After 20+ years as an internal auditor for regulatory compliance in the financial institution industry, I have certainly come to realize that the audit function is an essential tool for ensuring success in building a strong compliance management program. As we all know, non-compliance with regulatory requirements can result in potentially severe (and painful) penalties.
The core elements of an effective audit function, whether completed internally or outsourced, are the same for any area to be audited. Because a compliance audit is a review for compliance with regulatory requirements, it doesn't really qualify as an audit as promulgated by the Institute of Internal Auditors. Therefore, the compliance audit function is oftentimes referred to as a compliance review. The two terms are used interchangeably in this article.
The most critical piece is the Audit Plan. Audit plans are developed based on a completed risk assessment of the area(s) to be audited. The plan establishes the overall strategy of the engagement.
Effective compliance programs are based on a completed risk assessment of each applicable regulation that pertains to the products and services the institution offers. The risk assessment weighs the inherent risks against the applied controls and mitigating factors to determine the residual risk of each category. Each area is evaluated on the strength of the staff, the controls in place, the action items needed, the training provided, and the monitoring functions. Based on those results, the audit necessity is rated low, moderate or high. Areas with higher ratings will be audited more often. Ideally, the high-risk areas will be audited at minimum every year, moderate-risk areas every two years and low-risk areas every three. The timing depends upon the complexity and volume of the institution's products and services. From there, the audit plan is developed and documented, and the timing of each area to be audited is scheduled with estimated dates of completion. Most often the plan is spread over one to three years. Plans should be approved by the Board or Compliance Committee to ensure appropriate oversight.
The assigned auditor will develop an Audit Program for the area under review. The program will include a summary of the functions of the specific area to be included for the review period, such as Loan Compliance, Deposit Compliance, Fair Lending, Bank Secrecy Act, etc.
The program will also take into consideration and evaluate the effectiveness and strength of the staff, the policy and procedural requirements, prior regulatory examinations and audits, and any other factors that would significantly direct the activities of the engagement.
Once the audit program is ready and the functions are identified, Audit Checklists should be developed and used to test the effectiveness of compliance in each area. Depending on the regulation being audited, the size and number of checklists may vary. To audit and test privacy controls, there may be only one or two checklists needed to adequately assess the compliance functions: one to review the privacy notice and one to test compliance with the opt-out function. For Regulation Z, however, numerous checklists may be needed to adequately review the types of products offered by the institution.
Regulatory agencies have numerous examination guides available on the internet which can be used as a starting point for developing checklists. The regulations themselves are also great resources for creating effective checklists. The checklists should provide for the identification of regulatory violations (exceptions) as well as best-practice observations, including adherence to approved policies and procedures.
During completion of the audit program, try to reassure staff that the internal audit function should not be viewed as a "gotcha" moment. The purpose of the auditor is to identify areas of exposure to regulatory requirements and to assist the applicable staff with the identification and implementation of controls that improve the overall strength of the area.
As you proceed through the steps of your audit program, ensure Effective Communication with applicable staff and management as exceptions or observations are identified. There is always the potential that an exception can be cleared once there is a better understanding or explanation from staff.
Once the program and checklists are satisfactorily completed and management agrees with any findings, prepare a draft Audit Report to be presented to management for their review and input. Any finding noted should always include either a reference to a specific regulatory citation or, if it is an observation, a reference to a policy or procedure. List the procedures completed for that area, the sample size selected, and then the violations noted. Once you have identified an exception, provide recommendations on how to correct the finding or resolve the issues noted. Once the draft is completed, management should then insert their responses. Each response should include a responsible party and a target completion date.
Upon completion of management responses, the auditor should then prepare a formal report to present to either the Audit Committee or the Board of Directors, along with an exception tracking summary. The summary will be used as an ongoing tracking tool, updated periodically, to ensure all exceptions are addressed and rectified by their completion dates.
In summary, the audit/review process does not have to be complicated or intimidating. It's a step-by-step process that applies to any type of audit. Once the proper annual risk assessment and planning functions are completed, the clarity and conciseness of the program(s) will keep the process functioning effectively for the institution.