Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

Annual Audit and Reporting Requirements Internal Control Attestation Standards for Independent Auditors

November 17, 2004

Summary

The FDIC is providing guidance on the internal control attestation standards that auditors of insured institutions with $500 million or more in total assets should follow to comply with the FDIC's audit and reporting requirements.

Highlights

  • The annual audit and reporting requirements for insured institutions with $500 million or more in total assets in Part 363 of the FDIC's regulations require assessments of internal control over financial reporting by both management and independent auditors.
  • To date, auditors have followed the American Institute of Certified Public Accountants' (AICPA) attestation standards, known as "AT 501," when reporting on internal control.
  • Section 404 of the Sarbanes-Oxley Act imposes similar internal control requirements on public companies. Auditors of public companies will begin to follow the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2 when reporting on internal control.
  • The FDIC has received questions about the applicability of PCAOB Auditing Standard No. 2 to institutions subject to Part 363.
  • The auditor of a nonpublic institution need only follow the AICPA's existing internal control attestation standards in AT 501 – until any revisions to AT 501 on which the AICPA is working take effect – to satisfy Part 363.
  • The auditor of a public institution that is a non accelerated filer need only follow AT 501 to satisfy Part 363 until PCAOB Auditing Standard No. 2 takes effect for non accelerated filers in 2005.

Continuation of FIL-122-2004

Distribution

FDIC-Insured Institutions With $500 Million or More in Assets

Suggested Routing

Chief Executive Officer

Chief Financial Officer

Audit Committee

Note

FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/news/announcements/index.html.

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).

Additional Related Topics

  • Federal Deposit Insurance Act Section 36
  • Part 363 of the FDIC's Regulations

Financial Institution Letters
FIL-122-2004
November 17, 2004

Annual Audit and Reporting Requirements
Internal Control Attestation Standards for Independent Auditors

The FDIC is providing guidance on the internal control attestation standards that auditors of insured institutions with $500 million or more in total assets should follow to comply with the FDIC's audit and reporting requirements.

Section 36 of the Federal Deposit Insurance Act (FDI Act) and Part 363 of the FDIC's regulations impose annual audit and reporting requirements on insured depository institutions with $500 million or more in total assets. The annual report that these institutions file with the FDIC and other federal and state supervisors, as appropriate, must include a statement of management's responsibilities for establishing and maintaining an adequate internal control structure and procedures for financial reporting. For purposes of Part 363, financial reporting encompasses both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes.

In addition, the Part 363 annual report must contain an assessment by management of the effectiveness of internal control over financial reporting as of year-end as well as a report by the institution's independent auditor on management's assertion concerning internal control. To date, independent auditors have performed the attestation work necessary to satisfy the FDIC's reporting requirements by following Section 501 of the American Institute of Certified Public Accountants' (AICPA) attestation standards, Reporting on an Entity's Internal Control Over Financial Reporting, commonly referred to as "AT 501."

Using language substantially similar to that in Section 36 of the FDI Act, Section 404 of the Sarbanes-Oxley Act requires public companies1 to include in their annual reports under the federal securities laws a statement of management's responsibilities for internal control over financial reporting, management's assessment of the effectiveness of this internal control, and an attestation report on this assessment by the public company's independent auditor. The independent auditor's attestation and reporting on the effectiveness of internal control for public companies must be performed in accordance with the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. The Securities and Exchange Commission's (SEC) regulations implementing Section 404 and PCAOB Auditing Standard No. 2 take effect for "accelerated filers"2 for fiscal years ending on of after November 15, 2004. Other public companies ("non accelerated filers") must begin to comply with these internal control requirements in fiscal years ending on or after July 15, 2005.

Taken together, the SEC's Section 404 regulations and PCAOB Auditing Standard No. 2 establish more extensive testing and documentation requirements for internal control over financial reporting than those that have been in place under the FDIC's Part 363 and AT 501. However, institutions should note that the AICPA's Auditing Standards Board (ASB) has undertaken a project to substantially revise AT 501, a process that has included the issuance of a proposal in March 2003 and is now taking the provisions of Auditing Standard No. 2 and other matters into consideration. The ASB has not adopted the March 2003 proposed revisions and therefore they are not authoritative attestation standards for auditors.

Since the PCAOB's adoption of Auditing Standard No. 2 earlier this year, the FDIC has received questions from bankers and auditors about the applicability of this standard to institutions subject to Part 363. Although the FDIC has responded to these inquiries as they have arisen, we believe it would be beneficial to advise all institutions about the internal control standards that auditors should use to comply with the annual audit and reporting requirements of Part 363.

  • For an insured institution that is not a public company, its independent auditor need only follow the AICPA's existing internal control attestation standards in AT 501 – until any revisions to these standards on which the AICPA is working take effect – to satisfy Part 363 of the FDIC's regulations, absent any future amendments to these regulations that would require the use of a different set of standards.
  • For a public institution that is a non-accelerated filer, its independent auditor is not required to follow PCAOB Auditing Standard No. 2 until its effective date in 2005. Until then, the auditor need only follow the existing internal control attestation standards in AT 501.

In addition, an institution subject to Part 363 that is a subsidiary of a public holding company that is an accelerated filer, but is not itself a public company, has flexibility in complying with the FDIC's internal control requirements. If the conditions specified in Section 363.1(b)(2) of the FDIC's regulations are met, management and the independent auditor may choose to report to the FDIC on internal control over financial reporting at the consolidated holding company level.3 In this situation, the auditor's work would be performed for the public holding company in accordance with PCAOB Auditing Standard No. 2. Alternatively, the institution may choose to comply with the internal control reporting requirements of Part 363 at the institution level and its independent auditor can follow existing AT 501. However, this alternative may not be cost-effective.

Questions about the FDIC's annual audit and reporting requirements, including applicable internal control attestation standards, may be addressed to your FDIC Regional Accountant or Senior Policy Analyst Harrison E. Greene, Jr., Division of Supervision and Consumer Protection, at (202) 898-8905 or hgreene@fdic.gov.

Michael J. Zamorski
Director
Division of Supervision and Consumer Protection

1Public companies are companies subject to the reporting requirements of the Securities Exchange Act of 1934.
2In general, accelerated filers are public companies whose common equity has an aggregate market value of $75 million or more.
3As previously stated, the scope of financial reporting for Part 363 includes financial statements prepared for regulatory reporting purposes.
FIL-122-2004
Attachment(s)
Contact(s)
FDIC Regional Accountant or Harrison Greene, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898-8905

Last Updated: November 17, 2004