Skip to content
GeoDataVision
Thread Options
#1910000 - 03/31/14 04:15 PM Risk-Weighted Compliance Audit Findings
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
Does anyone risk-weight compliance audit findings for management such as High, Medium, Low? I don't mean grading the audit overall, but each exception that you find as a result of the review? I'm looking at incorporating such a process, but I'm having trouble determining what critera to use to weight the risk.

Return to Top
Audit
#1910007 - 03/31/14 04:28 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,912
Galveston, TX
I found that if you do that, anything rated low will never be fixed.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1910009 - 03/31/14 04:30 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,403
We rate every exception as high, moderate or low.

Return to Top
#1910011 - 03/31/14 04:32 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
That's a concern that I have, too, RL. In trying to categorize exceptions as "High", or "Medium", I feel I'm hitting my head against a wall. The only thing I can consider is if I risk weight according to quantity or errors, or based on civil money penalties.

Return to Top
#1910012 - 03/31/14 04:33 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
osucpa, did you have a program that assisted with that process, or did you manually determine how you would rate your exceptions?
Last edited by leobsayer; 03/31/14 04:34 PM. Reason: punctuation
Return to Top
#1910019 - 03/31/14 04:45 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,403
We do this manually. For instance, let's take a mortgage loan and a particular disclosure is missing from a loan file. We may rate this exception as either low or moderate. If we look at 10 loans and 8 of them are missing this disclosure, we could have a systemic issue and the exception would be rated high. It also helps the audit committee in identifying issues.

Return to Top
#1910020 - 03/31/14 04:45 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,912
Galveston, TX
If you are dealing with true violations of law or regulation, there is no such thing as low, medium, or high. That would be like telling your child, it's OK to steal a candy bar at the 7-11, but for god's sake don't rob a bank.

In my reports within the executive summary, I handle it just like the regulators. For those issues that have the most significant risks, I classify them as needing immediate management attention and leave it at that. You never see a regulator rate individual exceptions. Why should you internally?
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1910025 - 03/31/14 04:54 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
Leo, I think sometimes it can be only one error but still be a high risk...if it demonstrates that a control is missing/compromised.

I use high/medium/low, too. And Randy, above, is right.

Up until now, I have used my own judgment to decide where my findings landed, but no more. This year, I have been requested to quantify. Should be fun.

Return to Top
#1910026 - 03/31/14 04:55 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,403
That's the way we have choosen to identify exceptions and never had an issue with it. Examiners have reviewed every one of my reports and never made a comment about it.

Return to Top
#1910030 - 03/31/14 05:02 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,912
Galveston, TX
Examiners have reviewed every one of my reports and never made a comment about it.

Why would they? They only care about the identification of weaknesses in internal controls and their correction.

I have seen banks spend months and months of time, meetings, memos, etc., regarding the development of these type of individual audit findings ratings and then sat through hours of debate over whether or not this or that findings was rated appropriately. All it did was change the focus from fixing or developing an appropriate internal control into a argument about needless semantics.

If you want to assign overall audit ratings - great. Rating individual findings however is counter productive in almost every instance.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1910032 - 03/31/14 05:05 PM Re: Risk-Weighted Compliance Audit Findings osucpa
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
They commented on mine....and now I have to quantify! smile

I used my system like they use theirs, I thought .... a high risk is one that needs management's attention right now. A medium risk is one that management needs to fix soon. Go ahead, take a quarter.

But, I it's the only thing I had to fix, so I'll do it and move on. Just hate getting locked into a certain number of errors, etc.

I don't rank the entire audit though, but I think "they" were wanting me to.

Return to Top
#1910036 - 03/31/14 05:14 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,403
Clearly, there is more than one way to rate an audit exception and an audit. You have to do what works best for you and your readers (audit committee).

Return to Top
#1910121 - 03/31/14 07:25 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
happyauditor Offline
Platinum Poster
happyauditor
Joined: Nov 2004
Posts: 809
NY
Regulators (mainly pushed by FRB with OCC "agreeing" since it was a joint exam of the internal audit department)recently are requiring us to risk rate all findings (not just compliance findings) individually on the audit reports. Prior to that they required us to risk rate them on our finding documentation in the workpapers and also on our issue tracking sheets for internal use and that go to the Audit Committee and Board. Every year they need to add some other "requirement" that is not a true "requirement".

We are approaching the methodology similar to osucpa and Cornfed Turtle's methodology. No hard measures/rules, our judgement comes into play. We take into consideration if it was an isolated incidence (would be rated low)or systemic issue (would be rated high), or something in between (would be rated moderate). We just started putting this in practice for 2014.

Next I anticipate the examiners questioning why we rated something moderate as compared to high. It never ends.
_________________________
* My opinion is not necessarily that of my employer.

Return to Top
#1910164 - 03/31/14 08:10 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,912
Galveston, TX
What a waste of time. You are correct. Give them time and they will make something else up.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1910190 - 03/31/14 08:33 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
happyauditor Offline
Platinum Poster
happyauditor
Joined: Nov 2004
Posts: 809
NY
I agree 100% rlcarey!
_________________________
* My opinion is not necessarily that of my employer.

Return to Top
#1911148 - 04/03/14 02:10 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
Amandak Offline
Member
Joined: Jul 2013
Posts: 80
Wisconsin
Here is how I risk rate findings in my audits. With each finding management needs to make a response. If it is a best practice they can choose to fix it or accept the risk. If they accept the risk then I do not write it up again until I feel the risk is to great to let it go unchanged.

Critical - A result will be rated as critical if it appears to be a singular or multiple occurrences of noncompliance with a significant provision of a rule, regulation, regulatory expectation, or internal policy. A result will also be rated critical if it is a situation that could lead to financial liability, customer service concern, regulatory concern, or significant loss of revenue or reputation.

Repeat - A result will be rated as repeat if it was noted in this report and was noted in prior reports or regulatory examinations.

Systemic - A result will be rated systemic to reflect multiple instances of noncompliance with noncritical laws, regulations, regulatory guidelines, regulatory expectations, internal policies and procedures, or system design issues. These do not reflect a significant risk of financial liability, customer service concern, regulatory concern or a significant loss of revenue or reputation.

Isolated or Technical - A result will be rated isolated to reflect limited instances of noncompliance with noncritical laws, regulations, regulatory guidelines, regulatory expectations, or internal policies and procedures. These do not reflect a significant risk of financial liability, customer service concern, regulatory concern, or a significant loss of revenue or reputation.

Best Practice - A result will be rated as best practice if it would be a prudent practice or is considered an industry best practice, would augment existing controls, or would enhance operations, security, productivity, or customer service.

Return to Top
#1912553 - 04/08/14 01:46 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
Philly Fan Offline
Junior Member
Philly Fan
Joined: Nov 2011
Posts: 30
OHIO, USA
We risk rate all of our issues, as either priority 1,2, or 3. We consider evey true violation as a P1 and issues that could lead to violations as either P2 or P1 depending on the law and how it applies to us.

Return to Top

Moderator:  Andy_Z