5000 - Statements of Policy
{{10-29-99 p.5299}}
INTERAGENCY POLICY STATEMENT ON EXTERNAL AUDITING
PROGRAMS OF BANKS AND SAVINGS ASSOCIATIONS
Introduction
The board of directors and senior managers of a banking institution
or savings association (institution) are responsible for ensuring that
the institution operates in a safe and sound manner. To achieve this
goal and meet the safety and soundness guidelines implementing section
39 of the Federal Deposit Insurance Act (FDI Act)
(12 U.S.C.
1831p-1), 1
the institution should maintain effective systems and internal
controls 2
to produce reliable and accurate financial reports.
Accurate financial reporting is essential to an institution's
safety and soundness for numerous reasons. First, accurate financial
information enables management to effectively manage the institution's
risks and make sound business decisions. In addition, institutions are
required by law 3
to provide accurate and timely financial reports (e.g., Reports of
Condition and Income [Call Reports] and Thrift Financial Reports) to
their appropriate regulatory agency. These reports serve an important
role in the agencies' 4
risk-focused supervision programs by contributing to their
pre-examination planning, off-site monitoring programs, and assessments
of an institution's capital adequacy and financial strength. Further,
reliable financial reports are necessary for the institution to raise
capital. They provide data to stockholders, depositors and other funds
providers, borrowers, and potential investors on the company's
financial position and results of operations. Such information is
critical to effective market discipline of the institution.
To help ensure accurate and reliable financial reporting, the
agencies recommend that the board of directors of each institution
establish and maintain an external auditing program. An external
auditing program should be an important component of an institution's
overall risk management process. For example, an external auditing
program complements the internal auditing function of an institution by
providing management and the board of directors with an independent and
objective view of the reliability of the institution's financial
statements and the adequacy of its financial reporting internal
controls. Additionally, an effective external auditing program
contributes to the efficiency of the agencies' risk-focused
examination process. By considering the significant risk areas of an
institution, an effective external auditing program may reduce the
examination time the agencies spend in such areas. Moreover, it can
improve the safety and soundness of an institution substantially and
lessen the risk the institution poses to the insurance funds
administered by the FDIC.
This policy statement outlines the characteristics of an effective
external auditing program and provides examples of how an institution
can use an external auditor to help ensure the reliability of its
financial reports. It also provides guidance on how an examiner may
assess an institution's external auditing program. In addition, this
policy statement provides specific guidance on external auditing
programs for institutions that are holding company subsidiaries, newly
insured institutions, and institutions presenting supervisory concerns.
The adoption of a financial statement audit or other specified type
of external auditing program is generally only required in specific
circumstances. For example, insured depository institutions covered by
section 36 of the FDI Act (12 U.S.C.
1831m), as implemented by part 363 of the FDIC's regulations
(12 CFR part 363), are
required to have an external audit and an audit committee. Therefore,
this policy statement is directed toward banks and savings associations
which are exempt from part 363 (i.e., institutions with less than $500
million in total assets at the beginning of their fiscal year) or are
not otherwise subject to audit requirements by order, agreement,
statute, or agency regulations.
Overview of External Auditing Programs
Responsibilities of the Board of Directors
The board of directors of an institution is responsible for
determining how to best obtain reasonable assurance that the
institution's financial statements and regulatory reports are reliably
prepared. In this regard, the board is also responsible for ensuring
that its external auditing program is appropriate for the institution
and adequately addresses the financial reporting aspects of the
significant risk areas and any other areas of concern of the
institution's business.
To help ensure the adequacy of its internal and external auditing
programs, the agencies encourage the board of directors of each
institution that is not otherwise required to do so to establish an
audit committee consisting entirely of outside
directors. 5
However, if this is impracticable, the board should organize the audit
committee so that outside directors constitute a majority of the
membership.
Audit Committee
The audit committee or board of directors is responsible for
identifying at least annually the risk areas of the institution's
activities and assessing the extent of external auditing involvement
needed over each area. The audit committee or board is then responsible
for determining what type of external auditing program will best meet
the institution's needs (refer to the descriptions under "Types of
External Auditing Programs").
