Wipfli LLP - CPAs and Consultants
Affiliates Contact Us Careers Events About Wipfli
 
subscribe
Rate Content

 
View all Financial Institutions articles

Your Compliance Program: Assess, Then Test
September 01, 2006

This is the second in a three-part series on developing a comprehensive compliance program.

A financial institution is expected to have appropriate mechanisms in place for managing risks. To do so, an organization should first conduct a risk assessment, a fundamental step for creating an effective compliance program (part one of this series).

The assessment process gives an organization a clear picture of its risks. While it identifies high-risk products, procedures, services, and even customers, it doesn’t necessarily mean that an institution cannot take on such risks; it simply means that processes must be in place to mitigate and manage each identified risk.

So how does an organization know whether those processes are working effectively? It tests them.

Examine, analyze, evaluate

Testing is, in essence, a process to evaluate processes. The objective is to catch vulnerabilities and correct problems before they can become larger issues. It’s part of the compliance responsibility package, and regulators expect that institutions will have a vigorous testing system in place.

While a strong testing program is critical, it must also be appropriate to the financial institution. A good testing system will be fluid, allowing the organization to align and adjust resources to meet its changing needs and challenges.

Frequency of testing is also important, but it should likewise be determined by the organization’s particular needs, circumstances, and risks. An institution can determine the optimum frequency of testing by establishing a schedule or a “compliance calendar.”

A compliance calendar is a valuable tool that identifies what control elements the financial institution will test each month. Higher risk items as identified by the institution’s initial and recurring risk assessments should be targeted first. The institution can then change its calendar priorities to allow greater scrutiny on a more frequent basis for those issues that warrant it.

An Institution should test against its own policies as well as regulatory requirements. Work papers can act as roadmaps, guiding an organization through a checklist of requirements and ensuring that all the right factors are evaluated. Formatted reports also help to capture the necessary information and serve as a written record for action items.

Testing documents can be entirely developed by the institution, though many standardized work paper documents and forms exist and can be used as a reliable foundation for the institution’s testing process.

The results are in

Throughout testing, it is critical that an institution look for underlying causes of any items that fall below expectations. More often than not, an organization focuses on exception items by just addressing the symptoms and overlooking what might be deep-rooted causes. Unless the causes are remedied, exception items will continue to be problems.

Solutions for any exception items are typically provided to management, and tracking is put into place for continued follow-up. A report on the overall testing results should then be shared with senior management and the institution’s audit committee.

By and large, the journey to more favorable exam reports begin with institutions finding problems themselves through testing and correcting them well before exam time.