Skip to Main Content

insightsarticles

Artificial intelligence and the future of internal audit

08.28.18

Artificial Intelligence, or AI, is no longer the exclusive tool of well-funded government entities and defense contractors, let alone a plot device in science fiction film and literature. Instead, AI is becoming as ubiquitous as the personal computer. The opportunities of what AI can do for internal audit are almost as endless as the challenges this disruptive technology represents.

To understand how AI will influence internal audit, we must first understand what AI is.The concept of AI—a technology that can perceive the world directly and respond to what it perceives—is often attributed to Alan Turing, though the term “Artificial Intelligence” was coined much later in 1956 at Dartmouth College, in Hanover, New Hampshire. Turing was a British scientist who developed the machine that cracked the Nazis’ Enigma code. Turing thought of AI as a machine that could convince a human that it also was human. Turing’s humble description of AI is as simple as it is elegant. Fast-forward some 60 years and AI is all around us and being applied in novel ways almost every day. Just consider autonomous self- driving vehicles, facial recognition systems that can spot a fugitive in a crowd, search engines that tailor our online experience, and even Pandora, which analyzes our tastes in music.

Today, in practice and in theory, there are four types of AI. Type I AI may be best represented by IBM’s Deep Blue, a chess-playing computer that made headlines in 1996 when it won a match against Russian chess champion Gary Kasparov. Type I AI is reactive. Deep Blue can beat a chess champion because it evaluates every piece on the chessboard, calculates all possible moves, then predicts the optimal move among all possibilities. Type I AI is really nothing more than a super calculator, processing data much faster than the human mind can. This is what gives Type I AI an advantage over humans.

Type II AI, which we find in autonomous cars, is also reactive. For example, it applies brakes when it predicts a collision; but, it has a low form of memory as well. Type II AI can briefly remember details, such as the speed of oncoming traffic or the distance between the car and a bicyclist. However, this memory is volatile. When the situation has passed, Type II AI deletes the data from its memory and moves on to the next challenge down the road.

Type II AI's simple form of memory management and the ability to “learn” from the world in which it resides is a significant advancement. 
The leap from Type II AI to Type III AI has yet to occur. Type III AI will not only incorporate the awareness of the world around it, but will also be able to predict the responses and motivations of other entities and objects, and understand that emotions and thoughts are the drivers of behavior. Taking the autonomous car analogy to the next step, Type III AI vehicles will interact with the driver. By conducting a simple assessment of the driver’s emotions, the AI will be able to suggest a soothing playlist to ease the driver's tensions during his or her commute, reducing the likelihood of aggressive driving. Lastly, Type IV AI–a milestone that will likely be reached at some point over the next 20 or 30 years—will be self-aware. Not only will Type IV AI soothe the driver, it will interact with the driver as if it were another human riding along for the drive; think of “HAL” in Arthur C. Clarke’s 2001: A Space Odyssey.

So what does this all mean to internal auditors?
While it may be a bit premature to predict AI’s impact on the internal audit profession, AI is already being used to predict control failures in institutions with robust cybersecurity programs. When malicious code is detected and certain conditions are met, AI-enabled devices can either divert the malicious traffic away from sensitive data, or even shut off access completely until an incident response team has had time to investigate the nature of the attack and take appropriate actions. This may seem a rather rudimentary use of AI, but in large financial institutions or manufacturing facilities, minutes count—and equal dollars. Allowing AI to cut off access to a line of business that may cost the company money (and its reputation) is a significant leap of faith, and not for the faint of heart. Next generation AI-enabled devices will have even more capabilities, including behavioral analysis, to predict a user’s intentions before gaining access to data.

In the future, internal audit staff will no doubt train AI to seek conditions that require deeper analysis, or even predict when a control will fail. Yet AI will be able to facilitate the internal audit process in other ways. Consider AI’s role in data quality. Advances in inexpensive data storage (e.g., the cloud) have allowed the creation and aggregation of volumes of data subject to internal audit, making the testing of the data’s completeness, integrity, and reliability a challenging task considering the sheer volume of data. Future AI will be able to continuously monitor this data, alerting internal auditors not only of the status of data in both storage and motion, but also of potential fraud and disclosures.

The analysis won’t stop there.
AI will measure the performance of the data in meeting organizational objectives, and suggest where efficiencies can be gained by focusing technical and human resources to where the greatest risks to the organization exist in near real-time. This will allow internal auditors to develop a common operating picture of the day-to-day activities in their business environments, alerting internal audit when something doesn’t quite look right and requires further investigation.

As promising as AI is, the technology comes with some ethical considerations. Because AI is created by humans, it is not always vacant of human flaws. For instance, AI can become unpredictably biased. AI used in facial recognition systems has made racial judgments based on certain common facial characteristics. In addition, AI that gathers data from multiple sources that span a person’s financial status, credit status, education, and individual likes and dislikes could be used to profile certain groups for nefarious intentions. Moreover, AI has the potential to be weaponized in ways that we have yet to comprehend.

There is also the question of how internal auditors will be able to audit AI. Keeping AI safe from internal fraudsters and external adversaries is going to be paramount. AI’s ability to think and act faster than humans will challenge all of us to create novel ways of designing and testing controls to measure AI’s performance. This, in turn, will likely make partnerships with consultants that can fill knowledge gaps even more valuable. 

Challenges and pitfalls aside, AI will likely have a tremendous positive effect on the internal audit profession by simultaneously identifying risks and evaluating processes and control design. In fact, it is quite possible that the first adopters of AI in many organizations may not be the cybersecurity departments at all, but rather the internal auditor’s office. As a result, future internal auditors will become highly technical professionals and perhaps trailblazers in this new and amazing technology.

Related Industries

Related Services

Consulting

Read this if you are at a financial institution.

Feeling stuck, or maybe even frozen, in your CECL readiness efforts? No matter where you are in the process, here are three things you can do right now to ensure your CECL implementation is on track:

  1. Create or re-visit your 2022 timeline
    With just under 12 months to the January 2023 CECL adoption date, it’s important to make every moment count. Consider CECL adoption your Olympic moment and, like every great Olympic athlete, you have interim events—a timeline of major milestones—to ensure you are ready for “Day 1” and beyond. One strategy to ensure you do not “run out of time” is to start at the end of your timeline and work backward.

    Tip: Whether it be 1/1/2023 (“Day 1” adoption), or the first date by which you want to start parallel runs, fix the date of that final must-hit milestone, and work backward. For example, in order to adopt CECL on 1/1/2023, what major milestone has to be achieved before then and how much time will you need for that? Setting milestones from the final date backward will help you fit the remaining major activities into the time you have left—you can’t “run out of time” this way!



     
  2. Assess where you are, tactically, and fill in the gaps
    What would an Olympic athlete be without a training schedule, and coaches, trainers, and other professionals to guide and push them? In order to make the most of each event (or milestone) in the countdown to CECL adoption, let’s fill in our training schedule. What key decisions still need to be made or documented? Who has the authority to approve them? What’s the right time and venue to obtain that approval? Will these be one-to-one, small group, or committee/board meetings? Will meetings be set up as-needed, or is the meeting schedule (e.g. quarterly executive/board) already set? Who are you engaging for model validation and key control review? What is the date of that review work? 

