[Federal Register Volume 64, Number 204 (Friday, October 22, 1999)]
[Notices]
[Pages 57094-57100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-27588]
=======================================================================
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
Rescission of Policy Statement Regarding Independent External
Auditing Programs of State Nonmember Banks, and Adoption of the
Interagency Policy Statement on External Auditing Programs of Banks and
Savings Associations
AGENCY: Federal Deposit Insurance Corporation (FDIC or Corporation).
ACTION: Rescission of a Policy Statement and Adoption of an Interagency
Policy Statement.
-----------------------------------------------------------------------
SUMMARY: In an effort to provide consistent guidance for banks and
savings associations regardless of their primary federal supervisor,
the FDIC is rescinding its Statement of Policy Regarding Independent
External Auditing Programs of State Nonmember Banks (Current Policy
Statement) and concurrently adopting the Interagency Policy Statement
on External Auditing Programs of Banks and Savings Associations
(Interagency Policy Statement). Both policy statements encourage
institutions to adopt an annual external auditing program, preferably
an audit by an independent public accountant, and to establish an audit
committee composed entirely of outside directors, where practicable. In
addition, the Interagency Policy Statement includes two alternatives to
an audit by an independent public accountant for institutions not
subject to the audit requirement in section 36 of the Federal Deposit
Insurance Act (FDI Act). The alternatives consist of (1) An attestation
report on internal control over specified schedules of the
institution's regulatory reports or (2) A report on the institution's
balance sheet. Both must be performed by an independent public
accountant.
The Interagency Policy Statement also includes guidance regarding
the responsibilities of boards of directors, audit committees, and
senior management with respect to external auditing programs; the
attributes and types of external auditing programs; and the review of
external auditing programs by examiners.
DATES: The Current Policy Statement is rescinded and the Interagency
Policy Statement is effective for fiscal years beginning on or after
January 1, 2000.
FOR FURTHER INFORMATION CONTACT: Doris L. Marsh, Examination
Specialist, Division of Supervision, (202) 898-8905, or A. Ann Johnson,
Counsel, Legal Division, (202) 898-3573, FDIC, 550 17th Street, NW,
Washington, DC 20429.
SUPPLEMENTARY INFORMATION:
I. Background
The FDIC first adopted guidance on external auditing programs in
its Policy Statement Regarding Independent External Auditing Programs
of State Nonmember Banks in 1988 (53 FR 47871, November 28, 1988). In
1996, the FDIC reviewed the Current Policy Statement pursuant to
section 303(a) of the Riegle Community Development and Regulatory
Improvement Act of 1994 and adopted several amendments to eliminate
inconsistencies and outdated requirements (61 FR 32438, June 24, 1996).
The Federal Financial Institutions Examination Council (FFIEC), on
behalf of the Board of Governors of the Federal Reserve System (FRB),
the Federal Deposit Insurance Corporation (FDIC), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift Supervision
(OTS), collectively referred to as the ``banking agencies'' or the
``agencies,'' have each provided guidance on external audits to their
supervised institutions, but a uniform policy did not exist. Under the
auspices of the FFIEC, the agencies sought public comment on a proposed
policy statement on External Auditing Programs of Banks and Savings
Associations in February 1998 (63 FR 7796, February 17, 1998). The
FFIEC received approximately 120 letters commenting on the proposed
policy statement, and it revised the policy statement after considering
the comments. On August 19, 1999, the FFIEC approved the Interagency
Policy Statement on External Auditing Programs of Banks and Savings
Associations (Policy Statement) (64 FR 52319, September 28, 1999) and
recommended that the banking agencies adopt it.1
---------------------------------------------------------------------------
\1\ The National Credit Union Administration (NCUA), also a
member of the FFIEC, is not adopting the policy.
---------------------------------------------------------------------------
II. Rescission of the Current Policy Statement and Adoption of the
Interagency Policy Statement
In order to minimize burden on institutions and holding companies
and in the spirit of section 303 of the Riegle Community Development
and Regulatory Improvement Act of 1994, the banking agencies seek to
provide consistent and uniform guidance for supervised institutions.
The banking agencies believe that an independent external audit
provides reasonable assurance that an institution's financial
statements are prepared in accordance with generally accepted
accounting principles (GAAP). Accordingly, the banking agencies
recommend that every institution have an external auditing program.
