Implementing ICFR for the CECL Standard

Thoughtware Article Published: Jan 21, 2019

Accounting Standards Update (ASU) 2016-13, Financial Instruments—Credit Losses, is widely described as the most significant accounting change for financial institutions in recent memory. The model is commonly called the current expected credit loss (CECL) model. Applying the CECL model to an institution’s loan portfolio is expected to become an increasingly significant area of attention and resource deployment for senior management and boards. Many financial institution managers and boards are working hard to gain a good understanding of the potential effect the adoption of the new standard will have on their procedures for estimating losses in their loan portfolio, loan data collection/retention procedures and financial accounting/reporting activities. This article outlines another important aspect of the new standard’s adoption: the design and implementation of effective internal controls for the CECL standard.

First, however, a word of caution: Each institution’s implementation of the CECL standard and internal control environment is unique. The complexity of the institution’s organizational structure, the composition of the loan portfolio, the experience level and expertise of personnel involved in control activities, financial reporting requirements and other factors will affect an institution’s identification and adoption of internal control over financial reporting (ICFR) for the CECL standard. Therefore, the concepts described below may not be applicable or appropriate for your institution and are not intended to be comprehensive. The following are general concepts for the identification of internal controls and control activities that could be applicable when adopting the standard.

Concepts for the identification of internal controls and control activities

Researching Publicly Available Resources

Gaining a better understanding of the principles underpinning the development of a good control environment is a critical first step for institutions required to identify and document ICFR. Researching publicly available resources may be an effective approach for managers wanting a deeper understanding of the guiding principles for identifying and documenting ICFR. The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control — Integrated Framework is a cornerstone resource for managers and boards to develop and document their institution’s internal control structure, control environment and internal audit function. The Institute of Internal Auditors’ (The IIA) The Three Lines of Defense in Effective Risk Management and Control summarizes risk management techniques that are essential in an effective control environment. The Committee on Corporate Reporting of Financial Executives International’s A Guide to Implementing Internal Control over Financial Reporting for the Current Expected Credit Loss (CECL) Standard provides readers with detailed information on example control activity language and concepts for documenting controls over the new standard’s implementation.

Identifying & Documenting Control Activities – Prior to Implementation

Implementing the CECL standard will involve significant judgment and development of an accounting estimate based, in part, on forecasting future events. Identifying and documenting control activities for this type of accounting estimate is inherently challenging. Documenting the process your institution uses to develop the CECL approach is an important foundation for supporting the planned control activities to be deployed upon implementation and might include a summary of the following:

  • Oversight body of key managers established to oversee the adoption of the standard that meets periodically to discuss issues, approve key decisions and provide reports on progress to the board (CECL committee)
  • Key process owners responsible for identifying and deploying new policies, procedures and operational initiatives in connection with the standard’s adoption and their qualifications to serve in their role in implementation
  • Documentation of specific methodologies selected or developed to implement the standard and documentation of validation techniques used to test the models selected or developed
  • Vendor management and due diligence controls for monitoring third parties involved with implementation (if applicable)
  • Changes to accounting policies, including the definition of key terms used in selected or developed models and documentation of approval by the oversight body or board of directors
  • Progress reports provided to the institution’s board of directors or designated subcommittees and documentation of approvals of strategic decisions on the path toward implementation

Identifying & Documenting Control Activities – Preliminary Implementation

Once institutions have elected their initial CECL approach and begun adopting policies, procedures and control activities prior to required adoption dates, they may find it useful to run parallel simulations that compare and contrast initial CECL model selections with current loss estimates under the incurred loss model. This technique can help evaluate the efficacy of credit quality indicators and other variables used in the initial CECL estimation models. Control activities to be considered in this implementation phase may include:

  • Periodic validation of methodology selected, including supporting rationale for model selection
  • Validation of key assumptions used in CECL model(s)
  • Validation of pooling techniques used for selected CECL model(s)
  • Validation of contractual terms of pooled loans within selected CECL model(s)
  • Backtesting or other validation of model estimates based on historical data (if available)
  • Controls over the selection and documentation of forecasting data used in CECL model(s)
  • Monitoring controls over third-party vendors used to obtain economic or forecasting data for use in selected CECL model(s)
  • Controls over lending data input and maintenance, including loan grade changes
  • Controls over spreadsheets or other electronic documents used by management to prepare the estimate of expected credit losses
  • Controls over estimating loan prepayments within selected CECL model(s) (if applicable)

Identifying & Documenting Control Activities – Implementation

In addition to the control activities documented and put in place during the implementation phases described above, institutions will need to identify, develop and document internal controls over financial disclosures required under the new standard prior to mandatory adoption dates. Examples of control activities to be considered in this final phase before adoption may include:

  • Controls over qualitative and quantitative disclosures describing management’s method for developing its current estimate of expected credit losses by portfolio segment
  • Controls over the accuracy of portfolio segment and class data for financial disclosure reporting
  • Controls over the identification and classification of assets in past-due or nonaccrual status
  • Controls over the identification and classification of collateral-dependent loans
  • Controls over identifying and reporting on changes in factors that influenced management’s estimate of expected credit losses in the reporting period

Implementing The IIA’s “Three Lines of Defense” Model

Mitigating risk is not accomplished with a single control activity. Rather, layers of control activities generally are required to effectively mitigate risks such as the risk of a material misstatement in an institution’s financial statements and disclosures. The IIA model describes three lines of defense that an institution should identify and document to fully develop its risk mitigation approach:

  • Operational Management (First Line) – Business and process owners who own the risk, identify control activities and monitor operation of control activities, information and communication
  • Internal Monitoring and Oversight Functions (Second Line) – Management personnel with expertise in functional areas such as information security, accounting, financial reporting and risk management who are assigned responsibility for setting standards of performance, risk management frameworks and monitoring of operational and entitywide control activities
  • Internal Audit (Third Line) – Audit professionals who perform an assurance function and test the operations of control activities and report results to corporate governance bodies and senior management

Identifying and fortifying your institution’s lines of defense is key to developing an effective risk mitigation and internal control environment in general and will be essential when adopting the CECL standard. Consider the significant operational changes your institution may need to make to adopt the new standard. Contemplate the following:

  • What are the institution’s three lines of defense to mitigate the risk of adopting the wrong CECL model?
  • What prevents or detects the introduction of inaccurate loan or historical data into management’s calculation of expected credit losses in the loan portfolio?
  • What prevents the use of forecast data that is inappropriate or inaccurate for the CECL model selected for a loan segment?
  • What are the three lines of defense in place to detect and prevent material misstatements in the institution’s financial statements and disclosures related to CECL?


Adopting ASU 2016-13 is expected to have a significant effect on institutions large and small in terms of leadership focus and attention. Resources will need to be applied to prepare for the adoption date applicable to your institution. Beginning the process of identifying and documenting internal controls necessary to mitigate the risks associated with adopting the new standard will require the focus and attention of your institution’s managers and board. Embedding the identification and documentation of internal controls into your institution’s CECL approach from the earliest stages of implementation will allow for a more comprehensive risk mitigation and control environment than starting this process after implementing the operational and accounting changes necessary to adopt the new standard.

The adoption of CECL will be complex and likely will require significant hours to implement correctly. BKD can help educate your team, provide implementation tools and assist with analysis and documentation. If you would like assistance complying with the CECL standard, contact your trusted BKD advisor. BKD has prepared a library of BKD Thoughtware® on this topic. Visit our website to learn more.

