I am new to the internal audit/risk management function.

Would anyone care to share their Audit Program and Audit Scope with me?

rlane@firstokmulgee.com

Also, any tips or resources for training?

RL:

I think you will find that all of our audit programs and scopes are different. My scope even varies year-to-year.

We could send them to you, but I think you would be overwhelmed by the variances.

My suggestion (and this is just the turtle talkin') is to start with listing all of the functions of your bank....commercial lending, consumer lending, account opening....all of them! Figure out who is in charge of each process. Usually the VP that manages the work is better than the SVP in charge of the entire area. Some people will be on the list a number of times. Risk rate the whole process. Look at where you have risk, what controls (think policies, segregation, reports to managers, forms, signatures) you have in place to mitigate that risk and how well they work. Consider change in the staff performing the duties, training, new procedures or software and how material the function is the overall success of the bank. Rank your functional areas from riskiest and least risky and start auditing!

The first year I started at my current bank, I couldn't believe what our riskiest area turned out to be. Our external auditors (who review our risk assessment) thought the process was flawed, too. But not, so.... we really did have some risk in that area. Like I said at the start.... I think it really is bank-dependent. And even then, each risk assessment is a snapshot of risk at that moment.

Setting the scope basically works the same way. I get management participation, too. They do the risk assessment and, trust me, they know what keeps them up at night.

Resources? I'm an IIA member and I belong to the financial services group of that association. They have books, webinars, local meetings, national conferences, certifications, etc.

Hope at least some of this very long post is helpful.

Oh...and I almost forgot to welcome you to BOL!!! Welcome!

Turtle:

Thank you very much! I found your post to be very helpful. It calms me to know I have already taken some of these steps in the right direction. I think my largest hurdle will be making all of this sound good on paper as I have to present the entire 2015 Audit Program and Scope to the Audit Committee next month. Yikes!

I'll look into IIA some more.

Thanks Again!

YIKES! Next month?

Yell out if you need any more advice, help or just moral support.

And, when all else fails, add some color to the spreadsheets!

Most Internal Audit functions break their audits down by risk. As always, wire transfers generally are a high risk function. Don't forget about your ACH audit which needs to be performed.

If you have other questions send me a pm.

Thanks for the support! I'm wondering how I'm going to get the employees to see I am the good guy because I am helping the bank. Management is helping. I'm avoiding the word "audit" like the plague. I call it "assessing risk" or "reviewing controls." Any tricks?

I like your advice on adding color! I will do that!

osucpa:

I think I'm going to suggest that the wire department require wire transfer agreements on file for all repeat wire customers. The OCC seems to like that suggestion but from what I've seen, it's not required. What is your experience with that? Also, do ACH (payroll origination) customers need to have some sort of agreement on file with us?

Yes on repetitive wire agreements and most definitely yes on ACH origination agreements. (Will you be doing the ACH audit, by the way?)

As for tricks....I've always come to the managers pre-audit, with "What can I look at for you?" Most of them want to know that everything's working but don't have the time or tools to check. Continually reinforce that we are all on the same team....I'm here to find it before "they" do. I've had very little trouble with being the bad guy. But then I don't just come in with a checklist and start hitting staff with violations. I ask questions about why we do what we do rather than just check the "no" box. (Hope this rambling is making sense!)

That said, some of that is my approach and, I think, a lot of it is management. My Board here treats audit like part of the support team ... like IT or facilities or HR. All here to support the rest of the staff. They all know that the BOD isn't just looking at a findings count.

I believe I will be executing the ACH audit. Is it normally part of an IT audit or something else?

I like your approach. I will incorporate your ideas!

Thanks again!

ACH will hit your exam under IT, but there is a required ACH audit from NACHA. Currently, we do the ACH audit in house. Our external IT auditor always requests a copy as part of the IT audit. Based on your risk, you may need to audit other controls around ACH, too. We get our ACH risk assessment to the IT auditor as well and let him set scope from there.

NACHA sells an audit program that is relatively inexpensive. It's step by step and easy to follow. Satisfies the NACHA requirements. Has to be completed by YE.

Turtle:

Thank you! It will be completed by year end. I think you are exactly right, I will audit from a control standpoint. I will look into what I need to report to satisfy NACHA. I'll be sure to get a copy to the IT auditors.

I'm thankful for your input!