Does anyone set up their compliance audit schedule on a 18 month cycle, rather than 12 months? Are there any areas that required an annual audit? I know ACH audit is required to be completed December 31st, of each year, are there any others? An 18 month audit cycle may allow us to stay on track with our audit cycle better, as we often fall behind with the 12 month audit cycle (as there is too much to do/audit and never enough time to get it all done). Curious what others do. Thanks.

IMHO, the best thing you can do is to take a risk based approach. When I have done compliance reviews as a third party consultant, I've found that a 2 year cycle works best logistically - I really believe in keeping things simple. Within the two year cycle, I've set up quarterly reviews, while some areas are reviewed multiple times during the two-year cycle and others are only reviewed once. For example, you could review TRID in Q1 of each year and then do a full loan file review (which includes TRID) in Q3 of each year, meaning that TRID is reviewed every 6 months. Other areas (maybe flood, Reg CC holds, and EFT disputes) could be reviewed once a year, while the lowest-risk items (think disclosures that shouldn't change or low-risk areas) could be reviewed every other year. I've tried 18 month and 36 month cycles, and just found that 24 months seems to be the easiest logistically, at least for me. Then, once the two years is up, you can make minor adjustments based on risk and reuse the same schedule.

As far as specific frequency requirements for compliance audits, the SAFE Act, ACH, and BSA are the only ones that come to mind having specific requirements. Everything else should be able to be risk-based.

My audit schedule varies based on the risk rating of the area. I risk rate areas low, moderate, and high. High risk audits are completed every 12-18, but the low and moderate rated audits are 36 or 24 months. We're an OCC bank and when the exam cycle expanded from 12 to 18 months we took a lot of our high risk audits to 18 months too. Our 12 month audits are Trust (annual audit required), Network Security, ACH, BSA (can go up to 18), Flood, SAFE Act (annual audit required), Wires, and HMDA.

Other an the annual required audits, we use a risk based approach. A number of factors go into the risk based approach.

The audit schedule for my bank was just changed to more risk base and based off of an 18 month schedule. The audits that are every year on ours is Trust, ACH, BSA, Flood Disaster Protection Act, SAFE Act, Wires, Network Security, Commercial Loan Review and HMDA. We also integrated our monitoring schedule in with the audit schedule so half way between the audits the area is getting looked at again. The high risk areas are every 12-18 months, moderate risk every 24 months and low risk every 36 months. This helps since our exam schedule is every 18 months, our audit schedule should be based off of it too.