Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

[Federal Register: February 17, 1998 (Volume 63, Number 31)]

[Notices]

[Page 7796-7802]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr17fe98-104]


 

=======================================================================

-----------------------------------------------------------------------


 

FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL



 

Policy Statement on External Auditing Programs of Banks and

Savings Associations


 

AGENCY: Federal Financial Institutions Examination Council.


 

ACTION: Proposed policy statement; Request for comment.


 

-----------------------------------------------------------------------


 

SUMMARY: The Federal Financial Institutions Examination Council (FFIEC)

1 is requesting comments on a proposed Policy Statement on

External Auditing Programs of Banks and Savings Associations (Policy

Statement) which is intended to provide uniform guidance regarding

independent external auditing programs. Because institutions with $500

million or more in total assets must have an annual audit performed by

an independent public accountant in accordance with section 36 of the

Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR part

363, this policy would apply only to institutions below that threshold

that are not otherwise subject to audit requirements.

---------------------------------------------------------------------------


 

\1\ The FFIEC consists of representatives from the Board of

Governors of the Federal Reserve System (FRB), the Federal Deposit

Insurance Corporation (FDIC), the Office of the Comptroller of the

Currency (OCC), the Office of Thrift Supervision (OTS) (referred to

as the ``banking agencies''), and the National Credit Union

Administration. However, this guidance is not directed to credit

unions.

---------------------------------------------------------------------------


 

The Policy Statement expresses the banking agencies' belief that a

well-planned external audit program, combined with a strong internal

audit function, increases the ability of an institution to detect and

correct any serious problems that exist. In this regard, the proposed

guidance encourages each institution to adopt an external auditing

program that includes an annual audit of its financial statements by an

independent public accountant. If an institution's board of directors

or audit committee determines that an audit is not appropriate for the

institution, the proposal provides two alternative approaches for

consideration. The alternatives, which should also be performed by an

independent public accountant, consist of a report on the institution's

balance sheet or an attestation report on internal control over

specified schedules of its regulatory reports.

The proposed Policy Statement also encourages institutions to

establish an audit committee consisting entirely of outside directors,

if practicable.


 

DATES: Comments must be received by April 20, 1998.


 

ADDRESSES: Comments should be directed to Joe M. Cleaver, Executive

Secretary, Federal Financial Institutions Examination Council, 2100

Pennsylvania Avenue, NW, Suite 200, Washington, DC 20037 (Fax number:

(202) 634-6556). Comments will be available for public inspection

during regular business hours at the above address. Appointments to

inspect comments are encouraged and can be arranged by calling the

FFIEC at (202) 634-6526.


 

FOR FURTHER INFORMATION CONTACT:


 

FDIC: Doris L. Marsh, Examination Specialist, Division of

Supervision, (202) 898-8905, or A. Ann Johnson, Counsel, Legal

Division, (202) 898-3573, FDIC, 550 17th Street, N.W., Washington, DC

20429.

FRB: Charles H. Holm, Project Manager, (202) 452-3502, or Arthur

Lindo, Supervisory Financial Analyst, (202) 452-2695, Division of

Banking Supervision and Regulation, Board of Governors of the Federal

Reserve System, 20th Street and Constitution Avenue, N.W., Washington,

DC 20551.

OCC: Thomas Rees, Senior Accountant, Chief Accountant's office,

Core Policy Division, (202) 874-5411, or Bill Morris, National Bank

Examiner, Core Policy Division, (202) 874-4915, Office of the

Comptroller of the Currency, 250 E Street, S.W., Washington, DC 20219.

OTS: Timothy J. Stier, Chief Accountant, Accounting Policy

Division, (202) 906-5699, or Christine A. Smith, Policy Analyst,

Accounting Policy Division, (202) 906-5740, Office of Thrift

Supervision, 1700 G Street, N.W., Washington, DC 20552.


 

SUPPLEMENTARY INFORMATION:


 

I. Background


 

An institution's internal auditing and external auditing programs

are critical to its safety and soundness. When an institution lacks an

internal auditing program or has weaknesses in an existing program,

examiners often encourage the institution to obtain an independent

external audit. Accordingly, many institutions now supplement their

internal auditing programs by obtaining independent external audits,

either voluntarily or as a result of the requirements of section 36 of

the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and its

implementing regulation, 12 CFR part 363, the Securities and Exchange

Act of 1934 (15 U.S.C. 78a), or the Federal Reserve bank holding

company reporting requirements in the FR-Y-6 Annual Report of Bank

Holding Companies. However, a number of institutions, particularly

smaller institutions, do not have an external audit for various

reasons.

