IMO Compliance regulations should be included in the audit universe and subject to audit. We outsource our audit function and they have not included any compliance audits in their audit plan. The answer I received, "Compliance performs monitoring reviews based on their regulator's exam program. We don't need to perform compliance audits because we're relying on your monitoring program." Am I missing something? I would think compliance would be part of any bank audit plan. Thoughts?

Seems like your IA doesn't know what they are talking about. Basically, they refuse to audit your bank's AML program because they solely rely on your internal procedures? This is a recipe to disaster... One of the four pillars of BSA is having an independent audit to test your bank's overall AML Compliance program. You may be better off by finding a competent IA.

Agree with Aqua

At our institution, Compliance does some monitoring, but we still have our Internal Audit department conduct Compliance audits.

In some situations, if a bank has an extensive compliance monitoring process, the audit will audit that process and do validation testing to ensure that it is a good process and can be relied upon. It won't repeat the same level of testing but the audit still occurs.

In other cases, with a less formal monitoring program, there will be full audits of the regulations.

I don't see where AML was referenced in the original post.

KB, referenced or not, AML is inclusive of the overall banking Compliance. Bottom line - an independent audit/testing MUST be performed across the entire compliance program at least on an annual basis.

Probably not something that needs to be explained to KB as she does this for a living

Thanks to everyone for their responses. Just an note, our compliance monitoring process is not extensive. I would not feel comfortable having an auditor rely on the testing as we can never cover everything that should to be covered.

I mentioned it because everyone went off on a tangent about AML and that is not usually part of a bank's "compliance monitoring program" which focuses on testing loans and deposits for the "usual" regs like B, Z, etc.

Then in this case, yes you need compliance audits!

The examiners include AML with their S&S exams, not compliance.

In my last exam which was our first with the OCC, the person handling the compliance part of the exam covered BSA/AML.

Yes, I usually had a compliance examiner (a very experienced one) conduct the BSA exam. It was never the lending or finance safety and soundness folks. It was reported as part of safety and soundness, however.

Sorry - I didn't mean to imply it was a lending or finance S&S examiner; only that the BSA examiners have always been onsite with those examiners (not with the "traditional" compliance ones), and as you mention, include BSA in that report.

As I have tried, unsuccessfully, to implement, I think compliance monitoring is first done at the department level- they need to be responsible for ensuring their staff is following compliance rules and usually do so using checklists, etc. Then compliance spot checks the process and checklists. Additional compliance monitoring by compliance would be checking after a software upgrade or shortly after a new regulation is implemented. My monitoring is NOT fully based on the examiner's audit but rather on the key points of the regulation where the bank would be likely to make a mistake. Internal audit then does the full examiner's audit.

While this all makes sense to me, it can't be documented neatly into a "schedule" or reported in a consistent format like an audit can, so I get stuck doing the examiner's audit. Even commercial monitoring programs you can buy are just the regulator's audit broken down into pieces.

Am I the one off base here? What good does it do to check a box saying "Yes, we don't discriminate" if you aren't digging deeper into HOW you don't discriminate???

In years past we also did not have any compliance auditing being done (except for BSA). Our internal auditor did a review of the compliance monitoring program at a very high level. More recently we had an external firm come in and perform a full compliance audit of all applicable regulations. This gave the new internal auditor a starting point to move forward. Our internal auditor now audits compliance with regulations. It starts by identifying which onces must be audited annually (BSA, Safe Act etc...) followed by a risk analysis and incorporating into the overall annual audit plan. The compliance audits do place some reliance on the compliance departments monitoring program and testing results.