We have touched on this some in the past, but the info is scattered somewhat. What are your favorite resources (suggested reading), audit manuals (procedures) and audit-related web sites.

Here are some of mine...

The regulators have good procedures for some areas. The OCC and Fed have good internal control questionnaires built into their manuals. Also, I would recommended reading the manual sections on internal control and internal auditing, as well as the issuances (i.e. OCC Bulletins, FILs, etc.) from all of the agencies. It's just good background information.

Sheshunoff has an Internal Control Manual and a two volume set of Internal Audit Procedures. They seem to be geared more to the large bank and have to be pared back extensively.

The study guides for the Certified Bank Auditor designation (offered by the Bank Administration Institute) are pretty good but very dated. Each discussion includes a description of the area, the risks involved, etc, which is lacking in most manuals. I believe that they are updating this manual, but not sure.

I know the Warren, Gorham, and Lamont manual has been mentioned before. We also use it.

Like most folks that have been in internal auditing for a while, our programs are pieced together from many sources, because one size does not fit all.

COSO's Internal Control - Integrated Framework, in my opinion, is a required read (available from the Institute of Internal Auditors), as are the IIA's Internal Auditing Standards, available at the same site.

Some favorite web sites...
Bankers Online - of course
www.auditnet.org - mentioned many times - many free audit workprograms
www.theiia.org - excellent resource for Internal Audit Standards, general information on internal auditing, source of the Certified Internal Auditor (CIA) designation, books and resources
www.theiia.org/itaudit - probably one of the best resources for IT auditing. Includes hundreds of articles, many in series such as for new auditors, security, etc.

The Internal Auditor magazine from the IIA is very good. You must be a member to access...membership is worth the money.

I just got the new release (5th edition) of Sawyer's Internal Auditing (from the IIA). It looks like a great resource...I have seen it referred to as THE internal audit resource (not specific to banking) in many places and by many people.

What other resources would you suggest?

In regards to certification, I would suggest the following to anyone wanting to seriously pursue a career in internal audit.

The Certified Internal Auditor (CIA) designation is administered by the IIA and is THE internal audit designation. I would also obtain one of the banking specific certifications to go along with it (Certified Bank Auditor, offered by BAI; Certified Financial Services Auditor (CFSA), offered by the IIA; the Certified Community Bank Internal Auditor (CCBIA), offered by IBAA; etc.

The Certified Information Systems Auditor (CISA), offered by ISACA, is THE information systems auditor designation. Another IS-related designation I see frequently is the Certified Information Systems Security Professional, offered by the International Information Systems Security Certification Consortium.

Hey Risk Officer, thanks for answering my question on the FDICIA. I forgot to actually log in on that one.

Some additional websites where I have found very useful information include:
Bank Director- http://bankdirector.com/
Kirchman Corporation- http://www.kirchman.com/
Compliance Headquarters- http://www.complianceheadquarters.com/
Financial Manager's Society (FMS)- http://www.fmsinc.org/cms/
FFIEC IT Handbook- http://www.ffiec.gov/ffiecinfobase/index.html

What I would like to find is a reliable resource on control procedure standards and why. You can deduct from most procedures what the standard may be, but finding the resource or material to support why can be difficult. A lot of recommendations are based on subjective opinion and common sense, such as best practices for key control regarding internal/external devices, night depository controls, and control procedures for exchange items. Are you aware of any resources that provide the industry standard or alternate controls for issues such as this?

I once to tried to support a recommendation regarding who should be required to sign a night depository contract to no avail. And I really don't want to say..Well, the procedural manual asks - "Are there any customers utilizing the n/d facility without the benefit of a contract". All I have been able to do is research different legal cases, commentary from various experts, etc. But nothing in one reference manual seems to be available.

I agree. Telling them "this is a better way" won't work every time! Support would be nice.

I think to go into detail would change the subject of this particular thread.

