Audit Is Here To Help!

Show Notes

May is Internal Audit Awareness Month, and to celebrate, we invited our Chief Auditor, Laura Fiore, to the podcast to chat about the audit profession. Laura dives into the key differences between internal and external auditors, and maps out how the role of internal auditors spans the entirety of a company. How can an internal audit department benefit your company? Find out in this episode!

Resources:
The Institute of Internal Auditors
FFIEC

Credits:
An AmeriServ Financial, Inc. Production
Music by Rattlesnake, Millo, and Andrey Kalitkin
Hosted by Drew Thomas and Jeff Matevish

Thanks for listening! You can find out more about AmeriServ by visiting ameriserv.com. You can also find us on Facebook, Instagram, and Twitter.

DISCLAIMER
This podcast focuses on having valuable conversations on various topics related to banking and financial health. The podcast is grounded in having open conversations with professionals and experts, with the goal of helping to take some of the mystery out of financial and related topics; as learning about financial products and services can help you make more informed financial decisions. Please keep in mind that the information contained within this podcast, and any resources available for download from our website or other resources relating to Bank Chats is not intended, and should not be understood or interpreted to be, financial advice. The hosts, guests, and production staff of Bank Chats expressly recommend that you seek advice from a trusted financial professional before making financial decisions. The hosts of Bank Chats are not attorneys, accountants, or financial advisors, and the program is simply intended as one source of information. The podcast is not a substitute for a financial professional who is aware of the facts and circumstances of your individual situation. AmeriServ Presents: Bank Chats is produced and distributed by AmeriServ Financial, Incorporated.

Chapters

• 0:00: Fast Fact
• 0:19: Intro
• 1:59: Meet Laura Fiore
• 2:57: Internal vs. External Auditors
• 6:30: Audit vs. Compliance
• 8:49: What Makes a Good Auditor?
• 11:47: What Makes Internal Audit Important?
• 15:39: Let's Talk Regulations
• 18:38: Money Laundering
• 21:36: The Process
• 22:51: Fixing the Problem
• 24:51: What Happens if a Company Doesn't Follow the Rules?
• 28:52: Sarbanes–Oxley Act
• 32:12: Audit Frequency
• 33:46: How To Pursue a Career in Audit
• 35:35: Types of Internal Auditors
• 38:50: The IIA
• 42:17: Wrap Up
• 44:06: Disclaimer
• 45:20: Final Thoughts
• 45:46: Credits

Transcript

Drew Thomas: 0:03

Fast fact, the term auditor comes from the Latin word, to hear, because the first recorded auditors acted as the king's ears, listening to the oral reports of responsible officials and confirming their accuracy. I'm Drew Thomas, and you're listening to Bank Chats. So, yeah, so, Jeff, how are you?

Jeff Matevish: 0:46

I'm good. How are you, Drew?

Drew Thomas: 0:47

Good, better than I deserve. No, always better than I deserve. Did you know today's Apple Pie Day?

Jeff Matevish: 0:54

I did know it's Apple Pie Day.

Drew Thomas: 0:56

Today's Apple Pie Day. Yeah, pretty cool. Have you seen me? Do I like apple pie? Yes, of

Jeff Matevish: 0:58

Do you like apple pie? course I like apple pie. Do you like apple pie? I love apple pie.

Drew Thomas: 1:04

Are you a Dutch apple pie person or are you like a regular apple pie person?

Jeff Matevish: 1:08

Any apple pie. Any pie, I'm a pie guy over cake. Definitely pie.

Drew Thomas: 1:13

Yeah, probably, yeah. This is not a podcast about apple pie. The reason I bring up that it is Apple Pie Day is that there are a lot of days that we've, I've noticed that, you know, every day on the calendar is now a national day of something, absolutely, and last month, we talked about the fact that it was...

Jeff Matevish: 1:29

Financial Literacy Month.

Drew Thomas: 1:30

Financial Literacy Month, right? And Teach Children to Save Day was on what, April 24 this year, or, yeah, this year, yeah. It's still this year, even though it's passed. So, I don't know, but May is Internal Audit Awareness Month?

Jeff Matevish: 1:41

Yes, it is.

Drew Thomas: 1:42

Yeah. And to make you more, are you more aware of internal audit now? Because of, because it's May?

Jeff Matevish: 1:48

I am a little bit because I did research. But prior to that, no.

Drew Thomas: 1:52

Okay, but you are more aware? Yeah, great. We're done. All right. No, we have, we have our senior auditor from AmeriServ with us, Laura Fiore, hi.

Laura Fiore: 2:03

Hi. How are you? I'm good. Yeah, happy to be here, yeah, and welcome.

Drew Thomas: 2:07

So, we're going to talk a little bit about internal audit and what that means. So, tell us a little bit about yourself and like, what, what your job entails.

Laura Fiore: 2:15

Okay, sure, so I'm Laura Fiore. I'm Senior Vice President, Chief Auditor here at AmeriServ. Been here 14 years, always been in internal audit. Yeah, prior to this, I was an external auditor, so I'm a career auditor, and excited that internal audit has an awareness month, right? So, so, you know, I think internal audit is very important. We're here to help the company. We're here to help our customers. We're here to help the community as a whole, right? Like we're here to help make sure the initiatives that the banks undertaking to help our customers in the community are working in line with all the rules and regulations that, that we have in banking, right? But internal auditors span all kinds of industries.