Because the banking agencies believe that an independent external

audit provides reasonable assurance that an institution's financial

statements are prepared in accordance with generally accepted

accounting principles (GAAP), the banking agencies encourage all

institutions to obtain external audits. In an effort to provide more

explicit guidance to institutions regarding external audits, the FFIEC

is proposing to approve a uniform Policy Statement. Upon FFIEC

approval, the FFIEC would recommend to the banking agencies that they

individually adopt the policy. This proposal is generally consistent

with the individual policies of the banking agencies.

Although some of the banking agencies have provided guidance on

external audits to their supervised institutions, a uniform policy does

not exist. For example, the OCC discusses its policies with regard to

independent external audits for national banks in the Comptroller's

Handbook for National Banks, Section 102, Internal and External Audits,

and the Comptroller's Manual for Corporate Activities. The FDIC adopted

similar guidance in its Policy Statement Regarding Independent External

Auditing Programs of State Nonmember Banks on November 16, 1988, as

published on November 28, 1988 (53 FR 47871), and amended on June 24,

1996, (61 FR 32438). The OTS's policy on independent external audits is

discussed in the Thrift Activities Regulatory Handbook, Section 350,

Independent Audits. The FRB sets forth its policy on external audits in

the FR-Y-6'Annual Report of Bank Holding Companies and Section 1010,

``External Audits,'' of the Commercial Bank Examination Manual.


 

II. The Policy Statement


 

The following paragraphs describe the principal provisions of the

proposed Policy Statement.


 

[[Page 7797]]


 

Board of Directors' Responsibilities


 

External Auditing Program

This section of the proposed Policy Statement expresses the banking

agencies' belief that a well-planned external auditing program combined

with a strong internal auditing function increases the ability of an

institution to detect and correct any potentially serious problems.

This section also emphasizes the importance to the institution's board

of directors and management of establishing an effective internal

control process to provide reasonable assurance that the institution

achieves its objectives. The banking agencies believe that the board of

directors should consider an external auditing program performed by an

independent public accountant to be conducive to the safe and sound

operation of the institution.

Audit Committee

This section encourages institutions to establish an audit

committee consisting entirely of outside directors, if practicable.

Among its duties, the audit committee should identify the areas of

greatest risk affecting financial reporting in the institution's

operations. In addition, this section states that an institution's

board of directors or audit committee should consider the

appropriateness of an external auditing program for the institution.

This evaluation should address what form of external auditing program

will best assist the board or audit committee in obtaining reasonable

assurance that the institution's financial statements and regulatory

reports are reliably prepared. The results of this evaluation should be

documented.


 

Alternative External Auditing Programs


 

The proposal identifies the preferred external auditing program and

two acceptable alternatives.2

---------------------------------------------------------------------------


 

\2\ It is the understanding of the banking agencies that, under

most state public accountancy laws, only an independent public

accountant may perform a balance sheet audit or issue an attestation

report on internal control.

---------------------------------------------------------------------------


 

Financial Statement Audit by an Independent Public Accountant

The proposal encourages each institution to adopt an external

auditing program that includes an annual audit of its financial

statements by an independent public accountant. The banking agencies

believe that a financial statement audit benefits management in

carrying out its control responsibilities.

Report on the Balance Sheet Audit

As an alternative to a financial statement audit, the proposed

Policy Statement suggests that an institution consider engaging an

independent public accountant to examine its assets, liabilities, and

equity under generally accepted auditing standards (GAAS) and to opine

on the fairness of the presentation on the balance sheet. Under this

type of engagement, the accountant would not provide an opinion on the

fairness of the presentation of the institution's income statement,

statement of changes in equity capital, or statement of cash flows.

Attestation Report on Internal Control Assertion

Another alternative to a financial statement audit is to engage an

independent public accountant to provide a report attesting to

management's assertion concerning the effectiveness of internal control

over financial reporting. The report would cover certain schedules of

its regulatory reports, including those relating to loans and

securities. Under this alternative, management would review its

internal control over the preparation of these schedules and document

this review. Management would then provide a written assertion stating

whether it believes its internal control is effective. The independent

public accountant would examine management's assertion and provide an

appropriate attestation report.

The banking agencies believe that an institution's annual ongoing

cost of an attestation report on internal control over certain

schedules of its regulatory reports would be significantly less than

the cost of an audit of its financial statements. However, the cost

projections depend on the circumstances of each institution, and an

institution may incur additional start-up costs to create the initial

documentation of its internal control structure and procedures in the

first year. This documentation is necessary to enable the independent

public accountant to evaluate management's assertion on the

effectiveness of internal control.

