With the deadline around the corner for large companies to adopt the new accounting standards on current expected credit losses (CECL), the AICPA has published a Practice Aid to help management, internal auditors and audit committees prepare.
The new CECL standard fundamentally changes the way financial services organizations calculate expected loan losses and raises the bar on financial statement disclosures, all in an effort to increase the accuracy of loss estimates and increase transparency for stakeholders.
Large public filer financial institutions are required to comply with the law effective beginning on January 1, 2020. Smaller companies have been granted an extension until January 1, 2023, due to the anticipated complexity of the transition and the cumulative resource burden of multiple standards being updated in rapid succession.
With the implementation deadline looming for many organizations, we already have performed extensive work in this area, helping financial institutions effectively manage CECL transitions, developing forward-looking loss reserving models and compliance methodologies, and reviewing internal systems, data, processes and controls. We think the AICPA Practice Aid is an excellent reference and want to offer our perspective on some of the specific sections we think warrant additional attention.
Overall, there is a lot to consume, consider and execute on in the AICPA’s comprehensive guide, which was published in September 2019. We will be covering key components in a series of blog posts here on The Protiviti View. We begin at the top, exploring areas that should be of concern to board and audit committee members, items they may want to assess, questions to ask and resource assistance to consider to help their organizations effectively and efficiently navigate their CECL implementation.
Below, we break down the most important areas for board and audit committee member consideration. It will quickly become apparent that these topics are significantly interrelated and that it may not be possible to consider one without crossing over into one or more of the others.
Modeling and Assumptions
One of the defining characteristics of the CECL accounting standard update is that it is less prescriptive and more principles-based than the current standards and therefore requires deeper interpretation and analysis in the context of the credit risk faced by each financial institution. This includes the need for more management judgment and subjectivity, and thus increased financial reporting risk.
As a board or audit committee member, it is important to know how financial instrument portfolio risk was interpreted and considered, both when selecting and developing CECL models and underlying forecast assumptions. Of course, different portfolio segments may have different risk characteristics and therefore may require different models. It is also important to be certain there are adequate internal controls around the new CECL process, including robust model selection, development and validation controls. Protiviti believes that a holistic validation of models includes a review of model inputs, assumptions, theory, analytics, output, and associated governance and controls in order to determine if the model is operating as desired and for its intended use.
Our Point of View: The new CECL standard requires management to analyze historical data and make forward-looking loss estimates based on both internal and external data. These estimates are inherently complex and need to be vetted for uncertainty and management bias, among other quantitative and qualitative factors. This is central to the mission of the new CECL standard and, in our view, it is an area where many financial institutions that have implemented the new standard have found that they have a critical skills gap. The AICPA Practice Aid mentions the importance of having modeling specialists — both internal and external — to assist with the development of estimates and ensuring there are proper controls in place to verify that the estimates are reliable.
Are You Ready for CECL Model Validation?
Judgmental Accounting Areas
Estimates are only as good as their underlying assumptions, methodologies, models and inputs and will therefore always contain some element of uncertainty. A basic tenet of the new CECL standard is that it is an expected, or lifetime, loss model, and thus the longer the instrument’s life, the greater the potential uncertainty. It is important for management to document and communicate key assumptions to the board and audit committee, and it is incumbent on the board and audit committee to fully understand and, as appropriate, challenge these assumptions.
With regard to challenging management’s assumptions, the Practice Aid recommends asking probing questions such as:
- How does management identify the range of possible outcomes in determining the Allowance for Credit Loss (ACL)?
- What are the assumptions and data elements that go into establishing a final estimate?
- How rigorously are those assumptions tested/alternative outcomes considered?
- How is potential quantitative and qualitative uncertainty addressed?
- Are outcomes monitored and reconciled with prior-period allowance estimates to help calibrate current estimates?
