BOARD OF GOVERNORS
FEDERAL RESERVE SYSTEM
WASHINGTON, D. C. 20551
DIVISION OF BANKING
SUPERVISION AND REGULATION
January 13, 1994
TO THE OFFICER IN CHARGE OF SUPERVISION
AT EACH FEDERAL RESERVE BANK
SUBJECT: Supervisory Guidance on the Implementation of Section 112 of the FDIC Improvement Act
The FDIC's final rule implementing Section 112 of the FDIC Improvement Act of 1991 (FDICIA) became effective July 2, 1993. This section of FDICIA amends the Federal Deposit Insurance Act by adding Section 36, "Early Identification of Needed Improvements in Financial Management." Effective with fiscal years beginning after December 31, 1992, the final rule requires state member banks and other insured depository institutions with $500 million or more in total assets as of the beginning of each fiscal year to obtain annual independent audits, to submit certain management reports to their regulatory agencies, and to establish audit committees of their board of directors comprised of independent directors. In addition, the final rule establishes certain new requirements for independent auditors of insured depository institutions. A copy of the final rule and the accompanying "Guidelines and Interpretations" are attached to this letter.
Beginning in the first quarter of 1994, all state member banks and certain other banks covered by Section 36 will be filing the required reports (see section on "Management Responsibilities") with each Federal Reserve Bank. This letter sets forth the types of reports the Federal Reserve Banks will receive, and provides guidance for the review of these reports. In addition, this letter addresses the impact of the statute and the rule on examinations, including appropriate training for Reserve Bank staff.
The "Guidelines and Interpretations" that accompany the final FDIC rule are designed to aid in the rule's implementation by providing greater clarity to the rule's requirements and by permitting future modification of the guidelines, consistent with practical experiences gained by the FDIC and other federal banking agencies in the administration of the rule. The regulatory scheme now requires new responsibilities of managements, boards of directors, and independent public accountants (CPAs). Although these requirements became effective as of July 2, 1993, many of the reporting requirements will be effective for the 1993 annual reports. It is expected that reasonable and good faith attempts to comply with the advice contained in the Guidelines will minimize the need for agency enforcement actions.
Management Responsibilities. The rule requires institutions with total assets greater than $500 million to submit to the FDIC, its primary federal regulator, and appropriate state regulator within 90 days after the end of its fiscal year:
- an annual report containing audited annual financial statements including the CPA's report thereon,
- a management report, and
- a CPA's attestation report concerning the institution's internal control structure and procedures for financial reporting.1
The financial statements included in the annual report must be prepared in accordance with generally accepted accounting principles (GAAP). The management report must contain: (i) a statement of management's responsibility for preparing the institution's annual financial statements, for establishing and maintaining adequate internal controls over financial reporting, and for complying with certain laws and regulations designated by the FDIC; and (ii) management's assessment of the effectiveness of those internal controls and the institution's compliance with the designated laws and regulations.
Institutions are also required to submit to their primary supervisory agency a report prepared by the CPA based upon the "agreed-upon procedures" performed to determine compliance with designated laws and regulations.2 However, unlike the annual report, the management report, and the CPAs attestation report, this report is not available for public inspection.
There has been some question regarding whether the internal controls over the preparation of the Call Report is covered by the definition of internal controls over financial reporting. The FDIC staff, together with the staff of the Federal Reserve and the staffs of the other federal banking agencies, believes the intent of the final rule is to include Call Reports in the definition of internal controls over financial reporting. Therefore, those controls related to the preparation of the Call Report should be included in management's assessment and the CPAs attestation regarding the effectiveness of the internal control structure and procedures over financial reporting.
Section 36 provides exceptions for certain reporting requirements by an insured depository institution that is a subsidiary of a holding company. First, any such depository institution subject to the requirements of this section may satisfy the annual audit requirement by filing the audited financial statements of the consolidated holding company. Second, the other reporting requirements of Section 36 affecting insured depository institutions that are subsidiaries of a holding company may be satisfied by submitting consolidated holding company reports if:
(i) the services and functions "comparable" to those required by the largest insured depository institution are provided at the holding company level; and
(ii) either the insured depository institution has total assets at the beginning of the year of: (a) less than $5 billion; or (b) more than $5 billion, but less than $9 billion, and a composite CAMEL rating of 1 or 2.
