CECL and the New AICPA Practice Aid (Part 3): Internal Controls and Governance

Charles Soranno, Managing Director Internal Audit and Financial Advisory
Ariste Reno, Managing Director Risk & Compliance

A new current expected credit losses (CECL) standard changes the way financial institutions estimate loss reserves from an “incurred loss” to an “expected loss” model. The AICPA has published a Practice Aid to help managers, internal auditors and audit committees prepare for the transition. We are offering our perspective on some of the sections in the Practice Aid that we think warrant additional attention, in a series of blog posts here on The Protiviti View.

In Part I, we highlighted areas to which board and audit committee members should pay particular attention. Part 2 examined the requirements intended to ensure that financial statement presentation and related disclosures are relevant, reliable and transparent. In this post, we explore the design, implementation and maintenance of internal controls over financial reporting.

CECL, formally known as FASB Accounting Standards Codification (ASC) 326, Financial Instruments — Credit Losses, includes enhanced data requirements, including data not previously subject to financial reporting controls. This will require financial institutions to come up with additional controls and governance protocols that will need to be documented and tested by auditors.

Many institutions have adopted the 2013 Internal Control — Integrated Frameworkissued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO framework). Although no specific framework is specified under FASB ASC 326, the COSO model offers a basis for our discussion. Each of the following subsections represents one of the five main elements of the COSO framework.

The Control Environment

Under guidelines published by the Public Company Accounting Oversight Board, audit committees and executive management are expected to set the “tone at the top” regarding expectations related to establishing internal controls and appropriate governance. As it applies to CECL, one of the most important areas where this plays out is in the estimation of the allowance for credit losses (ACL). Although it is management’s responsibility to calculate and establish the ACL, it is the control environment established by the audit committee and management together that sets the tone for accounting policies and decisions to ensure that they are transparent, based on sound judgment, well-documented and free from inappropriate bias.

Risk Assessment

It is management’s job to assess the risk inherent in the internal control environment over the ACL estimation process, considering important risk attributes, including the completeness and accuracy of inputs, the applications and models used, the reliability of information systems, documentation of policies and procedures, the potential for management bias, estimation uncertainty, and the transparency and clarity of related ACL disclosures.

In evaluating inputs, it is important to consider the input source and any potential risk of bias. Objective inputs include data related to the unamortized cost basis of loans, historical losses, contractual terms and payment structure. Subjective inputs include management adjustments or assumptions related to prepayment expectations, expected cash flows, current state conditions, reasonable and supportable economic forecasts, the reversion period and method, the consistency of default recognition over time and across the portfolio, and estimated recoveries.  

Control Activities

As it pertains to CECL, management should establish control activities that are designed to prevent or detect material misstatements created by the risks identified in the risk assessment process. These control activities typically include formally documented policies and procedures that evidence key decisions, judgments and interpretations made by management, as well as the assumptions, data, models and methods used to create the ACL estimate. Policies and procedures should also include a rationale for how management’s ACL estimation process meets the requirements of CECL.

Other control activities include information technology general controls that pertain to the way data is stored and processed, as well as automated and manual controls over various components of the ACL estimate such as segregation of duties, approval, verification, reconciliation and management review.

Information and Communication

In the context of the ACL, controls over information include how the information used to make assumptions is produced and evaluated, its quality, and documentation of a transparent and repeatable process. This includes both internal information (for example., historical losses) and external information (such as economic forecasts). The information should be accessible, correct (accurate and complete), current, retained, sufficient, timely, valid and verifiable.

Monitoring

Monitoring ensures the effectiveness of the internal control system and includes evaluation of the internal controls at all levels of the entity by management and the audit committee — both during transition and after the CECL effective date.

Implementation monitoring activities are typically going to be focused on readiness and how timely management responds to identified risks, including the completeness and accuracy of data; the reasonableness of assumptions, policies and methodologies used to generate estimates; controls to mitigate potential management bias; estimation uncertainty; ACL disclosure transparency; and how management identifies and fulfills the need for any specialized skills, including the hiring of specialists.

Postimplementation, the focus will shift to the monitoring of ongoing controls, such as those related to producing the periodic ACL calculation — data availability; skills competency; methodology limitations; model evaluation; management bias; and the overall reasonableness of the ACL estimate, including assumptions.

Our Point of View

Regulators continue to emphasize the importance of audit committees in protecting investors by ensuring quality financial reporting and quality audits. This is consistent with their longstanding view that the audit committee is the final line of defense against a breakdown in audit and financial reporting quality. As it pertains to CECL, this means monitoring for control deficiencies, for the initial implementation and on an ongoing basis.

As stated in the AICPA Practice Aid, management is responsible for the preparation and fair presentation of its financial statements and for the design, implementation and maintenance of internal control over financial reporting. As such, we recommend that management have an established process, including an appropriately designed system of internal controls, under a relevant framework, namely COSO, to ascertain whether or not loans are appropriately accounted for in accordance with the CECL standard. This includes processes and controls over inputs and assumptions used in the estimation processes, planned use of vendors and other risk-based considerations.

With the adoption of CECL, we believe management should focus on the implementation of internal controls over the following areas:

  • How applicability and adoption of new accounting policies are determined
  • How the methodologies, assumptions and data for establishing an estimate of the ACL are selected
  • How the final calculation of the ACL is aggregated and validated

Finally, management and others charged with governance should focus on the implementation of the standard to ensure that, among other considerations:

  • Management is prepared to adopt CECL by the effective date.
  • Management has identified the credit loss model or models it will use, understands how the model or models work and has assessed the historical data needed.
  • Inputs and assumptions used in the model or models are reasonable.
  • Financial statement disclosures issued both prior to the effective date and as of the effective date are aligned with regulatory guidance. The ICFR components are in place for the transition to CECL and in the postadoption period as well.

The AICPA Practice Aid and the SEC Staff Guidance are valuable resources to help audit committees and management navigate through CECL implementation and beyond. Keep checking The Protiviti View for our latest thought leadership on the subject.

Add comment