APPLICABILITY OF SELECTED PROVISIONS OF
THE SARBANES-OXLEY ACT OF 2002 TO
INSURED INSTITUTIONS WITH $500 MILLION OR MORE IN TOTAL ASSETS
Attachment I summarizes selected provisions of the Sarbanes-Oxley Act. The FDIC is considering possible amendments to Part 363 of its regulations that would extend certain provisions of the Sarbanes-Oxley Act that were described in Attachment I to all insured institutions with $500 million or more in total assets (covered institutions), whether or not they are public companies or subsidiaries of public companies. Any amendments to Part 363 would be developed in consultation with the other banking agencies and would be published in proposed form for public comment in the Federal Register.
This attachment discusses the relationship between three elements of the Sarbanes-Oxley Act and the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act and Part 363 of the FDIC's regulations. It then explains how FDIC-supervised covered institutions that are not public companies should view the other provisions of the Sarbanes-Oxley Act.
Appendix A to Part 363, Guidelines and Interpretations, presents the views of the FDIC on the interpretation of the annual audit and reporting requirements prescribed by Section 36 of the Federal Deposit Insurance Act. Guideline 14 addresses the qualifications of an independent public accountant engaged by an insured institution subject to Part 363 and states that the accountant should be "in compliance with the AICPA's Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff."
Thus, the guidelines provide for each covered institution, whether or not it is a public company, and its external auditor to comply with the SEC's auditor independence requirements (17 C.F.R. Section 210.2-01) that are in effect during the period covered by the audit of the institution's financial statements. If a covered institution satisfies the annual independent audit requirement by relying on the audit of its parent holding company, the holding company's external auditor should meet the SEC's independence requirements. Accordingly, all covered institutions should review the final rules on auditor independence that the SEC adopted on January 22, 2003, and ensure that they and their external auditors take appropriate actions to comply with these rules consistent with the time frames specified in the transition guidance.
The SEC's final rules on auditor independence implement the provisions of Sections 201, 202, 203, and 206 of Title II of the Sarbanes-Oxley Act. In summary, the final rules:
Revise the SEC's existing regulations related to the non-audit services that, if provided to an audit client, would impair an accounting firm's independence;
Require that a public company's audit committee pre-approve all audit and non-audit services provided to the company by the auditor of its financial statements;
Prohibit certain partners on the audit engagement team from providing audit services to the public company for more than five or seven consecutive years, depending on the partner's involvement in the audit, except that certain small accounting firms may be exempted from this requirement;
Prohibit an accounting firm from auditing a public company's financial statements if certain members of management of that public company had been members of the accounting firm's audit engagement team within the one-year period preceding the commencement of audit procedures; and
Provide that an audit partner's receipt of compensation based on the sale of engagements to an audit client for services other than audit, review, and attest services would impair the accountant's independence.
The final rules were published in the Federal Register on February 5, 2003, and generally become effective on May 6, 2003 (68 Fed. Reg. 6006). However, the final rules include transition guidance that states that, provided a relationship between an accountant and its audit client that is not acceptable under the final rules did not impair the accountant's independence under the pre-existing independence requirements of the SEC, the Independence Standards Board, or the American Institute of Certified Public Accountants, the accountant's independence will not be deemed to be impaired under the final rule in the following circumstances:
With respect to prohibited non-audit services under Section 201 of the Sarbanes-Oxley Act, as implemented by Section 201.2-01(c)(4) of the SEC's regulations, an accountant's independence will not be deemed to be impaired until May 6, 2004, if the accountant provides non-audit services prohibited by Section 201.2-01(c)(4) to an audit client pursuant to contracts in existence on May 6, 2003. This portion of the final rule recognizes that audit clients may need a period of time to exit existing contracts with their auditor.
With respect to the audit committee preapproval requirements under Section 202, as implemented by Section 201.2-01(c)(7) of the SEC's regulations, an accountant's independence will not be deemed to be impaired until May 6, 2003, if the accountant provides services that have not been approved by the audit committee.
With respect to the audit partner rotation requirements under Section 203, as implemented by Section 201.2-01(c)(6) of the SEC's regulations, an accountant's independence will not be deemed to be impaired until the first day of the public company's fiscal year beginning after:
May 6, 2004, if a concurring partner provides services to the audit client in excess of those permitted in this regulation; or
May 6, 2003, if a lead partner or other audit partner provides services in excess of those permitted in this regulation.
