#1332304 - 01/27/10 08:32 PM Audit Plan
Banker Offline
100 Club
Joined: Oct 2007
Posts: 128
Southeastern US
I am completing my risk assessment and audit plan for 2010. I know that there are certain items that are required to be audited internally every year no matter what the risk assessment states. I want to make sure that I am not missing anything as far as REQUIRED audits to be performed EVERY year. The following is what I think must be audited:
-Wire Transfers
Am I missing anything?

#1339193 - 02/06/10 12:07 AM Re: Audit Plan Banker
Doug Thompson Offline
New Poster
Joined: Oct 2009
Posts: 18
We audit the following annually regardless of the risk assessment results.

Loans (all areas including the allowance for loan losses)
BSA/CIP/Patriot Act
Compliance (Deposits, Lending, Operations)
Interest Rate Risk
Accounting and Reporting (including investments, capital, accounting and correspondent bank accounts)
Information Technology/Security/GLBA
Information Technology Vulnerability Assessment
Branch Operations

#1341724 - 02/11/10 02:55 PM Re: Audit Plan Doug Thompson
Banker Offline
100 Club
Joined: Oct 2007
Posts: 128
Southeastern US
Does anyone know which ones are REQUIRED to be audited annually? We are trying to keep costs down this year in these tough economic times. In our discussions with the audit committee of the audit plan this year, we will be weighing risk and cost. Can anyone help me with the ones that we MUST have audited no matter what the risk? For example, I have been told that Regulation W must be audited annually--is this a true statement? Help!

#1341735 - 02/11/10 03:06 PM Re: Audit Plan Banker
Ready to Retire Offline
Diamond Poster
Joined: Aug 2005
Posts: 2,313
Living in the land of Oz
BSA and ACH are two that are required annually. There are probably more.

#1345523 - 02/18/10 06:47 PM Re: Audit Plan Ready to Retire
DerrickAuditor Offline
Joined: Mar 2008
Posts: 91
To the best of my knowledge, only the following MUST be audited (internally or externally) annually regardless of your risk assessments:

BSA (per regulation)
ACH (required by NACHA)
GLBA (expectation of our FDIC examiners)
Flood (per our FDIC examiner because of civil monetary penalties)
Trust (if Trust assets under management are significant - ours are)
Transfer Agent (required by SEC if you are publicly traded)
HIPAA (if your health insurance plan is self-insured/funded)

Not required, but you might be questioned for not annually auditing:
Allowance for loan losses / Loan Review function
IT areas
Reg O

Also, if your external auditors rely on your audit work, they may increase your external audit fees if you stop performing certain audits as they will have to increase their work load. Which audits they "require" is between you and them.

Finally, you need to consider expectations of the Board's Audit Committee. As an example, ours expect me to audit HR/Payroll and expense reports annually regardless of risk assessments.

#1345529 - 02/18/10 06:50 PM Re: Audit Plan DerrickAuditor
Kathleen O. Blanchard Offline

10K Club
Joined: Dec 2000
Posts: 21,277
Actually, BSA is not required to be audited annually. The time period is based upon the risk assessment, although annual tends to be the norm (I know one high risk entity that audits twice a year). From the FFIEC manual:

Independent Testing

Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank.
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy


Moderator:  Andy_Z