98-3374. Policy Statement on External Auditing Programs of Banks and Savings Associations  

  • [Federal Register Volume 63, Number 31 (Tuesday, February 17, 1998)]
    [Notices]
    [Pages 7796-7802]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 98-3374]
    
    
    =======================================================================
    -----------------------------------------------------------------------
    
    FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
    
    
    Policy Statement on External Auditing Programs of Banks and 
    Savings Associations
    
    AGENCY: Federal Financial Institutions Examination Council.
    
    ACTION: Proposed policy statement; Request for comment.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The Federal Financial Institutions Examination Council (FFIEC) 
    1 is requesting comments on a proposed Policy Statement on 
    External Auditing Programs of Banks and Savings Associations (Policy 
    Statement) which is intended to provide uniform guidance regarding 
    independent external auditing programs. Because institutions with $500 
    million or more in total assets must have an annual audit performed by 
    an independent public accountant in accordance with section 36 of the 
    Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR part 
    363, this policy would apply only to institutions below that threshold 
    that are not otherwise subject to audit requirements.
    ---------------------------------------------------------------------------
    
        \1\  The FFIEC consists of representatives from the Board of 
    Governors of the Federal Reserve System (FRB), the Federal Deposit 
    Insurance Corporation (FDIC), the Office of the Comptroller of the 
    Currency (OCC), the Office of Thrift Supervision (OTS) (referred to 
    as the ``banking agencies''), and the National Credit Union 
    Administration. However, this guidance is not directed to credit 
    unions.
    ---------------------------------------------------------------------------
    
        The Policy Statement expresses the banking agencies' belief that a 
    well-planned external audit program, combined with a strong internal 
    audit function, increases the ability of an institution to detect and 
    correct any serious problems that exist. In this regard, the proposed 
    guidance encourages each institution to adopt an external auditing 
    program that includes an annual audit of its financial statements by an 
    independent public accountant. If an institution's board of directors 
    or audit committee determines that an audit is not appropriate for the 
    institution, the proposal provides two alternative approaches for 
    consideration. The alternatives, which should also be performed by an 
    independent public accountant, consist of a report on the institution's 
    balance sheet or an attestation report on internal control over 
    specified schedules of its regulatory reports.
        The proposed Policy Statement also encourages institutions to 
    establish an audit committee consisting entirely of outside directors, 
    if practicable.
    
    DATES: Comments must be received by April 20, 1998.
    
    ADDRESSES: Comments should be directed to Joe M. Cleaver, Executive 
    Secretary, Federal Financial Institutions Examination Council, 2100 
    Pennsylvania Avenue, NW, Suite 200, Washington, DC 20037 (Fax number: 
    (202) 634-6556). Comments will be available for public inspection 
    during regular business hours at the above address. Appointments to 
    inspect comments are encouraged and can be arranged by calling the 
    FFIEC at (202) 634-6526.
    
    FOR FURTHER INFORMATION CONTACT:
    
        FDIC: Doris L. Marsh, Examination Specialist, Division of 
    Supervision, (202) 898-8905, or A. Ann Johnson, Counsel, Legal 
    Division, (202) 898-3573, FDIC, 550 17th Street, N.W., Washington, DC 
    20429.
        FRB: Charles H. Holm, Project Manager, (202) 452-3502, or Arthur 
    Lindo, Supervisory Financial Analyst, (202) 452-2695, Division of 
    Banking Supervision and Regulation, Board of Governors of the Federal 
    Reserve System, 20th Street and Constitution Avenue, N.W., Washington, 
    DC 20551.
        OCC: Thomas Rees, Senior Accountant, Chief Accountant's office, 
    Core Policy Division, (202) 874-5411, or Bill Morris, National Bank 
    Examiner, Core Policy Division, (202) 874-4915, Office of the 
    Comptroller of the Currency, 250 E Street, S.W., Washington, DC 20219.
        OTS: Timothy J. Stier, Chief Accountant, Accounting Policy 
    Division, (202) 906-5699, or Christine A. Smith, Policy Analyst, 
    Accounting Policy Division, (202) 906-5740, Office of Thrift 
    Supervision, 1700 G Street, N.W., Washington, DC 20552.
    
    SUPPLEMENTARY INFORMATION:
    
