What is government fraud, waste, and abuse?

Read this if you are at a financial institution.

While documentation of your CECL implementation and ongoing practices is essential to a successful outcome, it can sometimes feel like a very tall order when you are building a new methodology from the ground up. It may help to think of your CECL documentation as your methodology blueprint. While others will want to see it, you really need it to ensure that what you are building is well-designed, structurally sound, appropriately supported, and will hold up to subsequent “renovations” (model changes or tweaks). To help you focus on what’s essential, consider these documentation tips:

Getting started

Like any good architect, you need to understand the expectations for your design—what auditors and regulators want to see in your documentation. Two resources that can really help are the AICPA Practice Aid: Allowance for credit losses-audit considerations¹, and the Interagency Supervisory Guidance on Model Risk Management². One way to actively use these guides is to take note of the various section/subject headers and the key points, ideas, and questions highlighted within each, and turn that into your documentation checklist. You’ll also want to think strategically about where to keep the working document, who needs access to it, and how to maintain version control. It is also a good idea to decide up-front how you will reference, catalog, and store the materials (e.g., data files, test results, analyses, committee minutes, presentations, approvals, etc.) that helped you make and capture final decisions. You can download our CECL Documentation checklist now.   

What to watch out for

What’s new under CECL are areas requiring documentation (e.g., broader scope of “financial assets,” prepayments, forecasts, reversion, etc.). But watch out for elements that seem familiar—they may now have a new twist (e.g., segmentation, external data, Q factors, etc.). It’s a good idea to challenge any documentation from the past that you feel could be re-purposed or “rolled into” your CECL documentation. Be prepared also to spend time explaining or customizing vendor-provided documents (e.g., model design and development, data analysis memos, software procedures, etc.). 

While this material can give you a running start, they will not on their own satisfy auditor and regulator expectations. Ultimately, your documentation will need to reflect your own understanding and conclusions: how you considered, challenged, and got comfortable with the vendor’s work; what validations and testing you did over that work, and how you’ve translated this into policies and procedures appropriate for your institution’s operations, workflows, governance, and controls. For more information on making the vendor decision, and for suggestions of vendor selection criteria, read our previous article “CECL Readiness: Vendor or no vendor?” 

Point of view

It is human nature, especially whenever entering new territory, to want to know how others are approaching the task at hand. Related to CECL, networking, joining peer discussion groups, researching what and how those who have already adopted CECL are disclosing, are all great ways to see possibilities, learn, and gain perspective. When it comes to CECL documentation, however, the most important point of view to communicate is that of your institution’s management. Consider the difference in these two documentation approaches: (a) we looked at what others are doing, this is what most of them seem to be doing, so we are too; or (b) this is what we did and why we feel this decision is the best for our portfolio/risk profile; as part of our decision-making process, we did this type of benchmarking and discovered this. Example b is stronger documentation: your point of view is the primary focus, making it clear you reached your own conclusions. 

Other elements for CECL documentation

Documenting your CECL implementation, methodology, and model details is critical, but not the only documentation expected as you transition to CECL. It has been said that CECL is a much more enterprise-wide methodology, meaning that some of the model decisions or inputs may require you use data and assumptions traditionally controlled in other departments and for other purposes. One common example of this is prepayments. Up to this point, prepayment data may have been something between management and a vendor and used for management discussion and planning, but not necessarily validated, tested, or controlled for in the same way as your loss model calculations. Under CECL, this changes specifically because it is now an input into the loss estimate that lands in your financial statements. As a result, prepayments would be subject to, for example, “accuracy and completeness” considerations, among others (for more information on these expectations, refer to our earlier articles on data and segmentation). Prepayments is just one example, but does illustrate how CECL adoption will likely trigger updates to policies, procedures, governance, and controls across multiple areas of the organization.    

One final note: There are some new financial statement disclosures required with CECL adoption. Beyond those, there may be other CECL-related information either you want to share, or your audit/tax firm recommends be disclosed. Consulting with your auditor at least a quarter prior to adoption will help make sure you aren’t scrambling last minute to draft new language or tables.  

Struggling with CECL documentation or other elements of CECL? 

No matter what stage of CECL readiness you are in, we can help you navigate the requirements as efficiently and effectively as possible. For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

For more tips on documenting your CECL adoption, stay tuned for our next article in the series. You can also follow Susan Weber on LinkedIn.

