Thread Options
#1193441 - 05/31/09 09:47 PM Establishing an Internal Audit Program
Gomez Offline
New Poster
Joined: May 2009
Posts: 15
Our total assets are $195 million and we have seven branches.

We currently have an internal auditor who also oversees compliance. We have a somewhat decentralized compliance function with the senior lending officer responsible for loan compliance, the cashier responsible for deposit compliance, etc.

The auditor has a MPA (masters in accounting) with approximately 15 years experience. Ten at the OCC and 5 at our bank.

We have an active Audit Committee comprised of all outside directors, including an individual who has a Phd in accounting.

Questions:

In general who should be responsible for

Developing the Internal Audit Program
Reviewing the Internal Audit Program for completeness, proper coverage, addressing risk areas, coverage of operational areas, etc.
Monitoring progress of completion of the program.

Should Executive Operating Officers (CEO, CFO, etc.)
Due to the size of the institution Executive Officers serve as Information Security Officers and Risk Officers.

provide any input in the above areas?

Return to Top
Audit
#1193745 - 06/01/09 05:02 PM Re: Establishing an Internal Audit Program Gomez
Fallgirl Offline
Gold Star
Fallgirl
Joined: Mar 2005
Posts: 432
Wisconsin
We are approximately $250 million with four branches. I am the internal auditor/compliance officer. I am responsible for developing the internal audit program. The audit program is a three year plan based upon a risk assessment. I developed the audit program and presented it to the audit committee for review and approval. The audit committee is responsible for monitoring progress of the program.

Return to Top
#1194118 - 06/02/09 12:30 AM Re: Establishing an Internal Audit Program Fallgirl
Gomez Offline
New Poster
Joined: May 2009
Posts: 15
Thanks for the follow up. Does anyone else have any comments.

Return to Top
#1195063 - 06/03/09 02:36 PM Re: Establishing an Internal Audit Program Gomez
Life of Riley Offline
Gold Star
Joined: Sep 2006
Posts: 388
In a pineapple under the sea
Our assets are just over $110 million with 8 branches. I am the sole internal auditor here, compliance (along with BSA) is with the deposit ops manager.

I am responsible for developing the internal audit program in addition to review. The internal audit program once developed alont with my annual audit plan is presented to the audit committee (also comprised of outside directors including CPA)for approval. Througout the year I report to the audit committee on the status of my audit plan and to obtain approval for any necessary schedule changes.

Our EO's have been assigned the reponsibilities of Risk Officer (CFO) and Info Security (SVP, Market Manager). Our regulator (OTS)recommended these functions be separate from IA and approves of the current structure.

Hope this helps you.
_________________________
Just smile and wave y'all, smile and wave...

Return to Top
#1195222 - 06/03/09 05:02 PM Re: Establishing an Internal Audit Program Life of Riley
Neytiri Offline
Platinum Poster
Neytiri
Joined: Jul 2002
Posts: 645
Pandora
I am at a $75MM bank with 3 branches. We have one IA who sets the audit schedule, does the risk assessments for each area/department, decides on the frequency, etc. We use an audit program provided by our CPA firm, but add/change procedures and audits as necessary.

The Audit Committee (all outside directors) is responsible for reviewing and approving the audit schedule, areas audited, and monitoring completeness of the program. We have quarterly meetings.

We have separate Audit and Compliance Officers.

No one should have input on your audit program or schedules except for the Audit Committee, examiners, etc. You can ask for advice and the dept. heads or officers can give input all they want, but you and the Audit Committee have the final say-so as to what is done and when. If you get too involved in a department, or if an exec officer gets too involved in your audit program or schedule, you have pretty much lost your independence.
Last edited by Donna Banker; 06/03/09 05:03 PM.
Return to Top
#1196306 - 06/04/09 09:18 PM Re: Establishing an Internal Audit Program Neytiri
COMPLIcated Offline
Diamond Poster
Joined: Mar 2003
Posts: 1,035
OK
We are $440 mm and have 9 branches. I am the IA & Compliance Officer. We have an audit committee that meets quarter which half of the members are Board of Directors. I create an annual risk assessment (with input from the various dept. heads) and the audit committee and I decide from that what we want to audit for the year. I also manage the program, do reports, track exceptions, and report all this to the audit committee each quarter. As far as compliance, I also have a compliance committee that I meet with monthly just to go over exceptions and give updates. I present that report directly to the Board of Directors each month in their meeting.

Return to Top
#1196373 - 06/05/09 12:45 AM Re: Establishing an Internal Audit Program COMPLIcated
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 78,948
Galveston, TX
"We have an audit committee that meets quarter which half of the members are Board of Directors. "

That is not going to cut it for much longer.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1196725 - 06/05/09 04:51 PM Re: Establishing an Internal Audit Program rlcarey
COMPLIcated Offline
Diamond Poster
Joined: Mar 2003
Posts: 1,035
OK
Yes, we've already been visiting with our regulator about changes when we hit $500mm

Return to Top
#1198363 - 06/09/09 09:41 PM Re: Establishing an Internal Audit Program rlcarey
agent99 Offline
100 Club
Joined: Apr 2008
Posts: 240
Originally Posted By: rlcarey
"We have an audit committee that meets quarter which half of the members are Board of Directors. "

That is not going to cut it for much longer.


rlclarey - do you care to elaborate?

Return to Top
#1198384 - 06/09/09 10:06 PM Re: Establishing an Internal Audit Program agent99
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 78,948
Galveston, TX
For non-publicly traded institutions at $1 billion in assets:

Appendix A to FDICIA indicates that audit committee independence is compromised when its membership consists of current and former officers and employees, relatives of current and former officers and employees, principal shareholders, consultants, advisors, attorneys, and customers with large relationships.

