Washington Bankers Association Executive Development Program Audit and Compliance Internal Audit and Monitoring: The Continuous Program Cycle Presenter:


1 Washington Bankers Association Executive Development Program Audit and Compliance Internal Audit and Monitoring: The Continuous Program Cycle Presenter: David McCrea U.S. Program Manager Global Regulatory Compliance Team Infosys Limited

2 The Continuous Program Cycle Designing Implementing & Checking Correcting & Reporting

3 Testing Your Controls Use your Risk Assessment as the foundation of your monitoring program. You have documented the controls to test and can validate the control strength ratings You know where your highest risks are so you can prioritize your program.

4 Establishing Your Checking Plan You should set an annual monitoring / testing plan with a goal of validating the effectiveness of key controls at least annually. – Riskier controls should be evaluated more frequently – Validate stronger controls are working as planned – Plan to test adequate and weak controls more vigorously

5 Definitions Quality Control – Evaluating a transaction for quality (such as meeting compliance requirements) prior to the transaction being consummated or closed, such that errors made in the initial phases can be corrected prior to the point of no return. Compliance Monitoring – The process of evaluating reports, systems, analyses, customer complaint trending, or other information in order to determine strengths or weaknesses in the program/process. Audit – Independent review to ascertain the validity and reliability of information; also to provide an assessment of internal controls. – The goal of an audit is to express an opinion of the person / organization / system under evaluation based on work done on a test basis.

6 Risk Detection Activities Compliance Dept Activities Testing & Review Monitoring Activities Other Detective Controls Quality Control Audit Regulators Combined Activities Helps to Draw Conclusions about Overall Risk

7 Monitoring - characteristics – Ongoing and Regular – Typically dependent on business line reports – Results in self-detection of potential weaknesses or violations – Systemic weaknesses identified – Typically more frequent than audits

8 Monitoring Examples May take a variety of forms: • Periodic review or certification that duties were performed; • Review of regular system-generated exception reports; • Review of periodic ad hoc extract reports; • Review of consumer complaint trend data; • Review of reports of exam/review by Audit, investors, regulators, due diligence firms, etc.

9 Testing / Review - characteristics Ongoing Flexible Self-detection of potential weaknesses or violations Risk-based Quality Control – corrective actions

10 Testing – Examples May take the form of: • Review of transactional activity (think Reg CC Hold Notices or TILA Disclosures); or • Verification of data against source documents (think loan files against the HMDA LAR); • Review of employee regulatory knowledge through interviews. • Others?

11 Auditing - characteristics – Independent – More formal – Validates the effectiveness of your program – including your testing and monitoring – Internal or External – Often relies on Compliance Review results or compliance monitoring

12 Checking Techniques Scoping Sampling Rating Control Strength Documentation

13 Scope of Your Program • Monitoring and testing scope and frequency should consider the following: – Inherent Risk Rating – Volume (number or amounts of items) – Complexity of requirements: Number of endpoints, Difficulty of performance, Dependency on manual input or individual performance. – Historical reliability of control processes

14 Scope - continued Monitoring and testing scope and frequency should also consider internal / external events: – Change in law or regulations, – Reorganization (change in responsibilities), – Changes to process or system, – Turnover and key staffing changes, – New products, services, or jurisdictions. – Customer complaints

15 Sampling • The basic purpose of sampling is to enable the reviewer to draw an adequately reliable conclusion about a “universe.” • The universe from which the sample is chosen should have similar characteristics. • The sample should include an adequate number of transactions to which the requirement applies.

16 Sampling • The size of the sample depends on the complexity of the regulations involved, the bank’s circumstances and characteristics. • Must be large enough to determine the cause and extent of noncompliance. • Be prepared to expand sample if necessary.

17 Sampling - Judgmental • Involves an in-depth analysis of only a portion of the group and items are not selected randomly. • Using judgment and knowledge of policies, controls and systems, reviewers identify the areas of greatest exposure to select items for testing. • The time period selected for the sample must yield enough items to provide the reviewer a representative base for the product/process under review (otherwise will need to extend time period).

18 Sampling - Statistical • Every member of the universe should have an equal chance of being chosen. • The time period selected for the sample must yield enough items to provide the reviewer a representative base for the product/process under review (otherwise will need to extend time period).

19 Control Strength • Generally, internal controls with an exception rate of 5% or greater are considered ineffective. • However, the regulatory environment may dictate a lower, perhaps 0% tolerance – for example, matched pairs in fair lending testing. • Exceptions and root causes should be discussed with the business unit management.

20 Control Strength A Strong Control has less than a __ % error rate. An Adequate Control has between a __% and __% error rate. A Weak Control exceeds an error rate of __%. Other quantitative measures of control effectiveness?

21 Re-evaluate Control Strength

22 Supporting Documentation • Activities should be appropriately documented and the performance of the work adequately evidenced to facilitate third-party reviews by corporate compliance, internal/external audit, or regulatory examiners.

23 Corrective Action Plans Corrective Action Plan Elements – Develop Steps to Remedy the Issue – Assign Responsible Parties – Establish a Time Frame

24 Corrective Action Plans - Tracking Establish a Tracking System Elements to Include: – Executive Sponsor – Observations – Risk Ratings – Source of Issue – Target Date for Correction & Date of Completion Notification – Issue Date – Person Accountable for Execution – Action Steps – Comments – Target Date Revisions

25 Corrective Action Determination Determine Root Cause Remember the old rule of asking “why” of each successive answer until you know the true root cause: Is it a policy flaw? An execution blunder? A training mishap? A systems defect?

26 Reporting: Definition and Purpose – Reporting defined: The use of internally and/or externally generated data to provide ongoing, regular reporting to stakeholders on the state of the institution’s compliance program. – Risk management at each appropriate level – Required reporting to Regulatory Agency, Community Groups, Investors, etc. – Your company’s specific needs are paramount.

27 Reporting to the Board Describe the general regulatory environment: Recent fines and penalties imposed on other institutions. New or revised rules that will impact operations and risk. Also detail your compliance program: Exam, Audit, or compliance monitoring results Corrective actions taken New compliance initiatives Employee training Community Development Supplemental information they have requested.

