Hello, I am a compliance auditor for a larger FI ($36B), and we currently write narratives for our adequacy testing for compliance audits. The narratives are essentially a high-level overview of the numerous processes within the business unit and the key controls. Several of our loan audit universes are large and all encompassing end-to-end (pre-qualification to servicing and collections) so the narratives get very lengthy and essentially just end up being a very high-level paragraph or a few paragraphs describing certain processes in procedures and a brief one or two sentence mention of the key controls. These can easily be very lengthy because there is so much to cover in a large compliance-heavy consumer-purpose loan audit. We are exploring ideas on how we could more effectively conduct our adequacy testing for all types of audits (compliance, financial, IT, and operational) but specifically compliance-related audits as the current narrative method does not dive deep enough on each process to truly determine if the process is adequate or not.

How do other larger banks conduct their adequacy testing? Do you utilize narratives? If so, please describe how you complete a narrative (high-level) if it's different than our approach. If you utilize more of an adequacy workpaper with certain audit steps vs a narrative of processes, please also describe this.

Thank you for your help in advance!

We are a $3 billion FI. For our operational type audits and compliance audits, we start with risk rating the various components of the process we are auditing using a Risk Control Matrix (RCM). For any processes that get rated moderate or high, we know we will need to perform transactional testwork. For the low risk we might just perform a walk through or narrative depending on the process. If a department/business unit has good procedures, we rely on them as our narrative and/or walkthrough. If they do not have good procedures, then we will perform a narrative and/or walkthrough. Management stresses to the various departments/business units their procedures must be kept current. Therefore, we do not want to reinvent the wheel. If we can take the procedures and perform a walkthrough of the process then we are good. If we cannot rely on the procedures, then we generally have to perform transactional testwork to get comfortable with the process.

I am a compliance auditor for an institution about the size of yours. We have a compliance audit universe, each year we complete risk assessments within IA by regulation and by process/product. We take these results and risk rate each area and make our audit schedule based on risk. Low risk regs/process are every three years, medium every other and high is annual. Are you only using narratives or are you completing transaction testing as well? I don't think you can say a process is adequate by just looking at its design. In each of our audits we conclude on both the design and effectiveness of the controls in scope.