    Tip: Add those key approval, review, and validation dates to your timeline, and make sure the meeting time you need with decision-makers is booked in their calendars now. Scheduling this time in advance is a transparent and tangible sign that you’ve charted the course, helps ensure decision-makers are available to you when needed most, and incremental progress is being consistently made toward your ultimate goal. 
  3. Identify the top three tasks to complete this week, reserve the time in your calendar, and complete them!
    Like any athlete, you are now “in training”, and daily and weekly actions you take will ensure you reach your goal in as strong a position possible. Whether it’s scheduling those meetings, identifying subject matter experts you can rely upon for coaching, or putting the finishing touches on model documentation and internal control mapping, booking that time with yourself to complete these tasks is key to feeling prepared and ready for CECL adoption. 

    Tip: Set aside a few minutes at the end or start of each week to review your timeline/milestones and identify the next key actions to complete.

Would you like assistance with certain aspects of your CECL readiness efforts? Are you ready for some validation/review work, or need guidance on policy, governance, or internal/financial reporting controls?

Contact our Financial Institutions team. We'll help you get your CECL implementation over the finish line. 


 

Article
CECL implementation: Three steps for a medal-winning adoption 

Read this if you are a behavioral health agency leader looking for solutions to manage mental health, substance misuse, and overdose crises.

As state health departments across the country continue to grapple with rising COVID-19 cases, stalling vaccination rates, and public heath workforce burnout, other crises in behavioral health may be looming. Diverted resources, disruption in treatment, and the mental stress of the COVID-19 pandemic have exacerbated mental health disorders, substance use, and drug overdoses.

State agencies need behavioral health solutions perhaps now more than ever. BerryDunn works with state agencies to mitigate the challenges of managing behavioral health and implement innovative strategies and solutions to better serve beneficiaries. Read on to understand how conducting a needs assessment, redesigning processes, and/or establishing a strategic plan can amplify the impact of your programs. 

Behavioral health in crisis

The prevalence of mental illness and substance use disorders has steadily increased over the past decade, and the pandemic has exacerbated these trends. A number of recently released studies show increases in symptoms of anxiety, depression, and suicidal ideation. One CDC study indicates that in June 2020 over 40% of adults reported an adverse mental or behavioral health condition, which includes about 13% who have started or increased substance use to cope with stress or emotions related to COVID-19.1 

The toll on behavioral health outcomes is compounded by the pandemic’s disruption to behavioral health services. According to the National Council for Behavioral Health, 65% of behavioral health organizations have had to cancel, reschedule, or turn away patients, even as organizations see a dramatic increase in the demand for services.2,3 Moreover, treatment facilities and harm reduction programs across the country have scaled back services or closed entirely due to social distancing requirements, insufficient personal protective equipment, budget shortfalls, and other challenges.4 These disruptions in access to care and service delivery are having a severe impact.

Several studies indicate that patients report new barriers to care or changes in treatment and support services after the onset of the pandemic.5, 6 Barriers to care are particularly disruptive for people with substance use disorders. Social isolation and mental illness, coupled with limited treatment options and harm reduction services, creates a higher risk of suicide ideation, substance misuse, and overdose deaths.

For example, the opioid epidemic was still surging when the pandemic began, and rates of overdose have since spiked or elevated in every state across the country.7 After a decline of overdose deaths in 2018 for the first time in two decades, the CDC reported 81,230 overdose deaths from June 2019 to May 2020, the highest number of overdose deaths ever recorded in a 12-month period.8 

These trends do not appear to be improving. On October 3, the CDC reported that from March 2020 to March 2021, overdose deaths have increased 29.6% compared to the previous year, and that number will only continue to climb as more data comes in.9  

As the country continues to experience an increase in mental illness, suicide, and substance use disorders, states are in need of capacity and support to identify and/or implement strategies to mitigate these challenges. 

Solutions for state agencies

Behavioral health has been recognized as a priority issue and service area that will require significant resources and innovation. In May, the US Department of Health and Human Services' (HHS) Secretary Xavier Becerra reestablished the Behavioral Health Coordinating Council to facilitate collaborative, innovative, transparent, equitable, and action-oriented approaches to address the HHS behavioral health agenda. The 2022 budget allocates $1.6 billion to the Community Mental Health Services Block Grant, which is more than double the Fiscal Year (FY) 2021 funding and $3.9 billion more than in FY 2020, to address the opioid epidemic in addition to other substance use disorders.10 

As COVID-19 continues to exacerbate behavioral health issues, states need innovative solutions to take on these challenges and leverage additional federal funding. COVID-19 is still consuming the time of many state leaders and staff, so states have a limited capacity to plan, implement, and manage the new initiatives to adequately address these issues. Here are three ways health departments can capitalize on the additional funding.

Conduct a needs assessment to identify opportunities to improve use of data and program outcomes

Despite meeting baseline reporting requirements, state agencies often lack sufficient quality data to assess program outcomes, identify underserved populations, and obtain a holistic view of the comprehensive system of care for behavioral health services. Although state agencies may be able to recognize challenges in the delivery or administration of behavioral health services, it can be difficult to identify solutions that result in sustained improvements.

By performing a structured needs assessment, health departments can evaluate their processes, systems, and resources to better understand how they are using data, and how to optimize programs to tailor behavioral health services and promote better health outcomes and a more equitable distribution of care. This analysis provides the insight for agencies to understand not only the strengths and challenges of the current environment, but also the desires and opportunities for a future solution that takes into account stakeholder needs, best practice, and emerging technologies. 

Some of the benefits we have seen our clients enjoy as a result of performing a needs assessment include: 

  • Discovering and validating strengths and challenges of current state operations through independent evaluation
  • Establishing a clear roadmap for future business and technological improvements
  • Determining costs and benefits of new, alternative, or enhanced systems and/or processes
  • Identifying the specific business and technical requirements to achieve and improve performance outcomes 

Timely, accurate, and comprehensive data is critical to improving behavioral health outcomes, and the information gathered during a needs assessment can inform further activities that support programmatic improvements. Further activities might include conducting a fit-gap analysis, performing business process redesign, establishing a prioritization matrix, and more. By identifying the greatest needs and implementing plans to address them, state agencies can better handle the impact on behavioral health services resulting from the COVID-19 pandemic and serve individuals with mental health or substance use disorders more efficiently and effectively.

Redesign processes to improve how individuals access treatment and services

Despite the availability of behavioral health services, inefficient business and technical processes can delay and frustrate individuals seeking care and in some cases, make them stop seeking care altogether. With limited resources and increasing demands, behavioral health agencies should analyze and redesign work flows to maximize efficiency, security, and efficacy. Here are a few examples of process improvements states can achieve through process redesign:

  • Streamlined data processes to reduce duplicative data entry 
  • Automated and aligned manual data collection processes 
  • Integrated siloed health information systems
  • Focused activities to maximize staff strengths
  • Increased process transparency to improve communication and collaboration 

By placing the consumer experience at the core of all services, state health departments can redesign business and technical processes to optimize the continuum of care. A comprehensive approach takes into account all aspects that contribute to the delivery of behavioral health services, including both administrative and financial processes. This helps ensure interconnected activities continue to be performed efficiently and effectively. Such improvements help consumers with co-occurring disorders (mental illness and substance use disorder) and/or developmental disorders find “no wrong door” when seeking care. 

Establish a strategic plan of action to address the impact of the COVID-19 pandemic

With the influx of available dollars resulting from the American Recovery Plan Act and other state and federal investments, health departments have a unique opportunity to fund specific initiatives to enhance the delivery and administration of behavioral health services. Understanding how to allocate the millions of newly awarded dollars in an impactful and sustainable way can be challenging. Furthermore, the additional reporting and compliance requirements linked to the funding can be difficult to navigate in addition to current monitoring obligations. 

