[Federal Register: February 17, 1998 (Volume 63, Number 31)]
[Notices]
[Page 7796-7802]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr17fe98-104]
=======================================================================
-----------------------------------------------------------------------
FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL
Policy Statement on External Auditing Programs of Banks and
Savings Associations
AGENCY: Federal Financial Institutions Examination Council.
ACTION: Proposed policy statement; Request for comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Financial Institutions Examination Council (FFIEC)
1 is requesting comments on a proposed Policy Statement on
External Auditing Programs of Banks and Savings Associations (Policy
Statement) which is intended to provide uniform guidance regarding
independent external auditing programs. Because institutions with $500
million or more in total assets must have an annual audit performed by
an independent public accountant in accordance with section 36 of the
Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR part
363, this policy would apply only to institutions below that threshold
that are not otherwise subject to audit requirements.
---------------------------------------------------------------------------
\1\ The FFIEC consists of representatives from the Board of
Governors of the Federal Reserve System (FRB), the Federal Deposit
Insurance Corporation (FDIC), the Office of the Comptroller of the
Currency (OCC), the Office of Thrift Supervision (OTS) (referred to
as the ``banking agencies''), and the National Credit Union
Administration. However, this guidance is not directed to credit
unions.
---------------------------------------------------------------------------
The Policy Statement expresses the banking agencies' belief that a
well-planned external audit program, combined with a strong internal
audit function, increases the ability of an institution to detect and
correct any serious problems that exist. In this regard, the proposed
guidance encourages each institution to adopt an external auditing
program that includes an annual audit of its financial statements by an
independent public accountant. If an institution's board of directors
or audit committee determines that an audit is not appropriate for the
institution, the proposal provides two alternative approaches for
consideration. The alternatives, which should also be performed by an
independent public accountant, consist of a report on the institution's
balance sheet or an attestation report on internal control over
specified schedules of its regulatory reports.
The proposed Policy Statement also encourages institutions to
establish an audit committee consisting entirely of outside directors,
if practicable.
DATES: Comments must be received by April 20, 1998.
ADDRESSES: Comments should be directed to Joe M. Cleaver, Executive
Secretary, Federal Financial Institutions Examination Council, 2100
Pennsylvania Avenue, NW, Suite 200, Washington, DC 20037 (Fax number:
(202) 634-6556). Comments will be available for public inspection
during regular business hours at the above address. Appointments to
inspect comments are encouraged and can be arranged by calling the
FFIEC at (202) 634-6526.
FOR FURTHER INFORMATION CONTACT:
FDIC: Doris L. Marsh, Examination Specialist, Division of
Supervision, (202) 898-8905, or A. Ann Johnson, Counsel, Legal
Division, (202) 898-3573, FDIC, 550 17th Street, N.W., Washington, DC
20429.
FRB: Charles H. Holm, Project Manager, (202) 452-3502, or Arthur
Lindo, Supervisory Financial Analyst, (202) 452-2695, Division of
Banking Supervision and Regulation, Board of Governors of the Federal
Reserve System, 20th Street and Constitution Avenue, N.W., Washington,
DC 20551.
OCC: Thomas Rees, Senior Accountant, Chief Accountant's office,
Core Policy Division, (202) 874-5411, or Bill Morris, National Bank
Examiner, Core Policy Division, (202) 874-4915, Office of the
Comptroller of the Currency, 250 E Street, S.W., Washington, DC 20219.
OTS: Timothy J. Stier, Chief Accountant, Accounting Policy
Division, (202) 906-5699, or Christine A. Smith, Policy Analyst,
Accounting Policy Division, (202) 906-5740, Office of Thrift
Supervision, 1700 G Street, N.W., Washington, DC 20552.
SUPPLEMENTARY INFORMATION:
I. Background
An institution's internal auditing and external auditing programs
are critical to its safety and soundness. When an institution lacks an
internal auditing program or has weaknesses in an existing program,
examiners often encourage the institution to obtain an independent
external audit. Accordingly, many institutions now supplement their
internal auditing programs by obtaining independent external audits,
either voluntarily or as a result of the requirements of section 36 of
the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and its
implementing regulation, 12 CFR part 363, the Securities and Exchange
Act of 1934 (15 U.S.C. 78a), or the Federal Reserve bank holding
company reporting requirements in the FR-Y-6 Annual Report of Bank
Holding Companies. However, a number of institutions, particularly
smaller institutions, do not have an external audit for various
reasons.
