CFO attestation: building a sustainable process
This regulatory briefing highlights the challenges faced by firms in establishing their CFO attestation supporting capabilities, as well as the priorities for improving and sustaining these capabilities for future reporting. Additionally, we highlight where technology and automation may be implemented or considered.

Background

The Federal Reserve Board (FRB) established an FR Y-14 attestation requirement for Large Institution Supervision Coordinating Committee (LISCC) firms, where the CFO must attest to each FR Y-14 Annual (A), Quarterly (Q) and Monthly (M) submission. For US bank holding company LISCC firms, initial attestations were submitted on April 5, 2017 for data as of December 31, 2016. For intermediate holding company LISCC firms, initial attestations will apply to data as of December 31, 2017 (official attestation submission dates have not yet been published by the FRB). Additionally, the FRB requires that firms have a materiality policy in place for assessing materiality in the context of management's attestation that the data is materially accurate and that internal controls over FR Y-14A/Q/M reports are free of material weaknesses.

Similar to other regulatory reports, the FR Y-14 attestation certifies the effectiveness of the firm's control environment and conformance of the reports with the instructions issued by the FRB. However, this attestation is more prescriptive and extensive than in the past, as it introduces new requirements around materiality, involvement of internal audit and compliance, and data accuracy. Although today the Comprehensive Capital Analysis and Review CFO attestation requirements are applicable only to LISCC firms, many firms have taken this opportunity to revisit materiality considerations across the full suite of regulatory reports.

The table below highlights the FR Y-14 CFO attestation statements and how they compare to other existing attestations.

Attestation statement requirement, by data type

Projections and actuals:
- The reports have been prepared in conformance with the instructions issued by the FRB.

Actuals:
- Management is responsible for the internal controls over the reporting of the FR Y-14 data.
- The data reported are materially correct to the best of his or her knowledge.
- Controls are effective and include those practices necessary to provide reasonable assurance as to the accuracy of these data.
- Controls are audited annually by internal audit or compliance staff.
- Controls are assessed regularly by management of the named institution.
- Management or the CFO agrees to report material weaknesses in these internal controls and any material errors or omissions in the data submitted to the FRB promptly as they are identified.

Differences from other attestations:
- Explicit certification of data accuracy, in addition to effectiveness of the control environment
- Coverage of a broader and more granular data set, including non-financial data, transaction-level data and projections
- New materiality requirements in the context of data, controls and issues, based on impact to capital
- New requirement for management assessment of internal controls
- Direct involvement of internal audit or compliance

US LISCC bank holding companies:
- Bank of America Corporation
- Bank of New York Mellon
- Citigroup
- Goldman Sachs Group, Inc.
- JPMorgan Chase & Co.
- Morgan Stanley
- State Street Corporation
- Wells Fargo & Company

FBO LISCC intermediate holding companies:
- Barclays
- Credit Suisse
- Deutsche Bank
- UBS

CFO attestation program setup

In preparation for their FR Y-14 attestations, firms have placed significant attention on enhancing their supporting capabilities and systems, as well as launching initiatives to address critical gaps. To oversee these efforts, some firms established centralized governance structures, with cross-functional representation across risk, finance, operations, technology, capital, etc., while others leveraged a more decentralized approach with responsibilities embedded across functions. In either scenario, reporting packages and performance metrics have typically been developed to facilitate communication of program outcomes with senior management and governance committees.

Supporting capabilities

Efforts have focused on the following foundational capabilities that support the CFO attestation process:
- Program governance and executive communication
- Materiality
- Issue management
- Internal controls
- Independent review
- Data
- Attestation
- Training

Challenges and priorities

Program governance and executive communication

Effective governance plays a critical role in the success of an attestation program. CFOs and relevant cross-functional executive leadership should be highly engaged in:
- Setting program objectives and designing the operating model
- Providing input into the structure and contents of the executive attestation report
- Reviewing outcomes of supporting processes and material issues

When developing the operating model and plan, attestation program leads must allocate sufficient time for communication with governance committees and executive leadership.
Given the inherent time constraints, organizations are seeking to enhance their processes by:
- Re-evaluating the contents and level of detail within their executive attestation reports
- Exploring automated methods to more easily collect, analyze and report outcomes

Materiality

For LISCC firms, an FR Y-14 materiality policy must be in place for assessing materiality in the context of management's attestation that the data is materially accurate and that internal controls over FR Y-14 A/Q/M reports are free of material weaknesses, taking into account both quantitative and qualitative considerations. While firms have similar policies in place in relation to SOX requirements, the FR Y-14 materiality policy is distinct in its application to capital ratios. Beyond FR Y-14 A/Q/M reporting, many firms have established broad regulatory reporting materiality thresholds across all reports.