¹You can find the AICPA Practice Aid here.
²The interagency guidance was released as OCC Bulletin 2011-12, FRB SR 11-7, and as FDIC FIL 22-2017
 

Read this if you are at a financial institution.

This article is part of our series on CECL implementation. You can read previous articles in the CECL series here. 

Segments, sub-segments, pools, cohorts—by whatever name you call it, grouping loans (and other financial instruments) for CECL¹ is kind of a big deal. Like choosing an inner circle of friends, creating effective loan pools can have a lot of influence over your CECL experience, from methodology decisions to your allowance estimates. As a CECL adopter, you are expected to evaluate, support, and document segmentation choices (no such requirement for your inner circle of friends!), even if you plan to use the same segmentation in place today. To do so successfully, consider these segmentation ABCD’s:

A: Accuracy and completeness of data

The accuracy and completeness of data used to determine the most appropriate segmentation under CECL covers a lot of ground—everything from what information you considered to be relevant and why, to where the data came from and how it was determined to be valid (aka accurate and complete). CECL requires loans sharing similar risk characteristics² to be pooled together for “collective evaluation”; examples include loans with similar terms and structures, lien position on collateral (e.g. first, or junior lien), or collateral use (e.g. owner-occupied or investment real estate). As a result, “accuracy and completeness” applies not only to the data you rely on to pool loans, but also to what you determined the common risk characteristics to be, why those, what others you identified but ultimately didn’t use, and why. Read our earlier article, CECL Adoption: The five W's of data, for more information on data considerations.

B: Balance between granularity and significance

Striking a balance between how many segments you create and the significance of doing so can be a little like trying to achieve the “just right” goal of Goldilocks. For example, is pooling all your consumer loans together most aligned with your past loss experience, or does the type of collateral also influence your risk of loss? How far is too far (real estate, cars, boats, RV’s, tractors)? At what point does it become difficult to consistently demonstrate or predict meaningful differences in risk of loss for each? Several sections of the standard address this need to balance detail with what is useful³. In this way pools should be small enough that the risk characteristics they share are relevant to estimating inherent risk, but not so small as to be confusing, misleading, or not able to be modeled consistently over time. Being aware of how small a pool is in terms of the number of loans it consistently contains may be one consideration for whether or not the segmentation is too granular. 

C: Controls over the selection of risk characteristics

Your segmentation choices will likely have far-reaching effects on other key decisions in your CECL methodology. Model selection, qualitative adjustments, and even if/what/how external or peer data may apply are examples of what could be impacted by your segmentation selection. As a result, and in addition to the above, your auditors and regulators will want to see evidence the risk characteristics driving your segmentation choices were robustly reviewed, challenged, tested, and documented. Further, they will want to see that you have a similar systematic approach in place, and ongoing, to identify when a loan no longer shares the defined risk characteristics of its segment, resulting in its removal from the pool to be assessed individually.⁴  

D: Documentation tips

Documentation is like exercise—you know you should do it, but sometimes you don’t make it a priority. CECL opens the door for all kinds of documentation expectations, so coming up with a way to do this as you work through implementation can save you a lot of headache later. For segmentation, setting up a simple spreadsheet with the ABC’s to the left and columns to the right to list data, testing, key considerations, decisions, approvers, and even links to supporting evidence (data files, governance memos, etc.) is but one example of how you might keep track of these items as you work. Be sure to include any assumptions you had to make along the way (e.g. how you handled missing information on old or purchased loans), or aggregations (larger-level pools than you might have preferred) you accepted and why.

Finally, while you may be checking out what segmentation others in the industry are using—which will vary as it does today—what you’ll want to document most is why the choices you made are right for your institution.

For more tips on documenting your CECL adoption, stay tuned for our next article in the series on documentation. You can also follow Susan Weber on LinkedIn.

No matter what stage of CECL readiness you are in, our Financial Institutions team is here to help you navigate the requirements as efficiently and effectively as possible. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

¹Current Expected Credit Loss (CECL) methodology as provided for in the Financial Accounting Standards Board (FASB) Accounting Standards Update (ASU) Financial Instruments-Credit Losses Topic 326, commonly referred to as FASB ASU 326. A copy of the standard is available for download from the FASB website.
²Refer to FASB ASU 326-20-55-5
³Examples include FASB ASU 326-20-50-3, 326-20-55-10, and 326-20-55-11 (for financing receivables)
⁴Refer to FASB ASU 326-20-30-2

Read this if you are at a financial institution.