To provide explicit guidance to institutions regarding these
programs, the FFIEC approved a uniform Interagency Policy Statement on
August 19, 1999. The FFIEC recommended to the banking agencies that
they individually adopt the policy. Thus, the FDIC must replace its
Current Policy Statement with the Interagency Policy Statement in order
to achieve uniformity in this area.
III. Comparison of the Current and Interagency Policy Statements
For the most part, both the Current Policy Statement and the
Interagency Policy Statement provide similar guidance. Both encourage
each institution to have an annual audit of its financial statements
performed by an independent public accountant. The Interagency Policy
Statement also describes two alternatives to an audit that an
institution may elect to have performed annually in order to have an
acceptable external auditing program. These alternatives, which must be
performed by an independent public accountant, are an attestation on
internal control over financial reporting on certain schedules of the
Reports of Condition and Income (Call Report) and an audit of the
institution's balance sheet. The Interagency Policy Statement further
indicates that for a smaller institution with less complex operations,
the attestation on internal control may be less costly than an audit of
its financial statements or its balance sheet and provide more useful
information to management. Neither policy precludes the use of agreed-
upon procedures/state-required examinations as an external auditing
program.
Both policy statements include sections discussing their
applicability to institutions that are part of a holding company, newly
chartered institutions, and institutions presenting supervisory
concern. In addition, both policies recommend that each institution
have an audit committee consisting entirely of outside directors,
unless impracticable.
Banks and savings associations (institutions) with $500 million or
more in total assets must have an annual audit performed by an
independent public accountant under section 36 of
[[Page 57095]]
the Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR
part 363. Thus, both policy statements are directed toward institutions
below that threshold that are not otherwise subject to audit
requirements.
The two policies differ in the extent of guidance provided rather
than the content of the guidance. Accordingly, the Interagency Policy
Statement includes some guidance regarding independent external
auditing programs that is lacking in the Current Policy Statement. For
example, it discusses the responsibilities of boards of directors,
audit committees, and senior management in more detail than the Current
Policy Statement. It also describes the attributes and types of
external auditing programs available and includes a short description
of each. Guidance on what examiners will be evaluating in their review
of external auditing programs is also included in the Interagency
Policy Statement. This policy statement also recommends that examiners
have access to the auditor's workpapers concerning the auditing
engagement.
The following table shows the number and section title of each of
the paragraphs in the Current Policy Statement and the section title of
the corresponding provision in the Interagency Policy Statement:
Paragraph Conversion Table
------------------------------------------------------------------------
Current policy Interagency policy
Current policy statement: section statement: section
paragaraph No. title title
------------------------------------------------------------------------
1-3..................... Introduction.......... Introduction.
4....................... State Nonmember Banks Introduction.
Not Subject to Part
363.
5....................... ...................... Overview of the
External Auditing
Program Audit
Committee.
6....................... ...................... Examiner Guidance
Review of the
External Auditing
Program.
7....................... Audit by an External Auditing
Independent Public Programs Types of
Accountant. External Auditing
Programs.
8....................... ...................... External Auditing
Programs Other
Considerations--Timin
g.
9-10.................... Alternatives to a External Auditing
Financial Statement Programs External
Audit. Auditing Programs.
11...................... Newly Insured Banks... Special Situations
Newly Insured
Institutions.
12-13................... Notification and Examiner Guidance
Submission of Reports. Access to Reports.
14...................... Holding Company Special Situations
Subsidiaries. Holding Company
Subsidiaries.
15...................... Troubled Banks........ Special Situations
Institutions
Presenting
Supervisory Concerns.
Appendix A.............. Definitions........... Appendix A--
Definitions.
------------------------------------------------------------------------
The Interagency Policy Statement instructs institutions to provide
copies of reports pertaining to the external auditing program,
including any management letters, to the agencies and any state
authority in accordance with their appropriate supervisory office's
guidance. The FDIC requests that each state nonmember bank furnish a
copy of any reports by the independent public accountant pertaining to
the bank's external auditing program (regardless of the scope) to the
appropriate FDIC regional office as soon as possible after the report
is received by the bank. In addition, the FDIC requests each bank to
promptly notify the appropriate FDIC regional office when any
independent public accountant is initially engaged to perform external
auditing work and when a change in, or termination of, its independent
public accountant occurs.
