SOC 1 audits for casinos: A commitment to robust financial controls and compliance

10.30.23

Maintaining financial integrity and compliance is of utmost importance for the thriving casino industry. To demonstrate a commitment to financial controls and accountability, casinos should consider undergoing a System and Organization Controls (SOC) 1 audit.

Below, we’ve outlined the ways that SOC 1 audits can safeguard casino financial operations, ensure regulatory compliance, and foster trust among stakeholders.

Help ensure robust financial controls are in place

Casinos handle substantial amounts of financial transactions, making it crucial to have robust financial controls in place. SOC 1 audits focus on evaluating a casino's internal controls related to financial reporting. By undergoing a SOC 1 audit, casinos can identify and rectify any weaknesses or deficiencies in their financial processes and systems. This assessment helps ensure the accuracy, reliability, and security of financial data, mitigating the risk of fraud, misstatements, or financial irregularities.

Demonstrate regulatory compliance

Compliance with regulatory requirements is a non-negotiable aspect of the casino industry. SOC 1 audits provide a comprehensive examination of a casino's control environment to determine compliance with relevant financial regulations and industry standards. By successfully completing a SOC 1 audit, casinos can demonstrate their adherence to regulatory frameworks such as the Sarbanes-Oxley Act (SOX) or other applicable regulations. This certification enhances a casino's reputation and instills confidence among investors, financial institutions, and regulatory authorities.

Enhance stakeholder trust

Stakeholder trust is vital for the long-term success of any casino. By voluntarily undergoing a SOC 1 audit, a casino can showcase its commitment to financial transparency and accountability. The audit process evaluates the design and effectiveness of internal controls, helping ensure that financial information is accurate, complete, and accessible. This transparency reassures stakeholders, including shareholders, board members, and business partners, that the casino operates with integrity, thus strengthening relationships and fostering trust.

Mitigate operational risks

SOC 1 audits also help identify operational risks that may impact a casino's financial processes. By evaluating control activities, risk assessment procedures, and monitoring mechanisms, the audit provides valuable insights into potential vulnerabilities. Addressing these risks allows casinos to strengthen their operational resilience, prevent financial losses, and help ensure the continuity of their business operations. SOC 1 audits serve as a proactive measure to identify and rectify operational weaknesses, improving overall efficiency and risk management practices.

For casinos to thrive in a highly regulated and financially sensitive industry, helping ensure strong financial controls and compliance is crucial. SOC 1 audits provide a rigorous framework to evaluate internal controls, demonstrate compliance with regulations, and foster stakeholder trust. By undergoing SOC 1 audits, casinos can uphold financial integrity, protect against risks, and solidify their position as trusted and compliant establishments.

BerryDunn’s Technology Assurance Team has more than 25 years of specialized experience in providing auditing services to casinos, sportsbooks, and their providers. We provide industry-leading knowledge, including an in-depth understanding of standards, regulations, and compliance requirements, as well as a commitment to meet the evolving needs of our current and future clients. Throughout the years, our team has cultivated a robust understanding of what an ideal control environment looks like for our casino and sportsbook industry clients, and we can help you get there. Contact our team to learn more.


Read this if you are a bank with over $1 billion in assets.

It’s no secret COVID-19 has had a substantial impact on the economy. As unemployment soared and the economy teetered on the edge of collapse, unprecedented government stimulus attempted to stymie the COVID-19 tidal wave. One tool used by the government was the creation of the Paycheck Protection Program (PPP). Part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the PPP initially authorized the lending of $349 billion to encourage businesses to keep workers employed and cover certain operating expenses during the coronavirus pandemic. The PPP was then extended through August 8, 2020 with an additional $310 billion authorized.

Many financial institutions scrambled to free up resources and implement processes to handle the processing of PPP loan applications. However, such underwriting poses unique challenges for financial institutions. PPP loans are 100% guaranteed by the US Small Business Administration (SBA) if the borrowers meet certain criteria. Establishing appropriate controls over the loan approval and underwriting process is more a matter of ensuring compliance with the PPP, rather than ensuring the borrower can repay their loan.

