Here is our policy which is Minnesota state specific but should give you an idea of what they may be looking for.
The Bank hereby adopts the following Internal Control Policy in accordance with sound banking practices.
The Bank will have a designated internal control officer who will be responsible for overseeing the internal control functions. As required by Minnesota Bank Audit Rule 2675.2600, the officer will determine an internal control system is in place and that control procedures are being followed.
The internal control system consists of: 1) general policies approved by the Board, 2) management policies and procedures, 3) department operating procedures and standard control documentation, and 4) specific internal control, monitoring, and validation practices. Internal Control documentation will be retained by the Internal Auditor with verification reports sent monthly to the Board of Directors. Procedures and statements of policy are contained in a separate internal control file.
As required by Minnesota Bank Audit Rule 2675.2610, the Bank will have an annual audit conducted that will contain the minimum requirements as provided in Rule 2675.2610. The annual audit/Directors’ Examination will be performed by the designated Internal Auditor, or by an independent qualified accounting and auditing firm. The results of the annual audit will be reported to the Board of Directors in accordance with Rule 2675.2610.
The Bank recognizes that the cost of a system of internal control should not exceed the benefits derived and the evaluation of these factors requires estimates and judgment of management. The Bank also recognizes the overall objective of the internal control process is to provide reasonable, but not absolute, assurance that the Bank will achieve:
 Effective and efficient operations (including safeguarding of assets);
 Accurate recording of transactions;
 Reliable financial records and management reporting;
 Effective risk management systems;
 Maintaining accountability for assets; and
 Compliance with applicable laws and regulations.
The procedures and statements of policy contained in the separate internal control file are not intended to be all-inclusive. There are additional procedures and inquiries that will be performed by the external auditing firm or by the designated Internal Auditor that are not contained in this policy.