Management and Internal Controls Evaluation

Internal control is a process designed to provide reasonable assurance that the institution will achieve the following objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components, which is brought about by an institution’s board of directors, management, and other personnel, is essential to achieving the internal control objectives.

Directors are placed in a position of trust by the bank’s shareholders, and both statutes and common law place responsibility for the affairs of a bank firmly and squarely on the board of directors. The board of directors of a bank should delegate the day-to-day routine of conducting the bank’s business to its officers and employees, but the board cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices. (COSO, in the CBEM Manual)

Policy Letters

Audit (Internal and External)

Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion

Interagency Advisory on External Audits of Internationally Active U.S. Financial Institutions

Filing Procedures for Annual Independent Audits and Reports Required Under Federal Deposit Insurance Corporation (FDIC) Rules

Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing

Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters

Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

Guidelines for Using External Experts on Examinations, Inspections, and Other Bank Supervision Matters

Interagency Policy Statement on External Audits of Banks With Less Than $500 Million in Total Assets

Supervisory Guidance on Required Absences from Sensitive Positions

Guidance on Addressing Internal Control Weaknesses in U.S. Branches and Agencies of Foreign Banking Organizations through Special Audit Procedures

Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies

Sharing of Facilities and Staff by Banking Organizations

Supervisory Guidance on the Implementation of Section 112 of the FDIC Improvement Act

Interagency Guidance on Coordination and Communication Between External Auditors and Examiners

Corporate Governance and Internal Controls

Contact Information in Relation to Computer-Security Incident Notification Requirements

Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies

Supervisory Guidance on Board of Directors' Effectiveness

Inactive or Revised SR Letters Related to the Federal Reserve’s Supervisory Expectations for a Firm’s Boards of Directors

Consolidated Recovery Planning for Certain Large Domestic Bank Holding Companies

Heightened Supervisory Expectations for Recovery and Resolution Preparedness for Certain Large Bank Holding Companies - Supplemental Guidance on Consolidated Supervision Framework for Large Financial Institutions (SR letter 12-17/CA letter 12-14)

Guidance on Managing Outsourcing Risk

Guidance on Model Risk Management

Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities

Elements of a Sound Conflict of Interest Program

Additional Resources

Manual References

  • Bank Holding Company Supervision Manual
    • Section 4070.1, "Rating the Adequacy of Risk Management Processes and Internal Controls of Bank Holding Companies"
  • Commercial Bank Examination Manual
    • Section 1010.1, "Internal Control and Audit Function, Oversight, and Outsourcing"
    • Section A.1010.1, "Internal Control: Supplement on Internal Auditing"
    • Section 5000.1, "Duties and Responsibilities of Directors"
    • Section 5010.1, "Management Assessment"
    • Section 5017.1, "Internal Control-Procedures, Processes and Systems (Required Absences)"
Last Update: December 20, 2022