I am looking for banks similar in size and type to ours to tell me how their Compliance Department and Internal Audit Department works.

My bank is $160 million with 87 employees, 11 branches, 2 loan production centers, and 1 mortgage center. We have one Compliance Officer/Internal Auditor who handles all Deposit and Lending Compliance as well as auditing for all areas of the bank.

Is this how other banks handle these departments? If not, what are the responsibilities of the Compliance Officer and the responsibilities of the Internal Auditor?

Thanks for any help!

We are a $156 million bank with 47 employees - 4 branches - 1 loan department. I am the compliance ofcr/interal auditor who handles all deposit and lending auditing. Besides these hats I oversee HR and marketing. Sorry I couldn't put more of a positive spin and get you some help. But after 4 years I finally rec'd an HR generalist and a marketing coordinator to assist me. But compliance is still all mine. Hope this helps. Have a great NY!

We are $250 million, 6 branches, 1 loan center. I am compliance officer and internal auditor, security officer, etc.... However, we also outsource annual audits of all compliance areas to an external audit firm. They're my check and balance.

Pizzaz: Do you do internal audits and if so what all do you audit?

I do internal self-assessment audits of loan files, deposit operations compliance, NDIP and branch audits. Our external audit firm conducts audits in the above area annually, as a cross-check to me.

We are $280 million, 5 branches.
2 in the audit dept (including me). One of us is also IT and compliance. The other(that's me) is SLOWING taking on the compliance role, too. We have a seperate loan review dept., that I audit quarterly.

Just curious "mom," - I am the manager of the Loan Review Department. Exactly what do you audit in Loan Review? We have no transactional authority. Our check and balance is our annual safety and soundness FDIC & State exam. I just never really thought about Audit "auditing" my department - what do you look for?

I am mostly looking at a selection of files for compliance violations, whereas the loan review is looking at them for credit/ collateral worthiness. So I guess it's not really an audit of the "loan review" dept., sorry if I sounded like that.

I look to make sure the Grade assigned to a loan agrees to our system, there is compliance with Reg. Z, the board is properly aware of Watch list and Classified loans, bank policy is being followed, upgraded or downgraded loans are properly approved, and that there is proper documentation of charged off loans. I also do this audit with a Reserve for Loan Loss audit, so I am particularly concerned with the amounts that make up each of our grading categories.

Gottcha. I just wanted to know if I needed to suggest to my audit department that they include my department in their audit schedule to protect my behind!!! But since I am lending compliance also, we review loan files for everything from cash flow and appropriate grade to compliance with all laws and regulations. I also calculate the loan loss adequacy report which is reviewed semi-annually and validated by external auditors. Thanks for the reply. I hope your daughter is having a great day! (and you too!)

I would also be interested to know the difference in bank's compliance officer's role and the internal auditor's roles. Any help out there?

IMHO, the best use of a compliance officer is policy writing, staff training, compliance reviews (sampling and checking for regulatory compliance exceptions), and maybe most importantly help desk for everything regarding regulations (this could simply be a teller with a question about a customer sitting at their station all the way to state/federal legal matters the CEO is curious about). Also, cooridinating exams and government reporting (HMDA/CRA). The best use of an auditor is to perform audits using audit programs and keeping to a calendar approved/established by audit committee. The audits I am familiar with are typically more procedures inspecting and internal control weaknesses related. The auditor should be completely independent of operations (including policy writing) and should audit the compliance function of the bank. Also common for auditors is to include IT auditing.

Again this is simply my opinion and I would be the first to say there is no one right way and everything else is wrong. It depends a lot on the bank and their needs. The board owns the bank and it is their responsibility to address liability.

I would further say in my opinion auditors strive to minimize/reduce financial loss exposure to the bank. Compliance officers strive to minimize/reduce loss from regulatory compliance violation exposure (both potential lawsuit losses and potential governmental penalties).

At many if not most banks employees have to wear multiple hats. I have seen a recent survey that showed about 30% was both compliance and audit, about 30% was compliance and security, about 10% were soley compliance, and the other 30% wore compliance plus another hat besides audit or compliance.

Thank you for that last post - that was the information I was looking for as far as responsibilities for CO and IA, but I would still like to get more input from other banks what they do for IA and CO. Thanks!

I will tell you several years ago I audited the Loan Review function. I found where there were statements in the review that weren't true and brought it to management's attention. Unfortunately, the head of loan review was making short cuts and not obtaining annual statements, but still coming out with satisfactory reviews. It wasn't pretty.