Holding Company Subsidiaries

The proposal describes the responsibilities of the board or audit

committee of a subsidiary of a holding company with respect to the

institution's external auditing program. Specifically, the proposal

says that an institution which is a subsidiary of a holding company may

find it appropriate to express the scope of its external auditing

program in terms of its relationship to the consolidated group.

However, the board or audit committee should determine whether the

subsidiary's activities involve unusual risks that are not adequately

covered within the scope of the audit of the consolidated financial

statements. If so, the proposal suggests that the board or audit

committee consider implementing an appropriate alternative external

auditing program.


 

Other Matters Concerning an External Auditing Program


 

Timing and Experience

The proposed Policy Statement recommends that whatever external

auditing program is adopted be performed at a quarter-end date that

coincides with a regulatory report date. It states that the independent

public accountant performing this program should be experienced in

performing external auditing work for banks and savings associations.

Access to Regulatory Reports

The proposal explains that an independent public accountant should

have access to examination reports, other documents, and reports of

action related to the supervision of the institution by its appropriate

federal or state banking agency.


 

Examiner Review of the External Auditing Program


 

The proposal explains that examiners should consider an

institution's size, the nature and scope of its activities, and any

compensating controls when determining the adequacy of the

institution's external auditing program and making recommendations for

improvement. Examiners should also consider whether the institution has

undertaken a state-required auditing program (that differs from the

programs set forth in this policy) when determining whether to make

recommendations for improvements under this policy.


 

Notification and Submission of Reports


 

In general, each institution should furnish its appropriate

supervisory office with a copy of external auditing reports issued by

its independent public accountant. However, the proposal also addresses

the submission of the independent public accountant's report by holding

company subsidiaries. This guidance reflects the banking agencies'

current approach to supervising banking organizations which own more

than one depository institution. Because each banking agency designates

one


 

[[Page 7798]]


 

supervisory office to manage the supervision of an entire banking

organization, any reports from the independent public accountant should

be sent to the appropriate supervisory office of each banking agency

which supervises the entire banking organization.


 

Special Situations


 

Newly Insured Institutions

The proposed Policy Statement notes that the FDIC Statement of

Policy on Applications for Deposit Insurance (57 FR 12822) requires

newly insured institutions to adopt an appropriate external auditing

program.

Institutions Presenting Supervisory Concerns

This section of the proposal lists some of the conditions in a

problem institution which would warrant the inclusion of a requirement

for a strong external auditing program.


 

Performance of Other Services


 

This section of the proposal explains that although each

institution is encouraged to have an external auditing program

performed by an independent public accountant, an institution may hire

other firms for advisory and consulting services if it so desires.


 

Appendix A--Definitions


 

Appendix A defines the terms used throughout the proposed Policy

Statement. The banking agencies have tried to achieve consistency in

these definitions with current professional accounting and auditing

literature. In addition, references are consistent with terminology in

the report of the Committee of Sponsoring Organizations of the Treadway

Commission (COSO Report), ``Internal Control--Integrated Framework,''

which is the standard by which the vast majority of institutions

evaluate internal control.


 

III. Comments


 

The banking agencies encourage each institution to consider

engaging an independent public accountant to perform an audit of its

financial statements. If an institution's board or audit committee

determines that an audit is not appropriate for the institution, the

banking agencies encourage each institution to consider having one of

the alternatives recommended in this proposal performed. Comments on

the proposed Policy Statement are especially encouraged from any

institution which has had its independent public accountant perform one

of the alternatives (a report on the institution's balance sheet or an

attestation report on internal control over specified schedules of its

regulatory reports).

Some states have state-required external auditing programs (e.g.,

directors' examinations) that differ from the external auditing

programs set forth in this policy statement. Accordingly, comments are

requested on the amount of time those states might need if they wish to

modify their directors' examination requirements to be consistent with

this Policy Statement.


 

IV. Paperwork Reduction Act


 

As part of their continuing effort to reduce paperwork and

respondent burden, the banking agencies invite the general public and

other Federal agencies to take this opportunity to comment on proposed

and/or continuing information collections, as required by the Paperwork

Reduction Act of 1995. Currently, the banking agencies are soliciting

comments concerning this proposed FFIEC policy statement, as there is a

likelihood that each of the banking agencies will adopt it for their

institutions. The banking agencies expect to submit the information

collection to OMB for review in conjunction with FFIEC's approval of

the final policy statement, and will invite public comment again in the

Federal Register notice that publishes the final policy statement.

