Board Report: 2014-FMIC-B-014 September 30, 2014
The FMI Oversight group uses a risk-based planning process, as well as the PSR policy and Reserve Bank Financial Services operating circulars, for guidance when assessing wholesale financial services. However, the wholesale oversight team within the FMI Oversight group does not have comprehensive formal policies and procedures that guide the execution and documentation of its onsite review of wholesale financial services. We found that a small percentage of onsite review documentation was incomplete, and we noted a few instances in which the reviewer indicated that he or she did not understand what a review step meant. In addition, we generally did not see indications of a second-level review of onsite review documentation. The Standards for Internal Control in the Federal Government, issued by the Comptroller General of the United States, offers guidance related to documenting and supervising oversight activities and lists policies and procedures as control activities that enforce management’s directives. Additionally, the Internal Control—Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO),13 discusses policies and procedures as control activities to establish clear responsibility and accountability. While the FMI Oversight group has begun to formalize procedures, comprehensive formal policies and procedures are not yet available because the group’s enhanced review process is still evolving and the group had limited resources to support a formalization effort. We did not note any deficiencies regarding the efficiency and effectiveness of the FMI Oversight group’s onsite review activities; however, we believe formal written policies and procedures would help promote the quality and consistency of oversight and ensure that new staff members understand and meet their responsibilities more quickly. Further, incorporating guidance from the Standards for Internal Control in the Federal Government into a more formalized process, as appropriate, may yield benefits, including standardizing information capture to build institutional knowledge, refining subsequent onsite review activities, and enhancing support for findings.
The FMI Oversight group has informal procedures for review processes, and it uses policies such as the PSR policy and operating circulars to guide its review work and related assessments; however, the team does not have comprehensive formal policies and procedures that describe procedural steps for conducting the onsite review of wholesale financial services. The wholesale oversight team members provided us with the templates used for onsite examinations and were able to explain to us the informal process for the use of onsite documentation and for the selection of a subject-matter expert for a review, but they could not provide comprehensive formal procedures.
When conducting onsite reviews of wholesale financial services, the wholesale oversight team within the FMI Oversight group completes documentation, which includes interview guides and write-ups from interviews and meetings with WPO management, sample testing results for Wholesale Operations Site operations, and templates with various work steps. While work steps in the templates describe the onsite review activities to be completed, the team does not have written formal guidance for completing, maintaining, and approving those templates.
For our audit, the FMI Oversight group provided us 59 documents associated with the 2011 and 2012 wholesale financial service onsite reviews. Templates accounted for slightly less than one-third (18) of the 59 documents. We found that 8 of the 18 review templates were incomplete; there was no documentation to evidence that 37 of the 179 review steps included in these 8 templates were completed by an analyst. We also identified documentation for a few of the tests conducted during the 2011 review in which the analyst responded to a work step with an explanation that he or she did not understand what the work step meant. We did not find these issues with the remaining 41 documents. However, we did not see any indication of a system of formal second-level review for onsite review documentation, and we were unable to find records or evidence to support that a second-level review of the onsite review documentation took place.
The Standards for Internal Control in the Federal Government lists policies and procedures as control activities. Control activities are an important tool for ensuring that actions are taken to address risks that occur at all levels, and they include a wide range of diverse activities, such as approval, authorization, verification, and maintenance of records showing appropriate documentation. The Standards for Internal Control in the Federal Government states that policies and procedures ensure an entity’s accountability for achieving effective results. It further states that management is responsible for developing the detailed policies, procedures, and practices that are built into the agency’s operations. Additionally, the COSO framework discusses policies and procedures as control activities and states that policies establish what is expected and procedures put policies into action. Although the COSO framework acknowledges that unwritten policies can be effective in certain environments, it cautions that unwritten policies and procedures can be easier to circumvent and can be costly to the organization if there is turnover in personnel.
According to the FMI Oversight group, the group does not have a formal process for onsite review documentation or internal requirements for a second-level review of the documentation. The FMI Oversight group stated that its workpapers are used to inform and document the review write-up. FMI Oversight officials further explained that the incomplete steps we found were not applicable to the specific review procedures being conducted at that time. An FMI Oversight staff member stated that certain tests may not have made sense once the review team was onsite at the bank, and thus the reviewer may have left the work step blank or written that he or she did not understand the meaning of the work step. FMI Oversight group management also stated that the team has numerous meetings during and after the onsite review to ensure that needed work was performed during the review and to examine and verify any observations.
The FMI Oversight group has begun to establish procedures that include a working draft of an overview document of recurring responsibilities within the FMI Oversight function. According to an RBOPS official, the FMI Oversight group is currently defining policies and procedures. The ongoing evolution of review procedures and limited staff resources prevented the FMI Oversight group from formalizing all its policies and procedures. An FMI Oversight official stated that the group’s goal was to start formalizing policies and procedures in 2014.
While we recognize that RBOPS is not a traditional audit organization, we believe that the FMI Oversight group can improve its oversight by enhancing and formalizing its policies and procedures. Written policies and procedures specific to the oversight of wholesale financial services, including formalized review documentation procedures, can help ensure consistency within the team throughout the review process and in ongoing monitoring. Additional benefits include helping new staff to understand and meet their responsibilities more quickly. Further, we believe that a formal process that incorporates a second-level review of workpapers could ensure the completeness, quality, and consistency of work performed and concrete support or evidence for the review findings.
We recommend that the Director of RBOPS
The Director of RBOPS generally concurs with this recommendation. In her response, the Director noted that RBOPS is not a traditional audit organization and does not derive its oversight practices from conventional audit standards. The Director stated, however, that RBOPS agrees with the benefits associated with enhancing its oversight procedures and has initiated efforts to augment existing procedures and, if necessary, develop new procedures that guide its onsite reviews of wholesale financial services.
We believe that the actions described by RBOPS are responsive to our recommendation. The OIG intends to follow up on RBOPS’s actions to ensure that the recommendation is fully addressed.
