Home > Regulation & Examinations > Bank Examinations > Risk Management Manual of Examination Policies
Risk Management Manual of Examination Policies
Section 4.2 - Internal Routine and Controls
The board of directors is responsible for ensuring the proper and profitable conduct of banking activities; the safety of the bank's assets; and the accuracy and adequacy of periodic reports to shareholders, regulatory bodies, and in some instances, the general public. As a result, the primary responsibility for creating, implementing, and monitoring a system of internal control rests with the directorate. Rarely, if ever, can the board personally discharge the many duties stemming from these responsibilities. The workload usually demands delegation to the management team and other employees. Increases in asset size and complexity and business lines result in the need for a continually growing and changing series of interrelated operating procedures intended to establish and maintain control over delegated duties. These continual changes require that the internal control system be periodically reviewed and updated in order for it to be effective.
Internal control is a process designed to provide reasonable assurance that the institution will achieve the following internal control objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and, compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components, which is brought about by an institution's board of directors, management, and other personnel, is essential to achieving the internal control objectives. This description of internal control is consistent with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) report entitled Internal Control-Integrated Framework. Institutions are encouraged to evaluate their internal control against the COSO internal control framework if they are not already doing so.
Basic Elements of an Internal Control System
Internal accounting controls are the techniques employed to prevent and detect errors in the processing of data and to safeguard assets and the reliability of financial records. Many internal control techniques are built into the operating system so that they appear to be part of the normal processing of a given task. Any attempt to identify and evaluate the overall system of controls requires that individual activities be considered in concert with other activities. The relative importance of an individual control, or lack thereof, must be viewed in the context of other control procedures that are in place. Every bank is unique, and one set of internal procedures, or for that matter, even a few sets of alternative procedures, cannot be prescribed for all cases. There are, however, certain basic principles and procedures that must be present in any bank to ensure the adequacy of internal controls. These include: development of an effective organizational structure; establishment of appropriate accounting procedures; provisions for the protection of assets; and development and use of an effective audit program.
The control environment begins with the bank's board of directors, which is responsible for the development of objectives and policies and for monitoring adherence to such. The policies established should ensure that decision-making authority is vested at the proper management level and that management decisions and policies are properly implemented throughout the organization. An effective directors' audit committee, made up of or including outside directors, is desirable to accomplish that responsibility.
The organization plan must have the complete support of the board of directors and must establish clear lines of authority and responsibility. The plan must segregate the operating and recording functions and provide for employees who are qualified to perform their assignments. From an organizational viewpoint, an internal control system, at a minimum, should provide for the items listed below.
Limitations imposed by the board of directors with regard to authority levels, such as lending and investment authority and responsibilities, should be clearly detailed in (preferably) written job descriptions and policies. Actions taken by officers should be subject to periodic review by the board or a committee thereof. This control feature should provide for a reporting system that keeps the directors informed of such items as new loans, overdue loans, overdrafts, securities transactions, the statements of condition and income, and expense and audit reports.
Segregation of Duties
The participation of two or more persons or departments in a transaction causes the work of one to serve as proof for the accuracy of another. Additionally, when two or more persons are involved in a transaction, the possibility of fraud diminishes considerably. Ideally, duties should be arranged so that no one person dominates any transaction from inception to termination. For example, a loan officer should not be allowed to disburse loan proceeds; those having authority to sign checks should not be assigned to reconcile correspondent bank accounts; records should be reconciled to the general ledger by someone other than the one originating the entries; and IT service center personnel should not initiate transactions or correct data except when such activity may be required to complete processing in a reasonable period of time (if this unusual situation arises, transactions should be approved by appropriate levels of management at the data center and at the serviced institution).
Rotation of Personnel
Planned and unannounced rotation of duties is an important principle of internal control. The rotation should be of sufficient duration to be effective. Rotation of personnel, besides being an effective internal check, can be a valuable aid in the overall training program.
Sound Personnel Policies
Sound personnel policies are conducive to establishing an effective control environment. Such policies should include hiring employees for positions commensurate with their skills, effective training before assignment to more responsible positions, and evaluating and reviewing job performance with each employee.
All banks should have a vacation policy, which provides that officers and employees be absent from their duties for an uninterrupted period of not less than two consecutive weeks. Such a policy is considered an important internal safeguard largely because perpetration of an embezzlement of any substantial size usually requires the constant presence of the embezzler in order to manipulate records, respond to inquiries from customers or other employees, and otherwise prevent detection. Examiners and bank management should recognize that the benefits of this policy may be substantially, if not totally, eroded if the duties performed by an absent individual are not assumed by someone else. Where the bank's policy does not conform to the two-week recommended absence period, examiners should encourage the board of directors to annually review and approve the policy actually followed and the exceptions allowed. In such cases it is important that adequate compensating controls be devised and strictly enforced. If after consideration of all relevant facts and circumstances it is determined that the vacation policies are deficient, the matter should be discussed with the chief executive officer and the board of directors. Comments and recommendations on the supplemental Internal Routine and Controls schedule may be appropriate.
The adoption of an accounting system that is flexible in capacity and rigid in controls and standards promotes accuracy and efficiency and holds costs to a minimum. Such a system is considered basic to any system of internal controls.
An efficient banking operation cannot be conducted without a recordkeeping system capable of generating a wide variety of internal information and reports. Such a system is necessary if the board of directors is to be kept well-informed and maximum managerial effectiveness is to be achieved. Furthermore, the needs of customers, supervisory agencies, and tax authorities must be met. Banks are often called upon to produce certain records in court.
While it is expected that forms, records, and systems will differ from bank to bank in varying degrees, the books of every bank should be kept in accordance with well-established accounting and banking principles. In each instance, a bank's records and accounts should reflect the actual financial condition and accurate results of operations. The following characteristics should be found in a bank's accounting procedures.
The accounting system should be designed to facilitate preparation of internal reports that correspond with the responsibilities of individual supervisors and key employees.
Records should be updated daily, reflecting each day's activities separately and distinctly from that of another day. The records should show the bank's financial condition as of the given date.
Subsidiary Control Accounts
Subsidiary records, such as those pertaining to deposits, loans, and securities should be kept in balance with general ledger control figures.
The records and systems should be designed to enable tracing any given item as it passes through the books. The following recordkeeping deficiencies are some of the more prevalent encountered during examinations:
Sequentially numbered instruments should be used wherever possible. Prenumbered documents aid in proving, reconciling, and controlling used and unused items. Number controls, including printer's confirmation, should be monitored by a person who is detached from that particular operation. Unissued, prenumbered instruments that could be used to obtain funds should be maintained under dual control or joint custody.
The uniform handling of like transactions is essential to the production of reliable reports. Accordingly, it is essential that instructions be established for processing routine transactions. In smaller banks where some or all records are manually produced, it may be advisable to reduce instructions to writing, possibly in the form of an accounting manual.
In banks where some or all records are computer generated, there should be an understandable user's guide for each application readily available for reference by user departments and personnel. Manuals for each application normally consist of a guide provided by the servicer and supplemented by procedures written by the user. Manuals normally delineate preparation and control source documents and certain practices pertaining to control over the movement of documents from the user to the servicer and their return, the daily reconcilement of subsystem totals to the general ledger, and changes to master files.
Protection of Physical Assets
A principal method of safeguarding assets is to limit access by authorized personnel. Protection of assets can be accomplished by various procedures, including those listed below.
Tellers should be provided with their own funds to which they have sole access. Common cash funds should not be utilized. Inability to fix responsibility in the event of a difference could be embarrassing and is unfair to all concerned.