Because the banking agencies believe that an independent external
audit provides reasonable assurance that an institution's financial
statements are prepared in accordance with generally accepted
accounting principles (GAAP), the banking agencies encourage all
institutions to obtain external audits. In an effort to provide more
explicit guidance to institutions regarding external audits, the FFIEC
is proposing to approve a uniform Policy Statement. Upon FFIEC
approval, the FFIEC would recommend to the banking agencies that they
individually adopt the policy. This proposal is generally consistent
with the individual policies of the banking agencies.
Although some of the banking agencies have provided guidance on
external audits to their supervised institutions, a uniform policy does
not exist. For example, the OCC discusses its policies with regard to
independent external audits for national banks in the Comptroller's
Handbook for National Banks, Section 102, Internal and External Audits,
and the Comptroller's Manual for Corporate Activities. The FDIC adopted
similar guidance in its Policy Statement Regarding Independent External
Auditing Programs of State Nonmember Banks on November 16, 1988, as
published on November 28, 1988 (53 FR 47871), and amended on June 24,
1996, (61 FR 32438). The OTS's policy on independent external audits is
discussed in the Thrift Activities Regulatory Handbook, Section 350,
Independent Audits. The FRB sets forth its policy on external audits in
the FR-Y-6'Annual Report of Bank Holding Companies and Section 1010,
``External Audits,'' of the Commercial Bank Examination Manual.
II. The Policy Statement
The following paragraphs describe the principal provisions of the
proposed Policy Statement.
[[Page 7797]]
Board of Directors' Responsibilities
External Auditing Program
This section of the proposed Policy Statement expresses the banking
agencies' belief that a well-planned external auditing program combined
with a strong internal auditing function increases the ability of an
institution to detect and correct any potentially serious problems.
This section also emphasizes the importance to the institution's board
of directors and management of establishing an effective internal
control process to provide reasonable assurance that the institution
achieves its objectives. The banking agencies believe that the board of
directors should consider an external auditing program performed by an
independent public accountant to be conducive to the safe and sound
operation of the institution.
Audit Committee
This section encourages institutions to establish an audit
committee consisting entirely of outside directors, if practicable.
Among its duties, the audit committee should identify the areas of
greatest risk affecting financial reporting in the institution's
operations. In addition, this section states that an institution's
board of directors or audit committee should consider the
appropriateness of an external auditing program for the institution.
This evaluation should address what form of external auditing program
will best assist the board or audit committee in obtaining reasonable
assurance that the institution's financial statements and regulatory
reports are reliably prepared. The results of this evaluation should be
documented.
Alternative External Auditing Programs
The proposal identifies the preferred external auditing program and
two acceptable alternatives.2
---------------------------------------------------------------------------
\2\ It is the understanding of the banking agencies that, under
most state public accountancy laws, only an independent public
accountant may perform a balance sheet audit or issue an attestation
report on internal control.
---------------------------------------------------------------------------
Financial Statement Audit by an Independent Public Accountant
The proposal encourages each institution to adopt an external
auditing program that includes an annual audit of its financial
statements by an independent public accountant. The banking agencies
believe that a financial statement audit benefits management in
carrying out its control responsibilities.
Report on the Balance Sheet Audit
As an alternative to a financial statement audit, the proposed
Policy Statement suggests that an institution consider engaging an
independent public accountant to examine its assets, liabilities, and
equity under generally accepted auditing standards (GAAS) and to opine
on the fairness of the presentation on the balance sheet. Under this
type of engagement, the accountant would not provide an opinion on the
fairness of the presentation of the institution's income statement,
statement of changes in equity capital, or statement of cash flows.
Attestation Report on Internal Control Assertion
Another alternative to a financial statement audit is to engage an
independent public accountant to provide a report attesting to
management's assertion concerning the effectiveness of internal control
over financial reporting. The report would cover certain schedules of
its regulatory reports, including those relating to loans and
securities. Under this alternative, management would review its
internal control over the preparation of these schedules and document
this review. Management would then provide a written assertion stating
whether it believes its internal control is effective. The independent
public accountant would examine management's assertion and provide an
appropriate attestation report.
The banking agencies believe that an institution's annual ongoing
cost of an attestation report on internal control over certain
schedules of its regulatory reports would be significantly less than
the cost of an audit of its financial statements. However, the cost
projections depend on the circumstances of each institution, and an
institution may incur additional start-up costs to create the initial
documentation of its internal control structure and procedures in the
first year. This documentation is necessary to enable the independent
public accountant to evaluate management's assertion on the
effectiveness of internal control.