Moving forward, recommended priorities include:
- Enhancing materiality frameworks to better define qualitative considerations in support of prioritization of efforts related to critical data and issue evaluation
- Defining ownership and a business-as-usual (BAU) operating model for ongoing application of the materiality framework each year

Issue management

In order for CFOs to attest that all material issues have been reported to the FRB, firms need to evaluate many of their existing issues for impact to capital, FR Y-14 and other regulatory reports.

Moving forward, recommended priorities include:
- Establishing a clear link or alignment with existing issue management programs (e.g., SOX, data management)
- Defining the population of issues not currently covered by an existing program that require incremental evaluation
- Enhancing qualitative considerations for assessing the magnitude of impact to capital within their materiality policies to better support the evaluation process

Internal controls

Multiple attestation statements stress the need for effective internal controls. To demonstrate an effective control environment, firms have sought to leverage their existing control frameworks for financial, regulatory and operational reporting and enhance them for incremental and more granular coverage. Key controls are then identified based on the materiality policy. A critical challenge that many continue to face is driving accountability further upstream, through data origination processes.

Moving forward, recommended priorities include:
- Enhancing regulatory control frameworks to extend responsibilities beyond finance into the broader organization (e.g., data providers)
- Enhancing upstream data origination and data provider controls in support of data accuracy and conformance with instructions
- Designing and implementing a sustainable BAU operating model for ongoing maintenance of control standards and control inventories

Data

The FR Y-14 attestation is unique in its requirement to attest directly to the material accuracy of the data reported to the FRB. Additionally, the reported data must conform to the FRB's instructions. This poses a considerable challenge given the granularity of the data reported.
Both the FR Y-14 Q and FR Y-14 M reports capture transaction-level data that includes both financial and non-financial attributes. Many firms have sought to address data accuracy and conformance for FR Y-14 and all other regulatory reports through a combination of various initiatives, including:
- Tracing the movement of critical data from system to system to gain insight into data sources, transformations and accountability across the data supply chain
- Decomposing the reporting requirements at the data element level, documenting the current data used for reporting, as well as identified reporting logic or conformance issues, and capturing where requirements overlap with other reports, as well as data owners, sources and associated documentation

Moving forward, recommended priorities include:
- Expanding data documentation to cover a larger population of data elements
- Developing technology and the capability to store and manage documentation for use within the attestation program, in line with their evolving business and technology infrastructures

Attestation

Prior to the release of the attestation requirement for the FR Y-14 reports, many firms had existing attestation processes in place for SOX and other regulatory reports (e.g., FR Y-9C, FFIEC 101). Given the additional requirement for CCAR, firms have begun to develop tools to facilitate their attestation processes. Firms have also focused on enhancing attestation language to support the new requirement.
Moving forward, recommended priorities include:
- Streamlining attestation tools to more systematically collect attestations and reduce redundancy across reports
- Leveraging their data initiatives to evaluate whether the current attestations provide sufficient coverage of data across the end-to-end process
- Enhancing their attestation frameworks to extend accountability further upstream to data owners and providers and establish clearer linkages to downstream requirements

Independent review

Firms have sought to rationalize existing testing plans to determine how they could be leveraged and to expand control and data assessment programs across their first, second and third lines of defense. This includes testing the effectiveness of business and IT controls and verifying that reported transactions reconcile back to origination systems or source documentation. Many institutions also are currently undergoing data lineage and quality testing to verify the accuracy and completeness of data movement throughout the data supply chain. However, additional testing requirements have placed significant demand on existing personnel.