Joint Custody or Dual Control
These two terms are not synonymous, but are often discussed in tandem. Joint custody refers to a procedure whereby two or more persons are equally accountable for the physical protection of certain items or records. An example consists of two keys or combinations, under the separate control of two individuals, which must be used in order to obtain access to vaults, files or other storage devices. These custodial responsibilities should be clearly assigned and communicated to all employees. For this system to be effective, persons exercising control must guard their key or combination carefully. If this is done, only collusion can bypass the important control feature. Reserve cash, negotiable collateral, investment securities, trust assets, safekeeping items, reserve supply of official checks, unissued electronic debit or credit cards, unissued traveler's checks, unissued Series E Bonds, the night depository, electronic banking terminals, dormant deposit accounts, safe deposit spare locks and keys, and spare keys to tellers' cash boxes are examples of items that should be under effective joint custody.
Dual control is a related, but slightly different concept in which the work of one person is verified or approved by another. The purposes of involving the second individual are to ensure that proper authority for the transaction or activity is given, that the transaction or activity is properly recorded, and that proper settlement is made. Dual control in automated systems should be used in the same manner as in manual systems. Supervisory holds should be placed on customer accounts requiring special attention. For example, dormant accounts, collateral accounts, and accounts with large uncollected funds normally have holds that require the action of two people to remove. In addition, certain types of transactions (e.g., master file changes) should require special codes or terminal keys from two people before they can be completed. When a hold on an account is added/removed or when a transaction requiring supervisory approval is completed on an automated system, exception reports will be printed and should be reviewed by a designated person not involved with the transaction. Used conscientiously, automated dual control methods are superior to the manual procedures.
Employee Hiring Procedures
The credit and previous employment references of prospective employees should be checked by management. The facilities of the FBI are available to check the fingerprints of employees and prospective employees of banks and to supply such institutions with criminal records, if any, of those whose fingerprints are submitted. Pursuant to Section 19 of the FDI Act, written consent of the FDIC is needed in order for persons to serve in an insured bank as a director, officer, or employee if they have been convicted of a criminal offense involving dishonesty, breach of trust, or money laundering. Some insurance companies that write bankers' blanket bonds also offer assistance to banks in screening officers and employees.
Emergency Preparedness Plans
Written emergency preparedness plans and off-premise storage of backup files for all critical records should be maintained in the event of natural disaster or physical damage to premises.
Procedures should be developed for the prompt reporting and investigation of shortages when they become known. The results of an investigation should be reported to supervisory personnel within the bank and to fidelity insurers, regulators, and law enforcement agencies, when appropriate.
All banks should adopt an adequate audit program. Ideally, such a program would consist of a full-time, continuous program of internal audit coupled with a well-planned external auditing program. Such a system would substantially lessen the risk that a bank would not detect potentially serious problems.
The board of directors and senior management of an institution are responsible for ensuring that the system of internal control operates effectively. Their responsibility cannot be delegated to others within the institution or to outside parties. An important element in assessing the effectiveness of the internal control system is an internal audit function. When properly structured and conducted, internal audit provides directors and senior management with vital information about weaknesses in the system of internal control so that management can take prompt, remedial action. Examiners should review an institution's internal audit function and recommend improvements, if needed.
The FDIC adopted minimum standards for an internal audit program, which can be found in Part 364, Standards for Safety and Soundness, of the FDIC Rules and Regulations. The regulation requires each institution to provide the following elements within the internal audit program:
Each institution should have an internal audit function that is appropriate to its size and the nature and scope of its activities. The Interagency Policy Statement on the Internal Audit Function and Its Outsourcing sets forth the internal audit function's key characteristics, sound vendor outsourcing practices, and outsourcing arrangements effect on external auditor independence. Although the board of directors and senior management cannot delegate the responsibility for having an effective system of internal control and an effective internal audit function, they may delegate the design, implementation, and monitoring of specific internal controls to lower-level management and the testing and assessment of internal controls to others. Directors and senior management should have reasonable assurance that the system of internal control prevents or detects significant inaccurate, incomplete, or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial reporting (which includes regulatory reporting); and deviations from laws, regulations, and the institution's policies. In order to be confident that the internal audit function addresses the risks and meets the demands posed by the institution's current and planned activities, directors should consider whether their institution's internal audit activities are conducted in accordance with professional standards, such as the Institute of Internal Auditors' (IIA) Standards for the Professional Practice of Internal Auditing. These standards address independence, professional proficiency, scope of work, performance of audit work, management of internal audit, and quality assurance reviews. Furthermore, directors and senior management should ensure that the following key characteristics regarding structure, management, staffing and audit quality, scope, communications, and contingency planning are reflected in the internal audit function.
Structure - The internal audit function should be positioned so that the board has confidence that internal audit will perform its duties with impartiality and not be unduly influenced by managers of day-to-day operations. The audit committee should oversee the internal audit function, evaluate performance, and assign responsibility for the internal audit function to a member of management or the internal audit manager. The internal audit manager should understand the internal audit function and have no responsibility for operating the system of internal control. Ideally, the internal audit manager should report directly and solely to the audit committee regarding both audit issues and administrative matters, e.g., resources, budget, appraisals, and compensation. If the internal audit manager is placed under a dual reporting structure, the board should weigh the risk of diminished independence against the benefit of reduced administrative burden, and the audit committee should document its consideration of this risk and mitigating controls.
Management, staffing, and audit quality - The internal audit manager is responsible for control risk assessments, audit plans, audit programs, and audit reports. Control risk assessments document the internal auditor's understanding of significant business activities and associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. An internal audit plan is based on the control risk assessments and typically includes the key internal controls summaries within each significant business activity, the timing and frequency of planned internal audit work, and the resource budget. An internal audit program describes the audit objectives and lists the procedures that will be performed during each internal audit review. An audit report generally presents the purpose, scope, and results of the audit including findings, conclusions, and recommendations. Workpapers that document the work performed and support the audit report should be maintained.
Ideally, the internal audit function's only role should be to independently and objectively evaluate and report on the effectiveness of an institution's risk management, control, and governance processes. The role should not include a business-line management role over control activities, such as approving or implementing operating policies or procedures. The audit committee should ensure that any consulting work performed (e.g. mergers, acquisitions, advice on new products or services, etc.) by the internal auditor(s) does not interfere or conflict with the objectivity of monitoring the internal control system.
The internal audit function should be competently supervised and staffed by people with sufficient expertise and resources to identify the risks inherent in the institution's operations and assess whether internal controls are effective. Internal audit policies and procedures should be consistent with the size and complexity of the department and the institution.
Scope - An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution's size. The frequency and extent of internal audit review and testing should be consistent with the nature, complexity, and risk of the institution's on- and off-balance-sheet activities.
It is the responsibility of the audit committee and management to carefully consider the extent of auditing that will effectively monitor the internal control system after taking into account the internal audit function's cost and benefits. For institutions that are large or have complex operations, the benefits derived from a full-time manager of internal audit or an auditing staff likely outweighs the cost. For small institutions with few employees and less complex operations, however, these costs may outweigh the benefits. Nevertheless, a small institution without an internal auditor can ensure that it maintains an objective internal audit function by implementing a comprehensive set of independent reviews of significant internal controls. The key characteristic of such reviews is that the person(s) directing and or performing the review of internal controls is not also responsible for managing or operating those controls. A person who is competent in evaluating a system of internal control should design the review procedures and arrange for their implementation. The person for reviewing the system of internal control should report findings directly to the audit committee. The audit committee should evaluate the findings and ensure that senior management has or will take appropriate action to correct the control deficiencies.
At least annually, the audit committee should review and approve internal audit's control risk assessment and the audit plan scope, including how much the manager relies on the work of an outsourcing vendor. The audit committee should also periodically review the internal audit's adherence to the audit plan and should consider requests for expansion of basic internal audit work when significant issues arise or when significant changes occur in the institution's environment, structure, activities, risk exposures, or systems.
