Pub. 9 2014-2015 Issue 2

www.nebankers.org 28 Extraordinary Service for Extraordinary Members. When life happens. You want to protect her from bullies and scraped knees, from hurts large and small. Although you can’t always stop bad things from happening, we can help you prevent some, and make others all better. We’ll be there when life happens. For all of life’s boo-boos. nebraskablue.com 800.991.5642 BlueCrossandBlueShieldofNebraska isan independent licenseeof theBlueCrossandBlueShieldAssociation. assessed within the context of the controls and systems put into place in conjunctionwith the product. Manage- ment is responsible for developing and maintaining a system that identifies and mitigates risk. Throughout the audit process, auditors are respon- sible for evaluating the state of risk and control systems and providing this information to the audit committee and senior management. Auditors can use risk assess- ments to identify and evaluate risk levels at a point in time. This lets auditors assess management's risk miti- gation activities and support the development of objec- tives for individual audits and the annual audit plan. Risk assessments can include the evaluation of detailed transactions against a cut-off point and a comparative analysis on a summary of the transactions. In the case of legislation such as the Sarbanes-Oxley Act of 2002, auditors also evaluate management's assessments of their internal controls. Ideally, internal or external audi- tors are not part of the controls monitoring process and do not design or maintain the controls, which allows them to retain their independence. The auditing of the systems and the controls refer to audit activities that identify whether selected controls are working properly. Traditionally, control testing is performed on a retrospective and cyclical basis after business activities occur. The testing procedures often are based on a sampling approach and include activities such as reviews of policies, procedures, approvals, and reconciliations. The audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like themonitoring program, the audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory land- scape, errors or violations, problems in the past, em- ployee turnover in the compliance department or line of business, and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the audit. The audit results should be provided in formal, de- tailed reports that outline findings and management’s action plan to resolve each finding. Auditing should be conducted on a less frequent basis than the monitoring program; timing of the audits can be on a rotational basis and supported by the results of the risk assess- ment process.  Monitoring — continued from page 26