Drew Thomas: 2:57

So, so what's the difference between the internal and an external auditor? Because you said you were an external auditor first, right?

Laura Fiore: 3:03

Yeah. So, external auditors typically work like in

Drew Thomas: 3:03

So, as an internal auditor. You're basically doing a firm setting, so they're at, you know, like accounting firms, the opposite of that, like when an ex, does an external auditor auditing firms, consultant firms. Like, the primary role normally of an external auditor is more so financial statement ask you for that stuff and then you provide it as an internal auditing, so making sure a company's financial statements, auditor. Or how does that? you know are accurate, that they're complete, accurately stating what the company actually financial picture

Laura Fiore: 3:24

External auditors can also do other types of really looks like. Okay, because there are people on the you know, on the outside, in the public, if you're a publicly traded company, shareholders use that information. So, external auditors are a lot of times focused more so on financial statement assertion saying, you know, to the public, or whoever may use a company's financial statements that you know that the company's financial health is appropriately you know, shown in that document. Also a lot of times, you know, outside of banking, if you're a company and you need to engage in a lending relationship with a bank. Guess what? Banks like to see your financial picture. External auditing is kind of the top layer of a way to assure that you know, you have an independent, objective person saying, you know, this company is in good financial condition. reviews, right, like you can specifically engage them to do a very specific topic for you. From an internal perspective, we kind of go beyond, right, so financial statements, we are from an internal perspective, before the external auditors look at it, we're doing our own reviews, similar to what they would do, so that if there is an issue or something that would be incorrect, we could get that resolved before an external person is kind of giving a grade or a judge, gotcha, that looks like. So, we're really here from an internal perspective, kind of the last line to say, you know, we feel like this is appropriately stated. This is accurate information. If it's not, we would work with someone to get it resolved before that external kind of...

Jeff Matevish: 5:13

You're the, you're the pre-test before the final exam.

Drew Thomas: 5:15

Yeah, you're the scrimmage game, as we do, yeah, exactly.

Laura Fiore: 5:21

Exactly. So, so, yeah. I mean, in that analogy, right, like in internal audit, we focus also on compliance with rules, regulations that are industry specific. A lot of times that's beyond what a normal external audit would normally entail. So, you know, from like a banking perspective, you have Federal Reserve, you have FDIC, you have OCC, depending what kind of you know, bank organization you are under, you have a certain set of guidelines and rules, and you get examined by regulatory authorities based on how you're organized. And so we're also kind of the scrimmage or the pre-test, to say, before an external examiner, before a Federal Reserve, you know, group would come in. We're doing kind of that pre-testing, that initial review, to say, you know, we feel like we have good support, we have good processes. We can tell things are working. So, that when we get kind of that external review from an examiner that we know that we've kind of, you know, got a good process in place to represent to them, and if we don't, we like to work internally to fix that and show that we've resolved that internally together, so.

Jeff Matevish: 6:30

So, banks have compliance departments as well. How do you, how do you work with compliance? Or like, does, is there any like crossover for, for roles between audit and compliance?

Laura Fiore: 6:41

Yeah, so in auditing, no matter what industry you're in, you have what they call the three lines of defense. Okay, right? So, like first line of defense is, you know, customer contact, the management team, you know they have layers of controls, right of, of making sure transactions, accounts, loans, whatever it may be, making sure that they followed policies, procedures, rules, right? So, there's management reviews on top of what work is being done. So, there's a layer there. Then your second line of defense is things like compliance departments or risk departments, and they're there to support and make sure that specific tests of specific rules are done, so they're kind of more limited in their topic coverage. And then from the third line of defense, which is internal audit, we come in and test all layers, from the very beginning, frontline customer contact, all the way up through the supervisory reviews of management, all the way through like our risk department and what their controls and reviews are, the compliance testing to make sure their testing made sense and they caught what they were supposed to, and all the reporting that happens out of all those layers. So, we're coming in at the very last line there and making sure that everyone's roles were appropriately covering items. So, there is some overlap, but we do work very closely with, with all the lines, right? Like, obviously, if you're a manager of an area, you want to make sure your team's doing a good job, and sure to make sure, like, what you're doing is your time well spent. If you're a compliance department, you know we can help be a resource to them or management, helping them interpret rules or research or find information that helps them do their jobs as well. So, you know, we're really here to help along the way and be a resource to, you know, kind of help everyone study. You brought up the testing, yeah. So, yeah, we, we know where all the, you know, study material is. We know where the books and the manuals and all that is for like, internal and regulatory and accounting rules. Like, we can help get you to the right place if you have questions.

Drew Thomas: 8:49

So, so what made you get into auditing? Like, what kind of a person, what's your personality, the type that makes a good auditor? Like, what appealed to you about it?

