TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK
The FDIC's final rule implementing Section 112 of the
FDIC Improvement Act of 1991 (FDICIA) became effective July 2,
1993. This section of FDICIA amends the Federal Deposit Insurance
Act by adding Section 36, "Early Identification of Needed
Improvements in Financial Management." Effective with fiscal years
beginning after December 31, 1992, the final rule requires state
member banks and other insured depository institutions with $500
million or more in total assets as of the beginning of each fiscal
year to obtain annual independent audits, to submit certain
management reports to their regulatory agencies, and to establish
audit committees of their board of directors comprised of
independent directors. In addition, the final rule establishes
certain new requirements for independent auditors of insured
depository institutions. A copy of the final rule and the
accompanying "Guidelines and Interpretations" are attached to this
letter.
Beginning in the first quarter of 1994, all state member
banks and certain other banks covered by Section 36 will be filing
the required reports (see section on "Management Responsibilities")
with each Federal Reserve Bank. This letter sets forth the types
of reports the Federal Reserve Banks will receive, and provides
guidance for the review of these reports. In addition, this letter
addresses the impact of the statute and the rule on examinations,
including appropriate training for Reserve Bank staff.
Background
The "Guidelines and Interpretations" that accompany the
final FDIC rule are designed to aid in the rule's implementation by
providing greater clarity to the rule's requirements and by
permitting future modification of the guidelines, consistent with
practical experiences gained by the FDIC and other federal banking
agencies in the administration of the rule. The regulatory scheme
now requires new responsibilities of managements, boards of
directors, and independent public accountants (CPAs). Although
these requirements became effective as of July 2, 1993, many of the
reporting requirements will be effective for the 1993 annual
reports. It is expected that reasonable and good faith attempts to
comply with the advice contained in the Guidelines will minimize
the need for agency enforcement actions.
Management Responsibilities. The rule requires
institutions with total assets greater than $500 million to submit
to the FDIC, its primary federal regulator, and appropriate state
regulator within 90 days after the end of its fiscal year:
The financial statements included in the annual report
must be prepared in accordance with generally accepted accounting
principles (GAAP). The management report must contain: (i) a
statement of management's responsibility for preparing the
institution's annual financial statements, for establishing and
maintaining adequate internal controls over financial reporting,
and for complying with certain laws and regulations designated by
the FDIC; and (ii) management's assessment of the effectiveness of
those internal controls and the institution's compliance with the
designated laws and regulations.
Institutions are also required to submit to their primary
supervisory agency a report prepared by the CPA based upon the
"agreed-upon procedures" performed to determine compliance with
designated laws and regulations.2 However, unlike the annual
report, the management report, and the CPAs attestation report,
this report is not available for public inspection.
There has been some question regarding whether the
internal controls over the preparation of the Call Report is
covered by the definition of internal controls over financial
reporting. The FDIC staff, together with the staff of the Federal
Reserve and the staffs of the other federal banking agencies,
believes the intent of the final rule is to include Call Reports in
the definition of internal controls over financial reporting.
Therefore, those controls related to the preparation of the Call
Report should be included in management's assessment and the CPAs
attestation regarding the effectiveness of the internal control
structure and procedures over financial reporting.
Section 36 provides exceptions for certain reporting
requirements by an insured depository institution that is a
subsidiary of a holding company. First, any such depository
institution subject to the requirements of this section may satisfy
the annual audit requirement by filing the audited financial
statements of the consolidated holding company. Second, the other
reporting requirements of Section 36 affecting insured depository
institutions that are subsidiaries of a holding company may be
satisfied by submitting consolidated holding company reports if:
(i) the services and functions "comparable" to those required
by the largest insured depository institution are
provided at the holding company level; and
(ii) either the insured depository institution has total
assets at the beginning of the year of: (a) less than $5
billion; or (b) more than $5 billion, but less than $9
billion, and a composite CAMEL rating of 1 or 2.
Generally, services and functions will be considered "comparable"
if the holding company (a) prepares the reports used by the insured
depository institution to meet the requirements of Section 36, (b)
has an audit committee that meets the requirements of Section 36
appropriate for its largest insured depository institution
subsidiary, and (c) prepares and submits the management assessment
of internal controls and compliance with designated laws and
regulations based on activities and operations of all subsidiaries
covered by Section 36.
Finally, each state member bank must provide written
notice to the appropriate Reserve Bank within 15 days after the
termination, resignation, or engagement of a CPA. In addition, the
CPA must provide written notice to the appropriate Reserve Bank
within 15 days of their termination of services. The above notices
must include a statement describing the reasons for the actions
taken.