IV. Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995 (PRA), the
FDIC may not conduct or sponsor, and the respondent is not required to
respond to, an information collection that does not display a currently
valid Office of Management and Budget (OMB) control number. The FDIC
submitted to OMB a request for approval of the information collection
requested by this policy statement (64 FR 55926, October 15, 1999).
V. Rescission and Adoption of Policy Statements
For the reasons set forth in the preamble, the Board of Directors
of the FDIC hereby rescinds the FDIC's Policy Statement Regarding
Independent External Auditing Programs of State Nonmember Banks and
adopts the Interagency Policy Statement on External Auditing Programs
of Banks and Savings Associations.
The text of the Interagency Policy Statement follows:
Interagency Policy Statement On External Auditing Programs of Banks
and Savings Associations
Introduction
The board of directors and senior managers of a banking institution
or savings association (institution) are responsible for ensuring that
the institution operates in a safe and sound manner. To achieve this
goal and meet the safety and soundness guidelines implementing section
39 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-
1),1 the institution should maintain effective systems and
internal control 2 to produce reliable and accurate
financial reports.
---------------------------------------------------------------------------
\1\ See 12 CFR part 30 for national banks; 12 CFR part 364 for
state nonmember banks; 12 CFR part 208 for state member banks; and
12 CFR part 510 for savings associations.
\2\ This Policy Statement provides guidance consistent with the
guidance established in the ``Interagency Policy Statement on the
Internal Audit Function and its Outsourcing.''
---------------------------------------------------------------------------
Accurate financial reporting is essential to an institution's
safety and soundness for numerous reasons. First, accurate financial
information enables management to effectively manage the institution's
risks and make sound business decisions. In addition, institutions are
required by law 3 to provide accurate and timely financial
reports (e.g., Reports of Condition and Income [Call Reports] and
Thrift Financial Reports) to their appropriate regulatory agency. These
reports serve an important role in the agencies' 4 risk-
focused supervision programs by contributing to their pre-examination
planning, off-site monitoring programs, and assessments of an
institution's capital adequacy and financial strength. Further,
reliable financial reports are necessary for the institution to raise
capital. They provide data to stockholders, depositors and other
[[Page 57096]]
funds providers, borrowers, and potential investors on the company's
financial position and results of operations. Such information is
critical to effective market discipline of the institution.
---------------------------------------------------------------------------
\3\ See 12 U.S.C. 161 for national banks; 12 U.S.C. 1817a for
state nonmember banks; 12 U.S.C. 324 for state member banks; and 12
U.S.C. 1464(v) for savings associations.
\4\ Terms defined in appendix A are italicized the first time
they appear in this policy statement.
---------------------------------------------------------------------------
To help ensure accurate and reliable financial reporting, the
agencies recommend that the board of directors of each institution
establish and maintain an external auditing program. An external
auditing program should be an important component of an institution's
overall risk management process. For example, an external auditing
program complements the internal auditing function of an institution by
providing management and the board of directors with an independent and
objective view of the reliability of the institution's financial
statements and the adequacy of its financial reporting internal
controls. Additionally, an effective external auditing program
contributes to the efficiency of the agencies' risk-focused examination
process. By considering the significant risk areas of an institution,
an effective external auditing program may reduce the examination time
the agencies spend in such areas. Moreover, it can improve the safety
and soundness of an institution substantially and lessen the risk the
institution poses to the insurance funds administered by the FDIC.
This policy statement outlines the characteristics of an effective
external auditing program and provides examples of how an institution
can use an external auditor to help ensure the reliability of its
financial reports. It also provides guidance on how an examiner may
assess an institution's external auditing program. In addition, this
policy statement provides specific guidance on external auditing
programs for institutions that are holding company subsidiaries, newly
insured institutions, and institutions presenting supervisory concerns.
The adoption of a financial statement audit or other specified type
of external auditing program is generally only required in specific
circumstances. For example, insured depository institutions covered by
section 36 of the FDI Act (12 U.S.C. 1831m), as implemented by part 363
of the FDIC's regulations (12 CFR part 363), are required to have an
external audit and an audit committee. Therefore, this policy statement
is directed toward banks and savings associations which are exempt from
part 363 (i.e., institutions with less than $500 million in total
assets at the beginning of their fiscal year) or are not otherwise
subject to audit requirements by order, agreement, statute, or agency
regulations.