Communication - Directors and senior management should foster forthright communications including critical issues to better understand the importance and severity of internal control weaknesses identified by the internal auditor and operating management's solutions to these weaknesses. Internal auditors should immediately report internal control deficiencies to the appropriate level of management and significant matters should be promptly reported directly to the board of directors (or its audit committee) and senior management. Moreover, the audit committee should give the manager of internal audit the opportunity to discuss his or her findings without management being present. Furthermore, each audit committee should establish and maintain procedures for employees of their institution to submit (confidentially and anonymously) concerns to the committee about questionable accounting, internal accounting control, or auditing matters.
Contingency Planning - Whether using an internal audit staff and/or outsourcing arrangement, the institution should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly for high-risk areas. Operational risk may increase when an institution enters into an outsourcing arrangement because the arrangement may be terminated suddenly.
Internal Audit Outsourcing Arrangements
An outsourcing arrangement is a contract between an institution and an outsourcing vendor to provide internal audit services. Some institutions consider entering into these arrangements to enhance the quality of their control environment by obtaining the services of a vendor with the knowledge and skills to critically assess, and recommend improvements to, their internal control systems. Outsourcing may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. The structure, scope, and management of some internal audit outsourcing arrangements should contribute to the institution's safety and soundness as directors and senior management are still responsible for maintaining an effective system of internal control and for overseeing the internal audit function.
Even when outsourcing vendors provide internal audit services, the board of directors and senior management of an institution are responsible for ensuring that both the system of internal control and the internal audit function operate effectively and must maintain ownership of the internal audit function and provide active oversight of outsourced activities. When negotiating the outsourcing arrangement with an outsourcing vendor, an institution should carefully consider its current and anticipated business risks in setting each party's internal audit responsibilities. The outsourcing arrangement should not increase the risk that a breakdown of internal control will go undetected.
To clearly distinguish its duties from those of the outsourcing vendor, the institution should have a written contract that typically includes: a definition of both parties expectations and responsibilities; the scope, frequency, fees for the vendor's work; the responsibilities for providing and receiving information about the contract work status; the process for changing service contract terms; the internal audit reports are the institution's property and specified employees will have reasonable and timely access to the vendor prepared workpapers; the locations of internal audit reports and the related workpapers; the time period that vendors must maintain the workpapers; the vendor audits are subject to regulatory review and examiners will be granted full and timely access to the internal audit reports and related workpapers; a process (arbitration, mediation, or other means) for resolving disputes and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and the vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with AICPA, U.S. Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), or regulatory independence guidance.
Before entering an outsourcing arrangement, the institution should perform due diligence to satisfy itself that the outsourcing vendor has sufficient staff qualified to perform the contracted work. Throughout the outsourcing arrangement, management should ensure that the outsourcing vendor maintains sufficient expertise to effectively perform its contractual obligations. Directors and senior management should ensure that the outsourced internal audit function is competently managed with proper vendor oversight. Communication between the internal audit function and the audit committee and senior management should not diminish because the institution engages an outsourcing vendor. Rather, the entire vendor's work should be well-documented and all findings of control weaknesses should be promptly reported to the institution's manager of internal audit. Decisions not to report the outsourcing vendor's findings to directors and senior management should be the mutual decision of the internal audit manager and the outsourcing vendor. In deciding what issues should be brought to the board's attention, the concept of "materiality," as the term is used in financial statement audits, is generally not a good indicator of which control weakness to report. For example, when evaluating an institution's compliance with laws and regulations, any exception may be important.
Independence of the Independent Public Accountant
When one accounting firm performs both the external audit and the outsourced internal audit function, the firm risks compromising its independence. While the Sarbanes-Oxley Act of 2002 prohibits an accounting firm from acting as the external auditor of a public company during the same period that the firm provides internal audit outsourcing services, non-publicly traded institutions are also encouraged to consider the risks associated with compromising independence versus potential audit cost savings. Refer to the Corporate Governance portion of this section for further details on applicability.
An external auditing program is designed to determine whether a bank's financial statements have been properly prepared in accordance with GAAP and to alert management to any significant deficiencies in internal controls over financial reporting.
Part 363 of the FDIC Rules and Regulations establishes specific audit and reporting requirements for insured depository institutions with total assets of $500 million or more which are discussed later in this section. In addition, the FDIC adopted the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations which is applicable to all institutions. The examination reports for banks that are not in general compliance with the policy statement regarding external audits should indicate the status of implementation efforts. When warranted, the examiner's comments and recommendations with respect to the adequacy of a bank's external auditing program should also be presented.
All banks are strongly encouraged to establish an audit committee consisting, if possible, entirely of outside directors and, in appropriate circumstances, should be criticized for not doing so. Although a committee of outside directors may not appear possible in a small closely held bank where there are, in effect, no outside directors on the board, all banks should be encouraged to add outside directors to their board and to appoint them to the audit committee. The audit committee or board should annually analyze the extent of external auditing coverage needed by the bank.
The board or audit committee, when evaluating the institution's external auditing needs should consider the size of the institution and the nature, scope, and complexity of its operations. It should also consider the potential benefits of an audit of the institution's financial statements or an examination of the institution's internal control structure over financial reporting, or both. In addition, the board or audit committee may determine that additional or specific external auditing procedures are warranted for a particular year or several years to cover areas of particularly high risk or special concern. The reasons supporting these decisions should be recorded in the committee's or board's minutes. If, in the judgment of the examiner, unique risks of the bank need additional external audit procedures, specific recommendations for addressing these areas should be made for audit committee and/or board consideration.
External Audit of the Financial Statements
Each bank is strongly encouraged to adopt an external auditing program that includes an annual audit of its financial statements by an independent public accountant (unless its financial statements are included in the audit of its holding company's consolidated financial statements). A bank that does so would generally be considered to have satisfied the objectives of the Interagency Policy Statement. An external audit of the financial statements benefits management by assisting in the establishment of the accounting and operating policies, internal controls, internal auditing programs, and management information systems necessary to ensure the fair presentation of these statements. An audit also assists the board of directors in fulfilling its fiduciary responsibilities and provides greater assurances that financial reports are accurate and provide adequate disclosure.
Nevertheless, examiners should not automatically comment negatively on a bank with an otherwise satisfactory external auditing program merely because an independent public accountant is not engaged to perform an audit of its financial statements.
Alternative External Auditing Programs
Alternatives to a financial statement audit by an independent public accountant include:
If the audit committee or board, after due consideration, determines not to engage an independent public accountant to conduct an annual audit of the financial statements, the reason(s) for the conclusion to use one of the acceptable alternatives or to have no external auditing program should be documented in the written meeting minutes. Generally, the board or audit committee should consider not only the cost of an annual audit, but also the potential benefits. The examiner should determine whether the alternative selected by the bank adequately covers the bank's high-risk areas and is performed by a qualified auditor who is independent of the bank. As with deficiencies in an internal auditing program, any scope weaknesses in the bank's external auditing program should be commented on in the examination report.
If a bank chooses not to have a financial statement external audit by an independent public accountant, the examiner should strongly encourage the bank, at a minimum, to engage an independent auditor to perform an external auditing program for the bank. However, if high-risk areas are not adequately covered, the examiner should recommend that the additional procedures be performed in the future and that any other deficiencies in the auditing program be corrected to ensure that there is adequate independent external auditing coverage of operational risk areas.
If a bank has no external auditing program, the examiner should review the minutes to determine the reasons for this choice. A strong internal audit program is fundamental to the safety and soundness of a bank, but it is usually not a sufficient reason for the lack of an external auditing program. One should complement the other, and typically the external program tests and proves (or disproves) the strength of the internal audit program. In such situations, the bank should be strongly urged to reconsider its decision.