To answer your question, there is nothing in writing to document exactly what your controls are or should be. Each control environment should be designed to fit the size of the institution.

There may be several instances where a particular control is not being met on the questionnare, but there may be a compensating control to minimize the potential amount of risk. If management still fails to correct, I would simply state the importance and document in your report that goes to the Board.

You are one organized poster!

Those are all great resources - but my favorite is GOOGLE as a resource - 9 times out of ten a GOOGLE search will turn up on target sites with bankeronline.com very often listed within the first page.

I know of no centralized repository for this type of information...such "standards" and commentary are scattered throughout regulatory and industry publications. I have searched for such a "consolidated" guide for over ten years...to no avail.

When you get down to specific situations, the problem with an internal control "standard" is that appropriate controls may differ significantly between institutions due to cost benefit (what is cost beneficial to one may not be to another); risk appetite (the exposure may be acceptable to the management and Audit Committee at my bank, but not at yours); mitigating or alternative controls; etc.

In compliance, you can generally look to the law for the answer (granted, there are gray areas, and, since 100% compliance is impossible, you have to decide on what level of noncompliance is acceptable). When it comes to internal controls, it all comes down to best practice, risk assessment and appetite, and other elements of subjectivity.

I agree that you have to tailor your controls to meet your institutions specific structure, or for that matter, each branch w/in your f/i! Hopefully that is common knowledge among auditors. I would just like to see something that provides info regarding industry standards and possibly alternative solutions and work from there. I have been doing this for a while and am confident in my recommendations, but there are many times that supporting written documentation would be of great help.

Maybe one day the great minds of BOL can come together and put something together!

For those of you out there using FMS's Financial Institution Internal Audit Desk Reference (link), does it include discussions on the different functional areas, risks, controls, etc., or is it just another collection of audit procedures and internal control checklists?

Thanks for the input.

It has an overview of internal auditing, fundamentals, as well as audit programs. If I remember correctly, it also discusses the types of risks associated with the banking industry.

Here is an overview of the chapters for the FMS desk reference - it is a very thorough program.

Chapter 1 Introduction to Internal Auditing
Chapter 2 Internal Audit Department Administration
Chapter 3 Standards of Internal Auditing
Chapter 4 The Auditing Process
Chapter 5 Internal Control
Chapter 6 Risk Assessment
Chapter 7 Audit Sampling
Chapter 8 Documentation and Audit Evidence
Chapter 9 Communication of Audit Findings
Chapter 10 The Financial Services Industry
Chapter 11 The Lending Function
Chapter 12 Deposits and Backroom Operations
Chapter 13 Branch Operations
Chapter 14 Finance and Treasury
Chapter 15 Trust Activities
Chapter 16 Corporate-Wide Activities
Chapter 17 Information Technology
Appendix C Internal Control Questionnaires

wlavoie,

Do chapters 10 through 17 include a good discussion of the processes and risks for each functional area?

Is the FII desk reference the best product out there for organizing and creating a structured audit program? Or are there other audit programs? Thanks

The Warren, Gorham, and Lamont manual (I haven't seen the one by Internal Audit Desk Reference by the Financial Managers Society, which also sounds pretty good) is one of the best I've seen, though somewhat dated. As mentioned previously by numerous posters, there is no one stop shop. The best audit programs are customized to the bank and pull from numerous resources: industry manuals, regulatory procedures, and personal experience. That said, either of the two manuals above should give you a good starting point. Add that to the regulator's procedures, internal control questionnaires, etc. (which are free), and you should have a good starting point.

It has been awhile since I looked at the program, so I had to go back and check! Yes, it addresses the risk components for each area as well as internal controls. It breaks each area down into sections. For example - lending area includes all types of loans: mortgage, commercial, consumer along with servicing, secondary marketing, accounting for loans and ALLL. It also explains the documentation required for each loan type. It discusses dealer loans, mobile homes, etc.

It is really good for anyone who needs a basic understanding (or update) of all the functional areas.