Hello, I am a compliance auditor for a larger FI ($36B), and we currently write narratives for our adequacy testing for compliance audits. The narratives are essentially a high-level overview of the numerous processes within the business unit and the key controls. Several of our loan audit universes are large and all encompassing end-to-end (pre-qualification to servicing and collections) so the narratives get very lengthy and essentially just end up being a very high-level paragraph or a few paragraphs describing certain processes in procedures and a brief one or two sentence mention of the key controls. These can easily be very lengthy because there is so much to cover in a large compliance-heavy consumer-purpose loan audit. We are exploring ideas on how we could more effectively conduct our adequacy testing for all types of audits (compliance, financial, IT, and operational) but specifically compliance-related audits as the current narrative method does not dive deep enough on each process to truly determine if the process is adequate or not.
How do other larger banks conduct their adequacy testing? Do you utilize narratives? If so, please describe how you complete a narrative (high-level) if it's different than our approach. If you utilize more of an adequacy workpaper with certain audit steps vs a narrative of processes, please also describe this.
Thank you for your help in advance!