When evaluating the institution's external auditing needs, the
board or audit committee should consider the size of the institution
and the nature, scope, and complexity of its operations. It should also
consider the potential benefits of an audit of the institution's
financial statements or an examination of the institution's internal
control structure over financial reporting, or both. In addition, the
board or audit committee may determine that additional or specific
external auditing procedures are warranted for a particular year or
several years to cover areas of particularly high risk or special
concern. The reasons supporting these decisions should be recorded in
the committee's or board's minutes.
If, in its annual consideration of the institution's external
auditing program, the board or audit committee determines, after
considering its inherent limitations, that an agreed-upon
procedures/state-required examination is sufficient, they should also
consider whether an independent public accountant should perform the
work. When an independent public accountant performs auditing and
attestation services, the accountant must conduct his or her work
under, and may be held accountable for departures from, professional
standards. Furthermore, when the external auditing program includes an
audit of the financial statements, the board or audit committee obtains
an opinion from the independent public accountant stating whether the
financial statements are presented fairly, in all material respects, in
accordance with generally accepted accounting principles (GAAP). When
the external auditing program includes an examination of the internal
control structure over financial reporting, the board or audit
committee obtains an opinion from the independent public accountant
stating whether the financial reporting process is subject to any
material weaknesses.
Both the staff performing an internal audit function and the
independent public accountant or other external auditor should have
unrestricted access to the board or audit committee without the need
for any prior management knowledge or approval. Other duties of an
audit committee may include reviewing the independence of the external
auditor annually, consulting with management, seeking an opinion on an
accounting issue, and overseeing the quarterly regulatory reporting
process. The audit committee should report its findings periodically to
the full board of directors.
External Auditing Programs
Basic Attributes
External auditing programs should provide the board of directors
with information about the institution's financial reporting risk
areas, e.g., the institution's internal control over financial
reporting, the accuracy of its recording of transactions, and the
completeness of its financial reports prepared in accordance with GAAP.
The board or audit committee of each institution at least annually
should review the risks inherent in its particular activities to
determine the scope of its external auditing program. For most
institutions, the lending and investment securities activities present
the most significant risks that affect financial reporting. Thus,
external auditing programs should include specific procedures designed
to test at least annually the risks associated with the loan and
investment portfolios. This includes testing of internal control over
financial reporting, such as management's process to determine the
adequacy of the allowance for loan and lease losses and whether this
process is based on a comprehensive, adequately documented, and
consistently applied analysis of the institution's loan and lease
portfolio.
An institution or its subsidiaries may have other significant
financial reporting risk areas such as material real estate
investments, insurance underwriting or sales activities, securities
broker-dealer or similar activities (including securities underwriting
and investment advisory services), loan servicing activities, or
fiduciary activities. The external auditing program should address
these and other activities the board or audit committee determines
present significant financial reporting risks to the institution.
Types of External Auditing Programs
The agencies consider an annual audit of an institution's financial
statements performed by an independent public accountant to be the
preferred type of external auditing program. The agencies also consider
an annual examination of the effectiveness of the internal control
structure over financial reporting or an audit of an institution's
balance sheet, both performed by an independent public accountant, to
be acceptable alternative external auditing programs. However, the
agencies recognize that some institutions only have agreed-upon
procedures/state-required examinations performed annually as their
external auditing program. Regardless of the option chosen, the board
or audit committee should agree in advance with the external auditor on
the objectives and scope of the external auditing program.
Financial Statement Audit by an Independent Public
Accountant. The agencies encourage all institutions to have an
external audit performed in accordance with generally accepted auditing
standards (GAAS). The audit's scope should be sufficient to enable the
auditor to express an opinion on the institution's financial
statements taken as a whole.
A financial statement audit provides assurance about the fair
presentation of an institution's financial statements. In addition, an
audit may provide recommendations for management in carrying out its
control responsibilities. For example, an audit may provide management
with guidance on establishing or improving accounting and operating
policies and recommendations on internal control (including internal
auditing programs) necessary to ensure the fair presentation of the
financial statements.