Written comments regarding the information collection aspects of

the proposed policy statement should be submitted to any one or all of

the addresses listed under the ADDRESSES section of this Federal

Register notice. A copy of the comments may also be submitted to the

OMB Desk Officer for the banking agencies: Alexander T. Hunt, Office of

Information and Regulatory Affairs, Office of Management and Budget,

New Executive Office Building, Room 3208, Washington, DC 20503.

Requests for information regarding the collections of information

contained in the proposed policy statement may be sent to:

FDIC: Steven F. Hanft, FDIC Clearance Officer, (202) 898-8766,

Office of the Executive Secretary, Federal Deposit Insurance

Corporation, 550 17th Street, NW, Washington, DC 20429.

FRB: Mary M. McLaughlin, Federal Reserve Board Clearance Officer

(202) 452-3829, Division of Research and Statistics, Board of Governors

of the Federal Reserve System, Washington, DC 20551. Telecommunications

Device for the Deaf (TDD) users may contact Diane Jenkins, (202) 452-

3544, Board of Governors of the Federal Reserve System, 20th Street and

Constitution Avenue, N.W., Washington, DC 20551.

OCC: Jessie Gates, OCC Clearance Officer, (202) 874-5090,

Legislative and Regulatory Activities Division, Office of the

Comptroller of the Currency, 250 E Street, SW, Washington, DC 20219.

OTS: Christine Smith, Policy Analyst, (202) 906-5740, Timothy

Stier, Chief Accountant, (202) 906-5699, Accounting Policy, Office of

Thrift Supervision, 1700 G Street, NW, Washington, DC 20552.


 

Abstract


 

The title of this proposed information collection is ``External

Auditing Programs (<$500MM).'' The information would be collected from

all institutions with less than $500 million in total assets and

consists of: (a) A recordkeeping requirement that institutions maintain

management assertions regarding certain regulatory report schedules,

and (b) reporting requirements that institutions submit to the

appropriate supervisory office: (1) A notification when an independent

public accountant is initially engaged to perform external auditing

work and when a change in, or termination of, an independent public

accountant occurs; and either (2) a copy of any reports by the

independent public accountant pertaining to the external auditing

program, including any management letters; or (3) when an institution's

financial information is included in the audited consolidated financial

statements of its parent company, a copy of the audited financial

statements of the consolidated company, any other reports by the

independent public accountant, and any notifications of changes in, or

terminations of, the consolidated company's independent public

accountant, with a transmittal letter identifying the institutions

covered.

Type of Review: New collection.

Affected Public: Businesses or other for-profit.


 

Number of Respondents:

FDIC: 5,960.

FRB: 900.

OCC: 2,200.

OTS: 1,050.


 

Total Annual Respones: The banking agencies estimate 2 responses

per respondent.

Frequency of Response: Annually and On occasion.


 

[[Page 7799]]


 

Total Annual Burden Hours

------------------------------------------------------------------------


 

------------------------------------------------------------------------

FDIC................ Recordkeeping Burden... 1,490 hours.

Reporting Burden....... 2,980 hours.

Total Burden......... 4,470 hours.

FRB................. Recordkeeping Burden... 225 hours.

Reporting Burden....... 450 hours.

Total Burden......... 675 hours.

OCC................. Recordkeeping Burden... 550 hours.

Reporting Burden....... 1,100 hours.

Total Burden......... 1,650 hours.

OTS................. Recordkeeping Burden... 263 hours.

Reporting Burden....... 525 hours.

Total Burden......... 788 hours.

------------------------------------------------------------------------


 

Comments


 

Comments submitted in response to this notice will be summarized

and/or included in each agency's request for OMB approval. All comments

will become a matter of public record. Comments are invited on:

(a) Whether the collection of information is necessary for the

proper performance of the functions of the agency, including whether

the information shall have practical utility;

(b) The accuracy of the agency's estimate of the burden of the

collection of information;

(c) Ways to enhance the quality, utility, and clarity of the

information to be collected;

(d) Ways to minimize the burden of the collection on respondents,

including through the use of automated collection techniques or other

forms of information technology; and

(e) Estimates of capital or startup costs and costs of operation,

maintenance, and purchase of services to provide the required

information.