Generally, services and functions will be considered "comparable" if the holding company (a) prepares the reports used by the insured depository institution to meet the requirements of Section 36, (b) has an audit committee that meets the requirements of Section 36 appropriate for its largest insured depository institution subsidiary, and (c) prepares and submits the management assessment of internal controls and compliance with designated laws and regulations based on activities and operations of all subsidiaries covered by Section 36.
Finally, each state member bank must provide written notice to the appropriate Reserve Bank within 15 days after the termination, resignation, or engagement of a CPA. In addition, the CPA must provide written notice to the appropriate Reserve Bank within 15 days of their termination of services. The above notices must include a statement describing the reasons for the actions taken.
Audit Committee Requirements. Each institution subject to Section 36 must establish an audit committee comprised entirely of outside directors who are independent of the institution. For "large institutions," that is, institutions with total assets greater than $3 billion, the audit committee is subject to more stringent requirements. These audit committees must (i) include members with banking or related management experience, (ii) have access to its own outside counsel, and (iii) not include any large customers of the institution. Although the final rule does not define "independent person," "large customer," and "banking and financial management expertise," the guidelines establish circumstances and criteria that should assist boards of directors in making determinations about the qualifications of audit committee members.
CPA Requirements. CPAs must satisfy certain general qualifications set forth in the Rule and Guidelines in order to be eligible to perform the audit and attest services of Section 36. In addition, the rule provides guidance concerning CPA independence, the CPA's "Peer Review" program, the filing of peer review reports, and information that institutions must provide the CPA. Consistent with the statutory mandate of Section 36, the Rule and Guidelines include a requirement that CPAs make their audit policies, programs, and workpapers available to the regulatory agencies upon request. Lastly, FDICIA Section 112 also grants the federal banking and thrift agencies with expanded enforcement authority over CPAs, including suspension and debarment of accountants from performing Section 36 services. A joint rule establishing such remedies is under consideration as a separate project of the federal banking agencies, but has not yet been issued for public comment.
Reporting Requirements and Review Procedures
Reporting Requirements - State member banks covered by Section 36 are required to file within 90 days after the end of its fiscal year the annual report, the management report, the CPAs attestation report, and the agreed-upon procedures report (collectively; Section 36 reports) with the appropriate Federal Reserve Bank. In addition, the rule also permits insured depository institutions to satisfy Section 36 reporting requirements under the consolidation criteria indicated previously. However, the rule does not address the Federal Reserve Board's responsibility as the primary regulator of bank holding companies. Thus, to facilitate prudential supervision, all bank holding companies shall submit on behalf of their insured depository institution subsidiaries one copy of the reports required by Section 36 for those applicable institutions regardless of the charter of the subsidiary in the holding company. Therefore, Reserve Banks should receive Section 36 reports from all bank holding companies that submit Section 36 reports prepared on behalf of their subsidiaries covered by Section 36, including any subsidiary that did not qualify for the holding company exception.3 A sample transmittal letter to be sent by the Reserve Bank to each bank holding company subject to Section 36 which communicates these reporting requirements is attached.
In addition to the Section 36 reports discussed above, the FDIC rule requires insured depository institutions to submit the management letter, any qualification, and any "other report" prepared by the CPA pursuant to Section 36 within 15 days after receipt. Management should submit any of these other reports that, in their judgment, pertains to the requirements of Section 36 including opinions on financial reporting or accounting matters, internal controls over financial reporting, and compliance with laws and regulations.4
Report Review Procedures - The annual reporting requirements of Section 36 will result in the submission of many reports that will require review by Reserve Bank personnel in late March and April (starting in 1994). Each Reserve Bank should endeavor to see that these reports are reviewed within 45 days of receipt. Accordingly, each Reserve Bank should consider implementing the following two-step process for reviewing Section 36 reports. This review process should lead to effective identification of significant issues, and at the same time minimize the pressure on Reserve Bank resources. Although, the respective Reserve Bank may find the need to modify this suggested approach in view of staffing and other resource considerations, nonetheless it should take the necessary steps to accomplish the objectives and timetable for the preliminary review detailed herein.
