Situation: Our Audit Comm members are asking that we summarize and prioritize the most critical issues of our Risk Assessment and present them to the Audit Committe instead of presenting the full Risk Assessment for review and approval. I've reviewed our internal Audit Comm policy and there is a general statement that "the committee shall review the Bank's risk assessments". Our Audit Comm charter states that : a matrix will be used to manage and report ...and be presented to the audit committe". The Interagency Policy doesnt address this. My question: is it acceptable to change the policy and charter and present just a summary of the critical items instead?

First of all, the Board should not approve the risk assessment; it is provided to them for their information so that they can know what the organization's BSA and OFAC risks are. Insofar as to the level of detail, you can summarize when it is being presented but in my opinion the complete R/A should also be provided and be in the Board package.