[Federal Register Volume 61, Number 122 (Monday, June 24, 1996)]
[Notices]
[Pages 32438-32441]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-16047]



=======================================================================
-----------------------------------------------------------------------


FARM CREDIT ADMINISTRATION
FEDERAL DEPOSIT INSURANCE CORPORATION


Amendment to Statement of Policy Regarding Independent External 
Auditing Programs of State Nonmember Banks

AGENCY: Federal Deposit Insurance Corporation (FDIC or Corporation).

ACTION: Statement of policy.

-----------------------------------------------------------------------

SUMMARY: As part of the FDIC's systematic review of its regulations and 
written policies under Section 303(a) of the Riegle Community 
Development and Regulatory Improvement Act of 1994 (CDRI), the FDIC is 
amending its policy statement regarding independent external auditing 
programs of state nonmember banks (Policy Statement). These amendments 
remove an inconsistency between the Policy Statement and another policy 
that was later approved by the FDIC Board of Directors and eliminate a 
reference to another FDIC policy which has been superseded. The 
amendments also add a paragraph referencing a statutory requirement 
enacted since the Policy Statement's adoption and renumber the 
subsequent paragraphs of the Policy Statement.

EFFECTIVE DATE: June 24, 1996.

FOR FURTHER INFORMATION CONTACT: Doris L. Marsh, Examination 
Specialist, Division of Supervision, (202) 898-8905, or Sandra 
Comenetz, Counsel, Legal Division, (202) 898-3582, FDIC, 550 17th 
Street NW., Washington, DC 20429.

SUPPLEMENTARY INFORMATION: The FDIC is conducting a systematic review 
of its regulations and written policies. Section 303(a) of the CDRI (12 
U.S.C. 4803(a)) requires each federal banking agency to streamline and 
modify its regulations and written policies in order to improve 
efficiency, reduce unnecessary costs, and eliminate unwarranted 
constraints on credit availability. Section 303(a) also requires each 
federal agency to remove inconsistencies and outmoded and duplicative 
requirements from its regulations and written policies.
    As part of this review, the FDIC has determined that the Policy 
Statement needs several amendments to eliminate inconsistencies and 
outmoded requirements.
    The Policy Statement was adopted by the FDIC Board of Directors on 
November 16, 1988, and published on November 28, 1988, 53 FR 47871. The 
Policy Statement states that the FDIC strongly encourages each state 
nonmember bank to adopt an external auditing program that includes an 
annual audit of its financial statements by an independent public 
accountant. However, the Federal Deposit Insurance Corporation 
Improvement Act of 1991 added Section 36 to the Federal Deposit 
Insurance Act. Section 36, and its implementing regulation at 12 CFR 
Part 363, requires all insured depository institutions with $500 
million or more in total assets at the beginning of their fiscal year 
to have an annual audit performed by an independent public accountant 
and to have an audit committee entirely consisting of outside directors 
who are independent of management. A new paragraph 3 has been added to 
the Policy Statement describing these and certain related requirements 
for larger institutions and the existing paragraphs 3 through 15 have 
been redesignated paragraphs 4 through 16.
    In addition, the Policy Statement advises applicants for deposit 
insurance that they will generally be expected to commit their bank to 
obtain an audit of its financial statements by an independent public 
accountant annually for at least the first three years after deposit 
insurance is granted [emphasis added]. Original footnote 2 to the 
Policy Statement refers to a June 24, 1987, FDIC policy statement on 
deposit insurance applications by operating non-FDIC insured 
institutions.
    However, newly insured institutions generally present greater risks 
to the deposit insurance funds than operating insured institutions 
which have been subject to ongoing supervision by the applicable 
federal and state regulators. In addition, a statement of policy on 
Applications for Deposit Insurance was adopted by the FDIC Board of 
Directors on April 7, 1992, 57 FR 12822, which superseded the 
referenced 1987 policy statement. The 1992 policy statement states the 
FDIC's belief that an annual audit by an independent public accountant 
should be an integral part of the safe and sound management of a 
depository institution. As a result, applicants for deposit insurance 
coverage are expected to commit their depository institution to obtain 
an audit by an independent public accountant annually for at least the 
first five years after deposit insurance coverage is granted [emphasis 
added]. Thus, this Policy Statement must be amended to be consistent 
with the more recent statement of policy on Applications for Deposit 
Insurance. A reference to the 1992 applications policy replaces a 
reference to the rescinded policy statement in footnote 2.

