Do you want to be better prepared for your next bank audit? Do you want to spend less time on your next audit? If you answered “yes,” then incorporating mini audits into your compliance calendar could help you get what you want.
Every year, when you get audited by your Issuing Bank, the auditor sends you a booklet of items they want to review. These topics cover everything from the items you submitted to the bank to get your program approved, all the processes and procedures that the bank requires of your program, and the pain point items that came out of the bank’s latest regulatory and network audits.
Answering all of these questions can take forever. In speaking with other compliance officers, it can take 40 hours of prep work, 16-24 hours with the auditors on site, and another 40 hours of follow up.
What Is A Mini Audit
Mini audits are just what they sound like – a miniature version of the bank’s audit. Don’t worry, this is not a scaled-down version of the entire audit. It is simply addressing one or two of the potential items at a time that could come from an auditor during the annual audit.
Why Are Mini Audits Important
The best way to decrease the amount of time on your annual audit is to be better prepared and organized. Mini audits can help you do both. They keep you in “audit shape.”
In addition, mini audits can give your Issuing Bank more confidence in your program.
How?
Once you are done with your audit, provide the documentation to your Issuing Bank’s compliance department. They will review it and file it away to show their auditors the next time they show up. This gives you yet another positive touch-point with your bank’s compliance department.
Who Should Do A Mini Audit?
Mini audits are not for everyone. I do not recommend conducting mini audits in your first year of business. There is so much work for your compliance team to complete that first year. Adding mini audits to the mix is just too much.
However, after your go through your first Issuing Bank audit, it is time to consider conducting mini audits. I recommend coming up with your plan immediately after you close your first Issuing Bank audit. This way, the previous audit is fresh in your mind, and you will vividly remember where your pain points were.
What If I Don’t Have Time For A Mini-audit
I get it. As a compliance professional, there is too much work and not enough time. Not only do you need to keep track of all your policies and procedures, but you need to monitor your employees to ensure that they are following the rules too. Additionally, you have to run down the answers to questions posed by your Issuing Bank, your CEO, and other interested parties. And since it is compliance, it is always needed RIGHT NOW!
That is why I recommend starting small. You don’t have to do everything at first…or even ever. Start by doing the key items that will help you save time and reduce stress on your next audit.
How Often Should I Conduct a Mini Audit
Ideally, mini audits should be completed monthly. However, if this is your first time, start quarterly. After you conduct one mini audit each quarter for a year, add a second mini audit each quarter, and then change your mini audit schedule to once per month in year three.
What should I Audit?
First and foremost, you should audit the things that: 1) keep you up at night, 2) were big surprises in your last audit, or 3) are areas where your program has the most challenges.
For example, if you have a GPR program that tends to attract identity thieves, you should audit your stolen identity logs. However, if your program executes a lot of advertising on different mediums, consider auditing your advertising materials.
If you are lacking ideas, don’t worry. Below I give you a list of ideas on what you can audit in your program. This is by no means an exhaustive list, but it is a good place to start.
Ideas For Mini Audits (In order of importance):
1. CIP/OFAC – Run a report to verify that all new cardholders have been run through identity verification upon signup, and no cardholders are on the OFAC list. Most Issuing Banks require you to recheck cardholders against the OFAC list on a periodic basis. Make sure that this activity is happening, and that no cardholders have shown up on that list. Also consider auditing your OFAC false positive procedures.
2. Customer Complaints – Regulators are currently looking at customer complaints with great interest. Keep in mind that customer complaints need to be resolved quickly, categorized across the company into a central log, and reviewed by executive management and the board regularly. Go to your customer complaints log and choose one to five complaints at random. Review the documentation on the complaints against the documentation in the system to ensure everything was captured correctly and in accordance with your policy and procedure.
3. Fees – With processors pushing IT releases on a regular basis, quality assurance is not always their first priority. You should review the fee settings for your program on a regular basis to ensure that the fees set in the system match what is in your cardholder agreement and that the fees are being charged correctly.
4. Marketing Materials – A good marketer can rewrite an entire ad campaign and deploy it in a single morning. The problem is that those campaigns need to be reviewed by compliance and approved by the Issuing Bank, and possibly the network, before going live. If you are doing any advertising, you need to have a good system in place to ensure that all of these approvals are taking place. Have your marketing team (or person) pull a recent ad that was deployed and check that ad against what was approved by you and the bank. If you’re not doing any advertising, you can look at things like the app store write up, your cardholder website content, your card art, and even your cardholder agreement. Adobe Acrobat has a cool compare feature that you can use to do a comparison of your approved items against what is currently deployed.
5. Process / Procedures – Bank audits will focus on your policies, and the procedures that you’ve written to enforce those policies. Choose one to two procedures to review each term. Find instances where those procedures came into play, and ensure that the procedure was followed to the letter.
6. Identity Theft – Identity thieves are getting very creative in how they use prepaid cards. In most cases, your Issuing Bank probably requires you to keep a log of any reports of identity theft. Pick one to five entries on that log and check your system against the procedure to ensure that it was followed.
7. Escheatment – If your program is old enough to require escheating abandoned funds to the state (usually starting in year three), you should be sending funds to the appropriate state on a regular basis. Review reports from two to three months prior, and ensure that any cards on the escheatment list were actually escheated. You can also run current versions of those reports to make sure there are no escheatments that are past due as these can result in big fines.
8. On Us – In many cases, a program will provide cardholders a free ATM withdrawal or other transaction based on loading their card or certain time triggers. These are some of the most complex transactions in a processor’s system. Find two to four cardholders who were eligible to receive an “On Us” transaction, review their transaction history, and make sure that they received that transaction for free.
9. Customer Service – Customer service agents who are not properly trained can be a nightmare for a compliance officer. In most cases, your customer service team will listen to calls on a monthly basis to ensure a certain level of quality is being maintained. Join these sessions and listen in from a compliance standpoint. Make sure to take notes on what compliance areas came into play, and if the call center representative followed the correct procedures.
Closing
I hope this article on mini audits was more helpful than scary. I know that adding additional work to your team can seem overwhelming; however, a good mini audit plan will go a long way in saving you time during your annual audit.
Tools to Help You
I have two tools to help you save time when it comes to carrying out your prepaid compliance duties.
First, you can click here to download some Microsoft Excel forms to use when conducting your mini audits for the areas listed above.
Second, I invite you to check out the Prepaid Academy. The Prepaid Academy provides your team with a training and tracking system for all of your compliance needs. It contains:
- Bank approved compliance training
- Information security training
- Introduction to prepaid course
- PCI training for your IT team
- A way for your employees to track their outside training.
- One-click reporting of all employee activity
Good luck, and let me know in the comments below if you have any questions.