Overview of External Auditing Programs
Responsibilities of the Board of Directors
The board of directors of an institution is responsible for
determining how to best obtain reasonable assurance that the
institution's financial statements and regulatory reports are reliably
prepared. In this regard, the board is also responsible for ensuring
that its external auditing program is appropriate for the institution
and adequately addresses the financial reporting aspects of the
significant risk areas and any other areas of concern of the
institution's business.
To help ensure the adequacy of its internal and external auditing
programs, the agencies encourage the board of directors of each
institution that is not otherwise required to do so to establish an
audit committee consisting entirely of outside directors.5
However, if this is impracticable, the board should organize the audit
committee so that outside directors constitute a majority of the
membership.
---------------------------------------------------------------------------
\5\ Institutions with $500 million or more in total assets must
establish an independent audit committee made up of outside
directors who are independent of management. See 12 U.S.C.
1831m(g)(1) and 12 CFR 363.5.
---------------------------------------------------------------------------
Audit Committee
The audit committee or board of directors is responsible for
identifying at least annually the risk areas of the institution's
activities and assessing the extent of external auditing involvement
needed over each area. The audit committee or board is then responsible
for determining what type of external auditing program will best meet
the institution's needs (refer to the descriptions under ``Types of
External Auditing Programs'').
When evaluating the institution's external auditing needs, the
board or audit committee should consider the size of the institution
and the nature, scope, and complexity of its operations. It should also
consider the potential benefits of an audit of the institution's
financial statements or an examination of the institution's internal
control structure over financial reporting, or both. In addition, the
board or audit committee may determine that additional or specific
external auditing procedures are warranted for a particular year or
several years to cover areas of particularly high risk or special
concern. The reasons supporting these decisions should be recorded in
the committee's or board's minutes.
If, in its annual consideration of the institution's external
auditing program, the board or audit committee determines, after
considering its inherent limitations, that an agreed-upon procedures/
state-required examination is sufficient, they should also consider
whether an independent public accountant should perform the work. When
an independent public accountant performs auditing and attestation
services, the accountant must conduct his or her work under, and may be
held accountable for departures from, professional standards.
Furthermore, when the external auditing program includes an audit of
the financial statements, the board or audit committee obtains an
opinion from the independent public accountant stating whether the
financial statements are presented fairly, in all material respects, in
accordance with generally accepted accounting principles (GAAP). When
the external auditing program includes an examination of the internal
control structure over financial reporting, the board or audit
committee obtains an opinion from the independent public accountant
stating whether the financial reporting process is subject to any
material weaknesses.
Both the staff performing an internal audit function and the
independent public accountant or other external auditor should have
unrestricted access to the board or audit committee without the need
for any prior management knowledge or approval. Other duties of an
audit committee may include reviewing the independence of the external
auditor annually, consulting with management, seeking an opinion on an
accounting issue, and overseeing the quarterly regulatory reporting
process. The audit committee should report its findings periodically to
the full board of directors.
External Auditing Programs
Basic Attributes
External auditing programs should provide the board of directors
with information about the institution's financial reporting risk
areas, e.g., the institution's internal control over financial
reporting, the accuracy of its recording of transactions, and the
completeness of its financial reports prepared in accordance with GAAP.
The board or audit committee of each institution at least annually
should review the risks inherent in its particular activities to
determine the scope of its external auditing program. For most
institutions, the lending and
[[Page 57097]]
investment securities activities present the most significant risks
that affect financial reporting. Thus, external auditing programs
should include specific procedures designed to test at least annually
the risks associated with the loan and investment portfolios. This
includes testing of internal control over financial reporting, such as
management's process to determine the adequacy of the allowance for
loan and lease losses and whether this process is based on a
comprehensive, adequately documented, and consistently applied analysis
of the institution's loan and lease portfolio.
An institution or its subsidiaries may have other significant
financial reporting risk areas such as material real estate
investments, insurance underwriting or sales activities, securities
broker-dealer or similar activities (including securities underwriting
and investment advisory services), loan servicing activities, or
fiduciary activities. The external auditing program should address
these and other activities the board or audit committee determines
present significant financial reporting risks to the institution.
