Recent developments for FDICIA banks
Part 363 of the FDIC's regulations are generally intended to facilitate early identification of problems in financial management of insured depository institutions with assets above certain thresholds through the following:
1. Annual independent audits of the financial statements
2. Assessments of the effectiveness of internal controls over financial reporting
3. Management’s assessment of compliance with designated laws and regulations
4. Establishment of independent audit committees
5. Related reporting requirements to the appropriate banking regulators
The asset size threshold for provision No. 2 is $1 billion (measured as of the beginning of the fiscal year); while the threshold for the others Part 363 provisions is $500 million (also measured as of the beginning of the fiscal year).
Recent developments have implications for banks in applying provision No. 2. Specifically, it requires an assessment of internal control over financial reporting by both management and their independent auditors for insured institutions with $1 billion or more in total assets.
When reporting on a financial institution’s internal control over financial reporting pursuant to the requirements of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), the auditor’s attestation engagement has previously been required to be performed in accordance with American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements No. 10, Chapter 5, Reporting on an Entity’s Internal Control Over Financial Reporting (AT 501). Recently, the AICPA’s Auditing Standards Board (ASB) issued Statement of Standards for Attestation Engagement No. 15, An Examination of an Entity’s Internal Control Over Financial Reporting That is Integrated With an Audit of Its Financial Statements (SSAE 15). SSAE No. 15 substantially conforms to Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting that is Integrated with an Audit of Financial Statements (AS 5). The effective date of SSAE No. 15 is for years ended Dec. 31, 2008 and thereafter.
SSAE No. 15 is very similar to AS 5 (which applies to public companies) and convergence with AS 5 was supported by the banking regulators. As such, privately owned banks over $1 billion in total assets, as of Jan. 1, 2008, will now need to approach their documentation and testing of internal controls over financial reporting in a similar manner to that of a public company. In addition, the bank’s external auditors will need to ensure their attestation engagement complies with the more rigorous requirements of SSAE No. 15. Key areas in SSAE No. 15:
- Requires integration with the audit of the financial statements
- Provides definitions of significant deficiencies and material weaknesses
- Provides guidance relating to using the work of others
- Provides guidance relating to top down and risk based approach considerations
- Provides guidance relating to fraud risk assessment
- Provides guidance relating to identification of significant accounts, disclosures and relevant assertions
- Requires management to provide sufficient documentation to support management’s assertion regarding the effectiveness of internal controls over financial reporting
Given the short time frame to comply with SSAE No. 15, all impacted banks should consider the following:
- Meet with your external auditors as soon as possible to discuss SSAE No. 15
- Review management’s existing documentation and testing relating to internal controls over financial reporting to determine if this documentation and testing will be sufficient for management’s assessment and your external auditor’s attestation requirements as outlined in SSAE No. 15
- Develop an implementation plan to ensure all appropriate documentation, internal testing, external attestation and related reporting to the appropriate federal banking regulators is completed by the reporting deadline of March 31, 2009.
- Develop an implementation plan if your bank is approaching $1 billion in total assets and expecting to be subject to FDICIA internal control requirements in 2009 or 2010. The level of documentation and testing that is necessary may be significant in relation to expectations. A well-defined implementation plan can assist with minimizing surprises and potential unfavorable reporting implications.
Generally speaking, implications relating to the issuance of SSAE No. 15 will be limited to private banks and to certain public banks that are non-accelerated filers (non-accelerated filers are public companies whose common equity has an aggregate public float of less than $75 million as of the end of the most recent second quarter end within their fiscal year). Most non-accelerated filing banks have total assets less than $1 billion and, as such, aren’t subject to SSAE 15; and AS 5 for these banks will take effect as of Dec. 31, 2009. For non-accelerated filing banks with total assets over $1 billion, their external auditor’s attestation of internal control over financial reporting for 2008 may be under either SSAE 15 or AS 5 (AS 5 only for 2009). Given the convergence noted above, these engagements would be expected to be very similar.
Also, as previously mentioned, SSAE 15 provides definitions, which are consistent with AS 5, for material weaknesses and significant deficiencies:
- Material weakness: A deficiency, or combination of deficiencies, in internal control such that is there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis.
- Significant deficiency: A deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
It should be noted internal control over financial reporting cannot be deemed effective if there are any material weaknesses. Further, material weaknesses must be disclosed in the related reporting (by management and the external auditor) that is submitted to the appropriate banking regulators. This reporting is also available for public inspection pursuant to Part 363.
Tim Tiefenthaler is a managing director with RSM McGladrey. For more information, contact him at tim.tiefenthaler@mcgladrey.com.
