I used to be my bank’s internal auditor and compliance officer. I am switching over to straight compliance and we are considering outsourcing our internal audit function.

Here’s my question. If you outsource your internal audit function, what do you do with those day to day issues that typically arise that as internal auditor would trigger me to go audit that area just to determine if there was a potential problem. For example, a large cash outage in a branch or a general ledger account out of balance condition that cannot easily be explained.

I was hired as Compliance Manager in my current position, but I used to be in the same position you were - with both compliance and audit responsibilities. My current bank outsources internal audit, and I'm the director of that.

Those day to day things that come up are handled by line management. It's our contention that the problem is in their area, and they are responsible for resolving the issue. I do still get called on to help out if they just run out of alternatives, however. We also have a clause in our contract with the outsourced auditors that allows us to call on them if the situation warrants.

It might be pretty tough to make that change, however, if everyone is used to just calling you and letting you take care of it. I'd be interested to hear if anyone has had to deal with that!

I also perform both functions. I do the compliance function and manage the outsourced i/a. I manage the i/a like staff and I go to the AC to present findings and perform follow-up for outstanding i/a issues.

We actually got through the whole audit schedule in 2001 much to the delight of our AC. We have blended approach when dealing with i/a spot jobs. I usually work with the line management to determine what is truly needed and then we make a decision on which is the best group to perform the function (line unit, me, or i/a).

One caution, don't be tempted to limit you i/a budget to just audit hours. Last year I realized that I needed some fudge hours in there to deal with things special projects and re-audits for less than satisfactory i/a's.

The outsourced company should commit to getting the complete audit schedule completed, so the hours you get currently with a "staff" where you can assign on an "as needed basis" aren't there unless you budget for them.

This was the part that was the "hard sell" to management and the AC. They figured that we knew what our i/a's were and good estimate on hours, so why did I need "extra" hours.

Good Luck.

lglover has hit on an important point that applies to both audit and compliance. Many, if not most, problems should be detected and resolved by line management. If line managers do not have the QC procedures in place, but instead rely on audit and compliance to clean up their mistakes, they are dumping line responsibilities into the back office. Obviously, line managers would love to spend someone else's budget fixing problems, but to fairly evaluate the performance of their business units you must make them absorb all of their operating costs.

Just curious how your day to day job duties have changed with the shift from auditor to compliance manager? Do I understand correctly that you no longer perform compliance audits, but those are done by a third party? Thanks.

It hasn't really changed. Our Compliance Program has a self-assessment component, I review all of the self-assessments for reasonableness and accuracy. Our i/a vendor, when they audit a line unit looks at compliance and also tests the accuracy of the self-assessments.

To help encourage honesty, a self-assessment compliance error, will probably not reach the audit committee depending on the severity of the error and if management and I agree on a work out a plan. However, compliance issues identified in i/a go to the audit committee and if the self-assessment was not candid, those findings go directly to high-risk and at a minimum an "needs to improve" audit rating regardless of how the rest of the i/a goes.

We don't do any SFR or consumer lending which helps, but in some other shops where I've been and run this program that did, management did the assessing and I did the reviewing. You get a lot more ownership for compliance issues, IMHO, if management is also responsible for monitoring.

That being said, I spend a lot of time working with management trying to set up systems that make compliance part of the process. I'd much rather spend my time setting something up right the first time than fixing it later.