Garland Group Blog

Archive for October, 2009

Continuous Compliance FAQs

Heath October 29th, 2009 0 Comments

Thanks to a successful launch and well-developed program, we now have eight Continuous Compliance clients and several more pending approval from Audit Committees.  When I am explaining our new service to clients and their committees, I hear the same questions regularly.

1)  How much more does this cost? SAME PRICE. Our Continuous Compliance process is just a methodology change.  We are able to keep the process the same cost by proactively addressing risk in Technology Committee Meetings, reviewing low-risk areas less often than annually, and regularly following up on findings (this process usually takes up quite a bit of time during a one-week engagement).

2)  Why do you want to be in on Technology Committee meetings?  We would like to participate in these meetings to know what is happening within the environment and proactively address potential risk areas.  For example, if you are going to roll out remote deposit for commercial customers, we can be sure a risk assessment has been conducted, policies approved, etc. before they become ‘findings’.

3)  What do the examiners think about Continuous Compliance?  I’ve spoken with several examiners and a couple of them actually prefer this process to what we currently do.  They always add the disclaimer that as long as everything that needs to be reviewed annually is done, they are fine with it.  That is why we will always do the Information Security section and ensure your policy/procedures are approved annually.

4)  What about reports?  Two things here. First, we’ll be using RiskKey to manage this process, so all of our reports will come out of it, and we will provide regular reports out of RiskKey to discuss in Technology or Audit Committees.  Next, since we are regularly interacting with clients, all you need to do is let us know you would like some formal reports for examiners and we can put together the most up-to-date reports, so if you have addressed risk areas recently, they won’t show up as risk areas in those reports.

5)  How did you develop the Technology Audit Schedule?  We risk rated the sections based on our last full-week type of audit.  This is where we currently see your risk structure.  We also base it on industry trends and the overall risk structure of the section for all financial institutions.  If you think it is different, then let us know.  The timelines to complete audits are negotiable, but risk ratings are not.  For example, we have one client that wants their Website audited annually, even though we said it was low risk, which means it only needs to be reviewed every 18 months. No problem!  We’ll also review sections that have major updates or conversions, so if you change wire systems, we’ll do a wire audit after conversion.

Those are the questions I answer most frequently, but let us know if you have any more.  We’re here to help!

ABA Commends the FTC for efforts to protect consumers

The Community October 27th, 2009 0 Comments

The ABA commends the FTC for its continuing efforts to protect consumers from unscrupulous debt relief service providers through enforcement actions, consumer education initiatives, and the proposed amendment of the TSR.  The ABA supports the FTC’s proposed application of its targeted TSR authority to regulate the for-profit debt settlement industry.
http://bit.ly/1CfrHd

Posted via email

Gartner: Loosen up on social networks, security | Deep Tech – CNET News

Brad October 26th, 2009 3 Comments

ORLANDO, Fla.–OK, IT managers, it’s time to loosen up.

That’s how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn’t block social networking and that security shouldn’t completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can’t.

[Photo: Carol Rozwell, a Gartner vice president. Credit: Stephen Shankland/CNET]

“Banning access to social media from the corporate network is futile,” said Carol Rozwell, a Gartner vice president. “The world we live in is digitally enabled and socially connected.”

What do you think? Can these social networks/tools be controlled or are they the newest form of communication in business?

Comments on CNET fall back to the traditional ‘You go to work to work.’ debate. Let us hear from you! How do you want to work?


Bernanke urges Congress to overhaul financial regulatory system

The Community October 23rd, 2009 2 Comments

Federal Reserve Chairman Ben Bernanke prodded Congress Friday to enact legislation overhauling the nation's financial regulatory system to prevent a repeat of the banking and credit debacles that had thrust the country into crisis.
http://bit.ly/wwJh5