    I. Background
    
        An institution's internal auditing and external auditing programs 
    are critical to its safety and soundness. When an institution lacks an 
    internal auditing program or has weaknesses in an existing program, 
    examiners often encourage the institution to obtain an independent 
    external audit. Accordingly, many institutions now supplement their 
    internal auditing programs by obtaining independent external audits, 
    either voluntarily or as a result of the requirements of section 36 of 
    the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and its 
    implementing regulation, 12 CFR part 363, the Securities and Exchange 
    Act of 1934 (15 U.S.C. 78a), or the Federal Reserve bank holding 
    company reporting requirements in the FR-Y-6 Annual Report of Bank 
    Holding Companies. However, a number of institutions, particularly 
    smaller institutions, do not have an external audit for various 
    reasons.
        Because the banking agencies believe that an independent external 
    audit provides reasonable assurance that an institution's financial 
    statements are prepared in accordance with generally accepted 
    accounting principles (GAAP), the banking agencies encourage all 
    institutions to obtain external audits. In an effort to provide more 
    explicit guidance to institutions regarding external audits, the FFIEC 
    is proposing to approve a uniform Policy Statement. Upon FFIEC 
    approval, the FFIEC would recommend to the banking agencies that they 
    individually adopt the policy. This proposal is generally consistent 
    with the individual policies of the banking agencies.
        Although some of the banking agencies have provided guidance on 
    external audits to their supervised institutions, a uniform policy does 
    not exist. For example, the OCC discusses its policies with regard to 
    independent external audits for national banks in the Comptroller's 
    Handbook for National Banks, Section 102, Internal and External Audits, 
    and the Comptroller's Manual for Corporate Activities. The FDIC adopted 
    similar guidance in its Policy Statement Regarding Independent External 
    Auditing Programs of State Nonmember Banks on November 16, 1988, as 
    published on November 28, 1988 (53 FR 47871), and amended on June 24, 
    1996, (61 FR 32438). The OTS's policy on independent external audits is 
    discussed in the Thrift Activities Regulatory Handbook, Section 350, 
    Independent Audits. The FRB sets forth its policy on external audits in 
    the FR-Y-6'Annual Report of Bank Holding Companies and Section 1010, 
    ``External Audits,'' of the Commercial Bank Examination Manual.
    
    II. The Policy Statement
    
        The following paragraphs describe the principal provisions of the 
    proposed Policy Statement.
    
    [[Page 7797]]
    
    Board of Directors' Responsibilities
    
    External Auditing Program
        This section of the proposed Policy Statement expresses the banking 
    agencies' belief that a well-planned external auditing program combined 
    with a strong internal auditing function increases the ability of an 
    institution to detect and correct any potentially serious problems. 
    This section also emphasizes the importance to the institution's board 
    of directors and management of establishing an effective internal 
    control process to provide reasonable assurance that the institution 
    achieves its objectives. The banking agencies believe that the board of 
    directors should consider an external auditing program performed by an 
    independent public accountant to be conducive to the safe and sound 
    operation of the institution.
    Audit Committee
        This section encourages institutions to establish an audit 
    committee consisting entirely of outside directors, if practicable. 
    Among its duties, the audit committee should identify the areas of 
    greatest risk affecting financial reporting in the institution's 
    operations. In addition, this section states that an institution's 
    board of directors or audit committee should consider the 
    appropriateness of an external auditing program for the institution. 
    This evaluation should address what form of external auditing program 
    will best assist the board or audit committee in obtaining reasonable 
    assurance that the institution's financial statements and regulatory 
    reports are reliably prepared. The results of this evaluation should be 
    documented.
    
    Alternative External Auditing Programs
    
        The proposal identifies the preferred external auditing program and 
    two acceptable alternatives.2
    ---------------------------------------------------------------------------
    
        \2\ It is the understanding of the banking agencies that, under 
    most state public accountancy laws, only an independent public 
    accountant may perform a balance sheet audit or issue an attestation 
    report on internal control.
    ---------------------------------------------------------------------------
    
    Financial Statement Audit by an Independent Public Accountant
        The proposal encourages each institution to adopt an external 
    auditing program that includes an annual audit of its financial 
    statements by an independent public accountant. The banking agencies 
    believe that a financial statement audit benefits management in 
    carrying out its control responsibilities.
    Report on the Balance Sheet Audit
        As an alternative to a financial statement audit, the proposed 
    Policy Statement suggests that an institution consider engaging an 
    independent public accountant to examine its assets, liabilities, and 
    equity under generally accepted auditing standards (GAAS) and to opine 
    on the fairness of the presentation on the balance sheet. Under this 
    type of engagement, the accountant would not provide an opinion on the 
    fairness of the presentation of the institution's income statement, 
    statement of changes in equity capital, or statement of cash flows.
    Attestation Report on Internal Control Assertion
        Another alternative to a financial statement audit is to engage an 
    independent public accountant to provide a report attesting to 
    management's assertion concerning the effectiveness of internal control 
    over financial reporting. The report would cover certain schedules of 
    its regulatory reports, including those relating to loans and 
    securities. Under this alternative, management would review its 
    internal control over the preparation of these schedules and document 
    this review. Management would then provide a written assertion stating 
    whether it believes its internal control is effective. The independent 
    public accountant would examine management's assertion and provide an 
    appropriate attestation report.
        The banking agencies believe that an institution's annual ongoing 
    cost of an attestation report on internal control over certain 
    schedules of its regulatory reports would be significantly less than 
    the cost of an audit of its financial statements. However, the cost 
    projections depend on the circumstances of each institution, and an 
    institution may incur additional start-up costs to create the initial 
    documentation of its internal control structure and procedures in the 
    first year. This documentation is necessary to enable the independent 
    public accountant to evaluate management's assertion on the 
    effectiveness of internal control.
    Holding Company Subsidiaries
        The proposal describes the responsibilities of the board or audit 
    committee of a subsidiary of a holding company with respect to the 
    institution's external auditing program. Specifically, the proposal 
    says that an institution which is a subsidiary of a holding company may 
    find it appropriate to express the scope of its external auditing 
    program in terms of its relationship to the consolidated group. 
    However, the board or audit committee should determine whether the 
    subsidiary's activities involve unusual risks that are not adequately 
    covered within the scope of the audit of the consolidated financial 
    statements. If so, the proposal suggests that the board or audit 
    committee consider implementing an appropriate alternative external 
    auditing program.
    