Laura Fiore: 9:00

So, I didn't initially know I wanted to be an auditor. I did initially pick accounting, because accounting is a really good like general business field, where every company, every industry, needs accountants, right? Everyone, everyone needs that, right? So, I liked that there's a variety there. You know, if you become, like a doctor or a nurse, you're always going to be in health care. Can't really apply that to different industries, yeah, right, right. So, being an accountant, I liked that it was a very versatile role. And then I got into auditing, did some internships initially, right? But what I liked about auditing is, obviously there's like, an analytical type of person, right? Like analyzing data, little bit of like puzzles and problem solving, curiosity is good because you're trying to, like, fit pieces of puzzles together and analyze information and try to figure out the best way to do something, but more so than it's probably realized, from an auditor perspective, you have to really be a people person. So, I love working with people. I love talking with people. I love hearing people's perspectives, and linking people together is really what you end up doing in an auditing role, right? So, you know one department's doing a piece of the puzzle, and they may not know where that information goes, and the other department's receiving this information, and they know what they need to do with it, but they don't really know where it came from. And so really, from an audit perspective, you're kind of connecting the dots for a company, and you can see a process beginning to end, like, where did it start? Where did it end up? And along the way, like, who all had touch points in that, and if something goes wrong, you can obviously help then figure out which piece of the puzzle didn't happen appropriately, that caused a chain reaction to a problem, right? And then that's where audit can come in and help and say, hey, you might not have realized, but you changed something you were doing, and they were using that, and now it's not there for them to use. But they didn't know that, sure. So, really, like, the, the people skills of, of linking things together, like very much appealed to me, yeah, and just the variety in a day, right? So, auditing is not something where you come in and day in and day out, you do the same thing every day.

Jeff Matevish: 11:22

No set procedure or anything like that.

Drew Thomas: 11:25

Well I bet there's procedures.

Jeff Matevish: 11:26

I'm sure there are yeah, yeah.

Laura Fiore: 11:28

There's, there's definitely a method, and a way, to do things. But, you know, we, we basically span every department here at the bank, right? So, like any company you were at, you would probably span across different departments, and get to see a more full company picture of how everything fits together. So, that's what makes it very interesting.

Drew Thomas: 11:48

So, from a customer perspective, right? Because obviously, most of the people that listen to this are not bankers themselves. They're most likely listening to us either for entertainment while they're falling asleep, maybe, or because they actually want to learn something about banking, hopefully. But from a customer perspective, why is audit important? Because you don't, you're not really customer facing, right? Your customer is the, the bank employees and the different departments, right? So, why do customers, why should customers be happy that there's an internal audit in banking?

Laura Fiore: 12:21

Yeah, absolutely. So, having an internal audit department, especially in-house here fully, is very important, because we have the best interest of the company, which also means we have the best interest of the customers. Because what's in the best interest of the customer is ultimately what's in the best interest of our company, right? Like, sure, you know, obviously there's a balance to everything. But from a customer perspective, you know, it's helpful to know that there's multiple layers of controls, departments here, right? Internal audit's, objective in that, you know, we're separated from the direct processes, and we can come in and give fresh eyes, like fresh eyes to something is always, is always good.

Drew Thomas: 13:02

Oh, sure, absolutely, yeah.

Laura Fiore: 13:04

And so, you know, we're looking at rules, regulations, policies, all that exciting stuff, but at the end of the day, we're making sure the customers' accounts are being treated appropriately, in line with the rules, and obviously making sure that the financial statements are accurate, which is important for shareholders, which is a different type of, you know, I don't want to say customer, but like a different key constituency, it's important. So, you know, we're here making sure the bank is operating in a, in a safe and sound manner, so that, you know, we're here to serve the community and make sure that the banks making, you know, efficient use of their time and resources so we can better serve customers.

Drew Thomas: 13:45

Yeah, that totally makes sense. I mean, when you're, you know, we've discussed a lot on, in different avenues, on the, on the, on the show, but just the idea that, you know, you're, you're entrusting as a customer, you're entrusting your bank with a lot, you know, in terms of your livelihood. I mean, if my debit card gets lost, that's it for me. Like I can't do anything. You know, I can't, I can't get gas, I can't go to the store, I can't do so, and that's a pretty basic thing. So, the idea that you're entrusting the bank with your money, with your, with your information, things like that, knowing that the bank is being a good trustee of that information is, is very important, you know? And so I get that, and having somebody objective within the organization has to be important too, because you can't have a conflict of interest where you're making decisions that are in the best interest of the bank, but maybe not necessarily for the customer or vice versa. You need to have somebody sort of managing that, right? Balancing that out.

Laura Fiore: 14:44

Keep, keeping the balance of that is, is always, you know, the goal, and obviously, you know, you brought up confidentiality of information. That's one of the most important things in today's environment, right? Yeah, like fraud and scams, and people's identity being stolen. You know, the bank obviously has a lot of very personal information of people, their, their names, their account numbers, how much money is in their accounts. Like we have all that information that, you know, we commit to protect, and we have many layers of, of departments and people here that are committed to protecting that information because it's the right thing to do, but obviously there's a lot of rules about that as well. So, you know, definitely keeping the customers happy with our services, but at the same time, obviously protecting that information that that's so important and vital.

Drew Thomas: 15:39

So, you've brought up rules a couple of times, so

Jeff Matevish: 15:39

Yeah, because compliance, they talk about all let's, let's talk about what some of those rules are. Because Jeff, you kind of mentioned, this kind of dovetails, I think, to your question about compliance. Yeah, you know. these regulations. And I guess audit does too, yeah. And I always thought that compliance handled all that. You have a question about any of the regulations go to compliance, but.