The best way to begin using the available funding is to develop and implement strategic plans that optimize funds for behavioral health programs and services. You can establish priorities and identify sustainable solutions that build capacity, streamline operations, and promote the equitable distribution of care across populations. A few of the activities state health departments have undertaken resulting from the strategic planning initiatives include: 

  • Modernizing IT systems, including data management solutions and Electronic Health Records systems to support inpatient, outpatient, and community mental health and substance use programs 
  • Promoting organizational change management 
  • Establishing grant programs for community-driven solutions to promote health equity for the underserved population
  • Organizing, managing, and/or supporting stakeholder engagement efforts to effectively collaborate with internal and external stakeholders for a strong and comprehensive approach

The prevalence of mental illness and substance use disorder were areas of concern prior to COVID-19, and the pandemic has only made these issues worse, while adding more administrative challenges. State health departments have had to redirect their existing staff to work to address COVID-19, leaving a limited capacity to manage existing state-level programs and little to no capacity to plan and implement new initiatives. 

The federal administration and HHS are working to provide financial support to states to work to address these exacerbated health concerns; however, with the limited state capacity, states need additional support to plan, implement, and/or manage new initiatives. BerryDunn has a wide breadth of knowledge and experience in conducting needs assessments, redesigning processes, and establishing strategic plans that are aimed at amplifying the impact of state programs. Contact our behavioral health consulting team to learn more about how we can help. 

Sources:
Mental Health, Substance Use, and Suicidal Ideation During the COVID-19 Pandemic, CDC.gov
COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
National Council for Behavioral Health Polling Presentation, thenationalcouncil.org
The Impact of COVID-19 on Syringe Services Programs in the United States, nih.gov
COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
COVID-19-Related Treatment Service Disruptions Among People with Single- and Polysubstance Use Concerns, Journal of Substance Abuse Treatment
Issue Brief: Nation’s Drug-Related Overdose and Death Epidemic Continues to Worsen, American Medical Association
Increase in Fatal Drug Overdoses Across the United States Driven by Synthetic Opioids Before and During the COVID-19 Pandemic, CDC.gov
Provisional Drug Overdose Death Counts, CDC.gov
10 Fiscal Year 2022 Budget in Brief: Strengthening Health and Opportunity for All Americans, HHS.gov

Article
COVID's impact on behavioral health: Solutions for state agencies

Read this if you are a community bank.

The Federal Deposit Insurance Corporation (FDIC) recently issued its third quarter 2021 Quarterly Banking Profile. The report provides financial information based on Call Reports filed by 4,914 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community bank performance. In third quarter 2021, this section included the financial information of 4,450 FDIC-insured community banks. Community banks are identified based on criteria defined in the FDIC’s 2020 Community Banking Study. Here are BerryDunn’s key takeaways from the community bank section of the report:

  • There was a $1.4 billion increase in quarterly net income from a year prior despite continued net interest margin (NIM) compression. This increase was mainly due to higher net interest income and lower provision expenses. Net interest income had increased $2.2 billion due to lower interest expense and higher commercial and industrial (C&I) loan interest income, mainly due to fees earned through the payoff and forgiveness of Paycheck Protection Program (PPP) loans. Provision expense decreased $1.4 billion from third quarter 2020. However, it remained positive at $270.4 million, which was an increase of $219.2 million from second quarter 2021. For noncommunity banks, provision expense was negative $5.2 billion for third quarter 2021

    *See Exhibit B at the end of this article for more information on the third-quarter year-over-year change in income.
     
  • Quarterly NIM increased 3 basis points from third quarter 2020 to 3.31%. The average yield on earning assets fell 20 basis points to 3.60% while the average funding cost fell 23 basis points to 0.29%. This was the first annual expansion of NIM since first quarter 2019. The annual decline in both yield and cost of funds were the smallest reported since first quarter 2020.
  • Net gains on loan sales revenue declined $1.2 billion (41.5%) from third quarter 2020. However, other noninterest income increased $343.3 million or 15.2% while revenue from service charges on deposit accounts increased $100.3 million or 14.5%. In total, noninterest income decreased $616.3 million from third quarter 2020.
  • Noninterest expense increased 5.7% from third quarter 2020. This increase was mainly attributable to salary and benefit expenses, which saw an increase of $402.2 million (4.3%). That being said, average assets per employee increased 10.4% from third quarter 2020. Noninterest expense as a percentage of average assets declined 12 basis points from third quarter 2020 to 2.45%, despite 74.1% of community banks reporting higher noninterest expense.
  • Noncurrent loan balances (loans 90 days or more past due or in nonaccrual status) declined by $847 million, or 7.1%, from second quarter 2021. The noncurrent rate dropped 4 basis points to 0.65% from second quarter 2021.
  • The coverage ratio (allowance for loan and lease losses as a percentage of loans that are 90 days or more past due or in nonaccrual status) increased 44.1 percentage points year-over-year to 203.5%. This ratio is well above the financial crisis average of 147.9% and is a record high. The coverage ratio for community banks is 26.2 percentage points above the coverage ratio for noncommunity banks.
  • Net charge-offs declined 4 basis points from third quarter 2020 to 0.06%.
  • Loans and leases declined from second quarter 2021 by 0.2%. This decrease was mainly seen in the C&I loan category, which was driven by a $45.6 billion decrease in PPP loan balances due to their payoff and forgiveness. Total loans and leases declined by $19.2 billion (1.1%) from third quarter 2020. The largest decline was shown in C&I loans ($87.3 billion or 24.9%). Growth in other loan categories, such as nonfarm nonresidential commercial real estate, construction & development, and multifamily loans of $69.9 million offset a portion of this decline. 

    *See Exhibit C at the end of this article for more information on the change in loan balances.
     
  • Nearly seven out of ten community banks reported an increase in deposit balances during the third quarter. Growth in deposits above the insurance limit increased by $57.8 billion, or 5.5%, while growth in deposits below the insurance limit showed an increase of $1.7 billion, or 0.1%, from second quarter 2021. In total, deposit growth was 2.6% during third quarter 2021.
  • The average community bank leverage ratio (CBLR) for the 1,737 banks that elected to use the CBLR framework was 11.3%. The average leverage capital ratio was 10.25%.
  • The number of community banks declined by 40 to 4,450 from second quarter 2021. This change includes one new community bank, 10 banks transitioning from community to noncommunity bank, five banks transitioning from noncommunity to community bank, 35 community bank mergers or consolidations, and one community bank having ceased operations.

Third quarter 2021 was another strong quarter for community banks, as evidenced by the increase in year-over-year quarterly net income of 19.6% ($1.4 billion). However, NIMs remain low despite seeing growth in the most recent quarter (for the first time since first quarter 2019), as shown in Exhibit A. The consensus remains that community banks will likely need to find creative ways to increase their NIM, grow their earning asset bases, or continue to increase noninterest income to maintain current net income levels. In regards to the latter, many pressures to noninterest income streams exist. Financial technology (fintech) companies are changing the way we bank by automating processes that have traditionally been manual (for instance, loan approval). Decentralized financing (DeFi) also poses a threat to the banking industry. Building off of fintech’s automation, DeFi looks to cut out the middle-man (banks) altogether by building financial services on a blockchain. Ongoing investment in technology should continue to be a focus, as banks look to compete with nontraditional players in the financial services industry. The larger, noncommunity banks are also putting pressure on community banks and their ability to generate noninterest income, as recently seen by Capital One Bank eliminating all overdraft fees.