Discussion of Amendments

    A new paragraph 3 is added to the Policy Statement to explain the 
audit and audit committee requirements for all insured depository 
institutions with $500 million or more in total assets as a result of 
the addition of Section 36 to the Federal Deposit Insurance Act in 
1991. Thus, the original paragraphs 3 through 15 have been redesignated 
paragraphs 4 through 16. In renumbered paragraph 11 of the Policy 
Statement, the word ``three'' is replaced with the word ``five'' 
because newly insured

[[Page 32439]]

institutions generally present greater risks to the insurance funds, a 
factor recognized in the FDIC's 1992 applications policy statement. 
This change in the Policy Statement will bring it into conformity with 
the recommended number of years an applicant for deposit insurance must 
commit to obtaining an annual audit as set forth in the applications 
policy statement. The reference in footnote 2 to the FDIC's rescinded 
1987 policy statement is replaced with a reference to the FDIC's 
current applications policy statement.
    For the reasons set forth in the preamble, the Board of Directors 
of the FDIC hereby amends its Statement of Policy Regarding Independent 
External Auditing Programs of State Nonmember Banks to read as follows:

Statement of Policy Regarding Independent External Auditing Programs of 
State Nonmember Banks

    1. In view of its interest in the financial soundness of banks and 
the banking system, the FDIC believes that a strong internal auditing 
function combined with a well-planned external auditing program 1 
substantially lessens the risk that a bank will not detect potentially 
serious problems. An external auditing program is a set of procedures 
designed to test and evaluate high risk areas of a bank's business 
which are performed by an independent auditor who may or may not be a 
public accountant. The failure to detect and correct potentially 
serious problems increases the risk a bank poses to the FDIC's 
insurance funds. A strong internal auditing function establishes the 
proper control environment and promotes accuracy and efficiency in a 
bank's operations. An external auditing program complements this 
function by providing an objective outside view of the bank's 
operations.
---------------------------------------------------------------------------

    \1\ Terms defined in Appendix A are italicized the first time 
they appear in this statement of policy.
---------------------------------------------------------------------------

    2. Regardless of the strength of a bank's internal auditing 
procedures, the FDIC believes that an external auditing program should 
be considered by a bank's board of directors as part of the cost of 
operating a bank in a safe and sound manner. An external auditing 
program assists the bank's board of directors in safeguarding assets 
and identifying risks inherent in its operation. In addition, an 
external auditing program may tend to assist directors in the event of 
litigation on whether an institution's board has exercised reasonable 
care in protecting the assets of the bank. Thus, the FDIC urges all 
state nonmember banks to establish and maintain a sound external 
auditing program.
    3. In accordance with Section 36 of the Federal Deposit Insurance 
Act, as implemented by 12 CFR Part 363, each insured depository 
institution with $500 million or more in total assets at the beginning 
of its fiscal year is required to file with the FDIC and the 
appropriate federal banking agency, an annual report, including its 
financial statements which have been audited by an independent public 
accountant, and a management report and independent public accountant's 
attestation concerning both the effectiveness of the institution's 
internal controls for financial reporting and its compliance with 
designated safety and soundness laws. In addition, each such 
institution is required to have an audit committee consisting entirely 
of outside directors who are independent of management. For state 
nonmember banks subject to Section 36 and Part 363, these audit and 
audit committee requirements take precedence over the provisions of 
this Statement of Policy.

State Nonmember Banks Not Subject to Part 363

    4. The FDIC strongly encourages the board of directors of each 
state nonmember bank to establish an audit committee consisting, if 
possible, entirely of outside directors. The audit committee or board 
of directors of each state nonmember bank generally should analyze the 
extent of the external auditing coverage needed by the bank annually. 
They should determine whether the bank's needs will best be met by an 
audit of its financial statements or by an acceptable alternative 
(described in paragraphs 9 and 10 below). When selecting the scope of 
the planned external auditing program for the year, the committee or 
board should ensure that the program will provide sufficient 
substantive external coverage of the bank's risk areas and any other 
areas of potential concern, such as compliance with applicable laws and 
regulations. If not, additional external auditing procedures conducted 
by an independent auditor may be appropriate for a specific year or 
several years to cover particularly high risk areas of the bank. The 
decisions resulting from these deliberations should be recorded in the 
committee's or board's minutes.
    5. If the audit committee or board of directors of a bank, after 
due consideration, determines not to engage an independent public 
accountant to conduct an annual audit of the bank's financial 
statements (or whose parent holding company's consolidated financial 
statements are not audited), the reasons for the committee's or board's 
conclusion to use one of the acceptable alternatives or to have no 
external auditing program should be documented in its minutes. In the 
evaluation, the committee or board generally should consider not only 
the cost of an annual audit of the bank's financial statements, but 
also the potential benefits.
    6. A review of both a bank's internal and external auditing 
programs has been and will continue to be a part of the FDIC's 
examination procedures. FDIC examiners will review the nature of each 
bank's external auditing program in conjunction with the risk areas 
perceived in that particular bank's business and operations, and they 
will exercise their judgment and discretion in evaluating the adequacy 
of a bank's external auditing program. Examiners will not automatically 
comment negatively to the board of directors of a bank with an 
otherwise satisfactory external auditing program merely because it does 
not engage an independent public accountant to perform an audit of its 
financial statements.

