ISSUING OFFICE: DOS/AS
Doris L. Marsh, Ext. 88905 NOTICE MEMORANDUM
J. Ketcha Jr.
of State Nonmember Banks
To provide guidance to examiners on acceptable external auditing
programs of state nonmember banks.
The FDIC Board of Directors rescinded the "Statement of Policy
Providing Guidance on External Auditing Procedures for State Nonmember
Banks" effective December 31, 1997. This policy statement had
provided an alternative to an audit for banks not subject to the
audit requirement in Section 36 of the Federal Deposit Insurance
Act (FDI Act). Despite the rescission of that statement, the FDICís
"Statement of Policy Regarding Independent External Auditing
Programs of State Nonmember Banks," as amended on June 24,
1996, (Current Policy) remains in effect. In the Current Policy,
the FDIC strongly encourages each state nonmember bank to adopt
an adequate external auditing program, preferably one that includes
an annual audit of its financial statements. In addition, the audit
requirements of Section 36 of the Federal Deposit Insurance
Act (FDI Act) and its implementing regulation, 12 CFR Part 363,
continue to apply to insured depository institutions with $500 million
or more in total assets.
16, 1998, the FDIC and other banking agencies, under the auspices
of the Federal Financial Institutions Examination Council (FFIEC),
requested public comment on a uniform interagency document, "Policy
Statement on External Auditing Programs of Banks and Savings Associations"
(Proposed Policy). This proposal recommended that an external auditing
program be performed by an independent public accountant and offered
two acceptable alternatives to a financial statement audit for institutions
not subject to the audit requirement in Section 36 of the FDI Act:
a report on the balance sheet and an attestation report on an internal
control assertion. An interagency working group has reviewed the
comment letters and is currently evaluating possible recommendations
for the FFIEC. However, it is not likely that a final recommendation
will be presented before the first quarter of 1999.
of the rescission of the auditing procedures policy statement and
the uncertain timing of the FFIEC action on the Proposed Policy,
questions have arisen concerning what types of programs are now
considered acceptable to the FDIC under the Current Policy.
Policy. Until any new policy statement regarding an annual external
auditing program is adopted, examiners evaluating compliance with
the Current Policy at an institution which has already determined
not to have an annual audit of its financial statements (or is not
covered by an audit of the consolidated holding company) should
encourage the institution to have one of the two alternatives described
below performed by an independent public accountant. The FDIC currently
believes these alternatives represent best practices for external
auditing programs when a financial statement audit is not performed.
Report on Internal Control Assertion. As one alternative to
a financial statement audit, the institutionís board or audit committee
should consider engaging an independent public accountant to provide
a report attesting to managementís assertion concerning the effectiveness
of internal control over financial reporting on the schedules of
its Reports of Condition and Income (Call Report) that cover the
risk areas of the institution, particularly those relating to loans
and securities. Under this alternative, management would first review
its internal control over the preparation of these schedules and
document this review. Management would then provide a written assertion
to the independent public accountant stating whether it believes
its internal control in this area is effective. Ideally, the assertion
would state that internal control is effective, but particularly
in banks that have a small staff, management may find that it needs
to include an explanatory paragraph describing one or more internal
control weaknesses. Initially, the independent public accountant
may have to provide some guidance to management on how to conduct
this review and how to prepare the assertion until management gains
some experience with this process. The independent public accountant
would examine managementís assertion, perform various tests, and
provide an appropriate attestation report in accordance with the
generally accepted standards for attestation engagements (GASAE).
alternative would not provide assurance that the specific dollar
amounts reported on the Call Report are accurate. However, it would
provide reasonable assurance about the reliability of managementís
assertion concerning the establishment of an internal control structure
and procedures over financial reporting on the specified report
schedules and whether that control is effective.
on the results of a field test, this alternative appears to provide
more benefits for lesser cost than the following alternative.
on the Balance Sheet Audit. As the other alternative, the institutionís
board of Directors or its audit committee should consider engaging
an independent public accountant to examine the assets, liabilities,
and equity of the institution under generally accepted auditing
standards (GAAS) and to opine on the fairness of the presentation
on the balance sheet. In these circumstances, the accountant would
not be expected to provide an opinion on the fairness of the presentation
of the institutionís income statement, statement of changes in equity
capital, or statement of cash flows.
Auditing Programs. Some states previously adopted the procedures
from the now rescinded Policy Statement as the state-required external
auditing program. Until a new policy statement is effective, if
an institution does not have an audit of its financial statements
and is subject to a state-required external auditing program (e.g.,
a Directorsí examination) that consists of the rescinded policyís
procedures, the institution would not normally be expected to incur
the cost of one of the preceding alternatives in addition to its
a bank does not choose either alternative above and plans to use
another type of Directorsí examination, including a state-required
Directorsí examination, the examiner should review the external
auditing procedures performed based on the institutionís size and
the nature, scope, and complexity of its business activities. During
this review, the examiner should determine whether these procedures
adequately cover the institutionís risk areas. If not, the examiner
should recommend that the bankís board or audit committee revise
its external auditing program so that it contains some procedures
designed to test the risk areas of the institution, including its
lending and investment securities activities. The board or audit
committee should be encouraged to have these procedures performed
for all risk areas annually. However, if no significant changes
are occurring in a certain risk area, a small institution may choose
to have its external auditing program cover one or two activities
annually so that all of its risk areas are included in its external
auditing program on a rotating basis every two or three years.
If a bankís
external auditing program consists solely of having an outside firm
obtain confirmations of deposits and loans, for example, or if the
bank has no external auditing program at all, the examiner should
recommend that the committee or board expand the scope of the auditing
work performed to include additional procedures to test the bank's
high risk areas or to initiate a financial statement audit or one
of the preceding alternatives.
4. Action Required.
Please distribute this memorandum to the examination staff in your
region. This memorandum may also be provided to bankers and other
interested parties upon request.