We are approaching $300 Million in assets. We have 2 auditors, and a compliance officer- seperate from the audit function. 120 FTEs. The CO is only responsible for consumer compliance (go figure) and that is the only hat he wears. In my opinion money could be saved by combining the position with something else, maybe the security officer.

We are approaching $500 Million in assets and have 7 branches and about 200 employees. Here we have a full time Internal Auditor (focuses on internal controls, matching procedures with bank policy), full time CRA/CO (handles loan review, policies, training, large bank CRA & does various other audits for bank-wide compliance) & full time CO Assistant (handles CRA/HMDA data entry, monitors flood insurance, Reg D violations, etc.). Our BSA and Security is handled by people that wear additional hats.

We are $325MM, 11 offices, 150 employees and I had been wearing Audit and Compliance hats until recently. We added a Loan Compliance officer and I still have Deposit Compliance. She also wound up with HR so I just quietly kept the Deposit Compliance. Progress is progress.

Either we are grossly overstaffed, or we are trying to control every aspect operations and human nature because we are at $320,000,000, 152 FTE staff, 6 locations and have an Internal Audit department with 3 (includes deposit compliance and IT security) and a Loan Review Department with 3 (which includes lending compliance, CRA & Freddie Mac quality control).

We are 1.1B, 14 branches, 280 employees. Compliance Officer/General Counsel w/ one assistant. All auditing is outsourced.

$200 million, 14 branches, 110 employees. Compliance officer - no auditing, Internal auditing - completes all internal audits, also outsource audits as a follow up to the Internal Auditor.

$650 million, 21 branches, 300 employees, the Audit and Compliance Department is combined and consist of three people. Have separate BSA Officer, Security Officer,a CRA Officer (they wear additional hats). Compliance is monitored by Loan Operations and Deposit Operations. Some monitoring is done by the Audit/Compliance Department - we also audit for compliance so we have to be careful of who is responsible for which audit for independence purposes. We also outsource IT, Consumer Protection, and ACH audits - but we do some in-house auditing in these areas as well. This department was combined back in middle 2004 - seems to be working really well so far.

We are a $185 million bank. We currently have 95 employees. We have 1 CO and 1 IA. The CO also is BSA/CRA/HMDA/Sec Offcr. IA complete consumer audits, NDIP, ACH as well as Safety & Soundness type audits. We also outsource auditing 12-18 months as a checkback to the IA dept.

We are a $270 million bank with 11 branches. Our bank has 1 Compliance Officer, 1 Internal Audit and 1 Security Officer. CO is responsible for Deposit and Lending Compliance and is also the BSA officer. The Compliance Officer has been working with a retired employee to begin conducting compliance audits. I/A performs all other audits, including BSA, NDIP, Deposits, Loans, Maintenance Changes, Funds Transfer, Asset Liability Management, Safeguarding Customer Info, Investments, etc..

We have a BHC that owns 5-chartered banks, for a total of 18-branches and 350+ employees. In the BHC we have both a compliance dept and an internal audit dept and each dept is staffed with three persons. I am one of the BHC compliance staff. About 90% of the compliance reviews are done by the BHC compliance staff, the other 10% is outsourced. The audit reviews are about 75% done by BHC audit staff with the remaining 25% outsourced.

Within each of the bank charters is a CO, but most of them are in name only....... we are still trying to get them to be more involved within the compliance aspect, but that is an ongoing struggle since that is not their "main job". Each charter also has a CRA Officer, BSA Officer, etc. They may or may not be the same person.

I just currently took the job as compliance officer and internal auditor. We have not had this position before. Our compliance was divided out amongst different officers and out audits were outsourced. We are a $50 million bank and we have 2 branches and 35 employees. Do we need to do two risk assessments? One for compliance and one for audit? I would love any input.

I know of several banks that do this. How about if you review the programs you will be using and see if it will cover both? I was just thinking, our IA does things like branch audits, bank rec audits, money order/trav check audits... and the like. Those are things I would not do as a CO.

So, I guess you just have to make sure you cover anything. It is probably very manageable for a smaller bank. Maybe all that you need to do is incorporate your compliance reviews with the audit programs.
I'll be interested to hear what the others have to say. I know there are several on BOL.

Hopefully you have a strong audit committee as well. Best of luck. Sorry I am not more help.

From an internal audit standpoint, I would not want to be responsible also for the compliance function being that it would compromise my independence. My job is to audit to ensure that the company is acting to ensure the compliance.

Quote:

---

Do we need to do two risk assessments? One for compliance and one for audit? I would love any input.