Drew Thomas: 16:02

So, so what are some rules that, that customers might like, are we talking about regulations like, I'm gonna go banking terminology here, like reg CC or reg DD, or things like that, that people can, can look up online to see what they are. Or are we talking about rules that are less public, that are that are, you know, internal, or both. I don't know.

Laura Fiore: 16:22

All the rules for banking are publicly available, right? They have, like, bank exam manuals, the Federal Reserve, the FDIC, the OCC, they all have their own rules and guidebooks, but that they're all you know pretty well aligned for the most part. But yeah, like reg CC is, you know the hold and the availability of your funds on, on checks that are cashed, right? And there's a lot of rules about how soon the bank has to make your funds available, and reg CC outlines all those parameters of you know depends on, you know, the amount of the check, the amount of money in your account, where's the check written from? Where is the check cashed at, right? So, like, there's a hold there, because if you know, we cash your check too soon and we haven't got communication from the other bank yet that, that money is really available, if that money never shows up and we gave that money out, like, the bank's short on money or out of our own personal right? So, like, right? The whole reason that there's a hold process is to make sure we get the customer the money as soon as we safely can give them that money to verify the transaction is going to, you know, be whole and be good. But at the same time, you know, making sure we're following the rules for the various situations that can come up.

Drew Thomas: 17:40

We had an interesting show that we talked about a number of years, about a year ago, Serena Williams, do you remember that?

Jeff Matevish: 17:46

Oh, yeah, yeah. Tried to cash a million-dollar check.

Drew Thomas: 17:49

You hear about that one? So, Serena Williams, everyone knows who Serena Williams is. If you have not lived under a rock, you know who's right? Yes, yeah. And she found, she found in her car a million, was it a million-dollar check?

Jeff Matevish: 18:03

Yeah, her manager or something said, hey, you better cash that.

Drew Thomas: 18:05

Yeah, it was just like, lying in her car. It must be nice to have a million dollars check just lying around that you that you forgot about, right? So, but she went through

Laura Fiore: 18:13

Rules apply to everyone. the drive through at her bank, and they put a hold on the check, and she flipped out. She was, she didn't understand why there was a hold on, on her check, you know? And it's like, look that, yeah, you're Serena Williams, and we know, but there's still processes and procedures we have to follow here, right, so.

Drew Thomas: 18:29

Yeah, do they? No, so what, so what are some of the other things? Um, we talked about, when I was doing some, some preliminary research on audit, the money laundering came up a lot. Can we talk a little bit about what that is and how banks help to prevent it?

Laura Fiore: 18:48

Yes, absolutely. So, so money laundering, you know, I don't know, do you guys watch Ozark on Netflix? Right?

Jeff Matevish: 18:53

I did, yeah.

Laura Fiore: 18:54

If you want to understand money laundering, you...

Jeff Matevish: 18:56

Is that accurate? Yeah, okay.

Laura Fiore: 18:58

But, um, money laundering is basically when criminal activity occurs, right, to generate funds, and you try to basically make those funds appear from, that they're from a legitimate source. Okay, gotcha. So, so money laundering is, you know, I drive my income from some type of criminal activity, I try to cover it up as part of some legitimate activity, and then I, you know, integrate it, place it through the banking world, right? And a lot of times, people who money launder will move it through multiple bank accounts, multiple different locations, right? Okay, and, and then it's harder to follow that trail of funds, right? So, yeah, basically, you know, the Bank Secrecy Act, the Patriot Act, anti-money laundering, there's a lot of rules around trying to make sure, like criminal activity, and you know, if you go back to like the Patriot Act was, unfortunately, like following 911, it is financing and like a big push there, but, you know, it's really criminal activity of any type. We don't want that flowing through government regulated banks, because, you know, criminal activity is illegal, right? And that's where Bitcoin has become so popular. And unfortunately, Bitcoin is not regulated, so a lot of times, if there's, you know, a fraud or a scam, a fraudster or a scammer is an illegal activity, right? Sure, and a lot of times today, you hear them trying to get money moved to Bitcoin. And that's because it can't be as easily traced. It can't be identified, it can't be recalled, right? Like if it moves through five banks, those five banks can end up tracing that and getting communication back. There's an authority that can help connect the dots to get people's money back. Once you put it into Bitcoin, there's not good regulation or authority. So, that money kind of...

Jeff Matevish: 20:53

Yeah until you, until you offload it, yeah until

Laura Fiore: 20:55

Yeah, so that's why scammers, fraudsters, really, you take it out, yeah. you know, unfortunately, a lot of times ask people to do things in Bitcoin.

Drew Thomas: 21:09

So, yeah, but so I guess my thing is, from an audit perspective, really, what you're, what part of your job, I mean, you have a pretty intense job, but part of your job is trying to track that and make sure that people aren't doing those things right? Because you're, you're a check and balance, right? So, if something doesn't add up, no pun intended, but if something doesn't add up, that's part of your job to notice that and point it out and stop it right where it is, right before it gets too far down the line. Is that fair?