- Each Reserve Bank should organize a team of qualified personnel (i.e., that have the experience and skills referred to below) that will be dedicated to the preliminary review of Section 36 reports. (These persons are referred to as the "review team" or the "reviewer" in this SR Letter.) Generally, Section 36 reports will be received from state member banks and bank holding companies during late March and April for those institutions with a calendar year-end. The review team should endeavor to complete their preliminary review of these reports within 45 days of their receipt.
The preliminary review should focus on identifying information within the annual reports that could have a significant impact on the safety and soundness of an institution (for example, if the financial statements indicate significant adverse financial trends, or the report on internal controls over financial reporting identifies a material weakness, etc.). Any Section 36 report that has such a situation identified will be recommended for additional review procedures. Appropriate additional review procedures could require significant professional judgement and should be the responsibility of an appropriate supervisory officer of the reviewing Reserve Bank (for example, discussion with institution management or the CPA, request for documentation from management or the CPA, special examination, etc.). A "Preliminary Review Checklist" to aid in performing this preliminary review is attached (see Attachment 1). The preliminary review checklist assists the reviewer in identifying significant financial and reporting relationships that can "red flag" potential problems that would warrant additional follow-up procedures.
The reviewer should note that in the initial year of implementation of this new rule, there will be an initial period in which institutions and CPAs will need to gain an understanding of the reporting requirements. During this initial review period, the reviewer should describe and discuss any apparent reporting violations with the institution and its CPA. Based upon the reviewer's judgement of the institution's situation, the reviewer should focus on education and making recommendations about compliance, rather than pursuing formal enforcement actions for apparent reporting violations. However, this should not preclude the pursuit of formal enforcement actions, when warranted, such as a flagrant disregard for the reporting requirements. During the first year of implementation, the review checklist should indicate the status of the institution's implementation efforts if the institution is not yet in full compliance with the rule. (This approach is consistent with recent examination guidance issued by the FDIC.)
- After completion of the preliminary reviews all Section 36 reports, together with a copy of the Preliminary Review Checklist and any other pertinent information, should be forwarded to the appropriate supervisory officer (in many cases this will be the examiner in-charge) for each reporting institution. Additional guidance to aid the examiner in applying Section 36 reports to the examination process is currently under development and will be the subject of a subsequent letter. This letter will cover examination planning, review procedures for Section 36 reports which will be performed during the examination, and a method to determine the extent to which detailed examination procedures may be modified. The representations reported by management and the CPA in preparing Section 36 reports may enable the examiner to reduce or supplement examination procedures planned for such areas as internal controls over financial reporting and compliance with designated laws and regulations.
Review team examiners that are performing the preliminary review should possess certain basic skills and experience. For example: (i) these examiners should have sufficient experience to understand overall bank management practices, (ii) be able to identify the risks and analytical relationships in financial statements, (iii) understand the requirements of Section 36, and (iv) have a basic understanding of GAAP, generally accepted auditing standards (GAAS), and the AICPA's Statements on Standards for Attestation Engagements.
In addition, it is recommended that the review of Section 36 reports filed by bank holding companies be performed by the Reserve Bank with supervisory responsibility for that bank holding company. For state member bank subsidiaries located in a Reserve District different from the parent bank holding company, a copy of the Section 36 reports and a copy of the completed preliminary review checklist should be forwarded to the appropriate Federal Reserve Bank supervisory officer for the state member bank.
As discussed above, Section 36 requires the submission of several additional types of reports, which include, the management letter, or "other reports" issued by the institution's CPA. These reports should be forwarded to the appropriate Federal Reserve Bank supervisory official or examiner that is responsible for the supervision of the particular bank. Reserve Bank personnel should endeavor to complete this review within 30 days of their receipt.
