Financial institutions have for years been required to have an annual audit performed for many areas of the bank. Wouldn’t it be nice to get away from the peaks and valleys of annual audits and examinations and transition to a means of conducting continuous reviews?
Here at The Garland Group, we have had a lot of discussions recently about this topic for annual technology audits, and we believe we can move down that path for the future. We all agree it will take technology and a cultural change at the institution to really make this work. We also agree that if financial institutions don’t find ways to improve compliance processes, their labor and/or outside audit costs will continue to rise.
The first step in transitioning to a continuous compliance model for any area of the institution is a shift in mindset (aka education) from doing reviews once a year to doing them on a set schedule. The institution will need to think carefully about how it uses its risk assessment, and use that process to drive the schedule: each area’s risk rating determines how often it is reviewed, and alerts go out when a review comes due. Obviously, your internal and/or external auditors will need to be in the loop to help decide on the schedule, and they will need to perform some or all of the reviews themselves. This risk assessment methodology, combined with a strict audit scope, will force compliance: either the review is completed on schedule, or the process automatically reports to the audit committee that it was not done. This allows your experts to focus on the areas of highest risk and perhaps even review those areas more frequently.
A good example of this is user profile reviews on your core system. We ALWAYS review this during our annual review, but normally provide a recommendation to review them at least semi-annually for a small institution and quarterly for a larger institution. What if we had this scope set up on a continuous compliance model? When the review comes due, an alert is sent to someone to run the user report and place it in an area where an independent person can review it and provide recommendations based on current data, rather than on data that is up to a year old.
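To make the mechanics concrete, here is an added example (not tooling from The Garland Group, and not anything the post itself shows) of what the scheduling and review logic behind such a model can look like. It assumes a small set of constructed controls, a cadence table keyed by risk tier and institution size that mirrors the semi-annual/quarterly recommendation above, and two constructed core-system user reports. The `schedule` function produces the alerts to owners and the overdue escalations for the audit committee; `diff_user_report` compares the current user report against the snapshot the independent reviewer last signed off, so the reviewer can focus on what changed (new accounts, removed accounts, and role changes) instead of re-reading the whole list.

```python
"""Continuous-compliance scheduler and user profile review diff.

Added illustration only. Control names, risk tiers, cadence values, dates and
user records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Review cadence in days, keyed by (risk tier, institution size). Assumed values:
# high-risk areas follow the semi-annual (small) / quarterly (large) guidance.
CADENCE_DAYS = {
    ("high", "small"): 182, ("high", "large"): 91,
    ("medium", "small"): 365, ("medium", "large"): 182,
    ("low", "small"): 365, ("low", "large"): 365,
}


@dataclass
class Control:
    name: str
    risk_tier: str                  # taken from the institution's risk assessment
    owner: str                      # person alerted to produce the evidence
    reviewer: str                   # independent person who reviews it
    last_completed: Optional[date]  # None means the review has never been done


def next_due(control: Control, size: str) -> Optional[date]:
    """Due date derived from the risk tier; None if the control was never reviewed."""
    if control.last_completed is None:
        return None
    return control.last_completed + timedelta(days=CADENCE_DAYS[(control.risk_tier, size)])


def schedule(controls: List[Control], size: str, today: date,
             warn_days: int = 14) -> Tuple[List[dict], List[dict]]:
    """Return (alerts, escalations).

    alerts: reviews due within warn_days, to be sent to the control owner.
    escalations: reviews that are overdue or never done, reported to the audit
    committee automatically rather than waiting for the next annual audit.
    """
    alerts, escalations = [], []
    for c in controls:
        due = next_due(c, size)
        if due is None:
            escalations.append({"control": c.name, "due": None, "days_overdue": None})
        elif due < today:
            escalations.append({"control": c.name, "due": due,
                                "days_overdue": (today - due).days})
        elif due <= today + timedelta(days=warn_days):
            alerts.append({"control": c.name, "owner": c.owner,
                           "reviewer": c.reviewer, "due": due})
    return alerts, escalations


def diff_user_report(previous: List[dict], current: List[dict]) -> Dict[str, list]:
    """Compare the current core-system user report with the last reviewed snapshot.

    Records are matched on user_id; any change in the remaining fields (role,
    status, etc.) is reported as 'changed' for the independent reviewer.
    """
    prev = {u["user_id"]: u for u in previous}
    curr = {u["user_id"]: u for u in current}
    return {
        "added": sorted(set(curr) - set(prev)),
        "removed": sorted(set(prev) - set(curr)),
        "changed": sorted(uid for uid in set(prev) & set(curr) if prev[uid] != curr[uid]),
    }


# Constructed sample data for a larger institution as of 2024-06-30.
SAMPLE_CONTROLS = [
    Control("Core user profile review", "high", "it_ops", "internal_audit", date(2024, 3, 15)),
    Control("Firewall rule review", "medium", "network_admin", "isO", date(2024, 1, 10)),
    Control("Vendor management review", "low", "compliance", "audit_committee", None),
    Control("Backup restore test", "low", "it_ops", "internal_audit", date(2024, 5, 1)),
]
LAST_REVIEWED_USERS = [
    {"user_id": "jdoe", "role": "teller", "status": "active"},
    {"user_id": "asmith", "role": "loan_officer", "status": "active"},
    {"user_id": "tmp_vendor", "role": "admin", "status": "active"},
]
CURRENT_USERS = [
    {"user_id": "jdoe", "role": "teller", "status": "active"},
    {"user_id": "asmith", "role": "admin", "status": "active"},   # privilege change
    {"user_id": "bnew", "role": "teller", "status": "active"},    # new account
]


def run_sample() -> dict:
    """Run the scheduler and the user report diff over the constructed data."""
    alerts, escalations = schedule(SAMPLE_CONTROLS, "large", date(2024, 6, 30))
    return {
        "alerts": alerts,
        "escalations": escalations,
        "user_diff": diff_user_report(LAST_REVIEWED_USERS, CURRENT_USERS),
    }


if __name__ == "__main__":
    for section, rows in run_sample().items():
        print(section, rows)
```

In the sample run the quarterly core user profile review is 16 days overdue and the never-performed vendor review both land in the audit committee escalation list, the firewall review (due 10 July) goes out as an alert, and the user diff surfaces the new account, the removed vendor account, and the teller-to-admin role change for the independent reviewer.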
I think we should all begin thinking about how we can make the transition to “Continuous Compliance.”