The most important issue, and it is an issue that no responder has addressed, is first: Did the security officer actually complete an annual assessment of the bank's security environment -- i.e., its architecture, policies; physical, administrative, and technical protective components? If the answer is yes, that an annual, comprehensive security program assessment was completed, then what you really have is a reporting-to-the-BOD problem, and not a problem where you have an indignant or otherwise less-than-fully-competent security officer. The FDIC/OCC/OTS/FED, et.al. are too smart to know the difference between a substantive security program --where an assessment was done -- and a very weak annual analysis that did get reported to the directorate. If as an auditor all you're focusing on is whether the annual report was recorded in the minutes and actually presented to or otherwise indirectly provided to the board, then you're missing the point. The importance of your role as auditor vis-a-vis the board and security officer is to ensure that the annual security assessment is conducted, is comprehensive, and, finally, that the board is informed of, and acts on, the results of the assessment. If all you're focusing on is whether the report is presneted and that it's reflected in the minutes, then any security officer who wants to cover his/her a-- will simply turn in a say-nothing report and call it the annual report. That would apparently satisfy you. Perhaps the FDIC actually knew that the annual analysis was done, and they decided not to make a written comment on the delivery issue to the board. Or, maybe the security officer does not have good access to the board or a board committee. The key is...was the report completed?