If your bank is anything like ours, you have about 1 or 2 audits going on every single month. Some are large audits and some are small, but they generally seem to be continual. To name just a few, banks have operational, financial, regulatory compliance, information technology and a host of other audits every single year. Perhaps that is why PwC research finds 48% of stakeholders want the internal audit function to be a trusted advisor to the business.
If yours is like most banks, you have limited resources to devote to compliance monitoring and audits. One consideration may be to have both the compliance plan and the internal audit plan cover the same areas to the same degree. As long as compliance covers high-risk areas, internal audit might be able to simply review those results vs. recreating them.
This approach can save banks time and money. It also saves time for compliance and audit teams, as well as for the departments they examine. Without coordination, for example, your bank's compliance department might do a detailed testing of compliance in the first quarter. That brings an unavoidable amount of disruption. Then the same department might face yet more upheaval in the third quarter, when it's the subject of an internal audit. The same department is disrupted twice, productivity drops and value added is probably minimal.
When one department gets double attention, other areas may get none at all. If both compliance and internal audit decide that fair-lending compliance is a high-risk area, for instance, they may both investigate it while ignoring another area for an entire year.
Certainly, internal audit has to stay independent, as they scrutinize high-risk areas without regard to whether the compliance department is examining the same areas. However, internal audit can perform a high-level review of the compliance department's work, rather than reinvent that work.
An annual audit plan for the compliance department might begin with an audit of the management program as a whole, including the compliance monitoring program. That audit might determine the program's overall effectiveness and identify areas that need more attention in the detailed audit plan. Once internal audit is happy with the program, the audit plan might primarily target specific compliance risks and examine the entire compliance management program perhaps on a rotating basis.
The amount of coverage each business line or area of regulation gets depends on how effective the planning may be. Thinking about areas of risk first, targeting those the most and then rotating around others that might not be as risky is a good way to leverage resources in general.
Obviously another area of focus that is low hanging fruit revolves around prior issues from exams or other audits. Cleaning these up is critical to staying on top of changing regulations and it can also serve to highlight ongoing risks.
Finally, any good audit program should respond to both the timing and the intensity of monitoring efforts. Some audits can focus more on transactional testing and sampling, while others can go much deeper as needed (based on risk).
Leveraging your scarce resources as you monitor the impact of audit activities on various groups around the bank is very important to keep things balanced.
