INTERNAL ROUNTINE & CONTROLS

Introduction
- Board is responsible for creating, implementing and policing a system of internal
control
- Internal control system should be periodically reviewed and updated to remain
effective
Internal Control
- Plan of organization designed to safeguard bank assets, check the accuracy and
reliability of accounting data, promote operational efficiency, and encourage
adherence to prescribed managerial policies.
- Two components of internal control
- Administrative Control – the process leading to management’s authorization of
transactions, starting point for establishing accounting control of transactions
- Accounting Control – plan to provide reasonable assurance that transactions are
executed according to Board policies, transactions are properly recorded, access
to assets is limited to proper individuals, recorded assets are compared to existing
assets, and appropriate action is taken when differences arise
Basic Elements of an Internal Control System
Internal accounting controls are techniques used to prevent and detect errors in the
processing of data, to safeguard assets, and to produce reliable financial statements
- Basic elements for effective internal controls system are:
- Organizational Structure
- Control environment begins with the Board
- Audit committee should be established with outside Director representation
- Board should establish clear lines of authority and responsibility and segregate
operating and recording functions
- Directors Approval
- Board periodic review of actions taken by management
- Board should develop reporting system that captures, new loans, overdue loans,
overdrafts, securities transactions, financial statements, and audit reports
- Segregation of Duties
- No one person should dominate a transaction from inception to termination
- Participation of two or more persons or departments in a transaction causes the
work of one to serve as proof for accuracy of another
- Rotation of Personnel
- Should be planned and unannounced
- Be for a sufficient duration of time
- Also improves overall training (cross-training)
- Sound Personnel Policies
- Polices for hiring, providing training, and evaluating and reviewing job
performance
- Vacation Policies
- Should provide that active officers and employees be absent from their duties for
at least 2 consecutive weeks.
 - Duties performed by an absent individual should be assumed by someone else for
an the program to be effective
- Where there is no 2-week absence from position requirement the bank’s Board
should annually review and approve the policy followed and the exceptions
allowed
- Accounting Procedures
- Recordkeeping system should be able to produce a wide variety of reports
- Bank records and accounts should reflect its actual financial condition and
accurate results of operations
- Operating Policies
- Current Records
- Records should be updated daily and able to produce each day’s activity
separately from another’s day
- Subsidiary Control Accounts
- Audit Trail
- Records and systems should be designed to enable tracing any given item as it
passes through the bank’s books
- Prenumbered Documents
- Documents should be sequentially numbered when possible
- Unissued, prenumbered instruments (that could be used to obtain funds) should be
maintained under dual control
- Accounting Manual
- Manual should be establish containing instructions for the uniform handling of
like transactions
- Protection of Physical Assets
- Safeguard assets by limiting access to authorized personnel only, AND
- Cash Control
- Tellers should be provided with their own funds which they have sole access
- Joint Custody or Dual Control
- The two are not the same
- Joint custody – procedures whereby two or more persons are equally accountable
for the physical protection of certain items or records (two keys or combinations,
under separate controls of the two persons, which must be used together in order
to obtain access) Only collusion can bypass this system
- Dual control – the work of one person is verified or approved by another. Purpose
of the second person is to ensure that proper authority for the transaction or
activity has been given, the transaction or activity is properly recorded, and proper
settlement is made
- Employee Hiring Procedures
- Credit and previous employment references of applicants should be checked
- Written consent of the FDIC is needed in order for persons to serve in an insured
bank as a Director, officer or employee, if they have been convicted of a criminal
offense involving dishonesty or breach of trust
- Emergency Preparedness Plans
- Should be written, and off-site storage of backup files for all critical records
should be maintained
- Reporting Shortages – tellers
Part 364
Requires bank to have internal systems that provide for:
- Organizational structure (that establish clear lines of authority and responsibility)
- Effective risk assessment
- Timely and accurate financial, operational, and regulatory reports
- Adequate procedures to safeguard and manage assets, AND
- Compliance with applicable laws and regulations
Audit
- All banks should adopt an audit program
External Audit
- Designed to test and evaluate the high-risk areas of a bank’s business
Audit Committees
- Audit committees should be established consisting of entirely of outside directors
- Audit committee or Board should annually analyze the extent of external auditing
coverage needed by the bank
- Committee/Board deliberations for the need of external audit should be
documented in minutes
External Audit of Financial Statements
- All banks are strongly encouraged to adopt an external auditing program that
includes an annual audit of its financial statements by an independent public
accountant
- External audits provide greater assurances to management that financial reports
are accurate and provide adequate disclosure
