Federal Deposit
Insurance Corporation

=======================================================================
-----------------------------------------------------------------------

FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL

Federal Financial Institutions Examination Council

Interagency Policy Statement on External Auditing Programs of
Banks and Savings Associations

ACTION: Notice of final interagency policy statement.

-----------------------------------------------------------------------

SUMMARY: The Federal Financial Institutions Examination Council (FFIEC)
on behalf of the Board of Governors of the Federal Reserve System
(FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of
the Comptroller of the Currency (OCC), and the Office of Thrift
Supervision (OTS), collectively referred to as the ``banking agencies''
or the ``agencies,'' is adopting an Interagency Policy Statement on
External Auditing Programs of Banks and Savings Associations (Policy
Statement). The National Credit Union Administration (NCUA), also a
member of the FFIEC, does not plan to adopt the policy at this time.
Banks and savings associations (institutions) with $500 million or more
in total assets must have an annual audit performed by an independent
public accountant under section 36 of the Federal Deposit Insurance Act
(FDI Act), as implemented by 12 CFR Part 363. Thus, this Policy
Statement applies only to institutions below that threshold that are
not otherwise subject to audit requirements.
Accurate financial reporting is essential to an institution's
safety and soundness. To ensure accurate and reliable financial
reporting, the agencies recommend that the board of directors of each
institution establish and maintain an external auditing program. This
Policy Statement provides guidance regarding independent external
auditing programs encompassing: responsibilities of boards of
directors, audit committees, and senior management; attributes and
types of external auditing programs; special situations for
institutions that are part of a holding company, newly chartered
institutions, and institutions presenting supervisory concern; and
examiner guidance for the review of external auditing programs. The
Policy Statement also encourages institutions that are not otherwise
required to do so, to establish an audit committee. This committee
should consist entirely of outside directors, if practicable.

EFFECTIVE DATE: The Policy Statement is effective for fiscal years
beginning on or after January 1, 2000.

FOR FURTHER INFORMATION CONTACT: FDIC: Doris L. Marsh, Examination
Specialist, Division of Supervision, (202) 898-8905, or A. Ann Johnson,
Counsel, Legal Division, (202) 898-3573, FDIC, 550 17th Street, N.W.,
Washington, DC 20429.
FRB: Charles H. Holm, Manager, (202) 452-3502, or Arthur Lindo,
Supervisory Financial Analyst, (202) 452-2695, Accounting Policy and
Disclosure, Division of Banking Supervision and Regulation, Board of
Governors of the Federal Reserve System, 20th Street and Constitution
Avenue, N.W., Washington, DC 20551.
OCC: Gene Green, Deputy Chief Accountant, Office of the Chief
Accountant, (202) 874-4933, or Bill Morris, Senior Policy Analyst/
National Bank Examiner, (202) 874-4915, Core Policy Division, Office of
the Comptroller of the Currency, 250 E Street, S.W., Washington, DC
20219.
OTS: Timothy J. Stier, Chief Accountant, (202) 906-5699, or
Christine A. Smith, Policy Analyst, (202) 906-5740, Accounting Policy
Division, Office of Thrift Supervision, 1700 G Street, N.W.,
Washington, DC 20552.

SUPPLEMENTARY INFORMATION:

I. Background

An institution's internal and external auditing programs are
critical to its safety and soundness. Many institutions currently have
independent external audits. These audits are undertaken voluntarily or
are required by section 36 of the FDI Act (12 U.S.C. 1831m) and its
implementing regulation, 12 CFR part 363; the Securities and Exchange
Act of 1934 (15 U.S.C. 78a); the Federal Reserve bank holding company
reporting requirements in the FR Y-6 Annual Report of Bank Holding
Companies; or other appropriate laws and regulations. When an
institution lacks an internal auditing program or

[[Page 52320]]

has weaknesses in an existing program, examiners often encourage the
institution to have an independent external audit <SUP>1</SUP>
performed. However, some institutions, particularly smaller
institutions, still do not have an external audit for various reasons.
---------------------------------------------------------------------------

\1\ An examination of the financial statements of an institution
performed by an independent certified or licensed public accountant
in accordance with generally accepted auditing standards (GAAS) and
of sufficient scope to enable the independent public accountant to
express an opinion on the institution's financial statements as to
their presentation in accordance with generally accepted accounting
principles (GAAP).
---------------------------------------------------------------------------

The banking agencies believe that an independent external audit
provides reasonable assurance that an institution's financial
statements are prepared in accordance with generally accepted
accounting principles (GAAP). Accordingly, the banking agencies
encourage all institutions to obtain external audits. To provide
explicit guidance to institutions regarding external audits, the FFIEC
has approved a uniform Interagency Policy Statement. The FFIEC
recommends to the banking agencies that they individually adopt the
policy.
This Policy Statement is generally consistent with the individual
policies of the banking agencies. The agencies have provided guidance
on external audits to their supervised institutions, but a uniform
policy does not exist. For example, the OCC discusses its policies with
regard to independent external audits for national banks in the
Comptroller's Handbook for National Banks, Section 102, Internal and
External Audits, and the Comptroller's Corporate Manual. The FDIC first
adopted guidance on this subject in its Policy Statement Regarding
Independent External Auditing Programs of State Nonmember Banks in 1988
(53 FR 47871, November 28, 1988) and amended this policy in 1996 (61 FR
32438, June 24, 1996). The OTS's policy on independent external audits
is discussed in the Thrift Activities Regulatory Handbook, Section 350,
Independent Audits. The FRB sets forth its policy on external audits in
the FR Y-6--Annual Report of Bank Holding Companies and Section 1010,
``External Audits,'' of the Commercial Bank Examination Manual.