Holding Company Subsidiaries
The proposal describes the responsibilities of the board or audit
committee of a subsidiary of a holding company with respect to the
institution's external auditing program. Specifically, the proposal
says that an institution which is a subsidiary of a holding company may
find it appropriate to express the scope of its external auditing
program in terms of its relationship to the consolidated group.
However, the board or audit committee should determine whether the
subsidiary's activities involve unusual risks that are not adequately
covered within the scope of the audit of the consolidated financial
statements. If so, the proposal suggests that the board or audit
committee consider implementing an appropriate alternative external
auditing program.
Other Matters Concerning an External Auditing Program
Timing and Experience
The proposed Policy Statement recommends that whatever external
auditing program is adopted be performed at a quarter-end date that
coincides with a regulatory report date. It states that the independent
public accountant performing this program should be experienced in
performing external auditing work for banks and savings associations.
Access to Regulatory Reports
The proposal explains that an independent public accountant should
have access to examination reports, other documents, and reports of
action related to the supervision of the institution by its appropriate
federal or state banking agency.
Examiner Review of the External Auditing Program
The proposal explains that examiners should consider an
institution's size, the nature and scope of its activities, and any
compensating controls when determining the adequacy of the
institution's external auditing program and making recommendations for
improvement. Examiners should also consider whether the institution has
undertaken a state-required auditing program (that differs from the
programs set forth in this policy) when determining whether to make
recommendations for improvements under this policy.
Notification and Submission of Reports
In general, each institution should furnish its appropriate
supervisory office with a copy of external auditing reports issued by
its independent public accountant. However, the proposal also addresses
the submission of the independent public accountant's report by holding
company subsidiaries. This guidance reflects the banking agencies'
current approach to supervising banking organizations which own more
than one depository institution. Because each banking agency designates
one
[[Page 7798]]
supervisory office to manage the supervision of an entire banking
organization, any reports from the independent public accountant should
be sent to the appropriate supervisory office of each banking agency
which supervises the entire banking organization.
Special Situations
Newly Insured Institutions
The proposed Policy Statement notes that the FDIC Statement of
Policy on Applications for Deposit Insurance (57 FR 12822) requires
newly insured institutions to adopt an appropriate external auditing
program.
Institutions Presenting Supervisory Concerns
This section of the proposal lists some of the conditions in a
problem institution which would warrant the inclusion of a requirement
for a strong external auditing program.
Performance of Other Services
This section of the proposal explains that although each
institution is encouraged to have an external auditing program
performed by an independent public accountant, an institution may hire
other firms for advisory and consulting services if it so desires.
Appendix A--Definitions
Appendix A defines the terms used throughout the proposed Policy
Statement. The banking agencies have tried to achieve consistency in
these definitions with current professional accounting and auditing
literature. In addition, references are consistent with terminology in
the report of the Committee of Sponsoring Organizations of the Treadway
Commission (COSO Report), ``Internal Control--Integrated Framework,''
which is the standard by which the vast majority of institutions
evaluate internal control.
III. Comments
The banking agencies encourage each institution to consider
engaging an independent public accountant to perform an audit of its
financial statements. If an institution's board or audit committee
determines that an audit is not appropriate for the institution, the
banking agencies encourage each institution to consider having one of
the alternatives recommended in this proposal performed. Comments on
the proposed Policy Statement are especially encouraged from any
institution which has had its independent public accountant perform one
of the alternatives (a report on the institution's balance sheet or an
attestation report on internal control over specified schedules of its
regulatory reports).
Some states have state-required external auditing programs (e.g.,
directors' examinations) that differ from the external auditing
programs set forth in this policy statement. Accordingly, comments are
requested on the amount of time those states might need if they wish to
modify their directors' examination requirements to be consistent with
this Policy Statement.
IV. Paperwork Reduction Act
As part of their continuing effort to reduce paperwork and
respondent burden, the banking agencies invite the general public and
other Federal agencies to take this opportunity to comment on proposed
and/or continuing information collections, as required by the Paperwork
Reduction Act of 1995. Currently, the banking agencies are soliciting
comments concerning this proposed FFIEC policy statement, as there is a
likelihood that each of the banking agencies will adopt it for their
institutions. The banking agencies expect to submit the information
collection to OMB for review in conjunction with FFIEC's approval of
the final policy statement, and will invite public comment again in the
Federal Register notice that publishes the final policy statement.