Reporting by an Independent Public Accountant on an
Institution's Internal Control Structure Over Financial
Reporting. Another external auditing program is an independent
public accountant's examination and report on management's assertion
on the effectiveness of the institution's internal control over
financial reporting. For a smaller institution with less complex
operations, this type of engagement is likely to be less costly than an
audit of its financial statements or its balance sheet. It would
specifically provide recommendations for improving internal control,
including suggestions for compensating controls, to mitigate the risks
due to staffing and resource limitations.
Such an attestation engagement may be performed for all internal
controls relating to the preparation of annual financial statements or
specified schedules of the institution's
regulatory
reports. 6
This type of engagement is performed under generally accepted standards
for attestation engagements
(GASAE). 7
Note: For banks and savings associations, the lending,
investment securities, trading, and off-balance sheet schedules consist
of:
Area schedules | Reports of condition and income schedules | Thrift financial report
Loans and Lease Financing Receivables | RC--C, Part I | SC, CF.
Past Due and Nonaccrual Loans, Leases, and Other Assets | RC--N | PD.
Allowance for Credit Losses | RI--B | SC, VA.
Securities | RC--B | SC, SI, CF.
Trading Assets and Liabilities | RC--D | SO, SI.
Off-Balance Sheet Items | RC--L | SI, CMR.
Balance Sheet Audit Performed by an Independent Public
Accountant. With this program, the institution engages an
independent public accountant to examine and report only on the balance
sheet. As with the audit of the financial statements, this audit is
performed in accordance with GAAS. The cost of a balance sheet audit is
likely to be less than a financial statement audit. However, under this
type of program, the accountant does not examine or report on the
fairness of the presentation of the institution's income statement,
statement of changes in equity capital, or statement of cash flows.
Agreed-Upon Procedures/State-Required Examinations. Some
state-chartered depository institutions are required by state statute
or regulation to have specified procedures performed annually by their
directors or independent persons. 8
The bylaws of many national banks also require that some specified
procedures be performed annually by directors or others, including
internal or independent persons. Depending upon the scope of the
engagement, the cost of agreed-upon procedures or a state-required
examination may be less than the cost of an audit. However, under this
type of program, the independent auditor does not report on the
fairness of the institution's financial statements or attest to the
effectiveness of the internal control structure over financial
reporting. The findings or results of the procedures are usually
presented to the board or the audit committee so that they may draw
their own conclusions about the quality of the financial reporting or
the sufficiency of internal control.
When choosing this type of external auditing program, the board or
audit committee is responsible for determining whether these procedures
meet the external auditing needs of the institution, considering its
size and the nature, scope, and complexity of its business activities.
For example, if an institution's external auditing program consists
solely of confirmations of deposits and loans, the board or committee
should consider expanding the scope of the auditing work performed to
include additional procedures to test the institution's high risk
areas. Moreover, a financial statement audit, an examination of the
effectiveness of the internal control structure over financial
reporting, and a balance sheet
audit may be accepted in some states
and for national banks in lieu of agreed-upon procedures/state-required
examinations.
Other Considerations
Timing. The preferable time to schedule the performance
of an external auditing program is as of an institution's fiscal
year-end. However, a quarter-end date that coincides with a regulatory
report date provides similar benefits. Such an approach allows the
institution to incorporate the results of the external auditing program
into its regulatory reporting process and, if appropriate, amend the
regulatory reports.
External Auditing Staff. The agencies encourage an
institution to engage an independent public accountant to perform its
external auditing program. An independent public accountant provides a
nationally recognized standard of knowledge and objectivity by
performing engagements under GAAS or GASAE. The firm or independent
person selected to conduct an external auditing program and the staff
carrying out the work should have experience with financial institution
accounting and auditing or similar expertise and should be
knowledgeable about relevant laws and regulations.