    Other Matters Concerning an External Auditing Program
    
    Timing and Experience
        The proposed Policy Statement recommends that whatever external 
    auditing program is adopted be performed at a quarter-end date that 
    coincides with a regulatory report date. It states that the independent 
    public accountant performing this program should be experienced in 
    performing external auditing work for banks and savings associations.
    Access to Regulatory Reports
        The proposal explains that an independent public accountant should 
    have access to examination reports, other documents, and reports of 
    action related to the supervision of the institution by its appropriate 
    federal or state banking agency.
    
    Examiner Review of the External Auditing Program
    
        The proposal explains that examiners should consider an 
    institution's size, the nature and scope of its activities, and any 
    compensating controls when determining the adequacy of the 
    institution's external auditing program and making recommendations for 
    improvement. Examiners should also consider whether the institution has 
    undertaken a state-required auditing program (that differs from the 
    programs set forth in this policy) when determining whether to make 
    recommendations for improvements under this policy.
    
    Notification and Submission of Reports
    
        In general, each institution should furnish its appropriate 
    supervisory office with a copy of external auditing reports issued by 
    its independent public accountant. However, the proposal also addresses 
    the submission of the independent public accountant's report by holding 
    company subsidiaries. This guidance reflects the banking agencies' 
    current approach to supervising banking organizations which own more 
    than one depository institution. Because each banking agency designates 
    one
    
    [[Page 7798]]
    
    supervisory office to manage the supervision of an entire banking 
    organization, any reports from the independent public accountant should 
    be sent to the appropriate supervisory office of each banking agency 
    which supervises the entire banking organization.
    
    Special Situations
    
    Newly Insured Institutions
        The proposed Policy Statement notes that the FDIC Statement of 
    Policy on Applications for Deposit Insurance (57 FR 12822) requires 
    newly insured institutions to adopt an appropriate external auditing 
    program.
    Institutions Presenting Supervisory Concerns
        This section of the proposal lists some of the conditions in a 
    problem institution which would warrant the inclusion of a requirement 
    for a strong external auditing program.
    
    Performance of Other Services
    
        This section of the proposal explains that although each 
    institution is encouraged to have an external auditing program 
    performed by an independent public accountant, an institution may hire 
    other firms for advisory and consulting services if it so desires.
    
    Appendix A--Definitions
    
        Appendix A defines the terms used throughout the proposed Policy 
    Statement. The banking agencies have tried to achieve consistency in 
    these definitions with current professional accounting and auditing 
    literature. In addition, references are consistent with terminology in 
    the report of the Committee of Sponsoring Organizations of the Treadway 
    Commission (COSO Report), ``Internal Control--Integrated Framework,'' 
    which is the standard by which the vast majority of institutions 
    evaluate internal control.
    
    III. Comments
    
        The banking agencies encourage each institution to consider 
    engaging an independent public accountant to perform an audit of its 
    financial statements. If an institution's board or audit committee 
    determines that an audit is not appropriate for the institution, the 
    banking agencies encourage each institution to consider having one of 
    the alternatives recommended in this proposal performed. Comments on 
    the proposed Policy Statement are especially encouraged from any 
    institution which has had its independent public accountant perform one 
    of the alternatives (a report on the institution's balance sheet or an 
    attestation report on internal control over specified schedules of its 
    regulatory reports).
        Some states have state-required external auditing programs (e.g., 
    directors' examinations) that differ from the external auditing 
    programs set forth in this policy statement. Accordingly, comments are 
    requested on the amount of time those states might need if they wish to 
    modify their directors' examination requirements to be consistent with 
    this Policy Statement.
    
    IV. Paperwork Reduction Act
    
        As part of their continuing effort to reduce paperwork and 
    respondent burden, the banking agencies invite the general public and 
    other Federal agencies to take this opportunity to comment on proposed 
    and/or continuing information collections, as required by the Paperwork 
    Reduction Act of 1995. Currently, the banking agencies are soliciting 
    comments concerning this proposed FFIEC policy statement, as there is a 
    likelihood that each of the banking agencies will adopt it for their 
    institutions. The banking agencies expect to submit the information 
    collection to OMB for review in conjunction with FFIEC's approval of 
    the final policy statement, and will invite public comment again in the 
    Federal Register notice that publishes the final policy statement.
        Written comments regarding the information collection aspects of 
    the proposed policy statement should be submitted to any one or all of 
    the addresses listed under the ADDRESSES section of this Federal 
    Register notice. A copy of the comments may also be submitted to the 
    OMB Desk Officer for the banking agencies: Alexander T. Hunt, Office of 
    Information and Regulatory Affairs, Office of Management and Budget, 
    New Executive Office Building, Room 3208, Washington, DC 20503.
        Requests for information regarding the collections of information 
    contained in the proposed policy statement may be sent to:
        FDIC: Steven F. Hanft, FDIC Clearance Officer, (202) 898-8766, 
    Office of the Executive Secretary, Federal Deposit Insurance 
    Corporation, 550 17th Street, NW, Washington, DC 20429.
        FRB: Mary M. McLaughlin, Federal Reserve Board Clearance Officer 
    (202) 452-3829, Division of Research and Statistics, Board of Governors 
    of the Federal Reserve System, Washington, DC 20551. Telecommunications 
    Device for the Deaf (TDD) users may contact Diane Jenkins, (202) 452-
    3544, Board of Governors of the Federal Reserve System, 20th Street and 
    Constitution Avenue, N.W., Washington, DC 20551.
        OCC: Jessie Gates, OCC Clearance Officer, (202) 874-5090, 
    Legislative and Regulatory Activities Division, Office of the 
    Comptroller of the Currency, 250 E Street, SW, Washington, DC 20219.
        OTS: Christine Smith, Policy Analyst, (202) 906-5740, Timothy 
    Stier, Chief Accountant, (202) 906-5699, Accounting Policy, Office of 
    Thrift Supervision, 1700 G Street, NW, Washington, DC 20552.
    