Moving forward, recommended priorities include:
- Leveraging near-shore and offshore centers or a managed services model
- Defining manageable test plans based on materiality by scoping critical data elements and controls
- Communicating ownership and coordination of the testing across the three lines of defense earlier in the process to more effectively allocate resources
- Implementing automated capabilities to more effectively manage assessments and findings between teams, including the use of robotics and workflow tools

Training

Training is viewed by many firms as a critical way of supporting conformance with instructions. As such, training efforts have been ramped up with a focus on providing stakeholders with awareness of the attestation requirements and related capabilities.

Moving forward, recommended priorities include:
- Developing product- and schedule-specific trainings to reinforce linkages across regulatory reports
- Developing process training and more granular job aids for upstream data providers to support conformance with the reporting instructions

EY views on automation

Business process management (BPM)

BPM is a solution that enables firms to improve business processes through creating a detailed view of a process with the ability to track/record completed steps and analyze process performance.
BPM could initially be adopted for some of the components that are tracking intensive. Below is a list of processes that could be improved through a BPM solution:
- Attestation is a cumbersome process that is very manual in nature and requires coordination across a wide group of stakeholders. A BPM solution for attestation can help facilitate the processes and dependencies, provide tracking of attestations occurring across a firm and integrate with other key process inputs.
- Issue management requires input/assistance from different stakeholders and adequate information to link similar issues across an organization, making it a good candidate for BPM.
- Documentation is also a prime candidate for a BPM tool because it requires coordination across stakeholders to develop, update and finalize policies, procedures and other supporting documentation for regulatory reporting.

As other processes mature, they should also be incorporated into the BPM solution to create a more robust view of the end-to-end process, including control and data testing. BPM solutions improve the efficiencies of regulatory reporting by providing a real-time status of the reporting process and creating a platform to perform additional process analysis.

Analytics

Analytics solutions enable firms to capture snapshots of the reporting process, create customizable metrics for ad hoc analysis and generate reports for relevant committees and boards. Analytics improves the reporting process by improving the overall efficiencies related to collecting, consolidating and aggregating data, as well as generating automated reports on an ad hoc basis.

Robotic process automation (RPA)

RPA is a technology solution that is useful for understanding and improving processes within a firm through automating repetitive, manual processes that are performed on a regular basis. RPA can be employed in independent review environments to assist with the surge in controls and transaction testing of regulatory reports.
Successful RPA implementations can reduce costs by decreasing the amount of full-time employee time required for process execution and increase efficiencies by improving the frequency and/or coverage of the current process.

Conclusion and next steps

LISCC firms face a number of challenges when trying to establish and execute their supporting capabilities to meet FR Y-14 CFO attestation requirements. IHCs, in particular, face an added challenge, as a number of processes that were leveraged by BHCs for the initial submission are not yet in place or have just been developed. To effectively navigate through this environment, it is important to keep the following actions in mind:
- Continually rationalize the processes and systems in place to determine whether they are sustainable and can be leveraged across a broader suite of regulatory reports
- Identify areas where processes can be enhanced through technology or automation (e.g., singular tool for attestation, workflow capability to integrate different aspects of the issue management process, analytics tool to simplify aggregation and reporting of program outcomes, and automated regulatory reporting solutions)
- Consider alternative resource models to tackle surges in demand, such as leveraging near-shore and offshore resources or external managed services providers
- As supporting processes begin to stabilize, leverage workflow capabilities to better orchestrate CFO attestation programs more broadly, with added control over the handoffs across the end-to-end process

Though the CFO attestation requirement is relevant only to LISCC firms, this requirement further demonstrates the FRB's heightened expectations more broadly regarding governance, controls and data accuracy around regulatory filings for the production of complete and accurate reports.

Ernst & Young LLP contacts
- Anita Bafna, Partner, +1 212 773 3938, anita.bafna@ey.com
- Christine Burke, Senior Manager, +1 212 773 5607, christine.burke@ey.com
- Abraham Mizrahi, Manager, +1 212 773 8632, abraham.mizrahi@ey.com
- Vadim Tovshteyn, Executive Director, +1 212 773 3801, vadim.tovshteyn@ey.com
- Eileen Miller, Senior Manager, +1 212 773 5852, eileen.miller@ey.com

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2017 Ernst & Young LLP. All Rights Reserved. SCORE no. 05620-171US

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.