You may not like risk — but as a financial institution, you’re in the business of assessing, assuming, managing and controlling it. And it comes in many different guises: interest rate and liquidity risk … credit risk … operational, legal, reputational and strategic risk. These risks don’t, of course, exist in silos; controlling one may aggravate another. You don’t just need expertise in one area or another. You need a firm that can help you navigate the full spectrum of risks and address them in a coordinated, disciplined and cost-effective manner.
Our Cost-Effective Enterprise Risk Assessment
At AuditOne, we’re in the business of helping you manage your risk. Our Enterprise Risk Assessment (ERA) can get you started. We analyze each functional area and use our proprietary risk-rating methodology to determine where and how your risk management and audit dollars can most effectively be deployed. We do this in a way that’s highly sensitive to the requirements and expectations of regulators – and to the fact that audit dollars are a scarce resource.
Our ERA format provides both inherent and residual risk ratings at a disaggregated level. For example, we don’t just look at Branch Operations, we drill down into all the major scope activities for an audit of that function (for example, new accounts, cash, security, safe deposit, etc.). This in-depth analysis allows us to provide recommendations not just as to what areas need auditing over the coming year but also the scope items that should be included. Our methodology a) risk-scores each area and activity, b) translates aggregate scores into risk ratings, and c) maps the rating to a recommended audit frequency based on our broad experience in the industry. Again, this is taken down to the level of the individual scope item within each audit. The ERA exercise is sensitive to opportunities to defer audits where feasible, or to trim their scope or otherwise economize. We recommend an ERA as an annual exercise – not only because the regulators have come to expect it, but more importantly because it allows banks to develop a risk-based internal audit plan that’s reflective of any internal and external changes impacting the organization and in which audit dollars are allocated to where they’re most needed.
Informative, Risk-Based Reporting Format
To assist the Audit Committee, our risk-based approach to internal audit extends to our audit report format, which provides more granular information on audit results. This increased granularity includes the Inherent Risk Ratings on all of the scope items for an audit, plus a four-point Audit Rating scale for each. This more granular reporting has applications that go beyond audit planning:
- Staffing and other resource allocation (e.g., “Needs Improvement” means more attention needs to be paid before next year’s audit)
- Internal best practices (based on any Strong ratings received)
- Performance appraisal (rating managers on their unit’s audit results and how they compare to prior year)
All of our reports begin with a) a determination of the status of corrective action taken on each individual finding in the most recent examination and internal audit reports for the area in question, and b) an assessment of the completeness and adequacy of the applicable policy and procedures documents. The body of the report contains, for each individual scope item, a statement as to the audit steps or tests, including any sampling parameters. We also clearly identify any applicable regulatory guidance used in formulating our audit program.
Finally, we provide Priority Ratings (High, Moderate or Low) on all findings to help the Audit Committee in assessing the importance of each finding and to focus its attention on the higher-priority findings. This prioritization of findings not only helps Committee members and senior management to monitor progress, but it is also the kind of prudent risk-management tool that regulators expect institutions to employ.
We encourage you to contact us to see a sample of our industry-leading audit reports.