    Abstract
    
        The title of this proposed information collection is ``External 
    Auditing Programs (<$500mm).'' the="" information="" would="" be="" collected="" from="" all="" institutions="" with="" less="" than="" $500="" million="" in="" total="" assets="" and="" consists="" of:="" (a)="" a="" recordkeeping="" requirement="" that="" institutions="" maintain="" management="" assertions="" regarding="" certain="" regulatory="" report="" schedules,="" and="" (b)="" reporting="" requirements="" that="" institutions="" submit="" to="" the="" appropriate="" supervisory="" office:="" (1)="" a="" notification="" when="" an="" independent="" public="" accountant="" is="" initially="" engaged="" to="" perform="" external="" auditing="" work="" and="" when="" a="" change="" in,="" or="" termination="" of,="" an="" independent="" public="" accountant="" occurs;="" and="" either="" (2)="" a="" copy="" of="" any="" reports="" by="" the="" independent="" public="" accountant="" pertaining="" to="" the="" external="" auditing="" program,="" including="" any="" management="" letters;="" or="" (3)="" when="" an="" institution's="" financial="" information="" is="" included="" in="" the="" audited="" consolidated="" financial="" statements="" of="" its="" parent="" company,="" a="" copy="" of="" the="" audited="" financial="" statements="" of="" the="" consolidated="" company,="" any="" other="" reports="" by="" the="" independent="" public="" accountant,="" and="" any="" notifications="" of="" changes="" in,="" or="" terminations="" of,="" the="" consolidated="" company's="" independent="" public="" accountant,="" with="" a="" transmittal="" letter="" identifying="" the="" institutions="" covered.="" type="" of="" review:="" new="" collection.="" affected="" public:="" businesses="" or="" other="" for-profit.="" number="" of="" respondents:="" fdic:="" 5,960.="" frb:="" 900.="" occ:="" 2,200.="" ots:="" 1,050.="" total="" annual="" respones:="" the="" banking="" agencies="" estimate="" 2="" responses="" per="" respondent.="" frequency="" of="" response:="" annually="" and="" on="" occasion.="" [[page="" 7799]]="" total="" annual="" burden="" hours="" ------------------------------------------------------------------------="" ------------------------------------------------------------------------="" fdic................="" recordkeeping="" burden...="" 1,490="" hours.="" reporting="" burden.......="" 2,980="" hours.="" total="" burden.........="" 4,470="" hours.="" frb.................="" recordkeeping="" burden...="" 225="" hours.="" reporting="" burden.......="" 450="" hours.="" total="" burden.........="" 675="" hours.="" occ.................="" recordkeeping="" burden...="" 550="" hours.="" reporting="" burden.......="" 1,100="" hours.="" total="" burden.........="" 1,650="" hours.="" ots.................="" recordkeeping="" burden...="" 263="" hours.="" reporting="" burden.......="" 525="" hours.="" total="" burden.........="" 788="" hours.="" ------------------------------------------------------------------------="" comments="" comments="" submitted="" in="" response="" to="" this="" notice="" will="" be="" summarized="" and/or="" included="" in="" each="" agency's="" request="" for="" omb="" approval.="" all="" comments="" will="" become="" a="" matter="" of="" public="" record.="" comments="" are="" invited="" on:="" (a)="" whether="" the="" collection="" of="" information="" is="" necessary="" for="" the="" proper="" performance="" of="" the="" functions="" of="" the="" agency,="" including="" whether="" the="" information="" shall="" have="" practical="" utility;="" (b)="" the="" accuracy="" of="" the="" agency's="" estimate="" of="" the="" burden="" of="" the="" collection="" of="" information;="" (c)="" ways="" to="" enhance="" the="" quality,="" utility,="" and="" clarity="" of="" the="" information="" to="" be="" collected;="" (d)="" ways="" to="" minimize="" the="" burden="" of="" the="" collection="" on="" respondents,="" including="" through="" the="" use="" of="" automated="" collection="" techniques="" or="" other="" forms="" of="" information="" technology;="" and="" (e)="" estimates="" of="" capital="" or="" startup="" costs="" and="" costs="" of="" operation,="" maintenance,="" and="" purchase="" of="" services="" to="" provide="" the="" required="" information.="" the="" text="" of="" the="" proposed="" policy="" statement="" follows:="" federal="" financial="" institutions="" examination="" council="" policy="" statement="" on="" external="" auditing="" programs="" of="" banks="" and="" savings="" associations="">1
    
