In our last FDIC exam, we were advised to conduct an audit of our Internal Controls. Does anyone have such an audit/workpapers that they would be willing to share? What areas are covered in this type of review? Any help would be greatly appreciated. Thank you

This was a very broad statement made by the examiners. Internal controls involve absolutely every aspect of banking operations. Did they give you any type of indication of an area where there might have been some weaknesses?

Internal controls could be anything from dual control over a vault to security controls for your data processing center. I for one would be willing to help you out if the scope could be narrowed a bit or maybe what they are wanting to see is more of an Audit program that addresses internal controls.

My bank is over $500 million and therefore; we must comply with Part 363. In order to be in compliance with this part, Management must provide an annual attestation of the effectiveness of internal controls. This can be done in various ways.

Through self-monitoring of each Department where they fill out an internal control questionnaire for their area (Sheshunoff has a great Internal Control Manual that has checklist for all Departments) - in addition - We also send out with each audit performed an internal control questionnaire. After the audit is complete, we compare the findings to the questionnaire.

I believe that is probably what the examiners are talking about. Each bank should be able to ensure that their internal controls are effective. Hope this helps!!!

I'll also add that our State banking laws require each state bank to have "Requirements, Standards and Procedures for an Internal Control Program". All of the requirements combined are six pages long. Some of this is reporting requirements to the board and some of this is reports that the Audit department collects and retains as evidence of compliance with the program.

Each month I have to sign a statement that goes before the board that states all Minimum Control requirements have been met (or if they haven't then why).

I would be glad to fax you a copy of this so you can see what is considered in a control program. Granted, this is our state requirements but the FDIC also reviews these same controls during their Safety & Soundness exam, so it could be a good place to start.

You may also want to consult the COSO Internal Control- Integrated Framework.

Start with the FDIC's Internal Control guidance from their exam manual. The Federal Reserve has detailed internal control questionnaires (ICQs) in their commercial bank examination manual, which can be downloaded here. The OCC and OTS also have ICQs in some of their manuals.

Of course, as mentioned above, COSO's Internal Control - Integrated Framework is the prominent guidance on internal control. It can be purchased from the IIA web site.

Sheshunoff, the Financial Managers Society, etc., have audit and internal control manuals that you can use as well.

I'd be interested in seeing what you State regulators want for an "internal control audit". I've always operated under the assumption that controls should be incorporated with each audit program, not a totally separate program.

Sandra,
If you will send me a private message with your fax number I will be glad to fax you a copy and discuss this with you.

Let me add real quick...I understand your thought but look at it this way, the audit program does not incorporate internal controls we audit internal controls. The internal control program I have is a requirement by our state for all Oklahoma banks. It is my job to ensure that the bank has implemented the controls and that we routinely test them to ensure their adequacy.

Once you implement SOX 404 by 12-31-2005 this should be taken care of. I think maybe they are jumping ahead to make sure you have 404 implemented on time.