Written comments regarding the information collection aspects of
the proposed policy statement should be submitted to any one or all of
the addresses listed under the ADDRESSES section of this Federal
Register notice. A copy of the comments may also be submitted to the
OMB Desk Officer for the banking agencies: Alexander T. Hunt, Office of
Information and Regulatory Affairs, Office of Management and Budget,
New Executive Office Building, Room 3208, Washington, DC 20503.
Requests for information regarding the collections of information
contained in the proposed policy statement may be sent to:
FDIC: Steven F. Hanft, FDIC Clearance Officer, (202) 898-8766,
Office of the Executive Secretary, Federal Deposit Insurance
Corporation, 550 17th Street, NW, Washington, DC 20429.
FRB: Mary M. McLaughlin, Federal Reserve Board Clearance Officer
(202) 452-3829, Division of Research and Statistics, Board of Governors
of the Federal Reserve System, Washington, DC 20551. Telecommunications
Device for the Deaf (TDD) users may contact Diane Jenkins, (202) 452-
3544, Board of Governors of the Federal Reserve System, 20th Street and
Constitution Avenue, N.W., Washington, DC 20551.
OCC: Jessie Gates, OCC Clearance Officer, (202) 874-5090,
Legislative and Regulatory Activities Division, Office of the
Comptroller of the Currency, 250 E Street, SW, Washington, DC 20219.
OTS: Christine Smith, Policy Analyst, (202) 906-5740, Timothy
Stier, Chief Accountant, (202) 906-5699, Accounting Policy, Office of
Thrift Supervision, 1700 G Street, NW, Washington, DC 20552.
Abstract
The title of this proposed information collection is ``External
Auditing Programs (<$500MM).'' The information would be collected from
all institutions with less than $500 million in total assets and
consists of: (a) A recordkeeping requirement that institutions maintain
management assertions regarding certain regulatory report schedules,
and (b) reporting requirements that institutions submit to the
appropriate supervisory office: (1) A notification when an independent
public accountant is initially engaged to perform external auditing
work and when a change in, or termination of, an independent public
accountant occurs; and either (2) a copy of any reports by the
independent public accountant pertaining to the external auditing
program, including any management letters; or (3) when an institution's
financial information is included in the audited consolidated financial
statements of its parent company, a copy of the audited financial
statements of the consolidated company, any other reports by the
independent public accountant, and any notifications of changes in, or
terminations of, the consolidated company's independent public
accountant, with a transmittal letter identifying the institutions
covered.
Type of Review: New collection.
Affected Public: Businesses or other for-profit.
Number of Respondents:
FDIC: 5,960.
FRB: 900.
OCC: 2,200.
OTS: 1,050.
Total Annual Respones: The banking agencies estimate 2 responses
per respondent.
Frequency of Response: Annually and On occasion.
[[Page 7799]]
Total Annual Burden Hours
------------------------------------------------------------------------
------------------------------------------------------------------------
FDIC................ Recordkeeping Burden... 1,490 hours.
Reporting Burden....... 2,980 hours.
Total Burden......... 4,470 hours.
FRB................. Recordkeeping Burden... 225 hours.
Reporting Burden....... 450 hours.
Total Burden......... 675 hours.
OCC................. Recordkeeping Burden... 550 hours.
Reporting Burden....... 1,100 hours.
Total Burden......... 1,650 hours.
OTS................. Recordkeeping Burden... 263 hours.
Reporting Burden....... 525 hours.
Total Burden......... 788 hours.
------------------------------------------------------------------------
Comments
Comments submitted in response to this notice will be summarized
and/or included in each agency's request for OMB approval. All comments
will become a matter of public record. Comments are invited on:
(a) Whether the collection of information is necessary for the
proper performance of the functions of the agency, including whether
the information shall have practical utility;
(b) The accuracy of the agency's estimate of the burden of the
collection of information;
(c) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(d) Ways to minimize the burden of the collection on respondents,
including through the use of automated collection techniques or other
forms of information technology; and
(e) Estimates of capital or startup costs and costs of operation,
maintenance, and purchase of services to provide the required
information.
The text of the proposed Policy Statement follows:
Federal Financial Institutions Examination Council
Policy Statement On External Auditing Programs of Banks and Savings
Associations 1
Introduction
The banking agencies 2 believe that a well-planned
annual external auditing program 3 is an important component
of a bank's or savings association's (hereafter referred to as ``an
institution'') risk management process. Furthermore, an external
auditing program complements the internal auditing function of an
institution by providing management and the board of directors with an
independent and objective view of the reliability of the institution's
financial statements. Additionally, an effective external auditing
program contributes to the efficiency of the banking agencies' risk-
focused examination process. By emphasizing the financial reporting
aspects of the significant risk areas of an institution, an effective
external auditing program may also reduce the examination time spent in
these areas.
