MetaGovernance has worked extensively with government-sponsored entities (GSE) and commercial banks in remediating adverse examination and audit findings such as MRA. We find that a lack of data visibility and awareness of the true source of data is a common root cause. You can’t fix what you can’t see.
There are several different types and severities of adverse examination or audit findings. The Federal Housing Finance Agency (FHFA) provided a classification of Adverse Examination Findings in the Advisory Bulletin AB 2017-01. In this bulletin, they outline Matters Requiring Attention (MRA) that are prioritized based on severity. The most serious is called Critical Supervisory Matters which pose substantial risk to the safety and soundness of the regulated agency. Lesser infractions are categorized as deficiencies, recommendations, or violations.
The Securities and Exchange Commission (SEC) provides similar guidance in the form of scenarios that explain the differences between Significant Deficiency and a Material Weakness. A Significant Deficiency is less severe than a Material Weakness as it is unlikely to have a material impact on a company’s financial statement.
In many cases negative findings are a board-level problem threatening the reputation of the organization. It’s also costly. External audit fees can escalate upon closer examination, both immediately and for future monitoring several years out. Investors might lose confidence in the integrity of financial reports. The organization may face higher Directors and Officers (D&O) insurance. In extreme cases a company may also see its cost of funds increase to compensate for higher perceived risk.
The common approach to dealing with adverse examination and audit findings is to create a risk management framework for prevention, notification and remediation. Accounting and Risk Management (ARM) firms provide these consulting services, working directly with the client’s auditor, examiners and business units. Solutions from ARM firms include process reengineering and enhanced controls often driven by new rules and operating systems. However, this exercise alone will not solve your data visibility problem which typically lies outside the scope of business process improvement projects.
So how does MetaGovernance identify and fix the problem? It doesn’t have to involve a lot of heavy lifting. We prefer to use a fulcrum, defined as a “thing that plays a central or essential role in an activity, event or situation.” A proper fulcrum delivers the maximum benefit with the least force. For MetaGovernance clients, talking to the data is the fulcrum that reveals this true state, achieving total visibility and awareness of the source and definition of data used in financial reporting.
The best way to explain how this works is by example. We were working with a client organization that faced a complex remediation project involving multiple adverse findings. Business units, along with their internal and external auditors had spent years and millions of dollars defining and implementing operational process and Sarbanes-Oxley (SOX) control frameworks. Yet they continued to experience control failures due to overreliance on spreadsheets and uncertainties in the data. The client needed a set of fresh eyes to help diagnose the problem.
We immediately looked to the data and quickly determined the true system of record. We also followed the flow of data from the source to the reports being generated. In reality spreadsheets became the system of record and controls bypassed updates made outside of production systems. As a result there were discrepancies in data sourcing, even among staff who worked in the same departments. Some of the reports were verifiable while others were not. The client now knew why.
Once the problem was uncovered, we proposed permanent solutions that were integrated within the existing frameworks already in place. The data helped us to identify the problem. The fulcrum we used was a system of automated data controls.
A risk management framework is essential to maintaining the value and reputation of an organization. The majority of companies are having to retrofit their existing rules, procedures and reporting systems. A key element not to be overlooked in this process is ensuring data integrity across the enterprise.
You can fix what you can see. Our approach to risk management is designed to identify and solve the right problems. It all starts with talking to the data.