Another important consideration, when it comes to matters of management judgment, is the potential for bias. This is something we address often with organizations we assist. Four of the most common biases listed in the Practice Aid include:
- Availability – where decision-makers rely on specific information or memory that is readily available to them, and, as a result, believe the information used is more representative to the situation than is actually the case.
- Anchoring – where decision-makers anchor or fixate on a specific value and then adjust other assumptions to account for it.
- Confirmation – where management begins with a hypothesis and seeks or gives disproportionate weight to evidence that supports their theory.
- Familiarity – this is more of a procedural bias, in which management may prefer procedures, models or assumptions that are familiar over newer methodologies.
Our Point of View: The new standard requires use of management judgment in determining underlying forecast model assumptions as well as consideration of other risk factors through use of qualitative frameworks, that may not be accounted for in the quantitative CECL models.
Based on the CECL engagements we have performed to date and extensive interactions with audit committees related to the new standard, we consider the areas of potential bias summarized above to be essential to board and audit committee member understanding of assumptions and estimates. As such, audit committees should appropriately challenge areas of potential management bias that can skew predicted or anticipated estimates versus actual results.
The Practice Aid mentions the importance of having modeling specialists — both internal and external — to assist with the development of estimates and ensure there are proper controls in place to verify that the estimates are reliable.
Systems and Data
A crucial factor in any estimate is the data on which it is based. The underlying data used in the CECL estimation process and models should be complete, accurate, accessible and reliable, and auditable for reporting and modeling purposes. The Practice Aid recommends that audit committees question not only whether data utilized has been validated, but also whether systems are adequate to run the risk models and produce the reporting required under the new standard, both on “day one” and on an ongoing basis.
In addition to a reasonable assurance of data accuracy, it is important for board and audit committee members to understand how data is processed, controlled, stored and extracted, as well as the origin and reliability of any external or internal data not previously subject to loan-loss estimates or internal controls.
Our Point of View: It has been our experience that many financial institutions operate on a complex web of older legacy infrastructure that can make it difficult to create and maintain a single source of truth. It will serve audit committees well to understand their organization’s IT infrastructure, systems and applications, as well as IT operations and critical security and privacy matters related to data integrity.
Many financial organizations are undertaking extensive data governance initiatives and updating their legacy infrastructures to better serve their customers and compete more effectively with born-digital companies. CECL data gathering considerations should be part of this process.Updating data infrastructure can be an expensive and time-consuming undertaking, however, and it is another area where third parties are often utilized to supplement limited and overworked internal resources.
Internal Controls
External auditors are required to understand the internal control structures related to management’s process for developing and maintaining the ACL. A failure in any element of internal control, including the audit committee’s oversight, represents a control deficiency that, based on its severity, may rise to the level of a significant deficiency or material weakness in the entity’s internal control structure that would have to be publicly reported to the investor community.
In addition to typical controls, such as segregation of duties and approvals, there are some ACL-specific requirements, including the approval of asset charge-offs; verification controls, such as tracing loan data back to the originating loan documents; reconciling loan data from the ACL system back to the core loan system; and management review. The Federal Deposit Insurance Corporation Improvement Act and the Sarbanes-Oxley (SOX) Act both require management to assess the effectiveness of internal controls relative to financial reporting.
Our Point of View: Intuitively, it is easy to conceptually understand that CECL introduces the need for additional controls over the accounting policies, operational procedures, information systems and data used in the estimation of ACL, both in the year of transition to CECL as well as the new process control suite going forward.
Further, it is important to keep in mind that the 2013 Internal Control — Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO framework) is one of the most popular internal control frameworks. It addresses five components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. For more information on the COSO framework, visit the COSO website.
In Closing
CECL represents a sweeping change and has created a lot of confusion. The long-awaited AICPA Practice Aid breaks things down to a much a more granular level, with significant amount of detail, which we will continue to address in our subsequent blogs. Subscribe to follow this blog series.
Learn about about Protiviti’s Internal Audit Services.