II. The Proposed Policy Statement

The FFIEC sought public comment on the proposed policy statement on
External Auditing Programs of Banks and Savings Associations in
February 1998 (63 FR 7796, February 17, 1998). A section-by-section
summary of the proposal follows:

Board of Directors' Responsibilities

The proposed policy statement expressed the banking agencies'
belief that accurate financial reporting is essential to an
institution's safety and soundness. To help ensure accurate and
reliable financial reporting, the agencies recommended that the board
of directors of each institution consider establishing and maintaining
an external auditing program. The banking agencies believe that the
board of directors should consider an external auditing program
performed by an independent public accountant to be conducive to the
safe and sound operation of the institution.
The proposal also encouraged the board of each institution, that is
not otherwise required to do so, to establish an audit committee
consisting entirely of outside directors, if practicable. It stated
that an institution's board of directors or audit committee should
consider the appropriateness of an external auditing program for the
institution. In addition, the board of directors or audit committee
should consider what form of external auditing program would assure
that the institution's financial statements and regulatory reports are
prepared reliably.

Alternative External Auditing Programs

The proposed policy statement identified a preferred external
auditing program--a financial statement audit by an independent public
accountant. The proposal also identified two alternatives--a report on
the balance sheet audit and an attestation report on an internal
control assertion.
The proposal also stated that an institution which is a subsidiary
of a holding company may express the scope of its external auditing
program in terms of its relationship to the consolidated group.
However, the board or audit committee of the subsidiary should
determine whether the subsidiary's activities involve unusual risks
that are not covered adequately within the scope of the audit of the
consolidated financial statements. If so, the proposal suggested that
the board or audit committee consider strengthening its internal
auditing procedures or implementing an appropriate alternative external
auditing program.

Other Matters Concerning an External Auditing Program

The proposed policy statement recommended that an institution's
external auditing program be performed as of a quarter-end date that
coincides with a regulatory report date. The proposal explained that an
independent public accountant should have access to examination
reports, other documents, and reports of action related to the
supervision of the institution by its appropriate federal or state
banking agency.

Examiner Review of the External Auditing Program

The proposal explained that examiners should consider an
institution's size, the nature and scope of its activities, and any
compensating controls when determining the adequacy of its external
auditing program and making recommendations for improvement. Examiners
should also consider whether the institution has undertaken a state-
required auditing program (the scope of which differs from the
preferred and alternative programs set forth in the proposal) when
determining whether to make recommendations for improvements to the
institution's external auditing program.

Notification and Submission of Reports

In the proposal, the agencies requested that each institution
furnish, to its appropriate supervisory office, a copy of any reports
by the independent public accountant pertaining to the external
auditing program. The proposal also requested each institution to
notify its appropriate supervisory office when an independent public
accountant is engaged initially or when a change in, or termination of
the services of, its accountant occurs.

Special Situations

The proposed policy statement noted that the FDIC Statement of
Policy on Applications for Deposit Insurance (57 FR 12822) requires
newly insured institutions to adopt an appropriate external auditing
program. The proposal also listed some of the conditions that might be
present in a problem institution which would warrant imposing
requirements for specific external auditing services.

Appendix A--Definitions

Appendix A defined the terms used throughout the proposed policy
statement. The agencies intended that these definitions be consistent
with those used in current professional accounting and auditing
literature and in the report of the Committee of Sponsoring
Organizations of the Treadway Commission (COSO Report), ``Internal
Control--Integrated Framework.''

[[Page 52321]]

III. Discussion of Public Comments

A. General Comments

The FFIEC received approximately 120 letters commenting on the
proposed policy statement. Over 90 letters came from depository
institutions whose size (based on total assets) ranged from about $2
million to $250 million. Of those letters, 20 percent came from
national banks, 70 percent from state nonmember banks, and 10 percent
from state member banks. One savings association submitted a comment.
The other letters primarily came from national and state bank trade
associations, accounting trade associations, accounting firms, and
state banking departments. Other commenters included an organization
representing state bank supervisory authorities, an attorney, an
auditor, a consultant and two bank holding companies with small
community banks.
Almost two-thirds of the commenters generally were opposed to the
proposed policy statement. They cited the cost of requiring an audit by
an independent public accountant as the reason for opposition. Those
commenters warned that the cost of a financial statement audit would
far outweigh its benefits for most small banks. In addition, over 40
percent of commenters opposed any requirement that each institution
have an independent public accountant perform any external auditing
program.
A number of commenters suggested that only institutions over a
specified threshold be required to have an annual audit. The
recommended thresholds ranged from $50 million to $250 million in total
assets, with most respondents suggesting either $100 or $150 million in
total assets as the appropriate size.
In contrast, most of the state banking departments that commented
on the proposal favored it as did three-quarters of the accounting
organizations, two banks, and one national bank trade association.
Several commenters questioned the timing of this proposal.
Commenters suggested that the FFIEC not make it effective until after
institutions had dealt with their Year 2000 computer problems. One
state banking regulator suggested that the FFIEC phase in the proposal
over a three year period to give states time to make their laws and
regulations consistent with the proposed policy statement. Another
state banking department recommended that the FFIEC exempt institutions
in states with acceptable directors' examination requirements.

