This question relates to Sarbanes Oxley. Our Commercial Loan Collateral and Documentation Department does a monthly "audit" of the new commercial loan document closing packages that were reviewed that month by the collateral review specialists. The audit checks the reviewer's work to ensure they did what was necessary to perfect certain collateral documents (mortgages, ucc's, etc.)and caught any exceptions for "missing collateral docs", or any other collateral related problems that could cause risk to the bank. They refer to this monthly audit as their "SOX" audit (and they believe that I, as the Compliance/Risk Analyst for their department, should be performing this monthly "SOX" audit), and I'm wondering if this audit truly relates to any "SOX" compliance issues, or if in-fact any commercial loan collateral issues would fall under SOX compliance? I can't find any info on SOX that would indicate that this is a SOX issue at all, but either way, wouldn't this fall in the category of a "checkback" process that would typically be performed by someone within their department (i.e. the Supervisor of the Review Specialists) rather than by a Compliance Analyst?

While there are some general guidelines typically used, SOX controls are very individualized between organizations. If one of your organization's key objectives (and therefore key control) within commercial loans is adequate collateral and adequate documentation (and these typically are key objectives), then yes, this would be SOX Rule 404 control.

There may or may not be a requirement that a person independent from the lending function perform these checks. This would depend a lot on how this fits within your other lending controls.

I know that seems like a wishy-washy answer, but SOX 404 compliance is not a published laundry list of "must do" items that fits all organizations, but a documentation of how your organization achieves its internal control objectives. If the objectives you talk about have been identified as key, then you need key controls somewhere to achieve this objective, and if you decide this check process is the key control, then yes it is an integral part of your SOX documentation. If you decide that you don't need segregation of duty (i.e.-person external to the loan function doing the check), you need to convince your auditor that you achieve the results without segregation. If you do decide you need segregation, then someone outside the loan function will need to perform these checks.