
Page 1

North Carolina Risk Management Seminar 2015 Tuesday, May 5, 2015

Grandover Resort, Greensboro, North Carolina _________________________________________________________________

8:30 am - 9:00 am Registration & Continental Breakfast
9:00 am - 9:10 am Opening Remarks – Chris Purvis, Shareholder, Elliott Davis Decosimo
9:10 am – 10:00 am Developing an Effective Enterprise Risk Management Program – Jay Brietz, Senior Manager, Elliott Davis Decosimo
10:00 am - 10:50 am Regulatory Compliance Hot Topics – Matthew Cordell, Attorney, Ward & Smith, P.A.
10:50 am - 11:10 am Break
11:10 am - 12:00 pm Cybersecurity and Data Security – Richard Cook, Director, Elliott Davis Decosimo
12:00 pm - 1:00 pm Lunch
1:00 pm - 1:50 pm Regulatory Focus on Internal Audit – Ryan Senegal, Examiner, Federal Deposit Insurance Corporation
1:50 pm - 2:40 pm Performing Model Validations: Interest Rate Risk/Asset Liability Management, Allowance for Loan Losses, Bank Secrecy Act – Melody Reed, Manager, Elliott Davis Decosimo; Michael Koupal, Senior Manager, Elliott Davis Decosimo
2:40 pm - 2:50 am Break
2:50 pm - 4:00 pm Risk Management Roundtable – Chris Purvis, Moderator; Laura Kirk, SVP/Senior Audit Manager, First Citizens Bank; Bill McKendry, Chief Enterprise Risk Officer, Bank of North Carolina; Steve Setser, SVP/General Auditor, Select Bank
4:00 pm Course Evaluation and Wrap Up

Page 2

Financial Services Shareholder Contact Information

Bob Beckwith, CPA Shareholder Direct: 864.552.4763 E-mail: [email protected]

Paul Pickett, CPA Shareholder Direct: 804.887.2256 E-mail: [email protected]

Garry A. Rank, CPA Shareholder Direct: 864.242.2638 E-mail: [email protected]

Barbara Rushing, CPA Shareholder Direct: 864.242.2625 E-mail: [email protected]

Jason Caskey, CPA Financial Services Practice Leader Direct: 803.255.1203 E-mail: [email protected]

Larry Felts, CPA Shareholder Direct: 615.376.1925 E-mail: [email protected]

Lee Haynes, CPA Shareholder Direct: 704.808.5208 E-mail: [email protected]

Andy Mitchell, CPA Shareholder Direct: 864.242.2691 E-mail: [email protected]

Beverly A. Seier, CPA, CPCU Shareholder Direct: 803.255.1214 E-mail: [email protected]

Bill Bossong, CPA, CBA Shareholder Direct: 803.255.1497 E-mail: [email protected]

George Noonan, CPA Shareholder Direct: 704.808.5293 E-mail: [email protected]

Christopher Purvis, CPA Shareholder Direct: 704-808-5216 E-mail: [email protected]

Page 3

FINANCIAL SERVICES

elliottdavis.com © Elliott Davis Decosimo LLC © Elliott Davis Decosimo PLLC

Financial Services - 360° Industry Perspective

ARE YOU... Concerned about risk? Considering a merger or acquisition? Interested in preserving your capital? Looking for strategies to manage effective tax rates? Struggling to stay abreast of complex SEC reporting and regulations? Searching for a resource to assist with ever-changing accounting standards?

SOLUTIONS

Assurance • Audit services • Risk assessment • Analytical review procedures • Evaluation of internal controls

SEC Related Services • Preparation of 10-Qs and 10-Ks • SOX 404 documentation and testing

Tax • Income tax preparation and planning • State and local tax services • Tax estimates • Executive compensation review • Evaluation of deferred tax asset • Cost segregation studies • Mergers and acquisitions

Non-Audit Services • Outsourced internal audit • External loan reviews • Regulatory compliance audits • Bank Secrecy Act/anti-money laundering model validation • Interest rate risk and liquidity testing • Allowance for loan loss validation • Day 1 valuation and Day 2 accounting services • Information system audits • Information security reviews • SSAE 16 (SAS 70) reports • Trust reviews

Acquired Loan Valuation Services

• ValuCast™

The banking industry is complex and rapidly evolving. You deserve the right team with the right leadership to serve you. More than 120 financial institutions, large and small, depend on our Financial Services Practice for personal attention, industry experience and services including external and internal audit, SEC reporting, taxation and compliance. With a 60-year reputation and a team of more than 100 professionals serving financial institutions, we help banks operate stronger, wiser, better.

Page 4

2015 NC Internal Audit & Risk Management Seminar

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Tuesday, May 5, 2015

Page 5

Developing an Effective Enterprise Risk Management Program

Jay Brietz, CPA and CIA Senior Manager May 5, 2015

© Elliott Davis Decosimo, PLLC

Page 6

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

© Elliott Davis Decosimo, PLLC

2

Page 7

Agenda

© Elliott Davis Decosimo, PLLC

• Background • An ERM Framework • Roles in the Risk Assessment Process • Key Implementation Factors

3

Page 8

Background

We perform risk assessments everyday…

…and we make risk-based decisions

4 © Elliott Davis Decosimo, PLLC

Page 9

Background

Importance of the risk assessment • Critical part of the risk management process and important planning tool for your bank • Increased focus of regulators • Increased focus of rating agencies

Risk 101

5 © Elliott Davis Decosimo, PLLC

Page 10

Background

• Risk concepts and terms: – Risk -vs- uncertainty – Definitions of risk – Myths about risks

6 © Elliott Davis Decosimo, PLLC

Page 11

Background

What is the difference between risk and uncertainty?

7 © Elliott Davis Decosimo, PLLC

Page 12

Background

COSO’s definition of risk…

The possibility that an event will occur and adversely affect the achievement of an objective.

8 © Elliott Davis Decosimo, PLLC

Page 13

Background

Other definitions of risk…

A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. BusinessDictionary.com

9 © Elliott Davis Decosimo, PLLC

Page 14

Background

The Economic Times describes risks…

Risks are of different types and originate from different situations. We have liquidity risk, sovereign risk, insurance risk, business risk, default risk, etc. Various risks originate due to the uncertainty arising out of various factors that influence an investment or a situation.

10 © Elliott Davis Decosimo, PLLC

Page 15

Background

Myths about risk… • All risks are bad • Some risks are so bad…we should automatically eliminate them (half-court shot, hole-in-one) • Playing it safe is always the safest answer • You cannot develop plans for the unknown

11 © Elliott Davis Decosimo, PLLC

Page 16

Background

Other risk assessments that often feed into the bank's ERM Model…

[Diagram: Enterprise Risk Management at the center, fed by Internal Audit Risk Assessment, Fraud Risk Assessment, IT Risk Assessment, Compliance Risk Assessment and Other Risk Assessments; callout: "Our focus today"]

12 © Elliott Davis Decosimo, PLLC

Page 17

Agenda

• Background • An ERM Framework • Roles in the Risk Assessment Process • Key Implementation Factors

13 © Elliott Davis Decosimo, PLLC

Page 18

An ERM Framework

[Diagram: ERM risk categories; only the "Credit" label survives extraction]

14 © Elliott Davis Decosimo, PLLC

Page 19

An ERM Framework

COSO’s definition of Enterprise Risk Management…

A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

15 © Elliott Davis Decosimo, PLLC

Page 20

An ERM Framework

COSO’s Enterprise Risk Management Integrated Framework

16

The eight components of the framework are interrelated…

© Elliott Davis Decosimo, PLLC

Page 21

An ERM Framework

• Establishes a philosophy regarding risk management • Recognizes that unexpected as well as expected events may occur • Establishes the entity’s risk culture • Considers all other aspects of how the organization’s actions may affect its risk culture

17

Internal Environment

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 22

An ERM Framework

• Is applied when management considers risks in the setting of objectives

• Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept

• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite

18

Objective Setting

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 23

An ERM Framework

• Differentiates risks and opportunities • Events that may have a negative impact represent risks • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting

• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives

• Addresses how internal and external factors combine and interact to influence the risk profile

19

Event Identification

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 24

An ERM Framework

• Allows an entity to understand the extent to which potential events might impact objectives

• Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives • Employs a combination of both qualitative and quantitative risk assessment methodologies • Relates time horizons to objective horizons • Assesses risk on both an inherent and a residual basis

20

Risk Assessment

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 25

An ERM Framework

• Identifies and evaluates possible responses to risk • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood

• Selects and executes response based on evaluation of the portfolio of risks and responses

21

Risk Response

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 26

An ERM Framework

• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out

• Occur throughout the organization, at all levels and in all functions

• Include application and general information technology controls

22

Control Activities

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 27

An ERM Framework

• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities

• Communication occurs in a broader sense, flowing down, across, and up the organization

23

Information & Communication

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 28

An ERM Framework

• Effectiveness of the other ERM components is monitored through:

– Ongoing monitoring activities – Separate evaluations – A combination of the two

24

Monitoring

Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Page 29

Agenda

• Background • An ERM Framework • Roles in the ERM Process • Key Implementation Factors

25 © Elliott Davis Decosimo, PLLC

Page 30

Roles in the ERM Process

Three lines of defense 1. Front line unit 2. Risk management, compliance, etc. 3. Internal audit, credit review, etc.

26 © Elliott Davis Decosimo, PLLC

Page 31

Roles in the ERM Process

Three lines of defense - Front line unit • Boots on the ground managers of risk • Must have the ability to identify, assess and react to risks on a day-to-day basis • Own and manage the risks of their area • Incented to raise the flag

27 © Elliott Davis Decosimo, PLLC

Page 32

Roles in the ERM Process

Three lines of defense – Risk Management

• Supports and guides the risk owners • Manages the risk framework • Monitors risk and compliance with guidance via metrics and other measures

28 © Elliott Davis Decosimo, PLLC

Page 33

Roles in the ERM Process

Three lines of defense – Internal Audit • Play an important role in monitoring ERM, but should NOT have primary responsibility for its implementation or maintenance

• Assist management and the board or audit committee in the process by:

– Ongoing monitoring – Separate evaluations – Recommending improvements

29 © Elliott Davis Decosimo, PLLC

Page 34

Agenda

• Background • An ERM Framework • Roles in the ERM Process • Key Implementation Factors

30 © Elliott Davis Decosimo, PLLC

Page 35

Key Implementation Factors

• Organizational design of the business • Establishing an ERM organization • Performing risk assessments • Determining overall risk appetite • Identifying risk responses • Communication of risk results • Monitoring • Oversight and periodic review by management • The last key implementation factor

31 © Elliott Davis Decosimo, PLLC

Page 36

Key Implementation Factors

Organizational Design of the Business • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage)

32 © Elliott Davis Decosimo, PLLC

Page 37

Key Implementation Factors

Establishing an ERM Organization • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities

33 © Elliott Davis Decosimo, PLLC

Page 38

Key Implementation Factors

Example Organizational Structure

34

[Org chart: Board of Directors; Audit Committee; Enterprise Risk Management Committee; Risk Management (ERM); Internal Audit; Compliance; risk areas shown: Asset/Liability Risk, Operational Risk, Fraud Risk, Reputational Risk]

© Elliott Davis Decosimo, PLLC

Page 39

Key Implementation Factors

Performing Risk Assessments • Identify the risk opportunities • Assess/measure the risks identified • Prioritize or rank the risks in order to form a risk appetite strategy

35 © Elliott Davis Decosimo, PLLC

Page 40

Key Implementation Factors

Determining Overall Risk Appetite • Risk appetite is the amount of risk an entity is willing to accept in order to attain appropriate or sought after returns

• Three components you should know before drafting a risk appetite:

– Strategic plan and organizational goals – Organizational risk profile – Risk thresholds – used to monitor exposure compared to risk appetite

36 © Elliott Davis Decosimo, PLLC

Page 41

Key Implementation Factors

Determining Overall Risk Appetite Key questions in developing your risk appetite:

– What risks will the organization not accept? (e.g. environmental or quality compromises)

– What risks will the organization take on new initiatives? (e.g. new product lines)

– What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

37 © Elliott Davis Decosimo, PLLC

Page 42

Key Implementation Factors

Identifying Risk Responses

38

Management’s response to risk

Avoidance: Exiting the activities giving rise to the risk

Acceptance: No action is taken to affect risk likelihood or impact

Reduction: Action taken to reduce the risk likelihood or impact or both

Sharing: Reducing the likelihood or impact by transferring or sharing a portion of the risk

© Elliott Davis Decosimo, PLLC

Page 43

Key Implementation Factors

39 Source: COSO’s Enterprise Risk Management – Integrated Framework © Elliott Davis Decosimo, PLLC

Identifying Risk Responses

[Figure: risk response matrix with PROBABILITY on the horizontal axis (Low to High) and IMPACT on the vertical axis (Low to High); the quadrants are labelled Accept, Control, Share, and Mitigate & Control or Avoid, and rated Low Risk, Medium Risk, Medium Risk and High Risk]

Page 44

Key Implementation Factors

Communication of risk results • Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments

40 © Elliott Davis Decosimo, PLLC

Page 45

Key Implementation Factors

Monitoring • Collect and display information • Perform analysis

- Risks are being properly addressed - Controls are working to mitigate risks

41 © Elliott Davis Decosimo, PLLC

Page 46

Key Implementation Factors

What is the Secret Key Implementation Factor?

42

• This is not a sprint, it is a marathon - How about a 5K - How about a half marathon - Get some wins and build momentum • Develop a plan to get to the finish line • Communicate your progress

© Elliott Davis Decosimo, PLLC

Page 47

Additional Resources

North Carolina State’s ERM Initiative http://mgt.ncsu.edu/erm/

Institute of Internal Auditors http://www.theiia.org/

COSO http://www.coso.org/

• Embracing Enterprise Risk Management: Practical Approaches for Getting Started

• Developing Key Risk Indicators to Strengthen Enterprise Risk Management

43 © Elliott Davis Decosimo, PLLC

Page 48

Additional Resources

AICPA:
• ERM – Guide for Practical Implementation and Assessment

Professional standards:
• PCAOB Standards Nos. 8-15 – The Risk Assessment Standards
• Auditing Standards – SAS Nos. 104-112

Publications:
• Current Issues in Bank Auditing – Bank Research Associates
• Bank Directors Magazine

Federal Reserve Board:
• www.bankdirectorsdesktop.com

44 © Elliott Davis Decosimo, PLLC

Page 49

Questions

45 © Elliott Davis Decosimo, PLLC

Page 50

Jay Brietz, CPA and CIA Email: [email protected] Phone: 704.808.5247 Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

© Elliott Davis Decosimo, PLLC

46

Page 51

2015 NC Internal Audit & Risk Management Seminar

© Elliott Davis Decosimo, LLC © Elliott Davis Decosimo, PLLC

Tuesday, May 5, 2015

Page 52

© 2015 Matthew A. Cordell

Matthew A. Cordell, Ward and Smith, P.A. P: 800.998.1102 F: 919.277.9177 E: [email protected]

Legal and Compliance Risks: Hot Topics

2015 Annual Risk Management Seminar Sponsored by Elliott Davis Decosimo

May 5, 2015, Greensboro, NC

Page 53

Cybersecurity Risk (of course!)

• March 30 FFIEC Cybersecurity Guidance

– Compromised Credentials

• Update Threat Assessment, Policies & Procedures • Third-party Vendors • Monitor Alerts • Limit Admin Access • Report to senior management and board • Training

– Destructive Malware

2

Page 54

Home Mortgage Disclosure Act

• Easier to Define Covered Loans • Higher Reporting Threshold • New Data Points • More Frequent Reports for Large Banks • Reporting Format and Method are TBD • Final Rule Expected in 2015 • Fair Lending

3

Page 55

HUD/Legal Aid of NC

• Legal Aid Fair Housing Project began in 2011 • $975,000 Private Enforcement Initiative (PEI) Grant • Conducting "undercover investigations"

4

Page 56

TILA/RESPA Integrated Disclosure

• August 1, 2015
• Loan Estimate
  – Beware seemingly incomplete loan applications; they may be “complete” under new rules.
• Closing Disclosure
  – Post-Closing Review
  – Record Retention


TILA/RESPA Integrated Disclosure

• Readiness Assessment
  – Do you have policies and forms for pre-consummation and post-consummation disclosures?
  – Are you tracking the new tolerances?
  – Who needs to be trained?


FCRA

• Fair Credit Reporting Act seems to be a focus of CFPB and lawsuits.

• Reporting disputed debts
• Partial payment reported as “paid in full”
• Negative reporting on individual guarantors of commercial loans


Auto Lending

• A "top priority" says CFPB's #2
• CFPB extracted $56 million from banks in the last two years
• Now focused on nonbanks
• NADA Model
• Not just Fair Lending


UDAAP

• Ambiguity persists
• What to do?
  – Read the guidance
  – Monitor trends in enforcement
  – Monitor public statements by officials
  – Know your customers
  – Know your vendors
  – Watch your advertising
• Sensitive Areas
  – Overdrafts
  – Credit card add-ons
  – Payment processor relationships
  – Fee Disclosures
  – "Free" claims
  – Contests
  – College students


Consumer Complaint Database

• Customer complaint narratives and documents to be posted beginning later this month

• Bank responses are limited to one of a limited number of standard responses

• Need to verify if complaining person is a customer within 15 days


BSA/AML

• Beneficial ownership
  – Identify
  – Verify
  – Nature & Purpose
  – Monitoring
• MSB
  – First National Bank of Delaware
  – North Dade CDFCU


Games and Contests

• Prize-Linked Savings Accounts SB 327
  – Likely to pass
  – Similar to CU statute
• Lotteries prohibited
• Raffles
• Sweepstakes


Deposit

• Deposit Account Agreements
  – Arbitration clauses in consumer accounts
    • CFPB report just released
    • Rules expected
  – Do agreements match practices?
  – Do agreements explain customer's liability for losses?


Prepaid Cards

• $100 billion U.S. market
• Final rule expected soon
• Periodic statements or online access
• Error Resolution
• Disclosures – Full and Summary
• Credit features
  – Ability to pay
  – Limits on liability
  – Error Resolution
  – Limits on interest, fees, payment periods
  – Limits on setoff rights


Other Hot Spots

• Linked products
• Mortgage servicing and collection
• College students
• Social Media


LinkedIn.com/in/MattCordell

Twitter.com/MattCordell

Blogs: BizLawNC.com, PrivacyLawNC.com

Keep up with me


Cybersecurity and Data Security

© Elliott Davis Decosimo, PLLC

Richard Cook Director IT Audit & Security

May 2015


This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.


• Cybersecurity

• Data Security

Information Technology Topics for Today


• Cybersecurity Update for 2015

- Intel Security Report - 2015

- Kaspersky Carbanak Report - 2015

- Verizon’s Data Breach Investigations Report - 2015

• Common Themes

• Integrating Cybersecurity Responses into your Existing Programs

Cybersecurity Agenda


• Intel Report About Social Engineering

• Kaspersky Report on Carbanak

• Verizon Security Report

Cybersecurity Update - 2015


• People, processes and technology are needed to help mitigate risk

• Technology alone is not enough to protect users

- Email is the most prevalent initial target

• 2015 and beyond, no slowdown in sight for social engineering attacks

- "The reality is that social-based attacks will continue for the foreseeable future."

Intel Security Report


Global Spam and Email Volume


Intel Security Report


• Launched an online quiz to show how easy it is to get people hooked on a social engineering phishing email

• Social engineering is a low-tech attack: the technical resources required to execute it are limited

• Organizations must channel resources into education and cultural change


Kaspersky – Carbanak Report


• Attacks still active

• Motivation – Financial gain (not espionage or access to private information)

• Started with a spear phishing email that appeared to be legitimate banking communications

• Email attachments exploited Microsoft Office 2003, 2007, 2010 vulnerabilities


• Highly sophisticated once they gained ‘some’ access

• Important point: initial access was via phishing emails, followed by exploitation of known vulnerabilities

Kaspersky - Carbanak Report


• Phishability

• Not patching or using outdated systems

• Posting too much information about self or work

• Reusing passwords across sites

• Indiscriminate use of mobile media

• Lack of situational awareness (believing you are not a target)

• Accidental loss or disclosure of sensitive information

Verizon - Top Seven Human Risks


• 23% of recipients open phishing email and 11% click on the attachments

• 99.9% of the exploited vulnerabilities were compromised more than a year after the Common Vulnerabilities and Exposures (CVE) was published

Verizon Security Report


Verizon Security Report – Attack Patterns


The first four attack patterns account for 90% of incidents, and all four are ‘People’ related


• Multi-frontal approach is mandatory

• Social Engineering is here to stay

- Human nature

• Virus Protection and Patching Programs

- As important as ever

• Monitoring tools – necessary, but not preventive

• Assessment tools

Common Themes


You already have…

• Information Security Program

• IT and Information Security (GLBA) Risk Assessments

• Incident Response Plan

• Business Continuity Plan

• Training Programs

• IT Strategic Plan

Integrating Cyber Security Responses


• It’s about integrating your:

- Programs

- Training

- Response plans

- Effectiveness testing

• With your:

- Employees

- Contractors

- Vendors

- Physical assets

What to Do Next


• Must be aware of your current security posture

- What do we have in place?

- How does it all work/fit together?

• Assessment – how do I know how we’re doing?

- Scans – Internal and External

- Social Engineering assessments

- IT General Controls

Where Do I Stand?


• Does your Information Security training program adequately cover security awareness?

- Have you conducted testing of the program’s effectiveness?

• Does your Incident Response plan include provisions for cyber events (internal and external)?

- Do employees know how and when to report and respond to possible cyber events?

• Are your IT General Controls providing adequate coverage for anti-virus and patch management?

What Do I Need to Check?


• State Bank Supervisors

• FFIEC

• FDIC

• ABA

• COSO

• COBIT

• ISACA

• Verizon Cybersecurity survey

Cybersecurity Resources, Tools, Frameworks


Conference of State Bank Supervisors


• Cybersecurity 101 – the framework is organized according to the five core cybersecurity functions (presented at the 2015 Conference of State Bank Supervisors)


• Assesses an institution’s current practices and overall cybersecurity preparedness, with a focus on the following key areas:

- Risk Management and Oversight

- Threat Intelligence and Collaboration

- Cybersecurity Controls

- External Dependency Management

- Cyber Incident Management and Resilience

FFIEC – Cybersecurity Assessment


• November 3, 2014 – Press release

• https://www.ffiec.gov/press/pr110314.htm

• Recommends that financial institutions participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC) https://www.fsisac.com/

• FS-ISAC is a non-profit information-sharing forum established by the industry to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information

FFIEC


• The FDIC created “Cyber Challenge: A Community Bank Cyber Exercise” to encourage community banks to conduct short exercises or facilitated discussions around four operational risk-related scenarios. The “Cyber Challenge” is available at

- https://www.fdic.gov/regulations/resources/director/technical/cyber/cyber.html

FDIC


• Vendor Management

• System Security/User Access Reviews


Data Security - Agenda


• Most financial institutions are doing a good job with vendor management review; however:

- Management should be sure to tie out the User Control Considerations (UCCs) from the vendor's report to validate that these controls are actually in place at the institution

- Oftentimes these controls are already covered by other testing, which management can leverage, such as:

• FFIEC Internal Audit review

• FDICIA testing

• SOX testing

Data Security – Vendor Management


• Management should review their third-party agreements to determine exactly who owns which processes. Consider:

- Does the third party host the production servers, or are they housed by the financial institution?

- Who is responsible for supporting the production servers, maintaining security (user provisioning), making changes to parameter settings (tolerances, system-enforced approvals), and adding administrator access?

- There should be a very distinct delineation of responsibilities

- Management does not have the luxury of solely depending on the third party without understanding its own responsibilities

Data Security – Vendor Management


• If the bank houses the systems on site, management must review the application, operating system and database users

• Management should be sure to review users to determine whether the bank has any segregation of duties (SoD) conflicts. If conflicts exist, management should have mitigating controls (business process controls) to reduce the risk, such as:

- Reviewing master data changes (file maintenance changes, changes to standing data, changes to customer information, changes to vendor information), review of GL entries, review of parameter changes.

Data Security – System Security


• To appropriately address SoD conflicts, we should incorporate a risk-based approach

• Management should consider SoD conflicts across systems (e.g., client setup and loan approval, vendor setup and vendor approval)

Data Security – System Security cont.


• Administrator Access – the riskiest access levels should receive the highest level of scrutiny

• All vendor accounts should be reviewed to ensure that access is appropriately restricted (are the vendors using a shared account?). Management should always want individual accountability

• All IT access to financial applications should be questioned

• Management should not use generic accounts or shared accounts if the users have access to production data

Data Security – User Access Reviews


• Management should always remember that the business owns the data while it is the IT group’s responsibility to secure the data

• The user access reviews should be performed by the business (not IT). It is okay to use IT's assistance

• If changes are noted during the User Access Reviews – management should determine the nature of the changes being requested. Is there some underlying reason why the changes are being requested? Does the bank have an inherent problem with their user provisioning process?

Data Security – User Access Reviews cont.


• If production systems are hosted by the financial institution – management should also review the operating system and database layers

- Direct access to the operating systems should be very limited. Be sure to review users that have local administrator access to the operating system (these would generally be IT users)

- Direct access to the production database should be the most restricted access. Every user with direct access to the database should be questioned (just being a member of the IT group is not sufficient support to have this high level of access)

Data Security – User Access Reviews cont.


- To emphasize one more time – the business is ultimately responsible for limiting access to the operating system and the database (as well as the application). There should be a business case for each user that has administrator or elevated access to the operating system and/or the database. Direct access to the database should be the most limited for all systems.

• In most instances – we see the IT group reviewing access to the operating system and database – if the access is being reviewed at all

• IT can facilitate the review – but the business should sign off on the review

Data Security – User Access Reviews cont.


• Third-party access to systems should be logged and actively monitored if systems are hosted in house. A formal process should be in place (using a risk-based approach; consider the question "what can go wrong?") to ensure that the vendor is not making unapproved changes to production data.

• Users should not review their own access rights

• In summary, I challenge you with two questions:

- How do you know that only approved users have access to systems and that their access is appropriate for their job functions?

- Do you have a process in place to identify if unapproved changes are occurring to production data?

Data Security – User Access Reviews cont.
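The user access review questions raised in these slides (SoD conflicts across systems, shared and vendor accounts, direct database access without a business case, and unapproved changes to production data) can be turned into repeatable checks. The block below is an added example and is not part of the seminar deck; every system name, role, account and change-log record in it is constructed for illustration.

```python
"""Turning the user-access-review questions into repeatable checks.

Added example, not part of the seminar deck. All systems, roles, accounts
and change-log records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str   # constructed system names: "core", "los", "ap"
    role: str


@dataclass(frozen=True)
class Account:
    user: str
    account_type: str        # "employee", "vendor" or "it"
    shared: bool             # generic/shared credential used by several people
    production_access: bool  # can read or change production data
    direct_db_access: bool   # direct access to the production database layer
    business_case: str = ""  # documented justification for elevated access


# Toxic combinations one person must not hold, including across systems
# (client setup in the core system plus loan approval in the LOS).
SOD_RULES = {
    "client setup + loan approval": {("core", "client_setup"), ("los", "loan_approval")},
    "vendor setup + vendor approval": {("ap", "vendor_setup"), ("ap", "vendor_approval")},
}


def find_sod_conflicts(entitlements, rules=SOD_RULES):
    """Return (user, rule name) for every user holding every pair of a rule."""
    held = defaultdict(set)
    for e in entitlements:
        held[e.user].add((e.system, e.role))
    return [(user, name)
            for user, pairs in sorted(held.items())
            for name, toxic in rules.items()
            if toxic <= pairs]


def flag_accounts(accounts):
    """Apply the review questions from the slides to each account."""
    findings = []
    for a in accounts:
        if a.shared and a.production_access:
            findings.append((a.user, "shared or generic account with production access"))
        if a.account_type == "vendor" and a.shared:
            findings.append((a.user, "vendor on a shared account; no individual accountability"))
        if a.direct_db_access and not a.business_case.strip():
            findings.append((a.user, "direct database access without a documented business case"))
    return findings


def unapproved_changes(change_log, approved_tickets):
    """IDs of production-data changes that cannot be tied to an approved change ticket."""
    return [c["id"] for c in change_log if c["ticket"] not in approved_tickets]


# Constructed sample data
ENTITLEMENTS = [
    Entitlement("jsmith", "core", "client_setup"),
    Entitlement("jsmith", "los", "loan_approval"),    # cross-system conflict
    Entitlement("amiller", "ap", "vendor_setup"),
    Entitlement("bjones", "ap", "vendor_approval"),   # split across two people: fine
    Entitlement("svc_vendor", "core", "parameter_admin"),
]
ACCOUNTS = [
    Account("jsmith", "employee", False, True, False, "loan officer"),
    Account("svc_vendor", "vendor", True, True, False),
    Account("dba_team", "it", True, False, True),
    Account("rlee", "it", False, True, True, "named DBA, access approved by business owner"),
]
CHANGE_LOG = [
    {"id": 1, "actor": "svc_vendor", "table": "customer", "ticket": "CHG-101"},
    {"id": 2, "actor": "svc_vendor", "table": "loan_params", "ticket": ""},
    {"id": 3, "actor": "rlee", "table": "gl_entries", "ticket": "CHG-999"},
]
APPROVED_TICKETS = {"CHG-101"}


def review_report():
    """Everything the business owner signs off on, in one structure."""
    return {
        "sod_conflicts": find_sod_conflicts(ENTITLEMENTS),
        "account_findings": flag_accounts(ACCOUNTS),
        "unapproved_changes": unapproved_changes(CHANGE_LOG, APPROVED_TICKETS),
    }


if __name__ == "__main__":
    for section, items in review_report().items():
        print(section)
        for item in items:
            print("  ", item)
```

In practice the entitlement and account lists come from the application, operating system and database layers, and the change log from the audit trail of the hosted system; the business owner, not IT, reviews the resulting findings.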


Questions


Richard Cook [email protected]

704.808.5275

Bonnie Bastow [email protected]

704.808.5243

Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.


2015 NC Internal Audit & Risk Management Seminar


Tuesday, May 5, 2015


INTERNAL AUDIT

Elliott Davis Decosimo
Michael P. Egan, Supervisory Examiner
May 2015

FEDERAL DEPOSIT INSURANCE CORPORATION

Overview

• Back to Basics Approach
• Risk Assessments
• Audit Planning
• Audit Workprograms & Sampling Methodology
• Deficiency Tracking & Validation Guidance
• Staff Expertise and Ongoing Professional Education
• Quality Control Programs


Back to Basics

• Hot Topic – Accountability
• Horizontal Review at Large Community Banks in North Carolina and South Carolina ($1B-$10B)
• Develop Best Practices and identify emerging risks

Presentation Notes:
The review focused on key elements of internal audit, including the following items: assessment of the Audit Universe; review of the Risk Assessment Methodology and Modeling; adequacy of Internal Audit Workprograms; assessment of Audit Sampling Methodologies; assessment of Internal Audit Policies and Charters; evaluation of staff competence, adequacy of staffing levels, and training and development plans; adequacy of deficiency tracking and validation standards; determination of the level of Audit Committee involvement; review of outsourced internal and external audit engagements and vendor management; and the effectiveness of quality assurance programs. To ensure audit procedures and standards were consistently applied, the same examiners performed each review.

Risk Assessments

• Business line specific narrative regarding:
  – Inherent risks
    • High, Medium, and Low should have the same detail for every business line.
  – Any mitigating controls in place
  – Any other components that may impact the overall risk ratings
• Risk ratings should be defined and correspond to an audit frequency.

Presentation Notes:
Some RAs were outsourced and a majority were completed internally. Overwhelmingly, most RAs lack business-line-specific narrative. The majority of prepared risk assessments listed various inherent risk categories; however, most assessments lacked any mitigating control factors. Generic examples of what would qualify for the ratings are described; however, the assessments lacked business-line-specific narrative detailing mitigating factors and any other components utilized to determine the level of risk for each auditable entity. In order to implement a more risk-focused audit plan, management should enhance the risk assessment process to include specific mitigating factors and controls, as well as more detailed inherent risk information.

Audit Planning

• Comprehensive document approved by the Board/Audit Committee annually.
• Timing and Frequency of Audits
• Prior Audit Date and Rating
• Individual or vendor responsible for audit
• Large community banks project audit hours
• Multi-Year Audit Plan
  – Reassess when needed

[Chart: Multi Year Audit Plan – Yes 30%, No 70%]

Presentation Notes:
The Audit Plan should detail the timing and frequency of planned internal audit work, the individual or vendor responsible for conducting the audit, and prior audit ratings and dates. As some audit frequencies extend beyond one year, management should develop a multi-year audit plan to evaluate internal resources compared to the audit plan for upcoming year(s) and determine if co-sourcing or additional staffing is necessary. To aid in this process, internal audit hours are budgeted, tracked, and compared to the workload on the upcoming audit plan. Approximately 80 percent of the participating institutions project audit hours.

Potential Red Flags

• Rapid growth
• Management or key employee turnover
• Recommendations are not effective in prompting management corrective action
• Concentrations of assets with complex valuation methods
• Basic internal control deficiencies
• Poor or absent documentation

Presentation Notes:
Internal auditors should also be assessing these factors to determine if additional audits or expanded procedures are warranted.

Workprograms

• Expect more sampling at examinations
• Detailed scope
• Comprehensive procedures
• Sampling methodology
• Prior audit rating & findings
• Assess remediation efforts
• Risk-Focused versus Accounting-Based
• Regulatory Compliance


Sampling Methodology

Review revealed sampling is generally guided by SOX testing requirements from vendors.

In some instances the sample sizes appeared very low with little or no narrative.

• ALLL: 15 impairment analyses worksheets, or less than 9%
• Wires: 20 sampled over a 12-month period, or less than 3% of outgoing wires.
• Consumer Loans: Random sample of 15 loans
  – 4 Auto Reviews
  – 6 HELOCs
  – 5 Installments


Deficiency Tracking

• Responsibility for updating
• Guidance for validation efforts
  – Next audit cycle may be up to 36 months
  – Vary by significance
• Maintaining closed issues to determine if there are repeat findings
• Track regulatory findings and remediation

Presentation Notes:
The review revealed Audit managers or auditors-in-charge are responsible for adding and removing findings as remediation is validated. Typically, remediation efforts are assessed as a part of the next regularly scheduled audit; however, the scheduled audit frequency may not require an audit for an extended period of time (i.e. 24-36 months), which may result in the failure to test weaknesses identified prior to recording deficiencies as corrected. The Audit Committee should establish appropriate guidance for follow-up validation to ensure sufficient and timely corrective action. Of concern, in some instances the audits do not appear to incorporate regulatory findings and/or outstanding regulatory guidance into the reviews. The Internal Audit Department has a breadth of knowledge and should track and validate remediation of regulatory findings.
Page 114

[Chart: Average Experience by Title / Average Audit Experience by Title. Categories: Chief Audit Executive, Audit Manager, Audit Supervisor, Senior Auditor II, Senior Auditor I, Staff Auditor II, Staff Auditor I, Audit Analyst, IT Analyst. Plotted values as extracted, in years: 21, 23, 11, 14, 5, 3, 4, 4, 5.]

Presentation Notes: Although strong leadership is provided by senior audit supervisors and CAEs, most of the fieldwork is performed by relatively new staff members. Notably, about 50% of each audit department maintains a professional certification or designation.
Page 115

Audits per FTE participating in fieldwork

• Average audit personnel in department is approximately six individuals, five completing fieldwork
• Average assets per auditor: $500M-$992M
• Average number of audits completed internally is 25, or approximately 75%
• Average experience
• Professional certifications, training, and development plans

Presentation Notes: Average of six audits per auditor; average of six audits outsourced or co-sourced; average number of audits completed internally: 26.
Page 116

Specialized Audit Areas

Share of participating institutions by how each specialized audit area is sourced:

Area                       N/A   Internal   Outsourced
Information Technology      0%       17%          83%
Trust                      33%       17%          50%
BSA-AML                     0%       17%          83%
CRA                         0%       83%          17%
Compliance                  0%       67%          33%
Interest Rate Risk          0%       50%          50%
ALLL                        0%       50%          50%
Loss Share                 33%       50%          17%
Acquired Loan Accounting   33%       33%          33%
Mortgage QC                 0%       67%          33%

Presentation Notes: Ongoing training is particularly important for internal auditors who perform specialized audits, including, but not limited to, the following areas: Information Technology, Trust, Bank Secrecy Act, and Loss Share/Acquisition Accounting reviews. Internal auditors not presently holding appropriate certifications are encouraged to pursue an educational program and/or individual study to obtain professional certification. You should anticipate examiners requesting workpapers for specialized audits to ensure the scope is sufficient. This is for informational purposes, as many management teams inquired about how their peers were handling specialized audits.
Page 117

Quality Control Program

• Audit activities are conducted in accordance with the Standards for the Professional Practice of Internal Auditing
• Assures compliance with Standards, Charter, Policies, Code of Ethics, practices, and regulatory requirements
• Identifies methods to improve organizational operations
• External assessment at least once every five years

[Chart: Quality Assurance Review. QA Review: 16.67%; No QA Review: 83.33%]

Presentation Notes: New IIA Practice Advisory requires a QC Program or Assessment if Charters or Policies refer to IIA Standards.
Page 118

Potential QC Review Components

• Budgeting and financial administration for internal audit
• Maintenance and updating of the risk assessment and audit universe
• Evaluation of long-range planning
• Audit tools and use of technology
• Training and development of staff
• Audit statistics and metrics used
• Review of summary reports
• Administration of deficiency tracking

Page 119

Emerging Areas

• Internal Credit Review Function
• Internal Compliance Review Function
• Audit Department should assess the review functions

Credit Review (by participating institution):

Institution    A      B      C      D      E      F
In-house      0%   100%    50%     0%    50%    75%
# Staff        0      9      1      0      1      4

Presentation Notes: As a result of the horizontal review, several areas of concern were identified. Four of the six participating institutions have begun developing an internal credit review program. Progress among these four institutions ranges from fully established to just developing the necessary framework. However, two of the four institutions have only one individual appointed to create the framework, establish processes and procedures (such as line sheets, reporting, etc.), and review credits. Since the initial implementation, all four institutions have reduced the penetration performed by outsourced credit review vendors, despite the limited number of internal reviewers. A number of institutions are also establishing a compliance framework to review the function internally. Compliance personnel complete these reviews in addition to their regular duties in two institutions; however, this does not meet the independence standards in outstanding FDIC guidance and/or SEC guidance for publicly traded institutions. The Internal Audit Department should assess both the internal credit review and compliance review functions to ensure consistency and compliance with policies and procedures. Additionally, if the bank has an incentive plan in place, the Internal Audit Department should evaluate the Plan's structure and goals for the independent reviews, if any.
Page 120

Resources

• Statement of Policy: Internal Audit and Its Outsourcing
• Part 363: Annual Independent Audits and Reporting Requirements
• Various Practice Advisories from The Institute of Internal Auditors

Page 122

Common ALLL issues/concerns include:

• Improper use of, or insufficient support/documentation for, environmental factors
• Expected cash flow definition
• Historical loss look-back period
• Negative provisions
• CECL

Page 123

ALLL

Annual charge-off rates are calculated over a specified time period (e.g., three years or five years), which can vary based on a number of factors including the relevance of past periods’ experience to the current period or point in the credit cycle.

Page 124

Credit Administration

Seven Ways Banks Are Relaxing Loan Terms:
• Extend fixed-rate pricing
• Tweak guarantees
• Stretch out amortization
• Raise the leverage
• Waive fees
• Lower debt-service limits
• Ease collateral requirements

Page 125

Cybersecurity

The National Institute of Standards and Technology defines cybersecurity as "the process of protecting information by preventing, detecting, and responding to attacks." As part of cybersecurity, institutions should consider management of internal and external threats and vulnerabilities to protect information assets and the supporting infrastructure from technology-based attacks.

Page 126

Cyber Challenge: A Community Bank Cyber Exercise

Objectives:
• Initiate discussion between financial institution management and staff on cyber-related issues and concerns.
• Identify potential shortfalls in operational readiness capabilities.
• Strengthen preparedness and response efforts to promote an institution's resilience.

Page 127

Cyber Challenge

Scenario Overview: Cyber Challenge consists of a DVD with short video vignettes that present four unique scenarios for discussion. Challenge cards accompany each video vignette to facilitate discussions. Participants should play a video vignette and then respond to the associated challenge questions.


Page 129

Cyber Challenge

The four vignette themes are:
• Vignette #1 - Item Processing Failure
• Vignette #2 - Customer Account Takeover
• Vignette #3 - Bank Internal Error/Phishing & Malware Problem
• Vignette #4 - Technology Service Provider Problem

Page 130

Current Exam Issues

– Internal Audit
– ALLL/TDRs
– Liquidity/Stress Testing
– Interest Rate Risk
– Lending Programs
– Cyber Security-IT
– BSA
– Model Validation

Page 131

QUESTIONS?

Page 132

Model Risk Management

Michael Koupal, CPA, Senior Manager
Melody Reed, CRCM, CFSA, Manager

© Elliott Davis Decosimo, PLLC

Page 133

Disclaimer

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Page 134

Model Definition

Per the OCC Supervisory Guidance on Model Risk Management (OCC 2011-12), a model consists of three components:

• Information input (which delivers assumptions and data to the model)
• Processing (which transforms inputs into estimates)
• Reporting (which translates estimates into useful business information)

Page 135

Model Risk

Model risk occurs for two primary reasons:

1. The model may have fundamental errors and may produce inaccurate outputs. Errors can occur at any point from design through implementation.
2. The model may be used incorrectly or inappropriately. Even a fundamentally sound model producing accurate outputs consistent with the design objective of the model may exhibit high model risk if it is misapplied or misused.

Page 136

Model Risk (Continued)

• Model risk increases with greater model complexity, higher uncertainty about inputs and assumptions, broader use, and larger potential impact.
• Even with skilled modeling and robust validation, model risk cannot be eliminated, so other tools should be used to manage model risk effectively:
  - establishing limits on model use
  - monitoring model performance
  - adjusting or revising models over time
  - supplementing model results with other analysis and information

Page 137

Model Validation

• Model validation is the set of processes and activities intended to verify that models are performing as expected, in line with their design objectives and business uses. Effective validation helps ensure that models are sound. It also identifies potential limitations and assumptions, and assesses their possible impact.
• All model components, including input, processing, and reporting, should be subject to validation; this applies equally to models developed in-house and to those purchased from or developed by vendors or consultants.

Page 138

Who should complete the validation?

• Validation involves a degree of independence from model development and use. Generally, validation should be done by people who are not responsible for development or use and who do not have a stake in whether a model is determined to be valid.
• Staff doing validation should have the requisite knowledge, skills, and expertise. A high level of technical expertise may be needed because of the complexity of many models, both in structure and in application. These staff also should have a significant degree of familiarity with the line of business.

Page 139

How Detailed? How Often?

• The range and rigor of validation activities conducted prior to first use of a model should be in line with the potential risk presented by use of the model.
• Validation activities should continue on an ongoing basis after a model goes into use, to track known model limitations and to identify any new ones.
• Validation is an important check on model use during periods of benign economic and financial conditions, when estimates of risk and potential loss can become overly optimistic, and when the data at hand may not fully reflect more stressed conditions.
• Banks should conduct a periodic review, at least annually but more frequently if warranted, of each model to determine whether it is working as intended and whether the existing validation activities are sufficient. Such a determination could simply affirm previous validation work, suggest updates to previous validation activities, or call for additional validation activities.

Page 140

Key Elements of Comprehensive Validation

An effective validation framework should include three core elements:
- Evaluation of conceptual soundness, including developmental evidence (quality of model design and construction)
- Ongoing monitoring, including process verification and benchmarking
- Outcomes analysis, including back-testing

Page 141

Quality of design and construction

• Validation should ensure that the judgment exercised in model design and construction is well informed, carefully considered, and consistent with published research and sound industry practice.
• How is this handled when the model is outsourced?
• Can sensitivity analysis help evaluate?
  - Sensitivity analysis: measuring the impact inputs have on model outputs

Page 142

Michael Koupal, CPA
Email: [email protected]
Phone: 704.808.5211
Website: www.elliottdavis.com

Melody Reed, CRCM, CFSA
Email: [email protected]
Phone: 919.987.2776
Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

Page 143

BSA Models: Understanding and Maximizing the Backbone of Your AML Program

Melody Reed, CRCM, CFSA, Manager

Page 144

Objectives/Areas to Cover

• Purpose of the Model: Why do I need this?
• Key Areas of the Model
• Tuning: Did I Buy a Car?
• Understanding the Importance of the Model

Page 145

The "Why"

• Manual Reports = Ineffective and Inefficient Monitoring
• Regulators Make Us
• It's the Right Thing To Do

Page 146

Automated Monitoring

[Images: Before / After]

Page 147

Understanding the Model

• Who has to understand how the model works? Isn't that an IT thing?
• No. BSA Officers should understand the functionality of the model, including details about how the model is scoring and flagging transactions for additional review.

Page 148

Definition of Terms

"Alert"
• YellowHammer BSA = Worklist Item
• Banker's Toolbox BAM = Report Item
• Fiserv's FCRM = Alert

Page 149

Key Model Areas

• Customer Information
  - Customer Due Diligence
  - Customer Risk Scoring
  - Ongoing Due Diligence

Page 150

Key Model Areas (Continued)

• Suspicious Activity Monitoring
  - Unusual Transactions
  - Out of Pattern Behavior
  - Transactions in High Risk Areas

Page 151

Tuning – Like a Radio?

Too Much Static or "Noise"

Page 152

Tuning

Reduce the noise to get a clearer picture.

Page 153

Tuning and Optimization

Tighten the net… and loosen it.

Page 154

T&O (Continued)

• Evaluate Coverage Based on Triggering Events

– Manual SAR Referrals

– Regulation Changes

– Bank M&A Activity

– New Products

– Enforcement Actions

• Evaluate Thresholds

– Dollar Amounts

– Transaction Frequency

• Challenge Customer Risk Scores

– New Markets

– High Risk Areas
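As an added example (not code from the presentation or from any of the vendors named above), the following Python sketches the monitoring areas the slides list (dollar-amount and transaction-frequency thresholds, a high-risk-geography rule, and an out-of-pattern check against the customer's own history) and then runs the coverage evaluation the tuning slides describe: each candidate parameter set is scored against the manual SAR referrals to see what a tightened or loosened net would have caught. The rule names, default thresholds, the country code "XX", the customer ledger and the referral list are all constructed for illustration; the only real figure is the $10,000 CTR reporting threshold that structuring rules key on.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

HIGH_RISK_COUNTRIES = {"XX"}  # constructed placeholder code for a high-risk jurisdiction


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    kind: str        # "cash_in", "wire_out" or "ach"
    amount: float
    country: str     # counterparty country code (constructed)


@dataclass(frozen=True)
class Params:
    """Tunable thresholds. These defaults are constructed for the example, not vendor settings."""
    structuring_floor: float = 9000.0       # deposits kept just under the $10,000 CTR threshold
    structuring_ceiling: float = 10000.0
    structuring_min_count: int = 2          # transaction-frequency threshold
    wire_amount_threshold: float = 25000.0  # dollar-amount threshold
    zscore_limit: float = 3.0               # how far from the customer's own pattern counts as unusual
    min_history_periods: int = 5            # history needed before the pattern rule is scored


@dataclass(frozen=True)
class Alert:
    rule: str
    customer: str
    txn_ids: Tuple[str, ...]


def run_rules(history: Dict[str, List[float]], txns: List[Txn], p: Params) -> List[Alert]:
    """Score one period of transactions against each customer's history and return alerts."""
    alerts: List[Alert] = []
    by_customer: Dict[str, List[Txn]] = {}
    for t in txns:
        by_customer.setdefault(t.customer, []).append(t)
    for cust, items in sorted(by_customer.items()):
        # Rule 1: repeated cash deposits just under the reporting threshold (structuring).
        structured = [t for t in items if t.kind == "cash_in"
                      and p.structuring_floor <= t.amount < p.structuring_ceiling]
        if len(structured) >= p.structuring_min_count:
            alerts.append(Alert("structuring", cust, tuple(t.txn_id for t in structured)))
        # Rule 2: outgoing wires that are large or go to a high-risk geography.
        for t in items:
            if t.kind == "wire_out" and t.amount >= p.wire_amount_threshold:
                alerts.append(Alert("large_wire", cust, (t.txn_id,)))
            if t.kind == "wire_out" and t.country in HIGH_RISK_COUNTRIES:
                alerts.append(Alert("high_risk_geo", cust, (t.txn_id,)))
        # Rule 3: out-of-pattern period volume relative to the customer's own history.
        past = history.get(cust, [])
        if len(past) >= p.min_history_periods:
            total = sum(t.amount for t in items)
            mu, sd = mean(past), pstdev(past)
            if sd == 0:
                # Edge case: a perfectly flat history; any change at all is out of pattern.
                z = float("inf") if total != mu else 0.0
            else:
                z = (total - mu) / sd
            if z > p.zscore_limit:
                alerts.append(Alert("out_of_pattern", cust, tuple(t.txn_id for t in items)))
    return alerts


def evaluate(alerts: List[Alert], referrals: Set[str]) -> dict:
    """Coverage check of a rule set against manual SAR referrals (one of the triggering
    events on the slide): which referred items would the model have caught on its own?"""
    covered = {tid for a in alerts for tid in a.txn_ids}
    return {
        "alerts": len(alerts),
        "referrals_covered": len(referrals & covered),
        "referrals_missed": sorted(referrals - covered),
        "flagged_without_referral": sorted(covered - referrals),
    }


# Constructed sample data: prior-period totals per customer and one current period of activity.
HISTORY: Dict[str, List[float]] = {
    "C1": [2000, 2100, 1900, 2200, 2000, 2050],
    "C2": [3000, 3200, 2900, 3100, 3000],
    "C3": [50000, 52000, 48000, 51000, 49000],
}
PERIOD: List[Txn] = [
    Txn("T0", "C1", "ach", 2100, "US"),
    Txn("T1", "C2", "cash_in", 9500, "US"),
    Txn("T2", "C2", "cash_in", 9700, "US"),
    Txn("T3", "C2", "cash_in", 9800, "US"),
    Txn("T4", "C3", "wire_out", 30000, "XX"),
    Txn("T5", "C3", "wire_out", 20000, "DE"),
]
REFERRALS: Set[str] = {"T1", "T2", "T3", "T4"}   # constructed: items the BSA officer escalated by hand


def tune(candidates: Dict[str, Params]) -> Dict[str, dict]:
    """Run every candidate parameter set on the same data and report its coverage."""
    return {name: evaluate(run_rules(HISTORY, PERIOD, p), REFERRALS) for name, p in candidates.items()}


if __name__ == "__main__":
    candidates = {"baseline": Params(), "loosened": Params(wire_amount_threshold=15000.0),
                  "tightened": Params(structuring_min_count=4, zscore_limit=500.0)}
    for name, result in tune(candidates).items():
        print(name, result)
```

Run as a script, the baseline covers all four referrals with four alerts; the loosened wire threshold adds a fifth alert on T5 that nobody referred (more noise); the tightened structuring count and z-score limit drop to two alerts and miss T1-T3 entirely. That is the trade-off the net metaphor describes, and the referral comparison is what turns it into evidence for the validation file rather than a matter of taste.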

Page 155

Making Sure It Works

• Model Validation
  - OCC 2000-16: Model Validation (rescinded and superseded by OCC 2011-12)
• Model Risk Management
  - OCC 2011-12 and SR Letter 11-7: Model Risk Management

Page 156

Elliott Davis Decosimo Approach

• Reviewing system parameters, settings, and security, and validating that the system is working
• Assessing the setup of the model to ensure appropriate coverage in terms of customer risk and transactional risk
• Reviewing parameters and thresholds to verify they are set in line with the Bank's size and BSA risk profile

Page 157

Keys to Model Governance

• Independent Review
• Defined Responsibility
• Model Documentation
• Ongoing Validation
• Audit Oversight

Page 158

Melody Reed, CRCM, CFSA
Email: [email protected]
Phone: 919.987.2776
Website: www.elliottdavis.com

Page 159

Interest Rate Risk and Management

Michael Koupal, CPA, Senior Manager

Page 160

Overview

• Interest Rate Risk
  - What is IRR?
  - Current Regulatory Focus
  - Internal Control System
  - Independent Review and Validation

Page 161

What is IRR?

• Banks are in the business of managing IRR
  - Repricing Risk: timing differences between coupon changes or cash flows of assets and liabilities
  - Yield Curve Risk: non-parallel changes in the yield curve
  - Option Risk: cash flows change with embedded options (prepayment/extension, call options, runoff)
  - Basis Risk: different indices with the same maturity move at different paces

Page 162

Current Regulatory Focus

• Margin pressure is hindering meaningful earnings recovery
• Increases in long-term asset exposure to support yield, coupled with a surge in non-maturity deposits
• Fear of substantial deposit runoff (surge deposits and parked funds)
• Examiner focus on assumptions, sensitivity analysis, internal controls/validation

Page 163

Internal Control System

• Board-established system of internal controls
  - Corporate governance
  - Compliance with policies and procedures
  - Comprehensive measurement system

Page 164

Effective Control Structure

• Roles, responsibilities, and authority
• Adequate segregation of duties
• Inputs and measurements are accurate and complete
• Policy compliance
• Independent review and validation
• Management response and follow-up
• Size, nature, and complexity of the institution should be incorporated in evaluating all aspects

Page 165

Adequacy and Compliance of Control System

• Review/Test
  - Lines of authority
  - Segregation of duties
  - Corrective actions
  - Compliance with risk limits
• Ensure staff compliance with procedures

Page 166

Data Inputs

• Data Integrity
  - Is data accurate, complete, and useful?
  - Source of data
• Data Input Controls
  - Automatic vs. manual input
  - Reconciliation and review process
• Test Data Inputs
  - Balance sheet
  - Budgets/forecasts
  - Assumptions

Page 167

Assumptions

• Reasonableness
  - Can compare to historical and current data
  - If using peer or national data, should still determine if reasonable for your institution
  - Should be based on expectations, not just budget
• Documentation
  - Understandable format that includes all assumptions
  - Basis for balance sheet predictions
  - Conclusions and strategies developed based on identified risks

Page 168

Assumptions

• Sensitivity analysis
  - Which factors are most important? (Stress Testing)
• Sufficiency of modeled scenarios
  - Reasonable range of rate changes and models
• Board approval and understanding

Page 169: North Carolina Risk Management Seminar 2015North Carolina Risk Management Seminar 2015 Tuesday, May 5, 2015 Grandover Resort, Greensboro, North Carolina _____ 8:30 am - 9:00 am Registration

• Internal Models

- Significant amount of time required for validation process.

- Includes validation of model mechanics and mathematics.

• External Models

- Vendors normally provide validation results. Management should review and assess at least annually.

Validation

Page 170

• Compare Modeled vs. Actual Results

- Who should complete?

- Annually or quarterly?

- Should include rate vs. volume variance

- Detailed enough to determine accuracy

• Were assumptions accurate?

- If not, has management identified changes for future modeling?

• Identify causes of differences

Backtesting

Page 171

• Report to Board/Audit Committee

- Testing details

- Findings summary

- Key assumptions

- Management’s responses

Reporting

Page 172

• FIL-52-96 - Joint Agency Policy Statement on Interest Rate Risk

- http://www.fdic.gov/news/news/financial/1996/fil9652.html

• FIL-2-2010 - Financial Institution Management of Interest Rate Risk

- http://www.fdic.gov/news/news/financial/2010/fil10002.html

• FIL-2-2012 - Interest Rate Risk Management: Frequently Asked Questions

- http://www.fdic.gov/news/news/financial/2012/fil12002.html

• FIL-46-2013 - Managing Sensitivity to Market Risk in a Challenging Interest Rate Environment

- https://www.fdic.gov/news/news/financial/2013/fil13046.html

Guidance

Page 173

Allowance for Loan and Lease Loss Validations

Michael Koupal, CPA, Senior Manager

Page 174

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo.

Page 175

• ASC 450 (FAS 5) General Reserve

- Historical Loss Factors

- Environmental Factors

• (Qualitative adjustments to historical loss rates)

- What if a migration analysis is used?

• ASC 310-10-35 (FAS 114) Specific Reserve

- Impaired Loans/Troubled Debt Restructures (“TDRs”)

Overview

Page 176

• Historical Loss Factors - Calculated using historical charge-offs by loan pool over a designated time period

• Test loss factors by:

- (a) Recalculating the historical loss factor

• Subject a sample of current-year charge-offs to tests of proper approval and recording

• Reconcile charge-offs / recoveries to allowance roll forward and GL

• Verify loss history is properly applied against average loan balances of proper pool

• Verify impaired loans are excluded from the outstanding average loan balances in the application of the loss factors in order to avoid layering

General Reserve - ASC 450 (FAS 5)

Page 177

• Historical Loss Factors

• Test loss factors by:

- (b) Evaluating the appropriateness of the historical loss period

• A historical loss period of between 8 quarters and 15 quarters is usually reasonable

General Reserve - ASC 450 (FAS 5)

Page 178

• What happens if the Bank is using a migration analysis instead of a historical analysis for its general reserve?

- Need to gain an understanding of the migration to determine if the methodology is reasonable

- Recalculate at least a sample to determine if the system is working properly (trace/vouch)

- Great use of Excel

- If using a third-party system, see if the vendor has already done a certification/validation of the model so you only have to focus on the inputs and outputs.

Migration Analysis

Page 179

• Environmental Factors

- Trends in delinquencies and impaired loans

- Levels and trends in recoveries and charge-offs

- Trends in volume and terms of loans

- Experience and ability of lending management and relevant staff

- National and local economic trends and conditions

- Credit concentrations

• Supportable/documented

• Reasonable

Environmental Factors

Page 180

• Impaired Loan

- Impairment occurs when it is probable that the entity will be unable to collect all amounts due according to the contractual terms of the receivable

- All amounts due according to the contractual terms means that both the contractual interest payments and the contractual principal payments will be collected as scheduled according to the receivable's contractual terms. Need not consider an insignificant delay or insignificant shortfall in amount of payments.

Specific Reserves ASC 310-10-35 (FAS 114)

Page 181

• Methods for calculating impairment

- Impairment calculated based on fair value of collateral

• For collateral-dependent loans

- Impairment calculated based on present value of expected future cash flows

• For non-collateral-dependent loans

- Fair value (rarely used)

Specific Reserves ASC 310-10-35 (FAS 114)

Page 182

• Collateral dependency

- Repayment is expected to be provided solely by the underlying collateral

• Should adjust for selling costs (taxes, repairs, agents, etc.)

- Repayments from proceeds of sale of collateral

- Cash flows from continued operation of collateral

• Apartment building, shopping mall

• Cash flows are derived solely from the property’s rental income

Specific Reserves ASC 310-10-35 (FAS 114)

Page 183

• Sale of underlying collateral

• It is important to:

- Evaluate the professional qualifications of the appraiser

- Consider the date and age of the appraisal

- Obtain an understanding of the appraiser’s relationship to the client and consider the objectivity of the appraiser

- Obtain an understanding of the methods and assumptions used by the appraiser

- Make appropriate tests of data provided to the appraiser, including the legal description of the property and any other assumptions such as expected cash flows

Specific Reserves ASC 310-10-35 (FAS 114)

Page 184

• Impairment based on PV of expected cash flows

• Examine evidence that supports management’s expected cash flows. (For example, evidence might include borrower financial statements and income tax returns.)

• Consider contradictory evidence that suggests that management’s cash flow expectations are unreasonable.

- Contractual payment terms required under a modified loan are not necessarily the best estimate of expected future cash flows

Specific Reserves ASC 310-10-35 (FAS 114)

Page 185

• Impairment based on PV of expected cash flows

• Compare the discount rate used in the cash flow calculation to the loan's original effective rate (not the modified rate)

• Test the clerical accuracy of the cash flow calculation

• Consider default and prepayment assumptions

• Environmental factors – industry, geographical, economic, political

Specific Reserves ASC 310-10-35 (FAS 114)

Page 186

• Impairment based on PV of expected cash flows

- Cash flows from other available sources (including guarantors) must be more than nominal to conclude that a loan is not collateral dependent

- E.g., cash flows generated by operation of a business or another source outside of the lender's security interest in the collateral

- Balloon payments

- Significant uncertainty may exist regarding the borrower’s ability to refinance/pay the loan off at maturity when contractual balloon payments are required

- Acceptable approach is to utilize the fair value of collateral (less costs to sell) as expected future cash flows at maturity

• Unless balloon payment amount is less than FV of collateral; in those cases, use the balloon payment

Specific Reserves ASC 310-10-35 (FAS 114)

Page 187

• Impairment based on PV of expected cash flows

- In general, GAAP does not allow impairment calculations to run beyond the contractual term

- Exceptions

• E.g., automatic renewal at maturity

• Regulators are open to the possibility of adjusting the impairment measurement by a qualitative factor if it is quantifiable/objectively measured

- More accurately approximate the risk and economics of the relationship between the institution and borrower

- Key point is to have a well-documented workout plan if measuring impairment beyond contractual term

Specific Reserves ASC 310-10-35 (FAS 114)
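The two impairment methods and the balloon-payment, discount-rate and contractual-term rules from the Specific Reserves slides above, as an added Python example that is not the presentation's own material. The sample loans, the monthly payment cadence and the rates are constructed assumptions.

```python
"""Measure ASC 310-10-35 (FAS 114) impairment for an individually evaluated loan.

Added example, not the presentation's own code; every loan below is constructed.
Assumptions: monthly cash flows discounted at annual_rate / 12, the original
effective rate is stored with the loan, and the slides' balloon rule (net
collateral value at maturity, unless the balloon is smaller) is applied literally.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ImpairedLoan:
    loan_id: str
    recorded_investment: float
    original_effective_rate: float  # annual rate at origination, NOT the modified rate
    modified_rate: Optional[float]  # rate after a TDR concession, if any
    contractual_term_months: int    # remaining contractual term
    expected_payments: List[float]  # management's expected monthly cash flows
    balloon_at_maturity: float      # contractual balloon, 0.0 if fully amortising
    collateral_fair_value: float    # latest appraisal
    selling_costs: float            # taxes, repairs, agent fees, etc.
    collateral_dependent: bool      # repayment expected solely from the collateral


def net_collateral_value(loan: ImpairedLoan) -> float:
    """Fair value of collateral less costs to sell."""
    return loan.collateral_fair_value - loan.selling_costs


def impairment_collateral_method(loan: ImpairedLoan) -> float:
    """Collateral-dependent loans: shortfall of net collateral value below the
    recorded investment (never negative; excess collateral creates no reserve)."""
    return max(0.0, loan.recorded_investment - net_collateral_value(loan))


def maturity_cash_flow(loan: ImpairedLoan) -> float:
    """Balloon rule from the slides: use the net collateral value as the cash
    flow at maturity, unless the contractual balloon is smaller than that."""
    if loan.balloon_at_maturity <= 0.0:
        return 0.0
    return min(loan.balloon_at_maturity, net_collateral_value(loan))


def expected_cash_flows(loan: ImpairedLoan) -> List[float]:
    """Monthly cash flow vector over the contractual term; flows projected past
    the contractual term are rejected (GAAP does not allow running beyond it)."""
    flows = list(loan.expected_payments)
    if len(flows) > loan.contractual_term_months:
        raise ValueError(f"{loan.loan_id}: cash flows run beyond the contractual term")
    flows += [0.0] * (loan.contractual_term_months - len(flows))
    flows[-1] += maturity_cash_flow(loan)
    return flows


def present_value(flows: List[float], annual_rate: float) -> float:
    """Discount month-end cash flows at annual_rate / 12 (assumed cadence)."""
    r = annual_rate / 12.0
    return sum(cf / (1.0 + r) ** (t + 1) for t, cf in enumerate(flows))


def impairment_cash_flow_method(loan: ImpairedLoan, rate: Optional[float] = None) -> float:
    """Non-collateral-dependent loans: recorded investment less PV of expected
    cash flows. `rate` exists only so a validator can show the effect of a
    model that wrongly discounts at the modified rate."""
    rate = loan.original_effective_rate if rate is None else rate
    pv = present_value(expected_cash_flows(loan), rate)
    return max(0.0, loan.recorded_investment - pv)


def measure_impairment(loan: ImpairedLoan):
    """Select the method the slides prescribe for the loan type."""
    if loan.collateral_dependent:
        return "collateral", impairment_collateral_method(loan)
    return "cash_flow", impairment_cash_flow_method(loan)


def discount_rate_is_original(loan: ImpairedLoan, rate_used: float) -> bool:
    """Validation check: the model must discount at the original effective rate."""
    return abs(rate_used - loan.original_effective_rate) < 1e-12


# Constructed sample loans. TDR_LOAN: 1000 recorded investment originated at 12%,
# restructured to interest-only at 6% (5/month) with a 1000 balloon in 12 months;
# collateral appraised at 950 with 50 of selling costs.
TDR_LOAN = ImpairedLoan("TDR-1", 1000.0, 0.12, 0.06, 12, [5.0] * 12,
                        1000.0, 950.0, 50.0, collateral_dependent=False)
CD_LOAN = ImpairedLoan("CD-1", 1000.0, 0.08, None, 24, [],
                       0.0, 950.0, 50.0, collateral_dependent=True)


if __name__ == "__main__":
    for loan in (TDR_LOAN, CD_LOAN):
        method, amount = measure_impairment(loan)
        print(f"{loan.loan_id}: {method} method, impairment {amount:.2f}")
    wrong = impairment_cash_flow_method(TDR_LOAN, rate=TDR_LOAN.modified_rate)
    print(f"TDR-1 discounted at the modified rate (understated): {wrong:.2f}")
```

Discounting the restructured loan at its concessionary 6% instead of the original 12% understates the impairment, which is why the slides call for comparing the model's discount rate to the original effective rate.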

Page 188

• Troubled Debt Restructuring

• Loan modified by granting a concession on:

- Rate

- Term/maturity extension

- Payment amount

- Interest or principal forgiveness

• For economic or legal reasons related to the borrower's financial difficulties

- Should be considered impaired and accounted for as an impaired loan in accordance with ASC 310-40

Specific Reserves ASC 310-10-35 (FAS 114)

Page 189

• Troubled Debt Restructuring

• Is it OK to pool non-collateral-dependent, insignificant loans?

• How would the reserve be calculated?

- Search for TDRs

- Options for removing TDRs: ASC 310-20 (FAS 91)

Specific Reserves ASC 310-10-35 (FAS 114)

Page 190

Michael Koupal, CPA

Email: [email protected]

Phone: 704.808.5211

Website: www.elliottdavis.com

Elliott Davis Decosimo ranks among the top 50 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com.

Page 191

Risk Management Roundtable


Moderator: Chris Purvis, Shareholder, Elliott Davis Decosimo

Panelists:

- Laura Kirk, SVP/Senior Audit Manager, First Citizens Bank

- Bill McKendry, Chief Enterprise Risk Officer, Bank of North Carolina

- Steve Setser, SVP/General Auditor, Select Bank

Page 192

Developing an Effective Enterprise Risk Management Program
Jay Brietz, Senior Manager, Elliott Davis Decosimo

With more than 20 years of experience in finance and accounting, Jay focuses on providing assurance and consulting services to financial institutions including external and internal audits, risk management, information technology and Sarbanes-Oxley compliance. Jay also leads the firm's SSAE 16 – Service Organization Controls Reporting practice. Jay is both a certified public accountant and a certified internal auditor. His experience includes serving as senior compliance manager for a global banking institution, a business advisory senior manager for an international CPA firm, a managing consultant for a large technology and process consulting firm and a financial statement auditor for a Big Four accounting firm. Jay has written numerous articles on dealing with Sarbanes-Oxley, corporate governance and internal controls. He also was a principal contributor to COSO's Guidance on Monitoring Internal Control Systems.

Regulatory Compliance Hot Topics
Matthew Cordell, Attorney, Ward & Smith P.A.

Matt Cordell's practice encompasses a broad spectrum of business and regulatory matters, with a particular emphasis on financial institutions and financial services. He handles business transactions, securities offerings and reporting, mergers and acquisitions, corporate matters, lending and financing, consumer protection compliance, and privacy and information security issues for organizations of all sizes. Matt has been rated by his peers as being among the best in his fields of law, receiving the highest possible ratings in a number of peer surveys, and has been recognized by a number of organizations. He is an active leader in the legal profession, serving in various statewide leadership roles, including as Division Director of the Young Lawyers Division of the North Carolina Bar Association. Matt also enjoys contributing to his communities. He has devoted hundreds of hours to providing free ("pro bono publico") legal services, working with lawmakers on legislation and regulations, and educating lawyers, bankers and the public on various legal and policy issues.

Cybersecurity and Data Security
Richard Cook, Director, Elliott Davis Decosimo

Richard has 11 years of IT consulting/audit experience as an IT Risk Management professional, primarily with Big Four and national firms. His main focus is providing IT-related assurance, consulting, advisory and security services. He has an extensive IT services technical background and has executed engagements in the following industries: Financial Institutions (regional, community and De Novo banks), Manufacturing & Distribution, Healthcare, Retail, Agriculture and Grocery. His range of experience includes assessing IT environments of public (accelerated SOX 404 and non-accelerated filers, including Fortune 500 companies) and private enterprises, both large and small, from an internal and external perspective. He also has significant experience implementing the PCAOB's AS5 top-down risk-based approach for SEC registrants as well as implementing the updated COSO 2013 framework.

He has executed SOC 1 and SOC 2 engagements. In addition, Richard's ERP experience includes SAP, Oracle, JD Edwards, and PeopleSoft (Financials & HRMS); operating systems: Unix/Linux, iSeries (AS/400), Windows Server and mainframe; and databases: Oracle, SQL, DB2, and Informix, among others. Richard has worked with various frameworks including COBIT, FFIEC, AICPA, PCAOB, COSO, and FISMA.

Page 193

Regulatory Focus on Internal Audit
Ryan Senegal, Examiner, Federal Deposit Insurance Corporation

Ryan Senegal is a Supervisory Examiner with the FDIC. During his 15-year career he has gained experience working on examinations of small and large community banks and problem banks in the Chicago, IL and Charlotte, NC field offices. He helped oversee a horizontal review of internal audit at large community banks in North Carolina and South Carolina in 2013, is an accounting subject matter expert for the Charlotte Territory specializing in purchase accounting, and oversees training and development for the Charlotte Territory. He was named the Atlanta Region RMS Corporate Manager of the Year for 2012. He graduated with a BS in Business Administration from Central State University, Wilberforce, OH.

Performing Model Validations
Melody Reed, Manager, Elliott Davis Decosimo

Melody has more than a decade of experience performing internal audit and compliance services for financial institutions. She provides risk management services for financial institutions, including outsourced internal audit, regulatory compliance audits, regulatory compliance consulting, Bank Secrecy Act reviews, and SOX testing. Prior to joining Elliott Davis Decosimo, Melody held roles with a $20 billion regional bank in Raleigh, North Carolina, in Internal Audit and Corporate Governance, and was most recently the bank's BSA Officer.

Michael Koupal, Senior Manager, Elliott Davis Decosimo

Michael focuses on providing accounting and assurance services to clients in the financial institution industry sector. Prior to joining Elliott Davis Decosimo in September 2012, Michael was employed with Plante Moran, PLLC in Toledo, Ohio and served community banks throughout Michigan and Ohio. With approximately 10 years of experience in public accounting, his experience includes working with community banks ranging in size from $100 million to more than $3 billion in assets. Michael's external audit experience includes both private and public institutions, including SOX 404 and FDICIA requirements. Michael's internal audit experience also includes private and public institutions, including assisting in determining and setting up key controls for SOX 404 and FDICIA requirements. He also specializes in interest rate risk and liquidity risk management audits, Automated Clearing House ("ACH") audits, and loan/credit reviews.

Risk Management Roundtable
Chris Purvis, Shareholder, Elliott Davis Decosimo

Chris has more than nine years of accounting experience, including eight years in public accounting and one year in corporate accounting with a bank. Chris specializes in providing audit and consulting services for financial institutions. Prior to joining Elliott Davis in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been in providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and Interest Rate Risk testing. Chris leads the firm's compliance consulting services group. Training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School.

Page 194

Laura Kirk, SVP/Senior Audit Manager, First Citizens Bank

Laura Kirk has 38 years of internal bank auditing experience. Currently, she is employed with First Citizens Bank as a Senior Vice President / Senior Audit Manager. Prior to her seventeen years' employment with FCB she was the Audit Director for United Carolina BancShares. Laura is a Certified Internal Auditor and a Certified Fraud Examiner. She is a cum laude graduate of Pfeiffer University, 1975, with a Bachelor of Arts majoring in Business Administration and Economics, and a graduate of Pfeiffer University, 2003, with a Master of Business Administration. Laura is also an honors graduate of The School for Bank Administration, 1988, majoring in Audit. She was the Institute of Internal Audit, Raleigh-Durham Chapter's President in 2000 and is still active in the local chapter.

Bill McKendry, Chief Enterprise Risk Officer, Bank of North Carolina

Bill McKendry is an Executive Vice President and the Chief Enterprise Risk Officer for Bank of North Carolina. He has been with the Bank since 2011. Mr. McKendry has over 18 years of experience in the banking industry, including at some of the largest financial institutions in the United States. Prior to joining the Bank, Mr. McKendry was most recently the Deputy General Auditor for First Citizens Bank. He is a graduate of the University of Notre Dame, with an MBA and an undergraduate Accounting degree.

Steve Setser, SVP/General Auditor, Select Bank

Steve has worked in community banking since 2004, serving roles in internal audit and enterprise risk management. Steve began his career as a staff auditor with a bank headquartered in Eastern North Carolina. His initial focus was primarily on Information Security and Technology audits, but his responsibilities ultimately grew to include most bank functions, including SOX control testing. Steve was promoted to Internal Audit Director in 2008 and held that position until 2012, when he assumed the role of ERM Reporting Director. A merger in 2013 led to Steve being named the Manager of ERM, Privacy & Regulatory Reporting, which included oversight of an outsourced internal audit function along with key input into the development of an ERM program. In March 2014 Steve joined Select Bank & Trust as General Auditor and is responsible for management of the Bank's audit function. Steve has a degree in Decision Science with a concentration in Management Information Systems from East Carolina University. He also earned his MBA from ECU – go Pirates! Steve is a graduate of the North Carolina Bankers Association's School of Banking and has been a member of the Southeastern Chapter of the Financial Manager's Society since 2004, including holding the chapter President role from May 2012 – December 2013. Steve is currently preparing to take the IIA's CIA exam.

Page 195

Robert Beckwith, CPA, Shareholder
Services: Tax | Industries: Financial Services
200 East Broad Street, Suite 500, Greenville, SC 29601
Direct: 864.552.4763 | Office: 864.242.3370 | Fax: 864.241.5713
[email protected]

Professional Overview

Bob focuses on providing tax consulting services to clients in the financial services industry. Bob has more than 40 years of bank tax consulting and compliance experience, including 20 years at a Big Four accounting firm. He assists clients with financial reporting in accordance with FASB ASC 740 and planning and analysis of C corporation tax issues including mergers and acquisitions, tax benefit limitations upon Sec. 382 change-of-control, compensation and golden parachutes, and accounting methods and periods. Bob has served multi-billion dollar organizations, filing complex consolidated and multi-state returns. He also possesses expertise in planning for the election to be an S corporation bank and the resulting compliance issues.

Education, Credentials and Special Training

- Certified Public Accountant

- M.S., Accounting, Colorado State University

- B.S., Business Administration with emphasis in accounting, University of Nebraska

Professional Affiliations

- American Institute of Certified Public Accountants

- South Carolina Association of Certified Public Accountants

Thought Leadership

- Panelist, Bank Tax Institute Community Banking Panel

- Co-instructor, Co-Community Bank Tax Workshop

Page 196

William (Bill) J. Bossong, CPA, CBA, Shareholder, Financial Institutions Group Consulting
Services: Consulting | Industries: Financial Services
1901 Main Street, Suite 900, Columbia, SC 29201
Direct: 803.255.1497 | Office: 864.242.3370 | Fax: 803.255.0733
[email protected]

Professional Overview

Bill has more than eight years of public accounting experience with an emphasis in financial institutions and SEC registrants. He leads the firm's Financial Institution Consulting Practice for merger and acquisition matters. These services include due diligence projects, Day 1 valuations, Day 2 accounting, internal audits over other Day 2 providers, and accounting policy creation and review. This team has developed ValuCastTM, a proprietary solution designed to assist banks with Day 1 and 2 accounting in accordance with the Accounting Standards Codification (ASC). Bill has led numerous FDIC-assisted and whole bank valuation projects including valuing various net assets acquired, including but not limited to the loan portfolio, core deposit intangible, time deposits, borrowings and other long term debt, and share based payment awards. In addition to the Day 1 valuations and Day 2 experience, Bill and his team have assisted their clients by developing projection and other financial planning models and reports. Bill also has a significant amount of experience related to the Allowance for Loan and Lease Losses (ALLL) under ASC 450-20 and ASC 310-10, including building an ALLL model for a large regional bank. Bill has also worked closely with the valuation team for various financial service line of business acquisitions, including leasing companies, mortgage companies, and broker dealer/investment companies. He provides consulting services to numerous clients ranging in size from $400 million in assets to over $20 billion in assets.

Education, Credentials and Special Training

- Certified Public Accountant

- Certified Bank Auditor

- Master of Accountancy, University of South Carolina

- B.S., Accounting, University of South Carolina

- SEC Reporting, AICPA

Professional Affiliations

- American Institute of Certified Public Accountants

- South Carolina Association of Certified Public Accountants

Civic and Community Activities

- Walk Team Captain, Juvenile Diabetes Research Foundation

- Board of Directors, Midlands March of Dimes

- Deacon and Former Member of the Finance Committee, First Baptist Church of Columbia

Page 197

R. Jason Caskey, CPA, Shareholder and Financial Services Practice Leader
Services: Assurance | Industries: Financial Services
1901 Main Street, Suite 900, Columbia, SC 29201
Direct: 803.255.1203 | Office: 803.256.0002 | Fax: 803.255.0714
[email protected]

Professional Overview

As leader of the firm's Financial Services practice, Jason focuses on serving financial institutions and SEC registrants. With more than 24 years of experience, he serves community banking clients in both the private and public sector. Jason has assisted clients with public stock offerings, mergers and acquisitions, and SEC filings including comfort letters. In addition, he also serves clients with a number of consulting engagements including outsourced internal audit, external loan reviews and Bank Secrecy Act reviews. Jason recently completed six years as an elected member of the firm's Executive Committee. He recently completed four years as the managing shareholder of the firm's Columbia office.

Education, Credentials and Special Training

- Certified Public Accountant

- B.S., Accounting, University of South Carolina

- University of Virginia National Banking School

Professional Affiliations

- American Institute of Certified Public Accountants

- South Carolina and North Carolina Association of Certified Public Accountants

- State Bankers Associations in South Carolina, North Carolina, Georgia and Virginia

- Independent Bankers Association of South Carolina

Civic and Community Activities

- Board of Directors and Audit Committee, United Way of the Midlands

- Board of Directors and Audit Committee, Navigating from Good to Great

- Board of Advisors and Audit Committee, USC Business Partnership Foundation

- Member, Greater Columbia Chamber of Commerce Finance Committee

- Deacon, First Baptist Church of Columbia

- Columbia Chamber of Commerce Committee of 100

- Former Board of Directors and Audit Committee, Central Carolina Community Foundation

- Former Member, Board of Directors, Children's Trust of South Carolina

- Former Board of Directors, South Carolina Student Loan Corporation

- Former Board of Directors and Audit Committee, SC Economics

- Former Member, Board of Trustees, Charleston Southern University

- Former Member, Board of Directors, Juvenile Diabetes Research Foundation

- 2011 Heart Ball Chair, American Heart Association, Columbia

- 2008 Distinguished Young Alumnus, USC Moore School of Business

- Class of 2006 "20 Under 40," The State

el l i ot td av is . co m © Elliott Davis Decosimo LLC


Roundabout Plaza 1600 Division Street, Suite 225 Nashville, TN 37203 Direct: 615-376-1925 Office: 615-292-7135 Fax: 615-292-7169 [email protected]

Larry Felts, CPA
Shareholder
Services: Assurance | Industries: Financial Institutions, Educational Services, Retail, Not-For-Profits, Manufacturing & Distribution

Professional Overview
Larry has more than 30 years of experience with both public and private company clients in industries such as manufacturing and distribution, higher education, financial services, retail, government and technology. He has extensive experience in SEC services, including initial and secondary public offerings, periodic reporting and client and audit committee advisory services. His experience with financial institutions has ranged from major public clients to many Tennessee community banks, credit unions and savings banks. Larry also assists clients with employee benefit plan audits.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Business Administration, University of Tennessee

Professional Affiliations
American Institute of Certified Public Accountants
Tennessee Society of Certified Public Accountants

Civic and Community Activities
Advisory Board Member, Nashville Capital Network
Board Member, Junior Achievement of East Tennessee
Member, Leadership Knoxville
Former President & Board Member, Junior Achievement of East Tennessee
Former Board Member, United Way of Knoxville
Former Chancellor’s Associate Member, University of Tennessee


700 East Morehead Street Suite 400 Charlotte, NC 28202 Direct: 704.808.5208 Office: 704.333.8881 Fax: 704.749.7908 [email protected]

Lee E. Haynes, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Lee has more than 20 years of combined experience in public accounting and accounting/management positions in publicly held companies. He has participated in the audits of larger entities, including multinational and multistate operations. Lee concentrates his time in the financial services industry, serving both publicly traded and privately held community banks located in North Carolina, South Carolina and Virginia. In addition to financial services expertise, Lee has extensive experience with preparation of consolidated financial statements, Securities and Exchange Commission (SEC) filings and Sarbanes-Oxley compliance. This experience is complemented by Lee’s work on engagements involving internal controls within an organization. Lee performs audits of the design and operating effectiveness of internal controls at service organizations under SSAE 16 (formerly SAS 70) SOC 1 Type 1 and Type 2 engagements, as well as AT 101 SOC 2 Type 1 and Type 2 engagements. He has also overseen audits of internal control over financial reporting as required by Sarbanes-Oxley and FDICIA for audit clients, and has assisted in the design, documentation and implementation of internal control programs for non-audit clients.

Education, Credentials and Special Training
Certified Public Accountant
B.A., Accounting, Furman University
National Banking School, McIntire School of Commerce at the University of Virginia

Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Georgia Society of Certified Public Accountants
North Carolina Bankers Association
South Carolina Bankers Association
Virginia Bankers Association
Independent Bankers Association of South Carolina
Georgia Bankers Association


200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.242.2691 Office: 864.242.3370 Fax: 864.241.5798 [email protected]

F. Andrew Mitchell, CPA
Shareholder
Services: Assurance, Consulting | Industries: Financial Services, Manufacturing & Distribution, Professional Services

Professional Overview
Andy focuses on providing clients with corporate strategy, transaction, finance and auditing services. With 40 years of accounting experience, including 20 years with a Big Four accounting firm, his extensive background includes significant work with public companies and merger and acquisition transactions in the financial services, professional services, manufacturing and distribution industry sectors. As an audit partner, Andy served numerous public company clients and was the partner for more than a dozen initial public offerings. He recently completed five years as an elected member of the firm’s Executive Committee and currently serves as the managing shareholder for the Greenville office assurance practice.

Andy also served as chief financial officer for a publicly held company and two large private companies. In this capacity, he was responsible for all financial areas including accounting, acquisitions, budgeting, forecasting, credit, cash management, borrowings, information systems and stock offerings for these companies. Andy participated in the completion of an initial public offering and a secondary offering for the public company, which owned numerous retail stores, then negotiated the sale of the company. He also participated in the acquisition of a large operating subsidiary in the aviation service industry, where he was actively involved in the completion of an underwritten bond offering and subsequent registration of those securities. For the third company, he was responsible for the reorganization and ultimate sale of the company, which was involved in the sale of hardware and software development and integration services for national retail chains.

Since joining Elliott Davis Decosimo in 2004, Andy has been responsible for the formation and development of the firm’s transaction services practice and for serving financial institutions as a client service shareholder, including several public reporting companies.

Education, Credentials and Special Training
Certified Public Accountant
B.B.A., Accounting, University of Cincinnati

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants
Ohio Society of Certified Public Accountants


700 East Morehead Street Suite 400 Charlotte, NC 28202 Direct: 704.808.5293 Office: 704.333.8881 Fax: 704.749.7993 [email protected]

George Noonan, CPA
Shareholder
Services: Tax | Industries: Financial Services

Professional Overview
With more than 18 years of experience in public accounting, George has worked extensively in the banking and related industries. He provides his clients with a variety of services including tax planning and research, ASC 740 consultation, FIN 48 analysis, tax return preparation, quarterly estimate preparation, forecasts and projections. His experience includes tax preparation and consulting for numerous financial institutions. George has served multi-billion dollar financial institutions filing complex consolidated and multi-state income tax returns.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting and Finance, Wright State University
Bank Tax Institute, annually

Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
North Carolina Bankers Association
South Carolina Bankers Association


Riverfront Plaza West Tower, Suite 1000 901 E. Byrd Street Richmond, VA 23219 Direct: 804.887.2256 Office: 804.612.4380 Fax: 877.803.0432 [email protected]

Paul M. Pickett, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Paul focuses on providing professional accounting services to the financial services industry, specifically community banks. With more than 20 years of public accounting experience, he has served on audit engagements for more than 40 community banks and bank holding companies in Virginia, West Virginia, North Carolina and South Carolina. Paul has extensive knowledge of GAAP and SEC policies and assists clients with the preparation of consolidated financial statements, quarterly reviews, SEC filings and reporting, and merger and acquisition reporting. In addition, he serves as an instructor for a number of continuing education courses relating to financial institution accounting and auditing.

Education, Credentials and Special Training
Certified Public Accountant
University of Virginia National Banking School and National Banking Conference, American Institute of Certified Public Accountants
B.B.A., Accounting, Radford University

Professional Affiliations
American Institute of Certified Public Accountants
Virginia Society of Certified Public Accountants
North Carolina Bankers Association
Virginia Association of Community Banks
Virginia Bankers Association
West Virginia Bankers Association


700 East Morehead Street Suite 400 Charlotte, NC 28202 Direct: 704.808.5216 Office: 704.333.8881 Fax: 704.749.7916 [email protected]

Christopher R. Purvis, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Chris has more than a decade of experience providing audit and consulting services for financial institutions. Chris leads the firm’s Compliance Consulting Services group; his training relevant to compliance includes the North Carolina Bankers Association's Regulatory Compliance School. Prior to joining Elliott Davis Decosimo in August 2009, Chris was employed as the Controller of American Founders Bank, a mid-sized community bank headquartered in Lexington, Kentucky. Chris' prior experience in public accounting was with BKD, LLP in Louisville, Kentucky and Dean, Dorton & Ford PSC in Lexington, Kentucky. Chris' primary focus in public accounting has been providing services for community banks, including external audit, internal audit, regulatory compliance, external loan reviews, Bank Secrecy Act reviews and interest rate risk testing.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of Kentucky
B.B.A., Finance, University of Kentucky
General School of Banking, Kentucky Bankers Association
Regulatory Compliance School, North Carolina Bankers Association

Professional Affiliations
American Institute of Certified Public Accountants
North Carolina Association of Certified Public Accountants
North Carolina Bankers Association

Civic and Community Activities
Board of Directors, Charlotte Steeplechase Association/Charlotte Queen’s Cup


200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.242.2638 Office: 864.242.3370 Fax: 864.241.5819 [email protected]

Garry A. Rank, CPA
Shareholder
Services: Assurance | Industries: Financial Services, SEC Reporting

Professional Overview
Garry focuses on corporate auditing and accounting as well as consultation regarding governance, financial systems and internal controls. With more than 34 years of experience, his industry concentrations include financial services, manufacturing and Securities and Exchange Commission (SEC) reporting. Additional professional experience includes the management of complex engagements, mergers and acquisitions, projects involving subsidiary companies and the application of accounting and reporting standards.

Education, Credentials and Special Training
Certified Public Accountant
Graduate, American Bankers Association, Business of Banking School
B.S., Accounting, University of Akron

Professional Affiliations
American Institute of Certified Public Accountants, Center for Audit Quality Small Firm Task Force
South Carolina Bankers Association
North Carolina Bankers Association
Georgia Bankers Association

Civic and Community Activities
Past President and Past Treasurer, Habitat for Humanity of Greenville County
Alumnus, Leadership Greenville, Greenville Chamber of Commerce
Past President and Past Treasurer, Greenville Breakfast Rotary Club

Thought Leadership
Speaker on audit committee responsibilities: SCBA/FDIC Directors College, 2003-2012; NCBA Bank Directors Assembly, 2004, 2007-2012
Presentations on SEC, corporate governance and new accounting pronouncements: Elliott Davis Decosimo CFO forum, 2003-2013
Authored various articles for publication regarding corporate governance, the Sarbanes-Oxley Act of 2002 and ethics


200 East Broad Street Suite 500 Greenville, SC 29601 Direct: 864.242.2625 Office: 864.242.3370 Fax: 864.241.5830 [email protected]

Barbara S. Rushing, CPA
Shareholder
Services: Assurance | Industries: Financial Services

Professional Overview
Barbara focuses on providing services to SEC clients in the financial services industry. With more than 20 years of experience, including several years at a Big Four accounting firm, Barbara has extensive knowledge of GAAP and SEC policies. She works with SEC registrant clients on complex accounting issues, comment letters, stock offerings and merger and acquisition reporting. Barbara has serviced more than 40 public offerings. Barbara is Vice Chairperson of the Firm’s Assurance & Advisory Committee, a technical committee that oversees quality control policies and risk management of the Firm’s attest practice.

Education, Credentials and Special Training
Certified Public Accountant
B.S., Accounting, University of South Carolina

Professional Affiliations
American Institute of Certified Public Accountants
South Carolina Association of Certified Public Accountants


1901 Main Street Suite 900 Columbia, SC 29201 Direct: 803.255.1214 Office: 803.256.0002 Fax: 864.241.5808 [email protected]

Beverly A. Seier, CPA, CPCU
Shareholder
Services: Tax | Industries: Financial Services and Insurance

Professional Overview
With more than 20 years of experience, Bev focuses on serving financial institutions, insurance companies and SEC registrants. She provides both public and private clients with a wide range of services, including tax planning and compliance, ASC 740 and SSAP 101 tax provision consulting, federal and state audit examination assistance, mergers and acquisitions tax planning, and Sec. 382 change-in-control and 280G golden parachute studies. Prior to joining Elliott Davis Decosimo, Bev was a Tax Partner at a Northeast-based accounting firm.

Education, Credentials and Special Training
Certified Public Accountant
Chartered Property Casualty Underwriter
B.S., Business Administration/Accounting and Mathematics, magna cum laude, University of Mary Washington

Professional Affiliations
American Institute of Certified Public Accountants
Pennsylvania Institute of Certified Public Accountants


North Carolina Internal Audit and Compliance Insights
Tuesday, May 5, 2015
Grandover Resort, Greensboro, North Carolina

Participants (name | organization | title):

Wayne Adams | North State Bank | Senior Vice President, Risk and Compliance Officer
J. Michelle Bailey | TrustAtlantic Bank | VP and Bank Controller
Bonnie Bastow | Elliott Davis Decosimo | Manager
Bennie Benge | Great State Bank | Internal Auditor
Jay Brietz | Elliott Davis Decosimo | Senior Manager
Jason Brodmerkel | Elliott Davis Decosimo | Manager
Kelly Brown | High Point Bank & Trust | Vice President
Drew Bryan | Elliott Davis Decosimo | Manager
Darlene Buchanan | Paragon Bank | AVP/Audit Officer
Jason Caskey | Elliott Davis Decosimo | Financial Services Practice Leader
Willie Closs | M&F Bank | Board Member
Ryan Collier | Elliott Davis Decosimo | Senior Consultant
Richard Cook | Elliott Davis Decosimo | Director
Matthew Cordell | Ward and Smith, P.A. | Attorney
Don Davis | Select Bank & Trust Company | Independent Loan Review Manager
Mildred Dixon | HomeTrust Bank | Internal Auditor
Anita Easter | First Community Bank | Board Director
Joy Fisher | Carolina Bank | SVP / Internal Audit & Enterprise Risk Manager
Christy Flynt | Sound Bank | SVP / Chief Compliance Officer and Operating Officer
Fred Gennari | Paragon Bank | Director of Internal Audit
Jeff Gordon | High Point Bank and Trust | Senior Auditor
Leslie Hambrick | Peoples Bank | First VP, Chief Internal Auditor
Chadwick Hammond | Lumbee Guaranty Bank | Chief Financial Officer
Lenaire Harrison | HomeTrust Bank | Staff Auditor II
Mary Hauser | First Citizens Bank | Staff Auditor II
Lee Haynes | Elliott Davis Decosimo | Shareholder
Jeremy Helms | Elliott Davis Decosimo | Senior


Lisa Herring | Four Oaks Bank | Senior Vice President, General Auditor
Carrie Hewitt | Yadkin Bank | Chief Auditor
TC Hinkle | Elliott Davis Decosimo | Manager
Betsy Hocutt | High Point Bank & Trust | Senior Auditor
Hilay Hoskins | Federal Deposit Insurance Corporation | Financial Institution Examiner
Anne Howard | TrustAtlantic Bank | Senior Vice President
Mike Kidd | NewBridge Bank | Director Corporate Audit Services and CRO
Laura Kirk | First Citizens Bank | SVP / Senior Audit Manager
Sara Kollien | Wells Fargo & Company | Accounting, Governance & Oversight Consultant
Michael Koupal | Elliott Davis Decosimo | Senior Manager
Katie Lagasse | First Citizens Bank | Internal Audit
Kristin Lang | Carolina Premier Bank | Director
Amy Macari | Carolina Premier Bank | Chief Administrative Officer
Bill McKendry | Bank of North Carolina | Chief Enterprise Risk Officer
Becky Melton | Grayson National Bank | Chief Credit Officer
Scott Mercer | McGriff, Seibels & Williams, Inc. | Senior Vice President
Dan Metcalf | Old Town Bank | Controller
George Noonan | Elliott Davis Decosimo | Shareholder
Edward Payne | Taylorsville Savings Bank, SSB | Secretary/Treasurer, CFO
Chris Purvis | Elliott Davis Decosimo | Shareholder
Austin Ramsey | Elliott Davis Decosimo | Senior
Melody Reed | Elliott Davis Decosimo | Manager
Anna Robinson | Elliott Davis Decosimo | Practice Growth Coordinator
Nick Rossini | Yadkin Bank | Director of Risk Management
Ryan Senegal | Federal Deposit Insurance Corporation | Examiner
Steve Setser | Select Bank & Trust | VP, General Auditor
Kay Smith | Fidelity Bank | Chief Risk Officer


Regina Smith | KS Bank | CFO
Alan Stapleton | Carolina Premier Bank | Controller
Cheryl Steed | High Point Bank & Trust | Vice President, Internal Audit
Ed Swing | Bank Consultant
Susan Thacker | Carter Bank & Trust | Auditor
Marshall Trull | Elliott Davis Decosimo | Senior
Rose Washofsky | Elliott Davis Decosimo | Business Development Director
Amy Watts | Union Bank & Trust Co | Chief Risk Officer
Josh White | Elliott Davis Decosimo | Senior Manager