Special Situations
Holding Company Subsidiaries
When an institution is owned by another entity (such as a holding
company), it may be appropriate to address the scope of its external
audit program in terms of the institution's relationship to the
consolidated group. In such cases, if the group's consolidated
financial statements for the same year are audited, the agencies
generally would not expect the subsidiary of a holding company to
obtain a separate audit of its financial statements. Nevertheless, the
board of directors or audit committee of the subsidiary may determine
that its activities involve significant risks to the subsidiary that
are not within the procedural scope of the audit of the financial
statements of the consolidated entity. For example, the risks arising
from the subsidiary's activities may be immaterial to the financial
statements of the consolidated entity, but material to the subsidiary.
Under such circumstances, the audit committee or board of the
subsidiary should consider strengthening the internal audit coverage of
those activities or implementing an appropriate alternative external
auditing program.
Newly Insured Institutions
Under the FDIC Statement of
Policy on Applications for Deposit Insurance, applicants for
deposit insurance coverage are expected to commit the depository
institution to obtain annual audits by an independent public accountant
once it begins operations as an insured institution and for a limited
period thereafter.
Institutions Presenting Supervisory Concerns
As previously noted, an external auditing program complements the
agencies' supervisory process and the institution's internal auditing
program by identifying or further clarifying issues of potential
concern or exposure. An external auditing program also can greatly
assist management in taking corrective action, particularly when
weaknesses are detected in internal control or management information
systems affecting financial reporting.
The agencies may require a financial institution presenting safety
and soundness concerns to engage an independent public accountant or
other independent external auditor to perform external auditing
services. 9
Supervisory concerns may include:
Inadequate internal control, including the internal auditing
program;
A board of directors generally uninformed about internal
control;
Evidence of insider abuse;
Known or suspected defalcations;
Known or suspected criminal activity;
Probable director liability for losses;
The need for direct verification of loans or deposits;
Questionable transactions with affiliates; or
The need for improvements in the external auditing program.
The agencies may also require that the institution provide its
appropriate supervisory office with a copy of any reports, including
management letters, issued by the independent public accountant or
other external auditor. They also may require the institution to notify
the supervisory office prior to any meeting with the independent public
accountant or other external auditor at which auditing findings are to
be presented.
Examiner Guidance
Review of the External Auditing Program
The review of an institution's external auditing program is a
normal part of the agencies' examination procedures. An examiner's
evaluation of, and any recommendations for improvements in, an
institution's external auditing program will consider the
institution's size; the nature, scope, and complexity of its business
activities; its risk profile; any actions taken or planned by it to
minimize or eliminate identified weaknesses; the extent of its internal
audit program; and any compensating controls in place. Examiners will
exercise judgment and discretion in evaluating the adequacy of an
institution's external auditing program.
Specifically, examiners will consider the policies, processes, and
personnel surrounding an institution's external auditing program in
determining whether:
The board of directors or its audit committee adequately
reviews and approves external auditing program policies at least
annually.
The external auditing program is conducted by an independent
public accountant or other independent auditor and is appropriate for
the institution.
The engagement letter covering external auditing activities
is adequate.
The report prepared by the auditor on the results of the
external auditing program adequately explains the auditor's findings.
The external auditor maintains appropriate independence
regarding relationships with the institution under relevant
professional standards.
The board of directors performs due diligence on the relevant
experience and competence of the independent auditor and staff carrying
out the work (whether or not an independent public accountant is
engaged).
The board or audit committee minutes reflect approval and
monitoring of the external auditing program and schedule, including
board or committee reviews of audit reports with management and timely
action on audit findings and recommendations.
Access to Reports
Management should provide the independent public accountant or other
auditor with access to all examination reports and written
communication between the institution and the agencies or state bank
supervisor since the last external auditing activity. Management also
should provide the accountant with access to any supervisory memoranda
of understanding, written agreements, administrative orders, reports of
action initiated or taken by a federal or state banking agency under
section 8 of the FDI Act (or a
similar state law), and proposed or ordered assessments of civil money
penalties against the institution or an institution-related party, as
well as any associated correspondence. The auditor must maintain the
confidentiality of examination reports and other confidential
supervisory information.
In addition, the independent public accountant or other auditor of
an institution should agree in the engagement letter to grant examiners
access to all the accountant's or auditor's workpapers and other
material pertaining to the institution prepared in the course of
performing the completed external auditing program.