External Auditors' Reports
Each state nonmember bank that undergoes any external auditing work, regardless of the scope, is requested to furnish a copy of any reports by the public accountant or other external auditor, including any management letters, to the appropriate FDIC Regional Office, as soon as possible after receipt by the bank. A bank whose external auditing program combines State-mandated requirements with additional procedures may submit a copy of the auditors' report on its State-mandated procedures that is supplemented by a report on the additional procedures. In addition, the FDIC requests each bank to notify promptly the appropriate Regional Office when any public accountant or other external auditor is initially engaged to perform external audit procedures and when a change in its accountant or auditor occurs.
The auditors' reports submitted to the FDIC by a financial institution that chooses an alternative external auditing program rather than an annual audit of the financial statements should include a description of the procedures performed. If the auditor's report states that the "procedures agreed upon with management" have been performed, the bank should be requested to supply a copy of the engagement letter or other document that outlines the agreed-upon procedures so that the FDIC can determine the scope of the external auditing program.
When examining banks that have not had audits performed by an independent public accountant and at which any of the following conditions exist:
The examiner and Regional Office staff should consider adding to any contemplated administrative order a condition directing the bank to obtain an audit or, if more appropriate, to have specified audit procedures performed by a public accountant or other independent party. Since each situation differs, the examiner and Regional Office must evaluate the type of external audit program that would be most suitable for each troubled bank and, in conjunction with the Regional Counsel, ascertain that the inclusion of such an external audit program as a condition in the order is appropriate. Whenever a condition requiring an audit or specified audit procedures is included in an order, it should include requirements that the bank promptly submit copies of the auditor's reports to the Regional Office and notify the Regional Office in advance of any meeting between the bank and its auditors at which audit findings are to be presented.
FDIC Rules and Regulations for Institutions over $500 Million
Although the described audit programs are recommended for all depository institutions in accordance with general prudent banking practices, certain institutions are specifically required by law to have external audit programs. Part 363 of the FDIC Rules and Regulations establishes audit and report requirements for insured depository institutions with total assets of $500 million or more and their independent public accountants.
Management of each institution covered by this regulation must:
The annual management reports must contain a statement of management's responsibilities for preparing the financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with laws and regulations relating to loans to insiders and dividend restrictions. The reports must also contain an evaluation by management of the effectiveness of the internal control structure and procedures for financial reporting and an assessment of the institution's compliance with designated laws and regulations.
The independent public accountant engaged by the institution is responsible for:
Part 363 requires that insured depository institutions submit the following reports and notifications to the FDIC, the appropriate Federal banking agency, and the appropriate State bank supervisor.
Part 363 requires certain filings from independent public accountants. The accountants must notify the FDIC and the appropriate Federal banking supervisor when it ceases to be the accountant for an insured depository institution. The notification must be in writing, must be filed within 15 days after the relationship is terminated, and must contain the reasons for the termination. The accountant must also file a peer review report with the FDIC within 15 days of receiving the report or before commencing any audit under Part 363.
Each insured depository institution subject to Part 363 must establish an independent audit committee of its board of directors. The members of this committee must be outside directors who are independent of management. Their duties include overseeing the internal audit function, selecting the accountant, and reviewing with management and the accountant the audit's scope and conclusions, and the various management assertions and accountant attestations. Part 363 establishes the following additional requirements for audit committees of insured depository institutions with total assets of more than $3 billion: two members of the audit committee must have banking or related financial management expertise; large customers of the institution are excluded from the audit committee; and the audit committee must have access to its own outside counsel.
Holding Company Subsidiary Institutions
Subsidiaries of holding companies, regardless of asset size, may file the audited, consolidated financial statements of the holding company in lieu of separate audited financial statements covering only the institution. In addition, subsidiary institutions with less than $5 billion in total assets may elect to comply with the other requirements of Part 363 at the holding company level, provided that the holding company performs services and functions comparable to those required of the institution. If the holding company performs comparable functions and services, the institution may elect to rely on the holding company's audit committee and may file a management report and accountant's attestations that have been prepared for the holding company. Subsidiary institutions with $5 billion or more in total assets may elect to comply with these other requirements of Part 363 at the holding company level only if the holding company performs services and functions comparable to those required by the institution, and the institution has a composite CAMELS rating of 1 or 2.
The institution's audit committee may be composed of the same persons as the holding company's audit committee only if such persons are outside directors of both the holding company and the subsidiary and are independent of management of both. A separate set of minutes must be maintained.
If the institution being examined is not the lead bank in the holding company, the examiner need only confirm that the institution qualified for, and has invoked the holding company exemption and review the holding company reports to determine if any pertinent information about the institution is disclosed.
Institutions subject to Part 363 that cease to exist at fiscal year-end have no responsibility under this rule. If a covered institution no longer exists as a separate entity as a result of its merger into another institution after the end of the fiscal year, but before its annual and other reports must be filed under this rule, reports should still be submitted to the FDIC and appropriate Federal and State banking agencies. An institution should consult with the DSC Accounting and Securities Disclosure Section in Washington, DC, and its primary Federal regulator, if other than the FDIC, concerning the statements and reports that would be appropriate to submit under the circumstances.
Review of Part 363
Examination procedures regarding the review of the bank's audit program and Part 363 are included in the Examination Documentation (ED) Modules under the Management and Internal Control Evaluation section.
When reviewing the audit report, particular note should be taken of any qualifications in the independent accountant's opinion and any unusual transactions. In reviewing management's report and the accountant's attestation, special attention should be given to any assessment that indicates less than reasonable assurance that internal controls over financial reporting are effective or less than material compliance with the designated laws and regulations exists. Notices referencing a change in accountants should be reviewed for possible "opinion shopping" and any other issues that may be related to safety and soundness.
The board's annual determination that all members of the committee are "independent of the management of the institution" should also be reviewed. For institutions exceeding $3 billion in total assets, the examiner should review board determinations and minutes documenting that at least two members of the audit committee have banking or related financial management expertise and that no member is a large customer of the institution. Appropriate recommendations should be made in the examination report if any determination is judged as unreasonable.
At the first examination of each institution subject to Part 363, examiners should describe and discuss any apparent violations, but based on their judgment of the institution's situation, should focus on education and making recommendations about compliance. The examination report should indicate the status of the institution's implementation efforts if not yet in full compliance with the rule.
Problems or concerns with the accountant's or firm's auditing, attestation, or accounting policies and procedures that may represent a basis for a suggested review of its peer review workpapers should be referred to the Regional Accountant. If the Regional Accountant considers a peer review workpaper review warranted, the Regional Accountant will confer with the DSC Accounting and Securities Disclosure Section about conducting the review. This referral does not preclude the Regional Office from filing a complaint, or taking any other enforcement action, against the accountant. Peer review workpaper reviews would generally be appropriate only in unusual or egregious circumstances; therefore, they are expected to be relatively rare.
Examiners, if requested, are not to provide any written representations concerning Part 363 to institutions or their independent outside auditors. Examination staff should continue to respond orally to inquiries of external auditors in accordance with outstanding guidelines on these communications.
The Interagency Policy Statement on Coordination and Communication Between External Auditors and Examiners includes guidelines regarding meetings between external auditors and examiners.
The FDIC encourages communication between its examiners and external auditors with the permission of institution management. Permission has been given once an institution notifies the FDIC of the accountant's name or the accounting firm that it engaged as external auditor (by letter or by submitting a copy of the auditor's report to an FDIC Regional Office). Permission continues until the institution notifies the FDIC that its relationship with the external auditor has been terminated or that another auditor has been engaged.
