Skip to main content
Image coming soon

Control Testing That Closes Repeat Findings

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

Control Testing That Closes Repeat Findings

The on-site examiner methodology for findings that produce real remediation, not attestation letters.

The finding is closed on paper. The remediation package arrived, you reviewed it, and the finding moved to resolved. At the next review cycle the same control fails again. The problem was never in the testing. It was in what happens after the finding leaves your desk.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

On-site control examiners operate in a loop that the standard testing methodology does not break. You identify a control failure. You write a finding. The business line submits a remediation package, typically a policy update, a training attestation, and a new procedure document. You accept the package and close the finding. Months later, during the next cycle or during a regulatory examination, the same control fails again. The business line says the procedure changed. The examiner says the control is still not operating effectively. Both are technically correct. The procedure changed. The control is not operating. These are not contradictions, they are the same problem: accepting documentation as evidence of operating change. The on-site controls function carries the reputational risk when findings recur, because the testing program is supposed to surface and close these gaps before regulators find them. When the OCC or Federal Reserve arrives and identifies something your program already flagged and accepted as remediated, the question becomes why your verification was not sufficient. This course is built around the methodology that breaks the loop: root-cause standards that prevent symptom-only fixes, verification protocols that require evidence of operating change rather than design change, and finding formats that commit business lines to specific testable actions.

What you walk away with

  • Build a pre-visit briefing that concentrates testing effort on controls with the highest probability of failure before you arrive on site.
  • Write findings that specify testable remediation actions rather than process documentation or training attestations.
  • Apply a root-cause determination framework that commits business lines to fixing the cause rather than the symptom.
  • Implement a remediation verification protocol that confirms a control is actually operating before accepting closure.
  • Coordinate regulatory visit preparation that demonstrates program maturity without exposing gaps that are still open internally.
  • Deliver testing program results in formats that reach the chief risk officer and board audit committee without losing the substance of what was found.

The 12 modules

Module 1. Pre-Visit Intelligence: What the Self-Assessment Doesn't Tell You
Before stepping on-site, the effective control examiner knows three things the business line's self-assessment cannot reveal: where actual operating performance diverged from the last formal testing cycle, which control families had near-misses that didn't rise to formal findings, and which business line managers are most likely to dispute a finding rather than remediate. This module builds the pre-visit briefing template that surfaces that signal before you arrive, so testing effort concentrates where failure probability is highest.
Module 2. Test Design: What the OCC Actually Wants to See
Control testing that passes internal review but fails regulatory examination is the most common failure mode in on-site programs. This module builds sampling logic, evidence sufficiency standards, and documentation requirements calibrated to OCC Comptroller's Handbook expectations and Federal Reserve SR-letter methodology. The core distinction is between a control designed to operate a certain way and a control actually operating that way, and the different evidence each requires to satisfy an independent examiner.
Module 3. Evidence Collection Under a Fixed Site-Visit Window
Site visits have fixed windows and business lines that produce documents slowly. This module builds the evidence collection prioritisation framework: which document types establish operating effectiveness, which establish only design intent, and how to use structured interviews to fill gaps when written evidence is thin or delayed. Includes workpaper templates for evidence chain-of-custody, interview note capture, and the exception log that feeds directly into the findings draft at close of visit.
Module 4. Root-Cause Analysis: Distinguishing the Failure from the Symptom
A finding that addresses the symptom recurs. A finding that addresses the root cause closes. This module applies root-cause analysis methodology adapted for banking control environments: the five-why sequence and a fishbone diagram reframed for process and governance failures. The output is a root-cause determination template that commits the business line to a specific fix rather than a general corrective action, with worked examples drawn from common patterns in operational risk and conduct controls.
Module 5. Writing Findings That Commit Business Lines to Testable Actions
The finding format that produces real remediation has five components: condition, criteria, cause, effect, and recommendation. This module builds each component with worked examples, covering the difference between findings that drive implementation change and findings that produce attestation letters and then recur. Includes the management response template that requires the business line to name the specific artefact or process that will change, not just the date by which they commit to change it.
Module 6. Remediation Verification: Confirming Operating Change Before Closing
Accepting a remediation as complete requires evidence the fix is actually operating, not just documented. This module builds the verification protocol: the evidence standard for each remediation type, including process change, system change, training, and policy update. Covers the re-test procedure for high-risk or previously-recurring findings, and the escalation criteria for remediation packages that do not meet the acceptance threshold. The goal is a protocol the business line can prepare against before submitting.
Module 7. Managing Pushback: Factual, Scope, and Standards Disputes
On-site control examiners encounter three categories of pushback: factual dispute (we didn't do that), scope dispute (that's not in our testing universe), and standards dispute (the regulator didn't flag this last time). Each requires a different response. This module covers the escalation ladder appropriate for each type, the documentation approach that protects the finding's integrity regardless of outcome, and the negotiation framework for realistic remediation timelines that don't become indefinite deferrals.
Module 8. Regulatory Citation: Backing Every Finding with a Named Standard
Every finding must be traceable to a standard. This module maps the OCC Comptroller's Handbook chapters, Federal Reserve SR letters, and FFIEC guidance most relevant to on-site control testing work, and builds a citation practice that connects each finding to the specific regulatory section the control is measured against. Includes a reference library and the approach for citing regulatory standards when management disputes the criteria underlying a finding rather than the observed condition.
Module 9. Building a Repeatable Testing Program with Defensible Coverage
An on-site control program is only as strong as its universe definition and rotation logic. This module builds the annual testing calendar: how to define the in-scope control population, how to tier by risk and set testing frequency, and how to manage the rotation so every material control is tested within cycle. Includes the coverage dashboard that communicates program scope to the risk committee and board audit committee in a format that demonstrates a systematic rather than ad hoc approach.
Module 10. Communicating Results to the CRO and Audit Committee
The workpaper that supports a finding and the executive summary that reaches the chief risk officer are two different documents. This module covers the translation layer: compressing multi-page testing workpapers into single-paragraph finding summaries, characterising severity in terms that resonate with non-technical leadership, and presenting trend data that demonstrates whether the control environment improved or deteriorated across consecutive testing cycles. Includes the rating framework that maps examiner observations to risk ratings senior management can act on.
Module 11. Regulatory Visit Coordination: What to Prepare and What Not to Volunteer
When OCC or Federal Reserve examiners arrive, the on-site controls function is typically their first internal point of contact. This module covers the regulatory visit package: what to prepare, what not to volunteer, how to handle information requests that overlap with areas where your program has open findings, and how to manage the relationship between an internal finding and the same control area surfacing in a regulatory examination. The goal is a visit that confirms your program's credibility, not one that surfaces gaps the examiners find before you do.
Module 12. Your Personal Examiner Methodology: The Working Document You Take On-Site
The final module assembles the course artefacts into a personal examiner methodology document: your evidence standards, your finding format, your root-cause determination protocol, your remediation verification checklist, and your escalation decision tree. This is the working document you carry into every site visit, adjusted to the specific risk profile and regulatory relationship of the location under review. It is also the document that demonstrates program consistency if your approach is ever examined from the outside.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