B. Changes to the Proposal in Response to Comments

Introduction
Many of the commenters misinterpreted the purpose, effect, and
consequences of the proposed policy statement, believing that the
agencies were requiring external audits of all institutions. For that
reason, the FFIEC has expanded the Introduction to the Policy Statement
and revised several parts of the document to better explain the
recommendations.
Overview of External Auditing Programs
The FFIEC has revised the overview to set forth the benefits of a
strong external auditing program and to discuss the responsibilities of
the board of directors and audit committee for such a program. Because
of many commenters' misunderstanding that the proposed policy statement
requires an audit, the final Policy Statement has been clarified to
explain that both an institution's audit committee and the agencies'
examiners should consider the size of the institution and the nature,
scope, and complexity of its operations when evaluating its external
auditing program.
Nevertheless, many institutions already have an annual audit of
their financial statements performed by an independent public
accountant. In fact, almost 65 percent of institutions with total
assets under $500 million either voluntarily or for other reasons have
such an audit. More than 85 percent of the institutions with total
assets under $500 million either have an audit or another type of
external auditing program performed annually by an independent public
accountant.<SUP>2</SUP> Thus, the agencies do not believe that they
need to establish a total asset threshold (below the $500 million
threshold in 12 CFR 363) at which institutions would be required to
have audits. However, the agencies expect those institutions that
historically have had annual audits to continue to do so. For those
having another type of external auditing program performed by an
independent public accountant, the agencies expect them to continue to
obtain the same, or a more extensive, external auditing program in
future years.
---------------------------------------------------------------------------

\2\ Of institutions under $500 million in total assets, annual
audits are obtained by approximately 70 percent of national banks,
65 percent of state member banks, and 58 percent of state nonmember
banks. If other annual external auditing programs performed by an
independent public accountant are included, approximately 90 percent
of national banks, 86 percent of state member banks, and 82 percent
of state nonmember banks already have external auditing programs
that would likely meet the recommendations of the Policy Statement.
With regard to all thrift institutions, about 97 percent currently
have annual audits and 99 percent have an external auditing program
performed by an independent public accountant.
---------------------------------------------------------------------------

The proposed policy statement encouraged institutions that are not
otherwise required to do so to have an audit committee consisting
entirely of outside directors, if practicable. However, several
commenters argued that small banks in rural communities may find it
difficult to obtain knowledgeable persons outside of the institution
who are willing to sit on a bank's board of directors. The agencies do
not dispute this argument and for that reason, included a
practicability exception in the proposal. This exception remains in the
Policy Statement. As with the other provisions of this Policy
Statement, an institution's board is encouraged to establish an audit
committee entirely of outside directors, but is not required to do so.
External Auditing Programs
The final Policy Statement includes a new section which provides an
overview of the basic attributes of a sound external auditing program.
This section should assist boards and audit committees in determining
the type of program that is most suitable for their institution. The
final Policy Statement continues to identify a preferred external
auditing program (a financial statement audit by an independent public
accountant) and two alternative programs (an attestation report on
internal control and a report on the balance sheet audit). It includes
an explanation of these alternatives.
Several commenters argued that the cost of the balance sheet audit
alternative was similar to that of a complete financial statement
audit. Others stated that the internal control attestation report
alternative is impractical because establishing and maintaining
adequate internal control is very difficult in a small bank with few
employees. The agencies agree that the cost of a balance sheet report
audit may approach the cost of a financial statement audit, but in
their opinion, it is a satisfactory alternative for many small banks.
The internal control attestation alternative is generally the least
costly of the three and may be the most beneficial choice for many
small institutions. The agencies understand that small institutions
will not have sufficient employees to establish as extensive an
internal control system as larger institutions (for example,
segregation of duties), but small institutions can use compensating
controls to lessen the internal control risk.

[[Page 52322]]

The final Policy Statement discusses the state-required
examinations and agreed-upon procedures that are performed annually for
some small institutions. The document does not preclude an institution
from selecting one of these external auditing programs. The Policy
Statement also describes when management should consider expanding the
scope of the external auditing program.
This section also recommends that an institution schedule an annual
external auditing program as of year-end, or if that is not possible,
at a quarter-end date that coincides with a regulatory report date. To
minimize expense, several commenters suggested that the FFIEC recommend
that external auditing programs be performed every 18 months, every
other year, or every third year. The agencies did not change their
recommendation, because they believe that external auditing programs
are most effective if performed annually.
The Policy Statement encourages institutions to use an independent
public accountant to provide a recognized standard of knowledge and
objectivity. It has been revised, however, to permit a person other
than an independent public accountant to perform agreed-upon
procedures/state required examinations when permitted under the
appropriate state law or regulations. Nevertheless, the Policy
Statement cautions that whoever does such work should have experience
with financial institution accounting and auditing and should be
knowledgeable about relevant laws and regulations.
Special Situations
This section of the Policy Statement generally is unchanged from
the proposal. It continues to address institutions that are holding
company subsidiaries, newly insured institutions, and institutions that
present supervisory concerns.
Examiner Guidance
This section has been expanded to provide general guidance to
examiners who will assess an institution's external auditing program,
and to describe the basis for evaluating the institution's performance.
For example, examiners are expected to evaluate whether (1) the board
or audit committee has reviewed at least annually an institution's
external auditing program; (2) the program is appropriate for the size
and operations of the institution; (3) the external auditor is
independent; (4) the board or audit committee has concluded that the
auditor is competent and knowledgeable about banking; and (5) the
external auditing program has been monitored properly. Nevertheless, in
the agencies' opinion, an examiner should not automatically comment
adversely to the board of directors of an institution with an otherwise
satisfactory external auditing program merely because it does not
engage an independent public accountant to audit its financial
statements.
In addition, this section reconfirms that an auditor should have
access to examination reports and other communications between
regulators and the institution. Institutions also are encouraged to
submit, to their appropriate supervisory office on a timely basis,
reports issued by their external auditor on the external auditing
program. The section also states that the institution should obtain an
engagement letter from the auditor which states that examiners will be
granted immediate and full access to the external auditing reports and
related workpapers prepared by the auditor.