The FDIC encourages external auditors to attend exit conferences and other meetings at which examination findings are discussed between an institution's management and its examiners. In addition, auditors may request a meeting to discuss relevant supervisory matters with any of the regulatory agencies involved in the institution's supervision. An auditor who determines that communication with the FDIC is warranted concerning a recent examination should contact the appropriate Regional Office. A Regional Office staff member, the examiner, or the field supervisor may discuss any of the examiner's findings with the external auditor. The regulatory agencies will usually request that institution management be represented at the meeting. However, an external auditor may request a meeting without the representation of the institution's management.
Requests for meetings and information can also originate with the regulatory agencies. If questions arise concerning matters pertaining to the institution on which the external auditor is knowledgeable, examiners may request meetings, including confidential meetings, with an institution's external auditor. FDIC staff may also inquire of the external auditor whether any problems were encountered during the audit of which the FDIC should be aware. Furthermore, copies of workpapers relating to services performed by the external auditor may be solicited. In some instances, an FDIC examiner, field supervisor, or Regional Office staff member may determine that attending the meeting between an institution's auditors and its management or board of directors (or an appropriate committee) at which the audit report is discussed would be useful. The institution should be advised and asked to present the request to the auditor.
The Policy Statement suggests that the institution provide its external auditor a copy of certain regulatory reports and supervisory documents including, but not limited to, reports of condition, examination reports and correspondence from regulators, any memorandum of understanding or written agreement, and a report on any actions initiated under Section 8 of the FDI Act or similar action taken by a State banking supervisor. Similarly, the AICPA's Audit and Accounting Guide for Depository and Lending Institutions: Banks and Savings Institutions, Credit Unions, Finance Companies and Mortgage Companies (Guide) provides auditors with guidance regarding communicating with examiners during audits of financial institutions. Chapter 5 of the Guide stresses communication between auditors and examiners. For example, the Guide recommends that auditors endeavor to be responsive to any requests from examiners to attend meetings with an institution's management at which audit reports are reviewed. According to the Guide, a refusal by bank management to allow the auditor to review such material or to communicate with the examiner would ordinarily be an audit scope limitation sufficient to prevent the auditor from rendering an opinion.
Workpaper Review Procedures
Examiners, in consultation with the Regional Accountant, may review the workpapers of the independent public accountant. Workpapers of the holding company audit may be examined with regard to the examination of a subsidiary institution. However, before any workpaper review is undertaken, the primary Federal regulator, if other than the FDIC, and any State bank supervisors of the institution or other holding company subsidiaries should be contacted to arrange a coordinated review. No set of workpapers should be reviewed more than once by all concerned agencies combined.
A workpaper review is not expected to be performed for every institution; however, examiners should review workpapers before or during an examination, (unless the workpapers of the institution for that fiscal year have been previously reviewed) in the following instances: each insured institution subject to Part 363 that has been or is expected to be assigned a CAMELS rating of 4 or 5; each state nonmember bank not subject to Part 363 that has been or is expected to be a assigned a CAMELS rating of 4 or 5; and where an institution, regardless of size, is not expected to be assigned a rating of 4 or 5, but significant concerns exist regarding other matters that would have been covered in the audit. A workpaper review may assist with the examination scope by identifying those areas where sufficient audit work was performed by the independent public accountant so examination procedures could be limited and by identifying those higher-risk areas where examination procedures should be expanded. A workpaper review may be especially useful before or during an examination if the institution has asset quality problems, aggressive accounting practices, mortgage servicing activities, or large deferred tax assets.
Requests by the Regional Director to independent public accountants for access to workpapers should be in writing and specify the institution to be reviewed, indicate that the accountant's related policies and procedures should be available for review, and request that a staff member knowledgeable about the institution be available for any questions. Since workpapers are often voluminous, examiners are expected to view them where they are located. Since these workpapers are highly confidential, examiners are encouraged to take notes of needed information, and should request copies of only those workpapers that are needed for their records. No requests for copies of all workpapers should be made.
Complaints Against Accountants
An examiner encountering evidence of possible violations of professional standards by a CPA or licensed public accountant should, if practicable, initially discuss the matter with the accountant in an attempt to resolve the concern. If the concern is not resolved in this manner, the examiner should send a memorandum to the Regional Director, with a copy to the Regional Accountant, summarizing the evidence of possible violations of professional standards and the inability to resolve the matter with the accountant. As part of the discussion, the accountant should be made aware that a complaint to the AICPA and/or the State board of accountancy is under consideration. Documentary evidence should be attached to support comments. Where notification of apparent violation of professional standards appears appropriate, letters should be concurrently forwarded by the Regional Director to the State board of accountancy in the institution's home state, the Professional Ethics Division of the AICPA (in the case of certified public accountants), the subject accountant or firm, and the DSC Accounting and Securities Disclosure Section.
In addition to violations of professional standards, complaints should also include substandard auditing work or lack of independence.
Institutions Contracting With A Third Party To Perform Specific Work at the FDIC's Request
Examiners sometimes find that an institution is involved in unique activities or complex transactions that are not within management's range of expertise. For example, the institution may carry certain complex financial instruments or other unusual assets on its financial statements at values that management cannot adequately support and that the examiner cannot confirm. Additionally, the institution may have certain internal control problems that require the expertise of an independent consultant to properly resolve.
In situations such as these, after receiving appropriate approval, examiners may request that an institution contract with an independent public accountant or other professional to perform specific work to address the identified concern. Such an assignment normally would not be included in the scope of the work performed in the usual external auditing programs, i.e., an audit, balance sheet audit, or attestation on internal control over financial reporting. This additional work, when performed by an independent public accountant, may be considered an engagement to perform "agreed-upon procedures," to issue a "special report," or "to report on the application of accounting principles" under applicable professional standards. These latter two engagements are performed by an independent public accountant under GAAS, while "agreed-upon procedures," are performed under Generally Accepted Standards for Attestation Engagements (GASAE). If another type of professional is contracted to perform services for an institution, the professional may be subject to a different set of professional standards. Nevertheless, the important elements for the examiner to consider when evaluating the adequacy of the institution's contract with the professional are similar in all cases.
When requiring or recommending that an institution contract with an independent public accountant or other outside professional for specific additional work, the examiner should advise the institution to provide the FDIC with a copy of the contract for review before the contract is signed. The contract should be reviewed to ascertain whether it describes the work that needs to be performed in sufficient detail so that the outside professional understands exactly what the FDIC's expectations are and can be responsive to any requirements established by the FDIC concerning the work to be performed. The contract or engagement letter should, at a minimum, include:
The contract or engagement letter covering the specific work should include language assuring examiner access to the accountant's or other professional's workpapers. An example of the type of language that should be included in the engagement letter or other contract between the institution and the independent public accountant or other professional is:
The workpapers for this (specify type of engagement, e.g., agreed-upon procedures, special report) are the property of (name of firm) and constitute confidential information. However, (name of firm) agrees to make the workpapers supporting this engagement available to the FDIC and other Federal and State banking regulators. In addition to the workpapers, (name of firm) agrees to make any or all of the following available to the FDIC and other Federal and State banking regulators:Corporate Governance
The provisions of the Sarbanes-Oxley Act of 2002 are primarily directed toward those companies, including depository institutions, that have a class of securities registered with the Securities and Exchange Commission (SEC) or the appropriate Federal banking agency under Section 12 of the Securities Exchange Act of 1934, i.e., public companies. Applicability of the Sarbanes-Oxley Act to insured depository institutions depends, in large part, on an institution's size and whether it is a public company or a subsidiary of a public company.
Some FDIC-supervised banks have registered their securities pursuant to Part 335 of the FDIC's regulations and are, therefore, public companies. Other FDIC-supervised banks are subsidiaries of bank holding companies that are public companies. These public companies and their independent public accountants must comply with the Sarbanes-Oxley Act - including those provisions governing auditor independence, corporate responsibility and enhanced financial disclosures.