Federal Deposit Insurance Corporation Improvement Act of 1991 compliance 

Banks with total assets over $1 billion as of the beginning of their fiscal year must comply with the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). Amongst other things, FDICIA requires management perform an assessment and provide a resulting attestation on the operating effectiveness of the bank’s internal controls over financial reporting (ICFR) as of the bank’s fiscal year-end. Although this attestation is as of year-end, management must perform testing of the bank’s ICFR throughout the bank’s fiscal year to obtain sufficient evidence regarding the operating effectiveness of ICFR as of year-end. Key controls over various transaction cycles are typically housed in a matrix, making it easy for management and other users, such as independent auditors, to review a bank’s key ICFR. 

Internal control documentation

If the process for originating PPP loans is different from the bank’s process for traditional loan products, it’s likely the internal controls surrounding this process are also different. Given that $659 billion in PPP loans have been granted to date, it is possible PPP loans may be material to individual banks’ balance sheets. If PPP loans are material to your bank’s balance sheet, you should consider the controls that were put in place. If the controls are deemed to be different from those already documented for other types of loans, you should document such controls as new controls in your FDICIA matrix and test accordingly.

As noted earlier, the risks a financial institution faces with PPP loans are likely different from traditional underwriting. If these unique risks could impact amounts reported in the financial statements, it’s smart to address them through the development of internal controls. Banks should assess their individual situations to identify any risks that may have not previously existed. For instance, given the volume of PPP loans originated in such a short period of time, quality control processes may have been stretched to their limits. The result could be PPP loans inaccurately set up in the loan accounting system or loan files missing key information. Depending on the segregation of duties, the risk could even be the creation of fictitious PPP loans. A detective internal control that could address inaccurate loan setup would be to scan a list of PPP loans for payment terms, maturity dates, or interest rates that appear to be outliers. Given the relatively uniform terms for PPP loans, any anomalies should be easily identifiable. 

Paycheck Protection Program loan fees

Aside from internal controls surrounding the origination of PPP loans, banks may also need to consider documenting internal controls surrounding PPP loan fees received by the SBA. Although the accounting for such fees is not unique, given the potential materiality to the income statement, documenting such a control, even if it is merely addressing the fees in an already existing control, exhibits that management has considered the impact PPP loan fees may have on their ICFR. 

The level of risk associated with PPP loan fees may differ from institution to institution. For instance, a bank that is calculating its PPP loan fees manually rather than relying on the loan accounting system to record and subsequently recognize income on these fees, inherently has more risk. This additional level of risk will need to be addressed in the development and documentation of internal controls. In this example, a periodic recalculation of PPP loan fees on a sample basis, including income recognition, may prove to be a sufficient internal control.

With the calendar year-end fast approaching, it is time to take a hard look at those FDICIA matrices, if you haven’t already done so:

  • Consider what has changed at your bank during the fiscal year and how those changes have impacted the design and operation of your internal controls. 
  • Ensure that what is happening in practice agrees to what is documented within your FDICIA matrix. 
  • Ensure that new activities, such as the origination of PPP loans, are adequately documented in your FDICIA matrix. 

With Congress considering another round of PPP loans, there is no time like the present to make sure your bank is ready from an ICFR perspective. If you have questions about your specific situation, or would like more information, please contact the FDICIA compliance team.

Do your FDICIA controls "CARES" about the Paycheck Protection Program?

Read this if you are a Maine business or organization that has been affected by COVID-19. 

The State of Maine has released a $200 million Maine Economic Recovery Grant Program for companies and organizations affected by the COVID-19 pandemic. Here is a brief outline of the program from the state, and a list of eligibility requirements. 

