FDIC Law, Regulations, Related Acts
5000 - Statements of Policy
Interagency Advisory on External Audits of Internationally Active U.S. Financial Institutions
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (hereafter, the agencies) are issuing this advisory to indicate their support for the principles and expectations set forth in Parts 1 and 2, respectively, of the Basel Committee on Banking Supervision's (the BCBS or the Committee) March 2014 guidance on "External audits of banks" (hereafter, the BCBS external audit guidance).1 In supporting these principles and expectations, the agencies acknowledge that the existing standards and practices in the United States are broadly consistent with the BCBS external audit guidance. However, because of the legal and regulatory framework in the United States, certain differences exist between the standards and practices followed in the United States and the principles and expectations in the BCBS external audit guidance. These differences are addressed in this advisory, which also describes the agencies' supervisory expectations for U.S. financial institutions within the scope of this advisory for incorporating the principles and expectations in the BCBS external audit guidance into their practices. This advisory also outlines examiner responsibilities related to these supervisory expectations.
The BCBS external audit guidance is intended for "internationally active banks" and is relevant for the management, audit committees, external auditors, and prudential supervisors of such financial institutions. For purposes of this advisory, the agencies are defining "internationally active banks" as:
* Insured depository institutions that meet either of the following two criteria: (i) consolidated total assets of $250 billion or more; or (ii) consolidated total on-balance sheet foreign exposure of $10 billion or more (referred to as "core banks"); and
* U.S. depository institution holding companies that meet any of the following three criteria: (i) consolidated total assets (excluding assets held by an insurance underwriting subsidiary) of $250 billion or more; (ii) consolidated total on-balance sheet foreign exposure of $10 billion or more; or (iii) have a subsidiary depository institution that is a core bank.
In the United States, core banks are subject to 12 CFR Part 363, the Federal Deposit Insurance Corporation's (FDIC) regulation on Annual Independent Audits and Reporting Requirements (Part 363).2 Core banks typically comply with the Part 363 requirements at a holding company level. In addition, these holding companies generally are public companies that are required to file annual, quarterly, and other periodic reports with the U.S. Securities and Exchange Commission (SEC). The Public Company Accounting Oversight Board (PCAOB) regulates the external auditors of these public companies.
In March 2014, the Committee published the BCBS external audit guidance to improve the external audit quality of banks and enhance the effectiveness of prudential supervision, which contributes to financial stability. The BCBS external audit guidance elaborates on Core Principle 27, Financial Reporting and External Audit, of the Committee's Core Principles for Effective Banking Supervision3 by providing guidance related to bank audit committees' responsibilities in overseeing the external audit function. This guidance also discusses prudential supervisors' relationships with external auditors of banks and audit oversight bodies. Additionally, the BCBS external audit guidance includes information relevant to external audits of financial statements that the Committee believes will enhance the quality of these external audits.
The BCBS external audit guidance has two parts:
* Part 1 provides guidance ("principles") on the roles and responsibilities of audit committees relevant to external audits and the engagement of bank supervisors with external auditors and external auditors' regulators.
* Part 2 of the document ("expectations") emphasizes the proper application of existing internationally accepted auditing standards. The BCBS external audit guidance also provides recommendations for procedures that external auditors could perform in the execution of bank audits to enhance audit quality.4
Supervisory Expectations Regarding the Differences Between U.S. Standards and Practices and the BCBS External Audit Guidance
The BCBS external audit guidance builds upon internationally accepted auditing standards and sets expectations for institutions and their external auditors. In the United States, financial institutions within the scope of this advisory are directly or indirectly subject to the audit requirements of Part 3635 and supervisory guidance related to audits of financial institutions.6 In order for a core bank to comply with the audited financial statements requirement of Part 363 at a public holding company level, the audit must be performed in accordance with PCAOB standards. The Part 363 audit requirements, supervisory guidance, and PCAOB standards, collectively, are generally consistent with the BCBS external audit guidance, except for the differences noted below. This advisory discusses the agencies' supervisory expectations regarding these differences with reference to the corresponding principles from Part 1 and expectations from Part 2 of the BCBS external audit guidance.
