BOL Conferences
#102867 - 08/01/03 10:04 PM Internal Audit/Compliance
BRubble Offline
New Poster
BRubble
Joined: Jun 2003
Posts: 18
Midwest
We are a community bank with approx. $430m in Assets. I am a new Internal Auditor that was asked to take this position within the last year due to criticism from regulators that we didn't have an IA. I have been with the bank for 20 years and know operations very well. The Compliance Office just resigned and the question has been raised about combining the two departments. I know they will need to hire help for me, especially on the audit side. I don't know how other banks handle these two departments. Any insight/suggestions would be appreciated.

#102868 - 08/01/03 10:37 PM Re: Internal Audit/Compliance
Countess Kiwi Offline
Diamond Poster
Joined: Jun 2002
Posts: 1,815
Minnesota
Last year our regulators, OTS, discussed the need to split the departments and make them independent of each other. Our asset size is smaller than yours and at one point in time I held both positions. I think we have enhanced both audit and compliance by splitting the functions. Although audit will still deal with compliance areas, focus can be on doing the auditing instead of writing policies. Independence is the key here, it is difficult to audit policies that you have written. This is not feasible for all institutions, but it has worked well for us.
_________________________
Do what you can, with what you have, where you are.
~Theodore Roosevelt~

#102869 - 08/04/03 04:27 PM Re: Internal Audit/Compliance
Kwiltr Offline
100 Club
Joined: Dec 2002
Posts: 132
I do compliance and loan review at a community bank with $200 million in assets. We're OCC regulated. I took this job four years ago with a 20-year history at this bank in the teller and installment loan operations areas. We also have an internal auditor who worked into her job with a background in our accounting department. She & I work very closely and share an assistant. The bank processes in-house and has a start-up trust department, which has added a big IT/Trust load to our schedules in the last three years. The three of us are trying to manage the workload that we feel is appropriate, and that's with a shift from a 12-month review schedule to a more risk-based one.

#102870 - 08/06/03 01:43 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

I am also new to Internal Audit. Our institution has combined the Internal Audit/Compliance and Security functions together into one position. We are an OCC bank. Anyone know how this will work? Or will it?

#102871 - 08/06/03 01:59 PM Re: Internal Audit/Compliance
Kansayaku Offline
Diamond Poster
Joined: Jan 2003
Posts: 1,454
metsuretsu
Quote:

I am also new to Internal Audit. Our institution has combined the Internal Audit/Compliance and Security functions together into one position. We are an OCC bank. Anyone know how this will work? Or will it?




I am also under OCC and manage audit and compliance. It can work, with proper planning and risk assessment. You will also need the support, and in some instances the assistance, of other personnel within your institution. Set up a calendar with all that needs to be done and expect deviations from that calendar. Good luck!
_________________________
I have many opinions; some are good, some are bad, and some don't contradict.

#102872 - 08/06/03 06:37 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

I work for an OTS regulated institution whose asset size is over $500 million. Our audit and compliance department is one. However, policy making and writing is not part of the department. Compliance in regards to that issue is pushed out to the division executives. I strictly just audit the compliance. It was made known to the management when these jobs merged that I would not be giving advice or providing any input in policy making. If you are doing that, then you are not independent and therefore should not be auditing.

#102873 - 08/06/03 07:10 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

Thanks for the input. We have been outsourcing both the compliance and audit functions but we are now bringing them in house. Any other words of wisdom would be greatly appreciated. I will need all the help in establishing the responsibilities of the department that I can get. I would like to know who you report to within your institution. We are looking into that issue also. How do smaller institutions handle that?

#102874 - 08/06/03 07:29 PM Re: Internal Audit/Compliance
Retired DQ Offline
10K Club
Retired DQ
Joined: Dec 2002
Posts: 40,766
Turnpike Exit 10
In our bank, Internal Audit reports to the Audit/Compliance Committee which consists solely of Directors. The Compliance Officer reports directly to the President and also issues a report to the Audit/Compliance Committee.
_________________________
Get your facts first, then you can distort them as you please. - Mark Twain

#102875 - 08/07/03 04:38 PM Re: Internal Audit/Compliance
zitch70 Offline
Gold Star
Joined: Apr 2001
Posts: 331
Edinburg, Texas
I am both the Internal Auditor and Compliance Officer for a 750 million National Bank. The OCC has not discussed splitting the two, but probably will in the future. I have one full time assistant and a college intern who will be offered full time upon graduation.

No problems so far.

When I have to choose either audit or compliance I will choose audit because I like being over the President on the organization chart.


