We are an OCC bank with assets < $1 billion but occassionally we outsource internal audit procedures due to staffing resources or to use an external firms expertise. During a recent OCC exam, our OCC exam team has stated that in this situation, I should be writing the workprogram, determining sample sizes, reviewing all workpapers and if not detailed or sufficient testing, require additional work or documenation. Have other banks had this same critique?
In some cases, i.e. technical IS scanning, firewall review, etc. I do not have the expertise to make these judgements. In this case, do we hire someone else to check these?