Compliance audits in financial services: Techniques and tools for success
Compliance | September 11, 2024

In the ever-evolving financial services industry, compliance remains a cornerstone of integrity and trust. For internal auditors, auditing compliance is a crucial responsibility that ensures the organization adheres to laws, regulations, and internal policies. This task is particularly challenging given the dynamic regulatory environment, technological advancements, and increasing stakeholder and regulatory expectations. This article explores key aspects of auditing compliance in financial services, offering insights and best practices for internal auditors.

Regulatory vs. general compliance

Regulatory compliance refers to an organization's adherence to mandatory laws, regulations, and guidelines set by governmental or regulatory bodies specific to its industry, with non-compliance leading to legal penalties. In contrast, general compliance encompasses the adherence to internal policies, standards, and best practices aimed at ensuring ethical behavior, operational efficiency, and internal control, applicable across various industries and driven by the organization's values and strategic goals. While regulatory compliance is enforced by external entities, general compliance is monitored internally. The focus of this article will primarily be on regulatory compliance for the financial services industry in the US.

Understanding the regulatory compliance landscape

Regulatory agencies in financial services exist to ensure the safety, integrity, and stability of the financial system. They protect consumers from unfair and deceptive practices, enforce laws to prevent fraud and market manipulation, and ensure financial institutions operate soundly and transparently. These agencies also promote competition, combat money laundering and terrorism financing, and align domestic practices with international standards. By overseeing and enforcing regulations, they help maintain public confidence in the financial system and safeguard the broader economy from financial crises.

For further context and clarity, the chart below summarizes the regulatory agencies that oversee financial services in the U.S., along with their roles and functions:

Regulatory agencies that oversee financial services in the U.S.

| Agency | Role | Functions |
| --- | --- | --- |
| Federal Reserve System (FRB) | Central bank overseeing and regulating banks, maintaining financial stability. | Conducts monetary policy, supervises banks, maintains stability, provides financial services. |
| Office of the Comptroller of the Currency (OCC) | Charters, regulates, and supervises national banks and federal savings associations. | Ensures safe and sound operation, fair access to services, enforces anti-money laundering. |
| Federal Deposit Insurance Corporation (FDIC) | Insures deposits, supervises institutions for safety and soundness, manages receiverships. | Provides deposit insurance, supervises for consumer protection, manages bank failures. |
| Securities and Exchange Commission (SEC) | Regulates and enforces securities laws, oversees exchanges and brokers. | Oversees exchanges and firms, enforces market laws, ensures disclosure. |
| Consumer Financial Protection Bureau (CFPB) | Ensures fair treatment of consumers by financial institutions. | Enforces consumer financial laws, supervises companies, educates consumers. |
| Financial Industry Regulatory Authority (FINRA) | Self-regulatory organization overseeing brokerage firms and exchange markets. | Ensures fair broker-dealer operations, enforces ethical standards, provides dispute resolution. |
| National Credit Union Administration (NCUA) | Charters and supervises federal credit unions. | Ensures safety and soundness of credit unions, insures deposits, provides guidance. |
| Commodity Futures Trading Commission (CFTC) | Regulates U.S. derivatives markets, including futures and swaps. | Protects against fraud and manipulation in derivatives markets, ensures market integrity. |
| Department of the Treasury | Oversees the nation's economic and financial systems. | Manages federal finances, collects taxes, regulates national banks. |
| State Regulatory Agencies | Oversees state-chartered banks, credit unions, and other financial institutions within the state. | Enforces state banking laws, supervises state-chartered institutions, protects consumers. Can include state consumer privacy laws like California Consumer Protection Agency (CCPA). |


Auditing compliance

Performing audits on compliance in financial services requires a comprehensive and systematic approach to ensure that the organization adheres to regulatory requirements and internal policies. While general internal audit best practices apply (e.g., planning, risk assessment, testing, reporting, and follow-up), the following is a list of additional considerations:

  • Understanding the regulatory environment
    • Familiarize yourself with the scope of key regulations applicable to the financial institution such as the Dodd-Frank Act, Sarbanes-Oxley Act (SOX), Bank Secrecy Act (BSA), Anti-Money Laundering (AML) regulations, and other relevant local and international regulations. Consider the potential impact of non-compliance, including legal penalties, financial losses, and reputational damage.
    • Stay updated on any changes in regulations and emerging compliance trends. Consider having one or more subject matter experts (SMEs) on your internal audit team who focus on compliance.
    • Review relevant enforcement actions in the industry that may be applicable to the financial institution. This data can be indicative of key areas of regulatory focus.
  • Planning considerations
    • Review the organization’s compliance risk assessment as a reference point. Does it include all relevant risk areas?
    • Review the scope of monitoring and testing performed by the compliance function. Testing performed outside of internal audit may provide valuable insight into the effectiveness of internal controls and where to focus internal audit coverage.
    • Consider the timing of higher risk compliance internal audits against the organization’s regulatory audit schedule. Feedback from an internal audit can help an area improve prior to a regulatory examination.
    • Some compliance audits have a set cadence outlined by regulatory expectations or internal policy, which should be reflected in the overall audit plan. For instance, according to the NACHA Operating Rules, financial institutions, third-party service providers and third-party senders must complete an ACH audit annually by December 31st.
  • Conducting the audit
    • Ensure that the organization’s policies and procedures are up-to-date and align with regulatory requirements.
    • Perform detailed testing of compliance procedures to ensure they meet regulatory requirements.
    • Ensure that required reports are filed on time with regulatory authorities.
    • Remember that any compliance internal audits may be viewed and scrutinized by regulators for years to come. With this in mind, take extra care to ensure that audit workpapers and reporting are thoroughly reviewed and meet the highest quality standards.
    • Document findings, including any instances of non-compliance, control weaknesses, and areas for improvement.
    • Share the audit report with senior management, the compliance committee, and other relevant stakeholders. Ensure that findings are understood and that there is a commitment to addressing them.
    • Leverage technology, such as data analytics and audit management software, to improve audit efficiency and accuracy.
  • Ongoing
    • Monitor the implementation of audit recommendations to ensure that corrective actions are taken. Be sure to document monitoring and follow-up activities. Conduct follow-up testing as necessary to verify that issues have been resolved.
    • Keep abreast of changes in the regulatory environment and emerging compliance risks. Participate in relevant training and professional development opportunities. The regulatory bodies listed in this article all provide ongoing education including web-based content and webinars.
    • Consider having a compliance SME on your internal audit team who is able to provide updates on regulatory changes to the group.
    • Work productively with the organization’s compliance function to ensure alignment and cooperation. Share insights and best practices to strengthen the overall compliance framework.
    • Consider signing up for TeamMate’s Monthly Expert Insights to stay up to date on all things internal audit.

By following this approach, financial services auditors can effectively assess and enhance their organization’s compliance posture, help to ensure adherence to regulatory requirements, and mitigate compliance risks.

Conclusion

Auditing compliance is crucial because it provides an independent and objective evaluation of an organization’s adherence to regulatory requirements and internal policies, ensuring that controls are effective and risks are managed. This process not only supports the overall compliance framework by identifying and addressing gaps and weaknesses but also enhances the organization's credibility and trustworthiness. By systematically verifying compliance, audits help satisfy regulatory expectations, mitigate potential legal penalties, and protect the organization's reputation, ultimately contributing to long-term sustainability and success.

Sr. Director of Fintech Compliance
Dana Lawrence (CIA, CRMA, CFSA, CAMS, CRVPM, CCA) is the Sr. Director of Fintech Compliance at Pacific West Bank and Venture Partner at Purpose Built.