Data. Statistics. Analysis. Modeling. Whatever happened to good old-fashioned experience? When it comes to CECL (current expected credit loss), it’s going to take a combination of both—data and experience—to help you design an effective methodology. While “experience” sounds like a fun day of reminiscing, getting the “data” side can feel like a never-ending journey in the fog. If, in your CECL readiness journey data has you feeling a little lost, let the five W’s of data be your guide.

What data: Knowing what data you need is like having a map for the journey ahead. Understanding how CECL is different—in scope, requirements, definitions, and techniques—is the first step. One approach is to make a list of the differences. To the right of the list (or insert a column to your spreadsheet), add what data you will need to fulfill this part of the standard. For example, a new requirement for CECL is making adjustments for prepayments (new on-going data need). Some methods may use a prepayment rate which is, itself, a calculation requiring data and assumptions. It’s okay if this initial list is incomplete as capturing what’s new and different is an important start, and one that you can build upon as you go.

Where data: Next, you need to know where to get the data you need (sometimes it’s about even knowing if the data exists). This is where having key people from departments across the organization on the team can be very helpful. Time to add a new column to that spreadsheet: identify the system, department, person, and/or vendor responsible for the data you need. Find out where and how the data is stored. For example, is the data in a core system as a data point already, or is it manually calculated and recorded in a monthly memo going back 15 years? Where the data is located may be a key factor in decisions you will make about allocating resources, changing processes, and ensuring good controls over data.    

When data: The next essential question is, 'when is the data going to be needed and used?' In this regard, data falls into two broad categories: periodic and always. Examples of periodic data include data used to make model selection(s), support segmentation, or data that help you choose among several available techniques. Periodic data may be in the form of analysis and testing. Always data is the kind needed on an on-going basis, most typically to directly support the allowance calculation. Examples of always data are prepayments (from our earlier example), and the codes in the core system that allow you to group loans into their proper segments. Knowing when data will be needed and used will help keep your implementation moving forward.  

Why data: Data is often imperfect; it can be historically incomplete, somewhat dated, messy to compile, and may even be biased. Recognizing this upfront and throughout the process will not only reduce your stress; it will also help you document why certain data may have needed to be adjusted, modified, transformed, or ignored. Being equally inquisitive about why the data is in the shape it’s in may lead you to discover important ways to improve its quality, integrity, and the efficiency and effectiveness of collection and validation processes. Ensuring management has a good understanding of why assumptions or adjustments to data had to be made will help them fulfill their oversight responsibilities, pose credible challenge questions, and build context for understanding results.    

Whose data: Finally, whose data are you using? There are options for considering and using external data in your CECL methodology. When thinking through what this ultimately means to you in this process, it’s helpful to define external data as data provided by outside parties. In our journey analogy, think of these as alternate routes and, like alternate routes, there may be trade-offs to taking them that you’ll need to assess. Probably two of the most recognizable external data examples are economic forecasts and peer data. They may also include any data of yours that a vendor may have transformed and returned to you—a common example of this being prepayments. It is important to understand that from an auditor and regulator perspective, you remain responsible for the integrity and use of this data in your methodology. 

Once you have the five W’s of data locked in, you are well on your way to CECL implementation. No matter what stage of CECL readiness you are in, our Financial Institutions team is here to help you navigate the requirements as efficiently and effectively as possible. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions.

Read this if you are at a financial institution.

Whether you have recently adopted CECL, or will later this year, re-assessing your choices around vendor model software and solutions is critical to help ensure you are getting the most from the service and your calculation. If you share these goals for optimization, then take a few minutes to consider these five key factors to making a CECL model vendor decision:

