Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Division of Supervision
6920 (I-R)
DATE: 10-1-98
Doris L. Marsh, Ext. 88905

MEMORANDUM TO: Regional Directors
FROM: Nicholas J. Ketcha Jr.
SUBJECT: External Auditing Programs
of State Nonmember Banks

1. Purpose. To provide guidance to examiners on acceptable external auditing programs of state nonmember banks.

2. Background. The FDIC Board of Directors rescinded the "Statement of Policy Providing Guidance on External Auditing Procedures for State Nonmember Banks" effective December 31, 1997. This policy statement had provided an alternative to an audit for banks not subject to the audit requirement in Section 36 of the Federal Deposit Insurance Act (FDI Act). Despite the rescission of that statement, the FDIC’s "Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks," as amended on June 24, 1996, (Current Policy) remains in effect. In the Current Policy, the FDIC strongly encourages each state nonmember bank to adopt an adequate external auditing program, preferably one that includes an annual audit of its financial statements. In addition, the audit requirements of Section 36 of the Federal Deposit Insurance Act (FDI Act) and its implementing regulation, 12 CFR Part 363, continue to apply to insured depository institutions with $500 million or more in total assets.

On February 16, 1998, the FDIC and other banking agencies, under the auspices of the Federal Financial Institutions Examination Council (FFIEC), requested public comment on a uniform interagency document, "Policy Statement on External Auditing Programs of Banks and Savings Associations" (Proposed Policy). This proposal recommended that an external auditing program be performed by an independent public accountant and offered two acceptable alternatives to a financial statement audit for institutions not subject to the audit requirement in Section 36 of the FDI Act: a report on the balance sheet and an attestation report on an internal control assertion. An interagency working group has reviewed the comment letters and is currently evaluating possible recommendations for the FFIEC. However, it is not likely that a final recommendation will be presented before the first quarter of 1999.

Because of the rescission of the auditing procedures policy statement and the uncertain timing of the FFIEC action on the Proposed Policy, questions have arisen concerning what types of programs are now considered acceptable to the FDIC under the Current Policy.

3. Policy. Until any new policy statement regarding an annual external auditing program is adopted, examiners evaluating compliance with the Current Policy at an institution which has already determined not to have an annual audit of its financial statements (or is not covered by an audit of the consolidated holding company) should encourage the institution to have one of the two alternatives described below performed by an independent public accountant. The FDIC currently believes these alternatives represent best practices for external auditing programs when a financial statement audit is not performed.

Attestation Report on Internal Control Assertion . As one alternative to a financial statement audit, the institution’s board or audit committee should consider engaging an independent public accountant to provide a report attesting to management’s assertion concerning the effectiveness of internal control over financial reporting on the schedules of its Reports of Condition and Income (Call Report) that cover the risk areas of the institution, particularly those relating to loans and securities. Under this alternative, management would first review its internal control over the preparation of these schedules and document this review. Management would then provide a written assertion to the independent public accountant stating whether it believes its internal control in this area is effective. Ideally, the assertion would state that internal control is effective, but particularly in banks that have a small staff, management may find that it needs to include an explanatory paragraph describing one or more internal control weaknesses. Initially, the independent public accountant may have to provide some guidance to management on how to conduct this review and how to prepare the assertion until management gains some experience with this process. The independent public accountant would examine management’s assertion, perform various tests, and provide an appropriate attestation report in accordance with the generally accepted standards for attestation engagements (GASAE).

This alternative would not provide assurance that the specific dollar amounts reported on the Call Report are accurate. However, it would provide reasonable assurance about the reliability of management’s assertion concerning the establishment of an internal control structure and procedures over financial reporting on the specified report schedules and whether that control is effective.

Based on the results of a field test, this alternative appears to provide more benefits for lesser cost than the following alternative.

Report on the Balance Sheet Audit . As the other alternative, the institution’s board of Directors or its audit committee should consider engaging an independent public accountant to examine the assets, liabilities, and equity of the institution under generally accepted auditing standards (GAAS) and to opine on the fairness of the presentation on the balance sheet. In these circumstances, the accountant would not be expected to provide an opinion on the fairness of the presentation of the institution’s income statement, statement of changes in equity capital, or statement of cash flows.

Other External Auditing Programs . Some states previously adopted the procedures from the now rescinded Policy Statement as the state-required external auditing program. Until a new policy statement is effective, if an institution does not have an audit of its financial statements and is subject to a state-required external auditing program (e.g., a Directors’ examination) that consists of the rescinded policy’s procedures, the institution would not normally be expected to incur the cost of one of the preceding alternatives in addition to its state-required program.

However, if a bank does not choose either alternative above and plans to use another type of Directors’ examination, including a state-required Directors’ examination, the examiner should review the external auditing procedures performed based on the institution’s size and the nature, scope, and complexity of its business activities. During this review, the examiner should determine whether these procedures adequately cover the institution’s risk areas. If not, the examiner should recommend that the bank’s board or audit committee revise its external auditing program so that it contains some procedures designed to test the risk areas of the institution, including its lending and investment securities activities. The board or audit committee should be encouraged to have these procedures performed for all risk areas annually. However, if no significant changes are occurring in a certain risk area, a small institution may choose to have its external auditing program cover one or two activities annually so that all of its risk areas are included in its external auditing program on a rotating basis every two or three years.

If a bank’s external auditing program consists solely of having an outside firm obtain confirmations of deposits and loans, for example, or if the bank has no external auditing program at all, the examiner should recommend that the committee or board expand the scope of the auditing work performed to include additional procedures to test the bank's high risk areas or to initiate a financial statement audit or one of the preceding alternatives.

4. Action Required. Please distribute this memorandum to the examination staff in your region. This memorandum may also be provided to bankers and other interested parties upon request.

Skip Footer back to content