I need help understanding the difference between a "compliance monitoring program" and "internal audit". We are a $350M institution; 13 locations. I am compliance officer but also run the Operations department (good integration, actually). We have a new internal auditor who is very well versed / trained in regulatory compliance (consumer compliance) requirements.

I am struggling with what should comprise a compliance monitoring program versus what should just be covered in risk based scheduled audits of various compliance areas.

Thoughts or help?

One scenario: Internal audit independently audits procedures, practices, etc. at an in depth level...with samples, write ups, etc. Time consuming. Compliance is copied on the reports to learn about possible problems,i.e. hold practices don't follow regs. Compliance would then follow up with dept, have extra training etc. etc. Compliance may also be in charge of a program but where responsibility is assigned to various other peeps who will provide reports, etc. to Compliance. Compliance does no actual testing a la audit, except when a new reg is issued and Compliance should then check to make sure all the elements needed are, in fact, in play.Compliance is the big picture. Audit tests Compliance's programs, procedures, etc.

I like that a lot and was really the direction I would like to go. Do you have a sense of how common this sort of practice is for an institution our size? Thinking I might need a little support for that approach. Anyone out there do it this way? If so, please state your asset size / # branches. I appreciate whatever input I can get on this. Really don't want to duplicate efforts...

I've worked at banks of various sizes and used basically the same program. Compliance is separate from audit. When I worked for a smaller institution, I conducted my own monitoring. This is basically a spot check of transactions, review of policy, and training records. I would then know where to concentrate my training efforts. Sometimes when you work on correcting a problem found in the internal audit or by the regulatory exam, the staff loses focus on other areas and they begin to decline in quality. Determine your bank's areas of highest risk - where you've had the most problems and spot check those transactions to see if you need to conduct additional training. spot check everything annually - high risk areas quarterly. I report our monitoring/training efforts to the audit committee of the BOD.

Walden -

When you worked at the smaller institutions, two questions:

1 - how big is "smaller"
2 - was there a separate internal audit function (internal or outsourced) or was your monitoring essentially the audits for compliance?

Appreciate the input.

Smaller was $100 million. There was a separate internal audit function. Monitoring can also be given to the Deposit Operations supervisor and the Loan Operations supervisor to review transactions.

Thanks!