1. Criteria: Identify and list the specific criteria you and others will need to make the vendor/no vendor decision. If you’re currently working with a vendor—make a list of what you wish were different about the model, the process of completing a calculation, or the support you get from the vendor. Ask key decision-makers to weigh in. Getting this consensus on the criteria up-front helps ensure you focus on what’s most important to you, and how to assess trade-offs to reach a decision quickly.     
2. Time: Create a timeline of what has to happen between now and the CECL adoption date for your organization to be ready and confident in your chosen method(s). If you’re already using a vendor solution, consider building the timeline around the contract notification date if you decide to make a change. Identify the staff and hours required to accomplish the review. Clarifying both the time commitment and time constraints will help you assess if additional support or trade-offs are required. Get tips on creating or revising your CECL implementation timeline here. 
3. Expertise: Define the level of expertise necessary to understand, develop, test, and document the new model(s). This work may involve model design, data flow, mathematical formulas, and the ability to document assumptions and limitations of each. If you’re not sure, ask others to help assess if the organization has the internal expertise necessary to do this work, understanding those resources may work in different departments. 
4. Technology: Determine if you have access to, or enough of, the technology needed for CECL model development and testing. In this context, technology may include systems, programs, analytical software, processing speed, and secure access. Knowing what your current technology capabilities are helps you identify any limitations you may need to address in advance.     
5. Risk: Understand the risks. Take time to think through the risks posed by using – and not using – vendor model software. For example, developing a model in-house may save you the cost of vendor software, but what risk does developing a model in-house pose to the organization in allocating the people resources to do so? Likewise, securing vendor software may reduce the strain on limited internal resources, but what risks to access, process, communication, and control are posed by having to manage the vendor? 

Questions about your CECL implementation?

No matter what stage of CECL readiness you are in, our Financial Institutions team is here to help you navigate the requirements as efficiently and effectively as possible. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions. 

Read this if you are at a financial institution.

Feeling stuck, or maybe even frozen, in your CECL readiness efforts? No matter where you are in the process, here are three things you can do right now to ensure your CECL implementation is on track:

1. Create or re-visit your timeline
   Now that 2023 is here and all remaining CECL adoption dates must be met, it’s important to make every moment count. Consider CECL adoption your Olympic moment and, like every great Olympic athlete, you have interim events—a timeline of major milestones—to ensure you are ready for your institution's “Day 1” and beyond. One strategy to ensure you do not “run out of time” is to start at the end of your timeline and work backward.
   
   Tip: Whether it is your adoption date, or the date by which you need to have your model validated, fix the date of that final must-hit milestone, and work backward. For example, if your adoption date is 10/1/2023, what major milestone has to be achieved before then and how much time will you need for that? Setting milestones from the final date backward will help you fit the remaining major activities into the time you have left—you can’t “run out of time” this way!
   
   
   
2. Assess where you are, tactically, and fill in the gaps
   What would an Olympic athlete be without a training schedule, and coaches, trainers, and other professionals to guide and push them? In order to make the most of each event (or milestone) in the countdown to CECL adoption, let’s fill in our training schedule. What key decisions still need to be made or documented? Who has the authority to approve them? What’s the right time and venue to obtain that approval? Will these be one-to-one, small group, or committee/board meetings? Will meetings be set up as-needed, or is the meeting schedule (e.g. quarterly executive/board) already set? Who are you engaging for model validation and key control review? What is the date of that review work? 
   
   Tip: Add those key approval, review, and validation dates to your timeline, and make sure the meeting time you need with decision-makers is booked in their calendars now. Scheduling this time in advance is a transparent and tangible sign that you’ve charted the course, helps ensure decision-makers are available to you when needed most, and incremental progress is being consistently made toward your ultimate goal. 
3. Identify the top three tasks to complete this week, reserve the time in your calendar, and complete them!
   Like any athlete, you are now “in training”, and daily and weekly actions you take will ensure you reach your goal in as strong a position possible. Whether it’s scheduling those meetings, identifying subject matter experts you can rely upon for coaching, or putting the finishing touches on model documentation and internal control mapping, booking that time with yourself to complete these tasks is key to feeling prepared and ready for CECL adoption. 
   
   Tip: Set aside a few minutes at the end or start of each week to review your timeline/milestones and identify the next key actions to complete.

Would you like assistance with certain aspects of your CECL readiness efforts? Are you ready for some validation/review work, or need guidance on policy, governance, or internal/financial reporting controls?

Contact our Financial Institutions team. We'll help you get your CECL implementation over the finish line. 

Read this if you used COVID-19 relief funds to pay essential workers.

The Coronavirus Aid, Relief, and Economic Security (CARES) and American Rescue Plan (ARPA) Acts allowed states and local governments to use COVID-19 relief funds to provide premium pay to essential workers. Many states took advantage of this opportunity, giving stipends or hourly rate increases to government and other frontline employees who worked during the pandemic, such as healthcare workers, teachers, correctional officers, and police officers.