Audit Committee Requirements. Each institution subject
to Section 36 must establish an audit committee comprised entirely
of outside directors who are independent of the institution. For
"large institutions," that is, institutions with total assets
greater than $3 billion, the audit committee is subject to more
stringent requirements. These audit committees must (i) include
members with banking or related management experience, (ii) have
access to its own outside counsel, and (iii) not include any large
customers of the institution. Although the final rule does not
define "independent person," "large customer," and "banking and
financial management expertise," the guidelines establish
circumstances and criteria that should assist boards of directors
in making determinations about the qualifications of audit
committee members.
CPA Requirements. CPAs must satisfy certain general
qualifications set forth in the Rule and Guidelines in order to be
eligible to perform the audit and attest services of Section 36.
In addition, the rule provides guidance concerning CPA
independence, the CPA's "Peer Review" program, the filing of peer
review reports, and information that institutions must provide the
CPA. Consistent with the statutory mandate of Section 36, the Rule
and Guidelines include a requirement that CPAs make their audit
policies, programs, and workpapers available to the regulatory
agencies upon request. Lastly, FDICIA Section 112 also grants the
federal banking and thrift agencies with expanded enforcement
authority over CPAs, including suspension and debarment of
accountants from performing Section 36 services. A joint rule
establishing such remedies is under consideration as a separate
project of the federal banking agencies, but has not yet been
issued for public comment.
Reporting Requirements and Review Procedures
Reporting Requirements - State member banks covered by
Section 36 are required to file within 90 days after the end of its
fiscal year the annual report, the management report, the CPAs
attestation report, and the agreed-upon procedures report
(collectively; Section 36 reports) with the appropriate Federal
Reserve Bank. In addition, the rule also permits insured
depository institutions to satisfy Section 36 reporting
requirements under the consolidation criteria indicated previously.
However, the rule does not address the Federal Reserve Board's
responsibility as the primary regulator of bank holding companies.
Thus, to facilitate prudential supervision, all bank holding
companies shall submit on behalf of their insured depository
institution subsidiaries one copy of the reports required by
Section 36 for those applicable institutions regardless of the
charter of the subsidiary in the holding company. Therefore,
Reserve Banks should receive Section 36 reports from all bank
holding companies that submit Section 36 reports prepared on behalf
of their subsidiaries covered by Section 36, including any
subsidiary that did not qualify for the holding company exception.3
A sample transmittal letter to be sent by the Reserve Bank to each
bank holding company subject to Section 36 which communicates these
reporting requirements is attached.
In addition to the Section 36 reports discussed above,
the FDIC rule requires insured depository institutions to submit
the management letter, any qualification, and any "other report"
prepared by the CPA pursuant to Section 36 within 15 days after
receipt. Management should submit any of these other reports that,
in their judgment, pertains to the requirements of Section 36
including opinions on financial reporting or accounting matters,
internal controls over financial reporting, and compliance with
laws and regulations.4
Report Review Procedures - The annual reporting
requirements of Section 36 will result in the submission of many
reports that will require review by Reserve Bank personnel in late
March and April (starting in 1994). Each Reserve Bank should
endeavor to see that these reports are reviewed within 45 days of
receipt. Accordingly, each Reserve Bank should consider
implementing the following two-step process for reviewing Section
36 reports. This review process should lead to effective
identification of significant issues, and at the same time minimize
the pressure on Reserve Bank resources. Although, the respective
Reserve Bank may find the need to modify this suggested approach in
view of staffing and other resource considerations, nonetheless it
should take the necessary steps to accomplish the objectives and
timetable for the preliminary review detailed herein.
Review team examiners that are performing the preliminary
review should possess certain basic skills and experience. For
example: (i) these examiners should have sufficient experience to
understand overall bank management practices, (ii) be able to
identify the risks and analytical relationships in financial
statements, (iii) understand the requirements of Section 36, and
(iv) have a basic understanding of GAAP, generally accepted
auditing standards (GAAS), and the AICPA's Statements on Standards
for Attestation Engagements.
In addition, it is recommended that the review of Section
36 reports filed by bank holding companies be performed by the
Reserve Bank with supervisory responsibility for that bank holding
company. For state member bank subsidiaries located in a Reserve
District different from the parent bank holding company, a copy of
the Section 36 reports and a copy of the completed preliminary
review checklist should be forwarded to the appropriate Federal
Reserve Bank supervisory officer for the state member bank.