Laura Fiore: 21:37

Yeah. And I guess I would say we're the reviewer of the people that do that, right? Okay, we have, you know, all the, all the way up through the various departments here, everyone has a responsibility to identify, you know, if something's fraudulent or something appears, you know, outside of the ordinary, or something doesn't add up, and money's missing, like that. That should be way before audit becomes involved, right? Like, yeah, that should be we have layers of controls. We have a dedicated, you know, set of departments that are reviewing and checking for those kinds of things. And then audits coming in and saying, you know, like, we may pick our own samples, right? Like, in audit, you pick samples. So, okay, you know, so you'll say, if there was like, 100 of something, we'll pick 10% and if you know 10 that we pick have a problem, if there's one or two that have a problem, that probably means there's more that have a problem, right? So, you have sample approaches, and use those samples to say, like, okay, we checked 10 accounts and we saw one that maybe wasn't handled the way we feel. Let's keep looking and let's get to a root cause, and let's connect people and figure out, you know, is, is there something here that, that we could have done different? Yeah.

Jeff Matevish: 22:49

So, sorry, so if you do find something that, that you see that is wrong, how do you rectify that? Like, what, is there a procedure that you just go scold that department that you did something wrong, or what is the procedure to actually fix the situations? Or is it different for every, for every situation?

Laura Fiore: 23:07

No, I mean, it gets back to those people skills, right? Like we pull the people together that you know, that are intimately involved in the daily, you know, whatever that topic is. Like their daily processes of how they manage something, or how they coordinate something. We really pull people together that are along that lines of, you know, where did the transaction start? Where did, where did the item start? Where did it end? Where along the way, did that, you know, maybe should have been identified but didn't? And how can we, basically, like, learn together, maybe what we could adjust? So, and, you know, sometimes it's like, just internal education, right? And we try to educate our customers as well, like a lot of times, you know, if you lose your debit card or it's stolen, or you do get some type of scam call or email, and you get it, you get impacted by that. You know, our frontline customer contact people try to educate customers on sure, like, hey, we would have never asked you for your social security number over the phone. Like, if you would ever get a call like that again, know that our bank wouldn't do that, right? Like, I know you guys do a lot of online, social media education.

Jeff Matevish: 24:18

but BanksNeverAskThat.

Drew Thomas: 24:19

We try, yeah, yeah.

Laura Fiore: 24:20

Oh yeah, the banks never asked that stuff. So, it's kind of the same thing. It's just like becoming more aware and growing our education together on, you know, kind of, how should this have worked better? How could we get better? How can we continue to, you know, protect, protect our customers, protect the bank? And so it takes, a village, right? Takes everyone, yeah.

Jeff Matevish: 24:42

Everybody's got to work together.

Laura Fiore: 24:44

Going in the same direction, with the same goals, to, to know how we can get everything to work appropriately,

Drew Thomas: 24:51

Yeah. So, so, you know, there's no way that we could possibly cover every rule and regulation and so forth that's involved in banking, right? But what happens to, I guess there are probably levels here, like what happens to a bank or, I mean, you could say any organization, because I'm sure audit exists in places other than banking, right? I mean, every company has some sort of internal audit process, most likely. But what happens, because we're talking finance, what happens to a bank that isn't following the rules? What are some of the consequences for not doing what you're supposed to do?

Laura Fiore: 25:20

I mean, obviously, as a customer, we want to make sure that there's good customer service, right? So, if you're not doing something right, probably eventually your customers are, are going to realize something's not right, right? Yeah, you would hope customers right, and no one wants to do that like you know, customers are very important to any business. So, obviously, customer service definitely is top of mind to make sure we're serving our customers appropriately. And a lot of times the rules are made for the benefit of customers.

Drew Thomas: 25:53

Oh sure, absolutely, yeah. Well, as you're talking about this, I'm thinking

Laura Fiore: 25:54

But beyond that, from, from a, from a, you know, Enron. regulatory perspective, right? Like if an external auditor Exactly, I mean, you know, you go back to why we comes in, or an examiner comes in. You know, I guess anytime you break a, break a rule there, there can be a punishment, I guess, yeah, it's where you're going with this, right? So, for financial statements, if your financial statements are, you know, inaccurate to a significant degree that can, if you're a publicly traded company, that can be public information. So, you obviously can have reputation risk with that. From an examiner standpoint, most exam results are confidential. They are not shared publicly until you, like, get into a very high-level issue, right? So, the FFIEC, have a lot of controls and rules. Normally, it's out of which is basically like a joint authority that pulls together the Federal Reserve and the OCC it's like, it's like an agreed upon set of rules and requirements where the various agencies agree on how something is to be handled. They actually have a site called enforcement, FFIEC enforcement site, and if something really bad happenings. Yeah, that's a good example of you go out there, you can search any person's name, you can search any bank name, and it'll tell you if there's been, like a formal legal action taken, like a cease-and-desist order or a penalty or a fine. So, in very extreme cases, you can have to pay fines and get penalties, and people can be disbarred from banking if they identify a specific person was to blame, like, you know, if someone would embezzle a large sum of money from, from a bank, like they would obviously end up probably getting charges pressed, because, I mean, it becomes like a legal issue. something really bad happening in a publicly traded company. They were, you know, not issuing their financial statements completely and accurate, right? It did not represent the actual picture of that company's standing and what happened, right? People lost their jobs; shareholders lost a lot of money. Yeah, right. And that's where, you know, we basically have Sarbanes Oxley, which is financial controls for publicly traded companies, any, any publicly traded company, right? Because Enron wasn't a bank.