Part 1, Principle 2: The audit committee should monitor and assess the independence of the external auditor.
Paragraph 49 of the BCBS external audit guidance indicates that an institution's audit committee should have a policy in place that stipulates the criteria for "tendering," i.e., putting its external audit contract out for bid. This paragraph further states that the policy also should call for the audit committee to periodically consider whether to put the external audit contract out for bid. Consistent with Part 363, the banking agencies encourage audit committees to establish policies and procedures addressing the retention and remuneration of the external auditor (independent public accountant).7 In addition, the external auditors of insured depository institutions subject to Part 363 must comply with the SEC's rules regarding audit partner rotation. Audit committees are encouraged to consider whether their policies should explicitly address the criteria for tendering the audit contract and whether the contract should periodically be put out for bid.
Part 1, Principle 6: The supervisor and the external auditor should have an effective relationship that includes appropriate communication channels for the exchange of information relevant to carrying out their respective statutory responsibilities.
Part 1, Principle 7: The supervisor should require the external auditor to report to it directly on matters arising from an audit that are likely to be of material significance to the functions of the supervisor.
Paragraphs 95 and 96 of the BCBS external audit guidance indicate that the auditor may share information about the external audit of an institution that may be of interest to the depository institution's supervisor (e.g., significant risks of material misstatements, signifi- cant or unusual transactions, evidence of management bias, significant deficiencies or material weaknesses in internal control over financial reporting, and actual or suspected breaches of regulations or laws8 ), either (1) directly with the supervisor when a safe harbor exists, or (2) indirectly through the institution to the supervisor when a legal safe harbor does not exist. Paragraph 99 of the BCBS external audit guidance provides that the external auditor should communicate matters arising from the audit that may be of material significance to the supervisor when required by the legal or regulatory framework or by a formal agreement or protocol. According to the BCBS external audit guidance, "[a] matter or group of matters is normally of material significance . . . when, due either to its nature or its potential financial impact, it is likely of itself to require investigation by the regulator."9
There is no generally applicable legal or regulatory requirement in the United States for external auditors of banks and holding companies to report directly to the institution's primary federal (and, if applicable, state) supervisor matters arising from the audit that may be of material significance, nor is there a legal safe harbor to do so. Insured depository institutions subject to Part 363 are required to file with appropriate federal and state supervisors copies of reports and other written communications issued by the external auditor to the institution in connection with the external audit services provided to the institution. Consistent with interagency policy statements10 and practices, the agencies continue to encourage open and candid communication between an institution's external auditor and the institution's supervisors.
Part 2, Expectation 5: The external auditor of a bank should identify and assess the risks of material misstatement in the bank's financial statements, taking into consideration the complexities of the bank's activities and the effectiveness of its internal control environment.
Part 2, Expectation 6: The external auditor of a bank should respond appropriately to the significant risks of material misstatement in the bank's financial statements.
Paragraphs 157 and 168 of the BCBS external audit guidance set forth the Committee's expectations for external auditors to (1) consider regulatory ratios in the determination of materiality for the audit, and (2) evaluate any identified audit differences, errors, and adjustments and their effect on regulatory capital or regulatory capital ratios. PCAOB standards11 and SEC Staff Accounting Bulletin Topic 1.M, Materiality, indicate external auditors should consider qualitative factors (which include regulatory capital, ratios, and disclosures) in determining materiality and when evaluating the effect of audit differences, errors, and adjustments. Therefore, the agencies expect institutions' audit committees will ensure that their external auditors consider regulatory capital ratios in planning and performing the audit. In this regard, audit committees are encouraged to inquire as to how the external auditors factored these ratios into their materiality assessments.