Appendix A--Definitions

Appendix A defines the terms used throughout the Policy Statement.
The agencies made revisions only when needed to be consistent with any
changes in the final Policy Statement.

C. Other Comments

The agencies encouraged comments on the proposed policy statement
from any institution that had its independent public accountant perform
one of the proposed alternative external auditing programs, i.e., a
report on the institution's balance sheet or an attestation report on
internal control over specified schedules of its regulatory reports.
Although many commenters objected to those alternatives, no respondents
from banking organizations indicated that they had experience with
these types of engagements.
In addition, some states have state-required external auditing
programs (e.g., directors' examinations) that differ from the types of
external auditing programs described in the proposed policy statement.
Accordingly, the FFIEC requested comments on the amount of time states
needed to modify the agreed-upon procedures in state-required
examinations to be consistent with the types of programs set forth in
any final Policy Statement. One state suggested three years. Several
states indicated that the policy would have little effect because all,
or almost all, of the institutions within their states already obtain
audits. Since this Policy Statement recommends, but does not require
that institutions establish external auditing programs, the agencies
are not providing a phase-in period as suggested by some commenters or
a specifically defined transition period to allow states to modify
their requirements.
Several other state banking departments recommended state-required
examinations as an alternative. Since these examinations differ among
the states, and the states may, at any time, amend their requirements,
the agencies did not believe that they should make any determination as
to which state requirements should be considered acceptable. The final
Policy Statement does not preclude an institution from using the state-
required examination as an alternative. However, as with all other
external auditing programs, the institution's board or audit committee
should determine whether such an examination meets the institution's
needs, considering its size and the nature, scope, and complexity of
its business activities.

IV. Paperwork Reduction Act

In accordance with the Paperwork Reduction Act of 1995 (PRA), the
Agencies may not conduct or sponsor, and the respondent is not required
to respond to, an information collection that does not display a
currently valid Office of Management and Budget (OMB) control number.
The FFIEC's Proposed policy statement; Request for comment, which was
published on February 17, 1998, at 63 FR 7796, fulfilled the first
notice requirement required by the PRA. Four comments were received
relating to the information collections in the FFIEC Proposed policy
statement. Each Agency likely will adopt the Final FFIEC policy
statement for its institutions, including the information collections,
as appropriate. At that time, each Agency will respond to the comments
received and determine what changes, if any, are appropriate for its
supervised institutions.

V. Policy Statement

The text of the Interagency Policy Statement follows:

Federal Financial Institutions Examination Council

Interagency Policy Statement on External Auditing Programs of Banks
and Savings Associations

Introduction

The board of directors and senior managers of a banking institution
or savings association (institution) are responsible for ensuring that
the institution operates in a safe and sound manner. To achieve this
goal and meet

[[Page 52323]]

the safety and soundness guidelines implementing Section 39 of the
Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-
1),<SUP>1</SUP> the institution should maintain effective systems and
internal control <SUP>2</SUP> to produce reliable and accurate
financial reports.
---------------------------------------------------------------------------

\1\ See 12 CFR Part 30 for national banks; 12 CFR Part 364 for
state nonmember banks; 12 CFR Part 208 for state member banks; and
12 CFR Part 510 for savings associations.
\2\ This Policy Statement provides guidance consistent with the
guidance established in the ``Interagency Policy Statement on the
Internal Audit Function and its Outsourcing.''
---------------------------------------------------------------------------

Accurate financial reporting is essential to an institution's
safety and soundness for numerous reasons. First, accurate financial
information enables management to effectively manage the institution's
risks and make sound business decisions. In addition, institutions are
required by law <SUP>3</SUP> to provide accurate and timely financial
reports (e.g., Reports of Condition and Income [Call Reports] and
Thrift Financial Reports) to their appropriate regulatory agency. These
reports serve an important role in the agencies' <SUP>4</SUP> risk-
focused supervision programs by contributing to their pre-examination
planning, off-site monitoring programs, and assessments of an
institution's capital adequacy and financial strength. Further,
reliable financial reports are necessary for the institution to raise
capital. They provide data to stockholders, depositors and other funds
providers, borrowers, and potential investors on the company's
financial position and results of operations. Such information is
critical to effective market discipline of the institution.
---------------------------------------------------------------------------

\3\ See 12 U.S.C. 161 for national banks; 12 U.S.C. 1817a for
state nonmember banks; 12 U.S.C. 324 for state member banks; and 12
U.S.C. 1464(v) for savings associations.
\4\ Terms defined in Appendix A are italicized the first time
they appear in this policy statement.
---------------------------------------------------------------------------