---

I am over both. We are about $110MM with 4 locations. I do one assessment but I seperate the compliance and IA items. I schedule compliance and IA items at the same time and report on both. For example, when I perform a loan review, I also look at Reg Z, HMDA, RESPA, etc. I find it easier to kill 2 birds with one stone.

Quote:

---

From an internal audit standpoint, I would not want to be responsible also for the compliance function being that it would compromise my independence. My job is to audit to ensure that the company is acting to ensure the compliance.

---

I disagree that it compromises my independence. We have a staff Compliance Committee that is made up of key people in each department. Each member is responsible for the day-to-day management of compliance in their area. My role as Chairman of the committee is to make sure that everyone is kept informed of changes, etc. I am also a resource for the "tough calls". Therefore, when I audit, I am more auditing them, then myself. See the FDIC's FIL 52-2003 from 6/20/03. An excerpt from the Overview of the Compliance Exam:

A compliance committee, either as an alternative to or in addition to a full-time compliance officer, could be formed consisting of the compliance officer, representatives from various departments, and member(s) of senior management or the board. However, the ultimate responsibility of overall compliance with all statutes and regulations resides with the board.

This FIL would be a good place for you to start, if you are new to the compliance area. There is also an Interagency Policy Statement on the Internal Audit Function that would also be good for you to read.

We too have a compliance committee - I sit in as an observer at committee meetings, but I am not considered a member of the committee - I add compliance issues to all my audits performed in each area.

We are at $750MM in assets w 9 branches (2 more on the way), 1 comml/consumer loan center, indirect auto, trust dept, NDIP referral sales. Compliance consists of me and 1 assistant (looking to add 1 more FTE this year due to BSA). Audit consists of 2 FTE (again they are looking to add 1 more FTE this year due to SOX) I hold titles of Compliance, CRA, and Privacy Officer concurrently with possibly adding BSA to that this year.

I view Compliance as a preventative/education tool (similar to anonymous response #299544) and Audit as an identification/reporting tool. We do perform periodic reviews to ensure that compliance is effective. Audit does perform reviews of us. Credit review is a separate function and we hire outside consultants for this purpose.

I personally don't view them as a combined dept. It is very difficult to gain employee trust and confidence in Compliance if they know you are turning around to write them up later. I encourage employees to come to me with issues so we can resolve and correct them before internal/extermal audit shows up. It's not a dig at audit, just a recognition of the difference in the functionality of the depts. No offense to any auditors reading this. My CEO and CAO both agree with this philosophy. I do work with Audit on many occasions to educate them on both regulatory issues and bank policy/approach to it. I also assist them with research upon request.

This is the philosophy that I was getting at - just didn't have as good words as Ford here.

I don't think you're overstaffed...we are understaffed. Of course we are probably paid much more than you are.

I am employed at the Holding Company level, holding company owns 3 banks with total 500,000 million. I am responsible for compliance and also assist in audits. We have 3 other individuals in the audit dept. We do all audits and reviews for the 3 banks.

We are 200 mil, 60 employees, 4 branches, 1 LPO and two more branches "in the oven". I am an audit department of one. I do everything except the IT audit; including loan review. I am also the compliance officer. All our managers have the final responsibility for compliance-I make suggestions and facilitate a monthly compliance committee meeting. I do not write policies or procedures, but I do review them. I also review all advertising for compliance and monitor for check kiting. I recently obtained more objectivity in that I report directly to the board and the audit committee chairman (board member) conducts my reviews. This also allows me to assist our external auditors, saving time and money.

Hope this gives you some ideas.

Hi visit www.bis.org and write the word compliance you will find a vary useful information

Hi Kari, I am a new compliance officer. Our bank is $125M and is also in Pa., have a separate internal audit function. I would like to share ideas with you from time to time as it may benefit us both.

What about this - is there any conflict of interest in having an Operations Department Manager also be the BSA Officer?

don't know but I think the best person to answer this would be EdOils or Devil Queen!!

Joker, would you say in that case then, that the Operations Department manager should have inquiry only access to the internal systems?

It really depends on their job duties. the new examination guidelines indicates that one of the things to review for is:

Provide for dual controls and the segregation of duties. Employees that complete the reporting forms (e.g., SARs, CTRs, and CTR exemptions) should not also be responsible for filing the reports or granting the exemptions.

At my old bank, I was deposit ops mgr adn BSA officer. I didn't do the daily CTRs, but I signed off on them. I did grant the exemptions, and I did file the SARs.

The annual review had to be done by our internal auditor.