Lesson 10 of 25

Incorporating Regulatory Findings, Prior Issues, and Coverage

4 min read · CAMS-Audit

Plan from history: fold prior findings, MRAs, and open issues into scope, run look-backs after a control failure, and close coverage gaps. Learn why recurring findings point to a systemic root cause.

Plan from history, not a blank page

  • Prior audit findings and their remediation status
  • Regulatory exam findings and MRAs
  • Past incidents, breaches, and near-misses
  • Open issues that never fully closed

No audit starts from a blank page. Before you scope, you read the institution's history. That means prior internal audit findings and whether they were actually fixed; regulatory examination findings, including Matters Requiring Attention from the OCC, Federal Reserve, or FDIC; and past incidents, control breaches, and near-misses.

You also pull the inventory of open issues, the ones that were raised before and never fully closed. History tells you where this institution has struggled, and struggling areas deserve a hard look. An auditor who ignores prior findings and scopes purely from theory will miss the very problems that have already proven real here.

Why prior findings reshape scope

  • Recurring findings signal a deeper, systemic cause
  • An area with open issues warrants confirmatory testing
  • Regulatory findings raise both risk and stakes
  • Test the fix — don't assume 'closed' means 'fixed'

Prior findings reshape the scope in specific ways. A finding that keeps recurring, year after year, signals that the institution has been treating symptoms rather than the root cause, and that pattern itself deserves investigation. An area carrying open issues warrants confirmatory testing to see whether interim fixes are holding.

Regulatory findings raise both the risk rating and the stakes, since the regulator is now watching. And here's the discipline the exam keeps testing: closed does not mean fixed. When you plan to revisit a remediated issue, you re-test the control, you don't simply read management's attestation that it was resolved.

We'll return to validation when we reach follow-up, but it starts here in planning.

Look-back coverage and the testing window

  • Define the time period your testing covers
  • A look-back re-examines a past window after a control failure
  • Ensure no period falls permanently outside coverage
  • Align windows across engagements to avoid gaps

Planning also fixes the time window your testing covers. Sometimes a control failure triggers a formal look-back: re-examining a past period to find activity that the broken control should have caught but missed, such as suspicious transactions that were never reviewed. Beyond that, the planner makes sure that across engagements no period falls permanently outside coverage, so that there is no quiet gap where, say, the third quarter of last year was tested by nobody.

Aligning the testing windows of related engagements prevents those seams. The exam may show you a coverage timeline and ask where the gap is; the answer is the stretch that no engagement actually examined.
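The coverage-timeline check described above, worked as code. This is an added illustration, not material from the lesson: the engagement names and windows are constructed, and the logic simply merges the windows and returns every stretch of the required period that no engagement examined.

```python
from datetime import date, timedelta

# Constructed sample data, not from the lesson: each engagement's testing
# window as an inclusive (start, end) date range.
ENGAGEMENTS = [
    ("Transaction monitoring audit 2023", date(2023, 1, 1), date(2023, 6, 30)),
    ("CDD/KYC audit 2023", date(2023, 4, 1), date(2023, 6, 30)),
    ("Transaction monitoring audit 2024", date(2023, 10, 1), date(2024, 3, 31)),
    ("Sanctions screening audit 2024", date(2024, 4, 1), date(2024, 9, 30)),
]
# Constructed: two windows that abut exactly, so they leave no seam.
ADJACENT_WINDOWS = [
    ("H1 review", date(2023, 1, 1), date(2023, 6, 30)),
    ("H2 review", date(2023, 7, 1), date(2023, 12, 31)),
]
# The span the audit plan must cover end to end (constructed).
REQUIRED_PERIOD = (date(2023, 1, 1), date(2024, 12, 31))


def coverage_gaps(windows, period_start, period_end):
    """Return the stretches of the required period that no window examined.

    Windows may overlap or abut; a window ending on day D followed by one
    starting on D+1 leaves no gap. Output is a list of inclusive (start, end).
    """
    spans = sorted((s, e) for _, s, e in windows
                   if e >= period_start and s <= period_end)
    gaps = []
    cursor = period_start  # earliest day not yet shown to be covered
    for start, end in spans:
        if start > cursor:
            gaps.append((cursor, start - timedelta(days=1)))
        if end >= cursor:
            cursor = end + timedelta(days=1)
    if cursor <= period_end:
        gaps.append((cursor, period_end))
    return gaps


def gap_report(windows, period):
    """Readable gap list: one 'YYYY-MM-DD to YYYY-MM-DD' entry per uncovered stretch."""
    return [f"{s.isoformat()} to {e.isoformat()}"
            for s, e in coverage_gaps(windows, *period)]


if __name__ == "__main__":
    for line in gap_report(ENGAGEMENTS, REQUIRED_PERIOD):
        print("uncovered:", line)
```

With the constructed windows, the report shows Q3 2023 and Q4 2024 as stretches no engagement examined, which is exactly the kind of seam aligning related engagements is meant to close.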

Coordinating with the second line and examiners

  • Know what compliance monitoring already covers
  • Avoid duplicating — but don't rely on second-line testing as your own
  • Map your plan against the regulatory exam cycle
  • Independence is preserved even while coordinating

Finally, coordinate without compromising independence. Know what the second line's monitoring and quality assurance already cover, so you don't blindly duplicate it, but never treat second-line testing as a substitute for your independent test; that's their oversight, not your assurance. Map your plan against the regulatory examination cycle so audit coverage is fresh when examiners arrive.

Coordination is fine; dependence is not. You can talk to compliance and align timing, but your conclusions must rest on your own independent work. If a scenario shows audit simply adopting compliance's QA results as its finding, independence has slipped.

Reading regulatory findings correctly

  • MRAs and enforcement actions signal regulator priorities
  • An MRA is a supervisory expectation, not a suggestion
  • Match audit coverage to what regulators are watching
  • Repeat regulatory findings escalate the stakes sharply

Regulatory findings deserve a careful read, because they tell you what supervisors are focused on. A Matter Requiring Attention, or MRA, from a federal banking regulator is a supervisory expectation that the institution correct a deficiency; it is not optional advice, and ignoring it invites escalation to a formal enforcement action. So when you plan, map your coverage against open MRAs and recent enforcement themes, both at your institution and across the industry, since regulators tend to press the same issues sector-wide.

And understand the gravity of a repeat: when a regulator finds the same deficiency it flagged before, the stakes rise sharply, because it signals the institution either couldn't or wouldn't fix a known problem, which examiners read as a management and governance failure, not just a control gap. Audit's job is to surface those repeat risks before the regulator does, which is exactly why prior findings sit so high in the planning inputs.

Recap and next

  • Plan from prior findings, regulatory issues, and incidents
  • Recurring findings hint at a systemic cause
  • Close the look-back window; leave no coverage gap
  • Next — sampling: statistical vs. judgmental

Recapping: you plan from history, prior audit findings, regulatory findings and MRAs, incidents, and open issues, because struggling areas earn deeper coverage and recurring findings hint at a systemic root cause. Define your testing window, run look-backs where a control failed, and make sure no period falls permanently outside coverage. Coordinate with the second line and the regulatory exam cycle without ever leaning on their work for your own independent conclusion.

And read regulatory findings for what they signal: an MRA is a supervisory expectation, not a suggestion, and a repeat finding raises the stakes sharply because it shows a known problem went unfixed. Next, we get hands-on with one of the most testable planning skills: choosing between statistical and judgmental sampling. Test yourself first.

Sources

  • FFIEC BSA/AML Examination Manual — Independent Testing and corrective action
  • IIA International Professional Practices Framework — engagement planning and prior results
  • OCC/FRB/FDIC supervisory practice — Matters Requiring Attention (MRAs)

Test your knowledge

A few CAMS-Audit questions on this material.

  Q1. During fieldwork, an auditor confirms that the institution has a designated BSA/AML compliance officer. However, the officer reports that she has been denied direct access to the board and cannot get resources approved without the CFO's sign-off. What is the audit finding?

  Q2. When auditing the training pillar of an AML program, which finding would be MOST significant?

  Q3. An audit of the fifth pillar finds that beneficial ownership was collected at onboarding for all legal-entity customers, but the institution has no process to update ownership information when changes occur post-onboarding. Which specific requirement of the CDD Rule is failing?

  Q4. A new digital-payments product launched six months ago. An auditor discovers that no monitoring scenarios cover this product's transaction types. Which finding category BEST describes this gap?