According to the Consumer Financial Protection Bureau, the financial services industry brought in $15.5 billion in overdraft fees in 2019. Seen as a move to enhance Capital One Bank’s relationships with its customers, community banks will also need to find innovative ways to enhance relationships with current and potential customers. As fintech companies and DeFi become more mainstream and accepted in the marketplace, the value propositions of community banks will likely need to change.

The importance of the efficiency ratio (noninterest expense as a percentage of total revenue) is also magnified as community banks attempt to manage their noninterest expenses in light of low NIMs. Banks appear to be strongly focusing on noninterest expense management, as seen by the 12 basis point decline from third quarter 2020 in noninterest expense as a percentage of average assets, although inflated balance sheets may have something to do with the decrease in the percentage.

Furthermore, much uncertainty still exists. For instance, although significant charge-offs have not yet materialized, the financial picture for many borrowers remains uncertain. And, payment deferrals have made some credit quality indicators, such as past due status, less reliable. Payment deferrals for many borrowers are coming to a halt. So, the true financial picture of these borrowers may start to come into focus. The ability of community banks to maintain relationships with their borrowers and remain apprised of the results of their borrowers’ operations has never been more important. This monitoring will become increasingly important as we transition into a post-pandemic economy.

For seasonal borrowers, current indications, such as the most recent results from the Federal Reserve’s Beige Book, show that economic activity was modest in August and September 2021. Supply chain pressures, labor shortages, and concerns over COVID-19 variants (delta and now omicron) have slowed economic growth and continue to provide uncertainty as to (1) the trajectory of the economy, (2) whether inflation is transitory, and (3) the need for the Federal Reserve to increase the federal funds target rate. If an increase in the federal funds target rate is used to combat inflation, community banks could see their NIMs in another transitory stage.

Also, as offices start to open, employers will start to reassess their office needs. Many employers have either created or revised remote working policies due to changing employee behavior. If remote working schedules persist, whether it be full-time or hybrid, the demand for office space may decline, causing instability for commercial real estate borrowers. Banks should closely monitor these borrowers, as identifying early signs of credit deterioration could be essential to preserving the relationship.

The financial services industry is full of excitement right now. While the industry faces many challenges, these challenges also bring opportunity for banks to experiment and differentiate themselves. The forces at play right now indicate the industry will likely look much different ten years from now. However, as the pandemic has exhibited, you may be full steam ahead in one direction and then an unforeseen force may totally up-end your plans. As always, please don’t hesitate to reach out to BerryDunn’s Financial Services team if you have any questions.

Article
FDIC Issues its Third Quarter 2021 Quarterly Banking Profile

Read this if you are an employee benefit plan fiduciary.

Fiduciary risk management

This is the final article in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with ERISA requirements. You can find the full series here.

If, as part of your involvement with an employee benefit plan, you have decision-making ability; you advise those with decision-making ability; or someone tasks you with decision-making related to the plan, you are more likely than not, a fiduciary. As discussed in the first article of the series, this status comes with responsibilities and, therefore, risks and consequences.

The general approach to handling risk is a cycle of identifying, assessing, controlling, and reviewing controls over risks. Based on the assessment of a given risk, there are four ways to manage it: you can avoid, reduce, transfer, or accept the risk. 

Identifying and assessing fiduciary risk1 

The risks facing a plan fiduciary include, but are not limited to, the following:

Removal of fiduciary

In appropriate cases, a fiduciary may be removed and permanently prohibited from acting as a fiduciary or from providing services to ERISA plans.

Civil penalties

Among other penalties, the DOL may assess a civil penalty equal to 20% of the amounts recovered for the plan through litigation or settlement.

Criminal prosecution

Upon a conviction for a willful violation of ERISA’s reporting and disclosure requirements, a fiduciary may be subject to fines and/or imprisonment for not more than ten years. There is also a provision in ERISA that applies to any person, not just ERISA fiduciaries, that makes coercive interference with ERISA rights a criminal offense punishable by fines and/or imprisonment for up to ten years. In addition, outside of ERISA, there are a number of criminal statutes that apply to any person, not just ERISA fiduciaries, including criminal statutes for embezzling from an ERISA plan, making false statements in ERISA documents, and taking illegal kickbacks in connection with an ERISA plan.

Participant lawsuits

Additionally, plan participants may file a lawsuit against the fiduciary for breach of their fiduciary duty. Over the past few years, this has become more common and has generally been related to the fiduciary’s failure to adequately negotiate and monitor plan fees. 

Co-fiduciary liability

ERISA's unique co-fiduciary liability provisions make each fiduciary responsible for the actions of the other plan fiduciaries but only under certain circumstances. As a general rule, fiduciaries aren’t responsible for the breach of another fiduciary unless:

  • They participate knowingly in, or knowingly undertake to conceal, an act or omission of such other fiduciary, knowing such act or omission is a breach;
  • Their failure to be prudent in the administration of their own fiduciary responsibilities enables the other fiduciary to commit a breach; or
  • They have knowledge of a breach by such other fiduciary and don’t make reasonable efforts under the circumstances to remedy the breach.

Controlling fiduciary risk

There are several ways to effectively manage fiduciary risk. When used together, they give you solid controls to greatly reduce your level of risk.

Plan documentation

A fiduciary and/or plan sponsor should reduce their exposure to the risks identified above and their first line of defense is through plan documentation (discussed in depth here). Broadly speaking, the organizers and fiduciaries of the plan should ensure that policies and procedures are laid out to ensure proper oversight and internal controls are in place to prevent any voluntary or involuntary noncompliance with ERISA and the DOL.

Oversight

Fiduciaries should meet formally on a regular basis to review the plan’s offerings, service providers, fees, and other issues that may affect the plan. A single individual who is the sole fiduciary for a plan may not have the knowledge or bandwidth to appropriately fulfill the responsibilities of the plan. Additionally, having an auditor come in and audit the plan can help identify some of the risks identified above, although an audit of the plan does not reduce your responsibility to monitor and review the plan’s activity on an ongoing basis.

Third Party Administrators (TPA) & recordkeepers

Fiduciaries may also be able to mitigate some of the risks identified above through use of a TPA and/or recordkeeper. While TPAs and recordkeepers are not generally considered fiduciaries or co-fiduciaries, TPAs have varying service offerings, including recordkeeping, that are powerful tools to plan administrators to review and operate the plan. For example, depending on the plan sponsor’s existing payroll and HR structure, inclusive of TPAs and recordkeepers, fiduciaries may be able to automate the transfer of contributions to ensure timeliness of deposits. The plan may also be able to add another layer of internal controls by incorporating the TPA’s or recordkeeper’s internal controls into the plan’s control environment assuming the fiduciary has gained an understanding and comfort around the controls present at the TPA and/or recordkeeper.

Professional investment advisors and co-fiduciaries

Employee benefit plans must meet certain requirements with regard to their investment offerings. For instance, the plan must allow participants to invest in a diversified portfolio. The plan may try to transfer some of these risks and employ the help of a professional investment advisor to help ensure the plan’s investment offerings meet such criteria. This could involve hiring either an ERISA 3(21) fiduciary or an ERISA 3(38) fiduciary. The former serves as an advisor and a co-fiduciary, but does not have any authority by themselves, while the latter is an investment manager and therefore authorized to select investments for the plan. Doing so may help demonstrate to regulators that a fiduciary has fulfilled their duty in this regard. Alternatively, a plan may hire a 3(16) Fiduciary. 3(16) Fiduciaries are individuals or organizations that are charged with running plans as the plan administrator. A company may be able to shift most of their fiduciary risk to such a fiduciary. 