As discussed above, Section 36 requires the submission of
several additional types of reports, which include, the management
letter, or "other reports" issued by the institution's CPA. These
reports should be forwarded to the appropriate Federal Reserve
Bank supervisory official or examiner that is responsible for the
supervision of the particular bank. Reserve Bank personnel should
endeavor to complete this review within 30 days of their receipt.
Special attention should be directed to notifications of
changes in CPAs (also referred to as "notices" in the FDIC
guidelines). Appropriate Reserve Bank personnel (Supervising
Officer or examiner-in-charge) should endeavor to review these
notices within 15 days of receipt. The reviewer should evaluate
the change in CPAs to determine if the reason for such a change has
any impact on the credibility of future audit reports. This review
should focus on determining whether any differences of opinion on
accounting or reporting issues between management and the former
CPA influenced the decision to change CPAs. In addition, the
review should determine that the successor CPA satisfies the
general qualifications and independence requirements of Section 36
and that the successor CPA has a current peer review report on file
with the FDIC. The reviewer should also consider discussing the
change in CPAs with bank management, the audit committee chairman,
the predecessor CPA, and the successor CPA to determine the
reasonableness of the change in CPAs. Finally, notices received
from institutions with a CAMEL rating of 3 or below should receive
closer scrutiny to ensure that the changes were not a result of
"opinion shopping" or some other inappropriate or questionable
reason.5
Impact on Internal Control Review Program
The Staff of the Federal Reserve System is currently
developing a comprehensive internal control review program to aid
examiners in assessing the effectiveness of an institution's
internal controls. The requirements of Section 36 expand the
degree of evaluation and reporting required of management and
CPAs in the area of internal controls. Clearly, these new
requirements should have an impact on the procedures currently
performed by examiners. Separate examination guidance to
supplement the comprehensive internal control review program is
being developed which will aid the examiner in performing an
assessment of the effectiveness of the system of internal
controls.
Training Requirements
The requirements of Section 36 will have an impact on
the basic training needs of Reserve System personnel. Foremost
is the need to educate personnel in the requirements of Section
36, including attendant policies and procedures developed to
satisfy these requirements. Furthermore, examiners and other
personnel that will be reviewing CPA workpapers and reports will
need to develop or further refine their knowledge and expertise
in the following areas: (i) GAAP, GAAS, and Attestation
Standards, (ii) CPA workpaper techniques and related review
procedures, and (iii) CPA firm quality review program. Federal
Reserve System training programs to address these matters are
under development.
Other Considerations
As previously mentioned in the background discussion,
Section 36 provides the Federal Reserve and the other federal
banking agencies expanded authority to review (1) CPA audit
workpapers and programs, and (2) CPA firm "Peer Review" reports
(i.e., reports on the quality of a CPA firms audit work).
Implementation guidance concerning these areas will be addressed
in subsequent SR letters.
Questions regarding the guidance in this letter should
be directed to John Frech at (202) 452-2275 or Stephen Mackey at
(202) 452-5264. In addition, if state member banks and bank
holding companies request a copy of this letter, you may provide
them with a copy. Finally, please submit the name of the
individual(s) assigned at the Reserve Bank with the
implementation responsibility for this section of FDICIA to John
Frech as soon as possible.
Richard Spillenkothen
ATTACHMENTS TRANSMITTED ELECTRONICALLY BELOW
Suggested Transmittal Letter to
To The Chief Executive Officer of
The FDIC's final rule implementing Section 112 of the
FDIC Improvement Act of 1991 (FDICIA) became effective July 2,
1993. This section of FDICIA amends the Federal Deposit
Insurance Act by adding Section 36, "Early Identification of
Needed Improvements in Financial Management." In general,
effective with fiscal years beginning after December 31, 1992,
the final rule requires state member banks and other insured
depository institutions with $500 million or more in total assets
as of the beginning of each fiscal year ("Covered institutions")
to obtain annual independent audits, to submit certain management
reports to their regulatory agencies, and to establish audit
committees of their board of directors comprised of independent
directors. In addition, the final rule establishes certain new
requirements for independent auditors of insured depository
institutions.
Covered institutions are required to submit a copy of
the following reports to the Federal Reserve Bank,
ATTN:...............................(Federal Reserve Bank staff
member or Department), with additional copies submitted to the FDIC and its
appropriate state regulator, within 90 days after the end of its
fiscal year:
Covered institutions are also required to submit to
their primary supervisory agency a report prepared by the CPA
based upon certain "agreed-upon procedures" performed to
determine compliance with designated laws and regulations.