- Banks not to be criticized for not engaging a CPA to perform an acceptable audit
Alternative External Auditing Programs
- If bank determines not to engage an independent public accountant reasons should
be documented in minutes (consideration should not only be on cost, but also benefit
of audit)
- Alternatives should adequately cover high-risk areas of the bank and be
performed by a qualified auditor who is independent of the bank
- Strong internal audit program is fundamental to a bank, but is not a sufficient
reason for lacking an external audit program
- External audit program tests and proves the strength of the internal auditing
program
State-mandated Auditing Requirements
External Auditors Report
- Any state nonmember bank that undergoes any external auditing work (regardless
of scope) is requested to furnish a copy of any reports by the auditor (including
management letters) to the FDIC RO
- FDIC request each bank to notify the RO when any auditor is initially engaged to
perform external auditing procedures and when a change in its auditors occurs
- Reports submitted to FDIC should describe procedures performed
Troubled Banks
- When weaknesses exist, (internal controls are inadequate, uninformed Board,
insider abuse, criminal activity, director liability for losses, questionable transactions
 with affiliates) the FDIC should consider adding a condition directing the bank to
obtain an audit or specified auditing procedures be performed by a public accountant
or other independent party
- Condition should require bank to furnish copy of report to FDIC and notify FDIC
in advance of any meetings with auditor
Communication with External Auditors
- Communication between examiners and external auditors is encouraged with
permission from bank management
- Permission is considered given once the bank notifies the FDIC (by written letter
or submission of report) of the name of the external auditor
- Permission continues until the bank notifies the FDIC that the relationship with
the external auditor has been terminated or that another auditor has been engaged
- External auditors are encouraged to attend exit meetings – may discuss findings
with external auditor – may request confidential meetings with external auditors –
may solicit workpapers performed by external auditors
- AICPA – refusal of management to allow the auditor to view examination
material or communicate with examiners limits the scope and prevents auditors from
rendering an opinion
Internal Audit
Strong internal audit function establishes the proper control environment and promotes
accuracy and efficiency in bank operation. Basic purpose of internal auditing is the
prevention and detection of loss
Internal Audit Program Should Include:
- Determination that records of the bank are complete and adequate, and that
transactions are promptly and properly recorded in the accounts
- In an EDP environment there should be a review of data controls
- Determination that assets are adequately safeguarded and properly presented in
financial reports, and that liabilities are completely disclosed and accounted for
- Assurance that collateral and other nonledger items are properly recorded and
protected by effective custodial controls
- Check for compliance with applicable statutes and regulations
- Review for compliance with policies set forth by management including
verification that loans and securities have been properly approved
- Accounting for the receipt of income and review of expenses to determine that
they are authorized, correct in amount, and consistent with bank policy
- Appraisal of the performance of personnel in accomplishing assigned internal
control functions and responsibilities
- Validation of the authority granted to members of the organization to be certain
there are no departures from established policy
- Review of loan losses, operating charge-offs, and the control exercised over
recoveries
- Evaluation of the adequacy of fidelity and casualty insurance coverage
- Preparation of a proper and complete set of working papers covering each audit
- Utilization of accepted verification and confirmation techniques
- Establishment and maintenance of an operating manual describing the specific
procedures and techniques to be used by the auditor or auditing staff in performing
the audit function.
- Direct verification of loan and deposit balances on a periodic basis
Internal audit report should be in written form and findings should be reported directly to
the Board (or committee). Auditors must have complete independence and have
sufficient authority
Part 364
Minimum standards for an internal audit program
- Adequate monitoring of the bank’s internal control system
- Independence and objectivity
- Qualified personnel
- Adequate testing and review of IS
- Adequate documentation of tests and findings of any corrective actions
- Verification and review of management’s actions to address material weaknesses
AND
- Review by the bank’s audit committee/Board of the effectiveness of the program
Independent review of key internal controls may be sufficient is small, less complex
banks
Part 363
Establishes audit and reporting requirements for insured banks with total assets of $500
million or more and their independent public accountants
Management Must:
- Engage an independent public accountant,
- Prepare annual financial statements in accordance with GAAP
- Produce annual reports that contain:
- Statement of management’s responsibility for preparing financial statements, for
establishing and maintaining an internal control structure and procedures for
financial reporting, and for complying with laws and regulations relating to loans
to insiders and dividend restrictions. Reports must also contain an evaluation by
management of the effectiveness of the internal control structure and procedures
for financial reporting and an assessment of the bank's compliance with
designated laws and regulations.
