BOL Conferences
#304347 - 01/14/05 08:51 PM Risk Acceptance Procedures
Anonymous
Unregistered

Does anyone have any risk acceptance procedures from their audit manual that they would be willing to share? I am simply looking for a starting place for the process that ensures the Audit Committee approves mgt's decision to accept the risk of not correcting an audit finding. Thanks!

#304348 - 01/14/05 10:36 PM Re: Risk Acceptance Procedures
LSmith Offline
Platinum Poster
LSmith
Joined: Dec 2002
Posts: 703
I am not sure what you are asking, but we have what we call a "Poll Sheet" that we send to loan committee members who approve a loan over a certain $ amount. In this poll sheet the lender will stipulate any exceptions or waivers from loan policy, and if approved by the loan committee they sign off on this sheet. This sheet is attached to the loan file and is reported to the board. PM me if you want a copy of this sheet; otherwise, I am not sure I understand what you are asking for.

#304349 - 01/18/05 02:48 PM Re: Risk Acceptance Procedures
Anonymous
Unregistered

huh? I don't think that is a starting place for me...but thank you for trying to help...Anyone else?

#304350 - 01/18/05 02:58 PM Re: Risk Acceptance Procedures
Kathleen O. Blanchard Offline

10K Club
Kathleen O. Blanchard
Joined: Dec 2000
Posts: 21,293
Management should either demonstrate that the risk is not material - you would need a materiality standard - so they don't see the need to mitigate it or detail the mitigating factors that lessen that risk and allow them to accept it. If SOX applies, you can't just "accept it".
_________________________
Kathleen O. Blanchard, CRCM "Kaybee"
HMDA/CRA Training/Consulting/Mapping
The HMDA Academy
www.kaybeescomplianceinsights.com

#304351 - 01/19/05 09:18 PM Re: Risk Acceptance Procedures
Anonymous
Unregistered

Our procedure is similar. All highly critical, critical and less critical findings require corrective action or risk acceptance. The most minor comments (observations) do not require an action plan.

Line management may decide to accept the risk by providing executive management and the risk/audit committees with appropriate reasons. These can include their own view of materiality, cost/benefit, and budgetary constraints. If a risk is accepted, an annual re-evaluation of this decision is required since conditions, cost/benefit etc. can change over time. The risk/audit committee reviews acceptances and obviously has the final word.

A form documenting all of this information as well as line management and executive management approval is completed with supporting documentation and is available for regulatory and audit review.

#304352 - 01/26/05 10:05 AM Re: Risk Acceptance Procedures
Anonymous
Unregistered

Hi,

We concentrate on identifying 'residual risk' - the risk that remains after measures to correct risk have been put into place. You can do this with a simple tabular approach.

See for example "A Practical Guide to Managing Information Security", Steve Purser, Artech House.

#304353 - 01/27/05 07:03 PM Re: Risk Acceptance Procedures
Anonymous
Unregistered

I have an Audit Tracking Sheet I maintain for all audit findings. In the event management decides to accept the risk and not implement my recommendations, that is indicated on my Tracking Sheet. I ask management to provide me with documentation supporting their view. At the Audit Committee meeting we review findings on my sheet specifically the ones without resolution. If the A/C agrees with management, the item is closed. If the A/C disagrees, management is "forced", if you will, to implement the recommendation from I/A and the A/C.

Hope this helps.
