Auditable Areas

Posted By: mojoe472

Auditable Areas - 02/24/03 08:53 PM

I work for an FDIC regulated bank. Is there an FDIC or other regulation/law/act whereby every area of the bank (even a low risk function like the mailroom) is required to be reviewed by the internal audit department on a periodic basis?

Something I heard but could not find anything on this.

Posted By: DawgFan

Re: Auditable Areas - 02/24/03 09:23 PM

You do have areas, like BSA and Information Security, where they will expect to have seen those areas audited (because the regs call for testing of controls), but I am not aware of a particular reg like that.

Posted By: 1111

Re: Auditable Areas - 02/24/03 09:44 PM

The FDIC has very little direct interest in specific areas of internal audit, except for those areas that are impacted by a law or regulation. That's why consultants offer regulatory audits or internal audits - two separate "products." In the old days, regulators had a lot of interest in internal audit tasks, but that has changed, big time. The FDIC simply wants to know that your bank has a program but it would be very unusual for a regulator to tell you to, for example, audit the mailroom.

On the other hand, the auditing of the mailroom may be on an internal audit list, depending on risk factors.

Posted By: MackenzieS

Re: Auditable Areas - 02/25/03 07:58 PM

We are also an FDIC regulated bank. I am not sure about the state in which you live, but in Oklahoma the FDIC trades off with the Oklahoma State Banking department to conduct Safety and Soundness audits every other exam. Therefore I know that they do care about internal audits. What they tend to review during their exam is the requirements imposed by your state banking rules. In my experience I have downright argued with them more so over internal controls than over compliance issues simply because internal controls can be a gray area where regulations tend to be more black and white.

On top of that you may have an examiner that has a real beef about a particular control and want to write you up for it when they can't point to a state banking code that says you have to do it that way, but that they feel it would be "in our best interest" to do it their way.

As far as the mail room, you could say that there is a risk associated with deposits or loan payments coming in through the mail. Are these being opened under dual control? How are they being logged? It is a risk; it is how you foresee that risk being detrimental to your bank that tells you whether or not you should audit that type of an operation.

Here is a link to the FDIC's Safety & Soundness examination manual. This should guide you to what they would review during their examination so maybe you could gear an audit program to that.

Posted By: Pale Rider

Re: Auditable Areas - 02/25/03 08:27 PM

Internal audits should be based upon risk assessments. Therefore, some areas of the bank may go a long time without review while others more often. Follow your risk assessment and the FDIC will be pleased.

Posted By: 1111

Re: Auditable Areas - 02/25/03 09:39 PM

Things are different in Oklahoma, apparently, as in my state the FDIC simply looks over the program of internal audit tasks with no interest beyond that. They conduct a "compliance exam," not an internal audit exam - they are two different animals.