Types of External Auditing Programs
The agencies consider an annual audit of an institution's financial
statements performed by an independent public accountant to be the
preferred type of external auditing program. The agencies also consider
an annual examination of the effectiveness of the internal control
structure over financial reporting or an audit of an institution's
balance sheet, both performed by an independent public accountant, to
be acceptable alternative external auditing programs. However, the
agencies recognize that some institutions only have agreed-upon
procedures/state-required examinations performed annually as their
external auditing program. Regardless of the option chosen, the board
or audit committee should agree in advance with the external auditor on
the objectives and scope of the external auditing program.
Financial Statement Audit by an Independent Public Accountant. The
agencies encourage all institutions to have an external audit performed
in accordance with generally accepted auditing standards (GAAS). The
audit's scope should be sufficient to enable the auditor to express an
opinion on the institution's financial statements taken as a whole.
A financial statement audit provides assurance about the fair
presentation of an institution's financial statements. In addition, an
audit may provide recommendations for management in carrying out its
control responsibilities. For example, an audit may provide management
with guidance on establishing or improving accounting and operating
policies and recommendations on internal control (including internal
auditing programs) necessary to ensure the fair presentation of the
financial statements.
Reporting by an Independent Public Accountant on an Institution's
Internal Control Structure Over Financial Reporting. Another external
auditing program is an independent public accountant's examination and
report on management's assertion on the effectiveness of the
institution's internal control over financial reporting. For a smaller
institution with less complex operations, this type of engagement is
likely to be less costly than an audit of its financial statements or
its balance sheet. It would specifically provide recommendations for
improving internal control, including suggestions for compensating
controls, to mitigate the risks due to staffing and resource
limitations.
Such an attestation engagement may be performed for all internal
controls relating to the preparation of annual financial statements or
specified schedules of the institution's regulatory
reports.6 This type of engagement is performed under
generally accepted standards for attestation engagements
(GASAE).7
\6\ Since the lending and investment securities activities
generally present the most significant risks that affect an
institution's financial reporting, management's assertion and the
accountant's attestation generally should cover those regulatory
report schedules. If the institution has trading or off-balance
sheet activities that present material financial reporting risks,
the board or audit committee should ensure that the regulatory
report schedules for those activities also are covered by
management's assertion and the accountant's attestation. (See Note.)
However, the schedules listed in the Note are not intended to
address all possible risks in an institution.
\7\ An attestation engagement is not an audit. It is performed
under different professional standards than an audit of an
institution's financial statements or its balance sheet.
---------------------------------------------------------------------------
Note: For banks and savings associations, the lending,
investment securities, trading, and off-balance sheet schedules
consist of:
----------------------------------------------------------------------------------------------------------------
Reports of condition and income
Area schedules schedules Thrift financial report
----------------------------------------------------------------------------------------------------------------
Loans and Lease Financing Receivables......... RC-C, Part I................... SC, CF.
Past Due and Nonaccrual Loans, Leases, and RC-N........................... PD.
Other Assets.
Allowance for Credit Losses................... RI-B........................... SC, VA.
Securities.................................... RC-B........................... SC, SI, CF.
Trading Assets and Liabilities................ RC-D........................... SO, SI.
Off-Balance Sheet Items....................... RC-L........................... SI, CMR.
----------------------------------------------------------------------------------------------------------------
Balance Sheet Audit Performed by an Independent Public Accountant.
With this program, the institution engages an independent public
accountant to examine and report only on the balance sheet. As with the
audit of the financial statements, this audit is performed in
accordance with GAAS. The cost of a balance sheet audit is likely to be
less than a financial statement audit. However, under this type of
program, the accountant does not examine or report on the fairness of
the presentation of the institution's income statement, statement of
changes in equity capital, or statement of cash flows.
Agreed-Upon Procedures/State-Required Examinations. Some state-
chartered depository institutions are required by state statute or
regulation to have specified procedures performed annually by their
directors or independent persons.8 The bylaws of many
national banks also require that some specified procedures be performed
annually by directors or others, including internal or independent
persons. Depending upon the scope of the engagement, the cost of
agreed-upon procedures or a state-required examination may be less than
the cost of an audit. However, under this type of program, the
independent auditor does
[[Page 57098]]
not report on the fairness of the institution's financial statements or
attest to the effectiveness of the internal control structure over
financial reporting. The findings or results of the procedures are
usually presented to the board or the audit committee so that they may
draw their own conclusions about the quality of the financial reporting
or the sufficiency of internal control.
