Guidance on Part 363 Internal Control Attestation Standards for Independent Auditors

Section 36 of the Federal Deposit Insurance Act and Part 363 of the FDIC's regulations impose annual audit and reporting requirements on insured depository institutions with $500 million or more in total assets. The annual report that these institutions file with the FDIC and other federal and state supervisors, as appropriate, must include, as one of its components, a statement of management's responsibilities for establishing and maintaining an adequate internal control structure and procedures for financial reporting. For purposes of Part 363, financial reporting encompasses both financial statements prepared in accordance with generally accepted accounting principles (GAAP) and those prepared for regulatory reporting purposes.

In addition, the Part 363 annual report for insured depository institutions with $1 billion or more in total assets must contain an assessment by management of the effectiveness of internal control over financial reporting as of year-end, as well as a report by the institution's independent auditor on management's assertion concerning internal control.

On May 24, 2007, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements (AS 5), which supersedes Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements (AS 2). The U.S. Securities and Exchange Commission (SEC) approved AS 5 on July 25, 2007, and it is effective for fiscal years ending on or after November 15, 2007.

In a related matter, on June 20, 2007, the SEC amended its Regulation S-X to require an auditor to express a single opinion directly on the effectiveness of internal control over financial reporting in the auditor's attestation report. ¹ The SEC stated that the single opinion more effectively communicates the auditor's responsibility in relation to management's process for assessing the effectiveness of internal control over financial reporting and conveys whether management's assessment is fairly stated. The SEC also stated that its amendments are fully consistent with, and will continue to achieve, the objectives of Section 404(b) of the Sarbanes-Oxley Act.

Given the PCAOB's adoption and the SEC's approval of AS 5, the FDIC has been asked whether the auditor's opinion on internal control over financial reporting issued under AS 5 would satisfy the internal control attestation requirements of Part 363. The reason for this question relates to the auditor's opinions issued under AS 2 and AS 5. More specifically, AS 2 required the auditor to issue two opinions related to internal control: (1) an auditor's opinion on management's assessment of internal control over financial reporting and (2) an auditor's opinion on the company's internal control over financial reporting. However, under AS 5, the auditor is required to issue only one opinion, an opinion on the company's internal control over financial reporting. An auditor's separate opinion on management's assessment of internal control over financial reporting is not required under AS 5. Since the requirements of the SEC's Section 404 regulations are similar to the internal control reporting requirements of Part 363 of the FDIC's regulations, the FDIC has determined that the auditor's opinion on internal control over financial reporting issued under AS 5 would satisfy the attestation requirements of Part 363, provided the opinion covers both financial statements prepared in accordance with GAAP and those prepared for regulatory reporting purposes.

For public companies, ² the implementation dates for the use of AS 5 for audits of internal control over financial reporting can be summarized generally as follows:

• Public companies that are "large accelerated filers" ³ or "accelerated filers" ⁴ must continue to comply with the SEC's Section 404 regulations regarding management's report on internal control and the auditor's attestation report on internal control. Therefore, auditors of public companies that are "large accelerated filers" or "accelerated filers" must follow AS 5 for audits of internal control for fiscal years ending on or after November 15, 2007.
• Public companies that are "non‑accelerated filers" ⁵ must begin to comply with the SEC's Section 404 regulations regarding management's report on internal control for fiscal years ending on or after December 15, 2007, and they must comply with the SEC's Section 404 regulations regarding the auditor's attestation report on internal control for fiscal years ending on or after December 15, 2008. Therefore, auditors of public companies that are "non-accelerated filers" must follow AS 5 for audits of internal control for fiscal years ending on or after December 15, 2008.

The Part 363 requirements related to the report by the institution's independent auditor concerning internal control over financial reporting ⁶ for insured institutions with $1 billion or more in total assets can be summarized as follows:

• For an insured institution that is neither a public company nor a subsidiary of a public company, its independent auditor need only follow Section 501 of the American Institute of Certified Public Accountants' (AICPA) existing attestation standards, Reporting on an Entity's Internal Control Over Financial Reporting (AT 501) – until any revisions to these standards on which the AICPA is working take effect – to satisfy Part 363 of the FDIC's regulations.
• For an insured institution that is a public company that is a large accelerated filer or an accelerated filer, its independent auditor should follow AS 5 for audits of internal control for fiscal years ending on or after November 15, 2007, to satisfy Part 363 of the FDIC's regulations.
• For an insured institution that is a public company but is a non-accelerated filer, its independent auditor is not currently required to follow AS 5. However, the use of AS 5 will be required for audits of internal control for fiscal years ending on or after December 15, 2008. Until then, the auditor need only follow the existing internal control attestation standards in AT 501 to satisfy Part 363 of the FDIC's regulations.

Nonetheless, if an auditor need only follow the internal control attestation standards in AT 501, but the auditor and the insured institution instead agree to have the internal control attestation performed under AS 5, the auditor's report directly on internal control would satisfy the attestation requirements of Part 363.

In addition, an institution subject to Part 363 that is a subsidiary of a public company that is an accelerated filer or a large accelerated filer, but is not itself a public company, has flexibility in complying with the FDIC's internal control requirements. If the conditions specified in Section 363.1(b)(2) of the FDIC's regulations are met, management and the independent auditor may choose to report to the FDIC on internal control over financial reporting at the consolidated holding company level. In this situation, the auditor's work would be performed for the public company in accordance with AS 5. Alternatively, the institution may choose to comply with the internal control reporting requirements of Part 363 at the institution level and its independent auditor could follow existing AT 501. However, this alternative may not be cost-effective.

Finally, the FDIC reminds insured institutions with $1 billion or more in total assets that are public companies or subsidiaries of public companies that they have considerable flexibility in determining how best to satisfy the internal control attestation requirements in the SEC's Section 404 rules and the FDIC's Part 363. As indicated in the preamble to the SEC's Section 404 final rule release, ⁷ the FDIC (and the other federal banking agencies) agreed with the SEC that insured depository institutions that are subject to both Part 363 (as well as holding companies permitted under the holding company exception in Part 363 to file an internal control report on behalf of their insured depository institution subsidiaries) and the SEC's rules implementing Section 404 can choose either of the following two options:

• Management can prepare two separate reports on the institution's or the holding company's internal control over financial reporting to satisfy the FDIC's Part 363 requirements and the SEC's Section 404 requirements; or
• Management can prepare a single report on internal control over financial reporting that satisfies both the FDIC's requirements and the SEC's requirements.

¹ See SEC Release Number 33-8809, Amendments to Rules Regarding Management's Report on Internal Control Over Financial Reporting ( http://www.sec.gov/rules/final/2007/33-8809.pdf?bcsi_scan_BAB8C33EF8E0E6E9=0&bcsi_scan_filename=33-8809.pdf - PDF ( PDF Help )

² Public companies are companies subject to the reporting requirements of the Securities Exchange Act of 1934.

³ In general, large accelerated filers are public companies whose common equity has an aggregate market value of $700 million or more.

⁴ In general, accelerated filers are public companies whose common equity has an aggregate market value of $75 million or more but less than $700 million.

⁵ In general, non-accelerated filers are public companies whose common equity has an aggregate market value of less than $75 million.

⁶ As previously stated, the scope of financial reporting for Part 363 includes both financial statements prepared in accordance with GAAP and those prepared for regulatory reporting purposes.

⁷ See Section II.H.4 of the preamble to the SEC's final rule (68 FR 36648, June 18, 2003).