Independent Public Accountant Is Responsible For:
- Auditing and reporting on the bank’s annual financial statements in accordance
with GAAP, AND
- Examining, attesting to, and reporting separately on management’s assertions
concerning the bank’s internal control structure and procedures for financial reporting
Reporting Requirements
- Within 90 days after fiscal year end, an annual report must be filed (that contains
audited FS, audit report, management statement’s and assessments, auditors attestation concerning
internal controls and financial reporting procedures)
- Within 15 days after receipt, the bank must submit any management letter, the
audit report and any qualification to the audit report; and any other report from the
accountant
- Within 15 days of occurrence, the bank must provide written notice of the
engagement of an independent public accountant, the resignation or dismissal of a
previously engaged accountant, and the reason for such an event
- Accountants must notify the FDIC when a bank has dismissed their services,
notification must be in writing, must be filed within 15 days after the relationship is
terminated, and must contain the reasons for termination
Audit Committee
- Must establish an independent audit committee composed of outside directors
who are independent of management (for banks exceeding $3 billion, two members
must have banking or related financial management expertise; large customers are
excluded, and the committee must have access to its own outside counsel)
- Duties of the committee include:
- Overseeing internal audit function
- Selecting the accountant
- Reviewing with management and the accountant the scope of the audit, audit
conclusions, and various management assertions and accountant attestations
Holding Company Subsidiary Institutions
- Holding companies may file consolidated financial statements (regardless of size)
- If subsidiary has $5 billion or more in total assets and a CAMELS rating of 1 or 2,
it may rely on the HC’s audit committee and may file a management report and
accountants attestations that have been prepared for the HC
- HOWEVER, if the subsidiary has $5 billion or more in total assets with a
composite CAMELS rating of 3, 4, or 5, it may file the audited consolidated financial
statements of the HC, but must have its own audit committee and file a separate
management report and accountants attestation. Audit committee may be composed
of the same persons as the HC’s audit committee only if such persons are outside
directors of both the HC and the subsidiary and are independent of management of
both. Separate set of minutes must be maintained
Mergers
Banks no longer existing at fiscal year-end have no responsibility under this rule
Examination Procedures – Part 363
- First examinations (of 363 banks), examiners should describe and discuss and
apparent violations of this regulation (usually don’t cite vios)
- Report should indicate the status of the bank’s implementation efforts if not yet in
full compliance with the rule
Workpaper Review Procedures
- Examiners may review the WP’s of the independent public accountant
- Coordinated effort between agencies for reviewing WP’s should be accomplished,
no set of WP’s should be reviewed more than once by all concerned agencies
combined
- Useful to review for banks with asset quality problems, aggressive accounting
practices, MSA, or large deferred tax assets
- Request for access to WP’s should be in writing, specify the bank to be reviewed,
indicate that the accountant’s policies and procedures should be available for review,
and request a staff member knowledgeable about the bank be available for questions
- WP’s to be viewed where they are located
- Take notes, limit copies
Complaints Against Accountants
Specific Review of Audit Systems and Reports

Direct Verification
- Two types of direct verification (positive and negative)
- Positive Method – used when the customer is asked to confirm whether or not the
balance as shown is correct
- Negative Method – used when a reply is not requested unless and exception is
noted
- (Positive method has advantages over negative method, but is more expensive. At
least large accounts, public accounts, dormant accounts and accounts with high and
usual volumes of activity be positively verified)
- Direct verification does not need to be in full, can be in partial (not the whole
portfolio), but should include overdue loans and charged-off loans
Examiner Responsibilities
Examination are not undertaken for the detection of fraud, nor is their sole or primary
purpose to assure the complete correctness or appropriateness of records
Overall Evaluation of Internal Controls
Examiner principal efforts should be focused on the detection, exposure and correction of
important weaknesses in the bank’s records, operating systems, and auditing procedures
Recommendations to Management or the Board of Directors
When numerous IRC deficiencies are detected the deficiencies should be brought to
management and the Boards attention. The following should be considered:
- Advantage and profitability of the suggestion to the bank should be stressed, not
the advantage to the examiner
- Suggestions and criticisms mush have substance and merit (not petty)
- Recommendation or criticism should be discussed with management prior to
telling the Board
- Recommending records or accounting forms supplied by a particular stationery
house is to be avoided
- Goal is to obtain correction
- Criticisms must be based on specific negative findings
Third Party to Perform Specific Work @ FDIC’s Request
- After receiving appropriate approval, examiners may request that a bank contract
with a third party to perform specific work to address identified concerns
- Any work performed by request of a third party requires a contract. The FDIC
should review the contract before the contract is signed
- Contract or engagement letter, should include:
- Description of work to be performed
- Responsibilities of the third party
- Reference to any professional standards to be adhered to
- Qualifications of the third party
- Time frame for completing the work
- Any restrictions on the use of reported findings
- Provision for examiner access to workpapers
Fraud and Insider Abuse
Examinations are not undertaken for the purpose of uncovering fraud, the examiner must
be alert to its possible existence though
- (Read this section for techniques, did not outline)
- Conditions/situations indicative of the need to utilize more comprehensive and
intensive audit techniques:
- One person dominates operations
- Lack of any audit program
- Weak internal controls
- Poorly maintained records
- Lack of Board or senior management supervision
- Substantial growth in short period of time
- Little growth or a steady decline in deposits
- Etc.