---------------------------------------------------------------------------
\1\ Insured depository institutions covered by Section 36 of the
Federal Deposit Insurance Act, as implemented by 12 CFR part 363,
are required to have an external audit and an audit committee.
Therefore, this guidance only applies to banks and savings
associations which are not subject to part 363 (i.e., institutions
with less than $500 million in total assets at the beginning of
their fiscal year) or are not otherwise subject to audit
requirements by agreement, statute, or agency regulations. Such
banks and savings associations are referred to in this policy
statement as ``institutions.''
\2\ References to the banking agencies throughout this document
mean the Board of Governors of the Federal Reserve System (FRB), the
Federal Deposit Insurance Corporation (FDIC), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift
Supervision (OTS).
\3\ Terms defined in Appendix A are italicized the first time
they appear in this policy statement.
---------------------------------------------------------------------------
This policy statement outlines key elements of an effective
external auditing program and describes how an institution's external
auditing program will be reviewed by examiners. Specifically, this
policy encourages institutions to adopt an external auditing program
and establish an audit committee, and it describes some acceptable
external auditing programs that institutions may consider. In addition,
this policy statement provides guidance on external auditing for
institutions that are subsidiaries of a holding company, newly insured
institutions, and institutions presenting supervisory concerns.
Board of Directors' Responsibilities
External Auditing Program. The banking agencies encourage the board
of directors of each institution to adopt an external auditing program.
The banking agencies believe that the board of directors should
consider an external auditing program performed by an independent
public accountant to be conducive to the safe and sound operation of
the institution. The board of directors should evaluate whether its
external auditing program adequately addresses the financial reporting
aspects of the significant risk areas of the institution's business.
The ability to detect and correct potentially serious problems in these
areas substantially improves the safety and soundness of an
institution's operations and thereby lessens the risk the institution
poses to the FDIC-administered insurance funds.
An external auditing program also gives the institution's
management and board of directors information about the reliability of
its financial statements and often provides information useful to them
in discharging their responsibilities for effective internal control,
such as safeguarding assets and identifying weaknesses in the internal
control structure. In addition, an external auditing program may help
directors exercise reasonable care in protecting the assets of the
institution.
Audit Committee. The banking agencies also encourage the board of
directors of each institution to establish an audit committee. Ideally,
the audit committee should consist entirely of outside directors.
However, if this is impracticable, the banking agencies believe that at
least a majority of the audit committee members should be outside
directors.
An audit committee or board of directors should periodically (at
least annually) identify the risk areas of the institution's activities
and assess the extent of external auditing involvement needed over each
area. The audit committee or board should determine whether the
institution's needs will best be met by an audit of its financial
statements in accordance with generally accepted auditing standards
(GAAS) or by an alternative external auditing program. (Recommended
alternatives are described below.)
When evaluating the alternatives for the institution's external
auditing program, the committee or board should consider the cost and
potential benefits of an annual financial statement audit and ensure
that the selected program provides sufficient coverage of the financial
reporting aspects of the institution's significant risk areas and any
other areas of concern. The committee or board also should consider how
to best obtain reasonable assurance that the institution's financial
[[Page 7800]]
statements and regulatory reports are reliably prepared.
If the audit committee or board of directors decides to engage an
independent public accountant to conduct an alternative external
auditing program rather than an audit of the institution's financial
statements, the reasons for that decision should be documented in its
minutes.
Alternative External Auditing Programs
Financial Statement Audit by an Independent Public Accountant. The
banking agencies encourage each bank and savings association to have
its financial statements audited by an independent public accountant.
Although other alternatives are acceptable, a financial statement audit
provides the most comprehensive assurance about the fair presentation
of an institution's financial statements.
In addition, an external audit provides information that benefits
management in carrying out its control responsibilities. For example,
an external audit may provide management with guidance on establishing
or improving accounting and operating policies, recommendations on
internal control (including internal auditing programs), and
evaluations of management information systems necessary to ensure the
fair presentation of the financial statements.
