The document discusses the continuous program cycle for internal audit and monitoring compliance programs. It describes designing, implementing, checking, correcting, and reporting as the ongoing cycle. Key aspects discussed include establishing an annual monitoring plan, defining monitoring, testing, quality control and auditing. The presentation provides guidance on sampling techniques, rating control strength, documentation, corrective action plans, and reporting findings.

1. Washington Bankers Association
Executive Development Program
Audit and Compliance
Internal Audit and Monitoring:
The Continuous Program Cycle
Presenter:
David McCrea
U.S. Program Manager
Global Regulatory Compliance Team
Infosys Limited

2. The Continuous Program Cycle
Designing
Implementing
&
Checking
Correcting
&
Reporting

3. Testing Your Controls
Use your Risk Assessment as the foundation
of your monitoring program.
• You have documented the controls to test
and can validate the control strength
ratings
• You know where your highest risks are so
you can prioritize your program.

4. Establishing Your Checking Plan
• You should set an annual monitoring / testing
plan with a goal of validating the effectiveness of
key controls at least annually.
– Riskier controls should be evaluated more frequently
– Validate stronger controls are working as planned
– Plan to test adequate and weak controls more vigorously

5. Definitions
• Quality Control – Evaluating a transaction for quality
(such as meeting compliance requirements) prior to
the transaction being consummated or closed, such
that errors made in the initial phases can be
corrected prior to the point of no return.
• Compliance Monitoring – The process of evaluating
reports, systems, analyses, customer complaint
trending, or other information in order to determine
strengths or weaknesses in the program/process.
• Audit – Independent review to ascertain the validity
and reliability of information; also to provide an
assessment of internal controls.
– The goal of an audit is to express an opinion of the person /
organization / system under evaluation based on work
done on a test basis.

6. Risk Detection Activities
Compliance
Dept Activities
Testing & Review
Monitoring
Activities
Other Detective
Controls
Quality Control
Audit
Regulators
Combined Activities Helps to Draw Conclusions about Overall Risk

7. Monitoring - characteristics
–Ongoing and Regular
–Typically dependent on business line
reports
–Results in self-detection of potential
weaknesses or violations
–Systemic weaknesses identified
–Typically more frequent than audits

8. Monitoring Examples
May take a variety of forms:
 Periodic review or certification that duties were
performed;
 Review of regular system-generated exception
reports;
 Review of periodic ad hoc extract reports;
 Review of consumer complaint trend data;
 Review of reports of exam/review by Audit,
investors, regulators, due diligence firms, etc.

9. Testing / Review - characteristics
• Ongoing
• Flexible
• Self-detection of potential
weaknesses or violations
• Risk-based
• Quality Control – corrective
actions

10. Testing – Examples
May take the form of:
 Review of transactional activity (think Reg
CC Hold Notices or TILA Disclosures); or
 Verification of data against source
documents (think loan files against the
HMDA LAR);
 Review of employee regulatory knowledge
through interviews.
 Others?

11. Auditing - characteristics
–Independent
–More formal
–Validates the effectiveness of your
program – including your testing and
monitoring
–Internal or External
–Often relies on Compliance Review results
or compliance monitoring

12. Checking Techniques
• Scoping
• Sampling
• Rating Control Strength
• Documentation

13. Scope of Your Program
 Monitoring and testing scope and frequency
should consider the following:
– Inherent Risk Rating
– Volume (number or amounts of items)
– Complexity of requirements:
• Number of endpoints,
• Difficulty of performance,
• Dependency on manual input or individual
performance.
– Historical reliability of control processes

14. Scope - continued
Monitoring and testing scope and frequency
should also consider internal / external
events:
– Change in law or regulations,
– Reorganization (change in responsibilities),
– Changes to process or system,
– Turnover and key staffing changes,
– New products, services, or jurisdictions.
– Customer complaints

15. Sampling
 The basic purpose of sampling is to enable
the reviewer to draw an adequately reliable
conclusion about a “universe.”
 The universe from which the sample is
chosen should have similar characteristics
 The sample should include an adequate
number of transactions to which the
requirement applies.

16.  The size of the sample depends on the
complexity of the regulations involved, the
bank’s circumstances and characteristics.
 Must be large enough to determine the
cause and extent of noncompliance.
 Be prepared to expand sample if
necessary.
Sampling

17. Sampling - Judgmental
 Involves an in-depth analysis of only a portion of the
group and items are not selected randomly.
 Using judgment and knowledge of policies, controls
and systems, reviewers identify the areas of greatest
exposure to select items for testing.
 The time period selected for the sample must yield
enough items to provide the reviewer a
representative base for the product/process under
review (otherwise will need to extend time period).

18. Sampling-Statistical
 Every member of the universe should
have an equal chance of being chosen.
 The time period selected for the sample
must yield enough items to provide the
reviewer a representative base for the
product/process under review
(otherwise will need to extend time
period).

19. Control Strength
 Generally, internal controls with an exception rate of
5% or greater are typically considered ineffective.
However, the regulatory environment may dictate
a lower, perhaps 0% tolerance – for example,
matched pairs in fair lending testing.
 Exceptions and root causes should be discussed with
the business unit management.

20. Control Strength
A Strong Control has less than a __ % error rate.
An Adequate Control has between a __% and __%
error rate.
A Weak Control exceeds an error rate of __%.
Other quantitative measures of control
effectiveness?

21. Re-evaluate Control Strength
Control Effectiveness Rating
Strong Adequate Weak
High Moderate Moderate High
Moderate Low Moderate Moderate
Inherent
Risk
Rating
Low Low Low Low
Residual Risk Rating

22. Supporting Documentation
 Activities should be appropriately
documented and the performance of the
work adequately evidenced to facilitate
third-party reviews by corporate
compliance, internal/external audit, or
regulatory examiners.

23. Corrective Action Plans
• Corrective Action Plan Elements
– Develop Steps to Remedy the Issue
– Assign Responsible Parties
– Establish a Time Frame

24. Corrective Action Plans - Tracking
Establish a Tracking System
Elements to Include:
– Executive Sponsor
– Observations
– Risk Ratings
– Source of Issue
– Target Date for Correction & Date of Completion Notification
– Issue Date
– Person Accountable for Execution
– Action Steps
– Comments
– Target Date Revisions

25. Corrective Action Determination
• Determine Root Cause
• Remember the old rule of asking “why” of
each successive answer until you know the
true root cause:
Is it a policy flaw?
An execution blunder?
A training mishap?
A systems defect?

26. Reporting: Definition and Purpose
– Reporting defined:
The use of internally and/or externally generated data
to provide ongoing, regular reporting to stakeholders
on the state of the institution’s compliance program.
– Risk management at each appropriate level
– Required reporting to Regulatory Agency,
Community Groups, Investors, etc.
– Your company’s specific needs are paramount.

27. Reporting to the Board
Describe the general regulatory environment:
• Recent fines and penalties imposed on other
institutions.
• New or revised rules that will impact operations
and risk.
Also detail your compliance program:
• Exam , Audit , or compliance monitoring results
• Corrective actions taken
• New compliance initiatives
• Employee training
• Community Development
• Supplemental information they have requested.