Non-public FDIC-Supervised Banks With Less Than $500 Million in Total Assets
Non-public, FDIC-supervised banks that have less than $500 million generally do not fall within the scope of the Act. Nevertheless, certain provisions of the Act mirror existing policy guidance related to corporate governance issued by the FDIC and other banking agencies. Other provisions of the Act represent sound corporate governance practices; and although such practices are not mandatory for smaller, non-public institutions, the FDIC recommends that each institution consider implementation to the extent possible, given the institution's size, complexity and risk profile.
Insured Depository Institutions With $500 Million or More in Total Assets
Institutions that have $500 million or more in total assets as of the beginning of their fiscal year are subject to the annual audit and reporting requirements of Section 36 of the FDI Act as implemented by Part 363 of the FDIC's Rules and Regulations. Some large institutions are also public companies or subsidiaries of public companies, and some institutions subject to Part 363 satisfy the requirements of the Act on a holding company basis. There are selected provisions of the Act that are applicable to FDIC-supervised banks with $500 million or more in total assets. For example, the auditor independence requirements, management's responsibility for financial reporting and controls, and management's assessment of internal controls and accountant's attestation on this assessment are applicable for FDIC-supervised banks with $500 million or more in total assets.
When performing a review of the Act and its applicability to the institution being examined, examiners should refer to outstanding guidance and, when necessary, should consult with the Regional Accountant.
Examinations are not undertaken for the detection of fraud, nor are their sole or primary purpose to assure the complete correctness or appropriateness of records. The overall assessment of a bank's system of internal control is, however, an important examination function. In most cases, such an appraisal can be accomplished by an overall evaluation of the internal control system, a specific review of audit systems and reports, performance of standard examination procedures, and recommendations to management. In some instances, all or a portion of a bank's system of internal control may be deficient, or management or the condition of a particular institution may be such that more intensive audit tests, suited to the particular circumstances and needs of the bank under examination, should be undertaken. These matters are discussed in a following section on possible audit techniques.
These techniques may lead to an indication of possible fraud or insider abuse. Such situations should be thoroughly investigated by the examiner. Please refer to the Bank Fraud and Insider Abuse section of this Manual for further information.
The examiner's principal efforts should be focused on the detection, exposure and correction of important weaknesses in the bank's records, operating systems, and auditing procedures. Information should be developed through discussions with management and employees and examiner observation of performance and procedures. Each bank presents specific situations to which common sense and technical knowledge must be applied. The institution's size, the number of employees, and the character of the bank's operations must be considered in any meaningful evaluation.
Specific Review of Audit Systems and Reports
The examiner's evaluation of internal/external audit procedures and reports plays a key role in the overall assessment of a bank's internal controls system. The following is a listing of functions and procedures that should be encompassed by the audit program. The list is not all-inclusive and performance lacking in any one area should not necessarily be viewed as a major deficiency. The list may, however, serve as a framework to assist in the evaluation of a bank's audit program.
Verify cash on hand; review cash items, cutbacks, or any other assets or liabilities held in suspense accounts to determine proper and timely disposition; and verify clearings.
Due From Banks
Test and review bank prepared reconcilements with particular emphasis on old or recurring outstanding items; obtain cut off bank statements as of audit date and an appropriate date subsequent thereto for use in testing bank reconcilements; review all return items for an appropriate period subsequent to the audit date; and confirm balances due from banks to include time accounts with the banks holding the deposits.
Prove subsidiary records to the general ledger; verify securities on hand or held by others for safekeeping; check the gain and loss entries on securities sold or matured since the previous audit; review accrued interest accounts and test check computations and disposition of interest income. Review premium amortization procedures, especially for securities that have principal reductions to determine that premiums are being amortized appropriately.
Prove subsidiary records to general ledger; verify a sampling of loan balances on a positive or negative basis; verify the existence of negotiable collateral; review accrued interest accounts and test the computation and disposition of interest income; verify leases and related balance sheet accounts; verify unearned discount account; and test rebate amounts for loans that have been prepaid. Verify that Rules of 78 loans and loans with unearned discounts have decreased and that only those loans booked prior to January 1, 1999, remain on the books. Installment loans booked thereafter should be booked using the simple interest method for accounting.
Allowance For Loan and Lease Losses (ALLL)
Verify loan balances for loans charged-off since the previous audit and the debit entries to the ALLL account; check supporting documentation for loans charged-off; and review loan recoveries and check the credit entries in the allowance account; and review ALLL methodology to determine compliance with GAAP.
Bank Premises and Equipment
Examine entries and documentation relative to purchases and sales since the previous audit; check computation of depreciation expense; and check computation of gain or loss on property sold and trace sales proceeds.
Verify the appropriateness of all other asset categories.
Reconcile subsidiary records to general ledger accounts; verify account balances on a test basis; review closed accounts and determine they were properly closed; review account activity in dormant accounts and in the accounts of bank insiders; review overdrafts; check computation of service charges and trace postings to appropriate income accounts; review accrued interest accounts and check computation of interest expense; account for numerical sequence of prenumbered certificates of deposit and official checks; reconcile outstanding official checks; determine the validity of outstanding official checks; examine documentation supporting paid official checks; and test certified checks to customers' collected funds balances.
Verify borrowed fund balances; verify changes in capital notes outstanding; and review the accrued interest accounts and check interest expense computation.
Check the appropriateness of all other liabilities.
Capital Accounts and Dividends
Account for all unissued stock certificates; review capital account changes since the previous audit; check computations for dividends paid or accrued; and review minutes to determine propriety of dividend payments and accruals.
Consigned Items and Other Non Ledger Control Accounts
Test rental income for safe deposit boxes; examine and confirm safekeeping items; and reconcile consigned items on hand.
Income and Expenses
Test income and expenses by examining supporting documentation for authenticity and proper approval; and test accruals by either recomputing amounts or examining documents supporting such accruals.
Direct verification is universally recognized as one of the most effective methods of confirming the correctness and validity of certain accounts, primarily loan and deposit balances and collateral. Direct verification should be an important part of any internal and/or external audit program, and may be employed alone as an internal control separate from regularly scheduled audits.
There are two well-recognized types of direct verification, positive and negative. When the positive method is used, the customer is asked to confirm whether or not the balance, as shown, is correct. When the negative method is used, a reply is not requested unless an exception is noted.
The positive method has obvious advantages from an audit standpoint as it provides considerable assurance the customer has carefully checked the confirmation form. The negative method is less costly and provides a measure of protection in those institutions having a strong program of internal control. The positive method is recommended for loan accounts and preferred for deposit accounts, but because of the high volume and cost factor in the latter, the negative method is often employed. It is suggested that at least large accounts, public accounts, dormant accounts and accounts with high and usual volumes of activity be positively verified.
Direct verification may be conducted in whole or in part. The necessity for a complete verification of loans and deposits is rare. A partial verification of representative accounts is usually satisfactory. Overdue loans should be included in the verification as well as charged off loans. It should be noted that direct verification may be accomplished internally, as well as externally. To be effective, the verification procedure (including follow-ups) must be completely controlled by someone not having responsibility for the accounts or records being verified.
The Examination Documentation (ED) Modules include examination procedures regarding control activities and monitoring. Procedures are provided both for institutions with formal internal audit departments and for institutions with either no audit functions or limited audit activity. Refer to the Management and Internal Control Evaluation ED Module for details.
Recommendations to Management or the Board of Directors
Serious or numerous internal routine and controls deficiencies detected during an examination should be brought to management's and the board's attention and appropriate action urged. In making recommendations and criticisms, examiners should consider the following points.