---------------------------------------------------------------------------
\8\ When performed by an independent public accountant,
``specified procedures'' and ``agreed-upon procedures'' engagements
are performed under standards, which are different professional
standards than those used for an audit of an institution's financial
statements or its balance sheet.
---------------------------------------------------------------------------
When choosing this type of external auditing program, the board or
audit committee is responsible for determining whether these procedures
meet the external auditing needs of the institution, considering its
size and the nature, scope, and complexity of its business activities.
For example, if an institution's external auditing program consists
solely of confirmations of deposits and loans, the board or committee
should consider expanding the scope of the auditing work performed to
include additional procedures to test the institution's high risk
areas. Moreover, a financial statement audit, an examination of the
effectiveness of the internal control structure over financial
reporting, and a balance sheet audit may be accepted in some states and
for national banks in lieu of agreed-upon procedures/state-required
examinations.
Other Considerations
Timing. The preferable time to schedule the performance of an
external auditing program is as of an institution's fiscal year-end.
However, a quarter-end date that coincides with a regulatory report
date provides similar benefits. Such an approach allows the institution
to incorporate the results of the external auditing program into its
regulatory reporting process and, if appropriate, amend the regulatory
reports.
External Auditing Staff. The agencies encourage an institution to
engage an independent public accountant to perform its external
auditing program. An independent public accountant provides a
nationally recognized standard of knowledge and objectivity by
performing engagements under GAAS or GASAE. The firm or independent
person selected to conduct an external auditing program and the staff
carrying out the work should have experience with financial institution
accounting and auditing or similar expertise and should be
knowledgeable about relevant laws and regulations.
Special Situations
Holding Company Subsidiaries
When an institution is owned by another entity (such as a holding
company), it may be appropriate to address the scope of its external
audit program in terms of the institution's relationship to the
consolidated group. In such cases, if the group's consolidated
financial statements for the same year are audited, the agencies
generally would not expect the subsidiary of a holding company to
obtain a separate audit of its financial statements. Nevertheless, the
board of directors or audit committee of the subsidiary may determine
that its activities involve significant risks to the subsidiary that
are not within the procedural scope of the audit of the financial
statements of the consolidated entity. For example, the risks arising
from the subsidiary's activities may be immaterial to the financial
statements of the consolidated entity, but material to the subsidiary.
Under such circumstances, the audit committee or board of the
subsidiary should consider strengthening the internal audit coverage of
those activities or implementing an appropriate alternative external
auditing program.
Newly Insured Institutions
Under the FDIC Statement of Policy on Applications for Deposit
Insurance, applicants for deposit insurance coverage are expected to
commit the depository institution to obtain annual audits by an
independent public accountant once it begins operations as an insured
institution and for a limited period thereafter.
Institutions Presenting Supervisory Concerns
As previously noted, an external auditing program complements the
agencies' supervisory process and the institution's internal auditing
program by identifying or further clarifying issues of potential
concern or exposure. An external auditing program also can greatly
assist management in taking corrective action, particularly when
weaknesses are detected in internal control or management information
systems affecting financial reporting.
The agencies may require a financial institution presenting safety
and soundness concerns to engage an independent public accountant or
other independent external auditor to perform external auditing
services.9 Supervisory concerns may include:
---------------------------------------------------------------------------
\9\ The Office of Thrift Supervision requires an external audit
by an independent public accountant for savings associations with a
composite rating of 3, 4, or 5 under the Uniform Financial
Institution Rating System, and on a case-by-case basis.
---------------------------------------------------------------------------
Inadequate internal control, including the internal
auditing program;
A board of directors generally uninformed about internal
control;
Evidence of insider abuse;
Known or suspected defalcations;
Known or suspected criminal activity;
Probable director liability for losses;
The need for direct verification of loans or deposits;
Questionable transactions with affiliates; or
The need for improvements in the external auditing
program.
The agencies may also require that the institution provide its
appropriate supervisory office with a copy of any reports, including
management letters, issued by the independent public accountant or
other external auditor. They also may require the institution to notify
the supervisory office prior to any meeting with the independent public
accountant or other external auditor at which auditing findings are to
be presented.