In any case, the plan fiduciary must continue to monitor a 3(16), 3(21) or 3(38) advisor to make sure it is still prudent to use that advisor.

Bonding and fiduciary liability insurance

Bonding is required for most EB plans and does not protect the fiduciary from any risk. It does however protect the plan from fraud or dishonesty. On the other hand, fiduciary liability insurance can protect the fiduciary in the case of breach of fiduciary duty. This type of insurance is not required but is another option to transfer fiduciary risk.

As mentioned in our second article, much like owning a car, regular preventative maintenance can help you avoid the need for costly repairs. Plan fiduciaries should periodically refresh their understanding of ERISA requirements and re-evaluate their current and future business activities on an ongoing basis. Doing so will help mitigate any risks associated with non-compliance with the DOL and IRS and keep the plan running smoothly. 

Need help navigating the fiduciary road? Reach out to the BerryDunn employee benefit consulting team today.

1From Fidelity’s Plan Sponsor Webstation: Consequences of breach of fiduciary duties 

Article
Fiduciary risk: Five ways to control and reduce it

Read this if you are an employer that gives employee gifts.

The holiday season is officially in full swing! Unlike Ebenezer Scrooge, many employers are looking for ways to recognize the dedication and hard work of their employees. This gratitude often comes in the form of a holiday gift of some fashion. While this generosity is well-intended, gifts to employees can be fraught with potential tax consequences organizations should be aware of. This article will attempt to demystify the rules surrounding employee gifts to ensure organizations and their employees have a joyous holiday season.

Holiday gifts: Taxable or not?

So, are holiday gifts to employees taxable? The answer, as is so often the case with tax questions, is it depends. The IRS is very clear that cash and cash equivalents (specifically including gift cards) are always included as taxable income when they are provided by the employer, regardless of amount, with no exceptions. This means that if you plan to give your employees cash or a gift card this year, the value must be included in the employees’ wages and is subject to all payroll taxes. Bah humbug indeed!

Nontaxable gift options

There are however, a few ways to make nontaxable gifts to employees. In each instance the gift must be noncash (nor convertible to cash). IRS Publication 15 offers a variety of examples of de minimis (minimal) benefits, defined as any property or service you provide to an employee that has a minimal value, making the accounting for it unreasonable and administratively impracticable. Examples include holiday or birthday gifts with a low market value (a card and flowers, fruit baskets, a box of chocolates, etc.), or occasional tickets for theater or sporting events, among others. Again, cash and cash equivalents never qualify. The key is that the gift must be occasional or unusual in its frequency and must not be a form of disguised compensation. While de minimis benefits can be a gray area, the IRS has generally deemed items with a value exceeding $100 as too large to qualify as de minimis.

Holiday gifts can also be nontaxable if they are in the form of a gift coupon, if given for a specific item (with no redeemable cash value). A common example would be issuing a coupon to your employee for a free ham or turkey redeemable at the local grocery store. Nontaxable employee gifts can also come in the form of achievement awards, either for length of service or for safety achievements. The proverbial gold watch upon retirement is a classic example of such a gift. Here too, the award must always be tangible personal property—never cash or a cash equivalent. There are additional rules and value thresholds on any such gift. Please contact a member of your tax team to discuss these specific details further.

Whether employers are considering supplying gift cards, turkeys, or something in between, we hope all find this guidance helpful and still in the giving spirit! Coincidentally, at the end of A Christmas Carol, Ebenezer himself gives Bob Cratchit a turkey on Christmas day. Of course Mr. Scrooge would be aware of the potential tax consequences! We wish you all a very happy and healthy holiday season!

Not-for-profit resources

If you are a not-for-profit organization receiving charitable gifts, read Donor Acknowledgements: We have to file what?

Article
What employers need to know before making gifts to employees

Read this if you are a Chief Financial Officer, Chief Compliance Officer, FINOP, or charged with governance of a broker-dealer.

The results of the Public Company Accounting Oversight Board’s (PCAOB) 2020 inspections are included in its 2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers. There were 65 audit firms inspected in 2020 by the PCAOB and, although deficiencies declined 11% from 2019, 51 firms still had deficiencies. This high level of deficiencies, as well as the nature of the deficiencies, provides insight into audit quality for broker-dealer stakeholders. Those charged with governance should be having conversations with their auditor to see how they are addressing these commonly found deficiencies and asking if the PCAOB identified any deficiencies in the auditor’s most recent examination. 

If there were deficiencies identified, what actions have been taken to eliminate these deficiencies going forward? Although the annual report on the Interim Inspection Program acts as an auditor report card, the results may have implications for the broker-dealer, as gaps in audit quality may mean internal control weaknesses or misstatements go undetected.

Attestation Standard (AT) No. 1 examination engagements test compliance with the financial responsibility rules and the internal controls surrounding compliance with the financial responsibility rules. The PCAOB examined 21 of these engagements and found 14 of them to have deficiencies. The PCAOB continued to find high deficiency rates in testing internal control over compliance (ICOC). They specifically found that many audit firms did not obtain sufficient, appropriate evidence about the operating effectiveness of controls important to the auditor’s conclusions regarding the effectiveness of ICOC. This insufficiency was widespread in all four areas of the financial responsibility rules: the Reserve Requirement rule, possession or control requirements of the Customer Protection Rule, Account Statement Rule, and the Quarterly Security Counts Rule.

The PCAOB also identified a firm that included a statement in its examination report that referred to an assertion by the broker-dealer that its ICOC was effective as of its fiscal year-end; however, the broker-dealer did not include that required assertion in its compliance report.

AT No. 2 review engagements test compliance with the broker-dealer’s exemption provisions. The PCAOB examined 83 AT No. 2 engagements and found 19 of them to have deficiencies. The most significant deficiencies were that audit firms:

  • Did not make required inquiries, including inquiries about controls in place to maintain compliance with the exemption provisions, and those involving the nature, frequency, and results of related monitoring activities.
  • Similar to AT No. 1 engagements, included a statement in their review reports that referred to an assertion by the broker-dealer that it met the identified exemption provisions throughout the most recent fiscal year without exception; however, the broker-dealers did not include that required assertion in their exemption reports.

The majority of the deficiencies found were in the audits of the financial statements. The PCAOB did not examine every aspect of the financial statement audit, but focused on key areas. These areas were: revenue, evaluating audit results, identifying and assessing risks of material misstatement, related party relationships and transactions, receivables and payables, consideration of an entity’s ability to continue as a going concern, consideration of materiality in planning and performing an audit, leases, and fair value measurements. Of these areas, revenue and evaluating audit results had the most deficiencies, with 45 and 27 deficiencies, or 47% and 26% of engagements examined, respectively.

Auditing standards indicate there is a rebuttable presumption that improper revenue recognition is a fraud risk. In the PCAOB’s examinations, most audit firms either identified a fraud risk related to revenue or did not rebut the presumption of revenue recognition as a fraud risk. These firms should have addressed the risk of material misstatement through appropriate substantive procedures that included tests of details. The PCAOB noted there were instances of firms that did not perform any procedures for one or more significant revenue accounts, or did not perform procedures to address the assessed risks of material misstatement for one or more relevant assertions for revenue. The PCAOB also identified deficiencies related to revenue in audit firms’ sampling methodologies and substantive analytical procedures. Other deficiencies of note, that were not revenue related, included:

  • Incomplete qualitative and quantitative disclosure information, specifically in regards to revenue from contracts with customers and leases.
  • Missing required elements from the auditor’s report.
  • Missing auditor communications:
    • Not inquiring of the audit committee (or equivalent body) about whether it was aware of matters relevant to the audit.
    • Not communicating the audit strategy and results of the audit to the audit committee (or equivalent body).
  • Engagement quality reviews were not performed for some audit and attestation engagements.
  • Audit firms assisted in the preparation of broker-dealer financial statements and supplemental information.