Fraud and Insider Abuse
As noted previously, while examinations are not undertaken for the purpose of uncovering fraud, the examiner must be alert to its possible existence. Bank personnel at every level have committed fraud and experienced officers and employees have perpetrated large defalcations over a period of years. The following represent some of the most frequently used methods of manipulation, as applied to those accounts that normally offer the greatest risk and vulnerability. In addition, the Fraud section of this Manual contains a surveillance module for detecting bank fraud and insider abuse.
Forged or fictitious notes; accommodation loans; loans to insider-related shell companies; embezzlement of principal and interest payments; failure to cancel paid notes; use of blank, signed notes; embezzlement of escrow and collection accounts; commissions and kickbacks on loans; fraudulent loans to cover cash items and overdrafts; and diverted recoveries of charged off loans.
Loans secured by phony collateral such as altered, stolen, or counterfeit securities; or certificates of deposit issued by illegitimate offshore banks; and brokered loans and link-financing arrangements where underlying collateral is not properly pledged or is prematurely released.
Unauthorized withdrawals from dormant accounts; fictitious charges to customer accounts; unauthorized overdrafts; payment of bank personnel checks against customer accounts or against fictitious accounts, manipulation of bookkeepers' throw-out items, computer rejects or other items needed to reconcile deposit trial balances; unauthorized withdrawals from accounts where the employee is acting as an agent or in some other fiduciary capacity; withholding and destroying deposit tickets and checks; misappropriation of service charges; kiting; and manipulation of certificates of deposit, official checks, and money orders.
Correspondent Bank Accounts
Lapping of cash letters; delayed remittance of cash letters; fictitious credits and debits; issuing of drafts without corresponding recordation on the bank's books or credit to the account; overstatement of cash letters and return items; and false collection items.
Tellers and Cash
Lapping deposits; theft of cash; excessive over and short activity; fraudulent checks drawn on customers' accounts; fictitious cash items; manipulation of cash items; and intentional failure to report large currency transactions or suspicious activity.
Income and Expense
Embezzlement of income; fraudulent rebates on loan interest; fictitious expense charges; overstated expense; and misapplication of credit life insurance premiums.
Adjusted trading, which usually involves collusion between a bank employee and a securities dealer to trade securities at inflated prices; concealing trading losses from bank management and examiners; and unauthorized purchases and sales of securities, futures, or GNMA forward contracts with benefit accruing to a bank employee. Improper securities trading practices include:
The different types of manipulations employed in defalcations appear to be limited only by human ingenuity and inventiveness. The schemes and methods devised to cheat banks are virtually unlimited and pose a continuing problem to banks and examiners alike. While no bank is exempt from the threat of defalcations by management, employees or outsiders, certain institutions are more vulnerable than others. Any one or more of the following conditions or situations may be indicative of the need to utilize more comprehensive and intensive audit techniques:
Possible Audit Techniques
Because of the virtually limitless opportunities for perpetrating and concealing bank fraud, even a complete and comprehensive audit may not expose the commission of deceptive practices. Time constraints and optimum resource utilization do not permit a complete audit during bank examinations, nor would the benefits derived from such efforts generally be warranted. Nevertheless, in those cases where the examiner perceives the need, the examination may be expanded to include the use of more audit techniques and procedures. The following is a listing of certain audit techniques available to examiners. The list is not all-inclusive, nor is it intended that any or all of these procedures be utilized at every examination.
Examiner-prepared reconcilements of all asset and liability items can ensure that individual subsidiary records balance to general ledger controls. Performance of any or all of the checks, tests, and reviews listed in this section of the Manual under Specific Review of Audit System and Reports may also be helpful.
Except for securities, correspondent bank accounts and loan participations, direct verification is an audit procedure not often employed by examiners. However, the examiner may in certain circumstances, after obtaining the Regional Director's approval, conduct a direct verification of loans and/or deposits. The following basic procedures or guidelines are utilized in direct verification.
The techniques suggested below may be valuable when examiners have cause to suspect possible irregularities involving the loan portfolio.
The following suggestions may be useful in the investigation of improper activities in the bank's deposit accounts.
Correspondent Bank Accounts
The following audit steps are available relative to these accounts:
Tellers and Cash
Tellers' daily cash records can be inspected for possible discrepancies such as forced balancing, unusual charges or an excessive total and number of cash items. Items drawn on or by bank personnel should always be verified as to final payment or disposition. All work can be checked for prior endorsements and dates that may indicate a teller has been carrying these items for a long period.
In many banks, asset and/or liability suspense accounts are used as "catch-alls." These accounts should be reviewed for large or unusual items. In some instances, suspense accounts have been used for concealment of shortages, worthless assets, and deposit diversions.
Income and Expense Accounts
Test check interest computations on a sampling of loans and securities. Large, regular or unusual debits to income accounts should be verified and interest rebates on loans and monthly service charges on demand deposits may be tested. Finally, interest paid on time and savings deposits can be compared to the amount credited to the respective controls.
General Ledger Accounts
Determine the reason for any unusual or abnormal variations between the various general ledger accounts. Check the validity of any reversing or correcting entries, particularly for a few days immediately following the previous examination. Trace all income closing entries to the undivided profits account.
Be watchful for any major change, particularly growth, in assets or liabilities. In cases of rapid loan expansion, check for the possibility of out-of-territory loans to insiders. If both loans and certificates of deposit have increased beyond normal expectations check the source of certificates of deposit; check for tie-ins between new notes and new certificates of deposit as to common names, common amounts and/or common dates; trace the proceeds of new loans; and determine the source of principal and interest payments on new loans.
Secretary of State Websites
Many states have websites that can provide valuable information on an entity's corporate structure, principal shareholders, or officers and directors. In addition, a search can usually be completed to ascertain the principals other business relationships. Other Related Matters
With respect to internal controls in information systems, Part 364 of the FDIC Rules and Regulations requires institutions to have systems that provide for the following elements commensurate with the size of the institution and the nature, scope and risk of its activities:
If an institution's internal control systems do not meet the above standards, the deficiencies should be described in the Report of Examination or Information Technology Report of Examination, as appropriate.
Rapid changes in information technology have vastly altered the methods by which financial institutions process data. There may be any number of mediums incorporated within the institution to accomplish data processing needs. Networks are increasingly prevalent in the present multi-location banking environment. As with any other function in banking, operation of information systems presents certain risks and may ultimately impact safety and soundness of the institution. For this reason, the operation and control over information technology should be identified and reviewed at every examination.
Protecting or securing information and facilities that process and maintain information is vital to the continuity of operations. It is essential that information be accurate, safeguarded and provided without interruption. In order to maintain continuity and reliability of information, institutions should, at a minimum, formulate a comprehensive security plan to ensure that operations and data are not vulnerable to undue risks and exposures. The plan should, at a minimum, address: physical security; data security; and backup and contingency planning.
The FFIEC Information Technology Systems Examination Handbook is comprised of several booklets, each on a different topic, serves as a reference for the examination of these systems. The Handbook contains information technology examination procedures, examination report format, workprograms and related laws, regulations and examination policies. It also provides the examiner with fundamental principles of internal controls in all information processing environments. The FFIEC procedures, workprograms, and examination report format are the primary tools for the examination of large, complex data centers in financial institutions and independent technology service providers.
Information Technology Maximum Efficiency, Risk-Focused, Institution Targeted (IT-MERIT) procedures and the IT General Workprogram are the primary tools for evaluating information technology in financial institutions with non-complex information technology functions.
A management information system (MIS) is a system or process that provides the information necessary to effectively manage an organization. MIS is essential in all institutions, but becomes increasingly important in larger more departmentalized organizations. MIS is considered a feedback device and as such is a method for managing risks. The board of directors and management determine what information is needed for them to make informed decisions and monitor activities of the institution. Staff correspondingly develops the systems to ensure that the desired information is usable as a performance measurement. There are five essential elements that must be addressed before any MIS can be considered usable. They are timeliness; accuracy; consistency; completeness, and relevance. Management decisions and strategies may be rendered invalid or, in fact, detrimental should any one of these components be compromised.
