
Client Testimonial
"We use AuditOne for our comprehensive internal audit program, including SOX testing. AuditOne delivers very responsive, quality services to our bank."

Paul Manning
EVP/Chief Risk Management Officer
1st Century Bank, Century City, CA

AuditOne's proprietary Enterprise Risk Assessment (ERA) recommends cost-effective audit resource allocation based on prioritized bank function risk rankings. ERAs save you money.

Risk Management Services
You may not like risk… but if you’re a bank, you’re in the business of assessing, assuming and managing risk… whether it’s interest rate and liquidity risk, credit risk, or operational, legal, reputational and strategic risk.

Enterprise Risk Assessment
At AuditOne, we’re in the business of helping you manage your risk. Our proprietary Enterprise Risk Assessment (ERA) analyzes each operational bank function and calibrates the precise level of risk and internal control auditing necessary to meet safety, soundness and the latest regulatory requirements. The AuditOne ERA saves banks money by identifying and applying appropriate risk-based resources. It is the industry's most granular, targeted, comprehensive, and sophisticated risk assessment intelligence tool.

Our ERA format provides risk ratings at a disaggregated level. For example, we don’t just look at Branch Operations; we drill down to all the major scope activities for an audit of that function (for example, new accounts, cash, security, safe deposit, etc.). This in-depth analysis allows us to provide recommendations not just as to what areas need auditing over the coming year but also the scope items that should be included. All this is based on our proprietary ERA methodology that a) risk-scores each area and activity, b) translates that score into a risk rating, and c) maps that rating to a recommended audit frequency (and component scope items) based on our broad experience in the banking and financial institution industry.

The ERA is performed with cost-effective sensitivity to identify opportunities to defer audits where feasible, or to trim their scope or otherwise economize. We recommend an ERA as an annual exercise – not only because the regulators have come to expect it, but more importantly, because it allows banks to develop a risk-based internal audit plan in which audit dollars are allocated to where they’re most needed.

Sarbanes-Oxley Methodology
At the other end of the spectrum are the Sarbanes-Oxley (“SOX”) requirements that public filers must meet, as well as the FDICIA 36 requirements for larger institutions (> $1 billion assets). We have considerable experience with SOX reporting, both in the documentation and the testing phases. Most institutions adopt a COSO-type approach, which is also what the FDIC recommends for meeting FDICIA 36 requirements.

Documentation of the internal controls to be tested requires first going through a risk assessment of the institution – a similar, though more detailed, exercise to what’s described above for an Enterprise Risk Assessment. SOX/FDICIA 36 requires analyzing specific risks at a disaggregated level, then identifying the controls (key controls, plus back-up/compensating controls) on each risk.

Public and/or large institutions are now required to go through this exercise, with an appropriate structural framework and rigorous documentation and validation of the risks and controls. But it can be expected that over time there will be rising demands for smaller, non-public institutions to go down this path. It will become a differentiator of well-managed, best-practice players. And it will give management and the Board more comfort that the institution has positioned itself to minimize the risk of any given loss event and the amount that would be lost were such an event to occur.

Risk-Based Report Format
To assist the Audit Committee, our risk-based approach to internal audit extends to our audit report format, which provides more granular information on audit results. This increased granularity includes the above-mentioned inherent risk rating on all of the scope items for an audit, and a four-point audit rating scale applied to each scope item within each audit. This more granular reporting can also be used as input to functions such as:

  • audit planning (“Needs Improvement” means more attention must be paid before next year’s audit)
  • internal best-practices (based on any units receiving a Strong rating)
  • performance appraisal (rating managers on their unit’s audit results and how they compare to the prior year).

Finally, we provide ratings (High, Moderate or Low) on all findings to help the Audit Committee in assessing the importance of each finding, and to focus its attention on the high-priority findings. This prioritization of findings not only helps the Audit Committee monitor progress, but it is also a basic tool that regulators expect institutions to employ. We encourage you to contact us to see a sample of our new audit reports.

(c) 2010 AuditOne, LLC.     |      Southern California   562.802.3581     |     Northern California   408.980.8099     |     info@audit-one.com