Institutions should provide
reports 10
issued by the independent public accountant or other auditor pertaining
to the external auditing program, including any management letters, to
the agencies and any state authority in accordance with their
appropriate supervisory office's
guidance. 11
Significant developments regarding the external auditing program should
be communicated promptly to the appropriate supervisory office.
Examples of those developments include the hiring of an independent
public accountant or other third party to perform external auditing
work and a change in, or termination of, an independent public
accountant or other external auditor.
Appendix A--Definitions.
Agencies. The agencies are the Board of Governors of the
Federal Reserve System (FRB), the Federal Deposit Insurance Corporation
(FDIC), the Office of the Comptroller of the Currency (OCC), and the
Office of Thrift Supervision (OTS).
Appropriate supervisory office. The regional or district
office of the institution's primary federal banking agency responsible
for supervising the institution, or, in the case of an institution that
is part of a group of related insured institutions, the regional or
district office of the institution's federal banking agency
responsible for monitoring the group. If the institution is a
subsidiary of a holding company, the term "appropriate supervisory
office" also includes the federal banking agency responsible for
supervising the holding company. In addition, if the institution is
state-chartered, the term "appropriate supervisory office"
includes the appropriate state bank or savings association regulatory
authority.
Audit. An examination of the financial statements,
accounting records, and other supporting evidence of an institution
performed by an independent certified or licensed public accountant in
accordance with generally accepted auditing standards (GAAS) and of
sufficient scope to enable the independent public accountant to express
an opinion on the institution's financial statements as to their
presentation in accordance with generally accepted accounting
principles (GAAP).
Audit committee. A committee of the board of directors
whose members should, to the extent possible, be knowledgeable about
accounting and auditing. The committee should be responsible for
reviewing and approving the institution's internal and external
auditing programs or recommending adoption of these programs to the
full board.
Balance sheet audit performed by an independent public
accountant. An examination of an institution's balance sheet and
any accompanying footnotes performed and reported on by an independent
public accountant in accordance with GAAS and of sufficient scope to
enable the independent public accountant to express an opinion on the
fairness of the balance sheet presentation in accordance with GAAP.
Engagement letter. A letter from an independent public
accountant to the board of directors or audit committee of an
institution that usually addresses the purpose and scope of the
external auditing work to be performed, period of time to be covered by
the auditing work, reports expected to be rendered, and any limitations
placed on the scope of the auditing work.
Examination of the internal control structure over financial
reporting. See Reporting by an Independent Public Accountant on an
Institution's Internal Control Structure Over Financial
Reporting.
External auditing program. The performance of procedures
to test and evaluate high risk areas of an institution's business by
an independent auditor, who may or may not be a public accountant,
sufficient for the auditor to be able to express an opinion on the
financial statements or to report on the results of the procedures
performed.
Financial statement audit by an independent public
accountant. See Audit.
Financial statements. The statements of financial
position (balance sheet), income, cash flows, and changes in equity
together with related notes.
Independent public accountant. An accountant who is
independent of the institution and registered or licensed to practice,
and holds himself or herself out, as a public accountant, and who is in
good standing under the laws of the state or other political
subdivision of the United States in which the home office of the
institution is located. The independent public accountant should comply
with the American Institute of Certified Public Accountants' (AICPA)
Code of Professional Conduct and any related guidance
adopted by the Independence Standards Board and the agencies. No
certified public accountant or public accountant will be recognized as
independent who is not independent both in fact and in appearance.
Internal auditing. An independent assessment function
established within an institution to examine and evaluate its system of
internal control and the efficiency with which the various units of the
institution are carrying out their assigned tasks. The objective of
internal auditing is to assist the management and directors of the
institution in the effective discharge of their responsibilities. To
this end, internal auditing furnishes management with analyses,
evaluations, recommendations, counsel, and information concerning the
activities reviewed.
Outside directors. Members of an institution's board of
directors who are not officers, employees, or principal stockholders of
the institution, its subsidiaries, or its affiliates, and who do not
have any material business dealings with the institution, its
subsidiaries, or its affiliates.