“The State of Maine plans to use CARES Act relief funding to help our economy recover from the impacts of the global pandemic by supporting Maine-based businesses and non-profit organizations through an Economic Recovery Grant Program. The funding originates from the federal Coronavirus Relief Fund and will be awarded in the form of grants to directly alleviate the disruption of operations suffered by Maine’s small businesses and non-profits as a result of the COVID-19 pandemic. The Maine Department of Economic & Community Development has been working closely with affected Maine organizations since the beginning of this crisis and has gathered feedback from all sectors on the current challenges.”

Eligibility requirements for the program from the state

To qualify for a Maine Economic Recovery Grant your business/organization must: 

  • Demonstrate a need for financial relief based on lost revenues minus expenses incurred since March 1, 2020 due to COVID-19 impacts or related public health response; 
  • Employ a combined total of 50 or fewer employees and contract employees;
  • Have significant operations in Maine (business/organization headquartered in Maine or have a minimum of 50% of employees and contract employees based in Maine); 
  • Have been in operation for at least one year before August 1, 2020; 
  • Be in good standing with the Maine Department of Labor; 
  • Be current and in good standing with all Maine state payroll taxes, sales taxes, and state income taxes (as applicable) through July 31, 2020;
  • Not be in bankruptcy; 
  • Not have permanently ceased all operations; 
  • Be in consistent compliance and not be under any current or past enforcement action with COVID-19 Prevention Checklist Requirements; and 
  • Be a for-profit business or non-profit organization, except
    • Professional services 
    • 501(c)(4), 501(c)(6) organizations that lobby 
    • K-12 schools, including charter, public and private
    • Municipalities, municipal subdivisions, and other government agencies 
    • Assisted living and retirement communities 
    • Nursing homes
    • Foundations and charitable trusts 
    • Trade associations 
    • Credit unions
    • Insurance trusts
    • Scholarship funds and programs 
    • Gambling 
    • Adult entertainment 
    • Country clubs, golf clubs, other private clubs 
    • Cemetery trusts and associations 
    • Fraternal orders 
    • Hospitals, nursing facilities, institutions of higher education, and child care organizations (Alternate funding available through the Department of Education and Department of Health and Human Services for hospitals, nursing facilities, child care organizations, and institutions of higher education.)

For more information

If you feel you qualify, you can find more details and the application here. If you have questions about your eligibility, please contact us. We’re here to help. 

$200 Million Maine Economic Recovery Grant Program released

Read this if your company is seeking assistance under the PPP.

The rules surrounding PPP continue to rapidly evolve. As of June 22, 2020, we are anticipating some additional clarifications in the form of an interim final rule (or IFR) and additional answers to frequently asked questions (FAQ). The FAQs were last updated on May 27, 2020. For the latest information, please be sure to check our website or the Treasury website.

A few important changes:

  1. The loan forgiveness application, and instructions, have been updated.
  2. There is a new EZ form, designed to streamline the forgiveness process, if borrowers meet certain criteria.
  3. Changes now allow for businesses to use 60% of the PPP loan proceeds on payroll costs, down from 75%.
  4. Businesses now have 24 weeks to use the loan proceeds, rather than the original eight-week period (or by December 31, 2020, whichever comes earlier).
  5. The rules around what is a full-time equivalent (FTE) employee and the safe harbors with respect to employment levels and forgiveness have been clarified.
  6. Entities can defer payroll taxes through the ERC program, even if forgiveness is granted.

These changes are designed to make it easier to qualify for loan forgiveness. In the event you do not qualify for loan forgiveness, you may be able to extend the loan to five years, as opposed to the original two years.

The relaxation on FTE reductions is significant. The reductions will NOT count against you when calculating forgiveness, even if you haven’t restored the same employment level, if you can document that:

  • you offered employment to people and they refused to come back, or
  • HHS, CDC, OSHA or other government intervention causes an inability to “return to the same level of business activity” as of 2/15/2020.

