BOL Conferences
#113477 - 09/09/03 08:55 PM Annual Security Report to the BOD
Anonymous
Unregistered

In my audit report, I cited the Security Officer for not conducting the annual reporting to the BOD for the previous year. ex. - last report was in 2001 but per review of the BOD minutes there was not a report given in 2002.

The SO stated that b/c the FDIC did not cite this at their last exam (Fall 2002), then I shouldn't cite it. I understand where he's coming from but at the same time, that might not have been in their scope at the last exam. I need feedback!!!!

Should I revise the report and not cite this?

#113478 - 09/09/03 09:13 PM Re: Annual Security Report to the BOD
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
I would cite it.

As a former regulator, this is something that could very easily not have been included in the scope of your last exam.

Regardless, if it is wrong, it is wrong.
_________________________
My opinions are just that...my opinions.

#113479 - 09/09/03 09:22 PM Re: Annual Security Report to the BOD
abloom Offline
New Poster
abloom
Joined: Sep 2003
Posts: 7
Iowa
I agree w/ RO. In order to achieve your objectives under your APG, you must perform adequate test work. In this security audit, your objective was to determine if the SO was reporting to the BOD in a timely fashion. Your objectives and the objectives of your regulatory agency may not always coincide, but if your APG was approved by the Audit Committee, stick with it and report all exceptions.

#113480 - 09/09/03 10:28 PM Re: Annual Security Report to the BOD
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
"They didn't catch it, so it isn't wrong" doesn't fly. This is where you tout the fact that you are sharper on this than they were. Now it won't be overlooked this year. And the examiners shouldn't go back and cite it on their next exam, just denote that you caught it and it was corrected... by adding it to someone's calendar, more than one person's calendar for a double check, etc.

The next report should also include that gap so the board has all the data.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#113481 - 09/10/03 03:39 PM Re: Annual Security Report to the BOD
MackenzieS Offline
Diamond Poster
MackenzieS
Joined: Jul 2002
Posts: 1,722
Oklahoma
Wow! Could you imagine if I did not have to audit everything that the FDIC didn't ask for? I could get rid of my assistant and work part time.

Okay, I am being facetious, but I get tired of hearing that statement from the mouths of management. When it comes to a compliance audit, the best you can do is cite the portion of the regulation and, if there are monetary penalties, show that as a compliance risk and financial risk to the bank.

One of the things that I try to do when conducting an audit is to explain the adverse impact it could have on the bank. My questions would be: did the SO not prepare/present the report to the Board because he hadn't performed his duties, or because he forgot, or what? Remember the Board is always ultimately responsible for the actions/inactions of the bank. If the SO did not perform all of his required duties, then you have larger problems.

#113482 - 09/16/03 09:17 PM Re: Annual Security Report to the BOD
Rangers Fan Offline
Gold Star
Rangers Fan
Joined: Dec 2001
Posts: 345
Plus, point out the fact that if you note the violation first in your audit, they won't cite you for the violation (well, maybe not as harshly) if they find the same thing during an exam (or focused too much on it after reviewing the audits) because you were doing your job and you found the exception and reported on it and now everything is back on track. Does anyone else ever feel like we are in a race to find the "booboo" first?

#113483 - 09/17/03 02:46 PM Re: Annual Security Report to the BOD
Anonymous
Unregistered

You have an obligation as an Auditor to report findings. I would cite it. It is either that, or you will be cited by the regulators for not citing it. Which is worse?

#113484 - 09/17/03 03:54 PM Re: Annual Security Report to the BOD
MackenzieS Offline
Diamond Poster
MackenzieS
Joined: Jul 2002
Posts: 1,722
Oklahoma
Quote:

You have an obligation as an Auditor to report findings. I would cite it. It is either that, or you will be cited by the regulators for not citing it. Which is worse?

Agreed. Do you want it to look like they are not doing their job or that you are not doing your job? We just went through an IT exam by the FDIC and they asked for a copy of this report.

#113485 - 09/18/03 07:04 PM Re: Annual Security Report to the BOD
Anonymous
Unregistered

The most important issue, and it is an issue that no responder has addressed, is first: Did the security officer actually complete an annual assessment of the bank's security environment -- i.e., its architecture, policies; physical, administrative, and technical protective components? If the answer is yes, that an annual, comprehensive security program assessment was completed, then what you really have is a reporting-to-the-BOD problem, and not a problem where you have an indignant or otherwise less-than-fully-competent security officer. The FDIC/OCC/OTS/FED, et al. are too smart to know the difference between a substantive security program -- where an assessment was done -- and a very weak annual analysis that did get reported to the directorate. If as an auditor all you're focusing on is whether the annual report was recorded in the minutes and actually presented to or otherwise indirectly provided to the board, then you're missing the point. The importance of your role as auditor vis-a-vis the board and security officer is to ensure that the annual security assessment is conducted, is comprehensive, and, finally, that the board is informed of, and acts on, the results of the assessment. If all you're focusing on is whether the report is presented and that it's reflected in the minutes, then any security officer who wants to cover his/her a-- will simply turn in a say-nothing report and call it the annual report. That would apparently satisfy you. Perhaps the FDIC actually knew that the annual analysis was done, and they decided not to make a written comment on the delivery issue to the board. Or, maybe the security officer does not have good access to the board or a board committee. The key is...was the report completed?