Examiner Guidance
Review of the External Auditing Program
The review of an institution's external auditing program is a
normal part of the agencies' examination procedures. An examiner's
evaluation of, and any recommendations for improvements in, an
institution's external auditing program will consider the institution's
size; the nature, scope, and complexity of its business activities; its
risk profile; any actions taken or planned by it to minimize or
eliminate identified weaknesses; the extent of its internal audit
program; and any compensating controls in place. Examiners will
exercise judgment and discretion in evaluating the adequacy of an
institution's external auditing program.
Specifically, examiners will consider the policies, processes, and
personnel surrounding an institution's external auditing program in
determining whether:
The board of directors or its audit committee adequately
reviews and approves external auditing program policies at least
annually.
The external auditing program is conducted by an
independent public accountant or other independent auditor and is
appropriate for the institution.
The engagement letter covering external auditing
activities is adequate.
The report prepared by the auditor on the results of the
external auditing program adequately explains the auditor's findings.
The external auditor maintains appropriate independence
regarding relationships with the institution under relevant
professional standards.
[[Page 57099]]
The board of directors performs due diligence on the
relevant experience and competence of the independent auditor and staff
carrying out the work (whether or not an independent public accountant
is engaged).
The board or audit committee minutes reflect approval and
monitoring of the external auditing program and schedule, including
board or committee reviews of audit reports with management and timely
action on audit findings and recommendations.
Access to Reports
Management should provide the independent public accountant or
other auditor with access to all examination reports and written
communication between the institution and the agencies or state bank
supervisor since the last external auditing activity. Management also
should provide the accountant with access to any supervisory memoranda
of understanding, written agreements, administrative orders, reports of
action initiated or taken by a federal or state banking agency under
section 8 of the FDI Act (or a similar state law), and proposed or
ordered assessments of civil money penalties against the institution or
an institution-related party, as well as any associated correspondence.
The auditor must maintain the confidentiality of examination reports
and other confidential supervisory information.
In addition, the independent public accountant or other auditor of
an institution should agree in the engagement letter to grant examiners
access to all the accountant's or auditor's workpapers and other
material pertaining to the institution prepared in the course of
performing the completed external auditing program.
Institutions should provide reports 10 issued by the
independent public accountant or other auditor pertaining to the
external auditing program, including any management letters, to the
agencies and any state authority in accordance with their appropriate
supervisory office's guidance.11 Significant developments
regarding the external auditing program should be communicated promptly
to the appropriate supervisory office. Examples of those developments
include the hiring of an independent public accountant or other third
party to perform external auditing work and a change in, or termination
of, an independent public accountant or other external auditor.
---------------------------------------------------------------------------
\10\ The institution's engagement letter is not a ``report'' and
is not expected to be submitted to the appropriate supervisory
office unless specifically requested by that office.
\11\ When an institution's financial information is included in
the audited consolidated financial statements of its parent company,
the institution should provide a copy of the audited financial
statements of the consolidated company and any other reports by the
independent public accountant in accordance with their appropriate
supervisory office's guidance. If several institutions are owned by
one parent company, a single copy of the reports may be supplied in
accordance with the guidance of the appropriate supervisory office
of each agency supervising one or more of the affiliated
institutions and the holding company. A transmittal letter should
identify the institutions covered. Any notifications of changes in,
or terminations of, a consolidated company's independent public
accountant may be similarly supplied to the appropriate supervisory
office of each supervising agency.
---------------------------------------------------------------------------
Appendix A--Definitions
Agencies. The agencies are the Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation
(FDIC), the Office of the Comptroller of the Currency (OCC), and the
Office of Thrift Supervision (OTS).
Appropriate supervisory office. The regional or district office
of the institution's primary federal banking agency responsible for
supervising the institution or, in the case of an institution that
is part of a group of related insured institutions, the regional or
district office of the institution's federal banking agency
responsible for monitoring the group. If the institution is a
subsidiary of a holding company, the term ``appropriate supervisory
office'' also includes the federal banking agency responsible for
supervising the holding company. In addition, if the institution is
state-chartered, the term ``appropriate supervisory office''
includes the appropriate state bank or savings association
regulatory authority.
Audit. An examination of the financial statements, accounting
records, and other supporting evidence of an institution performed
by an independent certified or licensed public accountant in
accordance with generally accepted auditing standards (GAAS) and of
sufficient scope to enable the independent public accountant to
express an opinion on the institution's financial statements as to
their presentation in accordance with generally accepted accounting
principles (GAAP).