#102876 - 08/08/03 01:38 PM Re: Internal Audit/Compliance
Roun Offline
Member
Joined: Apr 2003
Posts: 79
southeast
zitch70,

I am the internal auditor for a $650 million state non-member bank. We had the compliance and internal audit separate, but the compliance officer recently resigned. I have been asked to take on both responsibilities. I currently have 1 assistant and the compliance officer also had one. I am very interested in learning how you handle both of these areas.

I have not audited any compliance areas in the past. That was basically handled by the compliance officer. While I agree that the internal audit department should audit compliance areas also - I am not sure how to handle all the other areas she has been dealing with such as updating policy, training, etc. Would appreciate any suggestions?

#102877 - 08/09/03 12:21 AM Re: Internal Audit/Compliance
Richard Insley Offline
10K Club
Richard Insley
Joined: Oct 2000
Posts: 10,180
Toano, VA
Quote:

I work for an OTS regulated institution whose asset size is over $500 million. Our audit and compliance department is one. However, policy making and writing is not part of the department. Compliance in regards to that issue is pushed out to the division executives. I strictly just audit the compliance. It was made known to the management when these jobs merged that I would not be giving advice or providing any input in policy making. If you are doing that, then you are not independent and therefore should not be auditing.




What you describe here is a bank with NO compliance management function! If the person who should help management understand regulatory responsibilities and craft cost-effective solutions will not get involved, then you have no compliance support--just a policeman!

Audit exists to assure the board that approved policies are being followed. The compliance management function exists to help management get it done.
_________________________
...gone fishing.

#102878 - 08/11/03 04:26 PM Re: Internal Audit/Compliance
Countess Kiwi Offline
Diamond Poster
Joined: Jun 2002
Posts: 1,815
Minnesota
Quote:

Audit exists to assure the board that approved policies are being followed. The compliance management function exists to help management get it done.

Well said Richard
_________________________
Do what you can, with what you have, where you are.
~Theodore Roosevelt~

#102879 - 08/11/03 07:13 PM Re: Internal Audit/Compliance
Jayda's Mom Offline
100 Club
Joined: Jul 2002
Posts: 220
North
I work for a small community bank ($168 MM, FDIC supervision) and recently took the position of auditor. The previous auditor, promo to COO, retained the title of Compliance officer. Although I am not the Compliance Officer I am still responsible for all compliance audits.

We just had our FDIC exam and they felt that the COO should not be the compliance officer because of the conflict of interest. They also felt that I did not have enough schooling to become the Compliance Officer which leaves us stuck. They recommended I attend the ABA Compliance school and be promoted ASAP to avoid any complications.


#102880 - 09/25/03 09:27 PM Re: Internal Audit/Compliance
wlavoie Offline
Gold Star
wlavoie
Joined: Jul 2002
Posts: 338
Hell's Canyon
I am wondering if there is any printed guidance on this issue. We are FDIC regulated and will soon add a person with extensive compliance experience. I am currently the corporate auditor (I also audit compliance) and the Chief Loan Officer is our compliance officer. Any suggestions on how to best divide functions? The CLO is too busy to continue as compliance officer. I am concerned about independence issues.
_________________________
Wendy LaVoie

#102881 - 09/26/03 02:19 AM Re: Internal Audit/Compliance
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Audit (whether it's auditing compliance, IT, operations, etc.) should be independent. If you are the auditor, you should be independent of every area you are auditing.

While there are numerous ways to go, if the person you are adding has the skill set to be the compliance officer, making them such may be the easiest solution. Of course, they will not be able to independently audit their own work, so you will probably need to keep auditing compliance.

If your new hire will be in the audit function, there will be a conflict with them taking over the compliance officer role. In this case, since your SLO does not have the time to fulfill the CO duties, you might consider forming a compliance committee. A compliance committee is comprised of representatives of all functional areas...these members are responsible for compliance issues that are applicable to their respective areas/departments. A part time "compliance officer" could be appointed to oversee and coordinate the compliance management function and to chair the committee.
_________________________
My opinions are just that...my opinions.

#102882 - 09/26/03 01:18 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

We are an OCC regulated bank. Prior to this year Internal Audit and Compliance reported to the Audit Committee. Now, the Compliance Officer reports to the President and we audit the CO and report the findings to the Audit Committee.