Possible Audit Techniques
(Read this section, did not outline)
Information Systems
- Operation and control over IS should be identified and reviewed at every
examination
- Essential that information be accurate, safeguarded and provided without
interruption
- Bank should formulate a security plan that addresses physical security, data
security, and backup and contingency planning
- Community Workprogram is designed to assist the examiner in evaluation of IRC
procedures over in-house and serviced information processing systems and should be
used when:
- There is not programming or testing performed and software is vendor-supported
for a bank of any size
- Some contract programming and testing is performed for banks of any size,
provided that the Systems & Programming section of the workprogram is
performed and ARD approval is obtained in banks greater than $300 million (TA)
- Workprogram’s ATM, POS, ACH and networks sections may be used in any size
bank
- All applications are serviced by an outside vendor, the workprogram may be used
regardless of the bank’s size
- (Should not be used when the bank services other financial institutions)
- Separate IS examination reports are to be completed at the initial examination of
in-house and RJE systems
- Separate examination reports are also required when an IS composite 3 rating or
worse is likely to be assigned or was assigned at the most recent examination
- (Examiners authorized to examine the data servicer)
Management Information Systems (MIS)
Considered a feedback device used for managing risk
- Five elements that must be addressed before any MIS can be considered usable
- Timeliness
- Accuracy
 - Consistency
- Completeness
- Relevance
Electronic Funds Transfer Services
- Two types of systems
- Wholesale Systems (large dollar systems) access through FEDWIRE
- FEDWIRE
- Clearing system, three methods to access: off-line via telephone with FRB,
dial up access via a PC based system, direct compute interface
- No settlement risk in FEDWIRE system (credit risk can still be present)
- Retail Systems (automated clearing houses, ATM, POS, telephone bill paying,
home banking systems, and debit cards)
Lost and Stolen Securities Program (SEC Rule 17f1)
All insured banks subject to the rule and must register with the Securities Information
Center (SIC)
Registration
- May register as direct or indirect inquirer
- If register indirect, must designate a correspondent bank to act as direct inquirer
on behalf
Reporting Requirements
- All securities discovered missing, lost, stolen, or counterfeit, which are or were in
the bank’s possession or control must be reported on Form X17F1A
- (Counterfeit and stolen securities involving suspected criminal activity must be
reported to law enforcement authority)
- Banks must report recovery or finding any security previously reported as lost or
stolen within one business day
Inquiry Requirements
- Banks must make an inquiry to SIC for every security which comes into their
possession unless:
- Received directly from the issuer or issuing agent at the time of issue
- Received from another reporting bank or FRB
- Received from a customer of the bank, and the security is registered in the name
of the customer, as verified by the internal records of the bank, OR
- The security is part of a transaction involving bonds of less than $10,000 face
value and stocks of less than $10,000 market value. (Limit applies to the
aggregate transaction amount)
- The following securities are not subject to reporting and inquiry requirements:
- Registered US Government securities
- Security issues not assigned CUSIP numbers
- Bond coupons
Recordkeeping
- Banks shall maintain and preserve for 3 years copies of all Forms X17F1A and
all confirmations or other information received from the SIC as a result of inquiry
into the system
Improper and Illegal Payments by Banks and Bank HC’s
Examination Procedures, review (certain cases expanded procedures are required)