The text of the proposed Policy Statement follows:


 

Federal Financial Institutions Examination Council


 

Policy Statement On External Auditing Programs of Banks and Savings

Associations 1


 

Introduction

The banking agencies 2 believe that a well-planned

annual external auditing program 3 is an important component

of a bank's or savings association's (hereafter referred to as ``an

institution'') risk management process. Furthermore, an external

auditing program complements the internal auditing function of an

institution by providing management and the board of directors with an

independent and objective view of the reliability of the institution's

financial statements. Additionally, an effective external auditing

program contributes to the efficiency of the banking agencies' risk-

focused examination process. By emphasizing the financial reporting

aspects of the significant risk areas of an institution, an effective

external auditing program may also reduce the examination time spent in

these areas.

---------------------------------------------------------------------------


 

\1\ Insured depository institutions covered by Section 36 of the

Federal Deposit Insurance Act, as implemented by 12 CFR part 363,

are required to have an external audit and an audit committee.

Therefore, this guidance only applies to banks and savings

associations which are not subject to part 363 (i.e., institutions

with less than $500 million in total assets at the beginning of

their fiscal year) or are not otherwise subject to audit

requirements by agreement, statute, or agency regulations. Such

banks and savings associations are referred to in this policy

statement as ``institutions.''

\2\ References to the banking agencies throughout this document

mean the Board of Governors of the Federal Reserve System (FRB), the

Federal Deposit Insurance Corporation (FDIC), the Office of the

Comptroller of the Currency (OCC), and the Office of Thrift

Supervision (OTS).

\3\ Terms defined in Appendix A are italicized the first time

they appear in this policy statement.

---------------------------------------------------------------------------


 

This policy statement outlines key elements of an effective

external auditing program and describes how an institution's external

auditing program will be reviewed by examiners. Specifically, this

policy encourages institutions to adopt an external auditing program

and establish an audit committee, and it describes some acceptable

external auditing programs that institutions may consider. In addition,

this policy statement provides guidance on external auditing for

institutions that are subsidiaries of a holding company, newly insured

institutions, and institutions presenting supervisory concerns.

Board of Directors' Responsibilities

External Auditing Program. The banking agencies encourage the board

of directors of each institution to adopt an external auditing program.

The banking agencies believe that the board of directors should

consider an external auditing program performed by an independent

public accountant to be conducive to the safe and sound operation of

the institution. The board of directors should evaluate whether its

external auditing program adequately addresses the financial reporting

aspects of the significant risk areas of the institution's business.

The ability to detect and correct potentially serious problems in these

areas substantially improves the safety and soundness of an

institution's operations and thereby lessens the risk the institution

poses to the FDIC-administered insurance funds.

An external auditing program also gives the institution's

management and board of directors information about the reliability of

its financial statements and often provides information useful to them

in discharging their responsibilities for effective internal control,

such as safeguarding assets and identifying weaknesses in the internal

control structure. In addition, an external auditing program may help

directors exercise reasonable care in protecting the assets of the

institution.

Audit Committee. The banking agencies also encourage the board of

directors of each institution to establish an audit committee. Ideally,

the audit committee should consist entirely of outside directors.

However, if this is impracticable, the banking agencies believe that at

least a majority of the audit committee members should be outside

directors.

An audit committee or board of directors should periodically (at

least annually) identify the risk areas of the institution's activities

and assess the extent of external auditing involvement needed over each

area. The audit committee or board should determine whether the

institution's needs will best be met by an audit of its financial

statements in accordance with generally accepted auditing standards

(GAAS) or by an alternative external auditing program. (Recommended

alternatives are described below.)

When evaluating the alternatives for the institution's external

auditing program, the committee or board should consider the cost and

potential benefits of an annual financial statement audit and ensure

that the selected program provides sufficient coverage of the financial

reporting aspects of the institution's significant risk areas and any

other areas of concern. The committee or board also should consider how

to best obtain reasonable assurance that the institution's financial


 

[[Page 7800]]


 

statements and regulatory reports are reliably prepared.

If the audit committee or board of directors decides to engage an

independent public accountant to conduct an alternative external

auditing program rather than an audit of the institution's financial

statements, the reasons for that decision should be documented in its

minutes.

Alternative External Auditing Programs

Financial Statement Audit by an Independent Public Accountant. The

banking agencies encourage each bank and savings association to have

its financial statements audited by an independent public accountant.

Although other alternatives are acceptable, a financial statement audit

provides the most comprehensive assurance about the fair presentation

of an institution's financial statements.

In addition, an external audit provides information that benefits

management in carrying out its control responsibilities. For example,

an external audit may provide management with guidance on establishing

or improving accounting and operating policies, recommendations on

internal control (including internal auditing programs), and

evaluations of management information systems necessary to ensure the

fair presentation of the financial statements.

