Our total assets are $195 million and we have seven branches.

We currently have an internal auditor who also oversees compliance. We have a somewhat decentralized compliance function with the senior lending officer responsible for loan compliance, the cashier responsible for deposit compliance, etc.

The auditor has a MPA (masters in accounting) with approximately 15 years experience. Ten at the OCC and 5 at our bank.

We have an active Audit Committee comprised of all outside directors, including an individual who has a Phd in accounting.

Questions:

In general who should be responsible for

Developing the Internal Audit Program
Reviewing the Internal Audit Program for completeness, proper coverage, addressing risk areas, coverage of operational areas, etc.
Monitoring progress of completion of the program.

Should Executive Operating Officers (CEO, CFO, etc.)
Due to the size of the institution Executive Officers serve as Information Security Officers and Risk Officers.

provide any input in the above areas?

We are approximately $250 million with four branches. I am the internal auditor/compliance officer. I am responsible for developing the internal audit program. The audit program is a three year plan based upon a risk assessment. I developed the audit program and presented it to the audit committee for review and approval. The audit committee is responsible for monitoring progress of the program.

Thanks for the follow up. Does anyone else have any comments.

Our assets are just over $110 million with 8 branches. I am the sole internal auditor here, compliance (along with BSA) is with the deposit ops manager.

I am responsible for developing the internal audit program in addition to review. The internal audit program once developed alont with my annual audit plan is presented to the audit committee (also comprised of outside directors including CPA)for approval. Througout the year I report to the audit committee on the status of my audit plan and to obtain approval for any necessary schedule changes.

Our EO's have been assigned the reponsibilities of Risk Officer (CFO) and Info Security (SVP, Market Manager). Our regulator (OTS)recommended these functions be separate from IA and approves of the current structure.

Hope this helps you.

I am at a $75MM bank with 3 branches. We have one IA who sets the audit schedule, does the risk assessments for each area/department, decides on the frequency, etc. We use an audit program provided by our CPA firm, but add/change procedures and audits as necessary.

The Audit Committee (all outside directors) is responsible for reviewing and approving the audit schedule, areas audited, and monitoring completeness of the program. We have quarterly meetings.

We have separate Audit and Compliance Officers.

No one should have input on your audit program or schedules except for the Audit Committee, examiners, etc. You can ask for advice and the dept. heads or officers can give input all they want, but you and the Audit Committee have the final say-so as to what is done and when. If you get too involved in a department, or if an exec officer gets too involved in your audit program or schedule, you have pretty much lost your independence.

We are $440 mm and have 9 branches. I am the IA & Compliance Officer. We have an audit committee that meets quarter which half of the members are Board of Directors. I create an annual risk assessment (with input from the various dept. heads) and the audit committee and I decide from that what we want to audit for the year. I also manage the program, do reports, track exceptions, and report all this to the audit committee each quarter. As far as compliance, I also have a compliance committee that I meet with monthly just to go over exceptions and give updates. I present that report directly to the Board of Directors each month in their meeting.

"We have an audit committee that meets quarter which half of the members are Board of Directors. "

That is not going to cut it for much longer.

Yes, we've already been visiting with our regulator about changes when we hit $500mm

rlclarey - do you care to elaborate?

For non-publicly traded institutions at $1 billion in assets:

Appendix A to FDICIA indicates that audit committee independence is compromised when its membership consists of current and former officers and employees, relatives of current and former officers and employees, principal shareholders, consultants, advisors, attorneys, and customers with large relationships.

Additionally, the board of directors must review the independence of audit committee members annually. Audit committee members also are required to have banking or financial management expertise.

If you are publicly traded it is at any asset size.

oh - I thought I was really missing something. We are light years away from $1 billion.

All of our Audit Committee members are outside direstors but our CEO and CFO also attend the meetings. Is that comprmising the committee's independence? I feel it does, but the chairman does not.

From the OCC Handbook on Internal Audit:
12 CFR 363 requires national banks with more than $500 million in assets to have an audit committee consisting entirely of outside directors that are independent of bank management. The OCC encourages all other national banks to have a similarly structured audit committee. In small banks where this may not be practical, outside directors should be at least a majority of the audit committee.

Our CEO, CFO, and Controller all attend the Audit Committee meetings. However, the 4 outside Audit Committee directors have a private session with just the Director of Internal Audit. They also have a private session with only the external auditors. It works for us.

It appears that several are addressing who attends the meetings.

However, I am curious as to who establishes the internal audit program and related areas of risk, reviews the program for appropriateness and assures it is completed as planned.

Does this responsibility fall on the Audit Committee and Auditor?


Executive management may only attend the meeting as management. That is to discuss internal audit findings (follow up, clarifications of written responses to findings, discuss concerns related to fingings, etc.)

The ultimate responsibility falls to the Audit Committee.

I have a question for Fallgirl and Donna Banker (and any others who care to reply =]) Do you have a staff, or is it just you filling the role of internal audit & compliance?

I am the internal auditor at our bank and we are $90 million with three branches. I report to our compliance officer who reports to the CEO/President administratively, but ultimately to the Audit committee. I am responsible for auditing the Lending side of compliance, like Reg. Z etc, however the compliance officer (my boss) is the one responding to my audits on the compliance side. Anyone care to comment on that?

"Anyone care to comment on that?"

A lot of banks have really screwed up organizational structures

I would agree with rlcarey that ultimate responsibility falls on the Audit Committee for oversight on the internal audit functions, risk, and monitoring. However, that being said, the Director of Internal Audit should be the one that puts the information together (Establishing an Audit plan based on risk assessment from various audit areas that management helps to complete). The Audit Plan would then go to the Audit committee for approval. The Director of IA should periodically report changes to the audit schedule and updates to the Audit committee so that they can properly monitor the Internal Audit function.

Ideally, the director of internal audit should report directly to the Audit Commmittee and administratively (to approve expense reports and time sheets) to an executive.

The director of audit performs the audit risk assessment annually and develops the audit plan. Based on risk assessments, the director should develop a 3 year rotation audit plan (high risk areas audited annually, moderate risk areas audited every two years and low risk areas audited every 3 years). The director of audit develops a time budget by audit and a departmental $ budget. The risk assessments, audit plan and rotation, and budgets are reviewed and approved by the Audit Committee.

The Audit Committee ideally is composed of non-management directors (required for certain banks). Ideally (and required for certain banks), at least one is a "financial expert" who can understand financial statements, management estimates, the allowance, etc. Management may attend the Audit Committee meetings, but only to discuss/respond to findings, etc. - not to set objectives, scope, timing, or audit assignments.

Ideally (again required for certain banks), the Committee should meet with the Director of Audit and the external auditors in executive session without management present to discuss whatever topics they want openly.