As of June 20, 2020, there was still an additional $128 billion in available funds. The program is intended to fund new loans through June 30, 2020. 

We’re here to help.
If you have questions about the PPP, contact a BerryDunn professional.

PPP loan forgiveness: Updates

Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

While COVID-19 has forced many of us into a remote work environment, we also have to deal with the challenges that come along with it. The stark contrast between an office environment and one that potentially involves working in isolation can be a difficult adjustment. Office kitchen conversations have evolved into conversations with pets, our newest co-workers. A quick, in-person question has now turned into an email, phone, or video call. And job responsibilities expand as we try to not only juggle work but also ensure our children focus on school work―and don’t destroy the house. 

Not only has this forced environment caused social challenges, it has also opened the door for internal control challenges, as internal controls designed to operate effectively in an office environment may not be ideal for a remote workplace. Even ones that are appropriately designed may prove to be operating ineffectively in this new environment. Let’s take a look at some internal control challenges, and potential solutions, faced by working in a remote environment.

Establishing a remote control environment

Exercising appropriate tone at the top and establishing appropriate oversight can be challenging with a remote workforce. Ethics and governance policies play an important role in setting clear expectations about workplace behaviors. But, a workforce is much more apt to follow a leadership team’s example rather than a policy. All of those office conversations, even the conversations that are not work related, help set an expectation of appropriate and inappropriate behaviors. These conversations often happen naturally in the office via a quick conversation in passing in the hallway or a late-Friday happy hour with your department. However, these interactions do not naturally occur in a remote workplace. Leadership and department heads should make an active effort to maintain communication with their workforce. Some things to consider:

  • Send out weekly emails to the entire department and possibly more personal, one-on-one videoconferences or phone calls between your department heads or managers and individual members of their teams.
  • These department-wide emails should stress the importance of communication as well as continuing to produce high quality work and maintaining accountability. 
  • One-on-one meetings should be used to check in with employees to ensure their work needs are being met. 

Employees will most likely have many suggestions to improve their new work environment, including suggestions on how to improve communication amongst team members. 

The power of video

Videoconferencing also provides a great opportunity to stay connected. Virtual happy hours simulate an in-person happy hour. This is a great way to check-in with team members and show that, although people are out of sight, they are not out of mind. Town hall-type meetings can also be explored. Your leadership team can solicit open discussion. Agenda items may include office status updates, technological considerations, and an opportunity for employees to openly discuss current challenges due to working in a remote environment. Employees are going to have anxiety about the current environment. These meetings can help put employees at ease.

Risk assessment

Internal control environments are constantly evolving. Employees leave. Software is updated. Offered services and products change. The list goes on. However, it is unprecedented that an internal control environment has changed so rapidly. Given these unprecedented times, there is potential for higher risk of fraud, internally and externally. Those responsible for designing internal controls (control owners) should reassess your company’s environment. Although internal controls can be designed in a manner in which they operate effectively regardless of the circumstances, it is possible there are unintended changes to processes that have occurred.

For instance, let’s say the employee responsible for reviewing loan file maintenance changes is now working an alternative work schedule due to personal obligations. This employee does not have the ability to make loan file changes; therefore, segregation of duties has never been an issue. An employee within loan servicing has agreed to take some of the employee’s responsibilities and is now reviewing some of the loan file maintenance changes, which has put this employee in a position to review some of their own changes. 

Furthermore, some internal controls that require employees be at a physical location to operate may also be compromised, such as inventory cycle counts. If these controls are unable to operate, control owners will need to consider the impacts on the affected transaction areas, and if there are compensating controls that can be designed to alleviate some of the control risk.

