69U-120.045. Minimum Internal Audit Procedures  


Effective on Monday, January 18, 2021
  • 1(1) Each state commercial bank, association and trust company shall have an internal audit performed every calendar year. The internal audit shall be performed within 15 months of the previous internal audit. However, if an internal audit is performed on a continuous basis, it shall be initiated during the calendar year and within 15 months of the previous internal audit.

    61(2) To satisfy the internal audit requirement, any party conducting the internal audit must be independent of any manager or employee in charge of operating the financial institution. The party must be one of the following:

    97(a) The audit department or internal auditor of the financial institution;

    108(b) The audit department of a related financial institution holding company or affiliate thereof;

    122(c) The audit department of a correspondent bank;

    130(d) A certified public accountant licensed to practice in the State of Florida and independent of the financial institution and its affiliates; or

    153(e) The board of directors as a whole or acting through a designated committee of board members; however, if a committee is designated, no active executive officers or employees of the financial institution may participate on the committee.

    191(3) A party is considered independent if:

    198(a) The party reports directly to the financial institution’s board of directors;

    210(b) The party’s duties at the financial institution are confined entirely to auditing the financial institution;

    226(c) The party has no proprietary interest, directly or indirectly, in any partnership, firm, or other person that controls or directs the financial institution;

    250(d) The party has no outstanding loans or other obligations which have been criticized by any other auditor or any regulatory agency; and,

    273(e) All relationships the party has with any member of the board of directors have been disclosed to the board of directors and all questions concerning the party’s independence have been resolved before the internal audit begins.

    310(4) To satisfy the requirements of this section, each internal audit shall:

    322(a) Assess the effectiveness of the financial institution’s internal control policies and procedures, including the electronic data processing function; and

    342(b) Shall include an assessment of each of the following areas:

    3531. Asset accounts;

    3562. Liability accounts;

    3593. Capital accounts;

    3624. Income and expense accounts; and,

    3685. Contingent liabilities and off-balance sheet activities.

    375(5) In lieu of a comprehensive internal audit, a financial institution may satisfy this audit requirement by having a continuous audit performed by a party qualified pursuant to subsection (2), above. Additionally, financial institutions that are subsidiaries of a holding company may satisfy this audit requirement by submitting an audit of the consolidated holding company, if such audit complies with the requirements of this rule.

    440(6) Within 90 days after the completion of the internal audit, and within 45 days of acceptance by the board of directors, the board of directors shall submit the following to OFR:

    472(a) A copy of the completed internal audit report, including the date or dates on which the audit was conducted and the date it was reviewed and approved by the board of directors;

    505(b) A statement indicating that all of the areas outlined in this rule were reviewed, or specific reasons why certain areas were not reviewed;

    529(c) A statement of condition and a statement of income and expense for the financial institution (and the holding company if appropriate) as of the audit date;

    556(d) A statement describing the findings and recommendations of the audit; and,

    568(e) The board of directors’ response to the findings and recommendations of the audit.

    582(7) OFR shall review each audit and, if it finds that the internal audit does not comprehensively address all relevant areas of concern or accurately reflect the condition of the financial institution, OFR shall require an audit pursuant to section 622655.045(3)(a), F.S.

    624Rulemaking Authority 626655.012(2) FS. 628Law Implemented 630655.045 FS. 632History–New 7-18-74, Amended 1-5-77, 6-30-81, Formerly 3-1.13, 3C-11.13, 3C-11.013, Amended 1-31-96, Formerly 3C-120.045, Amended 1-18-21.