ve always considered this to be a function of the following attributes:
- Groupthink: More than most other industries, financial institutions are cross-pollinators. Members of management take experiences from one employer to another, and much of their training is received from industry groups or consultants that also have perpetuated a “status-quo” mentality.
- Service provider limitations: The consolidation of technology processing systems has limited the ability of individual institutions to challenge the status quo.
As such, many rely heavily on management review controls (MRCs), which are almost always detective controls executed by staff to ensure their financial reporting is accurate.
An example of an MRC is the process by which a staff member verifies all critical changes to loan accounts are authorized and accurate. This control detects errors or unauthorized changes made by loan processing or operations teams during the loan boarding and maintenance processes. While this process is prevalent at all of our clients, it’s inherently flawed for the following reasons:
- System reports: System maintenance reports are often clunky and voluminous. These standard reports were designed by the core system providers to present all customer account-level changes, regardless of importance, which proves very challenging to use as organizations grow.
- Custom-built reports: Many clients have developed reporting on account-level changes using secondary report-writing software. While such workarounds exist, they create a significant burden on system administrators, who must ensure the customized reports are complete and accurate and must tailor and retest them every time changes are made to products or services.
- Human error: This process requires an employee to (1) understand what he/she is responsible for reviewing, (2) research whether each change was authorized and accurate, and (3) document his/her review. We identify many errors in both the execution and documentation of those three responsibilities of the control operator.
The solution is preventive application controls
The systems used by financial institutions are incredibly sophisticated software platforms and, yet, most financial institutions haven’t effectively controlled the ability to input or modify information that impacts financial reporting. Many institutions justify this lack of system control because they fear customer experience may be impacted. We can hear a chief operating officer say, “I can’t restrict the ability to change customer information because we have some customers that don’t use online banking.” Our response to that statement is, “Well, have you considered restricting bank-employee access to make changes to customer information for customers that do use online banking?” At a minimum, you’d have fewer changes that would require management review. If all customer account changes were required to be made by customers, you’d completely remove the risk of internal fraud related to this process and further justify the investments many have made in customer fraud detection systems. There are endless examples of application controls you could implement to reduce the risk of failure of MRCs; however, it’s up to bold management teams to sit down and consider what they could do to improve their internal control systems. There will always be a need for certain MRCs within a strong internal control system, but the degree of reliance upon such controls hasn’t kept pace with changes in business operations and technological investments.
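To make the contrast concrete, here is an added illustration (our own constructed example, not code from any core banking system) of the preventive control described above beside the detective MRC it is meant to shrink: employee changes to online-banking customers are rejected at input time, employee changes to other customers require an authorization on file, and the MRC reviews only what actually reached the maintenance log. Account numbers, user ids, form references and the enrollment flag are all constructed.

```python
# Constructed illustration: a preventive application control on customer
# account-maintenance changes next to the detective management review
# control (MRC). Accounts, users and form references are made up.
from dataclasses import dataclass
from typing import Optional

CUSTOMERS = {  # constructed master file: online-banking enrollment flag
    "C100": True,   # enrolled: only the customer may change their own data
    "C200": False,  # not enrolled: employees may change it with authorization
}
AUTHORIZED_FORMS = {"FORM-7781"}  # constructed signed change requests on file

@dataclass(frozen=True)
class Change:
    account: str
    field: str
    actor: str                      # "customer" or an employee user id
    auth_ref: Optional[str] = None  # reference to a signed authorization

def preventive_control(change: Change) -> tuple:
    """Runs at input time; a rejected change is never written to the core."""
    enrolled = CUSTOMERS.get(change.account)
    if enrolled is None:
        return False, "unknown account"
    if change.actor == "customer":
        return (True, "self-service") if enrolled else (False, "no online banking")
    if enrolled:
        return False, "employee changes blocked for online-banking customers"
    if change.auth_ref in AUTHORIZED_FORMS:
        return True, "employee change with authorization on file"
    return False, "employee change lacks authorization"

def apply_changes(changes):
    """Only accepted changes reach the maintenance log the MRC reviews."""
    return [c for c in changes if preventive_control(c)[0]]

def mrc_review(maintenance_log):
    """Detective control: employee changes without a matching authorization."""
    return [c for c in maintenance_log
            if c.actor != "customer" and c.auth_ref not in AUTHORIZED_FORMS]

SAMPLE = [  # constructed day of maintenance activity
    Change("C100", "address", "customer"),
    Change("C100", "phone", "emp_jdoe"),                # blocked up front
    Change("C200", "address", "emp_jdoe", "FORM-7781"),  # authorized
    Change("C200", "email", "emp_asmith"),              # no authorization
]

if __name__ == "__main__":
    print("MRC exceptions without preventive control:", len(mrc_review(SAMPLE)))
    print("MRC exceptions with preventive control:",
          len(mrc_review(apply_changes(SAMPLE))))
```

Run against the same day of activity, the MRC alone surfaces two exceptions after the fact, while with the preventive control in place both never reach the log and the reviewer has a single authorized employee change to look at.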
Successful identification and implementation of preventive application controls can really move the needle in the following ways:
- More timely, reliable financial reporting: Errors won’t go undetected, and the processing time for corrections made as a result of MRC findings is eliminated.
- Ability to scale operations: Removing some of the “process” within the production cycle allows financial institutions to scale without making additional investments in human capital.
As described above, there’s a strong case to be made that the implementation of automated application controls will positively impact the reliability of information and improve the bottom line. Management teams certainly need to weigh the benefits against some challenges, which will be created through the limitation of flexibility and potential impact to customer experience.
Don’t take our word for it. Here’s what the Institute of Internal Auditors says: “One of the most cost-effective and efficient approaches organizations use to manage [transactional] risks is … the use of controls that are inherent or embedded (e.g. three-way match on account payable invoices) into transaction support applications as well as controls that are configurable (e.g. accounts payable invoice tolerances).”
We encourage all financial institutions to recognize where they are reliant on MRCs and challenge their operations teams to identify where application controls could be developed to render certain MRCs obsolete. If your team needs help systematically reviewing your business processes, we can assist. Our team of cybersecurity and IT auditors is uniquely qualified to challenge the “status quo” to modernize your key controls and empower you to grow your financial institution profitably.