#102883 - 09/26/03 05:40 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

I think the chief issue affecting all of those seeking feedback on the best design for an audit/compliance function (i.e., whether the functions should be together, or whether they should stand apart) is to realize that the changing regulatory focus is on risk mitigation. In some smaller shops, there is only a single person who is the risk control-type person -- title notwithstanding. That person may do everything -- from consumer-based compliance to technology risk control, security; you name it. For shops that are bigger, and particularly for those over $500 million, the emphasis should be on enterprise risk management. Risks are assessed as to their criticality and effect on the institution. An interest rate risk weakness, a lending weakness, or a technology-based weakness, would obviously have greater degrees of impact to the bank's soundness than would a violation of a Reg Z disclosure. It is too confusing for boards to understand which risk is really the most critical risk, and this is why -- particularly for large institutions -- the position of "chief risk officer" has grown significantly. Having a separate compliance-only person and a separate audit-only person in an under-$500 million institution can only work if the compliance person is solely "administering" consumer, CRA, HMDA, BSA/OFAC/PATRIOT; while the auditor is "testing" bankwide issues. If the compliance person is "testing" and the auditor is "testing", the function should be merged. The IIA has a new section dealing with bank enterprise risk management, and it addresses just this very issue. This was also talked about at the ABA annual convention. In the final analysis, only one entity should actually be addressing risk conditions with the board or a board committee.

#102884 - 09/26/03 06:21 PM Re: Internal Audit/Compliance
wlavoie Offline
Gold Star
wlavoie
Joined: Jul 2002
Posts: 338
Hell's Canyon
Quote:

The IIA has a new section dealing with bank enterprise risk management, and it addresses just this very issue.



Anon - I have searched their site and couldn't find a thing. Any chance you could provide a link?
_________________________
Wendy LaVoie

#102885 - 10/15/03 01:12 AM Re: Internal Audit/Compliance
Anonymous
Unregistered

I noticed that you are involved in loan review. I am currently writing a loan review policy. This is my first effort at a project of this sort. I would appreciate reviewing other policies to make sure I have included everything needed. Is your LR policy something you would be willing to share? Thanks mhester@fsbmail.com

#102886 - 10/21/03 06:36 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

Regarding the separation of Internal Audit from Compliance...I work for a 325MM National Bank. Our OCC examiners are requesting that we split the Compliance function out of Internal Audit. I currently have two internal audit/compliance staff auditors working under me. It seems as though it not only depends on the size of the institution but the duty station of the regulators and different regulatory authorities that decide when the FI should do this. I read above that a 750MM national bank still has both internal audit/compliance in one department.

#102887 - 10/21/03 08:36 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

I don't want to fuel your fire, but if you're a $325 million institution then you're under the $500 million FDICIA threshold. And if you're not public, then Sarbanes doesn't apply, as well. At the banking workshops (i.e., BAI, ABA, etc.) I've been hearing many bankers/auditors/compliance people mention that they were "encouraged" or "urged" to establish an audit process, or something similar. The regulatory language permits the examiners to recommend an internal control process, but there really is nothing that mandates the design of the control process (i.e., internal, co-sourced, outsourced, audit/compliance separate, audit/compliance combined, etc. etc.). The issue comes down to this: Are you going to challenge their recommendation? I think not. We've all learned that they're holding all the cards. You just do the best you can.

#102888 - 10/22/03 04:48 PM Re: Internal Audit/Compliance
Anonymous
Unregistered

We are public. I agree with what you are saying. They pull all the strings and we do what they want. I pick my battles wisely and fight for those that are most important. In this case, we are going to get bigger which will put us over the 500MM. I can see the benefit of having the two split as sometimes I feel I cross the line.

#102889 - 10/24/03 02:37 PM Re: Internal Audit/Compliance
Maria Offline
Platinum Poster
Joined: Apr 2001
Posts: 502
Sylacauga, Al, United States
I work for a community bank that is "growing." I did both audit & compliance for two years with one assistant. Since there had not been a prior internal audit and/or compliance program for the bank, we had to implement both. Also, we were two banks that had recently merged, then also acquired assets from a third bank. What a two year period, I learned a lot.

I no longer do audit & compliance, I now do branch administration & compliance. I can tell you from my experience, you can attempt to do whatever you need to do, but just how well can you do it? I have found in my three years of working in compliance that even for a community bank, compliance should be given one individual's full time attention. The regulations are quickly growing & changing. Just look at CIP & the new HMDA revisions.

You need time to help management implement and also need time to monitor. It is very very difficult to try to do a good job for your company in compliance, if you are also doing another job.

Again, if you are like me, you will try to do the best you can for your company, but you can only be stretched so thin.

Good luck and enjoy your experiences. Knowledge is something you never lose. And you will make many friends through the compliance area.


#102890 - 10/29/03 01:41 PM Re: Internal Audit/Compliance
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,458
Somewhere
We are a 7 branch $250MM bank and I am the Compliance Officer and perform some internal audit functions. However, we still contract a third party auditor to perform audits and they report directly to the Audit Committee.


Moderator:  Andy_Z