Regulatory reports. These reports are the Reports of
Condition and Income (Call Reports) for banks, Thrift Financial Reports
(TFRs) for savings associations, Federal Reserve (FR) Y reports for
bank holding companies, and the H-(b)11 Annual Report for thrift
holding companies.
Reporting by an independent public accountant on an
institution's internal control structure over financial
reporting. Under this engagement, management evaluates and
documents its review of the effectiveness of the institution's
internal control over financial reporting in the identified risk areas
as of a specific report date. Management prepares a written assertion,
which specifies the criteria on which management based its evaluation
about the effectiveness of the institution's internal control over
financial reporting in the identified risk areas and states
management's opinion on the effectiveness of internal control over
this specified financial reporting. The independent public accountant
is engaged to perform tests on the internal control over the specified
financial reporting in order to attest to management's assertion. If
the accountant concurs with management's assertion, even if the
assertion discloses one or more instances of material internal control
weakness, the accountant would provide a report attesting to
management's assertion.
Risk areas. Those particular activities of an institution
that expose it to greater potential losses if problems exist and go
undetected. The areas with the highest financial reporting risk in most
institutions generally are their lending and investment securities
activities.
Specified procedures. Procedures agreed-upon by the
institution and the auditor to test its activities in certain areas.
The auditor reports findings and test results, but does not express an
opinion on controls or balances. If performed by an independent public
accountant, these procedures should be performed under generally
accepted standards for attestation engagements (GASAE).
By order of the Board of Directors, October 15, 1999.
1 See 12 CFR part 30 for national banks;
12 CFR part 364 for state
nonmember banks; 12 CFR part 208 for state member banks; and 12 CFR
part 510 for savings associations.
2 This Policy Statement provides guidance consistent with the
guidance established in the
"Interagency Policy
Statement on the Internal Audit Function and its
Outsourcing."
3 See 12 U.S.C. 161 for national banks;
12 U.S.C. 1817a for state
nonmember banks; 12 U.S.C. 324 for state member banks; and 12 U.S.C.
1464(v) for savings associations.
4 Terms defined in appendix A are italicized the first time they
appear in this policy statement.
5 Institutions with $500 million or more in total assets must
establish an independent audit committee made up of outside directors
who are independent of management. See
12 U.S.C. 1831m(g)(1) and
12 CFR 363.5.
6 Since the lending and investment securities activities
generally present the most significant risks that affect an
institution's financial reporting, management's assertion and the
accountant's attestation generally should cover those regulatory
report schedules. If the institution has trading or off-balance sheet
activities that present material financial reporting risks, the board
or audit committee should ensure that the regulatory report schedules
for those activities also are covered by management's assertion and
the accountant's attestation. (See Note.) However, the schedules
listed in the Note are not intended to address all possible risks in an
institution.
7 An attestation engagement is not an audit. It is performed
under different professional standards than an audit of an
institution's financial statements or its balance sheet.
8 When performed by an independent public accountant,
"specified procedures" and "agreed-upon procedures"
engagements are performed under standards, which are different
professional standards than those used for an audit of an
institution's financial statements or its balance sheet.
9 The Office of Thrift Supervision requires an external audit by
an independent public accountant for savings associations with a
composite rating of 3, 4, or 5 under the Uniform Financial Institution
Rating System, and on a case-by-case basis.
10 The institution's engagement letter is not a "report"
and is not expected to be submitted to the appropriate supervisory
office unless specifically requested by that office.
11 When an institution's financial information is included in
the audited consolidated financial statements of its parent company,
the institution should provide a copy of the audited financial
statements of the consolidated company and any other reports by the
independent public accountant in accordance with their appropriate
supervisory office's guidance. If several institutions are owned by
one parent company, a single copy of the reports may be supplied in
accordance with the guidance of the appropriate supervisory office of
each agency supervising one or more of the affiliated institutions and
the holding company. A transmittal letter should identify the
institutions covered. Any notifications of changes in, or terminations
of, a consolidated company's independent public accountant may be
similarly supplied to the appropriate supervisory office of each
supervising agency.