Objective

1.) Review and summarize the most recent Internal Audit, External Audit, and Examiners Reports. This will assist in setting scope of the
audit depending upon what issues have been identified and whether they have since been resolved or not.
2.) Review Risk Assessment (Notes Link Risk Assessment Link) and Risk Responses (Notes Link Risk Response Link). The purpose here is
to identify and familiarize the auditor with issues from the last audit and/or review of the risks and associated controls so that they
can be incorporated into the audit program as needed to ensure they have been addressed/resolved and if not, why. The Risk
Assessment and the Risk Responses are not to be updated at this time, that will be performed once the audit is complete as part of
work paper 903.
3.) Review the most recent internal compliance reports, to identify and familiarize the auditor with issues from the last audit and/or
review of the risks and associated controls for the area being audited. In today's environment this would consist of the Wealth
Management Compliance reports that are completed by for the ARS, Trust, and Insurance functions. This information should be used
to identify higher risk areas/processes and should also be used as a comparison to actual audit results.
4.) For Enterprise Risk Management (ERM), Managers are responsible for managing their risks and will do so 1) by utilizing their "key risk
indicators" and by updating their risks quarterly within the database (ERM on GF01). New enterprise risks may be added to or
deleted from the database at any given time.
Source/Scope

Process/Procedure/Policy Review:
Link to Loan Policy >>>
Personnel Discussions:
Underwriting Manager
Loan Product Manager and Chief Lending Officer
Chief Credit Officer
Link to previous workpaper >>>
Link to supporting workpaper >>>
Objective 1):
R1: 2011 Credit Administration Internal Audit Report >>>

WP 102 Internal Audit Report for 2011.pdf

R2: Internal Audit Report Rating >>>

WP 102 Internal Audit Report Rating.pdf

R3: 2011 Credit Administration Findings Memo >>>

WP 102 Credit Administration 2011

Findings Memo.pdf

R4: OCC Safety and Soundness Exit Meeting >>>

WP 102 OCC Safety and Soundness Exit

Meeting.pdf

R5: Brady Martz >>>

WP 102 Brady Martz - Audit Report and SAS114 letter (2011).pdf

Objective 2):
R6: Risk Evaluation Form >>>

WP 102 Risk Evaluation Form.pdf

Objective 4):
R7:

ERM Risks_Audits Testing - Shortcut.lnk

R8: Key Risk Indicators and Measurements Spreadsheet >>>

ONCE TERRY LOOKS AT APPLICABLE W/P

WP 102_KRI and Measurements.xlsx UPDATE

Results

Objective 1): Review and summarize the most recent Internal Audit, External Audit, and Examiners Reports. This will assist in setting
scope of the audit depending upon what issues have been identified and whether they have since been resolved or not.
The previous Internal Audit Report for Credit Administration was conducted in the months of January through March 2011 (R1). The Audit
is conducted to ensure operations and controls for Credit Administration along with the Underwriting functions are accomplished. The
rating assigned to the Audit was Marginally Satisfactory (R2) after the completion of testing, reviewing internal controls, review of
automated scoring systems, databases and other tests deemed appropriate. The end result was five reportable findings:(R3)

Loan Approvals/Lending Authority

Extension and Renewals

Credit Reviews
Scoring Models
Real Estate High Loan to Value Monitoring

Credit Administration practices are satisfactory but need strengthening in certain areas.
Corrective actions for prior Matters Requiring Attention (MRA)
Senior Management need to finalize their evaluation of compliance systems and enterprises risk management.

Audit reviewed the External Audit performed by the OCC (R4) Safety and Soundness, the exit meeting date was October 26,2011. The
examination concluded with the following:

The OCC examination conclusions are senior management and the Board provide satisfactory oversight of bank activities. During the
examination, we provided management with recommendations/suggestions to further strengthen the bank's control environment in light
of the bank's increasing size and complexity of operations. The recommendations can be implemented through the normal course of
business and represent best practices within the banking industry. Management has been provided handouts providing the
recommendations.
Audit reviewed the Independent Service Auditor's Report provided by Brady Martz & Associates, P.C. External Audit (R5). The audit
revealed several area's that were reviewed within the Audit. For the purpose of this Audit-Credit Administration, they concluded the
following:

Hiring of a loan reviewer (Prior MRA)

Credit Administration practices are satisfactory but need strengthening in certain areas. Recommendations to require global
cash flow analysis for related business interests, clarify loan impairment assessments for Allowance for Loan and Lease Losses,
and provide loan portfolio diversification reports that cover all loan categories, including those that don't represent a
concentration of credit.
Asset quality is satisfactory but the dollar volume of classified assets in trending upwards.

Objective 2): Review Risk Assessment (Notes Link Risk Assessment Link) and Risk Responses (Notes Link Risk Response Link). The
purpose here is to identify and familiarize the auditor with issues from the last audit and/or review of the risks and associated controls so
that they can be incorporated into the audit program as needed to ensure they have been addressed/resolved and if not, why. The Risk
Assessment and the Risk Responses are not to be updated at this time, that will be performed once the audit is complete as part of work
paper 903.
Audit reviewed the risk assessment for Credit Administration, with the score being 295 dated 4/12/2011. With the combination of the risk

factors and weights, this area continues to be the area with a concentration of high risk. The score has been consistent from previous
Audits (R6).
Objective 3): Review the most recent internal compliance reports, to identify and familiarize the auditor with issues from the last audit
and/or review of the risks and associated controls for the area being audited. In today's environment this would consist of the Wealth
Management Compliance reports that are completed by for the ARS, Trust, and Insurance functions. This information should be used to
identify higher risk areas/processes and should also be used as a comparison to actual audit results.
This area of review is limited to the Wealth Management area. There are not compliance reports generated for the Bank side of Auditing.
Objective 4): For Enterprise Risk Management (ERM), Managers are responsible for managing their risks and will do so 1) by utilizing
their "key risk indicators" and 2) by updating their risks quarterly within the database (ERM on GF01). New enterprise risks may be
added to or deleted from the database at any given time.
Audit reviewed the Enterprise Risk Management (ERM) database (R7). The responsible owners to the applicable "key risk indicators"
within the Credit Administration Audit are: 1:) Loan Product Manager 2:) Chief Credit Officer 3:) Underwriting Manager. There is a total of
20 ERM's to the area. Mr. XXX is the owner of 7 ERM's, all of which have not been updated from the 4th quarter of 2011. Mr. YYY is the
owner of 10 ERM's, all have been updated, and MR.YYYY is the owner of 3 ERM's with 2 of them updated. Audit had a meeting with each
to discuss how each risk is being measured and monitored. The results are located in Key Risk Indicators Spreadsheet (R8).
[Exception noted] link to observation >>> Notes Link