To help ensure accurate and reliable financial reporting, the
agencies recommend that the board of directors of each institution
establish and maintain an external auditing program. An external
auditing program should be an important component of an institution's
overall risk management process. For example, an external auditing
program complements the internal auditing function of an institution by
providing management and the board of directors with an independent and
objective view of the reliability of the institution's financial
statements and the adequacy of its financial reporting internal
controls. Additionally, an effective external auditing program
contributes to the efficiency of the agencies' risk-focused examination
process. By considering the significant risk areas of an institution,
an effective external auditing program may reduce the examination time
the agencies spend in such areas. Moreover, it can improve the safety
and soundness of an institution substantially and lessen the risk the
institution poses to the insurance funds administered by the Federal
Deposit Insurance Corporation (FDIC).
This policy statement outlines the characteristics of an effective
external auditing program and provides examples of how an institution
can use an external auditor to help ensure the reliability of its
financial reports. It also provides guidance on how an examiner may
assess an institution's external auditing program. In addition, this
policy statement provides specific guidance on external auditing
programs for institutions that are holding company subsidiaries, newly
insured institutions, and institutions presenting supervisory concerns.
The adoption of a financial statement audit or other specified type
of external auditing program is generally only required in specific
circumstances. For example, insured depository institutions covered by
Section 36 of the FDI Act (12 U.S.C. 1831m), as implemented by Part 363
of the FDIC's regulations (12 CFR part 363), are required to have an
external audit and an audit committee. Therefore, this policy statement
is directed toward banks and savings associations which are exempt from
Part 363 (i.e., institutions with less than $500 million in total
assets at the beginning of their fiscal year) or are not otherwise
subject to audit requirements by order, agreement, statute, or agency
regulations.

Overview of External Auditing Programs

Responsibilities of the Board of Directors
The board of directors of an institution is responsible for
determining how to best obtain reasonable assurance that the
institution's financial statements and regulatory reports are reliably
prepared. In this regard, the board is also responsible for ensuring
that its external auditing program is appropriate for the institution
and adequately addresses the financial reporting aspects of the
significant risk areas and any other areas of concern of the
institution's business.
To help ensure the adequacy of its internal and external auditing
programs, the agencies encourage the board of directors of each
institution that is not otherwise required to do so to establish an
audit committee consisting entirely of outside directors.<SUP>5</SUP>
However, if this is impracticable, the board should organize the audit
committee so that outside directors constitute a majority of the
membership.
---------------------------------------------------------------------------

\5\ Institutions with $500 million or more in total assets must
establish an independent audit committee made up of outside
directors who are independent of management. See 12 U.S.C.
1831m(g)(1) and 12 CFR 363.5.
---------------------------------------------------------------------------

Audit Committee
The audit committee or board of directors is responsible for
identifying at least annually the risk areas of the institution's
activities and assessing the extent of external auditing involvement
needed over each area. The audit committee or board is then responsible
for determining what type of external auditing program will best meet
the institution's needs (refer to the descriptions under ``Types of
External Auditing Programs'').
When evaluating the institution's external auditing needs, the
board or audit committee should consider the size of the institution
and the nature, scope, and complexity of its operations. It should also
consider the potential benefits of an audit of the institution's
financial statements or an examination of the institution's internal
control structure over financial reporting, or both. In addition, the
board or audit committee may determine that additional or specific
external auditing procedures are warranted for a particular year or
several years to cover areas of particularly high risk or special
concern. The reasons supporting these decisions should be recorded in
the committee's or board's minutes.
If, in its annual consideration of the institution's external
auditing program, the board or audit committee determines, after
considering its inherent limitations, that an agreed-upon procedures/
state-required examination is sufficient, they should also consider
whether an independent public accountant should perform the work. When
an independent public accountant performs auditing and attestation
services, the accountant must conduct his or her work under, and may be
held accountable for departures from, professional standards.
Furthermore, when the external auditing program includes an audit of
the financial statements, the board or audit committee obtains an
opinion from the independent public accountant stating whether the
financial statements are presented fairly, in all material respects, in
accordance with generally accepted accounting principles (GAAP). When
the external auditing program includes

[[Page 52324]]

an examination of the internal control structure over financial
reporting, the board or audit committee obtains an opinion from the
independent public accountant stating whether the financial reporting
process is subject to any material weaknesses.
Both the staff performing an internal audit function and the
independent public accountant or other external auditor should have
unrestricted access to the board or audit committee without the need
for any prior management knowledge or approval. Other duties of an
audit committee may include reviewing the independence of the external
auditor annually, consulting with management, seeking an opinion on an
accounting issue, and overseeing the quarterly regulatory reporting
process. The audit committee should report its findings periodically to
the full board of directors.

External Auditing Programs

Basic Attributes
External auditing programs should provide the board of directors
with information about the institution's financial reporting risk
areas, e.g., the institution's internal control over financial
reporting, the accuracy of its recording of transactions, and the
completeness of its financial reports prepared in accordance with GAAP.
The board or audit committee of each institution at least annually
should review the risks inherent in its particular activities to
determine the scope of its external auditing program. For most
institutions, the lending and investment securities activities present
the most significant risks that affect financial reporting. Thus,
external auditing programs should include specific procedures designed
to test at least annually the risks associated with the loan and
investment portfolios. This includes testing of internal control over
financial reporting, such as management's process to determine the
adequacy of the allowance for loan and lease losses and whether this
process is based on a comprehensive, adequately documented, and
consistently applied analysis of the institution's loan and lease
portfolio.
An institution or its subsidiaries may have other significant
financial reporting risk areas such as material real estate
investments, insurance underwriting or sales activities, securities
broker-dealer or similar activities (including securities underwriting
and investment advisory services), loan servicing activities, or
fiduciary activities. The external auditing program should address
these and other activities the board or audit committee determines
present significant financial reporting risks to the institution.
Types of External Auditing Programs
The agencies consider an annual audit of an institution's financial
statements performed by an independent public accountant to be the
preferred type of external auditing program. The agencies also consider
an annual examination of the effectiveness of the internal control
structure over financial reporting or an audit of an institution's
balance sheet, both performed by an independent public accountant, to
be acceptable alternative external auditing programs. However, the
agencies recognize that some institutions only have agreed-upon
procedures/state-required examinations performed annually as their
external auditing program. Regardless of the option chosen, the board
or audit committee should agree in advance with the external auditor on
the objectives and scope of the external auditing program.
Financial Statement Audit by an Independent Public Accountant. The
agencies encourage all institutions to have an external audit performed
in accordance with generally accepted auditing standards (GAAS). The
audit's scope should be sufficient to enable the auditor to express an
opinion on the institution's financial statements taken as a whole.
A financial statement audit provides assurance about the fair
presentation of an institution's financial statements. In addition, an
audit may provide recommendations for management in carrying out its
control responsibilities. For example, an audit may provide management
with guidance on establishing or improving accounting and operating
policies and recommendations on internal control (including internal
auditing programs) necessary to ensure the fair presentation of the
financial statements.
Reporting by an Independent Public Accountant on an Institution's
Internal Control Structure Over Financial Reporting. Another external
auditing program is an independent public accountant's examination and
report on management's assertion on the effectiveness of the
institution's internal control over financial reporting. For a smaller
institution with less complex operations, this type of engagement is
likely to be less costly than an audit of its financial statements or
its balance sheet. It would specifically provide recommendations for
improving internal control, including suggestions for compensating
controls, to mitigate the risks due to staffing and resource
limitations.
Such an attestation engagement may be performed for all internal
controls relating to the preparation of annual financial statements or
specified schedules of the institution's regulatory reports.\6\ This
type of engagement is performed under generally accepted standards for
attestation engagements (GASAE).\7\
---------------------------------------------------------------------------