Special attention should be directed to notifications of changes in CPAs (also referred to as "notices" in the FDIC guidelines). Appropriate Reserve Bank personnel (Supervising Officer or examiner-in-charge) should endeavor to review these notices within 15 days of receipt. The reviewer should evaluate the change in CPAs to determine if the reason for such a change has any impact on the credibility of future audit reports. This review should focus on determining whether any differences of opinion on accounting or reporting issues between management and the former CPA influenced the decision to change CPAs. In addition, the review should determine that the successor CPA satisfies the general qualifications and independence requirements of Section 36 and that the successor CPA has a current peer review report on file with the FDIC. The reviewer should also consider discussing the change in CPAs with bank management, the audit committee chairman, the predecessor CPA, and the successor CPA to determine the reasonableness of the change in CPAs. Finally, notices received from institutions with a CAMEL rating of 3 or below should receive closer scrutiny to ensure that the changes were not a result of "opinion shopping" or some other inappropriate or questionable reason.5
Impact on Internal Control Review Program
The Staff of the Federal Reserve System is currently developing a comprehensive internal control review program to aid examiners in assessing the effectiveness of an institution's internal controls. The requirements of Section 36 expand the degree of evaluation and reporting required of management and CPAs in the area of internal controls. Clearly, these new requirements should have an impact on the procedures currently performed by examiners. Separate examination guidance to supplement the comprehensive internal control review program is being developed which will aid the examiner in performing an assessment of the effectiveness of the system of internal controls.
The requirements of Section 36 will have an impact on the basic training needs of Reserve System personnel. Foremost is the need to educate personnel in the requirements of Section 36, including attendant policies and procedures developed to satisfy these requirements. Furthermore, examiners and other personnel that will be reviewing CPA workpapers and reports will need to develop or further refine their knowledge and expertise in the following areas: (i) GAAP, GAAS, and Attestation Standards, (ii) CPA workpaper techniques and related review procedures, and (iii) CPA firm quality review program. Federal Reserve System training programs to address these matters are under development.
As previously mentioned in the background discussion, Section 36 provides the Federal Reserve and the other federal banking agencies expanded authority to review (1) CPA audit workpapers and programs, and (2) CPA firm "Peer Review" reports (i.e., reports on the quality of a CPA firms audit work). Implementation guidance concerning these areas will be addressed in subsequent SR letters.
Questions regarding the guidance in this letter should be directed to John Frech at (202) 452-2275 or Stephen Mackey at (202) 452-5264. In addition, if state member banks and bank holding companies request a copy of this letter, you may provide them with a copy. Finally, please submit the name of the individual(s) assigned at the Reserve Bank with the implementation responsibility for this section of FDICIA to John Frech as soon as possible.
ATTACHMENTS TRANSMITTED ELECTRONICALLY BELOW
Suggested Transmittal Letter to
Bank Holding Companies with
Subsidiaries Subject to Section 36 of FDI Act
To The Chief Executive Officer of
Bank Holding Companies
The FDIC's final rule implementing Section 112 of the FDIC Improvement Act of 1991 (FDICIA) became effective July 2, 1993. This section of FDICIA amends the Federal Deposit Insurance Act by adding Section 36, "Early Identification of Needed Improvements in Financial Management." In general, effective with fiscal years beginning after December 31, 1992, the final rule requires state member banks and other insured depository institutions with $500 million or more in total assets as of the beginning of each fiscal year ("Covered institutions") to obtain annual independent audits, to submit certain management reports to their regulatory agencies, and to establish audit committees of their board of directors comprised of independent directors. In addition, the final rule establishes certain new requirements for independent auditors of insured depository institutions.
Covered institutions are required to submit a copy of the following reports to the Federal Reserve Bank, ATTN:...............................(Federal Reserve Bank staff member or Department), with additional copies submitted to the FDIC and its appropriate state regulator, within 90 days after the end of its fiscal year:
- an annual report containing audited annual financial statements including the CPA's report thereon. The financial statements included in the annual report must be prepared in accordance with generally accepted accounting principles (GAAP).
- a management report. This report must contain: (i) a statement of management's responsibility for preparing the institution's annual financial statements, for establishing and maintaining adequate internal controls over financial reporting, and for complying with certain laws and regulations designated by the FDIC; and (ii) management's assessment of the effectiveness of those internal controls and the institution's compliance with the designated laws and regulations.
- a CPA's attestation report concerning the institution's internal control structure and procedures for financial reporting.
Covered institutions are also required to submit to their primary supervisory agency a report prepared by the CPA based upon certain "agreed-upon procedures" performed to determine compliance with designated laws and regulations. However, unlike contents of the annual report above, this report is not available for public inspection.
