Internal Control Questionnaires and Verification Procedures

During the Examination

  1. Conduct the review of risk areas.

  2. If substantive deficiencies are not identified, complete the onsite examination as planned.

  3. If substantive deficiencies exist, determine if the scope of examination should be expanded. If the scope is not expanded, complete the onsite examination. If the scope is expanded, select appropriate expanded procedures from the booklets of the Comptroller’s Handbook, including ICQs and verification procedures.

    Expanded procedures should focus on the specific substantive deficiencies identified and be tailored to include additional transaction testing or a more thorough assessment of the risk management process. The scope of work performed must be sufficient to determine the extent of the problems and their effect on bank operations.

    Examples of deficiencies that would require the use of expanded procedures include indications that:

    • Management is trying to control or inhibit communications from internal audit staff to the board of directors.

    • Significant new products or activities are being pursued with little or no expertise or with inadequate risk management controls.

    • Bank underwriting and risk selection standards have been relaxed.

    • High growth is occurring in specific areas of the bank without adequate audit or internal controls.

    • Capital levels or ratios are rapidly declining.

    • Balances in suspense accounts are high or growing.

    • Separation of duties in areas involved with disbursement of funds is inadequate.

    • Reliance on short-term or unstable funding sources is increasing.

    • Volume of loans granted or renewed with policy exceptions is large or increasing.

    • Significant increases or decreases in noninterest income have occurred.

  4. Conduct the expanded procedures.

  5. Determine if substantive concerns remain, particularly about the adequacy of audit, internal controls, the existence of assets, or the integrity of the bank’s financial management or risk management controls.

  6. If no substantive concerns remain, complete the examination, developing appropriate conclusions, MRAs, ROE comments, and supervisory follow-up.

  7. If substantive safety and soundness concerns remain unresolved that may have a material adverse effect on the bank, further expand the scope by completing additional verification procedures. The scope of work performed must be sufficient to determine the extent of the problems, their root causes, and their effect on bank operations. Examiners should consult with their supervisory office or the Chief Accountant’s office before conducting direct confirmations with customers or third parties.

    The existence of a “clean” external audit opinion does not necessarily preclude the use of verification procedures by examiners, if there is a significant concern about the quality, scope or depth of the external audit.

    Verification procedures should also be used whenever:

    • Account records are significantly out of balance.

    • Management is uncooperative or poorly manages the bank and substantive deficiencies remain unresolved from prior OCC examinations or internal audits.

    • Management restricts access to bank records.

    • Significant accounting, audit, or internal control deficiencies remain uncorrected from previous examinations or from one audit to the next.

    • Bank auditors are unaware of, or unable to sufficiently explain, significant deficiencies.

    • Management engages in activities that raise questions about their integrity.

    • Repeated violations of law affect audit, internal controls, or regulatory reports.

    • Other situations exist that examiners believe warrant further investigation.

    The extent that examiners perform verification procedures is decided on a case-by-case basis after consultation with the supervisory office. The EIC may direct the bank to contract with a third party to perform the verification necessary to determine the extent and effect of the deficiency on bank operations. If done by a third party, the verification must be done on a timely basis; supervisory follow-up will consist of reviewing the scope and results of the verification work and will be scheduled shortly after the third party completes its work.

  8. For less problematic situations than those identified in Step 7, the examiner may require the bank to expand its audit program to include the areas containing weaknesses or deficiencies. However, this alternative will only be used if management has demonstrated a capacity and willingness to address regulatory problems, if there are no concerns about management’s integrity, and management has initiated timely corrective action in the past. Use of this alternative must result in timely resolution of each identified supervisory problem. If examiners use this alternative, supervisory follow-up will include a review of audit work papers in areas where the bank audit was expanded.

  9. Develop appropriate conclusions, MRAs, ROE comments, and supervisory follow-up. These conclusions should also be incorporated into regulatory ratings and the risk assessments.

  10. Provide supervisory strategy recommendations for the next supervisory cycle to the EIC.

Previous: Pre-Examination Planning Next: Accounts Receivable and Inventory Financing