Audit committee. A committee of the board of directors whose
members should, to the extent possible, be knowledgeable about
accounting and auditing. The committee should be responsible for
reviewing and approving the institution's internal and external
auditing programs or recommending adoption of these programs to the
full board.
Balance sheet audit performed by an independent public
accountant. An examination of an institution's balance sheet and any
accompanying footnotes performed and reported on by an independent
public accountant in accordance with GAAS and of sufficient scope to
enable the independent public accountant to express an opinion on
the fairness of the balance sheet presentation in accordance with
GAAP.
Engagement letter. A letter from an independent public
accountant to the board of directors or audit committee of an
institution that usually addresses the purpose and scope of the
external auditing work to be performed, period of time to be covered
by the auditing work, reports expected to be rendered, and any
limitations placed on the scope of the auditing work.
Examination of the internal control structure over financial
reporting. See Reporting by an Independent Public Accountant on an
Institution's Internal Control Structure Over Financial Reporting.
External auditing program. The performance of procedures to test
and evaluate high risk areas of an institution's business by an
independent auditor, who may or may not be a public accountant,
sufficient for the auditor to be able to express an opinion on the
financial statements or to report on the results of the procedures
performed.
Financial statement audit by an independent public accountant.
See Audit.
Financial statements. The statements of financial position
(balance sheet), income, cash flows, and changes in equity together
with related notes.
Independent public accountant. An accountant who is independent
of the institution and registered or licensed to practice, and holds
himself or herself out, as a public accountant, and who is in good
standing under the laws of the state or other political subdivision
of the United States in which the home office of the institution is
located. The independent public accountant should comply with the
American Institute of Certified Public Accountants' (AICPA) Code of
Professional Conduct and any related guidance adopted by the
Independence Standards Board and the agencies. No certified public
accountant or public accountant will be recognized as independent
who is not independent both in fact and in appearance.
Internal auditing. An independent assessment function
established within an institution to examine and evaluate its system
of internal control and the efficiency with which the various units
of the institution are carrying out their assigned tasks. The
objective of internal auditing is to assist the management and
directors of the institution in the effective discharge of their
responsibilities. To this end, internal auditing furnishes
management with analyses, evaluations, recommendations, counsel, and
information concerning the activities reviewed.
Outside directors. Members of an institution's board of
directors who are not officers, employees, or principal stockholders
of the institution, its subsidiaries, or its affiliates, and who do
not have any material business dealings with the institution, its
subsidiaries, or its affiliates.
Regulatory reports. These reports are the Reports of Condition
and Income (Call Reports) for banks, Thrift Financial Reports (TFRs)
for savings associations, Federal Reserve (FR) Y reports for bank
holding companies, and the H-(b)11 Annual Report for thrift holding
companies.
Reporting by an independent public accountant on an
institution's internal control structure over financial reporting.
[[Page 57100]]
Under this engagement, management evaluates and documents its review
of the effectiveness of the institution's internal control over
financial reporting in the identified risk areas as of a specific
report date. Management prepares a written assertion, which
specifies the criteria on which management based its evaluation
about the effectiveness of the institution's internal control over
financial reporting in the identified risk areas and states
management's opinion on the effectiveness of internal control over
this specified financial reporting. The independent public
accountant is engaged to perform tests on the internal control over
the specified financial reporting in order to attest to management's
assertion. If the accountant concurs with management's assertion,
even if the assertion discloses one or more instances of material
internal control weakness, the accountant would provide a report
attesting to management's assertion.
Risk areas. Those particular activities of an institution that
expose it to greater potential losses if problems exist and go
undetected. The areas with the highest financial reporting risk in
most institutions generally are their lending and investment
securities activities.
Specified procedures. Procedures agreed-upon by the institution
and the auditor to test its activities in certain areas. The auditor
reports findings and test results, but does not express an opinion
on controls or balances. If performed by an independent public
accountant, these procedures should be performed under generally
accepted standards for attestation engagements (GASAE).
By order of the Board of Directors.
Dated at Washington, DC this 15th day of October, 1999.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 99-27588 Filed 10-21-99; 8:45 am]
BILLING CODE 6714-01-P
