TRANSCRIPT
North Carolina Risk Management Seminar 2015 Tuesday, May 5, 2015
Grandover Resort, Greensboro, North Carolina
8:30 am - 9:00 am: Registration & Continental Breakfast
9:00 am - 9:10 am: Opening Remarks. Chris Purvis, Shareholder, Elliott Davis Decosimo
9:10 am - 10:00 am: Developing an Effective Enterprise Risk Management Program. Jay Brietz, Senior Manager, Elliott Davis Decosimo
10:00 am - 10:50 am: Regulatory Compliance Hot Topics. Matthew Cordell, Attorney, Ward & Smith, P.A.
10:50 am - 11:10 am: Break
11:10 am - 12:00 pm: Cybersecurity and Data Security. Richard Cook, Director, Elliott Davis Decosimo
12:00 pm - 1:00 pm: Lunch
1:00 pm - 1:50 pm: Regulatory Focus on Internal Audit. Ryan Senegal, Examiner, Federal Deposit Insurance Corporation
1:50 pm - 2:40 pm: Performing Model Validations (Interest Rate Risk/Asset Liability Management, Allowance for Loan Losses, Bank Secrecy Act). Melody Reed, Manager, Elliott Davis Decosimo; Michael Koupal, Senior Manager, Elliott Davis Decosimo
2:40 pm - 2:50 pm: Break
2:50 pm - 4:00 pm: Risk Management Roundtable. Chris Purvis, Moderator; Laura Kirk, SVP/Senior Audit Manager, First Citizens Bank; Bill McKendry, Chief Enterprise Risk Officer, Bank of North Carolina; Steve Setser, SVP/General Auditor, Select Bank
4:00 pm: Course Evaluation and Wrap Up
Financial Services Shareholder Contact Information
Bob Beckwith, CPA Shareholder Direct: 864.552.4763 E-mail: [email protected]
Paul Pickett, CPA Shareholder Direct: 804.887.2256 E-mail: [email protected]
Garry A. Rank, CPA Shareholder Direct: 864.242.2638 E-mail: [email protected]
Barbara Rushing, CPA Shareholder Direct: 864.242.2625 E-mail: [email protected]
Jason Caskey, CPA Financial Services Practice Leader Direct: 803.255.1203 E-mail: [email protected]
Larry Felts, CPA Shareholder Direct: 615.376.1925 E-mail: [email protected]
Lee Haynes, CPA Shareholder Direct: 704.808.5208 E-mail: [email protected]
Andy Mitchell, CPA Shareholder Direct: 864.242.2691 E-mail: [email protected]
Beverly A. Seier, CPA, CPCU Shareholder Direct: 803.255.1214 E-mail: [email protected]
Bill Bossong, CPA, CBA Shareholder Direct: 803.255.1497 E-mail: [email protected]
George Noonan, CPA Shareholder Direct: 704.808.5293 E-mail: [email protected]
Christopher Purvis, CPA Shareholder Direct: 704-808-5216 E-mail: [email protected]
FINANCIAL SERVICES
elliottdavis.com © Elliott Davis Decosimo LLC © Elliott Davis Decosimo PLLC
Financial Services - 360° Industry Perspective
ARE YOU... Concerned about risk? Considering a merger or acquisition? Interested in preserving your capital? Looking for strategies to manage effective tax rates? Struggling to stay abreast of complex SEC reporting and regulations? Searching for a resource to assist with ever-changing accounting standards?
SOLUTIONS
Assurance
• Audit services
• Risk assessment
• Analytical review procedures
• Evaluation of internal controls
SEC Related Services
• Preparation of 10-Qs and 10-Ks
• SOX 404 documentation and testing
Tax
• Income tax preparation and planning
• State and local tax services
• Tax estimates
• Executive compensation review
• Evaluation of deferred tax asset
• Cost segregation studies
• Mergers and acquisitions
Non-Audit Services
• Outsourced internal audit
• External loan reviews
• Regulatory compliance audits
• Bank Secrecy Act/anti-money laundering model validation
• Interest rate risk and liquidity testing
• Allowance for loan loss validation
• Day 1 valuation and Day 2 accounting services
• Information system audits
• Information security reviews
• SSAE 16 (SAS 70) reports
• Trust reviews
Acquired Loan Valuation Services
• ValuCast TM
The banking industry is complex and rapidly evolving. You deserve the right team with the right leadership to serve you. More than 120 financial institutions, large and small, depend on our Financial Services Practice for personal attention, industry experience and services including external and internal audit, SEC reporting, taxation and compliance. With a 60-year reputation and a team of more than 100 professionals serving financial institutions, we help banks operate stronger, wiser, better.
2015 NC Internal Audit & Risk Management Seminar
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC
Tuesday, May 5, 2015
Developing an Effective Enterprise Risk Management Program
Jay Brietz, CPA and CIA Senior Manager May 5, 2015
© Elliott Davis Decosimo, PLLC
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
Agenda
• Background • An ERM Framework • Roles in the Risk Assessment Process • Key Implementation Factors
Background
We perform risk assessments every day…
…and we make risk-based decisions
Background
Importance of the risk assessment
• Critical part of the risk management process and important planning tool for your bank
• Increased focus of regulators
• Increased focus of rating agencies
Risk 101
Background
• Risk concepts and terms:
– Risk vs. uncertainty
– Definitions of risk
– Myths about risks
Background
What is the difference between risk and uncertainty?
Background
COSO’s definition of risk…
The possibility that an event will occur and adversely affect the achievement of an objective.
Background
Other definitions of risk…
A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. (BusinessDictionary.com)
Background
The Economic Times describes risks…
Risks are of different types and originate from different situations. We have liquidity risk, sovereign risk, insurance risk, business risk, default risk, etc. Various risks originate due to the uncertainty arising out of various factors that influence an investment or a situation.
Background
Myths about risk…
• All risks are bad
• Some risks are so bad… we should automatically eliminate them (half-court shot, hole-in-one)
• Playing it safe is always the safest answer
• You cannot develop plans for the unknown
Background
Other risk assessments that often feed into the bank's ERM model…
(Diagram: Enterprise Risk Management, our focus today, at the center, fed by the following assessments)
• Internal Audit Risk Assessment
• Fraud Risk Assessment
• IT Risk Assessment
• Compliance Risk Assessment
• Other Risk Assessments
An ERM Framework
(Diagram: ERM wheel of risk categories, including Credit)
An ERM Framework
COSO’s definition of Enterprise Risk Management…
A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
An ERM Framework
COSO’s Enterprise Risk Management – Integrated Framework
The eight components of the framework are interrelated…
An ERM Framework
Internal Environment
• Establishes a philosophy regarding risk management
• Recognizes that unexpected as well as expected events may occur
• Establishes the entity’s risk culture
• Considers all other aspects of how the organization’s actions may affect its risk culture
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Objective Setting
• Is applied when management considers risks in the setting of objectives
• Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Event Identification
• Differentiates risks and opportunities
• Events that may have a negative impact represent risks
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
• Addresses how internal and external factors combine and interact to influence the risk profile
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives
• Assesses risks from two perspectives: likelihood and impact
• Is used to assess risks and is normally also used to measure the related objectives
• Employs a combination of both qualitative and quantitative risk assessment methodologies
• Relates time horizons to objective horizons
• Assesses risk on both an inherent and a residual basis
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Risk Response
• Identifies and evaluates possible responses to risk
• Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood
• Selects and executes response based on evaluation of the portfolio of risks and responses
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
• Occur throughout the organization, at all levels and in all functions
• Include application and general information technology controls
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities
• Communication occurs in a broader sense, flowing down, across, and up the organization
Source: COSO’s Enterprise Risk Management – Integrated Framework
An ERM Framework
Monitoring
• Effectiveness of the other ERM components is monitored through:
– Ongoing monitoring activities
– Separate evaluations
– A combination of the two
Source: COSO’s Enterprise Risk Management – Integrated Framework
Roles in the ERM Process
Three lines of defense
1. Front line unit
2. Risk management, compliance, etc.
3. Internal audit, credit review, etc.
Roles in the ERM Process
Three lines of defense – Front line unit
• Boots on the ground managers of risk
• Must have the ability to identify, assess and react to risks on a day-to-day basis
• Own and manage the risks of their area
• Incented to raise the flag
Roles in the ERM Process
Three lines of defense – Risk Management
• Supports and guides the risk owners
• Manages the risk framework
• Monitors risk and compliance with guidance via metrics and other measures
Roles in the ERM Process
Three lines of defense – Internal Audit
• Plays an important role in monitoring ERM, but should NOT have primary responsibility for its implementation or maintenance
• Assists management and the board or audit committee in the process by:
– Ongoing monitoring
– Separate evaluations
– Recommending improvements
Key Implementation Factors
• Organizational design of the business
• Establishing an ERM organization
• Performing risk assessments
• Determining overall risk appetite
• Identifying risk responses
• Communication of risk results
• Monitoring
• Oversight and periodic review by management
• The last key implementation factor
Key Implementation Factors
Organizational Design of the Business
• Strategies of the business
• Key business objectives
• Related objectives that cascade down the organization from key business objectives
• Assignment of responsibilities to organizational elements and leaders (linkage)
Key Implementation Factors
Establishing an ERM Organization
• Determine a risk philosophy
• Survey risk culture
• Consider organizational integrity and ethical values
• Decide roles and responsibilities
Key Implementation Factors
Example Organizational Structure
(Org chart showing: Board of Directors; Audit Committee; Enterprise Risk Management Committee; Risk Management (ERM); Internal Audit; Compliance; and the risk areas Asset/Liability Risk, Operational Risk, Fraud Risk and Reputational Risk)
Key Implementation Factors
Performing Risk Assessments
• Identify the risk opportunities
• Assess/measure the risks identified
• Prioritize or rank the risks in order to form a risk appetite strategy
Key Implementation Factors
Determining Overall Risk Appetite
• Risk appetite is the amount of risk an entity is willing to accept in order to attain appropriate or sought after returns
• Three components you should know before drafting a risk appetite:
– Strategic plan and organizational goals
– Organizational risk profile
– Risk thresholds, used to monitor exposure compared to risk appetite
Key Implementation Factors
Determining Overall Risk Appetite
Key questions in developing your risk appetite:
– What risks will the organization not accept? (e.g. environmental or quality compromises)
– What risks will the organization take on new initiatives? (e.g. new product lines)
– What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share)
Key Implementation Factors
Identifying Risk Responses
Management’s response to risk:
• Avoidance: exiting the activities giving rise to the risk
• Acceptance: no action is taken to affect risk likelihood or impact
• Reduction: action taken to reduce the risk likelihood or impact or both
• Sharing: reducing the likelihood or impact by transferring or sharing a portion of the risk
Key Implementation Factors
Identifying Risk Responses
(Heat map of Probability vs. Impact: quadrants labelled Accept, Control, Share, and Mitigate & Control or Avoid, rated Low Risk, Medium Risk and High Risk)
Source: COSO’s Enterprise Risk Management – Integrated Framework
Key Implementation Factors
Communication of risk results
• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
• Flowcharts of processes with key controls noted
• Narratives of business objectives linked to operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business risk responsibility and communication of assignments
Key Implementation Factors
Monitoring
• Collect and display information
• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks
Key Implementation Factors
What is the Secret Key Implementation Factor?
• This is not a sprint, it is a marathon
- How about a 5K?
- How about a half marathon?
- Get some wins and build momentum
• Develop a plan to get to the finish line
• Communicate your progress
Additional Resources
North Carolina State’s ERM Initiative http://mgt.ncsu.edu/erm/
Institute of Internal Auditors http://www.theiia.org/
COSO http://www.coso.org/
• Embracing Enterprise Risk Management: Practical Approaches for Getting Started
• Developing Key Risk Indicators to Strengthen Enterprise Risk Management
Additional Resources
AICPA:
• ERM – Guide for Practical Implementation and Assessment
Professional standards:
• PCAOB Standards Nos. 8-15 – The Risk Assessment Standards
• Auditing Standards – SAS Nos. 104-112
Publications:
• Current Issues in Bank Auditing – Bank Research Associates
• Bank Directors Magazine
Federal Reserve Board:
• www.bankdirectorsdesktop.com
Questions
Jay Brietz, CPA and CIA Email: [email protected] Phone: 704.808.5247 Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
2015 NC Internal Audit & Risk Management Seminar
© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC
Tuesday, May 5, 2015
© 2015 Matthew A. Cordell
Matthew A. Cordell, Ward and Smith, P.A. P: 800.998.1102 F: 919.277.9177 E: [email protected]
Legal and Compliance Risks: Hot Topics
2015 Annual Risk Management Seminar Sponsored by Elliott Davis Decosimo
May 5, 2015, Greensboro, NC
Cybersecurity Risk (of course!)
• March 30 FFIEC Cybersecurity Guidance
– Compromised Credentials
• Update Threat Assessment, Policies & Procedures
• Third-party Vendors
• Monitor Alerts
• Limit Admin Access
• Report to senior management and board
• Training
– Destructive Malware
Home Mortgage Disclosure Act
• Easier to Define Covered Loans
• Higher Reporting Threshold
• New Data Points
• More Frequent Reports for Large Banks
• Reporting Format and Method are TBD
• Final Rule Expected in 2015
• Fair Lending
HUD/Legal Aid of NC
• Legal Aid Fair Housing Project began in 2011
• $975,000 Private Enforcement Initiative (PEI) Grant
• Conducting "undercover investigations"
TILA/RESPA Integrated Disclosure
• August 1, 2015
• Loan Estimate
– Beware seemingly incomplete loan applications; they may be “complete” under new rules.
• Closing Disclosure
– Post-Closing Review
– Record Retention
TILA/RESPA Integrated Disclosure
• Readiness Assessment
– Do you have policies and forms for pre-consummation and post-consummation disclosures?
– Are you tracking the new tolerances?
– Who needs to be trained?
FCRA
• Fair Credit Reporting Act seems to be a focus of CFPB and lawsuits.
• Reporting disputed debts
• Partial payment reported as “paid in full”
• Negative reporting on individual guarantors of commercial loans
Auto Lending
• A "top priority" says CFPB's #2
• CFPB extracted $56 million from banks in the last two years
• Now focused on nonbanks
• NADA Model
• Not just Fair Lending
UDAAP
• Ambiguity persists
• What to do?
– Read the guidance
– Monitor trends in enforcement
– Monitor public statements by officials
– Know your customers
– Know your vendors
– Watch your advertising
• Sensitive Areas
– Overdrafts
– Credit card add-ons
– Payment processor relationships
– Fee Disclosures
– "Free" claims
– Contests
– College students
Consumer Complaint Database
• Customer complaint narratives and documents to be posted beginning later this month
• Bank responses are limited to one of a limited number of standard responses
• Need to verify if complaining person is a customer within 15 days
BSA/AML
• Beneficial ownership
– Identify
– Verify
– Nature & Purpose
– Monitoring
• MSB
– First National Bank of Delaware
– North Dade CDFCU
Games and Contests
• Prize-Linked Savings Accounts SB 327
– Likely to pass
– Similar to CU statute
• Lotteries prohibited
• Raffles
• Sweepstakes
Deposit
• Deposit Account Agreements
– Arbitration clauses in consumer accounts
• CFPB report just released
• Rules expected
– Do agreements match practices?
– Do agreements explain customer's liability for losses?
Prepaid Cards
• $100 billion U.S. market
• Final rule expected soon
• Periodic statements or online access
• Error Resolution
• Disclosures – Full and Summary
• Credit features
– Ability to pay
– Limits on liability
– Error Resolution
– Limits on interest, fees, payment periods
– Limits on setoff rights
Other Hot Spots
• Linked products
• Mortgage servicing and collection
• College students
• Social Media
Keep up with me
LinkedIn.com/in/MattCordell
Twitter.com/MattCordell
Blogs: BizLawNC.com, PrivacyLawNC.com
Cybersecurity and Data Security
© Elliott Davis Decosimo, PLLC
Richard Cook Director IT Audit & Security
May 2015
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
Information Technology Topics for Today
• Cybersecurity
• Data Security
Cybersecurity Agenda
• Cybersecurity Update for 2015
- Intel Security Report - 2015
- Kaspersky Carbanak Report - 2015
- Verizon’s Data Breach Investigations Report - 2015
• Common Themes
• Integrating Cybersecurity Responses into your Existing Programs
Cybersecurity Update - 2015
• Intel Report About Social Engineering
• Kaspersky Report on Carbanak
• Verizon Security Report
Intel Security Report
• People, processes and technology are needed to help mitigate risk
• Technology alone is not enough to protect users
- Email is the most prevalent initial target
• 2015 and beyond, no slowdown in sight for social engineering attacks
- "The reality is that social-based attacks will continue for the foreseeable future."
(Chart: Global Spam and Email Volume)
Intel Security Report
• Launched an online quiz to show how easy it is to get people hooked on a social engineering phishing email
• Social engineering >> low-tech attack due to the limited technical resources required to execute
• Organizations must channel resources into education and cultural change
Kaspersky – Carbanak Report
• Attacks still active
• Motivation – financial gain (not espionage or access to private information)
• Started with a spear phishing email that appeared to be legitimate banking communications
• Email attachments exploited Microsoft Office 2003, 2007, 2010 vulnerabilities
Kaspersky – Carbanak Report
• Highly sophisticated once they gained ‘some’ access
• Important point >> Initial access was via phishing emails and then exploitation of known vulnerabilities
Verizon – Top Seven Human Risks
• Phishability
• Not patching or using outdated systems
• Posting too much information about self or work
• Reusing passwords across sites
• Indiscriminate use of mobile media
• Lack of situational awareness (believing you are not a target)
• Accidental loss or disclosure of sensitive information
Verizon Security Report
• 23% of recipients open phishing email and 11% click on the attachments
• 99.9% of the exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) entry was published
Verizon Security Report – Attack Patterns
(Chart: incidents by attack pattern)
The first four patterns account for 90% and are all ‘people’ related
Common Themes
• Multi-frontal approach is mandatory
• Social engineering is here to stay
- Human nature
• Virus protection and patching programs
- As important as ever
• Monitoring tools – necessary, but not preventive
• Assessment tools
Integrating Cyber Security Responses
You already have…
• Information Security Program
• IT and Information Security (GLBA) Risk Assessments
• Incident Response Plan
• Business Continuity Plan
• Training Programs
• IT Strategic Plan
What to Do Next
• It’s about integrating your:
- Programs
- Training
- Response plans
- Effectiveness testing
• With your:
- Employees
- Contractors
- Vendors
- Physical assets
Where Do I Stand?
• Must be aware of your current security posture
- What do we have in place?
- How does it all work/fit together?
• Assessment – how do I know how we’re doing?
- Scans – internal and external
- Social engineering assessments
- IT general controls
What Do I Need to Check?
• Does your Information Security training program adequately cover security awareness?
- Have you conducted testing of the program’s effectiveness?
• Does your Incident Response plan include provisions for cyber events (internal and external)?
- Do employees know how and when to report and respond to possible cyber events?
• Are your IT General Controls providing adequate coverage for anti-virus and patch management?
Cybersecurity Resources, Tools, Frameworks
• State Bank Supervisors
• FFIEC
• FDIC
• ABA
• COSO
• COBIT
• ISACA
• Verizon Cybersecurity survey
Conference of State Bank Supervisors
• Cybersecurity 101 – framework is organized according to the 5 core cybersecurity functions (presented at the 2015 Conference of State Bank Supervisors)
FFIEC – Cybersecurity Assessment
• Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:
- Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
FFIEC – Cybersecurity Assessment
• https://www.ffiec.gov/pdf/cybersecurity/2014_June_FFIEC-Cybersecurity-Assessment-Overview.pdf
• The FFIEC established the Cybersecurity and Critical Infrastructure Working Group (CCWIG) to collaborate
• The FFIEC is currently focusing on providing resources to support community institutions that may not have access to the resources available to larger institutions
FFIEC
• November 3, 2014 – Press release
• https://www.ffiec.gov/press/pr110314.htm
• Recommends that financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) https://www.fsisac.com/
• FS-ISAC is a non-profit information sharing forum established by the industry to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information
FDIC
• The FDIC created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community banks to conduct short exercises or facilitated discussions around four operational risk-related scenarios. The “Cyber Challenge” is available at
- https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html
Data Security - Agenda
• Vendor Management
• System Security/User Access Reviews
Data Security – Vendor Management
• Most financial institutions are doing a good job with vendor management review, however:
- Management should be sure to tie out the User Control Considerations (UCCs) to validate that these controls are in place
- Often these controls are covered by other testing (management can leverage this testing), such as:
• FFIEC Internal Audit review
• FDICIA testing
• SOX testing
Data Security – Vendor Management
• Management should review their third party agreements to determine exactly who owns what processes. Consider:
- Does the third party host the production servers or are they housed by the financial institution?
- Who is responsible for supporting the production servers, maintaining security (user provisioning), making changes to parameter settings (tolerances, system enforced approvals), and adding administrator access?
- There should be a very distinct delineation of responsibilities
- Management does not have the luxury of solely depending on the third party without understanding its own responsibilities
Data Security – System Security
• If the bank houses the systems on site, management must review the application, operating system and database users
• Management should review users to determine if the bank has any segregation of duties (SoD) conflicts. If conflicts exist, management should have mitigating controls (business process controls) to reduce the risk, such as:
- Reviewing master data changes (file maintenance changes, changes to standing data, changes to customer information, changes to vendor information), review of GL entries, review of parameter changes
Data Security – System Security cont.
• To appropriately address SoD conflicts, we should incorporate a risk based approach
• Management should consider SoD conflicts across systems (e.g. client setup and loan approval, vendor setup and vendor approval)
Data Security – User Access Reviews
• Administrator access – the riskiest access levels should receive the highest level of scrutiny
• All vendor accounts should be reviewed to ensure that access is appropriately restricted (are the vendors using a shared account?). Management should always want individual accountability
• All IT access to financial applications should be questioned
• Management should not use generic accounts or shared accounts if the users have access to production data
Data Security – User Access Reviews cont.
• Management should always remember that the business owns the data, while it is the IT group’s responsibility to secure the data
• The user access reviews should be performed by the business (not IT). It is okay to use IT’s assistance
• If changes are noted during the user access reviews, management should determine the nature of the changes being requested. Is there some underlying reason why the changes are being requested? Does the bank have an inherent problem with its user provisioning process?
• If production systems are hosted by the financial institution – management should also review the operating system and database layers
- Direct access to the operating systems should be very limited. Be sure to review users that have local administrator access to the operating system (these would generally be IT users)
- Direct access to the production database should be the most restricted access. Every user with direct access to the database should be questioned (just being a member of the IT group is not sufficient support to have this high level of access)
Data Security – User Access Reviews cont.
- To emphasize one more time – the business is ultimately responsible for limiting access to the operating system and the database (as well as the application). There should be a business case for each user that has administrator or elevated access to the operating system and/or the database. Direct access to the database should be the most limited for all systems.
• In most instances – we see the IT group reviewing access to the operating system and database – if the access is being reviewed at all
• IT can facilitate the review – but the business should sign off on the review
Data Security – User Access Reviews cont.
• Third party access to systems should be logged and actively monitored if systems are hosted in house. A formal process should be in place (using a risk-based approach, consider the question "what can go wrong?") to ensure that the vendor is not making unapproved changes to production data.
• Users should not review their own access rights
• In summary, I challenge you with two questions:
- How do you know that only approved users have access to systems and that their access is appropriate for their job functions?
- Do you have a process in place to identify if unapproved changes are occurring to production data?
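The access-review checks described above (cross-system SoD conflicts, shared vendor accounts, elevated OS/database access without a business case, and users reviewing their own rights) as an added Python illustration; this is not the presenter's material, and the systems, accounts, roles and conflict pairs are constructed sample data.

```python
"""Access-review checks over a constructed entitlement export.

Added illustration, not the presenter's material. The systems, accounts and
roles are constructed; the conflict pairs mirror the examples in the slides
(client setup vs. loan approval, vendor setup vs. vendor approval).
All systems in the sample are treated as production systems.
"""
from collections import defaultdict

# Toxic combinations: holding both entitlements lets one person both create
# and approve. Entitlements are (system, role), so conflicts can span systems.
SOD_CONFLICTS = [
    (("core", "client_setup"), ("loan_origination", "loan_approval")),
    (("ap", "vendor_setup"), ("ap", "vendor_approval")),
]

# Entitlements touching the OS or database layer directly. Each holder needs
# a documented business case; IT group membership alone is not enough.
ELEVATED = {("db_prod", "direct_sql"), ("os_prod", "local_admin")}

# Constructed sample export: one row per (account, entitlement).
EXPORT = [
    {"account": "jsmith", "owner": "jsmith", "shared": False, "reviewer": "lending_mgr",
     "system": "core", "role": "client_setup", "justification": "branch ops"},
    {"account": "jsmith", "owner": "jsmith", "shared": False, "reviewer": "lending_mgr",
     "system": "loan_origination", "role": "loan_approval", "justification": "lending"},
    {"account": "vendor_svc", "owner": "vendor_x", "shared": True, "reviewer": "it_mgr",
     "system": "core", "role": "support", "justification": "vendor support"},
    {"account": "dba1", "owner": "dba1", "shared": False, "reviewer": "dba1",
     "system": "db_prod", "role": "direct_sql", "justification": ""},
    {"account": "ops2", "owner": "ops2", "shared": False, "reviewer": "ops_mgr",
     "system": "os_prod", "role": "local_admin", "justification": "patching"},
]


def review(rows):
    """Return a list of (finding_type, account, detail) tuples."""
    findings = []

    # Collect every entitlement per account so conflicts across systems show up.
    holdings = defaultdict(set)
    for r in rows:
        holdings[r["account"]].add((r["system"], r["role"]))

    # 1. Cross-system segregation-of-duties conflicts.
    for acct, ents in sorted(holdings.items()):
        for a, b in SOD_CONFLICTS:
            if a in ents and b in ents:
                findings.append(("sod_conflict", acct, f"{a[0]}:{a[1]} + {b[0]}:{b[1]}"))

    for r in rows:
        ent = (r["system"], r["role"])
        # 2. Shared/generic accounts on production data remove individual accountability.
        if r["shared"]:
            findings.append(("shared_account", r["account"], f"{ent[0]}:{ent[1]}"))
        # 3. Direct OS/database access with no documented business case.
        if ent in ELEVATED and not r["justification"].strip():
            findings.append(("elevated_no_business_case", r["account"], f"{ent[0]}:{ent[1]}"))
        # 4. The reviewer must not be the account owner.
        if r["reviewer"] == r["owner"]:
            findings.append(("self_review", r["account"], f"reviewer={r['reviewer']}"))
    return findings


if __name__ == "__main__":
    for kind, acct, detail in review(EXPORT):
        print(f"{kind:28} {acct:12} {detail}")
```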
Questions
Richard Cook [email protected]
704.808.5275
Bonnie Bastow [email protected]
704.808.5243
Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
2015 NC Internal Audit & Risk Management Seminar
Tuesday, May 5, 2015
Internal Audit
Michael P. Egan, Supervisory Examiner, Federal Deposit Insurance Corporation
May 2015
FEDERAL DEPOSIT INSURANCE CORPORATION
Overview
• Back to Basics Approach
• Risk Assessments
• Audit Planning
• Audit Workprograms & Sampling Methodology
• Deficiency Tracking & Validation Guidance
• Staff Expertise and Ongoing Professional Education
• Quality Control Programs
Back to Basics
• Hot Topic – Accountability
• Horizontal Review at Large Community Banks in North Carolina and South Carolina ($1B-$10B)
• Develop Best Practices and identify emerging risks
Risk Assessments
• Business line specific narrative regarding:
- Inherent risks (High, Medium, and Low should have the same detail for every business line)
- Any mitigating controls in place
- Any other components that may impact the overall risk ratings
• Risk ratings should be defined and correspond to an audit frequency.
Audit Planning
• Comprehensive document approved by the Board/Audit Committee annually.
- Timing and Frequency of Audits
- Prior Audit Date and Rating
- Individual or vendor responsible for audit
• Large community banks project audit hours
• Multi-Year Audit Plan: reassess when needed
[Chart: Multi-Year Audit Plan – Yes 30%, No 70%]
Potential Red Flags
• Rapid growth
• Management or key employee turnover
• Recommendations are not effective in prompting management corrective action
• Concentrations of assets with complex valuation methods
• Basic internal control deficiencies
• Poor or absent documentation
Workprograms
• Expect more sampling at examinations
• Detailed scope
• Comprehensive procedures
• Sampling methodology
• Prior audit rating & findings
• Assess remediation efforts
• Risk-Focused versus Accounting-Based
• Regulatory Compliance
Sampling Methodology
• Review revealed sampling is generally guided by SOX testing requirements from vendors.
• In some instances the sample sizes appeared very low with little or no narrative.
- ALLL: 15 impairment analysis worksheets, or less than 9%
- Wires: 20 sampled over a 12-month period, or less than 3% of outgoing wires
- Consumer Loans: random sample of 15 loans (4 auto reviews, 6 HELOCs, 5 installments)
Deficiency Tracking
• Responsibility for updating
• Guidance for validation efforts
• Next audit cycle may be up to 36 months
• Vary by significance
• Maintaining closed issues to determine if there are repeat findings
• Track regulatory findings and remediation
Average Experience by Title
[Chart: Average Audit Experience by Title (years) – Chief Audit Executive, Audit Manager, Audit Supervisor, Senior Auditor II, Senior Auditor I, Staff Auditor II, Staff Auditor I, Audit Analyst, IT Analyst]
Audits per FTE participating in fieldwork
• Average audit personnel in department is approximately six individuals
• Five completing fieldwork
• Average Assets per Auditor $500M-$992M
• Average number of audits completed internally is 25 or approximately 75%
• Average Experience
• Professional Certifications, training, and development plans
Specialized Audit Areas
Area                       N/A   Internal   Outsourced
Information Technology      0%      17%        83%
Trust                      33%      17%        50%
BSA-AML                     0%      17%        83%
CRA                         0%      83%        17%
Compliance                  0%      67%        33%
Interest Rate Risk          0%      50%        50%
ALLL                        0%      50%        50%
Loss Share                 33%      50%        17%
Acquired Loan Accounting   33%      33%        33%
Mortgage QC                 0%      67%        33%
Quality Control Program
• Audit activities are conducted in accordance with Standards for the Professional Practice of Internal Auditing
• Assures compliance with Standards, Charter, Policies, Code of Ethics, practices, and regulatory requirements
• Identifies methods to improve organizational operations
• External assessment at least once every five years
[Chart: Quality Assurance Review – QA Review 16.67%, No QA Review 83.33%]
Potential QC Review Components
• Budgeting and financial administration for internal audit
• Maintenance and updating of the risk assessment and audit universe
• Evaluation of long-range planning
• Audit tools and use of technology
• Training and development of staff
• Audit statistics and metrics used
• Review of summary reports
• Administration of deficiency tracking
Emerging Areas
• Internal Credit Review Function
• Internal Compliance Review Function
• Audit Department should assess the review functions
Credit Review (banks A-F)
Bank        A      B      C      D      E      F
In-house    0%   100%    50%     0%    50%    75%
# Staff     0      9      1      0      1      4
Resources
• Statement of Policy: Internal Audit and Its Outsourcing
• Part 363: Annual Independent Audits and Reporting Requirements
• Various Practice Advisories from The Institute of Internal Auditors
Common ALLL issues/concerns include:
• Improper use of or insufficient support/documentation for environmental factors
• Expected Cash Flow Definition
• Historical Loss Look-Back Period
• Negative Provisions
• CECL
ALLL
Annual charge-off rates are calculated over a specified time period (e.g., three years or five years), which can vary based on a number of factors including the relevance of past periods’ experience to the current period or point in the credit cycle.
Credit Administration
Seven Ways Banks Are Relaxing Loan Terms
• Extend Fixed-Rate Pricing
• Tweak Guarantees
• Stretch Out Amortization
• Raise the Leverage
• Waive Fees
• Lower Debt-Service Limits
• Ease Collateral Requirements
Cybersecurity
The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.
Cyber Challenge: A Community Bank Cyber Exercise
Objectives:
• Initiate discussion between financial institution management and staff on cyber-related issues and concerns.
• Identify potential shortfalls in operational readiness capabilities.
• Strengthen preparedness and response efforts to promote an institution's resilience.
Cyber Challenge
Scenario Overview: Cyber Challenge consists of a DVD with short video vignettes that present four unique scenarios for discussion. Challenge cards accompany each video vignette to facilitate discussions. Participants should play a video vignette and then respond to the associated challenge questions.
Cyber Challenge
The four vignette themes are:
• Vignette #1 - Item Processing Failure
• Vignette #2 - Customer Account Takeover
• Vignette #3 - Bank Internal Error/Phishing & Malware Problem
• Vignette #4 - Technology Service Provider Problem
Current Exam Issues
• Internal Audit
• ALLL/TDRs
• Liquidity/Stress Testing
• Interest Rate Risk
• Lending Programs
• Cyber Security-IT
• BSA
• Model Validation
QUESTIONS?
Model Risk Management
© Elliott Davis Decosimo, PLLC
Michael Koupal, CPA Senior Manager
Melody Reed, CRCM, CFSA Manager
Disclaimer
This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.
Model Definition
Per the OCC Supervisory Guidance on Model Risk Management (OCC 2011-12)
A model consists of three components:
• Information input (which delivers assumptions and data to the model)
• Processing (which transforms inputs into estimates)
• Reporting (which translates estimates into useful business information)
Model Risk
Model Risk occurs for two primary reasons:
1. The model may have fundamental errors and may produce inaccurate outputs. Errors can occur at any point from design through implementation.
2. The model may be used incorrectly or inappropriately. Even a fundamentally sound model producing accurate outputs consistent with the design objective of the model may exhibit high model risk if it is misapplied or misused.
Model Risk (Continued)
• Model risk increases with greater model complexity, higher uncertainty about inputs and assumptions, broader use, and larger potential impact.
• Even with skilled modeling and robust validation, model risk cannot be eliminated, so other tools should be used to manage model risk effectively:
- establishing limits on model use
- monitoring model performance
- adjusting or revising models over time
- supplementing model results with other analysis and information
Model Validation
• Model validation is the set of processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses. Effective validation helps ensure that models are sound. It also identifies potential limitations and assumptions, and assesses their possible impact.
• All model components, including input, processing, and reporting, should be subject to validation; this applies equally to models developed in-house and to those purchased from or developed by vendors or consultants.
Who should complete the validation?
• Validation involves a degree of independence from model development and use. Generally, validation should be done by people who are not responsible for development or use and do not have a stake in whether a model is determined to be valid.
• Staff doing validation should have the requisite knowledge, skills, and expertise. A high level of technical expertise may be needed because of the complexity of many models, both in structure and in application. These staff also should have a significant degree of familiarity with the line of business.
How Detailed? How Often?
• The range and rigor of validation activities conducted prior to first use of a model should be in line with the potential risk presented by use of the model.
• Validation activities should continue on an ongoing basis after a model goes into use, to track known model limitations and to identify any new ones.
• Validation is an important check on model use during periods of benign economic and financial conditions, when estimates of risk and potential loss can become overly optimistic, and when the data at hand may not fully reflect more stressed conditions.
• Banks should conduct a periodic review, at least annually but more frequently if warranted, of each model to determine whether it is working as intended and if the existing validation activities are sufficient. Such a determination could simply affirm previous validation work, suggest updates to previous validation activities, or call for additional validation activities.
Key Elements of Comprehensive Validation
• An effective validation framework should include three core elements:
- Evaluation of conceptual soundness, including developmental evidence (quality of model design and construction)
- Ongoing monitoring, including process verification and benchmarking
- Outcomes analysis, including back-testing
Quality of design and construction
• Validation should ensure judgement exercised in model design and construction is well informed, carefully considered, and consistent with published research and sound industry practice
• How is this handled when the model is outsourced?
• Can sensitivity analysis help evaluate?
- Sensitivity analysis – measuring the impact inputs have on model outputs
Michael Koupal, CPA
Email: [email protected]
Phone: 704.808.5211
Website: www.elliottdavis.com
Melody Reed, CRCM, CFSA
Email: [email protected]
Phone: 919.987.2776
Website: www.elliottdavis.com
BSA Models: Understanding and Maximizing the Backbone of Your AML Program
Melody Reed, CRCM, CFSA Manager
Objectives/Areas to Cover
• Purpose of the Model – Why do I need this?
• Key Areas of the Model
• Tuning – Did I Buy a Car?
• Understanding the Importance of the Model
The "Why"
• Manual Reports = Ineffective and Inefficient Monitoring
• Regulators Make Us
• It's the Right Thing To Do
Automated Monitoring
[Before/After illustration]
Understanding the Model
• Who has to understand how the model works? Isn't that an IT thing?
• No – BSA Officers should understand the functionality of the model, including details about how the model is scoring and flagging transactions for additional review.
Definition of Terms
"Alert"
• YellowHammer BSA = Worklist Item
• Banker's Toolbox BAM = Report Item
• Fiserv's FCRM = Alert
Key Model Areas
• Customer Information
- Customer Due Diligence
- Customer Risk Scoring
- Ongoing Due Diligence
Key Model Areas (Continued)
• Suspicious Activity Monitoring
- Unusual Transactions
- Out of Pattern Behavior
- Transactions in High Risk Areas
Tuning – Like a Radio?
Too Much Static or "Noise"
Tuning
Reduce the noise to get a clearer picture
Tuning and Optimization
Tighten the net…
… and loosen it.
T&O (Continued)
• Evaluate Coverage Based on Triggering Events
– Manual SAR Referrals
– Regulation Changes
– Bank M&A Activity
– New Products
– Enforcement Actions
• Evaluate Thresholds
– Dollar Amounts
– Transaction Frequency
• Challenge Customer Risk Scores
– New Markets
– High Risk Areas
Making Sure It Works
• Model Validation
- OCC 2000-16: Model Validation
• Model Risk Management
- OCC 2011-12 and SR Letter 11-7: Model Risk Management
Elliott Davis Decosimo Approach
• Reviewing system parameters, settings, security and validating that the system is working
• Assessing the setup of the model to ensure appropriate coverage in terms of customer risk and transactional risk
• Reviewing parameters and thresholds to verify they are set in line with the Bank's size and BSA risk profile
Keys to Model Governance
• Independent Review
• Defined Responsibility
• Model Documentation
• Ongoing Validation
• Audit Oversight
Melody Reed, CRCM, CFSA Email: [email protected]
Phone: 919.987.2776
Website: www.elliottdavis.com
Interest Rate Risk and Management
Michael Koupal, CPA Senior Manager
Overview
• Interest Rate Risk
- What is IRR?
- Current Regulatory Focus
- Internal Control System
- Independent Review and Validation
What is IRR?
• Banks are in the business of managing IRR
- Repricing Risk: timing differences between coupon changes or cash flows of assets and liabilities
- Yield Curve Risk: non-parallel changes in the yield curve
- Option Risk: cash flows change with embedded options (prepayment/extension, call options, runoff)
- Basis Risk: different indices with the same maturity move at a different pace
Current Regulatory Focus
• Margin pressure is hindering meaningful earnings recovery
• Increases in long-term asset exposure to support yield coupled with a surge in non-maturity deposits
• Fear of substantial deposit runoff (surge deposits and parked funds)
• Examiner focus on assumptions, sensitivity analysis, internal controls/validation
Internal Control System
• Board established system of internal controls
- Corporate governance
- Compliance with policies and procedures
- Comprehensive measurement system
Effective Control Structure
• Roles, responsibilities, and authority
• Adequate segregation of duties
• Inputs and measurements are accurate and complete
• Policy compliance
• Independent review and validation
• Management response and follow-up
• Size, nature, and complexity of the institution should be incorporated in evaluating all aspects
Adequacy and Compliance of Control System
• Review/Test
- Lines of authority
- Segregation of duties
- Corrective actions
- Compliance with risk limits
• Ensure staff compliance with procedures
Data Inputs
• Data Integrity
- Is data accurate, complete, and useful?
- Source of data
• Data Input Controls
- Automatic vs. Manual input
- Reconciliation and review process
• Test Data Inputs
- Balance sheet
- Budgets/forecasts
- Assumptions
Assumptions
• Reasonableness
- Can compare to historical and current data
- If using peer or national data, should still determine if reasonable for your institution
- Should be based on expectations, not just budget
• Documentation
- Understandable format and includes all assumptions
- Basis for balance sheet predictions
- Conclusions and strategies developed based on identified risks
Assumptions
• Sensitivity analysis
- Which factors are most important? (Stress Testing)
• Sufficiency of modeled scenarios
- Reasonable range of rate changes and models
• Board approval and understanding
Validation
• Internal Models
- Significant amount of time required for the validation process.
- Includes validation of model mechanics and mathematics.
• External Models
- Vendors normally provide validation results. Management should review and assess at least annually.
Backtesting
• Compare Modeled vs. Actual Results
- Who should complete?
- Annually or quarterly?
- Should include rate vs. volume variance
- Detailed enough to determine accuracy
• Were assumptions accurate?
- If not, has management identified changes for future modeling?
• Identify causes of differences
Reporting
• Report to Board/Audit Committee
- Testing details
- Findings summary
- Key assumptions
- Management's responses
Guidance
• FIL-52-96 - Joint Agency Policy Statement on Interest Rate Risk
- http://www.fdic.gov/news/news/financial/1996/fil9652.html
• FIL-2-2010 - Financial Institution Management of Interest Rate Risk
- http://www.fdic.gov/news/news/financial/2010/fil10002.html
• FIL-2-2012 - Interest Rate Risk Management: Frequently Asked Questions
- http://www.fdic.gov/news/news/financial/2012/fil12002.html
• FIL-46-2013 - Managing Sensitivity to Market Risk in a Challenging Interest Rate Environment
- https://www.fdic.gov/news/news/financial/2013/fil13046.html
Allowance for Loan and Lease Loss Validations
Michael Koupal, CPA Senior Manager
Overview
• ASC 450 (FAS 5) General Reserve
- Historical Loss Factors
- Environmental Factors (qualitative adjustments to historical loss rates)
- What if a migration analysis is used?
• ASC 310-10-35 (FAS 114) Specific Reserve
- Impaired Loans/Troubled Debt Restructures ("TDRs")
General Reserve - ASC 450 (FAS 5)
• Historical Loss Factors - calculated using historical charge-offs by loan pool over a designated time period
• Test loss factors by:
- (a) Recalculating the historical loss factor
• Subject a sample of current year charge-offs to proper approval and recording
• Reconcile charge-offs / recoveries to the allowance roll forward and GL
• Verify loss history is properly applied against average loan balances of the proper pool
• Verify impaired loans are excluded from the outstanding average loan balances in the application of the loss factors in order to avoid layering
General Reserve - ASC 450 (FAS 5)
• Historical Loss Factors
• Test loss factors by:
- (b) Evaluating the appropriateness of the historical loss period
• Usually between 8 quarters and 15 quarters is a reasonable historical loss period
Migration Analysis
• What happens if the Bank is using a migration analysis instead of a historical analysis for their general reserve?
- Need to gain an understanding of the migration to determine if the methodology is reasonable
- Recalculate at least a sample to determine if the system is working properly (trace/vouch)
- Great use of Excel
- If using a third party system, see if they've already done a certification/validation on the model so you only have to focus on the inputs and outputs.
Environmental Factors
• Environmental Factors
- Trends in delinquencies and impaired loans
- Levels and trends in recoveries and charge-offs
- Trends in volume and terms of loans
- Experience and ability of lending management and relevant staff
- National and local economic trends and conditions
- Credit concentrations
• Supportable/documented
• Reasonable
Specific Reserves ASC 310-10-35 (FAS 114)
• Impaired Loan
- Impairment occurs when it is probable that the entity will be unable to collect all amounts due according to the contractual terms of the receivable
- All amounts due according to the contractual terms means that both the contractual interest payments and the contractual principal payments will be collected as scheduled according to the receivable's contractual terms. Need not consider an insignificant delay or insignificant shortfall in amount of payments.
Specific Reserves ASC 310-10-35 (FAS 114)
• Methods for calculating impairment
- Impairment calculated based on fair value of collateral
• For collateral dependent loans
- Impairment calculated based on present value of expected future cash flows
• For non-collateral dependent loans
- Fair Value (rarely used)
Specific Reserves ASC 310-10-35 (FAS 114)
• Collateral dependency
- Repayment is expected to be provided solely by the underlying collateral
• Should adjust for selling costs (taxes, repairs, agents, etc.)
- Repayments from proceeds of sale of collateral
- Cash flows from continued operation of collateral
• Apartment building, shopping mall
• Cash flows are derived solely from the property's rental income
Specific Reserves ASC 310-10-35 (FAS 114)
• Sale of underlying collateral
• It is important to:
- Evaluate the professional qualifications of the appraiser
- Consider the date and age of the appraisal
- Obtain an understanding of the appraiser's relationship to the client and consider the objectivity of the appraiser
- Obtain an understanding of the methods and assumptions used by the appraiser
- Make appropriate tests of data provided to the appraiser, including the legal description of the property and any other assumptions such as expected cash flows
Specific Reserves ASC 310-10-35 (FAS 114)
• Impairment based on PV of expected cash flows
• Examine evidence that supports management's expected cash flows. (For example, evidence might include borrower financial statements and income tax returns.)
• Consider contradictory evidence that suggests that management's cash flow expectations are unreasonable.
- Contractual payment terms required under the modified loan are not necessarily the best estimate of expected future cash flows
Specific Reserves ASC 310-10-35 (FAS 114)
• Impairment based on PV of expected cash flows
• Compare the discount rate used in the cash flow calculation to the loan's original effective rate (not the modified rate)
• Test the clerical accuracy of the cash flow calculation
• Consider default and prepayment assumptions
• Environmental factors – industry, geographical, economic, political
Specific Reserves ASC 310-10-35 (FAS 114)
• Impairment based on PV of expected cash flows
- Cash flows from other available sources (including guarantors) must be more than nominal to conclude a loan is not collateral dependent
- E.g., cash flows generated by operation of a business or other source outside of the lender's security interest in the collateral
- Balloon payments
- Significant uncertainty may exist regarding the borrower's ability to refinance/pay the loan off at maturity when contractual balloon payments are required
- Acceptable approach is to utilize the fair value of collateral (less costs to sell) as expected future cash flows at maturity
• Unless the balloon payment amount is less than the FV of collateral; in those cases, use the balloon payment
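An added Python illustration (not the presenters' material) of recalculating an impairment from expected cash flows as the slides above describe: payments are discounted at the loan's original effective rate, and for a balloon at maturity the expected cash flow is the lesser of the balloon and the collateral's fair value less costs to sell. The loan figures, rates and selling-cost percentage are constructed.

```python
"""Recalculating an ASC 310-10-35 impairment from expected cash flows.

Added illustration, not the presenters' material. All loan figures are
constructed. Two checks from the slides are built in: cash flows are
discounted at the loan's ORIGINAL effective rate (not the modified rate),
and a balloon at maturity is replaced by the collateral's fair value less
costs to sell when that is the smaller amount.
"""


def present_value(cash_flows, annual_rate, periods_per_year=12):
    """PV of (period, amount) pairs at a periodic rate derived from annual_rate."""
    r = annual_rate / periods_per_year
    return sum(amount / (1 + r) ** n for n, amount in cash_flows)


def balloon_expectation(balloon, collateral_fv, selling_cost_pct):
    """Expected cash flow at maturity when a contractual balloon is required."""
    net_realizable = collateral_fv * (1 - selling_cost_pct)
    # Fair value less costs to sell, unless the balloon itself is smaller.
    return min(balloon, net_realizable)


def expected_cash_flows(monthly_payment, months, balloon,
                        collateral_fv, selling_cost_pct):
    """Modified schedule: level monthly payments plus the maturity expectation."""
    flows = [(n, monthly_payment) for n in range(1, months + 1)]
    flows.append((months, balloon_expectation(balloon, collateral_fv, selling_cost_pct)))
    return flows


def impairment(recorded_investment, flows, original_effective_rate, rate_used):
    """Impairment = recorded investment less PV of expected cash flows.

    Returns (impairment, pv, rate_check). rate_check is False when the
    discount rate used differs from the original effective rate; the
    arithmetic still runs, but the reviewer should flag the calculation.
    """
    rate_check = abs(rate_used - original_effective_rate) < 1e-12
    pv = present_value(flows, rate_used)
    return max(recorded_investment - pv, 0.0), pv, rate_check


# Constructed example: $500,000 loan modified to $1,500/month for 12 months
# with a $500,000 balloon; collateral appraised at $480,000 with 8% costs to
# sell; original effective rate 6%, modified rate 3%.
LOAN = dict(recorded_investment=500_000.0, monthly_payment=1_500.0, months=12,
            balloon=500_000.0, collateral_fv=480_000.0, selling_cost_pct=0.08)
ORIGINAL_RATE, MODIFIED_RATE = 0.06, 0.03


def worked_example():
    """Return the correct calculation and the one using the modified rate."""
    flows = expected_cash_flows(LOAN["monthly_payment"], LOAN["months"], LOAN["balloon"],
                                LOAN["collateral_fv"], LOAN["selling_cost_pct"])
    correct = impairment(LOAN["recorded_investment"], flows, ORIGINAL_RATE, ORIGINAL_RATE)
    understated = impairment(LOAN["recorded_investment"], flows, ORIGINAL_RATE, MODIFIED_RATE)
    return correct, understated


if __name__ == "__main__":
    (imp, pv, ok), (imp_mod, _, ok_mod) = worked_example()
    print(f"PV at original rate: {pv:,.2f}  impairment: {imp:,.2f}  rate check: {ok}")
    print(f"Modified rate understates impairment: {imp_mod:,.2f}  rate check: {ok_mod}")
```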
Specific Reserves ASC 310-10-35 (FAS 114)
• Impairment based on PV of expected cash flows
- In general, GAAP does not allow impairment calculations to run beyond the contractual term
- Exceptions
• E.g., automatic renewal at maturity
• Regulators are open to the possibility of adjusting the impairment measurement by a qualitative factor if quantifiable/objectively measured
- More accurately approximate the risk and economics of the relationship between the institution and borrower
- Key point is to have a well-documented workout plan if measuring impairment beyond the contractual term
Specific Reserves ASC 310-10-35 (FAS 114)
• Troubled Debt Restructuring
• Loan modified by granting a concession on:
- Rate
- Term/maturity extension
- Payment amount
- Interest or principal forgiveness
• For economic or legal reasons related to the borrower's financial difficulties
- Should be considered impaired and accounted for as an impaired loan in accordance with ASC 310-40
Specific Reserves ASC 310-10-35 (FAS 114)
• Troubled Debt Restructuring • It is ok to pool, non-collateral dependent, insignificant loans?
• How would the reserve be calculated?
- Search for TDRs
- Options for removing TDRs ASC 310-20 (FAS 91)
© Elliott Davis Decosimo, PLLC
Specific Reserves ASC 310-10-35 (FAS 114)
Michael Koupal, CPA Email: [email protected]
Phone: 704.808.5211
Website: www.elliottdavis.com
Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.
Risk Management Roundtable
Moderator: Chris Purvis, Shareholder, Elliott Davis Decosimo
Panelists:
Laura Kirk, SVP/Senior Audit Manager, First Citizens Bank
Bill McKendry, Chief Enterprise Risk Officer, Bank of North Carolina
Steve Setser, SVP/General Auditor, Select Bank
Developing an Effective Enterprise Risk Management Program
Jay Brietz, Senior Manager, Elliott Davis Decosimo
With more than 20 years of experience in finance and accounting, Jay focuses on providing assurance and consulting services to financial institutions including external and internal audits, risk management, information technology and Sarbanes-Oxley compliance. Jay also leads the firm's SSAE 16 – Service Organization Controls Reporting practice. Jay is both a certified public accountant and a certified internal auditor. His experience includes serving as senior compliance manager for a global banking institution, a business advisory senior manager for an international CPA firm, a managing consultant for a large technology and process consulting firm and a financial statement auditor for a Big Four accounting firm. Jay has written numerous articles on dealing with Sarbanes-Oxley, corporate governance and internal controls. He also was a principal contributor to COSO's Guidance on Monitoring Internal Control Systems.

Regulatory Compliance Hot Topics
Matthew Cordell, Attorney, Ward & Smith P.A.
Matt Cordell's practice encompasses a broad spectrum of business and regulatory matters, with a particular emphasis on financial institutions and financial services. He handles business transactions, securities offerings and reporting, mergers and acquisitions, corporate matters, lending and financing, consumer protection compliance, and privacy and information security issues for organizations of all sizes. Matt has been rated by his peers as being among the best in his fields of law, receiving the highest possible ratings in a number of peer surveys, and has been recognized by a number of organizations. He is an active leader in the legal profession, serving in various statewide leadership roles, including as Division Director of the Young Lawyers Division of the North Carolina Bar Association. Matt also enjoys contributing to his communities. He has devoted hundreds of hours to providing free ("pro bono publico") legal services, working with lawmakers on legislation and regulations, and educating lawyers, bankers and the public on various legal and policy issues.

Cybersecurity and Data Security
Richard Cook, Director, Elliott Davis Decosimo
Richard has 11 years of IT consulting/audit experience as an IT Risk Management professional, primarily with Big Four and national firms. His main focus is providing IT-related assurance, consulting, advisory and security services. He has an extensive IT services technical background and has executed engagements in the following industries: Financial Institutions (regional, community and De Novo banks), Manufacturing & Distribution, Healthcare, Retail, Agriculture and Grocery. His range of experience includes assessing IT environments of public (accelerated SOX 404 and non-accelerated filers, including Fortune 500 companies) and private enterprises, both large and small, from an internal and external perspective. He also has significant experience implementing the PCAOB's AS5 top-down risk-based approach for SEC registrants as well as implementing the updated COSO 2013 framework. He has executed SOC1 and SOC2 engagements. In addition, Richard's ERP experience includes SAP, Oracle, JD Edwards, and PeopleSoft (Financials & HRMS); operating systems: Unix/Linux, iSeries (AS/400), Windows Server and mainframe; and databases: Oracle, SQL, DB2, and Informix, among others. Richard has worked with various frameworks including COBIT, FFIEC, AICPA, PCAOB, COSO, and FISMA.

Regulatory Focus on Internal Audit
Ryan Senegal, Examiner, Federal Deposit Insurance Corporation
Ryan Senegal is a Supervisory Examiner with the FDIC. During his 15-year career he has worked on examinations of small and large community banks and problem banks in the Chicago, IL and Charlotte, NC field offices. He helped oversee a horizontal review of internal audit at large community banks in North Carolina and South Carolina in 2013, is an accounting subject matter expert for the Charlotte Territory specializing in purchase accounting, and oversees training and development for the Charlotte Territory. He was named the Atlanta Region RMS Corporate Manager of the Year for 2012. He graduated with a BS in Business Administration from Central State University, Wilberforce, OH.

Performing Model Validations
Melody Reed, Manager, Elliott Davis Decosimo
Melody has more than a decade of experience performing internal audit and compliance services for financial institutions. She provides risk management services for financial institutions, including outsourced internal audit, regulatory compliance audits, regulatory compliance consulting, Bank Secrecy Act reviews, and SOX testing. Prior to joining Elliott Davis Decosimo, Melody held roles with a $20 billion regional bank in Raleigh, North Carolina, in Internal Audit and Corporate Governance, and was most recently the bank's BSA Officer.

Michael Koupal, Senior Manager, Elliott Davis Decosimo
Michael focuses on providing accounting and assurance services to clients in the financial institution industry sector. Prior to joining Elliott Davis Decosimo in September 2012, Michael was employed with Plante Moran, PLLC in Toledo, Ohio and served community banks throughout Michigan and Ohio. With approximately 10 years of experience in public accounting, he has worked with community banks ranging in size from $100 million to more than $3 billion in assets. Michael's external audit experience includes both private and public institutions, including SOX 404 and FDICIA requirements. Michael's internal audit experience also includes private and public institutions, including assisting in determining and setting up key controls for SOX 404 and FDICIA requirements. He also specializes in interest rate risk and liquidity risk management audits, Automated Clearing House ("ACH") audits, and loan/credit reviews.

Risk Management Roundtable
Chris Purvis, Shareholder, Elliott Davis Decosimo
Chris has more than nine years of accounting experience, including eight years in public accounting and one year in corporate accounting with a bank. Chris specializes in providing audit and consulting services for financial institutions. Prior to joining Elliott Davis in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been in providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and Interest Rate Risk testing. Chris leads the firm's compliance consulting services group. Training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School.

Laura Kirk, SVP/ Senior Audit Manager, First Citizens Bank
Laura Kirk has 38 years of internal bank auditing experience. Currently, she is employed with First Citizens Bank as a Senior Vice President / Senior Audit Manager. Prior to her seventeen years' employment with FCB she was the Audit Director for United Carolina BancShares. Laura is a Certified Internal Auditor and a Certified Fraud Examiner. She is a cum laude graduate of Pfeiffer University, 1975, with a Bachelor of Arts majoring in Business Administration and Economics, and a graduate of Pfeiffer University, 2003, with a Master of Business Administration. Laura is also an honors graduate of The School for Bank Administration, 1988, majoring in Audit. She was the Institute of Internal Auditors, Raleigh-Durham Chapter's President in 2000 and is still active in the local chapter.

Bill McKendry, Chief Enterprise Risk Officer, Bank of North Carolina
Bill McKendry is an Executive Vice President and the Chief Enterprise Risk Officer for Bank of North Carolina. He has been with the Bank since 2011. Mr. McKendry has over 18 years of experience in the banking industry, including at some of the largest financial institutions in the United States. Prior to joining the Bank, Mr. McKendry was most recently the Deputy General Auditor for First Citizens Bank. He is a graduate of the University of Notre Dame, with an MBA and an undergraduate Accounting degree.

Steve Setser, SVP/ General Auditor, Select Bank
Steve has worked in community banking since 2004, serving roles in internal audit and enterprise risk management. Steve began his career as a staff auditor with a bank headquartered in Eastern North Carolina. His initial focus was primarily on Information Security and Technology audits, but his responsibilities ultimately grew to include most bank functions, including SOX control testing. Steve was promoted to Internal Audit Director in 2008 and held that position until 2012, when he assumed the role of ERM Reporting Director. A merger in 2013 led to Steve being named the Manager of ERM, Privacy & Regulatory Reporting, which included oversight of an outsourced internal audit function along with key input into the development of an ERM program. In March 2014 Steve joined Select Bank & Trust as General Auditor and is responsible for management of the Bank's audit function. Steve has a degree in Decision Science with a concentration in Management Information Systems from East Carolina University. He also earned his MBA from ECU – go Pirates! Steve is a graduate of the North Carolina Bankers Association's School of Banking and has been a member of the Southeastern Chapter of the Financial Manager's Society since 2004, including holding the chapter President role from May 2012 – December 2013. Steve is currently preparing to take the IIA's CIA exam.
200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.552.4763 Office: 864.242.3370 Fax: 864.241.5713 [email protected]
Robert Beckwith, CPA
Shareholder
Services: Tax | Industries: Financial Services
Professional Overview
Bob focuses on providing tax consulting services to clients in the financial services industry. Bob has more than 40 years of bank tax consulting and compliance experience, including 20 years at a Big Four accounting firm. He assists clients with financial reporting in accordance with FASB ASC 740 and planning and analysis of C corporation tax issues including mergers and acquisitions, tax benefit limitations upon Sec. 382 change-of-control, compensation and golden parachutes, and accounting methods and periods. Bob has served multi-billion dollar organizations, filing complex consolidated and multi-state returns. He also possesses expertise in planning for the election to be an S corporation bank and the resulting compliance issues.
Education, Credentials and Special Training
Certified Public Accountant
M.S., Accounting, Colorado State University
B.S., Business Administration with emphasis in accounting, University of Nebraska
Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Thought Leadership
Panelist, Bank Tax Institute Community Banking Panel
Co-instructor, Co-Community Bank Tax Workshop
elliottdavis.com © Elliott Davis Decosimo LLC
1901 Main Street Suite 900 Columbia, SC 29201 Direct: 803.255.1497 Office: 864.242.3370 Fax: 803.255.0733 [email protected]
William (Bill) J. Bossong, CPA, CBA
Shareholder, Financial Institutions Group Consulting
Services: Consulting | Industries: Financial Services
Professional Overview
Bill has more than eight years of public accounting experience with an emphasis in financial institutions and SEC registrants. He leads the firm's Financial Institution Consulting Practice for merger and acquisition matters. These services include due diligence projects, Day 1 valuations, Day 2 accounting, internal audits over other Day 2 providers, and accounting policy creation and review. This team has developed ValuCast™, a proprietary solution designed to assist banks with Day 1 and 2 accounting in accordance with the Accounting Standards Codification (ASC). Bill has led numerous FDIC-assisted and whole bank valuation projects including valuing various net assets acquired, including but not limited to the loan portfolio, core deposit intangible, time deposits, borrowings and other long term debt, and share based payment awards. In addition to the Day 1 valuations and Day 2 experience, Bill and his team have assisted their clients by developing projection and other financial planning models and reports. Bill also has a significant amount of experience related to the Allowance for Loan and Lease Losses (ALLL) under ASC 450-20 and ASC 310-10, including building an ALLL model for a large regional bank. Bill has also worked closely with the valuation team for various financial service line of business acquisitions, including leasing companies, mortgage companies, and broker dealer/investment companies. He provides consulting services to numerous clients ranging in size from $400 million in assets to over $20 billion in assets.
Education, Credentials and Special Training
Certified Public Accountant
Certified Bank Auditor
Master of Accountancy, University of South Carolina
B.S., Accounting, University of South Carolina
SEC Reporting, AICPA
Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Civic and Community Activities
Walk Team Captain, Juvenile Diabetes Research Foundation
Board of Directors, Midlands March of Dimes
Deacon and Former Member of the Finance Committee, First Baptist Church of Columbia
1901 Main Street Suite 900 Columbia, SC 29201 Direct: 803.255.1203 Office: 803.256.0002 Fax: 803.255.0714 [email protected]
R. Jason Caskey, CPA
Shareholder and Financial Services Practice Leader
Services: Assurance | Industries: Financial Services
Professional Overview
As leader of the firm's Financial Services practice, Jason focuses on serving financial institutions and SEC registrants. With more than 24 years of experience, he serves community banking clients in both the private and public sector. Jason has assisted clients with public stock offerings, mergers and acquisitions, and SEC filings including comfort letters. In addition, he also serves clients with a number of consulting engagements including outsourced internal audit, external loan reviews and Bank Secrecy Act reviews. Jason recently completed six years as an elected member of the firm's Executive Committee. He recently completed four years as the managing shareholder of the firm's Columbia office.
Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of South Carolina
University of Virginia National Banking School
Professional Affiliations
American Institute of Certified Public Accountants
South Carolina and North Carolina Association of Certified Public Accountants
State Bankers Associations in South Carolina, North Carolina, Georgia and Virginia
Independent Bankers Association of South Carolina
Civic and Community Activities
Board of Directors and Audit Committee, United Way of the Midlands
Board of Directors and Audit Committee, Navigating from Good to Great
Board of Advisors and Audit Committee, USC Business Partnership Foundation
Member, Greater Columbia Chamber of Commerce Finance Committee
Deacon, First Baptist Church of Columbia
Columbia Chamber of Commerce Committee of 100
Former Board of Directors and Audit Committee, Central Carolina Community Foundation
Former Member Board of Directors, Children's Trust of South Carolina
Former Board of Directors, South Carolina Student Loan Corporation
Former Board of Directors and Audit Committee, SC Economics
Former Member Board of Trustees, Charleston Southern University
Former Member Board of Directors, Juvenile Diabetes Research Foundation
2011 Heart Ball Chair, American Heart Association, Columbia
2008 Distinguished Young Alumnus, USC Moore School of Business
Class of 2006 "20 Under 40," The State
Roundabout Plaza 1600 Division Street, Suite 225 Nashville, TN 37203 Direct: 615-376-1925 Office: 615-292-7135 Fax: 615-292-7169 [email protected]
Larry Felts, CPA
Shareholder
Services: Assurance | Industries: Financial Institutions, Educational Services, Retail, Not-For-Profits, Manufacturing & Distribution
Professional Overview
Larry has more than 30 years of experience with both public and private company clients in industries such as manufacturing and distribution, higher education, financial services, retail, government and technology. He has extensive experience in SEC services, including initial and secondary public offerings, periodic reporting and client and audit committee advisory services. His experience with financial institutions has ranged from major public clients to many Tennessee community banks, credit unions and savings banks. Larry also assists clients with employee benefit plan audits.
Education, Credentials and Special Training
Certified Public Accountant
B.S., Business Administration, University of Tennessee
Professional Affiliations
American Institute of Certified Public Accountants
Tennessee Society of Certified Public Accountants
Civic and Community Activities
Advisory Board Member, Nashville Capital Network
Board Member, Junior Achievement of East Tennessee
Member, Leadership Knoxville
Former President & Board Member, Junior Achievement of East Tennessee
Former Board Member, United Way of Knoxville
Former Chancellor's Associate Member, University of Tennessee
700 East Morehead Street Suite 400 Charlotte, NC 28202 Direct: 704.808.5208 Office: 704.333.8881 Fax: 704.749.7908 [email protected]
Lee E. Haynes, CPA
Shareholder
Services: Assurance | Industries: Financial Services
Professional Overview
Lee has more than 20 years of combined experience in public accounting and accounting/management positions in publicly held companies. He has participated in the audits of larger entities, including multinational and multistate operations. Lee concentrates his time in the financial services industry serving both publicly traded as well as privately held community banks located in North Carolina, South Carolina and Virginia. In addition to financial services expertise, Lee has extensive experience with preparation of consolidated financial statements, Securities and Exchange Commission (SEC) filings and Sarbanes-Oxley compliance. This experience is complemented by Lee's experience with engagements involving internal controls within an organization. Lee works on audits of the design and effectiveness of internal controls of service organizations under SSAE 16 (formerly SAS 70) SOC1 Type 1 and Type 2 engagements as well as AT101 SOC2 Type 1 and Type 2 engagements, and has also overseen audits of internal control over financial reporting as required by Sarbanes-Oxley and FDICIA for audit clients as well as assisted in the design, documentation and implementation of internal control programs for non-audit clients.
Education, Credentials and Special Training
Certified Public Accountant
B.A., Accounting, Furman University
National Banking School, McIntire School of Commerce at the University of Virginia
Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Georgia Society of Certified Public Accountants
North Carolina Bankers Association
South Carolina Bankers Association
Virginia Bankers Association
Independent Bankers Association of South Carolina
Georgia Bankers Association
200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.242.2691 Office: 864.242.3370 Fax: 864.241.5798 [email protected]
F. Andrew Mitchell, CPA
Shareholder
Services: Assurance, Consulting | Industries: Financial Services, Manufacturing & Distribution, Professional Services
Professional Overview
Andy focuses on providing clients with corporate strategy, transaction, finance and auditing services. With 40 years of accounting experience, including 20 years with a Big Four accounting firm, his extensive background includes significant work with public companies and merger and acquisition transactions in the financial services, professional services, manufacturing and distribution industry sectors. As an audit partner, Andy served numerous public company clients and was the partner for more than a dozen initial public offerings. He recently completed five years as an elected member of the firm's Executive Committee and currently serves as the managing shareholder for the Greenville office assurance practice. Andy also served as chief financial officer for a publicly held company and two large private companies. In this capacity, he was responsible for all financial areas including accounting, acquisitions, budgeting, forecasting, credit, cash management, borrowings, information systems and stock offerings for these companies. Andy participated in the completion of an initial public offering and a secondary offering for the public company, which owned numerous retail stores, then negotiated the sale of the company. He also participated in the acquisition of a large operating subsidiary in the aviation service industry, where he was actively involved in the completion of an underwritten bond offering and subsequent registration of those securities. For the third company, he was responsible for the reorganization and ultimate sale of the company, which was involved in the sale of hardware and software development and integration services for national retail chains. Since joining Elliott Davis Decosimo in 2004, Andy has been responsible for the formation and development of the firm's transaction services practice and serving financial institutions as a client service shareholder, including several public reporting companies.
Education, Credentials and Special Training
Certified Public Accountant
B.B.A., Accounting, University of Cincinnati
Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Ohio Society of Certified Public Accountants
700 East Morehead Street Suite 400 Charlotte, NC 28202 Direct: 704.808.5293 Office: 704.333.8881 Fax: 704.749.7993 [email protected]
George Noonan, CPA
Shareholder
Services: Tax | Industries: Financial Services
Professional Overview
With more than 18 years of experience in public accounting, George has worked extensively in the banking and related industries. He provides his clients with a variety of services including tax planning and research, ASC 740 consultation, FIN 48 analysis, tax return preparation, quarterly estimate preparation, forecasts and projections. His experience includes tax preparation and consulting for numerous financial institutions. George has served multi-billion dollar financial institutions filing complex consolidated and multi-state income tax returns.
Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting and Finance, Wright State University
Bank Tax Institute, Annually
Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
North Carolina Bankers Association
South Carolina Bankers Association
Riverfront Plaza West Tower, Suite 1000 901 E. Byrd Street Richmond, VA 23219 Direct: 804.887.2256 Office: 804.612.4380 Fax: 877.803.0432 [email protected]
Paul M. Pickett, CPA
Shareholder
Services: Assurance | Industries: Financial Services
Professional Overview
Paul focuses on providing professional accounting services to the financial services industry, specifically community banks. With more than 20 years of public accounting experience, he has served on audit engagements for more than 40 community banks and bank holding companies in Virginia, West Virginia, North Carolina and South Carolina. Paul has extensive knowledge of GAAP and SEC policies and assists clients with the preparation of consolidated financial statements, quarterly reviews and assistance with SEC filings and reporting, and merger and acquisition reporting. In addition, he serves as an instructor for a number of continuing education courses relating to financial institution accounting and auditing.
Education, Credentials and Special Training
Certified Public Accountant
University of Virginia National Banking School and National Banking Conference, American Institute of Certified Public Accountants
B.B.A., Accounting, Radford University
Professional Affiliations
American Institute of Certified Public Accountants
Virginia Society of Certified Public Accountants
North Carolina Bankers Association
Virginia Association of Community Banks
Virginia Bankers Association
West Virginia Bankers Association
700 East Morehead Street Suite 400 Charlotte, NC 28202 Direct: 704.808.5216 Office: 704.333.8881 Fax: 704.749.7916 [email protected]
Christopher R. Purvis, CPA
Shareholder
Services: Assurance | Industries: Financial Services
Professional Overview
Chris has more than a decade of experience providing audit and consulting services for financial institutions. Chris leads the firm's Compliance Consulting Services group. Training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School. Prior to joining Elliott Davis Decosimo in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been in providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and Interest Rate Risk testing.
Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of Kentucky
B.B.A., Finance, University of Kentucky
General School of Banking, Kentucky Bankers Association
Regulatory Compliance School, North Carolina Bankers Association
Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
North Carolina Bankers Association
Civic and Community Activities
Board of Directors, Charlotte Steeplechase Association/Charlotte Queen's Cup
200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.242.2638 Office: 864.242.3370 Fax: 864.241.5819 [email protected]
Garry A. Rank, CPA
Shareholder
Services: Assurance | Industries: Financial Services, SEC Reporting
Professional Overview
Garry focuses on corporate auditing and accounting as well as consultation regarding governance, financial systems and internal controls. With more than 34 years of experience, his industry concentrations include financial services, manufacturing and Securities and Exchange Commission (SEC) reporting. Additional professional experience includes the management of complex engagements, mergers and acquisitions, projects involving subsidiary companies and the application of accounting and reporting standards.
Education, Credentials and Special Training
Certified Public Accountant
Graduate, American Bankers Association, Business of Banking School
B.S., Accounting, University of Akron
Professional Affiliations
American Institute of Certified Public Accountants, Center for Audit Quality Small Firm Task Force
South Carolina Bankers Association
North Carolina Bankers Association
Georgia Bankers Association
Civic and Community Activities
Past President and Past Treasurer, Habitat for Humanity of Greenville County
Alumnus, Leadership Greenville, Greenville Chamber of Commerce
Past President and Past Treasurer, Greenville Breakfast Rotary Club
Thought Leadership
Speaker on audit committee responsibilities: SCBA/FDIC Directors College, 2003-2012; NCBA Bank Directors Assembly, 2004, 2007-2012
Presentations on SEC, corporate governance and new accounting pronouncements: Elliott Davis Decosimo CFO forum, 2003-2013
Authored various articles for publication regarding corporate governance, Sarbanes-Oxley Act of 2002 and ethics
200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.242.2625 Office: 864.242.3370 Fax: 864.241.5830 [email protected]
Barbara S. Rushing, CPA
Shareholder
Services: Assurance | Industries: Financial Services
Professional Overview
Barbara focuses on providing services to SEC clients in the financial services industry. With more than 20 years of experience, including several years at a Big Four accounting firm, Barbara has extensive knowledge of GAAP and SEC policies. She works with SEC registrant clients on complex accounting issues, comment letters, stock offerings and merger and acquisition reporting. Barbara has serviced more than 40 public offerings. Barbara is Vice Chairperson of the Firm's Assurance & Advisory Committee, a technical committee that oversees quality control policies and risk management of the Firm's attest practice.
Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of South Carolina
Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
1901 Main Street Suite 900 Columbia, SC 29201 Direct: 803.255.1214 Office: 803.256.0002 Fax: 864.241.5808 [email protected]
Beverly A. Seier, CPA, CPCU
Shareholder
Services: Tax | Industries: Financial Services and Insurance
Professional Overview
With more than 20 years of experience, Bev focuses on serving financial institutions, insurance companies and SEC registrants. She provides both public and private clients with a wide range of services, including tax planning and compliance, ASC 740 and SSAP 101 tax provision consulting, federal and state audit examination assistance, mergers and acquisitions tax planning and Sec. 382 change-in-control and 280G golden parachute studies. Prior to joining Elliott Davis Decosimo, Bev was a Tax Partner at a Northeast-based accounting firm.
Education, Credentials and Special Training
Certified Public Accountant
Chartered Property Casualty Underwriter
B.S., Business Administration/Accounting and Mathematics, magna cum laude, University of Mary Washington
Professional Affiliations
American Institute of Certified Public Accountants
Pennsylvania Institute of Certified Public Accountants
North Carolina Internal Audit and Compliance Insights Tuesday, May 5, 2015
Grandover Resort Greensboro, North Carolina
Wayne Adams
North State Bank
Senior Vice President--Risk and Compliance Officer
J. Michelle Bailey
Trust Atlantic Bank
VP and Bank Controller
Bonnie Bastow
Elliott Davis Decosimo
Manager
Bennie Benge
Great State Bank
Internal Auditor
Jay Brietz
Elliott Davis Decosimo
Senior Manager
Jason Brodmerkel
Elliott Davis Decosimo
Manager
Kelly Brown
High Point Bank & Trust
Vice President
Drew Bryan
Elliott Davis Decosimo
Manager
Darlene Buchanan
Paragon Bank
AVP/Audit Officer
Jason Caskey
Elliott Davis Decosimo
Financial Services Practice Leader
Willie Closs
M&F Bank
Board Member
Ryan Collier
Elliott Davis Decosimo
Senior Consultant
Richard Cook
Elliott Davis Decosimo
Director
Matthew Cordell
Ward and Smith, P.A.
Attorney
Don Davis
Select Bank & Trust Company
Independent Loan Review Manager
Mildred Dixon
HomeTrust Bank
Internal Auditor
Anita Easter
First Community Bank
Board Director
Joy Fisher
Carolina Bank
SVP / Internal Audit & Enterprise Risk Manager
Christy Flynt
Sound Bank
SVP/ Chief Compliance Officer and Operating Office
Fred Gennari
Paragon Bank
Director of Internal Audit
Jeff Gordon
High Point Bank and Trust
Senior Auditor
Leslie Hambrick
Peoples Bank
First VP, Chief Internal Auditor
Chadwick Hammond
Lumbee Guaranty Bank
Chief Financial Officer
Lenaire Harrison
HomeTrust Bank
Staff Auditor II
Mary Hauser
First Citizens Bank
Staff Auditor II
Lee Haynes
Elliott Davis Decosimo
Shareholder
Jeremy Helms
Elliott Davis Decosimo
Senior
Lisa Herring
Four Oaks Bank
Senior Vice President, General Auditor
Carrie Hewitt
Yadkin Bank
Chief Auditor
TC Hinkle
Elliott Davis Decosimo
Manager
Betsy Hocutt
High Point Bank & Trust
Senior Auditor
Hilay Hoskins
Federal Deposit Insurance Corporation
Financial Institution Examiner
Anne Howard
TrustAtlantic Bank
Senior Vice President
Mike Kidd
NewBridge Bank
Director Corporate Audit Services and CRO
Laura Kirk
First Citizens Bank
SVP/ Senior Audit Manager
Sara Kollien
Wells Fargo & Company
Accounting, Governance & Oversight Consultant
Michael Koupal
Elliott Davis Decosimo
Senior Manager
Katie Lagasse
First Citizens Bank
Internal Audit
Kristin Lang
Carolina Premier Bank
Director
Amy Macari
Carolina Premier Bank
Chief Administrative Officer
Bill McKendry
Bank of North Carolina
Chief Enterprise Risk Officer
Becky Melton
Grayson National Bank
Chief Credit Officer
Scott Mercer
McGriff, Seibels & Williams, Inc.
Senior Vice President
Dan Metcalf
Old Town Bank
Controller
George Noonan
Elliott Davis Decosimo
Shareholder
Edward Payne
Taylorsville Savings Bank, SSB
Secretary/Treasurer, CFO
Chris Purvis
Elliott Davis Decosimo
Shareholder
Austin Ramsey
Elliott Davis Decosimo
Senior
Melody Reed
Elliott Davis Decosimo
Manager
Anna Robinson
Elliott Davis Decosimo
Practice Growth Coordinator
Nick Rossini
Yadkin Bank
Director of Risk Management
Ryan Senegal
Federal Deposit Insurance Corporation
Examiner
Steve Setser
Select Bank & Trust
VP, General Auditor
Kay Smith
Fidelity Bank
Chief Risk Officer
Regina Smith
KS Bank
CFO
Alan Stapleton
Carolina Premier Bank
Controller
Cheryl Steed
High Point Bank & Trust
Vice President, Internal Audit
Ed Swing
Bank Consultant
Susan Thacker
Carter Bank & Trust
Auditor
Marshall Trull
Elliott Davis Decosimo
Senior
Rose Washofsky
Elliott Davis Decosimo
Business Development Director
Amy Watts
Union Bank & Trust Co
Chief Risk Officer
Josh White
Elliott Davis Decosimo
Senior Manager