BOL Conferences
#6912 - 11/20/01 11:37 PM Audit/Compliance Reviews
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
I am trying to set up a realistic Audit/Compliance Review Program for next year. I did not do so hot in conducting all the reviews I said I would this past year (but keep in mind it was my first year).

Questions being how much time do you allow for your compliance reviews? 12 months to cover all the regs at least once? 18 months? What time frame is reasonable?

Also if you conduct Safety & Soundness Audits what time frame is reasonable? Again 12 months, 18 months?

We did a lot this year but I want a good plan for next year. One that is realistic but yet covers the risk areas. Any input on your coverage scope is greatly appreciated.

Also, when you conduct your compliance audit, do you cover every procedure that your regulator has listed? It seems too in-depth to get it all done.

Thanks so much for your input.

Requests and opinions are mine not my employer.


#6913 - 11/21/01 01:27 PM Re: Audit/Compliance Reviews
Eric Offline
Junior Member
Joined: Mar 2001
Posts: 28
Portland, Maine
Well, this is not real responsive to your question, but some thoughts nonetheless.

Relative to the compliance piece of your question, and aside from the required BSA audit, I think the approach to use is to use a risk-based approach looking at your business activities, rather than looking at it on a regulation-by-regulation basis. (Although some like OFAC, BSA, Privacy may be looked at globally.)

The reason I say this, is that I would assume the $$ you have to work with are limited. Therefore, you have to decide where resources are needed (i.e. which areas to review and how frequently) to mitigate the compliance risk and compliance costs for your company.

The way we plan our schedule is to look at each business line and the processes within the business line and the past internal and external audit results for the business line. Then, we ask ourselves how confident are we that no significant compliance issues exist. That confidence level then drives our list of testing priorities and the scope of the review. We then begin work on a schedule based on our approved staff levels. Then, when we find that there is more work to do than staff we have, we need to re-think our plan to hit the higher risk areas. Then, I have a plan of what we can do, along with an assessment of the risks we may have by not testing certain areas. Management can then decide whether the testing plan is adequate or whether staffing adjustments or priority adjustments should be made.

As a result of this process, we find that there are some areas tested monthly, and some that are done every two years.


#6914 - 11/21/01 03:56 PM Re: Audit/Compliance Reviews
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,754
On the Net
Eric has provided good advice. Your business, your products and your customers will dictate the areas of risk you have.

Your audit calendar will then reflect those risks in the frequency of things you review. And while you may review new RE loans for flood checks quarterly, you may also review flood coverage on applicable loans semi-annually or annually.

I have a calendar that you can customize available on my Web site under Compliance Management Tools. It may give you some ideas and help formulate what gets looked at, how often and when. It will require your customization if you want to use it, but I find the schedule helpful since I can set completion deadlines and allow for vacation and conference time in those dates.

Remember to add in some time for new hot-topics. Every time Lucy comes out with a new list of what's hot, I go back to my calendar to make sure I don't add to the statistics.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#6915 - 11/21/01 04:18 PM Re: Audit/Compliance Reviews
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Thank you both so much. Your replies give me a good direction. I can see a lot of thought has to be given to the planning and process. I also appreciate your calendar Andy. I will adjust and use it.

Thanks again.

Opinions are mine not my employer.


#6916 - 11/22/01 05:26 AM Re: Audit/Compliance Reviews
Anonymous
Unregistered

Maria, another idea that I use is the self-assessment.

I have a self-assessment schedule for the year and have responsible area managers review areas for compliance either quarterly or semi-annually or annually depending on the reg and our internal exposure. I then use the self-assessments to help me tweak my audit program.

From a compliance perspective, I can't get to everything every year. When I do audit an area, I pull their self-assessment, retest some of that work to help limit the scope of the review. If I can rely on management to do competent self-assessments, then I get more compliance audit coverage, because I spend less time in the areas, but get more areas done.

The audit schedule is risk ranked based on various items, including self-assessment results.

My bank uses the carrot and stick approach: if management's upfront with an issue in the self-assessment and is working on getting it fixed, it probably won't end up as a significant audit finding (some regs excepted) when audit comes in to audit. However, if management is not upfront and the audit identifies areas that the self-assessment should have uncovered, the findings become significant because management wasn't addressing the issues.

The self-assessment process is part of my Compliance Program that the Audit Committee approves.

The audit schedule gets risk ranked over a 24 month period. We outsource our internal audit work so that I prepare a budget with total number of hours that I want to audit that year. We contract to get those audits done during the year, and I hold the vendor's feet to the fire to make sure that I get the audits scheduled completed.


#6917 - 11/21/01 09:32 PM Re: Audit/Compliance Reviews
Jan94 Offline
Platinum Poster
Joined: Mar 2001
Posts: 828
USA
Andy - is there a way to get just the audit calendar from your website? I don't have the ability to open up a zip file on our computer, unless there's another way to do this. Thanks.

#6918 - 11/21/01 09:43 PM Re: Audit/Compliance Reviews
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,754
On the Net
Sure. I'll get you a copy in e-mail.

I have considered making these zipped files self-extracting. That way, no unzipper would be necessary. I am surprised to see the number of folks who don't have anything to unzip files.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

#6919 - 11/21/01 09:47 PM Re: Audit/Compliance Reviews
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
Andy,
Me too please! I went in and printed it all and tried to download but I can't unzip it either. Sorry!

#6920 - 11/21/01 10:23 PM Re: Audit/Compliance Reviews
MRJ Offline
100 Club
Joined: Jun 2001
Posts: 174
For those that do not have an "unzipper" here is a link to some freeware.
www.stuffit.com/expander/winindex.html

_________________________
This is not a legal opinion or that of my employer.

#6921 - 11/26/01 04:53 AM Re: Audit/Compliance Reviews
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,754
On the Net
The Audit Calendar is now in an executable format. Once downloaded and opened, it is a self-contained decompression program that will leave you with an Excel file.
http://www.vvm.com/~zavoina/cmpl.html

Enjoy.

I hope everyone had a good Thanksgiving and is looking forward to a joyful, secure and violation free remainder of the year.

------------------
Andy Zavoina
Opinions stated are not necessarily that of my employer.

#6922 - 11/26/01 04:58 AM Re: Audit/Compliance Reviews
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,754
On the Net
Oops. Forgot to mention that I also added Reg. C and its Commentary to the PDA Regs page.

That was upon request since HMDA is quickly approaching. I did not do the "Getting it Right" booklet since it would be a lot more work and may have a short life since it is due for some changes.

If desired, get the PDA Acrobat Reader and the PDF file for the booklet.