However, unlike contents of the annual report above, this report
is not available for public inspection.
This letter will discuss a number of implementation
issues that have recently come to our attention affecting the
nature and scope of these reports that will be filed with the
Federal Reserve.
1. Call Reports. There has been some question
regarding whether the internal controls over the preparation of
the Call Report is to be covered by the definition of internal
controls over financial reporting. The FDIC staff, together with
the staff of the Federal Reserve and the staffs of the other
federal banking agencies, believes the intent of the final rule
is to include Call Reports in the definition of internal controls
over financial reporting. Therefore, the control structure and
procedures related to the preparation of the Call Report shall be
included in management's assessment and the CPAs attestation
regarding the effectiveness of the internal control structure and
procedures over financial reporting.
2. Bank Holding Company Filing Requirements. State
member banks covered by the final FDIC rule are required to file
their annual reports with the appropriate Federal Reserve Bank
within 90 days of their fiscal year end. In addition, the FDIC
rule permits certain insured depository institutions to satisfy
their reporting requirements by filing their annual reports on a
consolidated holding company basis, provided these institutions
meet certain size and CAMEL rating criteria. However, the rule
does not address the Federal Reserve Board's responsibility as
the primary regulator of bank holding companies. Thus, to
facilitate effective and prudential supervision of the holding
company, bank holding companies that have institutions subject to
the FDIC final rule and guidelines shall submit one copy of the
reports covered by this section to the appropriate Federal
Reserve Bank. A copy of the reports shall be submitted to the
Reserve Bank whether or not the holding company submitted these
reports on a consolidated basis for their banking subsidiaries,
and regardless of the charter of the bank subsidiary in the
holding company.
If there are any questions regarding the reporting
requirements of Section 36, or any other requirements associated
with this Section, please call ...................... (Reserve
Bank staff member) at ........................... .
Footnotes 1. The preamble to the final rule includes the following discussion of internal control structure and procedures for financial reporting. "To comply with the reporting and attestation requirements of the final rule, both management and the independent public accountant should refer to terms, including "internal control structure" and "control procedures," in professional accounting and auditing literature." As an example, current authoritative auditing literature includes the following discussion of internal controls: "In establishing specific internal control structure policies and procedures concerning an entity's ability to record, process, summarize, and report financial data that is consistent with management's assertions embodied in the financial statements, some of the specific objectives management may wish to consider include ... Transactions are recorded as necessary to permit preparation of financial statements in conformity with GAAP or any other criteria applicable to such statements." Return to text 2. In order to permit CPAs to determine the extent of compliance with the laws and regulations designated by Section 36 and the related assessment by management, the FDIC set forth as separate schedules to the guidelines certain "Agreed-Upon Procedures" regarding loans to insiders and dividend restrictions to be performed by the CPA (or in some cases the bank's internal auditor and the CPA). Return to text 3. For example: A bank holding company may have several subsidiaries between $500 million and $5 billion (or $9 billion if rated CAMEL 1 or 2) and a subsidiary larger than this upper limit. The holding company may file Section 36 reports on a consolidated basis for qualified subsidiaries (accompanied by a cover letter identifying these subsidiaries). However, the subsidiary that does not meet the criteria for the holding company exception would be required to file Section 36 reports independently of the holding company. The appropriate Reserve Bank should receive both sets of reports in the above example. Return to text 4. For example: an institution that contracts its data processing needs out to a servicing organization would normally receive a report from the independent public accountant of the servicing organization on the effectiveness of the service organization's internal controls (AICPA Statement on Auditing Standards (SAS) Number 70 - "Reports on the Processing of Transactions by Service Organizations" provides guidance to CPA's on issuing and using these reports). When this report addresses internal controls that affect the institution's financial reporting, the report should be submitted to the appropriate Reserve Bank. However, if the servicing organization is a depository institution subject to Section 36, and the system used for servicing customers is independent of its data processing system and the internal controls over financial reporting, any report concerning the effectiveness of these controls would not be required to be submitted in satisfaction of the Section 36 reporting requirements for the servicing organization. Return to text 5. The term "Opinion Shopping" usually relates to the situation where management and the CPA have a disagreement on an issue that if not resolved would result in the CPA issuing a qualified or adverse opinion in the audit report. To avoid this qualified opinion, management would seek out a CPA willing to accept their position and issue a clean opinion in the audit report. Return to text |
||||||||||