States’ initial focus was to get the money to the essential workers as quickly as possible, but these decisions may cause them to be out of compliance with the Fair Labor Standards Act (FLSA), which sets standards for minimum wage, overtime pay, and recordkeeping. As a result, states should review how the funds were disbursed and if payroll adjustments are necessary. The amount, form, and recipients of the pay varied widely from state to state, making determining whether states are compliant with FLSA and calculating any discrepancies an immensely complex task. 

For example, states that disbursed one-time payments to essential workers will likely be able to treat those payments like standard one-time bonuses, while recurring stipends or hourly rate increases should be included in employee’s regular rate when calculating overtime pay. Because this is an unprecedented situation for both states and the federal government, clear guidance is not yet available from the Department of Labor. 

Fortunately, BerryDunn is already working with clients to review their use of the COVID-19 relief funds to help ensure essential workers were paid fairly. Our team is qualified to guide you through your unique situation and help you remain in compliance with FLSA guidelines.

If you have questions about your particular circumstances, please call our Compliance and Risk Management consulting team. We are here to help and happy to discuss options to pay for these services using federal funds.

Read this if you work in an alcohol control capacity for state government.

The COVID-19 outbreak has changed the alcoholic beverage industry significantly over the last 14 months. Restrictions forced people to stay at home, limiting their travel to restaurants, bars, and even some stores to purchase their favorite spirits. In at least 32 states, new legislation allowed consumers the option to buy to-go cocktails as a way to help these establishments stay in business. As a result, consumers took advantage of alcohol delivery services. 

There were two large shifts in consumer purchasing for the alcoholic beverage industry in 2020. The first was a shift from on-premise to off-premise purchasing (for example, more takeaway beverages from bars, breweries, and other establishments). The second was the explosion of e-commerce sales for curbside pickup and home delivery. A study by IWSR, an alcoholic beverage market research firm, stated that alcohol e-commerce sales grew 42% in 2020. The head of consumer insights for the online alcoholic beverage delivery service, Drizly, attributes this growth to the “increased consumer awareness of alcohol delivery as a legal option, as well as an overall shift in consumer purchasing behavior toward online ordering and delivery”. 

How state agencies responded

The move to an e-commerce model has impacted state agencies who regulate the distribution and/or sale of alcohol. States such as Oklahoma, Alabama, and Georgia recently passed legislation allowing alcohol delivery to consumers’ homes. In alcoholic beverage control states, where the state controls the sale of alcohol at the wholesale level, curbside pickup programs (New Hampshire) were implemented, while others started online home delivery services (Pennsylvania). 

In a fluid legislative environment, states agencies are working to meet consumer needs in a very competitive marketplace, while fulfilling their regulatory obligation to the health and safety of their constituents.

How alcoholic beverage control states can adapt

Now is an opportune time for control state agencies to keep pace with consumer demand for more flexible purchasing options, such as buying online with home delivery, or some form of curbside and/or in-store pickup programs. Every one of the 17 alcoholic beverage control states has passed legislation to allow the delivery of either beer, wine, and/or distilled spirits in some form, with some limitations.

While for some the COVID-19 outbreak has necessitated these more distant shopping experiences, the option of these sales channels has brought consumers flexibility they will expect going forward. This calls for control state agencies to act on this changing consumer demand. By prioritizing investing in and taking ownership of new sales channels, such as e-commerce and curbside pickup, control state agencies’ technology and logistics teams can develop strategies and tools to effectively adapt to this new demand. 

Adapting technology and logistics

Through technology, control state agencies can take advantage of e-commerce and curbside pickup sales channels, to drive more revenue. We recommend control states consider the following: 

Define the current capabilities to support an online sales strategy

An important first step is to define how to address constituents’ evolving needs as compared to the current e-commerce capabilities control state agencies can support. Considerations include:

• Are current staff capable of developing and supporting new website capabilities to meet the increased demand on the website?  
• How will the current customer support team(s) expand to support concerns from the new channels?
• How will new e-commerce order volume be fulfilled for home delivery (including order errors, breakage, returns, etc.)?   

Control state agencies should complete current and future state assessments in each area above to confirm what capabilities they have today and which they would like to have in the future; which will allow for an accurate gap analysis and comparison to their future state needs. Once the current state assessment, future state strategy, and gap analysis are complete, control state agencies can define the projects required to support the future state requirements. 