Drew Thomas: 28:21

Right, right, no, that they weren't. But I just, but when you're talking about, like, financial statements and being audited and keeping things on the above board, you know, that's one of the first things that, that I think of is, is thinking back to those days, and I mean, that was that, that company's name was everywhere for a long time because of all the, yeah.

Laura Fiore: 28:40

Yeah, and a lot of the rules we have today came out shortly after the fallout of all of that, yeah, and govern a lot of the way that the rules for financial statement controls are.

Drew Thomas: 28:52

So, you mentioned Sarbanes Oxley. Do you want to elaborate on what that is maybe a little bit or?

Laura Fiore: 28:56

Yeah. So, Sarbanes Oxley was passed after, you know the Enron yeah, excitement in the world, and basically is a set of rules about how you control processes for financial statement reporting. And so, you're required to abide by that if you're publicly traded, which AmeriServ is publicly traded, our stocks on NASDAQ. We are Sarbanes Oxley compliant. Sarbanes Oxley requires you have an internal audit process as well.

Drew Thomas: 29:25

Hey, how about that?

Laura Fiore: 29:30

So, yeah, it really governs the fact that, like, you know, everything, should have minimum of two to three sets of eyes, right? Like you should have, you should have processes that prevent bad things from happening. You should have processes that detect when bad things do happen.

Drew Thomas: 29:48

Because people are human too. I mean, I mean, honestly, people are human too. I don't think that you, after, like, discussing things with you like, I think a lot of people have an unfair impression of what audit means, you know, that there's...

Jeff Matevish: 30:01

Audits always been a scary word, yeah.

Drew Thomas: 30:03

Yeah, or that they're, they're, they're, they're trying to, they're trying to find something, yeah, that's not entirely true. I mean, you are, you are trying to identify problems. I mean, that is part of your job, but you're not doing it from a, from a standpoint of, like, oh, I just can't wait to stick it to somebody like, you're really doing it in the customers' best interest, and to better the company, right, yeah.

Laura Fiore: 30:24

Absolutely, absolutely, yeah, that's one of the biggest misconceptions. I mean, no one likes to have their work checked, right? Like, I mean, it's just a natural like, defense mechanism, I think, right, sure, hear the word audit. Like, oh, that sounds bad. Someone's gonna come check if I did everything right, which makes me nervous, right? But, but really, it's here to give help and guidance and to make you feel good that what you're doing is working. That's what it should be. Like on the best day for an auditor, everything matches. Everything works. All the rules are followed, and we're all on the same page, and everything's working great. Like anytime there's a problem that does nothing but add work right for you too. Obviously, yeah, right you have to investigate, and you have to figure out why did it break, and when did it break, and where did it break, and how do we fix it, and how do we pull everyone together? So, I mean, while that can be very interesting, obviously the best outcome for everyone is that, you know, we're all on the same page, and everything's working the way it should for customers, for the company and, and we can invest our time on, on other things, yeah, to, to move forward new initiatives to help customers or the community or the, or the company growl is the ultimate goal.

Drew Thomas: 31:42

So, you had mentioned a little bit about how you have to sort of spot check things at times, right? Because really, I mean even a smaller community bank processes 1000s, 10s of 1000s of transactions, sometimes a day, hundreds of 1000s, millions a month or a year. There are systems that check those things to make sure that they're accurate on a one-to-one basis, but it's not realistic for an audit department of 10 people to be able to look at 10 million transactions, right? So, you have to sort of spot check and look for things. How often do you perform that kind of an audit? I guess is where I was kind of going with this. How long does, do you, do you audit different things at different times of the year? Do you, is it always like, hey, it's January, it's audit time, or is it something different?

Laura Fiore: 32:25

No, we're working year-round, rotating through topics, right? And, like, we take a risk-based approach, so where there's more risk to the company or there's more risk to a customer, you know, we try to spend our time where the risk is. So, you know, if, if there are things that are fully automated by a system, and we can check like system settings and confirm the systems working, you know, systems are free from human error, but they're not free from how they're set up to work, right?

Drew Thomas: 32:54

Yeah, humans set it up to begin with.

Laura Fiore: 32:57

So, we definitely use technology a lot to, you know, make sure we're getting as much coverage as we can. Yeah, because, as you said, like, you know, 1000s and 1000s of transactions, what would looking at 10 transactions do? But we'll look at, you know, like, the system controls and, and from that, say, like, well, where's the, where's the risk that something goes wrong in this? And then from that, we are looking at, you know, the various levels of processes and how, you know the company is spending their time, and how they're feeling comfortable that it's working. And so we're really getting an understanding of what the personnel do, what the system does, using technology to help us spend our time wisely on, on where that risk may be.

Drew Thomas: 33:44

Gotcha, that makes sense.