Control activities

Accounts payable and check signing

The accounts payable and cash disbursement process will most likely be upended as a result of your new remote environment. Bills received through the mail will need to be scanned to the accounts payable clerk for entry into the accounting system. Some offices have designated certain personnel responsible for checking mail on an infrequent basis, for instance, weekly. Check signing may also prove to be a challenge as blank check stock may be inaccessible. Electronic receipt of invoices and signing of checks, as well as the use of wire and ACH transfers, lend themselves as feasible solutions. Email approvals may suffice when multiple signers are needed to approve high dollar disbursements.

Segregation of duties

As mentioned above, it is possible processes have inadvertently changed, exposing certain internal controls to ineffectiveness. Segregation of duties may become difficult as employees shift to alternative work schedules or have other issues. Maintaining segregation of duties should be a top priority for control owners and is something that should be constantly assessed as circumstances change. Challenging times may make segregation of duties difficult and may force you to get creative by requesting employees perform duties they are not otherwise accustomed to performing.

Digital sign-offs

You should also consider the manner in which you document the completion of controls. Control owners should be cautious about the integrity of an employee’s initials simply typed onto a digital document, as any employee can perform this task. Digital signatures, which require an employee to enter credentials prior to signing, enhance the integrity of a sign-off and are often time stamped. Digital signatures may also “lock down” the document, prohibiting any changes to the signed document.

Timely review

Given the circumstances, it is not unreasonable that preparation and review may take longer than under normal circumstances. Even if additional time is granted for the preparation and review of documents, you should consider the implications this has on the transaction class as a whole. The longer it takes to complete a control, the greater the consequences may be if you identify an error. For instance, the impact of an incorrect change to a loan rate index can be substantial if not identified timely. If identified quickly, you can avoid consequences later.

Information and communication

For many companies that have moved from a paper to a digital environment, sharing of information should not be an issue. However, for those that still operate in a mostly paper environment, performing tasks and sharing information with team members may prove to be difficult. And, those without the capability of scanning and sending documents from home could compromise a specific internal control altogether. Being forced to work remotely may be the perfect excuse to move paper processes into a digital format.

Monitoring

Monitoring your internal control environment is of the utmost importance given these significant changes. Frequent conversations should be had with control owners to ensure changes to processes do not render controls ineffective. Identified gaps in internal controls should be addressed proactively. Provide control owners with the opportunity to discuss changes to control processes with Internal Audit or Risk Management so such departments can consider the impact of changes on internal control. This also gives these departments the opportunity to cover any resulting gaps.

Permanent changes

Once the remote workplace requirements end, the effects of working in such an environment will not. There are many benefits and efficiencies to be found in working remotely. As people have now been forced to work in such an environment, they will be more apt to continue to do so. Therefore, let’s take this opportunity to revise processes and internal controls to be “remote workplace” compatible. This will provide a long-lasting impact to your organization far beyond the pandemic. 
 

How does your control environment look in a remote world?

Editor’s note: Please read this if you are a not-for-profit board member, CFO, or any other decision maker within a not-for-profit.

In a time where not-for-profit (NFP) organizations struggle with limited resources and a small back office, it is important not to overlook internal audit procedures. Over the years, internal audit departments have been one of the first to be cut when budgets are tight. However, limited resources make these procedures all the more important in safeguarding the organization’s assets. Taking the time to perform strategic internal audit procedures can identify fraud, promote ethical behavior, help to monitor compliance, and identify inefficiencies. All of these lead to a more sustainable, ethical, and efficient organization. 

Internal audit approaches

The internal audit function can take on many different forms, depending on the size of the organization. There are options between the dedicated internal audit department and doing nothing whatsoever. For example:

  • A hybrid approach, where specific procedures are performed by an internal team, with other procedures outsourced. 
  • An ad hoc approach, where the board or management directs the work of a staff member.

The hybrid approach will allow the organization to hire specialists for more technical tasks, such as an in-depth financial analysis or IT risk assessment. It also recognizes internal staff may be best suited to handle certain internal audit functions within their scope of work or breadth of knowledge. This may add costs but allows you to perform these functions otherwise outside of your capacity without adding significant burden to staff. 

