Ga. Comp. R. & Regs. R. 80-2-6-.05 - Internal Audit Program

(1) An institution shall have an internal audit program that is appropriate to the size of the institution and the nature and scope of its activities. An appropriate internal audit program consists of qualified persons and provides for effective:

(a) Monitoring and reporting on the system of internal controls;

(b) Testing and review of controls over information systems;

(c) Documenting of testing activities, findings, and corrective actions;

(d) Verifying and reviewing of management actions to address material weaknesses; and

(e) Engagement and oversight by the institution's Board of Directors.

(2) The Board of Directors shall name an internal auditor or designate an officer to act as a liaison with third parties engaged to perform the internal audit program.

(3) The Board of Directors shall review and approve the scope of the internal audit program to include the operational areas targeted for review, the proposed timeline of reviews, testing procedures to be used, the qualifications of personnel for the subject matter to be reviewed, and the independence of personnel from operational responsibilities over areas to be reviewed. Alternatively, an audit committee formed in compliance with O.C.G.A. § 7-1-656(b)(2), is authorized to act in lieu of the Board of Directors. The scope of the internal audit will be documented - via an engagement letter when third parties are engaged - and provided to the Department upon request.

(4) The internal auditor or designated liaison shall:

(a) Implement or oversee implementation of the institution's internal audit program;

(b) Monitor the implementation of corrective actions; and

(c) Report to the Board of Directors at least annually on the status of the internal audit program to include audit activities, findings, and corrective actions.

(5) The internal audit shall be appropriate to the size of the institution and the nature and scope of its activities. In determining the nature and scope of the internal audit, the financial institution shall take into consideration the auditing standards formulated by The Auditing Standards Board of the AICPA, and/or the Institute for Internal Auditors.

(6) Unless pre-approved by the Department in writing, the external audit obtained pursuant to O.C.G.A. § 7-1-657 and Rule 80-2-6-.01 will not satisfy the internal audit program requirement.

(7) In the event the Department determines that an internal audit program is deficient, the Department may require the institution to:

(a) Replace the internal auditor with an individual acceptable to the Department;

(b) Perform additional reviews by personnel acceptable to the Department with subject matter expertise on, and independence from, the areas targeted for review; and

(c) Engage a third-party acceptable to the Department to perform a comprehensive review of the adequacy of the institution's internal control environment in accordance with a standard acceptable to the Department.

Notes

Ga. Comp. R. & Regs. R. 80-2-6-.05

O.C.G.A. § 7-1-61.

Original Rule entitled "Internal Audit Program" adopted. F. July 9, 2019; eff. July 29, 2019.