Jeff Matevish: 33:45

Yeah. If someone wanted to get into auditing, how do you do that? What is there like certifications you have to have? Or is it like a specific degree if you want to get into

Laura Fiore: 33:53

Yeah. So, all auditing, really best background auditing? is accounting or finance majors, so definitely, like a business focused major, just because there is a lot of core, like accounting, financial understanding that comes with

Jeff Matevish: 34:06

Not your cup of tea. any industry, not just banking, but any industry, okay, auditing really does center around accounting a lot of the time. And how the, you know, the funds and the flow of things are managed at a company, sure, regardless if your banking or manufacturing. So, so definitely, like a background with a business degree. Beyond that, there are many certifications you can get as an auditor. So, you know, I'm a CPA, I'm a Certified Public Accountant, even though I'm not

Drew Thomas: 34:34

I hate doing taxes, no. in a firm, or I'm not doing someone's taxes, right? People hear I'm a CPA and they're like, oh, so you do people's taxes? No, I could, but I don't. I don't.

Laura Fiore: 34:43

I don't, but so that...

Drew Thomas: 34:50

Do you do your own taxes is the question?

Laura Fiore: 34:52

I do, do my own taxes. I do. But aside from that, there is, like, a Certified Internal Auditor, their Certified Fraud Examiner, right? So, like a lot of what auditors do, can reveal if there's, you know, fraudulent activity, right? There's, like, forensic accountants and things like that that will specifically zero in on, you know, looking for criminal activity. If a company thinks someone's, you know, if money goes missing, you can call on a forensic accountant to help you.

Drew Thomas: 35:21

That sounds like a fun job title, yeah, I put that on my business card.

Jeff Matevish: 35:25

What do you do? I don't know, it's just cool.

Laura Fiore: 35:26

Yeah, yeah. So, there are, there are definitely a lot of different certification routes you can take to zero in on.

Jeff Matevish: 35:34

Are there different types of auditors then? Like, IT auditing versus operational auditors versus others, okay.

Laura Fiore: 35:41

Yes, absolutely, you can definitely get into different niches there, right? Like you can be definitely IT today's cybersecurity risks to all companies, IT is definitely a huge one. So, you know, you can start out with, you know, kind of an IT background, and if you know how to properly, you know, mitigate cybersecurity risk, then you could audit and check others that are mitigating and protecting cybersecurity risk. So, you know, if you wanted to be more compliance specific, right, you, you can really focus in on compliance rules as a background, and then become an auditor of those topics, right? So, there's, there's definitely, from an operational perspective, you know, that's, that's kind of more broad, right? So, that would be more industry specific. So, like, we're in banking, so like, an understanding of banking operations, to be able to audit the operations here. But with any industry, they all have their own sets of rules and regulations and, and normal operating practices. You know, if you, if you get, like, the general background in IT, or in accounting or in finance, you're going to have a lot of opportunities, you know, across any industry, really.

Drew Thomas: 36:57

Yeah, I mean, I, and I think that's something that, you know, we tend to think of audit as being finance specific, because it sounds like a financial thing. It sounds like a financial thing. But to some degree, there's auditing in, like you said, even in manufacturing. I mean, you know, whoever inspector number 35 was that it was in my suit coat pocket when I pulled out the little tag when I bought it is, in a weird way, sort of an auditor. They're randomly pulling things off the assembly line and making sure that things are being put together right, that the stitching is good, that, you know, the right color fabric is being used. They're not sewing red arms onto blue coats and things like that. So, it's not as in depth and probably, you know, I don't know, I'm trying to think of the right word. As, yeah, I mean, as, as a financial auditor, but it's essentially the basic thing, like, everything needs to have a check. You can't just let people go off and do whatever they want to do all the time, because eventually somebody's going to get into the mix that tries to make it about them and not about what's good for the customer, right? And so if it's the if it's the person on the assembly line, you know, that's using an inferior material, the coat is going to fall apart. If it's your bank, you want to make sure that people are making decisions that are, you know, because there are, there are, you know, arguably, decisions that, that banks or organizations that serve customers could make that are in the best interest of the company, but not necessarily for the customer. So, you want to make sure that the customer is being handled first.

Laura Fiore: 38:23

Absolutely, and that's where you know a lot of, you know, consumer compliance rules are to protect customers and to make sure that you know their interest is, is put first. But obviously you know any, any company has to make good decisions to stay in business and to be able to continue to serve those customers. So, it's definitely a balanced approach.

Drew Thomas: 38:48

Cool. What else you got Jeff, anything?

Jeff Matevish: 38:50

Well, do you want to talk about where you can find more information? You want to talk about the IIA at all?

Laura Fiore: 38:54

Sure. Yeah. So, the Institute of Internal Auditors, obviously, are the ones that facilitate audit Awareness Month. So, you know, if you Google Institute of Internal Auditors, their site comes up, it tells you all about, you know, the benefit of internal auditors and what they strive to do to help the world, right, right? So, I mean, it's global, it's national, right? Internal auditors are kind of here to help, and there's a lot of information out there on, on how they can add value. Help protect customers, help protect the company, and add value, right? Like having that objective input to help connect processes, connect people, is, is ultimately the goal, so.