The ad hoc approach allows you to begin the work of internal audit, even on a small scale, without the startup time required in outsourcing the work. This approach utilizes internal staff for all functions directed by the board or management. This makes the ad hoc approach more budget friendly, as external consultants don’t need to be hired, though you will have to be wary of overburdening your staff.

With proper objectivity and oversight, you can perform these functions internally. To bring the process to your organization, first find a champion for the project (CFO, controller, compliance officer, etc.) to free up staff time and resources in order to perform these tasks and to see the work through to the end. Other steps to take include:

  1. Get the audit/finance committee on board to help communicate the value of the internal audit and review results of the work
  2. Identify specific times of year when these processes are less intrusive and won’t tax staff 
  3. Get involved in the risk management process to help identify where internal audit can best address the most significant risks at the organization
  4. Leverage others who have had success with these processes to improve process and implementation
  5. Create a timeline and maintain accountability for reporting and follow up of corrective actions

Once you have taken these steps, the next thing to look at (for your internal audit process) is a thoughtful and thorough risk assessment. This is key, as the risk assessment will help guide and focus the internal audit work of the organization in regard to what functions to prioritize. Even a targeted risk assessment can help, and an organization of any size can walk through a few transaction cycles (gift receipts or payroll, for example) and identify a step or two in the process that can be strengthened to prevent fraud, waste, and abuse.  

Here are a few examples of internal audit projects we have helped clients with:

  • Payroll analysis—in-depth process mapping of the payroll cycle to identify areas for improvement
  • Health and education facilities performance audit—analysis of various program policies and procedures to optimize for compliance
  • Agreed upon procedures engagement—contract and invoice/timesheet information review to ensure proper contractor selection and compliant billing and invoicing procedures 

Internal audits for companies of all sizes

Regardless of size, your organization can benefit from internal audit functions. Embracing internal audit will help increase organizational resilience and the ability to adapt to change, whether your organization performs internal audit functions internally, outsources them, or uses a combination of the two. For more information about how your company can benefit from an internal audit, or if you have questions, contact us.

Internal audit potential for not-for-profit organizations

Editor’s note: Read this if you are a Chief Executive Officer, Chief Financial Officer, Chief Risk Officer, Chief Information Officer, or Controller.

Last month, the Office of the Comptroller of the Currency (OCC) issued its Semiannual Risk Perspective for Fall 2019. The report addresses key issues facing banks and focuses on those that pose threats to their safety and soundness. According to the report:

  • Bank financial performance is strong due to a favorable credit environment and the longest economic expansion in U.S. history.
  • Capital levels have reached historical highs.
  • Return on equity was above its 2006 pre-crisis level for the first time at 12.7%.
  • Net income grew 8.22% from the same period a year ago; however, net interest income grew only 4%, as loan growth is below historical averages and an increasing number of banks are facing a flat or declining net interest margin.
  • There is continued weakness in residential and commercial real estate loan growth.
  • Delinquent and nonperforming loans remain below their long-term averages.


Banks can thrive even with economic uncertainty

While these trends indicate that 2019 was by and large an excellent year, banks cannot afford to be complacent, as 2019 also saw increasing risks to the industry. For instance, in 2019 there was much discussion of the future cessation of the London Interbank Offered Rate (LIBOR). The OCC has indicated it will increase its regulatory oversight regarding the anticipated cessation, to ensure banks assess their exposure to LIBOR and are appropriately planning their transition from the widely used benchmark rate. The Financial Accounting Standards Board (FASB) is also working on a project to address accounting issues that could arise from the transition from LIBOR.

And, although 2019 continued the longest economic expansion in US history, economic uncertainty exists due to, in part, the US-China trade conflict and ongoing Brexit discussions. This economic uncertainty has caused volatility in the interest rate environment. Aside from the yield curve inverting in 2019, banks also saw the Federal Funds target rate increase 25 basis points prior to decreasing 50 basis points. Given the typically asset-sensitive nature of banks’ balance sheets, the current interest rate environment will also put pressure on net interest margins. The current volatility of interest rates has caused the OCC to conclude interest rate risk is currently at heightened levels. 

