Management and Internal Controls Evaluation

Internal control is a process designed to provide reasonable assurance that the institution will achieve the following objectives: efficient and effective operations, including safeguarding of assets; reliable financial reporting; and compliance with applicable laws and regulations. Internal control consists of five components that are a part of the management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. The effective functioning of these components, which is brought about by an institution’s board of directors, management, and other personnel, is essential to achieving the internal control objectives.

Directors are placed in a position of trust by the bank’s shareholders, and both statutes and common law place responsibility for the affairs of a bank firmly and squarely on the board of directors. The board of directors of a bank should delegate the day-to-day routine of conducting the bank’s business to its officers and employees, but the board cannot delegate its responsibility for the consequences of unsound or imprudent policies and practices. (COSO, in the CBEM Manual)

Policy Letters

Audit (Internal and External)

Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion

Interagency Advisory on External Audits of Internationally Active U.S. Financial Institutions

Filing Procedures for Annual Independent Audits and Reports Required Under Federal Deposit Insurance Corporation (FDIC) Rules

Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing

Interagency Advisory on the Unsafe and Unsound Use of Limitation of Liability Provisions in External Audit Engagement Letters

Amended Interagency Guidance on the Internal Audit Function and its Outsourcing

Guidelines for Using External Experts on Examinations, Inspections, and Other Bank Supervision Matters

Interagency Policy Statement on External Audits of Banks With Less Than $500 Million in Total Assets

Supervisory Guidance on Required Absences from Sensitive Positions

Guidance on Addressing Internal Control Weaknesses in U.S. Branches and Agencies of Foreign Banking Organizations through Special Audit Procedures

Rating the Adequacy of Risk Management Processes and Internal Controls at State Member Banks and Bank Holding Companies

Sharing of Facilities and Staff by Banking Organizations

Supervisory Guidance on the Implementation of Section 112 of the FDIC Improvement Act

Interagency Guidance on Coordination and Communication Between External Auditors and Examiners

Corporate Governance and Internal Controls

Contact Information in Relation to Computer-Security Incident Notification Requirements

Guide for Community Banking Organizations Conducting Due Diligence on Financial Technology Companies

Supervisory Guidance on Board of Directors' Effectiveness

Inactive or Revised SR Letters Related to the Federal Reserve’s Supervisory Expectations for a Firm’s Boards of Directors

Consolidated Recovery Planning for Certain Large Domestic Bank Holding Companies

Heightened Supervisory Expectations for Recovery and Resolution Preparedness for Certain Large Bank Holding Companies - Supplemental Guidance on Consolidated Supervision Framework for Large Financial Institutions (SR letter 12-17/CA letter 12-14)

Guidance on Model Risk Management

Interagency Statement on Sound Practices Concerning Elevated Risk Complex Structured Finance Activities

Elements of a Sound Conflict of Interest Program

Additional Resources

Manual References

  • Bank Holding Company Supervision Manual
    • Section 1060.31, "Assessment of Risk-Management Processes and Internal Controls of BHCs Having $100 Billion or More in Total Assets"
    • Section 1062.1, "Supervisory Guidance for Assessing Risk Management at Supervised Institutions with Total Consolidated Assets Less than $100 Billion"
  • Commercial Bank Examination Manual
    • Section 4000.1, "Duties and Responsibilities of Directors"
    • Section 4010.1, "Management Assessment"
    • Section 4500.1, "Internal Control and Audit Function, Oversight, and Outsourcing"
    • Section 4510.1, "Internal Control: Supplement on Internal Auditing"
    • Section 4520.1, "Required Absences from Sensitive Positions"
Last Update: October 03, 2023