A finding you accepted as remediated last quarter just failed again in a regulatory examination. The business line says they implemented the fix. The examiner says the control is still not operating. You need a verification protocol that settles that dispute before it reaches the examiner.
You are preparing for a site visit next week. The business line's self-assessment scores look clean. You know from experience that the self-assessment and the actual operating condition will diverge. You need a pre-visit briefing framework that surfaces where the divergence is most likely.
The business line is pushing back on a finding, arguing the condition you observed was a one-time exception and doesn't reflect normal operations. You need a documentation approach and escalation path that protects the finding's integrity without escalating a factual dispute into a relationship problem.
Regulatory examiners are arriving next month. Your internal program has three open findings in control areas that overlap with the examination scope. You need a regulatory visit preparation approach that demonstrates a mature control environment without drawing attention to the gap between what you found and what you've been able to close.

What you get with this course

  • 12 written modules covering the full on-site control testing methodology from pre-visit preparation through findings writing and remediation verification
  • Downloadable control testing templates: pre-visit briefing, evidence chain-of-custody workpaper, structured interview note template, root-cause determination worksheet, finding format guide, and remediation verification checklist
  • Regulatory citation library covering OCC Handbook, Federal Reserve SR letters, and FFIEC guidance relevant to on-site control work
  • The hand-built implementation playbook, delivered alongside course access, tailored to your specific control testing program and regulatory environment

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Findings keep recurring because remediation evidence is accepted on documentation rather than operating proof. Pre-visit prep misses the controls most likely to fail because the self-assessment looks clean. Pushback from business lines stalls remediation without a clear escalation path. Regulatory examinations surface findings your program already identified but couldn't close.

After

Findings are written with specific testable remediation requirements, not general corrective action commitments. Pre-visit briefings target high-failure-probability controls before arrival. Verification protocols confirm operating change before findings are closed. Regulatory visits confirm what your program already found rather than expanding the finding inventory.

What happens if you do not address this

The next regulatory examination surfaces a finding in a control area your program already identified, remediated, and closed. The gap between what your program accepted as remediated and what is actually operating becomes the examination finding. That gap is the reputational exposure for the on-site controls function, and it is not recoverable by pointing to the remediation package you accepted.

Who it is for

AVP-level on-site controls professionals at large financial institutions, responsible for testing the operating effectiveness of first-line controls across business lines and locations, managing findings from identification through remediation acceptance, and coordinating with regulatory examiners who conduct independent on-site reviews. This person has conducted dozens of site visits, accepted hundreds of remediation packages, and has seen the same control fail twice. They know the methodology needs to change but have not had a structured way to rebuild it.

Who this is NOT for. External auditors working under US GAAS or PCAOB standards. Model risk validation teams. Compliance monitoring functions that operate primarily through self-assessment and attestation rather than independent on-site testing.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 8 to 10 hours across 12 modules. Each module is designed for 40 to 50 minutes, making it practical to complete one module between site visits or review cycles.

Why $199 is the right number

The OCC Handbook and Federal Reserve SR letters define what controls should do. They do not teach you how to test whether controls are doing it, how to write the finding that survives pushback, or how to verify that the remediation package actually changed operating behavior rather than procedure documentation. That is what this course covers.

FAQ

Is this relevant if my on-site program covers operational risk rather than financial crime controls specifically?
Yes. The core methodology, including root-cause analysis, evidence standards, and remediation verification, applies across control domains. The module on regulatory alignment covers OCC and Federal Reserve frameworks relevant to operational risk and conduct risk on-site testing.
I already have a documented testing procedure. Will this course add anything?
Most on-site programs have documented procedures. The course focuses on the gap between documented and operating: why controls that pass internal testing still fail regulatory examination, and how the finding format, verification protocol, and pre-visit briefing approach close that gap.
How is this different from internal audit methodology training?
Internal audit methodology is built around financial statement assertions and GAAS. On-site control testing is built around regulatory expectations for operational effectiveness. The evidence standards, finding formats, and regulatory citation practices are different. This course is built specifically for the second or third-line control testing function, not for financial statement audit work.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!