This letter will discuss a number of implementation issues that have recently come to our attention affecting the nature and scope of these reports that will be filed with the Federal Reserve.
1. Call Reports. There has been some question regarding whether the internal controls over the preparation of the Call Report is to be covered by the definition of internal controls over financial reporting. The FDIC staff, together with the staff of the Federal Reserve and the staffs of the other federal banking agencies, believes the intent of the final rule is to include Call Reports in the definition of internal controls over financial reporting. Therefore, the control structure and procedures related to the preparation of the Call Report shall be included in management's assessment and the CPAs attestation regarding the effectiveness of the internal control structure and procedures over financial reporting.
2. Bank Holding Company Filing Requirements. State member banks covered by the final FDIC rule are required to file their annual reports with the appropriate Federal Reserve Bank within 90 days of their fiscal year end. In addition, the FDIC rule permits certain insured depository institutions to satisfy their reporting requirements by filing their annual reports on a consolidated holding company basis, provided these institutions meet certain size and CAMEL rating criteria. However, the rule does not address the Federal Reserve Board's responsibility as the primary regulator of bank holding companies. Thus, to facilitate effective and prudential supervision of the holding company, bank holding companies that have institutions subject to the FDIC final rule and guidelines shall submit one copy of the reports covered by this section to the appropriate Federal Reserve Bank. A copy of the reports shall be submitted to the Reserve Bank whether or not the holding company submitted these reports on a consolidated basis for their banking subsidiaries, and regardless of the charter of the bank subsidiary in the holding company.
If there are any questions regarding the reporting requirements of Section 36, or any other requirements associated with this Section, please call ...................... (Reserve Bank staff member) at ........................... .
1. The preamble to the final rule includes the following discussion of internal control structure and procedures for financial reporting. "To comply with the reporting and attestation requirements of the final rule, both management and the independent public accountant should refer to terms, including "internal control structure" and "control procedures," in professional accounting and auditing literature." As an example, current authoritative auditing literature includes the following discussion of internal controls: "In establishing specific internal control structure policies and procedures concerning an entity's ability to record, process, summarize, and report financial data that is consistent with management's assertions embodied in the financial statements, some of the specific objectives management may wish to consider include ... Transactions are recorded as necessary to permit preparation of financial statements in conformity with GAAP or any other criteria applicable to such statements." Return to text
2. In order to permit CPAs to determine the extent of compliance with the laws and regulations designated by Section 36 and the related assessment by management, the FDIC set forth as separate schedules to the guidelines certain "Agreed-Upon Procedures" regarding loans to insiders and dividend restrictions to be performed by the CPA (or in some cases the bank's internal auditor and the CPA). Return to text
3. For example: A bank holding company may have several subsidiaries between $500 million and $5 billion (or $9 billion if rated CAMEL 1 or 2) and a subsidiary larger than this upper limit. The holding company may file Section 36 reports on a consolidated basis for qualified subsidiaries (accompanied by a cover letter identifying these subsidiaries). However, the subsidiary that does not meet the criteria for the holding company exception would be required to file Section 36 reports independently of the holding company. The appropriate Reserve Bank should receive both sets of reports in the above example. Return to text
4. For example: an institution that contracts its data processing needs out to a servicing organization would normally receive a report from the independent public accountant of the servicing organization on the effectiveness of the service organization's internal controls (AICPA Statement on Auditing Standards (SAS) Number 70 - "Reports on the Processing of Transactions by Service Organizations" provides guidance to CPA's on issuing and using these reports). When this report addresses internal controls that affect the institution's financial reporting, the report should be submitted to the appropriate Reserve Bank.
However, if the servicing organization is a depository institution subject to Section 36, and the system used for servicing customers is independent of its data processing system and the internal controls over financial reporting, any report concerning the effectiveness of these controls would not be required to be submitted in satisfaction of the Section 36 reporting requirements for the servicing organization. Return to text
5. The term "Opinion Shopping" usually relates to the situation where management and the CPA have a disagreement on an issue that if not resolved would result in the CPA issuing a qualified or adverse opinion in the audit report. To avoid this qualified opinion, management would seek out a CPA willing to accept their position and issue a clean opinion in the audit report. Return to text
SR letters | 1994