\6\ Since the lending and investment securities activities
generally present the most significant risks that affect an
institution's financial reporting, management's assertion and the
accountant's attestation generally should cover those regulatory
report schedules. If the institution has trading or off-balance
sheet activities that present material financial reporting risks,
the board or audit committee should ensure that the regulatory
report schedules for those activities also are covered by
management's assertion and the accountant's attestation. See Note
above for further information.
\7\ An attestation engagement is not an audit. It is performed
under different professional standards than an audit of an
institution's financial statements or its balance sheet.

Note: For banks and savings associations, the lending,
investment securities, trading, and off-balance sheet schedules
consist of:

------------------------------------------------------------------------
Reports of
Area condition and Thrift financial
income schedules report schedules
------------------------------------------------------------------------
Loans and Lease Financing RC-C, Part I...... SC, CF.
Receivables.
Past Due and Nonaccrual Loans, RC-N.............. PD.
Leases, and Other Assets.
Allowance for Credit Losses.... RI-B.............. SC, VA.
Securities..................... RC-B.............. SC, SI, CF.
Trading Assets and Liabilities. RC-D.............. SO, SI.
Off-Balance Sheet Items........ RC-L.............. SI, CMR.
------------------------------------------------------------------------

[[Page 52325]]

These schedules are not intended to address all possible risks
in an institution.

Balance Sheet Audit Performed By An Independent Public Accountant.
With this program, the institution engages an independent public
accountant to examine and report only on the balance sheet. As with the
audit of the financial statements, this audit is performed in
accordance with GAAS. The cost of a balance sheet audit is likely to be
less than a financial statement audit. However, under this type of
program, the accountant does not examine or report on the fairness of
the presentation of the institution's income statement, statement of
changes in equity capital, or statement of cash flows.
Agreed-Upon Procedures/State-Required Examinations. Some state-
chartered depository institutions are required by state statute or
regulation to have specified procedures performed annually by their
directors or independent persons.\8\ The bylaws of many national banks
also require that some specified procedures be performed annually by
directors or others, including internal or independent persons.
Depending upon the scope of the engagement, the cost of agreed-upon
procedures or a state-required examination may be less than the cost of
an audit. However, under this type of program, the independent auditor
does not report on the fairness of the institution's financial
statements or attest to the effectiveness of the internal control
structure over financial reporting. The findings or results of the
procedures are usually presented to the board or the audit committee so
that they may draw their own conclusions about the quality of the
financial reporting or the sufficiency of internal control.
---------------------------------------------------------------------------

\8\ When performed by an independent public accountant,
``specified procedures'' and ``agreed-upon procedures'' engagements
are performed under standards, which are different professional
standards than those used for an audit of an institution's financial
statements or its balance sheet.
---------------------------------------------------------------------------

When choosing this type of external auditing program, the board or
audit committee is responsible for determining whether these procedures
meet the external auditing needs of the institution, considering its
size and the nature, scope, and complexity of its business activities.
For example, if an institution's external auditing program consists
solely of confirmations of deposits and loans, the board or committee
should consider expanding the scope of the auditing work performed to
include additional procedures to test the institution's high risk
areas. Moreover, a financial statement audit, an examination of the
effectiveness of the internal control structure over financial
reporting, and a balance sheet audit may be accepted in some states and
for national banks in lieu of agreed-upon procedures/state-required
examinations.
Other Considerations
Timing. The preferable time to schedule the performance of an
external auditing program is as of an institution's fiscal year-end.
However, a quarter-end date that coincides with a regulatory report
date provides similar benefits. Such an approach allows the institution
to incorporate the results of the external auditing program into its
regulatory reporting process and, if appropriate, amend the regulatory
reports.
External Auditing Staff. The agencies encourage an institution to
engage an independent public accountant to perform its external
auditing program. An independent public accountant provides a
nationally recognized standard of knowledge and objectivity by
performing engagements under GAAS or GASAE. The firm or independent
person selected to conduct an external auditing program and the staff
carrying out the work should have experience with financial institution
accounting and auditing or similar expertise and should be
knowledgeable about relevant laws and regulations.

