Let’s say a team of BSA internal auditors come in and audit your Bank. At the conclusion of the audit, an internal audit report is issued to the Bank’s audit committee with a recommendation for changes to the BSA policy. Management indicates in their response to the audit report that they agree with the recommended changes and will update the policy accordingly.
Now come the questions..
I have seen the answers on this topic go both ways. It has always been my personal opinion that if auditors and/or regulators make recommendations to revise a particular policy it would be in the best interest of the Bank to implement such revisions as soon as possible and submit to the Board for approval. I am sure that your Bank has a tracking mechanism in place to track audit recommendations from both internal auditors and regulators (either electronically or by way of excel spreadsheet) which details the issue, the recommendation, management’s response, the responsible person, and a target date for completion. And I suppose that the audit committee is responsible for reviewing this tracking report on a regular basis and ensuring that the recommendations are implemented by the target dates. I also suppose, that the audit committee will be the ones to decide whether the target dates appear reasonable and to change the target dates as they see fit.
All this being said, when policy changes are required, do you implement immediately or do you wait for annual approval of the policy? What are your comments or opinions on this matter?
Senior Quality Control and Review Specialist
Sharon Geiger has 27 years banking experience, 21 of which have been involved in internal audit. She has extensive knowledge of all aspects of the banking industry, with a particular emphasis on regulatory compliance and identifying risks and controls. As QCR Specialist, she performs Quality Control Reviews to ensure all workpapers and reports are completed in compliance with the firm's standards.