Annual Audit and Reporting Requirements
Internal Control Attestation Standards for Independent Auditors
The FDIC is providing
guidance on the internal control attestation standards that auditors of
insured institutions with $500 million or more in total assets should follow
to comply with the FDIC's audit and reporting requirements.
Section 36 of the Federal
Deposit Insurance Act (FDI Act) and Part 363 of the FDIC's regulations
impose annual audit and reporting requirements on insured depository
institutions with $500 million or more in total assets. The annual report
that these institutions file with the FDIC and other federal and state
supervisors, as appropriate, must include a statement of management's
responsibilities for establishing and maintaining an adequate internal
control structure and procedures for financial reporting. For purposes of
Part 363, financial reporting encompasses both financial statements prepared
in accordance with generally accepted accounting principles and those
prepared for regulatory reporting purposes.
In addition, the Part 363
annual report must contain an assessment by management of the effectiveness
of internal control over financial reporting as of year-end as well as a
report by the institution's independent auditor on management's assertion
concerning internal control. To date, independent auditors have performed
the attestation work necessary to satisfy the FDIC's reporting requirements
by following Section 501 of the American Institute of Certified Public
Accountants' (AICPA) attestation standards, Reporting on an Entity's
Internal Control Over Financial Reporting, commonly referred to as
"AT 501."
Using language substantially
similar to that in Section 36 of the FDI Act, Section 404 of the
Sarbanes-Oxley Act requires public companies[1] to include in their annual reports
under the federal securities laws a statement of management's
responsibilities for internal control over financial reporting, management's
assessment of the effectiveness of this internal control, and an attestation
report on this assessment by the public company's independent auditor. The
independent auditor's attestation and reporting on the effectiveness of
internal control for public companies must be performed in accordance with
the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard
No. 2, An Audit of Internal Control Over Financial Reporting Performed
in Conjunction with an Audit of Financial Statements. The
Securities and Exchange Commission's (SEC) regulations implementing Section
404 and PCAOB Auditing Standard No. 2 take effect for "accelerated
filers"[2] for fiscal years ending on or
after November 15, 2004. Other public companies ("non-accelerated filers")
must begin to comply with these internal control requirements in fiscal
years ending on or after July 15, 2005.
Taken together, the SEC's
Section 404 regulations and PCAOB Auditing Standard No. 2 establish more
extensive testing and documentation requirements for internal control over
financial reporting than those that have been in place under the FDIC's Part
363 and AT 501. However, institutions should note that the AICPA's Auditing
Standards Board (ASB) has undertaken a project to substantially revise AT
501, a process that has included the issuance of a proposal in March 2003
and is now taking the provisions of Auditing Standard No. 2 and other
matters into consideration. The ASB has not adopted the March 2003 proposed
revisions and therefore they are not authoritative attestation standards for
auditors.
Since the PCAOB's adoption of
Auditing Standard No. 2 earlier this year, the FDIC has received questions
from bankers and auditors about the applicability of this standard to
institutions subject to Part 363. Although the FDIC has responded to these
inquiries as they have arisen, we believe it would be beneficial to advise
all institutions about the internal control standards that auditors should
use to comply with the annual audit and reporting requirements of Part 363.
- For an insured institution that is not a public company, its independent
  auditor need only follow the AICPA's existing internal control attestation
  standards in AT 501 until any revisions to these standards on which the
  AICPA is working take effect to satisfy Part 363 of the FDIC's
  regulations, absent any future amendments to these regulations that
  would require the use of a different set of standards.
- For a public institution that is a non-accelerated filer, its independent
  auditor is not required to follow PCAOB Auditing Standard No. 2 until its
  effective date in 2005. Until then, the auditor need only follow the
  existing internal control attestation standards in AT 501.
In addition, an institution
subject to Part 363 that is a subsidiary of a public holding company that is
an accelerated filer, but is not itself a public company, has flexibility in
complying with the FDIC's internal control requirements. If the conditions
specified in Section 363.1(b)(2) of the FDIC's regulations are met,
management and the independent auditor may choose to report to the FDIC on
internal control over financial reporting at the consolidated holding
company level.[3] In this situation, the
auditor's work would be performed for the public holding company in
accordance with PCAOB Auditing Standard No. 2. Alternatively, the
institution may choose to comply with the internal control reporting
requirements of Part 363 at the institution level and its independent
auditor can follow existing AT 501. However, this alternative may not be
cost-effective.
Questions about the FDIC's
annual audit and reporting requirements, including applicable internal
control attestation standards, may be addressed to your FDIC Regional
Accountant or Senior Policy Analyst Harrison E. Greene, Jr., Division of
Supervision and Consumer Protection, at (202) 898-8905 or hgreene@fdic.gov.
Michael J. Zamorski
Director
Division of Supervision and Consumer Protection
[1] Public companies are companies subject
to the reporting requirements of the Securities Exchange Act of 1934.
[2] In general, accelerated filers are
public companies whose common equity has an aggregate market value of $75
million or more.
[3] As previously stated, the scope of
financial reporting for Part 363 includes financial statements prepared for
regulatory reporting purposes.