    Introduction
        The banking agencies 2 believe that a well-planned 
    annual external auditing program 3 is an important component 
    of a bank's or savings association's (hereafter referred to as ``an 
    institution'') risk management process. Furthermore, an external 
    auditing program complements the internal auditing function of an 
    institution by providing management and the board of directors with an 
    independent and objective view of the reliability of the institution's 
    financial statements. Additionally, an effective external auditing 
    program contributes to the efficiency of the banking agencies' risk-
    focused examination process. By emphasizing the financial reporting 
    aspects of the significant risk areas of an institution, an effective 
    external auditing program may also reduce the examination time spent in 
    these areas.
    ---------------------------------------------------------------------------
    
        \1\ Insured depository institutions covered by Section 36 of the 
    Federal Deposit Insurance Act, as implemented by 12 CFR part 363, 
    are required to have an external audit and an audit committee. 
    Therefore, this guidance only applies to banks and savings 
    associations which are not subject to part 363 (i.e., institutions 
    with less than $500 million in total assets at the beginning of 
    their fiscal year) or are not otherwise subject to audit 
    requirements by agreement, statute, or agency regulations. Such 
    banks and savings associations are referred to in this policy 
    statement as ``institutions.''
        \2\ References to the banking agencies throughout this document 
    mean the Board of Governors of the Federal Reserve System (FRB), the 
    Federal Deposit Insurance Corporation (FDIC), the Office of the 
    Comptroller of the Currency (OCC), and the Office of Thrift 
    Supervision (OTS).
        \3\ Terms defined in Appendix A are italicized the first time 
    they appear in this policy statement.
    ---------------------------------------------------------------------------
    
        This policy statement outlines key elements of an effective 
    external auditing program and describes how an institution's external 
    auditing program will be reviewed by examiners. Specifically, this 
    policy encourages institutions to adopt an external auditing program 
    and establish an audit committee, and it describes some acceptable 
    external auditing programs that institutions may consider. In addition, 
    this policy statement provides guidance on external auditing for 
    institutions that are subsidiaries of a holding company, newly insured 
    institutions, and institutions presenting supervisory concerns.
    Board of Directors' Responsibilities
        External Auditing Program. The banking agencies encourage the board 
    of directors of each institution to adopt an external auditing program. 
    The banking agencies believe that the board of directors should 
    consider an external auditing program performed by an independent 
    public accountant to be conducive to the safe and sound operation of 
    the institution. The board of directors should evaluate whether its 
    external auditing program adequately addresses the financial reporting 
    aspects of the significant risk areas of the institution's business. 
    The ability to detect and correct potentially serious problems in these 
    areas substantially improves the safety and soundness of an 
    institution's operations and thereby lessens the risk the institution 
    poses to the FDIC-administered insurance funds.
        An external auditing program also gives the institution's 
    management and board of directors information about the reliability of 
    its financial statements and often provides information useful to them 
    in discharging their responsibilities for effective internal control, 
    such as safeguarding assets and identifying weaknesses in the internal 
    control structure. In addition, an external auditing program may help 
    directors exercise reasonable care in protecting the assets of the 
    institution.
        Audit Committee. The banking agencies also encourage the board of 
    directors of each institution to establish an audit committee. Ideally, 
    the audit committee should consist entirely of outside directors. 
    However, if this is impracticable, the banking agencies believe that at 
    least a majority of the audit committee members should be outside 
    directors.
        An audit committee or board of directors should periodically (at 
    least annually) identify the risk areas of the institution's activities 
    and assess the extent of external auditing involvement needed over each 
    area. The audit committee or board should determine whether the 
    institution's needs will best be met by an audit of its financial 
    statements in accordance with generally accepted auditing standards 
    (GAAS) or by an alternative external auditing program. (Recommended 
    alternatives are described below.)
        When evaluating the alternatives for the institution's external 
    auditing program, the committee or board should consider the cost and 
    potential benefits of an annual financial statement audit and ensure 
    that the selected program provides sufficient coverage of the financial 
    reporting aspects of the institution's significant risk areas and any 
    other areas of concern. The committee or board also should consider how 
    to best obtain reasonable assurance that the institution's financial
    