Report on the Balance Sheet. An institution's audit committee or

board of directors may determine, based on its assessment of the

institution's risk areas and scope of operations during a particular

year, that a financial statement audit is not the institution's best

alternative. In such cases, the institution may prefer to engage an

independent public accountant to examine and report on the balance

sheet. If this alternative is chosen, the balance sheet on which the

accountant will report should be prepared in conformity with generally

accepted accounting principles (GAAP). Furthermore, the independent

public accountant should perform the engagement in accordance with

GAAS.

Attestation Report on Internal Control Assertion.

4 Another alternative to a financial statement audit is to

engage an independent public accountant to examine and report on

management's assertion concerning the effectiveness of the

institution's internal control over financial reporting in all or

specified schedules of the institution's regulatory reports. A board or

audit committee that elects this alternative should review and assess

the institution's activities and determine its high risk areas with

respect to financial reporting. In addition, management should evaluate

and provide a written assertion about the effectiveness of the

institution's internal control over financial reporting in the

identified risk areas as of one designated regulatory report date. This

assertion should specify the criteria on which management based its

evaluation of internal control. Furthermore, management's evaluation

should be adequately documented.

In most institutions, the lending and investment securities

activities present the most significant risks that affect financial

reporting. Therefore, management's assertion should generally cover the

following regulatory report schedules every year:


 

----------------------------------------------------------------------------------------------------------------

Thrift financial report

Area Reports of condition and income schedules schedules

----------------------------------------------------------------------------------------------------------------

Loans and Lease Financing Receivables RC-C, Part I.............................. SC, CF

Past Due and Nonaccrual Loans, RC-N...................................... PD

Leases, and Other Assets.

Allowance for Credit Losses.......... RI-B...................................... SC, VA

Securities........................... RC-B...................................... SC, SI, CF

----------------------------------------------------------------------------------------------------------------


 

If the board or audit committee determines that trading or off-

balance sheet activities present material financial reporting risks to

the institution, the regulatory report schedules for one or both of

these areas should also be covered by management's assertion and the

accountant's attestation:


 

----------------------------------------------------------------------------------------------------------------

Thrift financial report

Area Reports of condition and income schedules schedules

----------------------------------------------------------------------------------------------------------------

Trading Assets and Liabilities....... RC-D...................................... SO, SI.

Off-Balance Sheet Items.............. RC-L...................................... SI, CMR.

----------------------------------------------------------------------------------------------------------------


 

The regulatory report schedules listed in this policy statement

address the most common high risk areas for financial reporting in

institutions. However, these schedules do not address all possible

risks in an institution. Therefore, each institution should review the

risks inherent in its particular activities annually to determine

whether to expand the scope of its external auditing program to include

other financial reporting risk areas. For example, if an institution or

its subsidiaries has significant real estate investments, insurance

underwriting or sales activities, securities broker-dealer or similar

activities (including securities underwriting and investment advisory

services), loan servicing activities, or fiduciary activities, the

institution should consider whether its external auditing program

should cover these areas.

Holding Company Subsidiaries. When the audit committee or board of

directors of any institution owned by another company (such as a

holding company) considers its external auditing program, it may find

it appropriate to address the scope of its program in terms of the

institution's relationship to the consolidated group. The banking

agencies do not expect an institution owned by another company to

obtain a separate audit of its financial statements if the group's

consolidated financial statements for the same fiscal year are audited.

Nevertheless, the board of directors or audit committee of the

subsidiary may determine that it has activities that involve risks

which were not within the procedural scope of the audit of the

financial statements of the consolidated entity. For example, the risks

arising from some of the subsidiary's activities may be immaterial to

the financial statements of the consolidated entity. Under such

circumstances, the audit committee or board of the subsidiary

institution should consider strengthening its internal auditing

procedures to cover these activities or implementing an appropriate

alternative external auditing program.

---------------------------------------------------------------------------


 

\4\ An attestation engagement is not an audit. It is performed

under different professional standards than an audit of an

institution's financial statements or its balance sheet.


 

---------------------------------------------------------------------------


 

[[Page 7801]]


 

Other Matters Concerning an External Auditing Program

Timing. Whatever external auditing program an institution decides

to implement, it preferably should be performed as of the institution's

fiscal year-end. However, using a quarter-end date that coincides with

a regulatory report date is also acceptable. Such an approach would

permit the institution to use the audited financial statements to

verify and, if appropriate, amend the regulatory report. In this

regard, an institution may also find it cost-effective to have its

financial statements audited during the accounting firm's off-peak

period.