Special Situations

Holding Company Subsidiaries
When an institution is owned by another entity (such as a holding
company), it may be appropriate to address the scope of its external
audit program in terms of the institution's relationship to the
consolidated group. In such cases, if the group's consolidated
financial statements for the same year are audited, the agencies
generally would not expect the subsidiary of a holding company to
obtain a separate audit of its financial statements. Nevertheless, the
board of directors or audit committee of the subsidiary may determine
that its activities involve significant risks to the subsidiary that
are not within the procedural scope of the audit of the financial
statements of the consolidated entity. For example, the risks arising
from the subsidiary's activities may be immaterial to the financial
statements of the consolidated entity, but material to the subsidiary.
Under such circumstances, the audit committee or board of the
subsidiary should consider strengthening the internal audit coverage of
those activities or implementing an appropriate alternative external
auditing program.
Newly Insured Institutions
Under the FDIC Statement of Policy on Applications for Deposit
Insurance, applicants for deposit insurance coverage are expected to
commit the depository institution to obtain annual audits by an
independent public accountant once it begins operations as an insured
institution and for a limited period thereafter.
Institutions Presenting Supervisory Concerns
As previously noted, an external auditing program complements the
agencies' supervisory process and the institution's internal auditing
program by identifying or further clarifying issues of potential
concern or exposure. An external auditing program also can greatly
assist management in taking corrective action, particularly when
weaknesses are detected in internal control or management information
systems affecting financial reporting.
The agencies may require a financial institution presenting safety
and soundness concerns to engage an independent public accountant or
other independent external auditor to perform external auditing
services.\9\ Supervisory concerns may include:
---------------------------------------------------------------------------

\9\ The Office of Thrift Supervision requires an external audit
by an independent public accountant for savings associations with a
composite rating of 3, 4, or 5 under the Uniform Financial
Institution Rating System, and on a case-by-case basis.
---------------------------------------------------------------------------

<bullet> Inadequate internal control, including the internal
auditing program;
<bullet> A board of directors generally uninformed about internal
control;
<bullet> Evidence of insider abuse;
<bullet> Known or suspected defalcations;
<bullet> Known or suspected criminal activity;
<bullet> Probable director liability for losses;
<bullet> The need for direct verification of loans or deposits;
<bullet> Questionable transactions with affiliates; or
<bullet> The need for improvements in the external auditing
program.
The agencies may also require that the institution provide its
appropriate supervisory office with a copy of any reports, including
management letters, issued by the independent public accountant or
other external auditor. They also may require the institution to notify
the supervisory office prior to any meeting with the independent public
accountant or other external auditor at which auditing findings are to
be presented.

[[Page 52326]]

Examiner Guidance

Review of the External Auditing Program
The review of an institution's external auditing program is a
normal part of the agencies' examination procedures. An examiner's
evaluation of, and any recommendations for improvements in, an
institution's external auditing program will consider the institution's
size; the nature, scope, and complexity of its business activities; its
risk profile; any actions taken or planned by it to minimize or
eliminate identified weaknesses; the extent of its internal audit
program; and any compensating controls in place. Examiners will
exercise judgment and discretion in evaluating the adequacy of an
institution's external auditing program.
Specifically, examiners will consider the policies, processes, and
personnel surrounding an institution's external auditing program in
determining whether:
<bullet> The board of directors or its audit committee adequately
reviews and approves external auditing program policies at least
annually.
<bullet> The external auditing program is conducted by an
independent public accountant or other independent auditor and is
appropriate for the institution.
<bullet> The engagement letter covering external auditing
activities is adequate.
<bullet> The report prepared by the auditor on the results of the
external auditing program adequately explains the auditor's findings.
<bullet> The external auditor maintains appropriate independence
regarding relationships with the institution under relevant
professional standards.
<bullet> The board of directors performs due diligence on the
relevant experience and competence of the independent auditor and staff
carrying out the work (whether or not an independent public accountant
is engaged).
<bullet> The board or audit committee minutes reflect approval and
monitoring of the external auditing program and schedule, including
board or committee reviews of audit reports with management and timely
action on audit findings and recommendations.
Access to Reports
Management should provide the independent public accountant or
other auditor with access to all examination reports and written
communication between the institution and the agencies or state bank
supervisor since the last external auditing activity. Management also
should provide the accountant with access to any supervisory memoranda
of understanding, written agreements, administrative orders, reports of
action initiated or taken by a federal or state banking agency under
section 8 of the FDI Act (or a similar state law), and proposed or
ordered assessments of civil money penalties against the institution or
an institution-related party, as well as any associated correspondence.
The auditor must maintain the confidentiality of examination reports
and other confidential supervisory information.
In addition, the independent public accountant or other auditor of
an institution should agree in the engagement letter to grant examiners
access to all the accountant's or auditor's workpapers and other
material pertaining to the institution prepared in the course of
performing the completed external auditing program.
Institutions should provide reports <SUP>10</SUP> issued by the
independent public accountant or other auditor pertaining to the
external auditing program, including any management letters, to the
agencies and any state authority in accordance with their appropriate
supervisory office's guidance.<SUP>11</SUP> Significant developments
regarding the external auditing program should be communicated promptly
to the appropriate supervisory office. Examples of those developments
include the hiring of an independent public accountant or other third
party to perform external auditing work and a change in, or termination
of, an independent public accountant or other external auditor.
---------------------------------------------------------------------------