In order to evaluate MISs, and ultimately the foundation upon which management's decisions are based, examiners must scrutinize each of the five essential components. First, information must be current and available to all appropriate users to facilitate timely decisions. This necessitates prompt collection and editing of data. Secondly, a sound system of internal controls must be in place to ensure the accuracy of data. Information should be properly edited and reconciled, with the appropriate control mechanisms in place. A comprehensive internal and external audit program would greatly facilitate this endeavor. Strategies and decisions can not be adequately monitored or measured unless information provided is consistent. Variations in how data is collected or reported can distort trend analysis. Any change in collection or reporting procedures should be clearly defined, documented, and communicated to all users. Information provided by MIS mechanisms must be complete. Lastly, information provided must be relevant. Details that are inappropriate, unnecessary, or unsuitable are of no value in effective decision-making. Decision-makers can not fulfill their responsibilities unless all pertinent information is provided in a comprehensive, yet concise format. Care should be taken to ensure that senior management and the board of directors receive relevant information in order to identify and measure potential risks to the institution. Sound MIS is a key component of management effectiveness and should be evaluated in relation to the size, structure and decision-making process of each individual institution.
Electronic Funds Transfer Services
Electronic fund transfer services can be grouped broadly into wholesale and retail systems. Wholesale systems generally are thought of as large dollar systems. Whereas, retail systems might include automated clearing houses, automated teller machines, point-of-sale systems, telephone bill paying, home banking systems and debit cards. Procedures for review of retail systems are comprehensive and are covered in the FFIEC Information Technology Examination Handbooks on Retail Payment Systems and Wholesale Payment Systems. Information systems procedures do not cover wholesale wire transfer systems.
Access to wholesale or large dollar transfers is most often provided through the FEDWIRE and CHIPS (Clearing House Interbank Payment System). The latter of which is an international payments clearing system for transactions between domestic and foreign banks. Services available through FEDWIRE include transfers of funds between member institutions; transfers of U.S. Government and Federal agency securities; data transfers such as Automated Clearing House payment files; and administrative and research information. Member institutions may access FEDWIRE by three methods: off-line via telephone with Federal Reserve Bank; dial up access via a PC based system; or direct computer interface.
Although there is no settlement risk in the FEDWIRE system, there may be exposure due to errors and omissions and fraud. Because of these risks, a review of credit risks and control systems for wholesale wire transfer systems should be conducted at each safety and soundness examination. A separate examination procedures module on electronic funds transfer risk assessment is included in the ED Modules.
Lost and Stolen Securities Program
(SEC Rule 17f-1)
Banks may receive securities certificates through transactions for their own investment, as collateral for loans, as trust assets, or through transfer agent activities. In each situation, a bank may possess a securities certificate that has been reported as lost, stolen, counterfeit, or missing. In 1979, the Securities and Exchange Commission (SEC) implemented Rule 17f-1 to require reporting and recordkeeping of such securities, so that the certificates are not later used erroneously or fraudulently. The regulation authorized the SEC to delegate the recordkeeping function and named Securities Information Center (SIC) as the central repository. SIC may be contacted at the Securities Information Center, Inc., P.O. Box 55151, Boston, MA 02205-5151 or via the Internet at www.secic.com.
All banks that possess or plan to possess securities certificates should be registered as either a direct or indirect inquirer. For direct inquirers, the bank has direct access to the SIC. For indirect inquirers, the bank submits information through another bank, most likely a correspondent bank, to inquire on the bank's behalf. In either event, institutions may inquire of the SIC whether a certificate has been reported as lost, stolen, counterfeit, or missing.
For the purposes of the rule, the following definitions are applicable:
For the purposes of this rule, the following types of securities are not subject to the inquiry and reporting requirements: registered securities of the U.S. Government, any agency or instrumentality of the U.S. Government, the International Bank for Reconstruction and Development, the InterAmerican Development Bank, or the Asian Development Bank, and counterfeit securities of such entities; security issues not assigned CUSIP numbers; and bond coupons. In addition, the SEC commented that the rule does not include bond coupons, or escheated, called, or restricted securities, issues in litigation, and bankrupt issues.
Banks must make an inquiry to the SIC by the end of the fifth business day after a certificate comes into its possession, unless the security is received directly from the issuer or issuing agent at the time of issue; received from another reporting institution or Federal Reserve bank or branch, or a securities drop that is affiliated with a reporting institution; received from a customer of the bank, and the security is registered in the name of the customer or its nominee or was previously sold to the customer, as verified by the internal records of the bank; or part of a transaction involving bonds of less than $10,000 face value and stocks of less that $10,000 market value. The limit applies to the aggregate transaction amount, not to the individual security. However, the recent amendment to the rule also provides that inquiries shall be made before the certificate is sold, used as collateral, or sent to another institution, if occurring sooner than the fifth business day.
All securities certificates identified as lost, stolen, counterfeit or missing, which are or were in the bank's possession or control must be reported to the SIC on Form X17FIA. The transfer agent for the certificate should receive a copy of the report, also. For each report submitted, the bank shall maintain and preserve copies of the forms for three years, along with other information received from the SIC as a result of the inquiry. Banks that are registered as indirect inquirers should maintain evidence of the inquiries made via the direct inquirer to the same extent required of the direct inquirers.
Counterfeit securities certificates and stolen certificates involving suspected criminal activity must also be promptly reported to the FBI if there is a "substantial basis" for believing that criminal activity was involved. All counterfeit securities must also be reported to the FBI. If a report has been filed with the SIC or the FBI has been notified, a report to the FDIC is not required. Refer to FDIC Rules and Regulations Part 353 regarding suspicious activity reports. A Suspicious Activity Report (SAR) is required for:
A Suspicious Activity Report must be filed within 30 days of discovery with the Financial Crimes Enforcement Network.
Examiners should consider reviewing the requirements of Rule 17f-1 with bank personnel to ascertain their knowledge and understanding of the rule. Bank procedures may be reviewed to determine adherence to the provisions of the rule. The examiner should consider the bank's audit procedures covering the lost and stolen securities program and ascertain whether documentation is adequate to determine compliance with the rule.
Test checks of the bank's inquiry procedures can be effectively integrated into the examination process. Inquiry will most likely be required for securities coming into the bank's possession as collateral for loans or as assets received by the bank's trust department. A subsequent check of the bank's inquiry records can determine compliance with Rule 17f-1. Noncompliance should be reported as an apparent violation of SEC Rule 240.17f-1 on the violations page of either the commercial or trust report of examination. Various aspects of SEC Rule 17f-1 are also discussed in the Trust Manual.
Improper and Illegal Payments by Banks and Bank Holding Companies
The Foreign Corrupt Practices Act and the Federal Election Campaign Act cover improper and illegal payments by banks and bank holding companies.
The devices used by banking organizations to make political payments include compensatory bonuses to employees, improperly designated expense accounts, excessive fees or salaries paid to officers, and low to zero interest rate loans. In addition, political contributions have been made by providing equipment and services without charge to candidates for office. Many of these devices involve clear departures from acceptable accounting practices. Consequent lack of corporate accountability raises serious questions regarding the effectiveness of an organization's own internal audit procedures. For banking organizations to engage in illegal or unethical activities and to attempt to conceal those activities by the use of irregular accounting practices only serves to undermine public confidence in the banking system.
The following items may be considered to detect violations of these two laws, and to evaluate the effectiveness of an individual institution's control in detecting such violations.
|Last Updated email@example.com|