Experience. The banking agencies generally believe that the

independent public accountant that an institution selects to perform

its financial statement audit or its alternative external auditing

program should be experienced in auditing the financial statements of

banks and savings associations and knowledgeable about relevant laws

and regulations.

Access to Regulatory Reports. Regardless of the external auditing

approach chosen, management should inform the independent public

accountant of, and provide the independent public accountant with

access to, all examination reports and written communication between

the institution and the banking agencies or state banking authorities

since the last external auditing activity. The independent public

accountant also should be provided access to any supervisory memoranda

of understanding, written agreements, administrative orders, reports of

action initiated or taken by a federal or state banking agency under

section 8 of the Federal Deposit Insurance Act (or a similar state

law), or civil money penalties assessed against the institution or an

institution-related party, and any associated correspondence. The

independent public accountant must maintain the confidentiality of

examination reports and other confidential supervisory information.

Examiner Review of the External Auditing Program

A review of an institution's external auditing program will

continue to be part of the banking agencies' examination procedures. An

examiner's evaluation of and any recommendations for improvements in an

institution's external auditing program will consider the institution's

size, the nature and complexity of its business activities, its risk

profile, any actions taken or planned by the institution to minimize or

eliminate identified weaknesses, and any compensating controls that are

in place.

Notification and Submission of Reports

Regardless of the type of external auditing program chosen, the

banking agencies request that each institution furnish a copy of any

reports 5 by the independent public accountant pertaining to

the external auditing program, including any management letters, to its

appropriate supervisory office in a timely manner.

---------------------------------------------------------------------------


 

\5\ The institution's engagement letter is not expected to be

submitted as a ``report.''

---------------------------------------------------------------------------


 

In addition, the banking agencies request each institution to

promptly notify its appropriate supervisory office when an independent

public accountant is initially engaged to perform external auditing

work and when a change in, or termination of, its independent public

accountant occurs.

When an institution's financial information is included in the

audited consolidated financial statements of its parent company, the

institution may send its appropriate supervisory office one copy of the

audited financial statements of the consolidated company, any other

reports by the independent public accountant, and any notifications of

changes in, or terminations of, the consolidated company's independent

public accountant. If several institutions are owned by one parent

company, a single copy of the reports and any notifications applicable

to the consolidated company may be submitted to the appropriate

supervisory office of each banking agency supervising one or more of

the affiliated institutions and the holding company. A transmittal

letter should identify the institutions covered.

Special Situations

Newly Insured Institutions. The FDIC Statement of Policy on

Applications for Deposit Insurance requires an applicant for deposit

insurance coverage to obtain an audit of its financial statements by an

independent public accountant.

Institutions Presenting Supervisory Concerns. An independent

external auditing program complements the banking agencies' supervisory

process and the institution's internal auditing program by identifying

or further clarifying issues of potential concern or exposure. It can

also greatly assist management in taking corrective action,

particularly when weaknesses are detected in internal control or

management information systems. For these reasons, the banking agencies

may require an annual audit of an institution's financial statements by

an independent public accountant for an institution presenting

supervisory concerns. However, if it is more appropriate, either (1) a

report on the balance sheet; (2) an attestation report on management's

assertions concerning internal control over financial reporting; (3)

procedures agreed upon by the institution, independent public

accountant, and appropriate banking agency; or (4) other engagements

may be required if any of the following conditions exist:

(a) Internal control, including the internal auditing program, is

inadequate;

(b) The board of directors is generally uninformed in the area of

internal control;

(c) There is evidence of insider abuse;

(d) There are known or suspected defalcations;

(e) There is known or suspected criminal activity;

(f) It is probable that director liability for losses exists;

(g) Direct verification of loans or deposits is warranted;

(h) Questionable transactions with affiliates have occurred; or

(i) Other conditions exist that warrant improvements in the

external auditing program.

Such an action may also require, among other things, that the

institution provide its banking agency's supervisory office a copy of

any reports, including management letters, issued by the independent

public accountant. In addition, it may require the institution to

notify the supervisory office prior to any meeting with the independent

public accountant at which auditing findings are to be presented.

Performance of Other Services

This policy statement does not preclude institutions from engaging

entities other than independent public accountants to perform advisory

and other services that do not require licensing under applicable state

public accountancy statutes. For example, an institution may hire

individuals or firms who are not independent public accountants to

provide independent loan reviews, give advice on consumer compliance

issues, suggest improvements to increase operational efficiency in

specific departments (e.g., information processing), or assist in areas

of taxation or management information systems. In addition, if

acceptable under applicable state laws, these firms may perform state-

required directors' examinations; however, such services may not

constitute or replace


 

[[Page 7802]]


 

an external auditing program performed by an independent public

accountant.


