Anyone ran into a situation where examiners are requiring an independent audit manager for a small community, non-complex bank (about $225MM in assets with 3 locations and 35 employees)?
We outsource our IA function to large independent accounting firm and have all the risk assessments, engagement letters, scoping, audit schedule and findings (both preliminary and final) go directly to the audit committee. The bank's CFO does coordinate this process (more of a liaison role) by gathering PBC requests and helping make sure the audit is ran smoothly. However, any findings are not discussed with the CFO or management until they are presented to the audit committee. Further, the audit firm is aware that they can communicate with the audit chair (an outside director) at any time.
The bank's examiners are saying that this is not acceptable as the CFO is involved in the daily operations of the Bank. In the inter-agency guidance, it states "Small institutions that do not employ a full-time audit manager should appoint a competent employee who ideally has no managerial responsibility for the areas being audited to oversee the outsourcing vendor's performance under the contract. This person should report directly to the audit committee for purposes of communicating internal audit." To me, the key word in this sentence is "ideally".
Any thoughts or suggestions would be helpful!
I think you work for my Bank.
FDIC ~$250MM (depending on PPP Balances)
We got hammered on our Audits and Internal Controls last exam. Admittedly, we had areas that we could shore up, but they essentially told us without telling us that we had to, to get an Internal Auditor in the institution.