Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
INACTIVE
This page is no longer active. Its content has expired or been rescinded by the FDIC.

Annual Audit and Reporting Requirements Internal Control Attestation Standards for Independent Auditors

Accounting, Auditing, and Securities Disclosure
February 1, 2008
Summary: The FDIC is providing the attached guidance on the internal control attestation standards that auditors of insured institutions with $1 billion or more in total assets should follow to comply with the FDIC's audit and reporting requirements in Part 363 of the FDIC's regulations.

Highlights:

  • Part 363 of the FDIC's regulations requires assessments of internal control over financial reporting by both management and independent auditors for insured institutions with $1 billion or more in total assets.
  • Section 404 of the Sarbanes-Oxley Act imposes similar internal control requirements on public companies. On May 24, 2007, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 5 (AS 5).
  • Generally, auditors of public institutions that are accelerated filers will follow AS 5 for Section 404 purposes for fiscal years ending on or after November 15, 2007.
  • Generally, auditors of public institutions that are non- accelerated filers will follow AS 5 for Section 404 purposes for fiscal years ending on or after December 15, 2008.
  • In response to questions it has received, the FDIC has determined that auditors' internal control reports issued under AS 5 satisfy the requirements of Part 363.
  • For non-public institutions, auditors may follow the American Institute of Certified Public Accountants' (AICPA) attestation standards, known as "AT 501," when reporting on internal controls.
  • Auditors of public institutions that are non-accelerated filers need only follow AT 501 to satisfy Part 363 until AS 5 takes effect for non-accelerated filers in 2008.
  • For Part 363 purposes, the scope of financial reporting includes financial statements prepared for regulatory reporting.

Distribution:
FDIC-Insured Institutions With $500 Million or More
in Assets

Suggested Routing:
Chief Executive Officer
Chief Financial Officer
Board of Directors
Audit Committee

Note:
FDIC financial institution letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2008/index.html .

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html .

Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 3501 Fairfax Drive, E-1002, Arlington, VA 22226 (1-877-275-3342 or 703-562- 2200).



Additional Related Topics:

  • Federal Deposit Insurance Act Section 36
  • Part 363 of the FDIC's Regulations
FIL-5-2008
Attachment(s)
Guidance on Part 363 Internal Control Attestation Standards for Independent Accountants
Contact(s)
Harrison Greene, 202-898-8905

Last Updated: February 1, 2008