Although there have been improvements in the amounts of deficiencies found in the PCAOB’s examinations, the 2020 annual report shows that there is still work to be done by audit firms. Just like auditors should be inquiring of broker-dealer clients about the results of their most recent FINRA examination, broker-dealers should be inquiring of auditors about the results of their most recent PCAOB examination. Doing so will help broker-dealers identify where their auditor may reside on the audit quality spectrum. If you have any questions, please don’t hesitate to reach out to our broker-dealer services team.

Article
2020 Annual Report on the Interim Inspection Program Related to Audits of Brokers and Dealers

Read this if you are working on ESG initiatives at your organization.

Whether you are a director or an executive well into the journey of developing and communicating your company’s strategic sustainability plans or in early stages, the rising public demand for environmental, social, and governance (ESG) reporting is becoming a force that cannot be ignored by boards and management teams.

ESG overview: reminders and FAQs

What does ESG information comprise? The term “ESG” reporting, used broadly, covers qualitative discussions of topics and quantitative metrics used to measure a company’s performance against ESG risks, opportunities, and related strategies. ESG, sustainability, and corporate social responsibility are terms often used interchangeably to describe nonfinancial reporting being shared publicly by companies. Such information is not currently subject to a singular authoritative set of standards.

What are examples of ESG and sustainability information? The following do not represent all-inclusive lists and, while some ESG information may be measured quantitatively, there are often many means to calculate metrics or information that may be difficult to quantify and therefore may be expressed qualitatively and described as such: 

As corporate ESG activities increase in relevance and importance to stakeholders, companies are seeking to both understand the complex landscape of ESG disclosure and reporting and determine the best path forward. This includes identifying, collecting, sharing, and improving upon qualitative and quantitative metrics reflecting long-term, strategic ESG value creation.

Organizations are in various stages of readiness to report on such decision-useful information. Currently, a myriad of reporting frameworks and wide variations in how companies choose to publicly share ESG information exist, making the ESG landscape complex to navigate. However, two things are certain:

  1. The pressure for companies to publicly disclose their approach to sustainability and ESG reporting continues to mount from a broad variety of stakeholders, and 
  2. ESG is rapidly rising to the forefront of boardroom agendas.

We have prepared the following to provide useful reminders, FAQs, and insights for those charged with governance as they consider the rapidly changing current ESG reporting landscape and evolving regulatory developments.

Is there a single authoritative set of ESG reporting standards? 

There are currently several frameworks and standards in use globally by companies to report on ESG, many of which may be complementary and used in combination for external reporting. Some of the more commonly used frameworks are: Sustainability Accounting Standards Board (SASB); Global Reporting Initiative (GRI); Task Force on Climate-Related Financial Disclosures (TCFD); International Integrated Reporting Council (IIRC); and Climate Disclosures Standards Board (CDSB). While many of these may already be complementary to each other, there is also growing support for a singular, global set of reporting standards for ESG, though the timing to achieve the necessary convergence remains uncertain.

Are U.S. companies required to disclose ESG information? 

Outside of certain industry regulators, such as required reporting by the Environmental Protection Agency on greenhouse gas emissions, implementation by U.S. companies remains voluntary. However, pressure from institutional investors—BlackRock, State Street and Vanguard—is mounting in support of companies providing ESG disclosures that align with both the SASB and TCFD frameworks. Additionally, sustainability risk issues are increasingly integrated into organizational risk frameworks such as COSO’s Enterprise Risk Management (ERM) framework.

Companies must also assess whether other ESG information, such as climate risk disclosures, are required under current MD&A disclosure rules. For example, if the risk represents a known trend or uncertainty the company reasonably expects will have a material impact on the company’s results of operations or capital resources, additional disclosure would be required.

What companies are reporting, and what information are they reporting? 

ESG disclosures vary significantly depending on the nature of the business, geography, industry, and stakeholder base, as well as available resources to devote to ESG. The largest global public companies have led the way in external ESG reporting and engagement, but this reporting is rapidly expanding to encompass smaller public entities and private entities. Companies of all sizes are both feeling the pressure to produce ESG reporting and identifying it as a means to differentiate themselves in the market by proactively conveying their corporate stories and strategies.

As noted in a recent White & Case study of proxy statements and filed 10-Ks for the top 50 companies by revenue in the Fortune 100, the following ESG categories showed the most significant increase in disclosures from the prior year:

  • Human capital management (HCM)
  • Environmental
  • Corporate culture
  • Ethical business practices
  • Board oversight of environment & social (E&S) issues
  • Social impact/community
  • E&S issues in shareholder engagement

The study noted that a majority of E&S disclosures in the SEC filings were qualitative and did not provide quantitative metrics. However, disclosures pertaining to environmental, HCM, and E&S goals, along with social impact and community relations were more likely to contain quantitative metrics.

Where do companies report ESG information? The most common places companies are providing public ESG disclosures include:

  • Standalone reports including corporate social responsibility (CSR)/sustainability reports
  • Company websites and marketing materials
  • MD&A sections of annual and quarterly reports
  • Earnings calls
  • Proxy statements and 8-Ks

Evolving auditor ESG attestation

Many of the metrics and qualitative disclosures around ESG information are not “governed” by an established framework such as generally accepted accounting principles (GAAP), and thus, may not be subject to the same rigor of processes and controls over such processes to ensure the integrity and accuracy of the underlying data and the appropriateness of the decisions and judgments being made by management in reporting on such information. For example, the fear of corporate “green or impact washing”—the incentive to make stakeholders believe that a company is doing more to promote ESG activities, particularly environmental protections, than it actually is—has left many stakeholders questioning the reliability, consistency, and accuracy of company ESG reporting. As ESG reporting continues to evolve and become a significant consideration for boards, investors, employees, suppliers, lenders, regulators, and others in making business decisions, there is a growing focus on the value of assurance on such information provided by independent third parties.

Type of attestation services to be provided

Determining the scope and level of assurance to be provided will vary based on company objectives in presenting ESG information, management’s readiness, and intended users and uses of ESG information. Attest services may include:

  • Examination: Consists of an examination performed by an auditor resulting in an independent opinion indicating whether the ESG information is in accordance with the agreed upon criteria, in all material respects. An examination engagement is the closest equivalent to the reasonable assurance obtained in an audit of financial statements.
  • Review: Consists of limited procedures, performed by an auditor, that result in limited assurance. The objective of a review engagement is for the auditor to express a conclusion about whether any material modifications should be made to the ESG information in order for it to be in accordance with the agreed upon criteria. Review engagements are substantially less in scope than examination engagements.