Report on the Balance Sheet. An institution's audit committee or
board of directors may determine, based on its assessment of the
institution's risk areas and scope of operations during a particular
year, that a financial statement audit is not the institution's best
alternative. In such cases, the institution may prefer to engage an
independent public accountant to examine and report on the balance
sheet. If this alternative is chosen, the balance sheet on which the
accountant will report should be prepared in conformity with generally
accepted accounting principles (GAAP). Furthermore, the independent
public accountant should perform the engagement in accordance with
GAAS.
Attestation Report on Internal Control Assertion.
4 Another alternative to a financial statement audit is to
engage an independent public accountant to examine and report on
management's assertion concerning the effectiveness of the
institution's internal control over financial reporting in all or
specified schedules of the institution's regulatory reports. A board or
audit committee that elects this alternative should review and assess
the institution's activities and determine its high risk areas with
respect to financial reporting. In addition, management should evaluate
and provide a written assertion about the effectiveness of the
institution's internal control over financial reporting in the
identified risk areas as of one designated regulatory report date. This
assertion should specify the criteria on which management based its
evaluation of internal control. Furthermore, management's evaluation
should be adequately documented.
In most institutions, the lending and investment securities
activities present the most significant risks that affect financial
reporting. Therefore, management's assertion should generally cover the
following regulatory report schedules every year:
----------------------------------------------------------------------------------------------------------------
Thrift financial report
Area Reports of condition and income schedules schedules
----------------------------------------------------------------------------------------------------------------
Loans and Lease Financing Receivables RC-C, Part I.............................. SC, CF
Past Due and Nonaccrual Loans, RC-N...................................... PD
Leases, and Other Assets.
Allowance for Credit Losses.......... RI-B...................................... SC, VA
Securities........................... RC-B...................................... SC, SI, CF
----------------------------------------------------------------------------------------------------------------
If the board or audit committee determines that trading or off-
balance sheet activities present material financial reporting risks to
the institution, the regulatory report schedules for one or both of
these areas should also be covered by management's assertion and the
accountant's attestation:
----------------------------------------------------------------------------------------------------------------
Thrift financial report
Area Reports of condition and income schedules schedules
----------------------------------------------------------------------------------------------------------------
Trading Assets and Liabilities....... RC-D...................................... SO, SI.
Off-Balance Sheet Items.............. RC-L...................................... SI, CMR.
----------------------------------------------------------------------------------------------------------------
The regulatory report schedules listed in this policy statement
address the most common high risk areas for financial reporting in
institutions. However, these schedules do not address all possible
risks in an institution. Therefore, each institution should review the
risks inherent in its particular activities annually to determine
whether to expand the scope of its external auditing program to include
other financial reporting risk areas. For example, if an institution or
its subsidiaries has significant real estate investments, insurance
underwriting or sales activities, securities broker-dealer or similar
activities (including securities underwriting and investment advisory
services), loan servicing activities, or fiduciary activities, the
institution should consider whether its external auditing program
should cover these areas.
Holding Company Subsidiaries. When the audit committee or board of
directors of any institution owned by another company (such as a
holding company) considers its external auditing program, it may find
it appropriate to address the scope of its program in terms of the
institution's relationship to the consolidated group. The banking
agencies do not expect an institution owned by another company to
obtain a separate audit of its financial statements if the group's
consolidated financial statements for the same fiscal year are audited.
Nevertheless, the board of directors or audit committee of the
subsidiary may determine that it has activities that involve risks
which were not within the procedural scope of the audit of the
financial statements of the consolidated entity. For example, the risks
arising from some of the subsidiary's activities may be immaterial to
the financial statements of the consolidated entity. Under such
circumstances, the audit committee or board of the subsidiary
institution should consider strengthening its internal auditing
procedures to cover these activities or implementing an appropriate
alternative external auditing program.
---------------------------------------------------------------------------
\4\ An attestation engagement is not an audit. It is performed
under different professional standards than an audit of an
institution's financial statements or its balance sheet.
---------------------------------------------------------------------------
[[Page 7801]]
Other Matters Concerning an External Auditing Program
Timing. Whatever external auditing program an institution decides
to implement, it preferably should be performed as of the institution's
fiscal year-end. However, using a quarter-end date that coincides with
a regulatory report date is also acceptable. Such an approach would
permit the institution to use the audited financial statements to
verify and, if appropriate, amend the regulatory report. In this
regard, an institution may also find it cost-effective to have its
financial statements audited during the accounting firm's off-peak
period.
Experience. The banking agencies generally believe that the
independent public accountant that an institution selects to perform
its financial statement audit or its alternative external auditing
program should be experienced in auditing the financial statements of
banks and savings associations and knowledgeable about relevant laws
and regulations.
