I am the internal auditor at a small community bank - 125M in assets. Our Bank Compliance Officer is leaving and our president is trying to determine if its feasible to somewhat combine the audit and compliance functions. We know independence would be an area of concern but were hoping we could come up with some ideas to "make it work". I was thinking the implementation of a Risk Manager type position to oversee - audit and compliance. That individual could manage audit schedules, perform some safety and soundness audits, perform compliance -self-checks, and assist with the management of the compliance program (policy and procedures, best practice tools, training etc.) through a compliance committee. Additional audits could be performed by operations and lending staff members and an external compliance audit would be scheduled annually. Does anyone think that could
work? (We are OCC regulated)
Thanks for any input!

We are OCC and we've had the position merged for several years. Both when we were the size you mention and after some M&A activity and we have grown to $400MM. Our department now includes 5.5 FTE and is jointly overseen by Risk Management Officer (me) focusing on credit quality and loan compliance and IA/CO who has 3 reporting directly to him/her.

It takes coordination and policy writing plus training (except for BSA and similar) is handled by department heads (all policies reviewed by IA/CO before approval). IA/CO performs S&S and compliance audits.

Feel free to PM for more info.

So you lose a compliance officer and want to replace it with a risk manager? I guess I am a little confused. What is the goal. Reduction in costs??? Compliance is an arm of management and audit is an arm of the board of directors. At your size and if you are growing, I think you are going backwards in trying to combine the function in any manner. Many institutions at your size might have them combined in some fashion, but if they are now separate - why go backwards?

With an RM to oversee both areas, you'd still want to have two areas. rlcarey said it the best above. Don't do your self the disservice of having to separate them later. This includes having to separate compliance from the loan officer that ran the slowest or someone else at your bank that mgmt. doesn't see as having a full slate. Does mgmt. not see compliance as a full-time job? I've seen that before, too.

If that's the issue, consider how much time the compliance officer will be spending on compliance and what he/she could do with the other hours in the week. But adding it to the auditor's list will cost you more time in trying to keep the areas independent.

Having a FT internal auditor at your size is impressive and shows a commitment from your BOD. Maybe you need to convince them of the value of a FT CO. After all, aren't you already FT in the audit world? Do you really have time to run compliance management in addition to your current duties? (I'm assuming you will have no new hire.)

My new posting at work.... "Compliance is an arm of mgmt.; Audit is an arm of the BOD." Love that.