The ESG journey: first steps for boards just beginning the ESG reporting journey

The AICPA and Center for Audit Quality (CAQ) have issued a roadmap for audit practitioners laying out initial steps for those organizations and their boards who are in the beginning phases of the ESG reporting journey:

  • Conduct a materiality or risk assessment to determine which ESG topics are prioritized as important or “material” to the organization, its investors and other stakeholders
  • Implement appropriate board oversight of material ESG matters
  • Integrate/align material ESG topics into the ERM process
  • Integrate ESG matters into the overall company strategy
  • Implement effective internal control over ESG data collection, processing, and reporting


For boards considering an attestation engagement

The CAQ has further prepared the following questions boards may consider for companies that have already started reporting on ESG and may be considering an attestation engagement:

  • What is the purpose and objective of the attestation engagement on ESG information?
  • Who are the intended users of the ESG information and related attestation report?
  • Why do the intended users want or need an attestation report on the ESG information?
  • What are the potential risks associated with a misstatement or omission in the ESG information?
  • Does the company have a clear understanding what ESG information the intended users want or need to be in the scope of the attestation engagement?
  • What level of attestation service (examination or review engagement) will help the company achieve its objective?

Additional questions for board members to consider regarding their company’s preparedness for reporting include:

  • Does management have well established controls, policies, and procedures for the collection of and disclosure of ESG information? Are there gaps to be addressed?
  • Has the board, along with management, set specific objectives and goals for external reporting of ESG information?
  • Is the information disclosed by the company consistent across its various communication channels?
  • Are the ESG responsibilities at the board level clearly defined among appropriate committees and are those responsibilities directly linked to corporate strategic ESG goals and external reporting needs?
  • Have the right advisors been identified to assist in preparing for reporting and/or to attest to the quality of reporting?

Next steps

We encourage management, audit committees, and other board members to continue to educate themselves on the evolving landscape of ESG and carefully consider the needs of various stakeholders broadly when mapping out their ESG reporting needs. Particular attention should be paid to regulatory developments in this area.

Article
ESG reporting: Considerations for boards and those charged with governance

Read this if you are a plan sponsor of employee benefit plans.

This article is the eleventh in a series to help employee benefit plan fiduciaries better understand their responsibilities and manage the risks of non-compliance with Employee Retirement Income Security Act (ERISA) requirements. You can read the previous articles here.

Most employee benefit plans have outsourced a significant portion of the internal controls to a service organization, such as a third-party administrator. The plan administrator has a fiduciary responsibility to monitor the internal controls of the service organization and to determine if the outsourced controls are suitably designed and effective.

SOC 1 reports: Internal controls and financial reporting

Generally, the most efficient way to obtain an understanding of the outsourced controls is to obtain a report on controls issued by the service organization’s auditor. Commonly referred to as a System and Organization Controls (SOC) report, the SOC report should be based on the American Institute of Certified Public Accountants’ (AICPA) attestation standards and should cover internal controls relevant to financial reporting, also known as a SOC 1 report (the “1” indicating it covers internal controls over financial reporting).

Plan sponsors should perform a documented review of the SOC 1 report for each of the plan’s significant service organizations. The documented review should include the plan sponsor’s assessment of the complementary user entity controls outlined in the SOC 1 report. The complementary user entity controls are internal control activities that should be in place at the plan sponsor to provide reasonable assurance that the controls tested at the service organization are operating effectively at your plan. If a service organization’s internal controls are operating effectively, but complementary user entity controls are not in place at your organization, the effectiveness of the service organization’s internal controls may not transfer to your plan’s operations.

Creditability and CPA firms: Considerations

Creditability of the CPA firm completing the SOC 1 report examination may impact the reliability of the CPA firm’s opinion and thus your reliability on the service organization’s internal controls. Unfamiliarity with the service auditor’s qualifications may be mitigated through additional research. Items to consider are: 

  • The firm’s expertise in SOC 1 reporting
    • Are they familiar with the service organization’s industry?
    • How many professionals do they have that perform SOC 1 examination services?
  • The evaluation of AICPA peer reviews 
    Audit firms are required to have a periodic peer review conducted. The results of the peer review are public knowledge and can be found on the AICPA’s website.
    • Did the service auditor receive a “pass” rating during their most recent peer review?
    • Did the peer review cover SOC 1 examination services?
  • Evaluation of the service organization’s due diligence procedures surrounding the selection of an auditor

Some of this information may be readily available via the service auditor’s website, while other information may need to be gathered through direct communication with the service organization. A qualified service auditor should be able to provide a SOC 1 report that contains sufficient detail, relevant transactional activity, relevant control objectives, and a timely reporting period.

SOC 1 reports may contain an unqualified, qualified, adverse, or disclaimer of opinion. The report determines if the controls in place are adequate for complete and accurate financial reporting. Report qualifications may affect the risk of relying on the service organization and may result in the need for additional procedures or safeguards to help ensure the plan’s financial statements are presented fairly. Even if the SOC 1 report received an unqualified opinion, you should review the controls tested by the service auditor and the results of such testing for any exceptions. Exceptions, even if they don’t result in a qualified opinion, may have an impact on the plan’s control environment. 

You should also review the scope of the audit to check that all significant transaction cycles, processes, and IT applications were properly assessed for their impact on the plan’s financial statements. Areas outside the scope of the SOC 1 report may require additional consideration, including the possibility of obtaining more than one SOC 1 report for subservice organizations whose functions were carved out from the service organization’s SOC 1 report.

Subservice organizations

Subservice organizations are frequently utilized to process certain transactions or perform certain functions at the service organization. Management of the service organization may identify certain transaction cycles and processes that are performed by a subservice organization and choose to exclude relevant control objectives and related controls from the SOC 1 report description and the scope of the auditor’s engagement. In such cases, multiple SOC 1 reports may need to be acquired to gain adequate coverage of all controls and objectives relevant to your plan. 

Furthermore, you need to consider the time period the SOC 1 report covers. Coverage should be obtained for your plan’s full fiscal year. For SOC 1 reports that lack coverage of your plan’s full fiscal year, a bridge letter should be obtained to help ensure that no significant changes in controls occurred between the SOC 1 report examination period and the end of your plan’s fiscal year.

Although plans commonly outsource a significant portion of their day-to-day operations to service organizations, plan fiduciaries cannot outsource their responsibilities surrounding the maintenance of a sound control environment. SOC 1 reports are a great resource to assess the control environments of service organizations. However, such reports can be lengthy and daunting to review. We hope this article provides some best practices in reviewing SOC 1 reports. If you have any questions, or would like to receive a copy of our SOC 1 report review template, please don’t hesitate to reach out to our Employee Benefits Audit team.

Article
Service organizations and review of SOC 1 reports: Considerations and recommendations

Read this if you are a Chief Financial Officer at a financial institution. 

The mechanics of interest rate swaps

Interest rate swaps, a form of derivative, are a tool financial institutions can use to manage interest rate risk. In this form of derivative, as an example, the financial institution may hedge the interest rate risk on a pool of fixed rate loans by executing a derivative contract with a counterparty. The derivative contract indicates the financial institution will pay a fixed rate to the counterparty, while the counterparty will pay the financial institution a variable rate. These payments are typically made on a net settlement basis. Thus, the financial institution has effectively turned its fixed rate lending into variable rate lending.

This example is considered a hedge – since the financial institution is mitigating its interest rate risk, as opposed to a speculative transaction – where the financial institution assumes risk with the hope of commensurate reward.

1Original promissory notes
2Derivative contract between financial institution and counterparty

This type of transaction allows the financial institution to separate credit risk from interest rate risk. Borrowers often prefer fixed rate financing, since future cash flows are known. However, a financial institution may avoid lending to creditworthy borrowers that expose the financial institution to excessive interest rate risk. An interest rate swap may allow the financial institution to provide financing to the borrower without having to sell the loan to mitigate interest rate risk.