Access to Regulatory Reports. Regardless of the external auditing
approach chosen, management should inform the independent public
accountant of, and provide the independent public accountant with
access to, all examination reports and written communication between
the institution and the banking agencies or state banking authorities
since the last external auditing activity. The independent public
accountant also should be provided access to any supervisory memoranda
of understanding, written agreements, administrative orders, reports of
action initiated or taken by a federal or state banking agency under
section 8 of the Federal Deposit Insurance Act (or a similar state
law), or civil money penalties assessed against the institution or an
institution-related party, and any associated correspondence. The
independent public accountant must maintain the confidentiality of
examination reports and other confidential supervisory information.
Examiner Review of the External Auditing Program
A review of an institution's external auditing program will
continue to be part of the banking agencies' examination procedures. An
examiner's evaluation of and any recommendations for improvements in an
institution's external auditing program will consider the institution's
size, the nature and complexity of its business activities, its risk
profile, any actions taken or planned by the institution to minimize or
eliminate identified weaknesses, and any compensating controls that are
in place.
Notification and Submission of Reports
Regardless of the type of external auditing program chosen, the
banking agencies request that each institution furnish a copy of any
reports 5 by the independent public accountant pertaining to
the external auditing program, including any management letters, to its
appropriate supervisory office in a timely manner.
---------------------------------------------------------------------------
\5\ The institution's engagement letter is not expected to be
submitted as a ``report.''
---------------------------------------------------------------------------
In addition, the banking agencies request each institution to
promptly notify its appropriate supervisory office when an independent
public accountant is initially engaged to perform external auditing
work and when a change in, or termination of, its independent public
accountant occurs.
When an institution's financial information is included in the
audited consolidated financial statements of its parent company, the
institution may send its appropriate supervisory office one copy of the
audited financial statements of the consolidated company, any other
reports by the independent public accountant, and any notifications of
changes in, or terminations of, the consolidated company's independent
public accountant. If several institutions are owned by one parent
company, a single copy of the reports and any notifications applicable
to the consolidated company may be submitted to the appropriate
supervisory office of each banking agency supervising one or more of
the affiliated institutions and the holding company. A transmittal
letter should identify the institutions covered.
Special Situations
Newly Insured Institutions. The FDIC Statement of Policy on
Applications for Deposit Insurance requires an applicant for deposit
insurance coverage to obtain an audit of its financial statements by an
independent public accountant.
Institutions Presenting Supervisory Concerns. An independent
external auditing program complements the banking agencies' supervisory
process and the institution's internal auditing program by identifying
or further clarifying issues of potential concern or exposure. It can
also greatly assist management in taking corrective action,
particularly when weaknesses are detected in internal control or
management information systems. For these reasons, the banking agencies
may require an annual audit of an institution's financial statements by
an independent public accountant for an institution presenting
supervisory concerns. However, if it is more appropriate, either (1) a
report on the balance sheet; (2) an attestation report on management's
assertions concerning internal control over financial reporting; (3)
procedures agreed upon by the institution, independent public
accountant, and appropriate banking agency; or (4) other engagements
may be required if any of the following conditions exist:
(a) Internal control, including the internal auditing program, is
inadequate;
(b) The board of directors is generally uninformed in the area of
internal control;
(c) There is evidence of insider abuse;
(d) There are known or suspected defalcations;
(e) There is known or suspected criminal activity;
(f) It is probable that director liability for losses exists;
(g) Direct verification of loans or deposits is warranted;
(h) Questionable transactions with affiliates have occurred; or
(i) Other conditions exist that warrant improvements in the
external auditing program.
Such an action may also require, among other things, that the
institution provide its banking agency's supervisory office a copy of
any reports, including management letters, issued by the independent
public accountant. In addition, it may require the institution to
notify the supervisory office prior to any meeting with the independent
public accountant at which auditing findings are to be presented.
Performance of Other Services
This policy statement does not preclude institutions from engaging
entities other than independent public accountants to perform advisory
and other services that do not require licensing under applicable state
public accountancy statutes. For example, an institution may hire
individuals or firms who are not independent public accountants to
provide independent loan reviews, give advice on consumer compliance
issues, suggest improvements to increase operational efficiency in
specific departments (e.g., information processing), or assist in areas
of taxation or management information systems. In addition, if
acceptable under applicable state laws, these firms may perform state-
required directors' examinations; however, such services may not
constitute or replace
[[Page 7802]]
an external auditing program performed by an independent public
accountant.
