INTERNAL ROUTINE AND CONTROLS - FDIC


RMS Manual of Examination Policies, Federal Deposit Insurance Corporation
Section 4.2, Internal Routine and Controls (3/15), page 4.2-1

CONTENTS

INTRODUCTION ... 2
INTERNAL CONTROL SYSTEMS ... 2
Key Control System Components ... 2
Control Environment ... 2
Risk Assessments ... 2
Control Activities ... 3
Information and Communication ... 3
Monitoring ... 3
Control Standards ... 3
Director Approvals ... 3
Sound Personnel Policies ... 3
Segregation of Duties ... 3
Joint Custody ... 4
Vacation Policies ... 4
Rotation of Personnel ... 4
Pre-numbered Documents ... 4
Cash Controls ... 5
Reporting Irregularities and Shortages ... 5
Business Continuity Plans ... 5
Accounting Systems ... 5
Audit Trail ... 5
Accounting Manual ... 6
AUDIT ... 6
Internal Audit ... 6
General Standards ... 6
Organizational Structure ... 7
Management, Staffing, and Audit Quality ... 7
Scope ... 7
Communication ... 7
Contingency Planning ... 8
Outsourcing Internal Audits ... 8
Accountant Independence ... 8
External Audit ... 8
Audit Committees ... 9
External Audits of Financial Statements ... 9
External Audit Reports ... 9
Audits at Institutions Under 500 Million ... 9
Audits at Institutions of 500 Million or More ... 10
Public Accountant Responsibilities ... 11
Reporting Requirements ... 11
Audit Committee ... 11
Holding Company Subsidiaries ... 12
Mergers ... 12
Review of Compliance with Part 363 ... 12
OTHER EXTERNAL AUDIT ISSUES ... 13
Communication with External Auditors ... 13
Workpaper Review Procedures ... 13
Complaints Against Accountants ... 14
Third-Party Audits at FDIC's Request ... 14
SARBANES-OXLEY ACT ... 15
Public Companies ... 15
Non-public Banks ... 15
Reporting Requirements ... 15
EVALUATING AUDIT PROGRAMS ... 16
Recommendation Considerations ... 16
Troubled Banks ... 16
Management Responsibilities ... 16
Common Controls ... 17
Cash and Due From Audits ... 17
Investments ... 17
Loans ... 17
Allowance for Loan and Lease Losses (ALLL) ... 17
Bank Premises and Equipment ... 17
Other Assets and Other Liabilities ... 18
Deposits ... 18
Borrowed Funds ... 18
Capital Accounts and Dividends ... 18
Other Control Accounts ... 18
Income and Expenses ... 18
Direct Verification ... 18
FRAUD AND INSIDER ABUSE ... 19
Introduction ... 19
Loans ... 19
Loan Collateral ... 19
Deposits ... 19
Correspondent Bank Accounts ... 19
Tellers and Cash ... 19
Income and Expense ... 19
Investment Securities ... 19
Additional Risks ... 19
EXAMINATION TECHNIQUES ... 20
Introduction ... 20
Account Reconcilements ... 20
Direct Verification ... 20
Loans ... 20
Deposits ... 21
Correspondent Bank Accounts ... 22
Tellers and Cash ... 22
Suspense Accounts ... 22
Income and Expense Accounts ... 22
General Ledger Accounts ... 22
Other ... 22
Secretary of State Websites ... 22
RELATED CONTROL ISSUES ... 22
Information Technology ... 22
Management Information Systems ... 23
Payment Systems ... 23
Lost and Stolen Securities Program ... 24
Registration ... 24
Inquiries ... 24
Reporting ... 24
Exemptions ... 25
Examination Considerations ... 25
Improper and Illegal Payments ... 25

INTERNAL ROUTINE AND CONTROLS

INTRODUCTION

Internal controls include the policies and procedures that financial institutions establish to reduce risks and ensure they meet operating, reporting, and compliance objectives. The board of directors is responsible for ensuring internal control programs operate effectively. Their oversight responsibilities cannot be delegated to others within the institution or to outside parties. The board may delegate operational activities to others; however, the board must ensure effective internal control programs are established and periodically modified in response to changes in laws, regulations, asset size, organizational complexity, etc.

Many internal controls are programmed directly into software applications as part of data input, processing, or output routines. Other controls involve procedural activities standardized in an institution's policies. The relative importance of an individual control, or lack thereof, must be viewed in the context of other controls. Every bank is unique, and one set of internal procedures cannot be prescribed for all institutions. However, all internal control programs should include effective control environments, risk assessments, control activities, information systems, and monitoring programs.

Internal control programs should be designed to ensure organizations operate effectively, safeguard assets, produce reliable financial records, and comply with applicable laws and regulations. Internal control programs should address five key components:

- Control environments,
- Risk assessments,
- Control activities,
- Information and communication, and
- Monitoring.

These components must function effectively for institutions to achieve internal control objectives. This overview of internal control is described further in a report by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) titled Internal Control - Integrated Framework. Institutions are encouraged to evaluate their internal control program against this COSO framework.

If examiners determine internal routines or controls are deficient, they should discuss the deficiencies with the chief executive officer and the board of directors, and include appropriate comments in the report of examination (ROE).

INTERNAL CONTROL SYSTEMS

Part 364 of the FDIC Rules and Regulations establishes safety and soundness standards that apply to insured state nonmember banks and state-licensed, insured branches of foreign banks. Appendix A to Part 364 includes, among other things, general standards for internal controls, information systems, and audit programs. The standards require all financial institutions to have controls, systems, and programs appropriate for their size and the nature, scope, and risk of their activities. Internal controls and information systems should ensure:

- An organizational structure that defines clear lines of authority and responsibilities for monitoring adherence to established policies;
- Effective risk assessments;
- Timely and accurate financial, operational, and regulatory reports;
- Adequate procedures to safeguard and manage assets; and
- Compliance with applicable laws and regulations.

Key Control System Components

Control Environment

The control environment begins with a bank's board of directors and senior management. They are responsible for developing effective internal control systems and ensuring all personnel understand and respect the importance of internal controls. Control systems should be designed to provide reasonable assurance that appropriately implemented internal controls will prevent or detect:

- Materially inaccurate, incomplete, or unauthorized transactions;
- Deficiencies in the safeguarding of assets;
- Unreliable financial and regulatory reporting; and
- Deviations from laws, regulations, and internal policies.

Risk Assessments

Risk assessments involve the identification, measurement, analysis, and documentation of significant business activities, associated risks, and existing controls. Financial risk assessments focus on identifying control weaknesses and material errors in financial statements such as incomplete, inaccurate, or unauthorized transactions. Risk assessments are conducted in order to identify, measure, and prioritize risks so that attention is placed first on areas of greatest importance. Risk assessments should analyze threats to all significant business lines, the sufficiency of mitigating controls, and any residual risk exposures. The results of all assessments should be appropriately reported, and risk assessment methodologies should be updated regularly to reflect changes in business activities, work processes, or internal controls.

Control Activities

Control activities include the policies and procedures institutions establish to manage risks and ensure predefined control objectives are met. Preventative controls are designed to deter the occurrence of an undesirable event. Detective controls are designed to identify operational weaknesses and help effect corrective actions. Control activities should cover all key areas of an organization and address items such as organizational structures, committee compositions and authority levels, officer approval levels, access controls (physical and electronic), audit programs, monitoring procedures, remedial actions, and reporting mechanisms.

Information and Communication

Reliable information and effective communication are essential for maintaining control over an organization's activities. Information about organizational risks, controls, and performance must be quickly communicated to those who need it. Technology systems and organizational procedures should facilitate the effective distribution of reliable operational, financial, and compliance-related reports. Clearly defined procedures should be developed that make it easy for individuals to report risks, errors, or fraud through formal and informal means. These procedures should also provide for communicating, as needed, with external parties such as customers, regulators, shareholders, and investors.

Monitoring

Internal control systems must be monitored to ensure they operate effectively. Monitoring may consist of periodic control reviews specifically designed to ensure the sufficiency of key program components, such as risk assessments, control activities, and reporting mechanisms. Monitoring the effectiveness of a control system may also involve ongoing reviews of routine activities. The effectiveness of a periodic review program is enhanced when people with appropriate skills and authority are placed in key monitoring roles.

Control Standards

The control environment begins with the board of directors, which must establish appropriate control standards. The board of directors or an audit committee, preferably consisting entirely of outside directors (directors independent of operational duties), must monitor adherence to established directives. Boards should establish policy standards that address issues such as decision-making authorities, segregation of duties, employee qualifications, and operating and recording functions. Key internal controls are described below.

Director Approvals

The board of directors should establish limits for all significant matters (such as lending and investment authorities) delegated to relevant committees and officers. Management should regularly provide financial and operational reports to the board, including standardized reports that detail policy exceptions, new loans, past due credits, concentrations, overdrafts, security transactions, etc. The board or a designated board committee should periodically review all authority levels and material actions. The key control objective is that the board is regularly informed of all significant matters.

Sound Personnel Policies

Sound personnel policies are critical components of effective control programs. The policies should require boards and officers to check employment references, hire qualified officers and competent employees, use ongoing training programs, and conduct periodic performance reviews.

Management should check the credit and previous employment references of prospective employees. The FBI is available to check the fingerprints of current and prospective employees and to supply institutions with criminal records, if any, of those whose fingerprints are submitted. Some insurance companies that write bankers' blanket bonds also offer assistance in screening officers and employees.

Pursuant to Section 19 of the Federal Deposit Insurance Act (FDI Act), the FDIC's written consent is needed in order for individuals to serve in an insured bank as a director, officer, or employee if they have been convicted of a criminal offense involving dishonesty, breach of trust, or money laundering.

Segregation of Duties

The possibility of fraud diminishes significantly when two or more people are involved in processing a transaction. A segregation of duties occurs when two or more individuals are required to complete a transaction. The segregation of duties allows one person's work to verify that transactions initiated by another employee are properly authorized, recorded, and settled. When establishing segregation-of-duty standards, management should assign responsibilities so that one person cannot dominate a transaction from inception to completion. For example, a loan officer should not perform more than one of the following tasks: make a loan, disburse loan proceeds, or accept loan payments. Individuals having authority to sign official checks should not reconcile official check ledgers or correspondent accounts, and personnel that originate transactions should not reconcile the entries to the general ledger. Additionally, information technology (IT) personnel should not initiate and process transactions, or correct data errors unless corrections are required to complete timely processing. In this situation, corrections should be pre-authorized, when possible, and authorized personnel should review and approve all corrections as soon as practical after the corrections are processed, regardless of any pre-authorizations.

Automated controls that act similar to manual segregation-of-duty controls can be written into software programs. For example, automated holds can be placed on customer accounts requiring special attention, such as dormant accounts or accounts with large uncollected funds. An automated hold allows tellers or customer service representatives to access an account for a customer, but requires the approval of a second person to authorize a transaction. In addition, certain modifications of data, such as master file changes, should require action from two authorized people before data is altered. When a hold on an account is added or removed, or when an action requiring supervisory approval occurs, exception reports should be automatically printed and reviewed by a designated person who is not involved with the activity. When properly designed, automated contr

... automated teller machines, safe deposit boxes, and tellers' cash drawers.

Vacation Policies

Banks should have a policy that requires all officers and employees to be absent from their duties for an uninterrupted period of not less than two consecutive weeks. Absence can be in the form of vacation, rotation of duties, or a combination of both activities. Such policies are highly effective in preventing embezzlements, which usually require a perpetrator's ongoing presence to manipulate records, respond to inquiries, and otherwise prevent detection. The benefits of such policies are substantially, if not totally, eroded if the duties normally performed by an individual are not assumed by someone else.

Where a bank's policies do not conform to the two-week recommended absence, examiners should discuss the benefits of this control with senior management and the board of directors and encourage them to annually review and approve the bank's actual policy and any exceptions. In cases where a two-week absent-from-duty policy is not in place, the institution should establish appropriate compensating controls that are strictly enforced. Any significant deficiencies in an institution's vacation policy or compensating controls should be discussed in the ROE and reflected in the Management component of the Uniform Financial Institutions Rating System (UFIRS).
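The automated segregation-of-duty controls described under Segregation of Duties above (a second person to authorize an action on a held account, two authorized people before a master file change, and an exception report reviewed by someone uninvolved) can be expressed as a small dual-control workflow. The following is an added illustration, not code from the FDIC manual; the user ids, account numbers and class names are constructed for the example.

```python
from dataclasses import dataclass, field

class SegregationError(Exception):
    """Raised when one person would dominate an action from start to finish."""

@dataclass
class ControlledAction:
    """A hold add/remove or master file change that needs a second person."""
    kind: str
    account: str
    initiator: str
    approver: str = ""  # empty until a second authorized person approves

    def approve(self, approver: str) -> None:
        # Second-person rule: the initiator may never approve their own action.
        if approver == self.initiator:
            raise SegregationError(f"{approver} cannot approve own {self.kind}")
        self.approver = approver

@dataclass
class ExceptionLog:
    entries: list = field(default_factory=list)

    def record(self, action: ControlledAction) -> None:
        # Data is altered (and reported) only after two authorized people acted.
        if not action.approver:
            raise SegregationError(f"{action.kind} on {action.account} lacks approval")
        self.entries.append({"kind": action.kind, "account": action.account,
                             "initiator": action.initiator, "approver": action.approver})

    def review(self, reviewer: str) -> list:
        # The reviewer must not have initiated or approved anything on the report.
        involved = {p for e in self.entries for p in (e["initiator"], e["approver"])}
        if reviewer in involved:
            raise SegregationError(f"{reviewer} took part in logged activity")
        return list(self.entries)

def demo() -> dict:
    """Constructed scenario with hypothetical user ids and account number."""
    log, refused = ExceptionLog(), []
    hold = ControlledAction("hold_add", "ACCT-0001", initiator="teller_a")
    hold.approve("supervisor_b")  # valid: two different people
    log.record(hold)
    change = ControlledAction("master_file_change", "ACCT-0001", initiator="teller_a")
    for step in (lambda: change.approve("teller_a"), lambda: log.record(change)):
        try:
            step()  # self-approval, then an unapproved change: both refused
        except SegregationError as exc:
            refused.append(str(exc))
    return {"logged": len(log.entries), "refused": refused,
            "report": log.review("auditor_c")}
```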
