Federal Deposit
Insurance Corporation

Annual Audit and Reporting Requirements
Internal Control Attestation Standards for Independent Auditors

The FDIC is providing guidance on the internal control attestation standards that auditors of insured institutions with $500 million or more in total assets should follow to comply with the FDIC's audit and reporting requirements.

Section 36 of the Federal Deposit Insurance Act (FDI Act) and Part 363 of the FDIC's regulations impose annual audit and reporting requirements on insured depository institutions with $500 million or more in total assets. The annual report that these institutions file with the FDIC and other federal and state supervisors, as appropriate, must include a statement of management's responsibilities for establishing and maintaining an adequate internal control structure and procedures for financial reporting. For purposes of Part 363, financial reporting encompasses both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.

In addition, the Part 363 annual report must contain an assessment by management of the effectiveness of internal control over financial reporting as of year-end as well as a report by the institution's independent auditor on management's assertion concerning internal control. To date, independent auditors have performed the attestation work necessary to satisfy the FDIC's reporting requirements by following Section 501 of the American Institute of Certified Public Accountants' (AICPA) attestation standards, Reporting on an Entity's Internal Control Over Financial Reporting, commonly referred to as "AT 501."

Using language substantially similar to that in Section 36 of the FDI Act, Section 404 of the Sarbanes-Oxley Act requires public companies¹ to include in their annual reports under the federal securities laws a statement of management's responsibilities for internal control over financial reporting, management's assessment of the effectiveness of this internal control, and an attestation report on this assessment by the public company's independent auditor. The independent auditor's attestation and reporting on the effectiveness of internal control for public companies must be performed in accordance with the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. The Securities and Exchange Commission's (SEC) regulations implementing Section 404 and PCAOB Auditing Standard No. 2 take effect for "accelerated filers" ² for fiscal years ending on of after November 15, 2004. Other public companies ("non accelerated filers") must begin to comply with these internal control requirements in fiscal years ending on or after July 15, 2005.

Taken together, the SEC's Section 404 regulations and PCAOB Auditing Standard No. 2 establish more extensive testing and documentation requirements for internal control over financial reporting than those that have been in place under the FDIC's Part 363 and AT 501. However, institutions should note that the AICPA's Auditing Standards Board (ASB) has undertaken a project to substantially revise AT 501, a process that has included the issuance of a proposal in March 2003 and is now taking the provisions of Auditing Standard No. 2 and other matters into consideration. The ASB has not adopted the March 2003 proposed revisions and therefore they are not authoritative attestation standards for auditors.

Since the PCAOB's adoption of Auditing Standard No. 2 earlier this year, the FDIC has received questions from bankers and auditors about the applicability of this standard to institutions subject to Part 363. Although the FDIC has responded to these inquiries as they have arisen, we believe it would be beneficial to advise all institutions about the internal control standards that auditors should use to comply with the annual audit and reporting requirements of Part 363.

• For an insured institution that is not a public company, its independent auditor need only follow the AICPA's existing internal control attestation standards in AT 501 – until any revisions to these standards on which the AICPA is working take effect – to satisfy Part 363 of the FDIC's regulations, absent any future amendments to these regulations that would require the use of a different set of standards.
• For a public institution that is a non-accelerated filer, its independent auditor is not required to follow PCAOB Auditing Standard No. 2 until its effective date in 2005. Until then, the auditor need only follow the existing internal control attestation standards in AT 501.

In addition, an institution subject to Part 363 that is a subsidiary of a public holding company that is an accelerated filer, but is not itself a public company, has flexibility in complying with the FDIC's internal control requirements. If the conditions specified in Section 363.1(b)(2) of the FDIC's regulations are met, management and the independent auditor may choose to report to the FDIC on internal control over financial reporting at the consolidated holding company level.³ In this situation, the auditor's work would be performed for the public holding company in accordance with PCAOB Auditing Standard No. 2. Alternatively, the institution may choose to comply with the internal control reporting requirements of Part 363 at the institution level and its independent auditor can follow existing AT 501. However, this alternative may not be cost-effective.

Questions about the FDIC's annual audit and reporting requirements, including applicable internal control attestation standards, may be addressed to your FDIC Regional Accountant or Senior Policy Analyst Harrison E. Greene, Jr., Division of Supervision and Consumer Protection, at (202) 898-8905 or hgreene@fdic.gov.

¹ Public companies are companies subject to the reporting requirements of the Securities Exchange Act of 1934.

² In general, accelerated filers are public companies whose common equity has an aggregate market value of $75 million or more.

³ As previously stated, the scope of financial reporting for Part 363 includes financial statements prepared for regulatory reporting purposes.