Some Items to Consider for Your Audit Scope, January 18, 2017



As you prepare your annual audit schedule, a task that can often seem mundane, there are significant opportunities to take charge and “change the game”. The schedule is often set by focusing on the number of audits that must be completed within the year. The bulk of the planning attention goes to the task of scheduling the audits in a manner that is least disruptive. There is often little attention paid to the construction of the components of the audit scope. Consider building the scope of the audits around the results of your risk assessment and you can greatly enhance the effectiveness of the audit reports.

The Standard Menu

Outsourced internal audit firms design the scopes for the audits that they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff. This practice allows the firms to bring a wealth of experience and important information from outside of the financial institutions that they are reviewing. When your audit firm presents you with the scope that they propose, it is based upon completely external actors and considerations. This is not a criticism of the firm; it is a standard practice. However, setting the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together. After all, who knows the strengths and weaknesses of your institution better than the management? To get the biggest bang for your buck, why not tie the audit scope into the results of your risk assessment?

The Risk Assessment and the Internal Audit

An effective risk assessment of your compliance program can be an excellent source document for various things, including budgeting requests for additional resources and scoping of audits. Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address risk, and a determination of the residual risk. The process is intended to be one of self-reflection and consideration of the areas of potential weakness. For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit. Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope. One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls. For example, in your risk assessment, you may have noted a large number of errors in disclosures for new accounts. This should be a focus for the internal auditors when the compliance audit is performed.

Root Causes

An area that is often overlooked in audits is a discussion of the root causes for findings. For every violation or problem noted during an examination or audit, there is a reason the violation occurred. Ineffective training, incomplete written procedures, poor communication or incompetence are all possible causes of a finding. Getting feedback from the auditors on the root cause of a problem allows the remediation to be most effective. One of the main reasons for repeat findings is ineffective remediation.

Future or Strategic Risks

The environment for banking is going through significant change as fintech companies have begun to make inroads into the financial markets. Financial institutions should consider whether their current systems, business plans and infrastructure are well positioned to meet the annual goals. External audit firms can be a very good source of information for industry trends and ideas. Building a consideration of both future and strategic risks into the scope of the audit can yield significant benefits.

Self-Policing and the New Compliance Ratings

One of the main reasons to expand the scope of your audits is to take advantage of the new compliance ratings system that takes effect in March of 2017. The new ratings will consider the Board and management oversight, strength of the compliance program as well as the potential for consumer harm. These new ratings will put an increased premium on an institution's ability to self-police potential violations. The ability of a financial institution to identify problems, determine the root cause and remediate the problem will have a large impact on the overall rating of the institution. By setting the scope of your audits to help self-police, your institution can take full advantage of the new ratings system.