\10\ The institution's engagement letter is not a ``report'' and
is not expected to be submitted to the appropriate supervisory
office unless specifically requested by that office.
\11\ When an institution's financial information is included in
the audited consolidated financial statements of its parent company,
the institution should provide a copy of the audited financial
statements of the consolidated company and any other reports by the
independent public accountant in accordance with their appropriate
supervisory office's guidance. If several institutions are owned by
one parent company, a single copy of the reports may be supplied in
accordance with the guidance of the appropriate supervisory office
of each agency supervising one or more of the affiliated
institutions and the holding company. A transmittal letter should
identify the institutions covered. Any notifications of changes in,
or terminations of, a consolidated company's independent public
accountant may be similarly supplied to the appropriate supervisory
office of each supervising agency.
---------------------------------------------------------------------------

Appendix A--Definitions
Agencies. The agencies are the Board of Governors of the Federal
Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC),
the Office of the Comptroller of the Currency (OCC), and the Office of
Thrift Supervision (OTS).
Appropriate supervisory office. The regional or district office of
the institution's primary federal banking agency responsible for
supervising the institution or, in the case of an institution that is
part of a group of related insured institutions, the regional or
district office of the institution's federal banking agency responsible
for monitoring the group. If the institution is a subsidiary of a
holding company, the term ``appropriate supervisory office'' also
includes the federal banking agency responsible for supervising the
holding company. In addition, if the institution is state-chartered,
the term ``appropriate supervisory office'' includes the appropriate
state bank or savings association regulatory authority.
Audit. An examination of the financial statements, accounting
records, and other supporting evidence of an institution performed by
an independent certified or licensed public accountant in accordance
with generally accepted auditing standards (GAAS) and of sufficient
scope to enable the independent public accountant to express an opinion
on the institution's financial statements as to their presentation in
accordance with generally accepted accounting principles (GAAP).
Audit committee. A committee of the board of directors whose
members should, to the extent possible, be knowledgeable about
accounting and auditing. The committee should be responsible for
reviewing and approving the institution's internal and external
auditing programs or recommending adoption of these programs to the
full board.
Balance sheet audit performed by an independent public accountant.
An examination of an institution's balance sheet and any accompanying
footnotes performed and reported on by an independent public accountant
in accordance with GAAS and of sufficient scope to enable the
independent public accountant to express an opinion on the fairness of
the balance sheet presentation in accordance with GAAP.
Engagement letter. A letter from an independent public accountant
to the board of directors or audit committee of an institution that
usually addresses the purpose and scope of the external auditing work
to be performed, period of time to be covered by the auditing work,
reports expected to be rendered, and any limitations placed on the
scope of the auditing work.
Examination of the internal control structure over financial
reporting. See Reporting by an Independent Public Accountant on an
Institution's Internal

[[Page 52327]]

Control Structure Over Financial Reporting.
External auditing program. The performance of procedures to test
and evaluate high risk areas of a institution's business by an
independent auditor, who may or may not be a public accountant,
sufficient for the auditor to be able to express an opinion on the
financial statements or to report on the results of the procedures
performed.
Financial statement audit by an independent public accountant. See
Audit.
Financial statements. The statements of financial position (balance
sheet), income, cash flows, and changes in equity together with related
notes.
Independent public accountant. An accountant who is independent of
the institution and registered or licensed to practice, and holds
himself or herself out, as a public accountant, and who is in good
standing under the laws of the state or other political subdivision of
the United States in which the home office of the institution is
located. The independent public accountant should comply with the
American Institute of Certified Public Accountants' (AICPA) Code of
Professional Conduct and any related guidance adopted by the
Independence Standards Board and the agencies. No certified public
accountant or public accountant will be recognized as independent who
is not independent both in fact and in appearance.
Internal auditing. An independent assessment function established
within an institution to examine and evaluate its system of internal
control and the efficiency with which the various units of the
institution are carrying out their assigned tasks. The objective of
internal auditing is to assist the management and directors of the
institution in the effective discharge of their responsibilities. To
this end, internal auditing furnishes management with analyses,
evaluations, recommendations, counsel, and information concerning the
activities reviewed.
Outside directors. Members of an institution's board of directors
who are not officers, employees, or principal stockholders of the
institution, its subsidiaries, or its affiliates, and who do not have
any material business dealings with the institution, its subsidiaries,
or its affiliates.
Regulatory reports. These reports are the Reports of Condition and
Income (Call Reports) for banks, Thrift Financial Reports (TFRs) for
savings associations, Federal Reserve (FR) Y reports for bank holding
companies, and the H-(b)11 Annual Report for thrift holding companies.
Reporting by an independent public accountant on an institution's
internal control structure over financial reporting. Under this
engagement, management evaluates and documents its review of the
effectiveness of the institution's internal control over financial
reporting in the identified risk areas as of a specific report date.
Management prepares a written assertion, which specifies the criteria
on which management based its evaluation about the effectiveness of the
institution's internal control over financial reporting in the
identified risk areas and states management's opinion on the
effectiveness of internal control over this specified financial
reporting. The independent public accountant is engaged to perform
tests on the internal control over the specified financial reporting in
order to attest to management's assertion. If the accountant concurs
with management's assertion, even if the assertion discloses one or
more instances of material internal control weakness, the accountant
would provide a report attesting to management's assertion.
Risk areas. Those particular activities of an institution that
expose it to greater potential losses if problems exist and go
undetected. The areas with the highest financial reporting risk in most
institutions generally are their lending and investment securities
activities.
Specified procedures. Procedures agreed-upon by the institution and
the auditor to test its activities in certain areas. The auditor
reports findings and test results, but does not express an opinion on
controls or balances. If performed by an independent public accountant,
these procedures should be performed under generally accepted standards
for attestation engagements (GASAE).