Is Your Audit Schedule Complete?

Issue

In a July 7, 2008, speech to his own staff, John C. Dugan, Comptroller of the Currency, stated, “… we simply cannot take our eyes off compliance while we address safety and soundness.” Mr. Dugan’s remarks serve as a reminder that consumer protection and operational compliance requirements continue to be key areas of focus for regulatory agencies, and require the attention of financial services industry management even during the current financial crisis.

The federal banking regulatory agencies have set forth expectations that the institutions they supervise establish reasonable compliance management programs. However, there are no prescribed definitions of how these programs should be developed and maintained. Rather, regulatory guidance is framed by examples and direction indicating that a program be based upon the institution’s size, complexity and scope of activities. Regulatory agency guidance does suggest, however, that one measure of the effectiveness of a compliance program is whether it is integrated adequately into an institution’s internal audit program.

As a result, compliance risks, as with other risks faced by a financial institution, should be incorporated into annual internal audit risk assessments and planning processes.

Challenges and Opportunities

Incorporating regulatory compliance into an institution’s audit risk assessment presents certain unique challenges. When conducting a compliance risk assessment, internal audit departments should be prepared to:

  • Coordinate with and potentially leverage the risk assessment efforts of the internal compliance and/or enterprise risk management (ERM) functions.
  • Decide whether to focus the compliance risk assessment by business line, product type or regulatory requirements.
  • Develop a repeatable and documented methodology to rate the inherent and residual risk of applicable regulatory requirements.
  • Determine, based on the results of the risk assessment, the depth of coverage of each internal audit (i.e., when to conduct a high-level evaluation of control design and when to test controls specifically for effectiveness).
  • Assess how compliance requirements should be addressed in the internal audit plan (e.g., whether as stand-alone or horizontal compliance audits, or as integrated operational and compliance audits).

An institution that addresses these challenges effectively will achieve strategic benefits, including:

  • Minimizing compliance management efforts through internal coordination of risk assessment and compliance audit and monitoring efforts
  • Satisfying regulatory agency expectations
  • Effectively identifying and addressing key compliance risks and potential compliance gaps before they can harm the organization
  • Potentially reducing the scope of risk-based regulatory examinations if examiners are comfortable that the institution has effective compliance management and internal audit programs in place

Our Point of View

It is essential that institutions integrate regulatory compliance requirements into their internal audit risk assessment and planning processes. We believe the keys to considering regulatory requirements effectively in internal audit risk assessment and planning processes include:

  • Agreeing on and documenting the methodology by which to assess applicable compliance risks and the sufficiency of related internal controls
  • Coordinating efforts with compliance and ERM functions
  • Involving experienced personnel to identify applicable risks
  • Avoiding over-complication by ensuring the output will be meaningful
  • Efficiently designing the internal audit plan and prioritizing resources by incorporating regulatory requirements into other operational audits
  • Ensuring the final methodology and results are presented and acceptable to management and the audit committee

How We Help Companies Succeed

Protiviti assists internal audit clients with their regulatory compliance risks through a highly collaborative and customized process in which clients’ unique regulatory and operating characteristics are assessed and documented. We work with management to develop and document a sustainable process, enabling an organization to refresh the identification and ratings of key risks on a periodic basis. We can help your institution meet the challenges of assessing compliance risk when developing your annual internal audit plan by assisting you with:

  • Developing an inventory of applicable regulatory requirements and auditable entities
  • Conducting interviews with key members of management and with process and control owners
  • Developing, deploying and assessing the results of management surveys
  • Developing and implementing a methodology to assess inherent and residual risks and the strength of internal controls
  • Creating and presenting the audit universe and audit plan to management and the audit committee

Example

A large financial institution engaged us to facilitate the development of its internal audit plan and to conduct audits on an outsourced basis in accordance with the plan.

To develop the audit plan, we created and deployed management surveys to identify high-level business risk categories important to the organization. We identified additional current and emerging risks through interviews with key executives. After assessing regulatory compliance as a high-risk category, we worked with the client’s internal audit, compliance and legal personnel to “drill down” in order to identify applicable regulatory requirements and assess the degree of noncompliance risk to the organization. We then prioritized and incorporated compliance risks into the development of the audit universe.

As a result, our client was able to demonstrate to its regulators and its audit committee the completeness of its audit plan through the comprehensive and documented analyses that Protiviti performed during the audit planning process. Our client also was able to direct its audit resources to areas of highest risk.

Carol Beaumier

+1.212.603.8337

Michael Brauneis

+1.312.476.6327

Scott Jones

+1.213.327.1442

Patrick Scott

+1.312.476.6397
