We have examiners scheduled for next month, and it is also time for me to do the 2002 - 2003 audit schedule. I have not switched to risk-based auditing but want to do so with this next audit cycle - especially since we are usually behind in our schedule.

How much detail do the examiners (ours are OCC) want to see in deciding which functional or audit areas are high, medium or low? Right now I don't have anything documented but have reasons why I have classified each area (transacton volume, high $ area, various risk of loss involved, etc.). Do the assessments need to be written? If so, is there a certain format I need to use?

Love this new Audit Board!!

This is just a personal opinion, but I would not rush into trying to do a "formal" risk assessment to adjust your audit schedule before they come since their exam is so close. Since you appear to have mentally risk assessed your audit schedule, I would document what you could or at least your methology to give the examiners and let them know you are working on a "formal" assessment. I would even ask them what they would like to see.

Again, this is what I would do, but it may not necessarily be the "right" thing.

Opinions are mine not my employer.

We discussed this the last time the OCC was here and I really got no guidance. It was "that is your bank's decision as to what is high risk and what is not". And while I understand that, it seems we get so much detailed guidance on everything else that they should give a little more help than a few paragraphs on risk-based auditing.

I think I will just wait and show them what I have and my reasoning behind my classifications and see what they say.

The OCC in their 2001 examination recommended that I review all the audits and perform audits that are lowest risk on an 18 month or 24 month cycle rather than trying to do every audit once a year. I have a risk assessment model which identifies thirteen areas for each audit and we rate them high, middle or low risk. Then we come up with an arithmetic average and give the audit an overall rating. This system seems to have worked in the past quite nicely and we have a form which we document in our workpapers to support the risk ratings. Of 46 audits on our schedule I was able to schedule out 7 on the 18 to 24 month schedule. I would be happy to share a copy of our risk assessment form with you if you would send me an e-mail at sriley@fnbl.com Thanks.

Donna, One thing to look at is your past internal/external audit reports as well as examinations. Where were the major deficiencies? Were they responded to in a timely manner? Any particular area that seems especially slow or reluctant to take corrective actions? I like to look at risk on the basis of where the institution has committed large amounts of resources (like dollar exposure, but also employees, and things of that nature). Also, the three components of risk (probability, severity, and frequency) can be explored as well. If you use the 9 areas of risk identified by the OCC, you could document your assessment with respect to those 9 areas.

Opinions expressed are my own and do not necessarily reflect those of my employer.