FDIC Law, Regulations, Related Acts
5000 - Statements of Policy
STATEMENT OF POLICY REGARDING INDEPENDENT EXTERNAL AUDITING PROGRAMS OF STATE NONMEMBER BANKS
1. In view of its interest in the financial soundness of banks and the banking system, the FDIC believes that a strong internal auditing function combined with a well-planned external auditing program[1] substantially lessens the risk that a bank will not detect potentially serious problems. An external auditing program is a set of procedures designed to test and evaluate high risk areas of a bank's business which are performed by an independent auditor who may or may not be a public accountant. The failure to detect and correct potentially serious problems increases the risk a bank poses to the FDIC's insurance funds. A strong internal auditing function establishes the proper control environment and promotes accuracy and efficiency in a bank's operations. An external auditing program complements this function by providing an objective outside view of the bank's operations.
2. Regardless of the strength of a bank's internal auditing procedures, the FDIC believes that an external auditing program should be considered by a bank's board of directors as part of the cost of operating a bank in a safe and sound manner. An external auditing program assists the bank's board of directors in safeguarding assets and identifying risks inherent in its operation. In addition, an external auditing program may tend to assist directors in the event of litigation on whether an institution's board has exercised reasonable care in protecting the assets of the bank. Thus, the FDIC urges all state nonmember banks to establish and maintain a sound external auditing program.
3. In accordance with Section 36 of the Federal Deposit Insurance Act, as implemented by 12 CFR Part 363, each insured depository institution with $500 million or more in total assets at the beginning of its fiscal year is required to file with the FDIC and the appropriate federal banking agency, an annual report, including its financial statements which have been audited by an independent public accountant, and a management report and independent public accountant's attestation concerning both the effectiveness of the institution's internal controls for financial reporting and its compliance with designated safety and soundness laws. In addition, each such institution is required to have an audit committee consisting entirely of outside directors who are independent of management. For state nonmember banks subject to Section 36 and Part 363, these audit and audit committee requirements take precedence over the provisions of this Statement of Policy.
State Nonmember Banks Not Subject to Part 363
4. The FDIC strongly encourages the board of directors of each state nonmember bank to establish an audit committee consisting, if possible, entirely of outside directors. The audit committee or board of directors of each state nonmember bank generally should analyze the extent of the external auditing coverage needed by the bank annually. They should determine whether the bank's needs will best be met by an audit of its financial statements or by an acceptable alternative (described in paragraphs 9 and 10 below). When selecting the scope of the planned external auditing program for the year, the committee or board should ensure that the program will provide sufficient substantive external coverage of the bank's risk areas and any other areas of potential concern, such as compliance with applicable laws and regulations. If not, additional external auditing procedures conducted by an independent auditor may be appropriate for a specific year or several years to cover particularly high risk areas of the bank. The decisions resulting from these deliberations should be recorded in the committee's or board's minutes.
5. If the audit committee or board of directors of a bank, after due consideration, determines not to engage an independent public accountant to conduct an annual audit of the bank's financial statements (or whose parent holding company's consolidated financial statements are not audited), the reasons for the committee's or board's conclusion to use one of the acceptable alternatives or to have no external auditing program should be documented in its minutes. In the evaluation, the committee or board generally should consider not only the cost of an annual audit of the bank's financial statements, but also the potential benefits.
6. A review of both a bank's internal and external auditing programs has been and will continue to be a part of the FDIC's examination procedures. FDIC examiners will review the nature of each bank's external auditing program in conjunction with the risk areas perceived in that particular bank's business and operations, and they will exercise their judgment and discretion in evaluating the adequacy of a bank's external auditing program. Examiners will not automatically comment negatively to the board of directors of a bank with an otherwise satisfactory external auditing program merely because it does not engage an independent public accountant to perform an audit of its financial statements.