    [[Page 7800]]
    
    statements and regulatory reports are reliably prepared.
        If the audit committee or board of directors decides to engage an 
    independent public accountant to conduct an alternative external 
    auditing program rather than an audit of the institution's financial 
    statements, the reasons for that decision should be documented in its 
    minutes.
    Alternative External Auditing Programs
        Financial Statement Audit by an Independent Public Accountant. The 
    banking agencies encourage each bank and savings association to have 
    its financial statements audited by an independent public accountant. 
    Although other alternatives are acceptable, a financial statement audit 
    provides the most comprehensive assurance about the fair presentation 
    of an institution's financial statements.
        In addition, an external audit provides information that benefits 
    management in carrying out its control responsibilities. For example, 
    an external audit may provide management with guidance on establishing 
    or improving accounting and operating policies, recommendations on 
    internal control (including internal auditing programs), and 
    evaluations of management information systems necessary to ensure the 
    fair presentation of the financial statements.
        Report on the Balance Sheet. An institution's audit committee or 
    board of directors may determine, based on its assessment of the 
    institution's risk areas and scope of operations during a particular 
    year, that a financial statement audit is not the institution's best 
    alternative. In such cases, the institution may prefer to engage an 
    independent public accountant to examine and report on the balance 
    sheet. If this alternative is chosen, the balance sheet on which the 
    accountant will report should be prepared in conformity with generally 
    accepted accounting principles (GAAP). Furthermore, the independent 
    public accountant should perform the engagement in accordance with 
    GAAS.
        Attestation Report on Internal Control Assertion. 
    4 Another alternative to a financial statement audit is to 
    engage an independent public accountant to examine and report on 
    management's assertion concerning the effectiveness of the 
    institution's internal control over financial reporting in all or 
    specified schedules of the institution's regulatory reports. A board or 
    audit committee that elects this alternative should review and assess 
    the institution's activities and determine its high risk areas with 
    respect to financial reporting. In addition, management should evaluate 
    and provide a written assertion about the effectiveness of the 
    institution's internal control over financial reporting in the 
    identified risk areas as of one designated regulatory report date. This 
    assertion should specify the criteria on which management based its 
    evaluation of internal control. Furthermore, management's evaluation 
    should be adequately documented.
        In most institutions, the lending and investment securities 
    activities present the most significant risks that affect financial 
    reporting. Therefore, management's assertion should generally cover the 
    following regulatory report schedules every year:
    
    ----------------------------------------------------------------------------------------------------------------
                                                                                          Thrift financial report   
                     Area                  Reports of condition and  income schedules            schedules          
    ----------------------------------------------------------------------------------------------------------------
    Loans and Lease Financing Receivables  RC-C, Part I..............................  SC, CF                       
    Past Due and Nonaccrual Loans,         RC-N......................................  PD                           
     Leases, and Other Assets.                                                                                      
    Allowance for Credit Losses..........  RI-B......................................  SC, VA                       
    Securities...........................  RC-B......................................  SC, SI, CF                   
    ----------------------------------------------------------------------------------------------------------------
    
        If the board or audit committee determines that trading or off-
    balance sheet activities present material financial reporting risks to 
    the institution, the regulatory report schedules for one or both of 
    these areas should also be covered by management's assertion and the 
    accountant's attestation:
    
    ----------------------------------------------------------------------------------------------------------------
                                                                                          Thrift financial report   
                     Area                   Reports of condition and income schedules            schedules          
    ----------------------------------------------------------------------------------------------------------------
    Trading Assets and Liabilities.......  RC-D......................................  SO, SI.                      
    Off-Balance Sheet Items..............  RC-L......................................  SI, CMR.                     
    ----------------------------------------------------------------------------------------------------------------
    
        The regulatory report schedules listed in this policy statement 
    address the most common high risk areas for financial reporting in 
    institutions. However, these schedules do not address all possible 
    risks in an institution. Therefore, each institution should review the 
    risks inherent in its particular activities annually to determine 
    whether to expand the scope of its external auditing program to include 
    other financial reporting risk areas. For example, if an institution or 
    its subsidiaries has significant real estate investments, insurance 
    underwriting or sales activities, securities broker-dealer or similar 
    activities (including securities underwriting and investment advisory 
    services), loan servicing activities, or fiduciary activities, the 
    institution should consider whether its external auditing program 
    should cover these areas.
        Holding Company Subsidiaries. When the audit committee or board of 
    directors of any institution owned by another company (such as a 
    holding company) considers its external auditing program, it may find 
    it appropriate to address the scope of its program in terms of the 
    institution's relationship to the consolidated group. The banking 
    agencies do not expect an institution owned by another company to 
    obtain a separate audit of its financial statements if the group's 
    consolidated financial statements for the same fiscal year are audited. 
    Nevertheless, the board of directors or audit committee of the 
    subsidiary may determine that it has activities that involve risks 
    which were not within the procedural scope of the audit of the 
    financial statements of the consolidated entity. For example, the risks 
    arising from some of the subsidiary's activities may be immaterial to 
    the financial statements of the consolidated entity. Under such 
    circumstances, the audit committee or board of the subsidiary 
    institution should consider strengthening its internal auditing 
    procedures to cover these activities or implementing an appropriate 
    alternative external auditing program.
    ---------------------------------------------------------------------------
    
        \4\ An attestation engagement is not an audit. It is performed 
    under different professional standards than an audit of an 
    institution's financial statements or its balance sheet.
    