Reevaluate existing fulfillment, inventory, and distribution processes

Each control state has existing product fulfillment, inventory and distribution processes, and information technology (IT) tools for delivering alcohol, to their own or licensed retail stores and businesses. These current processes and IT systems should be assessed as part of the current state capabilities assessment mentioned above, to help define the level of change needed to support the control state agency’s future needs in the e-commerce channel. Key assessment questions control state agencies should ask themselves include: 

• Can the current IT systems (e.g., inventory management, customer relationship management [CRM], customer support/call center, financial, point of sale [POS], and website infrastructure) support required upgrades?
• Can retail teams and today’s infrastructure support order taking, inventory, fulfillment, and buy online pickup in store programs?
• How will warehouse and retail stores track and manage the e-commerce shipments and returns related to this channel?
• If home delivery is part of the strategy, define how the delivery logistics will be met through state or vendor resources.
• What staffing model and skill sets will support future business needs?
• What is the total cost of ownership for these new e-commerce capabilities so that the short and long-term costs and profits can be accurately estimated? 

The answers to these questions will help to inform a future e-commerce strategy and accommodate the cost and staff impacts. 

Bring in online retail expertise

It is important to ensure that the control state agency has website and mobile capabilities to support today’s consumer needs. This includes the ability to order a wide range of products online for either home delivery or buy online pickup in store. The design of the website and mobile transactional capabilities is critically important to the success of this channel, the true growth in revenues. Being marketing focused (e.g., allowing consumers to view and order products, save items for later, and see similar products) will help drive traffic and sales on this upgraded channel. 

For control state agencies with a more static product website, consider purchasing a commercial off-the-shelf (COTS) e-commerce product with existing retail-focused website features, or contract with a vendor to build a website that meets more unique needs. The control state agency should bring in at least one online retail subject matter expert vendor to help set the direction, design the upgrades or new site, manage the project(s) needed to implement the online capabilities, and potentially manage the operational support of the website and mobile solution.

BerryDunn provides state alcoholic beverage control boards and commissions with many services along the IT system acquisition lifecycle, including planning, needs assessment, business process analysis, request for proposal (RFP) development, requirements development, technology contract development, and project management services. 

For the full list of steps to consider and to learn more about how you can successfully position your control state agency to adapt to the changing alcoholic beverage landscape, contact us.
 

Read this if you are a CFO, CEO, COO, or CLO at a financial institution.

The preparation of financial statements by financial institutions involves a number of accounting estimates, some of which can be quite complex. As these estimates are often a significant focus of audits of those financial statements, financial institution personnel affected by the audit process might benefit from a discussion of the rules auditors need to follow when auditing estimates.

Accounting estimates

Across all industries, there are financial statement items that require a degree of estimation because they cannot be measured precisely. These amounts, called accounting estimates, are determined using a wide array of information available to management. In using such information to arrive at the estimates, a degree of estimation uncertainty exists, which has a direct effect on the risks of material misstatement of the resulting accounting estimates. For financial institutions, common examples of accounting estimates include the allowance for loan losses, valuation of investment securities, allocation of the purchase price in a bank or branch acquisition, and depreciation and amortization of premises and equipment, in addition to intangibles and goodwill. 

For entities other than public companies, the auditing rules are established by the American Institute of Certified Public Accountants’ Auditing Standards Board (ASB). Under these requirements a financial statement auditor has a responsibility to assess the risks of material misstatement for accounting estimates by obtaining an understanding of the following items: 

• The requirements of generally accepted accounting principles (GAAP) relevant to accounting estimates, including related disclosures. 
• How management identifies those transactions, events, and conditions that may give rise to the need for accounting estimates to be recognized or disclosed in the financial statements. In obtaining this understanding, the auditor should make inquiries of management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. 
• How management makes the accounting estimates and the data on which they are based. 

This final item—determining how management has calculated the accounting estimate in question—includes the following specific aspects for the auditor to address:

• the method(s), including, when applicable, the model, used in making the accounting estimate; 
• relevant controls; 
• whether management has used a specialist; 
• the assumptions underlying the accounting estimates; 
• whether there has been or ought to have been a change from the prior period in the method(s) or assumption(s) for making the accounting estimates, and if so, why; and 
• if so, how management has assessed the effects of estimation uncertainty. 