Drew Thomas: 39:40

I think we've had a couple of conversations in here, you know, just about, there are so many different occupations you can get into when it comes to banking that, you know, when people oftentimes think of banking, they either think of a CEO, right? Or they think of a teller, maybe a branch, a branch manager or something, but they think of the people they see every, every day, sure. But there are a lot of different occupations that go into the banking world, you know, from, from marketing to audit to IT, so many different disciplines that you can get into that, that in that can involve banking beyond just what you see when you walk into your local branch,

Jeff Matevish: 40:19

And that's why you need audit, because there's

Laura Fiore: 40:21

Same thing, marketing, right? Marketing, right? so many different departments, yeah, that need to work together, and audit helps make them work together. every company needs marketing, right? Everyone needs a good you know, forward facing to the public of whoever your audience is. So, marketing is one of those that transcends all industries. IT, human resources, all companies need those types of input.

Drew Thomas: 40:46

Yeah, and we work with audit a lot and compliance a lot, because in the world of advertising, there are a lot of rules to follow in terms of banking, in terms of how we can present products and how we talk to customers. And you know whether certain products are FDIC insured or not, you know, things like that. So, you know, we definitely work with compliance a lot in the marketing side of banking. And I the only other industry I can think of that is probably as or more heavily regulated in terms of how you can present products and services to customers is maybe food. That's probably about it. And like, we, yeah, yeah. We are, we are very, very diligent about how we present things, because we want to be above board. We want people to understand what it is that they're actually getting right. And audit helps to make sure that that stays correct as well, right? So, yeah, absolutely,

Laura Fiore: 41:34

Yeah. A lot of the rules are just about that like, what you say is what you do. Yeah, right. And so like, you know, audit will review our website, and we'll say, hey, we have these products out there with these types of fees and rates noted, and here's some details on how these products work. And we'll look at that. We'll maybe talk to the business lines that own those products and make sure that, you know, marketing and the people that own the product, and our viewpoint of how that really processes in the back in the system. Yeah, all that really is aligned and working the way we say, so that, you know, we do have the accurate information out there for our customers to make decisions.

Drew Thomas: 42:15

Yeah, yeah. So, if you, if you know any internal auditors in the month of May, you know, give them a thumbs up, tell them that you, you're not afraid of them. That, you know, yeah. But I mean, really, I think it's, and I think it's, you know, you said at the beginning, like, if you like puzzles, if you like you don't have to, I mean, you kind of have to like numbers a little bit, you know, to do this kind of auditing, but.

Laura Fiore: 42:41

You do, yeah, you have to, you have to really like reading and writing too, which people don't, people don't expect, right? Yeah. So, you know, I have an accounting degree, and I think people expect I'm with, like, my calculator and my pocket protector and my Excel spreadsheets all day, but.

Jeff Matevish: 42:57

Yeah but you're an interpreter, I mean, more than a mathematician, I guess. Yeah.

Laura Fiore: 43:00

Yeah, that's a very good way to put it. Yeah. I mean, a lot of just like reading even accounting rules, reading banking rules, reading whatever the industry rules are, and understanding, like reading comprehension, understanding those, and then making sure we have good written documentation that matches those, is a lot of the job.

Drew Thomas: 43:18

I mean, that's, that's, it strikes me as almost like, you're almost like, halfway to being a lawyer. In a lot of ways, you have to interpret a lot of that stuff and, and be willing to read a lot of fine print. Well, thank you very much for coming down and talking with us. I mean, really this, it's very enlightening. And I think a lot of people that you know, again, you know, we've talked in the past about different occupations and things in banking and, you know, there's a lot of cool stuff out there that you can do beyond what you might imagine, you know.

Jeff Matevish: 43:47

I've learned a lot this past month about auditing.

Drew Thomas: 43:49

Yeah, so until next May. No, I'm kidding, yeah.

Jeff Matevish: 43:56

We'll have a refresh.

Laura Fiore: 43:57

We'll do your audit next month so we can come.

Drew Thomas: 44:00

Yay.

Laura Fiore: 44:00

Remember, here to help. That's right.

Drew Thomas: 44:04

Thank you very much. This podcast focuses on having valuable conversations on various topics related to banking and financial health. The podcast is grounded in having open conversations with professionals and experts with the goal of helping to take some of the mystery out of financial and related topics, as learning about financial products and services can help you make more informed financial decisions. Please keep in mind that the information contained within this podcast and any resources available for download from our website or other resources relating to Bank Chats is not intended and should not be understood or interpreted to be financial advice. The host, guests, and production staff of Bank Chats expressly recommend that you seek advice from a trusted financial professional before making financial decisions. The host of Bank Chats is not an attorney, accountant, or financial advisor, and the program is simply intended as one source of information. The podcast is not a substitute for a financial professional who is aware of the facts and circumstances of your individual situation. When people think of careers in the banking industry, auditor isn't typically among the first jobs that spring to mind. But while the occupations like bank manager or teller might be more common, auditors play a critical role in keeping things running smoothly and safely. That is important, not only for the bank as an organization, but also for the customers who entrust their finances to the bank for safe keeping. Our thanks to Laura Fiore for joining us on the program today, and as always, to my co-host and the executive producer of the show, Jeff

Matevish. AmeriServ Presents: 45:54

Bank Chats is produced and distributed by AmeriServ Financial, Incorporated. Music by Rattlesnake, Millo, and Andrey Kalitkin. You can find the podcast on any of your favorite podcast platforms, or you can now view the podcast on YouTube. Please make sure to subscribe so you never miss an episode. For now, I'm Drew Thomas, so long.