    ---------------------------------------------------------------------------
    
    [[Page 7801]]
    
    Other Matters Concerning an External Auditing Program
        Timing. Whatever external auditing program an institution decides 
    to implement, it preferably should be performed as of the institution's 
    fiscal year-end. However, using a quarter-end date that coincides with 
    a regulatory report date is also acceptable. Such an approach would 
    permit the institution to use the audited financial statements to 
    verify and, if appropriate, amend the regulatory report. In this 
    regard, an institution may also find it cost-effective to have its 
    financial statements audited during the accounting firm's off-peak 
    period.
        Experience. The banking agencies generally believe that the 
    independent public accountant that an institution selects to perform 
    its financial statement audit or its alternative external auditing 
    program should be experienced in auditing the financial statements of 
    banks and savings associations and knowledgeable about relevant laws 
    and regulations.
        Access to Regulatory Reports. Regardless of the external auditing 
    approach chosen, management should inform the independent public 
    accountant of, and provide the independent public accountant with 
    access to, all examination reports and written communication between 
    the institution and the banking agencies or state banking authorities 
    since the last external auditing activity. The independent public 
    accountant also should be provided access to any supervisory memoranda 
    of understanding, written agreements, administrative orders, reports of 
    action initiated or taken by a federal or state banking agency under 
    section 8 of the Federal Deposit Insurance Act (or a similar state 
    law), or civil money penalties assessed against the institution or an 
    institution-related party, and any associated correspondence. The 
    independent public accountant must maintain the confidentiality of 
    examination reports and other confidential supervisory information.
    Examiner Review of the External Auditing Program
        A review of an institution's external auditing program will 
    continue to be part of the banking agencies' examination procedures. An 
    examiner's evaluation of and any recommendations for improvements in an 
    institution's external auditing program will consider the institution's 
    size, the nature and complexity of its business activities, its risk 
    profile, any actions taken or planned by the institution to minimize or 
    eliminate identified weaknesses, and any compensating controls that are 
    in place.
    Notification and Submission of Reports
        Regardless of the type of external auditing program chosen, the 
    banking agencies request that each institution furnish a copy of any 
    reports 5 by the independent public accountant pertaining to 
    the external auditing program, including any management letters, to its 
    appropriate supervisory office in a timely manner.
    ---------------------------------------------------------------------------
    
        \5\ The institution's engagement letter is not expected to be 
    submitted as a ``report.''
    ---------------------------------------------------------------------------
    
        In addition, the banking agencies request each institution to 
    promptly notify its appropriate supervisory office when an independent 
    public accountant is initially engaged to perform external auditing 
    work and when a change in, or termination of, its independent public 
    accountant occurs.
        When an institution's financial information is included in the 
    audited consolidated financial statements of its parent company, the 
    institution may send its appropriate supervisory office one copy of the 
    audited financial statements of the consolidated company, any other 
    reports by the independent public accountant, and any notifications of 
    changes in, or terminations of, the consolidated company's independent 
    public accountant. If several institutions are owned by one parent 
    company, a single copy of the reports and any notifications applicable 
    to the consolidated company may be submitted to the appropriate 
    supervisory office of each banking agency supervising one or more of 
    the affiliated institutions and the holding company. A transmittal 
    letter should identify the institutions covered.
    Special Situations
        Newly Insured Institutions. The FDIC Statement of Policy on 
    Applications for Deposit Insurance requires an applicant for deposit 
    insurance coverage to obtain an audit of its financial statements by an 
    independent public accountant.
        Institutions Presenting Supervisory Concerns. An independent 
    external auditing program complements the banking agencies' supervisory 
    process and the institution's internal auditing program by identifying 
    or further clarifying issues of potential concern or exposure. It can 
    also greatly assist management in taking corrective action, 
    particularly when weaknesses are detected in internal control or 
    management information systems. For these reasons, the banking agencies 
    may require an annual audit of an institution's financial statements by 
    an independent public accountant for an institution presenting 
    supervisory concerns. However, if it is more appropriate, either (1) a 
    report on the balance sheet; (2) an attestation report on management's 
    assertions concerning internal control over financial reporting; (3) 
    procedures agreed upon by the institution, independent public 
    accountant, and appropriate banking agency; or (4) other engagements 
    may be required if any of the following conditions exist:
        (a) Internal control, including the internal auditing program, is 
    inadequate;
        (b) The board of directors is generally uninformed in the area of 
    internal control;
        (c) There is evidence of insider abuse;
        (d) There are known or suspected defalcations;
        (e) There is known or suspected criminal activity;
        (f) It is probable that director liability for losses exists;
        (g) Direct verification of loans or deposits is warranted;
        (h) Questionable transactions with affiliates have occurred; or
        (i) Other conditions exist that warrant improvements in the 
    external auditing program.
        Such an action may also require, among other things, that the 
    institution provide its banking agency's supervisory office a copy of 
    any reports, including management letters, issued by the independent 
    public accountant. In addition, it may require the institution to 
    notify the supervisory office prior to any meeting with the independent 
    public accountant at which auditing findings are to be presented.
    Performance of Other Services
        This policy statement does not preclude institutions from engaging 
    entities other than independent public accountants to perform advisory 
    and other services that do not require licensing under applicable state 
    public accountancy statutes. For example, an institution may hire 
    individuals or firms who are not independent public accountants to 
    provide independent loan reviews, give advice on consumer compliance 
    issues, suggest improvements to increase operational efficiency in 
    specific departments (e.g., information processing), or assist in areas 
    of taxation or management information systems. In addition, if 
    acceptable under applicable state laws, these firms may perform state-
    required directors' examinations; however, such services may not 
    constitute or replace
    
    [[Page 7802]]
    
    an external auditing program performed by an independent public 
    accountant.
    