Additionally, the board of directors must review the independence of audit committee members annually. Audit committee members also are required to have banking or financial management expertise.

If you are publicly traded it is at any asset size.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1198541 - 06/10/09 01:36 PM Re: Establishing an Internal Audit Program rlcarey
agent99 Offline
100 Club
Joined: Apr 2008
Posts: 240
oh - I thought I was really missing something. We are light years away from $1 billion.

Return to Top
#1200440 - 06/12/09 04:11 PM Re: Establishing an Internal Audit Program rlcarey
Ready to Retire Offline
Diamond Poster
Joined: Aug 2005
Posts: 2,313
Living in the land of Oz
All of our Audit Committee members are outside direstors but our CEO and CFO also attend the meetings. Is that comprmising the committee's independence? I feel it does, but the chairman does not.

Return to Top
#1200896 - 06/12/09 09:11 PM Re: Establishing an Internal Audit Program Ready to Retire
Hi Offline
Member
Joined: Jun 2003
Posts: 54
From the OCC Handbook on Internal Audit:
12 CFR 363 requires national banks with more than $500 million in assets to have an audit committee consisting entirely of outside directors that are independent of bank management. The OCC encourages all other national banks to have a similarly structured audit committee. In small banks where this may not be practical, outside directors should be at least a majority of the audit committee.

Return to Top
#1200925 - 06/12/09 09:47 PM Re: Establishing an Internal Audit Program Ready to Retire
hawksfan Offline
100 Club
Joined: Mar 2004
Posts: 114
Iowa/Illinois
Originally Posted By: Ms Spring
All of our Audit Committee members are outside direstors but our CEO and CFO also attend the meetings. Is that comprmising the committee's independence? I feel it does, but the chairman does not.


Our CEO, CFO, and Controller all attend the Audit Committee meetings. However, the 4 outside Audit Committee directors have a private session with just the Director of Internal Audit. They also have a private session with only the external auditors. It works for us.

Return to Top
#1200999 - 06/13/09 09:14 PM Re: Establishing an Internal Audit Program hawksfan
Gomez Offline
New Poster
Joined: May 2009
Posts: 15

It appears that several are addressing who attends the meetings.

However, I am curious as to who establishes the internal audit program and related areas of risk, reviews the program for appropriateness and assures it is completed as planned.

Does this responsibility fall on the Audit Committee and Auditor?


Executive management may only attend the meeting as management. That is to discuss internal audit findings (follow up, clarifications of written responses to findings, discuss concerns related to fingings, etc.)

Return to Top
#1201024 - 06/14/09 05:39 PM Re: Establishing an Internal Audit Program Gomez
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 78,948
Galveston, TX
The ultimate responsibility falls to the Audit Committee.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1202001 - 06/16/09 06:28 PM Re: Establishing an Internal Audit Program rlcarey
WV Banker Offline
New Poster
Joined: Jan 2005
Posts: 11
West Virginia
I have a question for Fallgirl and Donna Banker (and any others who care to reply =]) Do you have a staff, or is it just you filling the role of internal audit & compliance?

Return to Top
#1202030 - 06/16/09 07:02 PM Re: Establishing an Internal Audit Program WV Banker
ramelton35 Offline
New Poster
Joined: Jun 2009
Posts: 12
I am the internal auditor at our bank and we are $90 million with three branches. I report to our compliance officer who reports to the CEO/President administratively, but ultimately to the Audit committee. I am responsible for auditing the Lending side of compliance, like Reg. Z etc, however the compliance officer (my boss) is the one responding to my audits on the compliance side. Anyone care to comment on that?

Return to Top
#1202036 - 06/16/09 07:05 PM Re: Establishing an Internal Audit Program ramelton35
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 78,948
Galveston, TX
"Anyone care to comment on that?"

A lot of banks have really screwed up organizational structures smile
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

Return to Top
#1203755 - 06/18/09 06:12 PM Re: Establishing an Internal Audit Program rlcarey
Auditjg Offline
Member
Auditjg
Joined: Sep 2004
Posts: 67
I would agree with rlcarey that ultimate responsibility falls on the Audit Committee for oversight on the internal audit functions, risk, and monitoring. However, that being said, the Director of Internal Audit should be the one that puts the information together (Establishing an Audit plan based on risk assessment from various audit areas that management helps to complete). The Audit Plan would then go to the Audit committee for approval. The Director of IA should periodically report changes to the audit schedule and updates to the Audit committee so that they can properly monitor the Internal Audit function.

Return to Top
#1205631 - 06/22/09 10:51 PM Re: Establishing an Internal Audit Program Auditjg
DerrickAuditor Offline
Member
Joined: Mar 2008
Posts: 91
USA
Ideally, the director of internal audit should report directly to the Audit Commmittee and administratively (to approve expense reports and time sheets) to an executive.

The director of audit performs the audit risk assessment annually and develops the audit plan. Based on risk assessments, the director should develop a 3 year rotation audit plan (high risk areas audited annually, moderate risk areas audited every two years and low risk areas audited every 3 years). The director of audit develops a time budget by audit and a departmental $ budget. The risk assessments, audit plan and rotation, and budgets are reviewed and approved by the Audit Committee.

The Audit Committee ideally is composed of non-management directors (required for certain banks). Ideally (and required for certain banks), at least one is a "financial expert" who can understand financial statements, management estimates, the allowance, etc. Management may attend the Audit Committee meetings, but only to discuss/respond to findings, etc. - not to set objectives, scope, timing, or audit assignments.

Ideally (again required for certain banks), the Committee should meet with the Director of Audit and the external auditors in executive session without management present to discuss whatever topics they want openly.

Return to Top

Moderator:  Andy_Z