Game plan for a winning audit

Are your compliance best practices in shape? From internal to external auditing, managerial oversight and proper assessment prep, these expert tips can help community banks prepare for audit season.

By Mary Thorson Wright


A winning compliance audit comprises the team, the gear and practice, practice, practice. How’s your season looking? Who are your key players? What will your game plan be?

Building an audit A-team

The team is the backbone of audit success, and it starts at the top. A community bank’s compliance management system (CMS) should begin with board (or a designated committee) and management oversight, including due diligence and direction of external providers.

One primary responsibility of the board is to identify consumer compliance issues and take corrective action when needed. The board may choose to accomplish that using organic resources like internal auditors and the compliance officer (CO) or choose to outsource to a third party. The board must also provide resources to support the audit function consistent with the community bank’s size, complexity and risk profile.

Bank management is charged with implementing the directives of the board. The CO is a key player and should be the compliance team manager. While the CO may be more or less “hands on” depending on the size and structure of the bank, they should ensure that the bank adheres to governmental regulations and laws, work with upper management and frontline staff to ensure that the policies and procedures are upheld, and monitor compliance support programs, including compliance audits and corrective action, to ensure program adequacy.

The CO should perform or oversee routine compliance monitoring and periodic reviews to identify and correct CMS weaknesses early. Issues should be reported to the board soon after discovery and corrective actions discussed and implemented.

Staying compliant inside and out

While monitoring and periodic reviews are typically performed at the CO or department management levels, audits should also be performed to ensure independence from business and compliance functions.

Bank auditors, whether internal or external, are responsible for performing objective, independent and reliable assessments of the effectiveness of a community bank’s risk management activities, its compliance with applicable regulations and its internal control environment.

The internal auditor generally takes responsibility for the bank’s audit project management activities, as well as planning, developing and scoping the audit test plan. An internal auditor may also contribute expertise and advice to the board on engaging and utilizing external auditors, scoping the external audit plan, and preparing for and managing the external audit.

External auditors are a valuable tool for providing adequate oversight of internal controls and practices. They can elevate the independence of the audit process and bring specific skill sets to the table that the bank cannot support organically. Still, it is incumbent on the board to ensure the scope and depth of any external auditor engagements fit the needs of the bank, are comprehensive in coverage, and can address areas of concern for current requirements and those that are applicable in the foreseeable future.

Internal auditors, COs and external auditors have a broad selection of gear to accomplish the compliance audit process. Certainly, the results, corrective actions and follow-up reviews of past audits and compliance reviews play a critical role, much like reviewing the “game film” following a challenging competition. A community bank’s documented risk assessment of its products and services is also a valuable tool for vetting and prioritizing the timing, scope and depth of the audit process. Standardized worksheets and audit procedures can be developed organically or purchased from a commercial source, and they should mirror those employed during regulatory examinations of the same areas.

The bank should ensure coverage of all areas consistent with regulatory requirements and its own internal controls and procedures.

‘Square one’ auditing

Rhonda Thomas-Whitley, ICBA vice president and regulatory counsel, advises that community banks should carefully consider the comprehensiveness of workpapers employed in compliance audits.

“The content of worksheets can include ‘check the box’ queries and responses,” she says. “However, it is important to expand the process beyond box checking to tell a better story about the procedures and results; numbers, timeframes and scope of sampled documents and files; applicable governing rules; and the proposed corrective measures that may be required.”

Every successful team studies an opponent and prepares for the likely “moves” it may employ. For the most part, compliance requirements are known and communicated well. Still, some moving parts, emerging from shifting regulatory emphasis or from developing requirements, may require extra attention.

From the headlines and sources like the agenda of the U.S. House of Representatives Financial Services Committee, there are developing issues of fair lending, diversity and inclusion in financial services, home appraisal bias investigations, consumer complaints about mortgage servicing, overdraft procedures and fees, and the review and revision of flood insurance.

Thomas-Whitley supports a “from square one” approach to compliance audit prep. “Banks can benefit from a heightened, holistic review of disclosures, notices and fees across products and services,” she says. “It should include checks for accuracy and completeness and to ensure policies, procedures and actual practices are aligned to mitigate violations and examination findings, and the perception of UDAAP violations.”


Mary Thorson Wright is a writer in Virginia.