    Appendix A--Definitions
    
        Appropriate supervisory office. The regional or district office of 
    the institution's primary federal banking agency which is responsible 
    for supervising the institution, or, in the case of an institution that 
    is part of a group of related insured institutions, the regional or 
    district office of the institution's federal banking agency which is 
    responsible for monitoring the group. If the institution is a 
    subsidiary of a holding company, the term ``appropriate supervisory 
    office'' also includes the federal banking agency responsible for 
    supervising the holding company. In addition, if the institution is 
    state-chartered, the term ``appropriate supervisory office'' includes 
    the appropriate state bank or savings association regulatory authority.
        Audit. An examination of the financial statements, accounting 
    records, and other supporting evidence of an institution performed by 
    an independent certified or licensed public accountant in accordance 
    with generally accepted auditing standards (GAAS) and of sufficient 
    scope to enable the independent public accountant to express an opinion 
    on the institution's financial statements as to their presentation in 
    accordance with generally accepted accounting principles (GAAP).
        Audit Committee. A committee of the board of directors whose 
    members should, to the extent possible, be knowledgeable about 
    accounting and auditing. The committee should be responsible for 
    reviewing and approving the institution's internal and external 
    auditing programs or recommending adoption of these programs to the 
    full board. Both the internal auditor and the independent public 
    accountant should have unrestricted access to the audit committee 
    without the need for any prior management knowledge or approval. Other 
    duties of the audit committee may include reviewing the independence of 
    the independent public accountant annually, consulting with management 
    when management seeks a second opinion on an accounting issue, and 
    overseeing the quarterly regulatory reporting process. The audit 
    committee should report its findings periodically to the full board of 
    directors.
        Directors' Examination. An engagement performed by an independent 
    third party that has been authorized by the institution's board of 
    directors and is required by state law. (A directors' examinations is 
    called an ``engagement audit'' or ``operational audit.'' Nevertheless, 
    it is often not performed in accordance with GAAS nor do widely 
    accepted national standards exist for its performance.)
        External Auditing Program. The testing and evaluation of risk areas 
    of an institution's business by an independent public accountant 
    sufficient to enable the accountant to express an opinion on the 
    financial statements or balance sheet. Under professional standards, 
    this engagement should be performed in accordance with GAAS. 
    Alternatively, an independent public accountant may attest to 
    management's assertion concerning the effectiveness of the 
    institution's internal control over financial reporting. Under 
    professional standards, the independent public accountant is expected 
    to perform this attestation engagement in accordance with the generally 
    accepted standards for attestation engagements (GASAE).
        Financial Statements. The statements of financial position (balance 
    sheet), income, cash flows, and changes in equity together with related 
    notes.
        Independent Public Accountant. An accountant who is independent of 
    the institution and registered or licensed to practice as a public 
    accountant, and is in good standing, under the laws of the state or 
    other political subdivision of the United States in which the home 
    office of the institution is located. No certified public accountant or 
    public accountant will be recognized as independent who is not in fact 
    independent. The independent public accountant also should comply with 
    the American Institute of Certified Public Accountants' (AICPA) Code of 
    Professional Conduct and any related guidance adopted by the banking 
    agencies.
        Internal auditing. An independent assessment function established 
    within an institution to examine and evaluate its system of internal 
    control and the efficiency with which the various units of the 
    institution are carrying out their assigned tasks. The objective of 
    internal auditing is to assist the management and directors of the 
    institution in the effective discharge of their responsibilities. To 
    this end, internal auditing furnishes management with analyses, 
    appraisals, recommendations, counsel, and information concerning the 
    activities reviewed.
        Outside Directors. Members of an institution's board of directors 
    who are not officers, employees, or principal stockholders of the 
    institution, its subsidiaries, or its affiliates, and do not have any 
    material business dealings with the institution, its subsidiaries, or 
    its affiliates.
        Regulatory Reports. These reports are the Reports of Condition and 
    Income (Call Reports) for banks and Thrift Financial Reports (TFRs) for 
    savings associations.
        Report on the Balance Sheet. An examination of an institution's 
    balance sheet performed and reported on by an independent public 
    accountant in accordance with GAAS and of sufficient scope to enable 
    the independent public accountant to express an opinion on the fairness 
    of the balance sheet presentation in accordance with GAAP.
        Risk Areas. Those particular activities of an institution that 
    expose it to greater potential losses if problems exist and go 
    undetected. The areas with the highest financial reporting risk in most 
    institutions generally are their lending and investment securities 
    activities.
    
        Dated: February 5, 1998.
    Joe M. Cleaver,
    Executive Secretary, Federal Financial Institutions Examination 
    Council.
    [FR Doc. 98-3374 Filed 2-13-98; 8:45 am]
    BILLING CODE 6210-01-P, 6720-01-P, 6714-01-P, 4810-01-P
    
    
    

Document Information

Published:
02/17/1998
Department:
Federal Financial Institutions Examination Council
Entry Type:
Notice
Action:
Proposed policy statement; Request for comment.
Document Number:
98-3374
Dates:
Comments must be received by April 20, 1998.
Pages:
7796-7802 (7 pages)
PDF File:
98-3374.pdf