Data-driven audit management at Washington Trust Bank
“My whole belief is that data will drive audit processes. ACL allows me to have my process—a relationship-based, risk-based process—without any grief whatsoever in a system that allows me to have electronic workpapers, to monitor performance, to know what’s going on with my audit team, as well as what’s going on with my business. It was really the most flexible tool out there and it was almost like it was made for our process.”
Senior Vice President and General Auditor,
Washington Trust Bank
As is the oldest and largest privately-held commercial bank in the Northwest, with more than 40 financial centers and offices in Washington, Idaho and Oregon, Washington Trust Bank enjoys an advantage over our publicly-owned competitors. The bank bases decisions and policies on what’s happening in the Northwest—not in distant locales. Being independent, Washington Trust is able to set its sights on long-term goals rather than quarterly results. Organization-wide, Washington Trust is focused on doing the right things for clients and communities.
Data analysis patterns now drive audit planning
Manual and Excel-based processes modernized
Audit reporting rates against 7 enterprise risk families
Software exactly matches the audit process
Interview with Dan Clark, Senior Vice President and General Auditor, Washington Trust Bank.
What is your vision for creating a different kind of audit team?
We are what we call a relationship audit team with a very unique process, which is one reason why we looked at ACL for the GRC process. A relationship audit team spends most of their time developing the relationship. What does that mean? It means you spend a lot of facetime with either leadership or second-level management. You do walkthroughs of processes. You sit in staff meetings. You personally go in and do the job that the people you are auditing have to do.
How important is having risk data analytics built into your audit management system?
I would say it’s imperative. My whole belief is that data will drive audit processes. They do to some extent today: people like to track things—although not always the right stuff. But understanding data, the data drivers, the data drivers that drive the process drivers of the risk, and the risk drivers of the risk families. Once you get all that together, the only way to look at it is through data.
What does risk look like in your environment?
You have US regulations, international regulations, accounting regulations; there are regulations everywhere. You have to be cognizant of what those are and how they apply to the processes you develop. You have technology risk, operational risk, legal risk, reputation risk—reputation risk is really exacerbated by all the other things you have to manage. If you give lousy credit, it impacts your reputation. If you don’t have a smooth operation and your customers complain, it impacts your reputation. Don’t comply with rules and regulations? It impacts your reputation. So it’s a very holistic and aggregate group of risks that impact the financial industry.
What stood out about ACL™ GRC when you were looking for an audit management system?
It allows me to have my process—a relationship-based, risk-based process—without any grief whatsoever in sitting down and putting it in a system that allows me to have electronic workpapers, to monitor performance, to know what’s going on with my audit team, as well as what’s going on with my business. It was really the most flexible tool out there and it was almost like it was made for our process.
How has your data-driven approach changed the conversation with management and the audit committee?
Last year was the first year we gave the senior management team and the audit committee a risk-based report, where we actually rated the risk of the organization. There are seven different risk families that the enterprise risk management team uses for the bank; we adopted those. We actually rated those based on all of our work, and the work of every other audit that was performed—whether it was outsourced or regulator. That kind of data has never been put together before, but we put it together. All of it, you can get right in ACL either in data analytics or GRC. You put it together and you come up with a 15-page report for the audit committee that says we’re good or bad or whatever with some really detailed comments as to what drove the ratings. They had never seen that before. That was an “aha!” moment, a WOW moment.
How would you describe the return on your investment in a data-driven audit management system?
As I mentioned before, to me the two biggest returns on investment—and I don’t look on ROI monetarily, I just don’t do that. One, my team is cohesive, much more cohesive, much more educated, much more value-driven, and more value-contributory for the organization. That’s a win for us. The other one, the organization has received the benefit of that value, and because of that, it’s been a value to me.