The accounting for interest rate swaps via hedge accounting

Derivatives are recorded at fair value with changes in fair value generally reported in earnings. Hedge accounting is optional and may help prevent earnings volatility due to changes in the fair value of the derivative. Hedge accounting varies depending on the type of hedge. In the case of an interest rate swap, the hedge may be a cash flow hedge or a fair value hedge. A cash flow hedge is one where the financial institution looks to mitigate risk from variable exposures (such as a swap that effectively hedges LIBOR-based trust preferred securities to a fixed rate). Conversely, a fair value hedge looks to mitigate risk from fixed exposures. A fair value hedge is a hedge of the exposure to changes in the fair value of a recognized asset or liability or an unrecognized firm commitment. 

The example above describes a fair value hedge, since the financial institution is mitigating its exposure to the change in fair value of the fixed rate loans (due to changes in market interest rates) by, in substance, converting its fixed position into a variable position. For fair value hedges, the derivative is recorded at fair value with any changes in fair value recorded through earnings. The hedged item is also adjusted to its fair value through earnings. Thus, to the extent changes in the fair value of the hedging instrument and hedged item offset one another, there is no net impact on earnings.

Cash flow hedges

For cash flow hedges, the derivative is also recorded at fair value; however, the effective portion of changes in fair value of the derivative (i.e., the portion that offsets changes in expected cash flows of the hedged item) is recorded in other comprehensive income (OCI) rather than earnings. These changes are then reclassified into earnings when the hedged item affects earnings. A hedge is considered effective if the changes in the cash flow or fair value of the hedged item and the hedging instrument offset each other. Historically, the ineffective portion of the hedge is immediately recorded through earnings. However, Accounting Standards Update (ASU) 2017-12: Derivatives and Hedging (Topic 815), which we discuss below, simplifies this rule by enabling all changes in fair value of the derivative, not just the effective portion, to be recorded in OCI. For a cash flow hedge, there is no effect on the accounting for the hedged item. 

Measuring the effectiveness of a hedge relationship can prove to be complicated, and may in some cases require statistical methods, such as regression analysis. However, for interest rate swaps only, generally accepted accounting principles (GAAP) provides a “shortcut” method. If all of the applicable conditions in paragraph 810-20-25-104 of the Financial Accounting Standards Board’s (FASB) Accounting Standards Codification (the “official” source of GAAP) are met, an entity may assume perfect effectiveness in a hedging relationship of interest rate risk involving a recognized interest-bearing asset or liability and an interest rate swap. Examples of some of the conditions are: 

  • The notional amount of the interest rate swap must match the principal amount of the interest-bearing asset or liability being hedged; and 
  • For fair value hedges only, the expiration date of the interest rate swap must match the maturity date of the interest-bearing asset or liability or, as amended by ASU 2017-12, the assumed maturity date if the hedged item is measured in accordance with paragraph 815-25-35-13B. Paragraph 815-25-35-13B indicates an entity may measure the change in the fair value of the hedged item attributable to interest rate risk using an assumed term that begins when the first hedged cash flow begins to accrue and ends when the last hedged cash flow is due and payable.

Although use of this approach may be considered a shortcut compared to traditional hedge effectiveness assessments, it can still be difficult to qualify for the shortcut method given the number of conditions that need to be met. The shortcut method is also very rigid – the specified conditions must be met exactly.

ASU 2017-12

In 2017, FASB issued ASU 2017-12 to improve the financial reporting of hedging relationships to better portray the economic results of an entity’s risk management activities in its financial statements. For non-public business entities, ASU 2019-10 delayed the effective date of ASU 2017-12 to fiscal years beginning after December 15, 2020, and interim periods within fiscal years beginning after December 15, 2021. For public business entities, the ASU is already in effect.

ASU 2017-12 makes several changes, which the FASB refers to as “targeted improvements”, to the accounting requirements for hedging activities. Two of these changes, which will likely be beneficial to many financial institutions, are partial-term hedging and use of the “last-of-layer” method. 

With the adoption of ASU 2017-12, institutions can measure the hedged item in a partial-term fair value hedge of interest rate risk (e.g., a swap whose term is shorter than that of the loan pool it hedges) by assuming the hedged item has a term that reflects only the designated cash flows being hedged (i.e., that only considers the portion of the term of the loans that corresponds with the term of the swap). Prior to ASU 2017-12, GAAP did not allow this methodology when calculating the change in the fair value of the hedged item attributable to interest rate risk. Thus, institutions would often experience a difference between changes in the fair value of the hedging instrument and the hedged item due to the difference in maturities, resulting in hedge ineffectiveness that was recognized in earnings. Under ASU 2017-12, as long as the termination date of the hedging instrument is on or prior to the maturity date of the hedged item (in this case the loans), partial-term hedging may be used for changes in fair value of the loans during the term of the swap.

Prior to ASU 2017-12, GAAP indicated that hedge accounting should generally be applied to specifically identified assets or liabilities or portions thereof. Therefore, prepayment risk at the individual asset or liability level must be considered. The result can be frequent dedesignation and redesignation of hedges since many hedging instruments do not allow for prepayment. The last-of-layer method introduced by ASU 2017-12 allows the entity to designate a portion of the principal balance of a loan pool that is not expected to be affected by prepayments, defaults, or other events affecting the timing and amount of cash flows, without necessarily identifying which loans (or portions thereof) in the pool are expected to remain outstanding during the term of the hedging instrument. Under this designation, prepayment risk is not incorporated into the measurement of the hedged item. So, similar to the partial-term fair value hedge provisions, the last-of-layer method provides added flexibility in matching terms between the hedging instrument and the hedged item.

In May 2021, FASB issued proposed ASU 2021-002, which would provide clarifying and additional guidance on the application of ASU 2017-12. Amongst other things, the proposed ASU would expand the last-of-layer method to allow multiple-layer hedges. As a result, the term “last-of-layer method” would be renamed “the portfolio layer method.” The portfolio layer method would allow the financial institution to establish tranches, or multiple layers, within its hedged loan pool based on, for example, contractual maturity dates. These various layers could then be paired with different hedging arrangements. Multiple layers also provide added flexibility in the event the financial institution needs to dedesignate a portion of the hedging relationship, which would be required if circumstances change such that the hedge is no longer highly effective.

Lastly, ASU 2017-12 also makes changes to the presentation of changes in fair value in the financial statements. Under ASU 2017-12, for fair value hedges, changes in fair value of the hedging instrument should be presented in the same income statement line that is used to present the earnings effect of the hedged item. (Previous GAAP did not specify a required presentation of the change in fair value of the hedging instrument.) For cash flow hedges, the ineffective portion of such hedges is no longer presented separately from the effective portion. Rather, the entire change in fair value of the hedging instrument is presented in other comprehensive income. These amounts are then reclassified to earnings in the same income statement line item that is used to present the earnings effect of the hedged item when the hedged item affects earnings. According to FASB, these changes are thought to make it easier for the user of the financial statements to understand the results and costs of an entity’s hedging program.

ASU 2017-12 appears to make hedging activities, and the resulting accounting, much more flexible while also reducing the complexity of reporting such transactions. While we have only provided a snapshot of what we believe to be some of the most relevant provisions of the ASU for financial institutions, we encourage you to read the ASU in its entirety to see if there are other provisions that may prove to be useful or applicable to your institution. Likewise, with adoption fast approaching, we encourage you to reach out to your auditors to start the discussion as to how this ASU may impact and/or provide additional opportunity for your financial institution.

For more information on ASU 2017-12, including a deeper dive on the proposed portfolio layer method, check out a recent webcast hosted by our colleagues at Stifel.


 

Article
ASU 2017-12 provides added flexibility to hedge accounting