Net interest income continues to be the most significant driver of net revenues for community banks, comprising nearly 80% of net revenues. With a difficult interest rate environment and lackluster loan growth in residential and commercial real estate, banks may face a difficult path ahead. Banks should tread cautiously, especially if this uncertainty persists. Asset-liability management will need to be a significant focus (more than usual) as banks try to position themselves to not only maintain profitability through this uncertainty, but also come out stronger than before. Specifically, if lower rates persist, asset growth will need to be a priority over deposit growth to maintain profitability at lower net interest margins. If loan growth continues to wane, this will prove to be difficult.

Innovations to compete with new lending sources

Adding to the list of threats to performance is the increasing amount of alternative financial resources available to borrowers. Banks have traditionally been the only source of credit for borrowers. However, technology has rapidly changed that landscape. Person-to-person (P2P) lending (also known as crowd lending, or social lending) allows people to borrow funds directly from another person, cutting out traditional lending sources (banks). Additionally, blockchain technology, if the hype is accurate, has the potential to eliminate the need for a financial intermediary altogether.

Banks are adapting to this competition and to customers looking for more convenience and alternative services by offering new, unique services that differentiate themselves from others and provide added value to the customer. Banks have delivered through remote deposit, ATMs, and interactive teller machines (ITMs). Banks will need to continue to adopt innovative services to remain competitive. 

For instance, banks could offer video conferencing services, in which customers could have a live conversation with a bank representative through their smartphone. This convenience would allow a customer to conduct a transaction, such as apply for a loan, from the convenience of their home, while still maintaining human interaction throughout the transaction. Such a service would help banks compete with digital channels offered by non-banks, such as Quicken Loans, which is now the largest mortgage originator in the United States.

Strategies to protect against technological risks

These services all require the use of existing and new technologies, which have caused banks to hold more personally identifiable information (PII) digitally across an increasing number of digital platforms. As noted by the OCC, this digital exposure has created persistent cybersecurity risks for banks. Adopting a robust cybersecurity framework is no longer an option. 

Banks should bring cybersecurity to the forefront of their strategic planning. Any strategic plan must consider cybersecurity implications, as a single disaster can be detrimental to a bank’s reputation. And, given this rapidly changing environment, the cybersecurity conversation must be ongoing through relevant bank committees and the board of directors.

Furthermore, these technological solutions require partnerships with businesses that banks would not traditionally partner with. Financial technology (fintech) companies are not just competitors to traditional banks. Many fintech companies are offering their technological solutions to traditional banks. However, outsourcing technological solutions to fintech companies and other businesses does not relieve a bank from performing its own due diligence and ensuring those companies meet the bank’s standards.

Banks should evaluate potential vendors to ensure they comply with the bank’s vendor management policy. Since environments are constantly changing, this evaluation should be ongoing. Many vendors now provide System and Organization Controls (SOC) reports, which detail the control environment at the vendor and involve independent third-party testing of those controls that exist at the vendor. SOC reports can provide a useful starting point for evaluating a vendor’s ongoing compliance with the bank’s vendor management policy. However, they are not a substitute for ongoing communication with a vendor.

There is no doubt 2019 was a successful year for banks. But past performance is not a guarantee of future success. Banks face many challenges, risks, and uncertainties, of which only a few have been outlined above. The current landscape may be challenging but it is also filled with opportunity. Banks should consider expanding their services, adopting new technologies, and partnering with other companies to leverage their strengths. Doing so should help them position themselves for an exciting decade ahead.

If you have specific concerns about challenges facing your institution, please contact the team

Article
Banking and finance: 2020 challenges and what to do to overcome them