During the last 26 months I have completed over 30 AuditLink assessments related to compliance/audit spanning New York to Oregon. Throughout these reviews I am consistently amazed at the volume of busy work created out of ineffectual processes, policies, and system configurations sanctioned by a third party. The credit union creates work for the sake of work. When questioning the staff on their reasons for creating these processes, their most frequent response is “the auditor, attorney, consultant, or examiner told us we had to.” Each and every time my immediate response is, “Can you please give me the citation from the regulation which this is based upon?” I can count on one hand the number of times an actual citation has been garnered.
In some cases the examiner has pulled the wild card, Safety and Soundness. While difficult, the necessary tactic should be to discuss the situation with your examiner and insist that they defend their position with a sound rationale based solely on the credit union’s capital. A second situation occurs when an auditor or examiner states that a recommended process is simply best practice. At this juncture, credit union executives must evaluate the cost/benefit of adding work as well as the probability of risk to institutional reputation and/or capital. Armed with those facts, they can then determine whether “best practice” translates to “best interest” of the credit union.
Interestingly enough, I am not the only compliance professional offering this advice and making these same recommendations. One of the leading (and best) compliance attorneys in the country, Anthony Demangone, from NAFCU, recently posted the following on his daily blog. Anthony gave me permission to post this citing as a back-up to my dissertation above. Read on…
Posted: 22 Dec 2010 11:30 PM PST
Posted by Anthony Demangone
As we look toward 2011, I thought I’d spend the next week or so discussing some ideas that might help you in the coming year. Today, I’d like to talk about citations. Not the kind that you get for double-parking. I mean legal or regulatory citations that point to a specific part of a law, regulation, or guidance document.
If you hire an outside auditor, attorney, or other consultant, I’d demand that they provide a citation for every finding or recommendation. Each and every one. (You’re paying them, right?) And if they tell you something is a best practice, I’d follow up with this question: A best practice based on what? All too often, we get calls or emails from credit unions that are trying to understand a recommendation from an auditor or consultant who failed to provide a citation. So we spend 20 minutes or so trying to track down a citation to confirm the auditor’s position. And that assumes the auditor is correct. An outside consultant should have no problem providing a citation that is the basis for his or her opinion. (The only exception to this is the negative opinion. Example: NCUA does not regulate the color of your credit union’s logo. You can look as long as you want, but you won’t find a citation to support that position.)
Oh, and the same goes for examiners.
So, in 2011, ask for citations. It will help you verify that an auditor, consultant, attorney or examiner is correct. And it might force them to be a bit more judicious with their recommendations, knowing that they have to provide some legal or regulatory authority each time they tell you to do something.