Appendix A--Definitions
Appropriate supervisory office. The regional or district office of
the institution's primary federal banking agency which is responsible
for supervising the institution, or, in the case of an institution that
is part of a group of related insured institutions, the regional or
district office of the institution's federal banking agency which is
responsible for monitoring the group. If the institution is a
subsidiary of a holding company, the term ``appropriate supervisory
office'' also includes the federal banking agency responsible for
supervising the holding company. In addition, if the institution is
state-chartered, the term ``appropriate supervisory office'' includes
the appropriate state bank or savings association regulatory authority.
Audit. An examination of the financial statements, accounting
records, and other supporting evidence of an institution performed by
an independent certified or licensed public accountant in accordance
with generally accepted auditing standards (GAAS) and of sufficient
scope to enable the independent public accountant to express an opinion
on the institution's financial statements as to their presentation in
accordance with generally accepted accounting principles (GAAP).
Audit Committee. A committee of the board of directors whose
members should, to the extent possible, be knowledgeable about
accounting and auditing. The committee should be responsible for
reviewing and approving the institution's internal and external
auditing programs or recommending adoption of these programs to the
full board. Both the internal auditor and the independent public
accountant should have unrestricted access to the audit committee
without the need for any prior management knowledge or approval. Other
duties of the audit committee may include reviewing the independence of
the independent public accountant annually, consulting with management
when management seeks a second opinion on an accounting issue, and
overseeing the quarterly regulatory reporting process. The audit
committee should report its findings periodically to the full board of
directors.
Directors' Examination. An engagement performed by an independent
third party that has been authorized by the institution's board of
directors and is required by state law. (A directors' examinations is
called an ``engagement audit'' or ``operational audit.'' Nevertheless,
it is often not performed in accordance with GAAS nor do widely
accepted national standards exist for its performance.)
External Auditing Program. The testing and evaluation of risk areas
of an institution's business by an independent public accountant
sufficient to enable the accountant to express an opinion on the
financial statements or balance sheet. Under professional standards,
this engagement should be performed in accordance with GAAS.
Alternatively, an independent public accountant may attest to
management's assertion concerning the effectiveness of the
institution's internal control over financial reporting. Under
professional standards, the independent public accountant is expected
to perform this attestation engagement in accordance with the generally
accepted standards for attestation engagements (GASAE).
Financial Statements. The statements of financial position (balance
sheet), income, cash flows, and changes in equity together with related
notes.
Independent Public Accountant. An accountant who is independent of
the institution and registered or licensed to practice as a public
accountant, and is in good standing, under the laws of the state or
other political subdivision of the United States in which the home
office of the institution is located. No certified public accountant or
public accountant will be recognized as independent who is not in fact
independent. The independent public accountant also should comply with
the American Institute of Certified Public Accountants' (AICPA) Code of
Professional Conduct and any related guidance adopted by the banking
agencies.
Internal auditing. An independent assessment function established
within an institution to examine and evaluate its system of internal
control and the efficiency with which the various units of the
institution are carrying out their assigned tasks. The objective of
internal auditing is to assist the management and directors of the
institution in the effective discharge of their responsibilities. To
this end, internal auditing furnishes management with analyses,
appraisals, recommendations, counsel, and information concerning the
activities reviewed.
Outside Directors. Members of an institution's board of directors
who are not officers, employees, or principal stockholders of the
institution, its subsidiaries, or its affiliates, and do not have any
material business dealings with the institution, its subsidiaries, or
its affiliates.
Regulatory Reports. These reports are the Reports of Condition and
Income (Call Reports) for banks and Thrift Financial Reports (TFRs) for
savings associations.
Report on the Balance Sheet. An examination of an institution's
balance sheet performed and reported on by an independent public
accountant in accordance with GAAS and of sufficient scope to enable
the independent public accountant to express an opinion on the fairness
of the balance sheet presentation in accordance with GAAP.
Risk Areas. Those particular activities of an institution that
expose it to greater potential losses if problems exist and go
undetected. The areas with the highest financial reporting risk in most
institutions generally are their lending and investment securities
activities.
Dated: February 5, 1998.
Joe M. Cleaver,
Executive Secretary, Federal Financial Institutions Examination
Council.
[FR Doc. 98-3374 Filed 2-13-98; 8:45 am]
BILLING CODE 6210-01-P, 6720-01-P, 6714-01-P, 4810-01-P