Are Audit, Compliance, and Policies and Procedures analysts looking at everything? Are they looking at the right things?

A couple of instances came to mind that inspired me to write about this subject. I thought it to be of utmost importance in this new age of compliance, AML, stratospheric fines, and the vast amount of regulatory changes and developments that have occurred in the past 14 years, starting with the PATRIOT Act.

The financial institution that I was working for at the time had just implemented a project to review every client relationship in its entirety for KYC, and to satisfy regulatory KYC and AML standards. Additionally, they wanted to take the client screening to a level above what other financial institutions were doing, not only to cover themselves but in anticipation of further regulations that were likely to occur as a result of this project, which federal regulators were observing.
The first instance was a result of not understanding the complex structure and operation of private equity. As most policies for KYC and AML state, it is necessary to trace the revenue stream and identify the owners up to a certain percentage, or to establish that no single entity or natural person owns more than the percentage ceiling.
For a standard corporation this makes perfect sense and is somewhat easily obtained. So the breakdown was:

Policy matches regulations
Procedures allowed the systematic obtaining of this information, and ownership is identified up to X%.
Compliance reviews it and determines that all of the policies have been followed, all regulations have been followed, all information regarding the ownership was obtained, and the flow of assets, real and monetary, as well as liabilities, has been identified according to policy and regulation. Full risk analysis and all proper screening have been completed, and the review is approved and complete.
Audit reviews the completed process and determines that the process has been completed according to policies, procedures, and regulatory guidelines.
According to the above scenario all seems OK, but this is where the questions "Are you looking at everything, and are you looking at the right things?" come into play, and the answer is no.
There is a laundry list of reasons, but I will only touch on 2 major points that would be enough to stop the review before it even started.

First and foremost, in a private equity structure the ownership is nearly irrelevant: the investors have little to no say at all in what happens to the company, and there is typically no investment income recognized until the sale of the company. They throw money at a company and expect someone to throw 10 times that amount back in 10 years.

Secondly, the fund managers typically have ultimate control of the company and could dissolve the company and sell its assets at any moment, yet the fund managers never even enter into this scenario.

Proper screening could have occurred had the project management team anticipated all of the different ownership and control structures of companies, consulted with the mergers and acquisitions department, worked with the policies and procedures analysts, and created a separate procedure for screening private equity owned clients. Yet none of this was done, so at every step of the review process it appeared that due diligence had been done and the screening was complete, when in fact none of the important screening had even been considered.

The second instance occurred with a procedure that had been followed for a long period of time: the seemingly simple procedure of applying loan payments to a collateral-backed term loan.
Policy stated that the payment must be applied to the loan according to the instructions from the customer, or as our system states, and applied as of the date received.
Procedures were to enter it into an automated system that calculates the principal and interest, complete a manual calculation to determine if the payment is correct and matches the system, and apply it as of the date received.
Compliance only got involved when the procedure was written.
Audit showed all payments made according to policy and procedure and applied correctly.
One morning the loan appeared on a report showing the collateral was insufficient. The investigation that I initiated spanned 9 months and was ultimately resolved.

The policy and procedure for applying loan payments had never been periodically reviewed, nor had the systems that recorded the payments. Through the investigation I discovered that the dependencies only reported when the collateral was insufficient; they did not alert that the loan had been overpaid for 4 years, when the collateral to loan balance should have matched exactly. Additionally, I discovered that the credit agreement contained various formulas for rate changes depending on collateral amount and loan balance. Not only was the system incapable of calculating this, but the task of alerting or scheduling the changes had never been assigned.
The only way I was able to resolve this was due to the customer having the proper controls in place and keeping a meticulous record of all aspects of their loan.

I hope the above examples have shown you, and allow you to understand, the importance of "proper" Audit, Compliance, and ongoing, repeated policies and procedures analysis. This is done as standard operating procedure in manufacturing, but it seems to be forgotten or dismissed in business and administration. With a rapidly evolving and changing economic, cultural, and technological society, it is now more important than ever to ensure that these become an integral part of conducting and operating business.