Audit by an Independent Public Accountant
7. The FDIC strongly encourages each state nonmember bank to adopt an external auditing program that includes an annual audit of its financial statements by an independent public accountant. A bank that does so would generally be considered to have a satisfactory external auditing program. An external audit of a bank's financial statements benefits management by assisting in the establishment of the accounting and operating policies, internal controls, internal auditing programs, and management information systems necessary to ensure the fair presentation of these statements. An audit also assists boards of directors in fulfilling their fiduciary responsibilities and provides them greater assurance that financial reports are accurate and provide adequate disclosure.
8. An audit of a bank's financial statements performed by the independent public accountant as of a quarter-end date when the Reports of Condition and Income are prepared is preferable and would permit the bank to use the audited financial statements in the preparation and/or subsequent review of those reports. A bank may also find it more cost effective to be audited during accounting firms' less busy periods. The independent public accountant chosen should be experienced in auditing banks and knowledgeable about banking regulations in order to provide the bank with the most effective service.
Alternatives to an Audit by a Public Accountant
9. The FDIC recognizes that a bank's audit committee or board of directors may determine that the external auditing program that will best meet its individual needs for that particular year will be other than an audit of its financial statements by an independent public accountant. The committee or board, after a full review of alternative and/or supplemental approaches for an adequate independent external auditing program, may decide on a well-planned directors' examination, an independent analysis of internal controls or other areas, a report on the balance sheet, or specified auditing procedures by an independent auditor. If the bank has an outside auditing firm that is simply obtaining confirmations of deposits and loans, for example, the committee or board should normally expand the scope of the auditing work performed to include additional procedures to test the bank's high risk areas.
10. Nonaccounting firms with bank auditing experience and expertise that are independent of the bank are available in some geographic locations. They may provide acceptable directors' examinations, analyses, or specified auditing work at a reasonable cost. In some instances, these firms' services include nonauditing work which enables them to provide suggestions on compliance issues and operational efficiencies. Depending upon the expertise of the firm and the scope of the engagement, these nonaccounting firms may be an appropriate choice for an external auditing program.
Newly Insured Banks
11. The FDIC believes that an adequate external auditing program performed by an independent auditor should be an integral part of the safe and sound management of a bank. Thus, applicants for deposit insurance coverage will generally be expected to commit their bank to obtain an audit of its financial statements by an independent public accountant annually for at least the first five years after deposit insurance coverage is granted.[2] The FDIC may determine on a case-by-case basis that an independent audit of financial statements is unnecessary where an applicant can demonstrate that the benefits derived from such an external audit will be substantially provided by other outside sources, or where the applicant is owned by another company and will undergo an audit performed by an independent public accounting firm as part of an audit of the consolidated financial statements of its parent company.
Notification and Submission of Reports
12. Whether currently or newly insured, the FDIC requests each state nonmember bank that undergoes any external auditing work, regardless of the scope of the work, to furnish a copy of any reports by the public accountant or other external auditor, including any management letters, to the appropriate FDIC regional office as soon as possible after their receipt by the bank.
13. In addition, the FDIC requests each bank to promptly notify the appropriate FDIC regional office when any public accountant or other external auditor is initially engaged to perform external auditing procedures and when a change in its accountant or auditor occurs.
Holding Company Subsidiaries
14. When the audit committee or board of directors of any state nonmember bank owned by another company (such as a bank holding company) considers its external auditing program, it may find it appropriate to express the scope of its program in terms of the bank's relationship to the consolidated group. No section of this statement of policy is intended to imply that any state nonmember bank owned by another company is expected to obtain a separate audit of the financial statements of the individual bank. Where the state nonmember bank is directly or indirectly included in the audit of the consolidated financial statements of its parent company performed by an independent public accounting firm, the state nonmember bank may send one copy of the comparable reports by the public accountant or notification of the change in accountants for the consolidated company to the appropriate regional director. If several banks supervised by the same FDIC regional office are owned by one parent company, a single copy of each report applicable to the consolidated company may be submitted to the regional office on behalf of all of the affiliated banks.