Additionally, paragraph 166 of the BCBS external audit guidance recommends that the external auditor provide written feedback about the audit engagement team's relations with the institution's internal audit function, including its observations on the adequacy of the work of internal audit, to those charged with governance of the bank. PCAOB Auditing Standard No. 16, Communications with Audit Committees, requires the external auditor, as part of communicating the overall audit strategy, to explain the extent to which the auditor plans to use the work of internal audit in an audit of the financial statements or an audit of internal control over financial reporting. However, PCAOB standards do not require the external auditor to provide written feedback about the audit engagement team's relations with the institution's internal audit function, including its observations on the adequacy of the work of internal audit. The agencies encourage audit committees to consider requesting their external auditor to provide written feedback about the audit engagement team's relations with internal audit, including its observations on the adequacy of the work of internal audit, as it relates to the audit of the financial statements or the audit of internal control over financial reporting.
Furthermore, consistent with the March 2003 Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, an institution's audit committee should consider whether the institution's internal audit activities are conducted in accordance with professional standards, such as the Institute of Internal Auditors' (IIA) International Professional Practices Framework (previously known as the Standards for the Professional Practice of Internal Auditing). Audit committees may look to the IIA's Framework for guidance for both internal and external assessments of the internal audit function.
Examiners should evaluate any actions taken by institutions within the scope of this advisory and their audit committees to ensure such actions are consistent with the objectives of this advisory and the BCBS external audit guidance. Where there are differences between the BCBS external audit guidance and U.S. standards, examiners should encourage institutions' audit committees to follow the practices identified in this advisory.
External auditors play an important role in contributing to financial stability when they deliver quality audits, which foster market confidence in institutions' financial statements. Quality audits are also a valuable complement to the supervisory process. The agencies support the principles and expectations set forth in the BCBS external audit guidance because enhanced audit quality is an important factor in ensuring the safety and soundness of U.S. institutions. Institutions and their external auditors are expected to comply with existing laws, regulations, and professional standards, as applicable, including those referenced in this advisory.
[FDIC Financial Institution Letter (FIL-5--16), dated January 15, 2016]
1http://www.bis.org/publ/bcbs280.pdf Go back to Text
212 CFR Part 363 applies to any insured depository institution with respect to any fiscal year in which its consolidated total assets as of the beginning of such fiscal year are $500 million or more. Go back to Text
3The Committee's Core Principles are available at http://www.bis.org/publ/bcbs230.pdf. In particular, Core Principle 27 states, "The supervisor determines that banks and banking groups maintain adequate and reliable records, prepare financial statements in accordance with accounting policies and practices that are widely accepted internationally and annually publish information that fairly reflects their financial condition and performance and bears an independent external auditor's opinion. The supervisor also determines that banks and parent companies of banking groups have adequate governance and oversight of the external audit function." Go back to Text
4The BCBS external audit guidance acknowledges that the Committee does not have the authority to set professional standards for external auditors. Go back to Text
512 CFR Section 363.3(f) requires external auditors to comply with the independence standards and interpretations of the American Institute of Certified Public Accountants, the SEC, and the PCAOB. Go back to Text
6For example, Interagency Policy Statement on Coordination and Communication Between External Auditors and Examiners (July 23, 1992). Go back to Text
712 CFR Section 363.5(a) states, "The duties of the audit committee shall include the appointment, compensation, and oversight of the independent public accountant who performs services required under this part, and reviewing with management and the independent public accountant the basis for the reports issued under this part." Go back to Text
8See also paragraphs 90--94 of the BCBS external audit guidance. Go back to Text
9See footnote 9 in the BCBS external audit guidance. Go back to Text
10See footnote 6 of this advisory. Go back to Text
11See PCAOB Auditing Standard No. 11, Consideration of Materiality in Planning and Performing an Audit, paragraph 6, and PCAOB Auditing Standard No. 14, Evaluating Audit Results, Appendix B, paragraph B2. Go back to Text