CECL preparation for Internal Auditors and what clients can expect from their Internal Auditors

CECL preparation for Internal Auditors and what clients can expect from their Internal Auditors

Matt Clohessy, Audit Manager, Senior Vice President, KeyBank.

Matt, can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I’m an Audit Manager with KeyBank’s Credit Risk Review Division with over 10 years of experience as an Internal Auditor with regional financial institutions and three years of experience as a Systems Administrator outside of the financial services industry.

Currently my primary focus is on evaluating internal controls over Allowance for Loan and Lease Losses (ALLL) and CECL Implementation activities, and my background includes internal audit activities over commercial lending operations, credit risk governance, counterparty credit risk management, indirect auto lending, electronic banking delivery channels, cybersecurity, back office operations, and depository and lending regulatory compliance.

At the CECL Congress 2018, you will be speaking on your insight regarding, ‘Project management oversight and escalation’ Why is this a key talking point in the industry right now?

Anytime organizations undertake long lived projects that take multiple years to plan, develop, implement and productionize, having effective project management activities are critical to ensure the best possible outcomes. Ensuring there is appropriate oversight and credible challenge to a project status and ensuring significant issues are escalated timely and to the right stakeholders is necessary to ensure key deliverables are achieved within their intended target timeframes. With CECL having a required implementation date, adequate project management activities are critical to an instution’s success in implementing CECL on time and with manageable levels of post-implementation issues to resolve.

Can you provide a brief overview of the essential things to remember when defining a review strategy and assessing partnerships between the three lines of defense?

Given the scope and magnitude of CECL, it’s important for Auditors to define what their strategy or plan is to incorporate CECL implementation and compliance within their risk universe and obtain appropriate levels of coverage. A key part of defining an appropriate strategy is assessing the partnership between first, second and third line stakeholders. Depending on the strength of the divisions, as assessed in review results over the respective areas, and the working relationship that Internal Audit has with those divisions, it will drive the scope and depth of review activities that Internal Audit would conduct versus leveraging and collaborating with first and second line partners.

Finally, what challenges do you foresee with CECL implementation over the coming years and how can institutions best plan to meet deadlines?

CECL was intentionally designed to not be prescriptive in its guidance so that this single standard can be implemented across organizations of varying levels of size and complexity. While this provides organizations a significant amount of flexibility in the methods used to comply with CECL, the lack of prescriptiveness can create challenges in determining whether the decided method is in compliance with CECL’s conceptual objectives and in the coming years, defending the decisions made to internal and external auditors and regulators who may have different interpretations or expectations.

The best way for organizations to manage these risks and still meet their deadlines for implementation are to include multiple viewpoints in their interpretations, be it across first line management, including second and third line, and/or seeking interpretations from their external auditors or other qualified external sources, as well as maintain documentation around the rationalization for how they’ve interpreted and decided to implement various components of CECL. An approach such as this will help identify areas where other stakeholders could potentially challenge management’s interpretations and have the right level of documentation in supporting decisions made.