15. An annual independent external auditing program complements both the FDIC's supervisory process and bank internal auditing programs by further identifying or clarifying issues of potential concern or exposure. It can also greatly aid management in taking corrective action, particularly when weaknesses are detected in internal control or management information systems. For these reasons, an annual audit of bank financial statements performed by an independent public accounting firm or, if more appropriate, specified auditing procedures will be a condition of future enforcement actions, when deemed necessary, or if it appears that any of the following conditions may exist:
(a) Internal controls and internal auditing procedures are inadequate;
(b) The directorate is generally uninformed in the area of internal controls;
(c) There is evidence of insider abuse;
(d) There are known or suspected defalcations;
(e) There is known or suspected criminal activity;
(f) It is probable that director liability for losses exists;
(g) Direct verification is warranted; and/or
(h) Questionable transactions with affiliates have occurred.
16. Such an enforcement action may also require that (a) the bank provide to the appropriate FDIC regional office a copy of the auditor's report and any management letter received from the auditor promptly after the completion of any auditing work and that (b) the bank notify the regional office in advance of the time and date of any meeting between management and the auditor at which any auditing findings are to be presented so that a representative of the FDIC may be present if the FDIC so chooses.
Audit. An examination of the financial statements, accounting records, and other supporting evidence of a bank performed by an independent certified or licensed public accountant in accordance with generally accepted auditing standards and of sufficient scope to enable the auditor to express an opinion on the bank's financial statements as to their presentation in accordance with generally accepted accounting principles (GAAP).
Audit Committee. A committee of the board of directors, consisting, if possible, entirely of outside directors. To the extent possible, members of the committee should be knowledgeable about accounting and auditing. They should be responsible for reviewing and approving the bank's internal and external auditing programs or recommending adoption of these programs to the full board. Both the internal auditor and the external auditor should have unrestricted access to the audit committee without the need for any prior management knowledge or approval. Other duties of the audit committee should include reviewing the independence of the external auditor annually, being consulted by management when it seeks a second opinion on an accounting issue, overseeing the quarterly regulatory reporting process, and reporting its findings periodically to the full board of directors.
Directors' Examination. A review by an independent third party that has been authorized by the bank's board of directors and is performed in accordance with the board's analysis of potential risk areas. Certain procedures may also be required as a result of state law. A directors' examination consisting solely of such procedures as cash counts and confirmations of loans and deposits would not normally be considered a well-planned directors' examination. (Sometimes directors' examinations are similar to so-called "engagement audits" or "operational audits." Nevertheless, no widely accepted national standards exist for the specific procedures that must be performed in directors' examinations or these "audits.")
External Auditing Program. The performance of procedures to test and evaluate high risk areas of a bank's business by an independent auditor, who may or may not be a public accountant, sufficient for the auditor to be able to express an opinion on the financial statements or to report on the results of the procedures performed.
Financial Statements. The statements of financial position, income, cash flows, and changes in shareholders' equity together with related notes.
Independent. No certified public accountant, public accountant, or other auditor will be recognized as independent who is not in fact independent. (Reference is made to § 335.604 of the FDIC rules and regulations for the complete definition of the term "independent.")
Outside Directors. Members of a bank's board of directors who are not officers, employees, or principal stockholders of the bank, its subsidiaries, or its affiliates, and do not have any material business dealings with the bank, its subsidiaries, or its affiliates.
Public Accountant. A certified public accountant or licensed public accountant who is duly registered and in good standing as such under the laws of the place of his/her residence or principal office, who is licensed by the accounting regulatory authority of his/her state, and who possesses a permit to practice public accountancy.
Report on the Balance Sheet. An examination of the balance sheet, accounting records, and other supporting evidence performed by an independent certified or licensed public accountant in accordance with generally accepted auditing standards.
Risk Areas. The risk areas are those particular activities of a specific bank that expose the bank to potential losses if problems were to exist and go undetected. The highest risk areas in banks generally include, but are not necessarily limited to, the valuation of collectibility of loans (including the reasonableness of the allowance for loan losses), investments, and repossessed and foreclosed collateral; internal controls; and insider transactions.
[Source: 61 Fed. Reg. 32438].
[1] Terms defined in Appendix A are italicized the first time they appear in this statement of policy.
[2] Refer to the April 7, 1992, Statement of Policy on Applications for Deposit Insurance.