|
|
|
DIY-ing Your Payments Services?
Don’t start from scratch – use our workbooks as a roadmap to success! We’ve covered nearly any service you could need – including ACH Audit, ACH Risk Assessment, Remote Deposit Capture Risk Assessment as well as Third-Party Sender ACH Audit and Risk Assessment.
|
|
Because such an evaluation obviously cannot be performed on transactions and tasks that have yet to occur, this highlights the simplified statement above that an audit is looking backward. The audit determines that the organization followed the relevant set of requirements over the stated time frame. Specific to ACH, the purpose of your ACH Audit is to review your organization’s ACH activities (originated and received entries, including dollar entries, prenotes, return entries, NOCs, executed agreements, authorizations, WSUDs, stop payments, etc.) to determine that those activities were conducted in accordance with the ACH Rules. This audit typically incorporates a sampling process, rather than testing 100% of the activity, in order to arrive at a conclusion of the organization’s overall compliance with the ACH Rules, with instances of noncompliance being reported based on severity and overall impact. The ACH Audit makes no conclusions and offers no assurances that future activity will be in compliance with the ACH Rules. That being said, the results of an audit can highlight ineffective policies and processes that need to be addressed to increase greater compliance moving forward.
Other audits performed by EPCOR, such as audits of wire transfers and remote deposit capture (RDC), include a slightly different mix of audit procedures that incorporate a greater degree of operational considerations versus regulatory compliance. This is due to the fact that while these activities are subject to certain laws and regulations, a significant percentage of them are driven by individual organization policies and procedures, as well as industry best practices. Even so, the objective of the audit engagement is a review of past activity in relation to the established criteria.
Risk assessments, on the other hand, are forward-looking. Risk assessments are intended to identify potential risks that could impede an organization’s ability to meet its strategic objectives and determine how prepared it is to prevent those risks from occurring. The risk assessment will evaluate the degree of risk that is present against internal controls implemented by the organization. For example, an organization may evaluate current policies, processes and procedures to determine the potential effects of internal and external events and circumstances on the organization’s activities. A thorough risk assessment, such as one related to compliance with the ACH Rules, should identify the threats to an entity’s compliance objectives and provide opportunities for management to implement effective internal controls to reduce future non-compliance. The risk assessment should also evaluate the possible effects of circumstances such as, but not limited to, changes in the operating environment, personnel/management changes, changes in laws and regulations, the effects of operational growth and new products and services, advances in technology and risks from third-party relationships. A risk assessment can be viewed as a plan to identify risks and develop responses to those risks before they inflict damage on the organization.
Risk assessments are a vital tool to any organization and can be utilized in conjunction with an audit. However, it's important to note that a risk assessment does NOT include testing of individual transactions, controls or other events to determine past compliance. This is one primary difference between the two engagements that should not be confused. The risk assessment does not validate past performance or guarantee future compliance. However, an effective risk assessment can be a very useful tool in an organization’s overall compliance program.
Nacha requires all financial institutions and Third-Party Senders to conduct an ACH Risk Assessment. In conjunction with that risk assessment, the organization is required to implement an ACH risk management program based on the ACH risk assessment. Nacha realizes that while audits report the success of past activity and identify areas where improvement is needed, the risk assessment, if performed thoroughly and updated periodically, will prove to be just as effective in managing risks and play a material role in ensuring audits with fewer compliance exceptions.
Hopefully, this article clarifies the differences between audits and risk assessments and how they can work together to promote greater compliance within your organization. While ACH Audits and Risk Assessments are a requirement of Nacha, don’t neglect the importance of audits and risk assessments of other payment activities of your organization; including your wire transfer activities, RDC, instant payments and Third-Party Services. If you have questions about any of these services, please don’t hesitate to contact Member Support today at memserve@epcor.org!
|
Let Our Team Take Services Off Your To-Do List!
No matter what’s on your to-do list, EPCOR stands ready to help! Our team of payments experts offers a wide variety of services, including audits, risk assessments and more. We would love to help your organization! Reach out to us at advisoryservices@epcor.org to learn how we can help or to receive a free, no-obligation quote.
|