The SEC's regulation also explains how to measure a partner's period of service for purposes of determining when a partner becomes subject to the audit partner rotation requirements. This transition guidance is designed to allow accounting firms to establish an orderly transition of their audit engagement teams. In addition, the SEC's regulation exempts accounting firms with fewer than five public company audit clients and fewer than ten audit partners from the rotation requirements provided the Public Company Accounting Oversight Board conducts a review of all of the firm's audit engagements of these public company clients at least once every three years.
For purposes of the FDIC's Part 363 auditor independence guideline, the accounting firm for a covered institution, whether or not it is a public company or a subsidiary of a public company, should meet the SEC's audit partner rotation requirements, unless the SEC's small firm exemption would apply to the firm because it has fewer than five public company audit clients and fewer than ten audit partners.
Management's Responsibility for Financial Reporting and Controls
As noted in Attachment I, Section 302 of the Sarbanes-Oxley Act requires a certification by the principal executive officer and the principal financial officer in each quarterly and annual report that a public company files under the Securities Exchange Act of 1934. The SEC adopted a final rule implementing Section 302 that became effective August 29, 2002. This final rule prescribes the specific wording of the required certification, and this wording may not be changed in any respect. In addition, each principal executive officer and principal financial officer of a public company must provide a separate certification.
Section 36 of the FDI Act and Part 363 of the FDIC's regulations require each covered institution to include a management report in the annual report it files with the FDIC, its primary federal regulator (if other than the FDIC), and any appropriate state supervisor. The management report must be signed by the institution's chief executive officer and chief accounting or chief financial officer. It must contain a statement of management's responsibilities for:
Preparing the institution's annual financial statements;
Establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
Complying with designated safety and soundness regulations.
The management report also must include assessments by management of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the fiscal year and the institution's compliance with the designated safety and soundness regulations during the fiscal year.
With certain exceptions, this management report requirement may be satisfied by an insured institution's holding company if the services and functions comparable to those required of the institution by Section 36 and Part 363 are provided at the holding company level.
The content of the certification required by Section 302 is sufficiently different from the content of the management report required by Section 36 and Part 363 that an insured institution that is a public company, or a subsidiary of a public holding company, may not submit a Section 302 certification in place of the required management report.
Furthermore, in recent reviews of management reports filed by insured institutions subject to Section 36 and Part 363, the FDIC has found that many institutions are failing to fully comply with the requirements governing the content of these reports. Managements of institutions frequently omit one or more of the following from these reports:
The required statement of management's responsibilities for preparing the institution's financial statements;
The required statement of management's responsibilities for complying with the designated safety and soundness laws and regulations; and
Management's required assessment of the institution's compliance with the designated safety and soundness laws and regulations during its most recent fiscal year.
The chief executive officer and the chief accounting or chief financial officer of each institution subject to the annual audit and reporting requirements of Section 36 and Part 363 should ensure that their management report has been properly prepared before signing and dating the report. Institutions filing deficient management reports will be directed to revise and resubmit these reports.
Management's Assessment of Internal Controls and Accountant's Attestation on This Assessment
In addition to the management report requirements pertaining to the internal control structure and procedures for financial reporting discussed above, Section 36 and Part 363 require a covered institution's independent public accountant to examine, attest to, and report separately on management's assertion concerning internal control. This attestation report must be included in the annual report the covered institution files with the FDIC, its primary federal regulator (if other than the FDIC), and any appropriate state supervisor.
The language in Section 404 of the Sarbanes-Oxley Act requiring each public company to include an internal control report and an accountant's attestation report thereon in its annual report filed under the Securities Exchange Act of 1934 is substantially similar to the language in Section 36. However, the SEC has yet to prescribe rules requiring the internal control report and accountant's attestation report. After such rules have been adopted by the SEC, the FDIC will review these rules to determine whether covered institutions that are public companies, or subsidiaries of public companies, can use the Section 404 internal control report and accountant's attestation report to satisfy the comparable Section 36 and Part 363 requirement. In the meantime, covered institutions and their independent public accountants must continue to comply with the relevant requirements of Section 36 and Part 363 that pertain to internal control.
Other Provisions of the Sarbanes-Oxley Act
Unless and until the FDIC adopts any amendments to Part 363 in response to other provisions of the Sarbanes-Oxley Act and the SEC's implementing regulations, FDIC-supervised covered institutions that are not public companies should review the guidance in Attachment I concerning corporate governance practices that the FDIC encourages non-public institutions to implement to the extent feasible given the institution's size, complexity, and risk profile.