Our National Bank has assets of $225 million. Our audit committee meets 3 times a year and is composed of all outside directors. The bank president is included in the begining of the meeting but excused when reports are presented. He is called back in at the end of the meeting. He wants to change this to be present for the whole meeting, possibly excusing himself for a time where the internal auditor could have a closed meeting with the committee. When he is in for a whole meeting, he will interject his view of the audit recommendations. He has said to the committee that the internal control recommendations are the "Jane's opinion". Additionally he will give the management discussion points, or indicate the finding is unwarranted and outside the scope of a risk based audit, when he does not agree with the auditor recomendations. It does not seem fair to have to defend the audit decision at this point in time, when audit reports are supplied well in advance and management has given a written response. The president argues that management does not have a voice in the Board room. I interpret the OCC as supporting the internal audit function reporting directly to the audit committee. Am I correct? What's your take on this?

It is going to be the board decision, but it sounds less than productive to me. If the audit committee wants to hear from management in additional to any written response, they should have a separate session with them without the auditor.

Thanks for your response! Any others out there?

You are correct. Based on my experiences with OCC-regulated banks with assets under $500 million, they want the internal audit function and outside auditors to report directly to the audit committee without any filtering or influence from management. Unless your institution is publicly-traded, a bank of your size is not technically required to have an audit committee that is completely independent of management. However, your board should be commended for establishing an independent audit committee.

I agree with your thought-process and I agree with rlcarey's comments as well.

We were OCC regulated and under $500MM. At our quarterly Audit Meetings management stayed in the room while the audit results were presented, but there wasn't discussion on managements part other than any confirmation of their response. Then management (and me, Compliance) left so that only the audit committee and auditors remained.

The real issue is, will audit results change, on either past audits now disputed, or on future audits where the auditor may become gun-shy? If it is working now, it ain't broke so don't fix it. If management intends for it to change, that is an undue influence. Management already has the opportunity to respond. Now they want to further tweak the audit results, opinions, corrective actions, etc. That isn't what is supposed to happen at that point. I see nothing wrong with them hearing the presentation, but there isn't input from them at that point.

Thanks everyone! I feel so much better knowing my logic is appropriate. What a valuable resource this site is

We are regulated by the OCC and have assets of about 170 million. The president is included in the audit committee meetings, so he knows what is going on in other areas of the institution. We also have an open communication and I am comfortable stating my findings and recommendations in front of him. I think that helps. Also, if I have an issue that obtains to him, I talk to him about it then depending on the issue or the risk it has on the institution,I will explain to him that I need to have an executive session with the committee alone. At that time we discuss the issue and then he is called in to explain his response. That way there is no surprises. Right or wrong that is what works for us.

For a little extra ammo, look at this C&D that was issued last month...

http://www.occ.treas.gov/FTP/EAs/ea2008-070.pdf

Specifically, go to page 12, item (5). Quoting directly: (5)
The Board, or a designated committee of the Board, shall ensure that the audit program is independent. The persons responsible for implementing the BSA audit program described above shall report directly to the Board, or a designated committee of the Board, which shall have the sole power to direct their activities. All reports prepared by the audit staff shall be filed directly with the Board and not through any intervening party.

Granted, this was just BSA but it is still a specific regulatory order pertaining to audit indpendence.

Our Audit Committee meets 8-9 times a year. Four meetings are devoted to internal audit activity (i.e. presenting audit reports, open issues, status of the audit plan, etc.).

Management attends meetings for the duration, though we have executive sessions between internal audit and the A/C about 5 times per year (during these sessions, you can and should voice any concerns you might have). Management also has an executive session with the A/C, without internal audit present. The external auditors have 1-2 executive sessions with the A/C, without management or internal audit present).

On thought on minimizing the tug-of-war. Our internal audit reports contain an executive summary that address the scope, overall conclusions, number of findings by area, etc. Only the High Priority issues are spelled out in the executive summary. Moderate and Low Priority issues are not. Same thing when we review the status of open issues - we only present the status of High Priority issues to the A/C. The full report is presented to executive management monthly. This, of course, must be ok with the audit committee, as they may want all of the detail. Not necessarily productive, in my opinion, but they are internal audit's primary customer so you give them what they want.

Another thought... Life is not perfect. Ideally, the President would not try to ramrod the meeting or belittle the findings of the internal auditor. If he does, however, that is outside your control. All you can do is present your opinion of how things should operate, if asked.

Regarding the president belittling your findings, you must do your homework and be prepared to stand your ground. Much of this will come with experience. Focus on the facts and don't take things too personal. Keep in mind the following: state the current situation / facts; state the standard / expectation (and the source of the standard...more difficult when very subjective); state the risk of not meeting the standard (if we don't have dual control over the wire function, some could wire out the bank's capital account); present your recommendation for mitigating the risk, realizing that it is the job of management and the board to establish the risk tolerance, not the internal auditor. Be willing to work with management/managers on the resolution, and be sure and consider compensating controls. Keep in mind that all controls must meet the cost benefit test (unless absolutely mandated by law/regulation). Make sure your recommendations are make sense from a business point of view, not just come from a checklist somewhere.

At the end of the day, much of your working environment is outside your control. If the president is too overbearing and the A/C can't or won't keep him/her in check, you have to decide if this is the place to be.

I echo Risk Officer's last paragraph. Seems to me the issue here is the audit committee, not you, nor the president. The meeting interaction you describe is more or less the normal give and take between operations/profits and control and the committee should be listening to both of your opinions and making decisions based upon both viewpoints. Problems arise when an audit committee goes too far to the extreme one way or the other. My guess is that, from the way your question is laid out, and from the fact that you asked the question at all, your audit committee is almost exclusively leaning toward the opinion of the operations/profit side (in this case your president) versus the opinion of the control side (in this case, you, the auditor). This often arises for several reasons, one of which, typically found in smaller banks, the members of the committee aren't knowledgeable about anything you're talking about when it gets to the nitty gritty technical aspects, and are afraid to show this, and so lean on the president too much to direct them. In larger institutions, the scope of what's presented to the audit committee is much broader in nature, so very rarely are small audit findings even getting to the committee, so whether or not the committee understands all the details of the audit is much less an issue.

Most of the time this works out OK and nothing really "bad" happens, but unfortunately the downside is tremendous because it opens up a lot of doors for senior management override of policies and controls. Dot your i's and cross your t's to show you've done your job.