It is that time of year when I am conducting a risk assessment and planning a year of audits. I feel like I audit the same areas each year even thought some of them are not "high" risk. Would anyone be willing to share the areas they audit that are not high risk I may want to consider incorporating in place of those I did last year?

I will pm me your email.

www.ficsas.com

FI Compliance is a BOL Sponsor!!! Check out GRC Pro....It is a great tool for creating a frequecy and scope model for your audit program. I should know because I was an auditor for the FRB for 22 years!


GRC Pro benefits Internal Auditing in many areas; below highlights some of the most beneficial to auditing:
Planning
Background: The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals. The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels or limits set by management for the different activities or parts of the organization.
Benefits: GRO Pro provides the risk framework based upon safety and soundness standards internal audit would need to create a risk based audit plan. GRC Pro identifies gaps in the system of internal control and measures the associated risk exposure in terms of severity and probability.
Policies and Procedures
Background: The chief audit executive must establish policies and procedures to guide the internal audit activity. The form and content of policies and procedures are dependent upon the size and structure of the internal audit activity and the complexity of its work.
Benefits: GRC Pro will identify safety and soundness gaps in the Audit Policy. This occurs in both the “Collection” and “Evaluation” assessment phases where the audit policy would be mapped to various safety and soundness standards and associated risks; and, the evaluation for operational effectiveness. Examiners scrutinize all policies especially the Audit Policy for safety and soundness attributes.



Reporting to Senior Management and the Board
Background: The chief audit executive must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.
Benefits: GRC Pro allows internal audit access to a robust number of reports on demand that focuses on both assessment and remediation activities at a detail or summary level. Auditing can chose various reports and automatically package them in a comprehensive report that would reflect GRC Pro, internal audit and examinations findings. GRC Pro allows for external findings to be added to the remediation process.
Governance
Background: The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
 Promoting appropriate ethics and values within the organization;
 Ensuring effective organizational performance management and accountability;
 Communicating risk and control information to appropriate areas of the organization; and
 Coordinating the activities of and communicating information among the board, external and internal auditors, and management.
Benefits: GRC Pro establishes a Governance program based upon the safety and soundness standards that promote ethics, performance, and communication.


Risk Management
Background: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
• Organizational objectives support and align with the organization's mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization's risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
Benefits: GRC Pro’s Enterprise Risk Management methodology is based upon COSO and provides internal audit the opportunity to review organizational objectives, identified risk that are measure in terms of severity and probability, the alignment of risk with the institution’s risk profile and a robust reporting capability.

Reference: (The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 1992 report “Internal Control – Integrated Framework” discusses control system structures and components. COSO is a voluntary private-sector organization, formed in 1985, dedicated to improving the quality of financial reporting through business ethics, effective internal control, and corporate governance.


System of Internal Control
Background: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Benefits: GRC Pro’s assessment and remediation methodology provides the board, management, internal audit and examiners with reasonable assurance that:

1. Institution operations are efficient and effective.
2. Recorded transactions are accurate.
3. Financial reporting is reliable.
4. Risk management systems are effective.
5. The institution complies with laws and regulations, internal policies, and internal procedures.

Planning Considerations
Background: In planning the engagement, internal auditors must consider:
• The objectives of the activity being reviewed and the means by which the activity controls its performance;
• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
• The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model; and
• The opportunities for making significant improvements to the activity's risk management and control processes.
Benefits: Through GRC Pro’s reports internal auditing can at anytime view their institution’s risk profile based upon how well the institution has implemented the safety and soundness standards; and, the effectiveness of the institution’s system of internal control.
• GRC Pro helps internal auditing conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives reflect the results of management’s self-assessment.
• GRC Pro helps internal auditors consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives through the review of reports reflecting management’s self-assessment.
• GRC Pro in its design evaluation requires Policy Owners (management) to provide adequate rationale to support their evaluation of controls. This helps internal auditors ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished.
Identifying Information
Background: Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Reliable information is the best attainable information through the use of appropriate engagement techniques. Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement. Useful information helps the organization meet its goals.
Benefits: GRC Pro provides a wealth of information that has been reviewed and validated by FI Compliance Solutions’ Implementation and Advisory staff. The 3rd Party review encompasses the following:
• Policy Collection
o Review Policy Common Elements Results
o Review for Invalid Associations Results

• Policy Design Evaluation

o Review for Design Conclusion Results
o Identify design conclusions that were insufficiently and inappropriately documented by the PO.

Monitoring Progress
The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.
Benefits: GRC Pro provides remediation reporting that gives internal auditing a systematic way to follow-up and monitor findings to ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.