 

Appendix A--Definitions


 

Appropriate supervisory office. The regional or district office of

the institution's primary federal banking agency which is responsible

for supervising the institution, or, in the case of an institution that

is part of a group of related insured institutions, the regional or

district office of the institution's federal banking agency which is

responsible for monitoring the group. If the institution is a

subsidiary of a holding company, the term ``appropriate supervisory

office'' also includes the federal banking agency responsible for

supervising the holding company. In addition, if the institution is

state-chartered, the term ``appropriate supervisory office'' includes

the appropriate state bank or savings association regulatory authority.

Audit. An examination of the financial statements, accounting

records, and other supporting evidence of an institution performed by

an independent certified or licensed public accountant in accordance

with generally accepted auditing standards (GAAS) and of sufficient

scope to enable the independent public accountant to express an opinion

on the institution's financial statements as to their presentation in

accordance with generally accepted accounting principles (GAAP).

Audit Committee. A committee of the board of directors whose

members should, to the extent possible, be knowledgeable about

accounting and auditing. The committee should be responsible for

reviewing and approving the institution's internal and external

auditing programs or recommending adoption of these programs to the

full board. Both the internal auditor and the independent public

accountant should have unrestricted access to the audit committee

without the need for any prior management knowledge or approval. Other

duties of the audit committee may include reviewing the independence of

the independent public accountant annually, consulting with management

when management seeks a second opinion on an accounting issue, and

overseeing the quarterly regulatory reporting process. The audit

committee should report its findings periodically to the full board of

directors.

Directors' Examination. An engagement performed by an independent

third party that has been authorized by the institution's board of

directors and is required by state law. (A directors' examinations is

called an ``engagement audit'' or ``operational audit.'' Nevertheless,

it is often not performed in accordance with GAAS nor do widely

accepted national standards exist for its performance.)

External Auditing Program. The testing and evaluation of risk areas

of an institution's business by an independent public accountant

sufficient to enable the accountant to express an opinion on the

financial statements or balance sheet. Under professional standards,

this engagement should be performed in accordance with GAAS.

Alternatively, an independent public accountant may attest to

management's assertion concerning the effectiveness of the

institution's internal control over financial reporting. Under

professional standards, the independent public accountant is expected

to perform this attestation engagement in accordance with the generally

accepted standards for attestation engagements (GASAE).

Financial Statements. The statements of financial position (balance

sheet), income, cash flows, and changes in equity together with related

notes.

Independent Public Accountant. An accountant who is independent of

the institution and registered or licensed to practice as a public

accountant, and is in good standing, under the laws of the state or

other political subdivision of the United States in which the home

office of the institution is located. No certified public accountant or

public accountant will be recognized as independent who is not in fact

independent. The independent public accountant also should comply with

the American Institute of Certified Public Accountants' (AICPA) Code of

Professional Conduct and any related guidance adopted by the banking

agencies.

Internal auditing. An independent assessment function established

within an institution to examine and evaluate its system of internal

control and the efficiency with which the various units of the

institution are carrying out their assigned tasks. The objective of

internal auditing is to assist the management and directors of the

institution in the effective discharge of their responsibilities. To

this end, internal auditing furnishes management with analyses,

appraisals, recommendations, counsel, and information concerning the

activities reviewed.

Outside Directors. Members of an institution's board of directors

who are not officers, employees, or principal stockholders of the

institution, its subsidiaries, or its affiliates, and do not have any

material business dealings with the institution, its subsidiaries, or

its affiliates.

Regulatory Reports. These reports are the Reports of Condition and

Income (Call Reports) for banks and Thrift Financial Reports (TFRs) for

savings associations.

Report on the Balance Sheet. An examination of an institution's

balance sheet performed and reported on by an independent public

accountant in accordance with GAAS and of sufficient scope to enable

the independent public accountant to express an opinion on the fairness

of the balance sheet presentation in accordance with GAAP.

Risk Areas. Those particular activities of an institution that

expose it to greater potential losses if problems exist and go

undetected. The areas with the highest financial reporting risk in most

institutions generally are their lending and investment securities

activities.


 

Dated: February 5, 1998.

Joe M. Cleaver,

Executive Secretary, Federal Financial Institutions Examination

Council.

[FR Doc. 98-3374 Filed 2-13-98; 8:45 am]

BILLING CODE 6210-01-P, 6720-01-P, 6714-01-P, 4810-01-P