Professional skepticism

When analyzing management’s assessment of the effects of estimation uncertainty, the auditor needs to apply professional skepticism to the accounting estimate by considering whether management considered alternative assumptions, and, if a range of assumptions was reasonable, how they determined the amount chosen was the most appropriate. If estimation uncertainty is determined to be high, this is one indicator to the auditor that estimation uncertainty may pose a significant risk of material misstatement. An identified significant risk requires the auditor to perform a test of controls and/or details during the audit; in other words, analytical procedures and testing performed in previous audits will not suffice. 

CECL considerations

For audits of financial institutions, including those that have implemented the FASB CECL standard as well as those still using the incurred loss method, the allowance for loan losses will likely be deemed a significant risk due to its materiality, estimation uncertainty, complexity, and sensitivity from a user’s perspective.   

Additional factors the auditor needs to consider include whether management performed a sensitivity analysis as part of its consideration of estimation uncertainty as described above, and whether management performed a lookback analysis to evaluate the previous process used. Auditors of accounting estimates are required to do at least a high-level lookback analysis to gain an understanding of any differences between previous estimates and actual results, and to assess the reliability of management’s process. 

Auditing estimate procedures

Procedures for auditing estimates include an evaluation of subsequent events, tests of management’s methodology, tests of controls, and, in some instances, preparation of an independent estimate by the auditor. Tests of management’s method and tests of controls, including auditing the design and implementation of controls, are the most practical and likely procedures to apply to audits of the allowance for loan losses at financial institutions, both under the current guidance and following adoption of the current expected credit loss (CECL) method under Financial Accounting Standards Board (FASB) Accounting Standards Update No. 2016-13, Financial Instruments – Credit Losses (Topic 326): Measurement of Credit Losses on Financial Instruments. As FASB has not prescribed a specific model, auditors must be prepared to tailor their procedures to address the facts and circumstances in place at each respective financial institution. 

In addition to auditing management’s estimate, auditors have the responsibility to audit related disclosures, including information about management’s methods and the model used, assumptions used in developing the estimate, and any other disclosures required by GAAP or necessary for a fair presentation of the financial statements. Throughout the audit process, auditors need to continue to exercise professional skepticism to consider what could have gone wrong during management’s process and to assess indicators of management bias, if any. 

For public companies, the Public Company Accounting Oversight Board (PCAOB) specifies auditors must evaluate both evidence that corroborates and evidence that contradicts management’s financial statement assertions in order to avoid confirmation bias. When considering the assessment of risks, as risk increases, the level of evidence obtained by the auditor should increase. As with audits of private companies, the auditor needs to consider whether the data is accurate, complete, and sufficiently precise and detailed to be used as audit evidence.

An added consideration under PCAOB rules is that the auditor is typically opining on the institution’s internal controls as well as its financial statements. This may restrict the results of control testing performed by parties independent of the function being tested from being used as audit evidence from a financial statement audit perspective. For financial institutions, this is often the case with independent loan review, since the loan review is considered part of the institution’s internal control upon which the auditor is opining. 

Supporting evidence

As with the incurred loss method, PCAOB auditing standards will require the auditor consider how much evidence is necessary to support the allowance for loan losses under CECL. All significant components of management’s allowance for loan losses estimate, including qualitative factors, will need to be supported by institution-specific data. If such data is unavailable (for example, because the institution introduces a new type of loan offering), the FASB standard indicates appropriate peer data may be acceptable. In such cases, management and the auditor may need to understand the controls in place at the vendor providing the peer data to determine its reliability. You may provide this information in the form of System and Organization Controls (commonly know as SOC1) reports of the vendor’s system.  

Recently, the International Auditing and Assurance Standards Board revised its auditing rules for estimates, with a goal of enhancing guidance regarding application of the basic audit risk model in the context of auditing estimates. The revised rules require that auditors must separately assess inherent and control risk when obtaining an understanding of controls, identifying and assessing risks, and designing and performing further audit procedures. The ASB seeks convergence of rules both internationally and domestically, and has therefore proposed changes to its requirements for auditing estimates to align with the IAASB revised rules. The ASB’s proposal on these changes indicated they would be effective beginning with audits of fiscal year ending December 31, 2022; the final effective date will be determined in conjunction with its issuance of the final rules.

The best CECL approach 

The best approach to take? Management should discuss planned changes to estimate the process with your auditors to get their perspective on best practices under CECL. Key areas to review in the discussion include documenting the decision-making process, key players involved, and the resulting review and approval process (especially for changes to methods or assumptions). Always retain copies of your final documentation for auditor review. If you would like more information, or have a specific question about your situation, please contact the team. We’re here to help.