Do I Need an ACH Audit?

12/14/2022 - By Sallie O'Brien, AAP, APRP

We often get the question, “Do I need an ACH audit?” The general requirement per the Nacha Operating Rules is that a bank or credit union (DFI) must conduct, or have conducted, an audit of its compliance with these Rules annually. However, other parties involved in processing ACH transactions need an ACH audit, too.

The Parties in ACH

DFIs often contract with Third-Party Service Providers (TPSP)¹ or Third-Party Senders (TPS)² to process entries. In that case, those third parties must also audit their compliance with the Rules annually.

Some examples of ACH processing functions that a TPSP/TPS, or even a Nested Third-Party Sender³, might perform on behalf of an Originating DFI (ODFI) or another TPS could include the following:

  • Creating ACH files
  • Monitoring Originators’ origination and return activity
  • Enforcing restrictions on the types of entries originated
  • Acting as a sending point for the ODFI’s forward entries
  • Acting as a receiving point for the ODFI’s returns and NOCs

Some examples of ACH processing functions that a Third-Party Service Provider might perform on behalf of an RDFI could include:

  • Acting as a sending or receiving point for the RDFI
  • Posting entries
  • Processing returns and/or NOCs

What does an ACH Audit require?

An annual audit must be conducted under these Rule Compliance Audit Requirements (Subsection 1.2.2) no later than December 31st of each year. The ACH audit must be performed under the direction of an audit committee, audit manager, senior-level officer or independent (external) examiner or auditor of the Participating DFI, TPSP or TPS. The Rules do not prescribe the manner or method for completing the audit. For instance, it can be conducted by an internal or an external party.

There are different Rules that apply to the parties. For a TPSP, the audit requirements apply only to the functions of ACH processing that it performs on behalf of a DFI or a TPS. For a Third-Party Sender, the audit requirements apply to the performance of any obligations of an ODFI.

The requirement to conduct an audit relates solely to compliance with these Rules – it does not necessarily address other audit considerations, such as the DFI or TPSP or TPS policies, procedures or regulatory compliance (such as Regulation E or Uniform Commercial Code). As these requirements do pose risks, it might be a good enhancement to add these to the scope of your overall audit program. 

¹ Third-Party Service Provider: An Organization that performs any functions on behalf of the Originator, the TPS, the ODFI, or the RDFI related to the processing of entries.

² Third-Party Sender: A type of Third-Party Service Provider that acts as an intermediary in Transmitting entries between an Originator and an ODFI.

³ Nested Third-Party Sender: A Third-Party Sender that has an agreement with another Third-Party Sender to act on behalf of an Originator and does not have a direct agreement with the ODFI.

Receiving Point: An Organization that receives entries from an ACH Operator on behalf of an RDFI.

Sending Point: An Organization that transmits entries to an ACH Operator on behalf of an ODFI.


Please call me or reach out to our Financial Institution Consulting practice if you have any questions or need a Nacha compliance review or consulting.

Are you looking for more information on ACH? Check out this recent webinar hosted by Sallie O'Brien, AAP, APRP.

About the Author | Sallie O’Brien, AAP, APRP

Sallie is a senior consultant in the Financial Institution Advisory Group at Saltmarsh, Cleaveland & Gund. She has over 19 years of experience working with financial institutions. Sallie specializes in risk-based Nacha compliance audits and provides ACH-consulting services to the firm’s financial institution industry clients. Prior to joining Saltmarsh, Sallie was a senior director of education at a regional consulting firm where she provided payment education and Nacha compliance programming for third-party providers.