Audit by an Independent Public Accountant

    7. The FDIC strongly encourages each state nonmember bank to adopt 
an external auditing program that includes an annual audit of its 
financial statements by an independent public accountant. A bank that 
does so would generally be considered to have a satisfactory external 
auditing program. An external audit of a bank's financial statements 
benefits management by assisting in the establishment of the accounting 
and operating policies, internal controls, internal auditing programs, 
and management information systems necessary to ensure the fair 
presentation of these statements. An audit also assists boards of 
directors in fulfilling their fiduciary responsibilities and provides 
them greater assurance that financial reports are accurate and provide 
adequate disclosure.
    8. An audit of a bank's financial statements performed by the 
independent public accountant as of a quarter-end date when the Reports 
of Condition and Income are prepared is preferable and would permit the 
bank to use the audited financial statements in the preparation and/or 
subsequent review of those reports. A bank may also find it more cost 
effective to be audited during accounting firms' less busy periods. The 
independent public accountant chosen should be experienced in auditing 
banks and

[[Page 32440]]

knowledgeable about banking regulations in order to provide the bank 
with the most effective service.

Alternatives to an Audit by a Public Accountant

    9. The FDIC recognizes that a bank's audit committee or board of 
directors may determine that the external auditing program that will 
best meet its individual needs for that particular year will be other 
than an audit of its financial statements by an independent public 
accountant. The committee or board, after a full review of alternative 
and/or supplemental approaches for an adequate independent external 
auditing program, may decide on a well-planned directors' examination, 
an independent analysis of internal controls or other areas, a report 
on the balance sheet, or specified auditing procedures by an 
independent auditor. If the bank has an outside auditing firm that is 
simply obtaining confirmations of deposits and loans, for example, the 
committee or board should normally expand the scope of the auditing 
work performed to include additional procedures to test the bank's high 
risk areas.
    10. Nonaccounting firms with bank auditing experience and expertise 
that are independent of the bank are available in some geographic 
locations. They may provide acceptable directors' examinations, 
analyses, or specified auditing work at a reasonable cost. In some 
instances, these firms' services include nonauditing work which enables 
them to provide suggestions on compliance issues and operational 
efficiencies. Depending upon the expertise of the firm and the scope of 
the engagement, these nonaccounting firms may be an appropriate choice 
for an external auditing program.

Newly Insured Banks

    11. The FDIC believes that an adequate external auditing program 
performed by an independent auditor should be an integral part of the 
safe and sound management of a bank. Thus, applicants for deposit 
insurance coverage will generally be expected to commit their bank to 
obtain an audit of its financial statements by an independent public 
accountant annually for at least the first five years after deposit 
insurance coverage is granted.2 The FDIC may determine on a case-
by-case basis that an independent audit of financial statements is 
unnecessary where an applicant can demonstrate that the benefits 
derived from such an external audit will be substantially provided by 
other outside sources, or where the applicant is owned by another 
company and will undergo an audit performed by an independent public 
accounting firm as part of an audit of the consolidated financial 
statements of its parent company.
---------------------------------------------------------------------------

    \2\ Refer to the April 7, 1992, Statement of Policy on 
Applications for Deposit Insurance.
---------------------------------------------------------------------------

Notification and Submission of Reports

    12. Whether currently or newly insured, the FDIC requests each 
state nonmember bank that undergoes any external auditing work, 
regardless of the scope of the work, to furnish a copy of any reports 
by the public accountant or other external auditor, including any 
management letters, to the appropriate FDIC regional office as soon as 
possible after their receipt by the bank.
    13. In addition, the FDIC requests each bank to promptly notify the 
appropriate FDIC regional office when any public accountant or other 
external auditor is initially engaged to perform external auditing 
procedures and when a change in its accountant or auditor occurs.

Holding Company Subsidiaries

    14. When the audit committee or board of directors of any state 
nonmember bank owned by another company (such as a bank holding 
company) considers its external auditing program, it may find it 
appropriate to express the scope of its program in terms of the bank's 
relationship to the consolidated group. No section of this statement of 
policy is intended to imply that any state nonmember bank owned by 
another company is expected to obtain a separate audit of the financial 
statements of the individual bank. Where the state nonmember bank is 
directly or indirectly included in the audit of the consolidated 
financial statements of its parent company performed by an independent 
public accounting firm, the state nonmember bank may send one copy of 
the comparable reports by the public accountant or notification of the 
change in accountants for the consolidated company to the appropriate 
regional director. If several banks supervised by the same FDIC 
regional office are owned by one parent company, a single copy of each 
report applicable to the consolidated company may be submitted to the 
regional office on behalf of all of the affiliated banks.

Troubled Banks

    15. An annual independent external auditing program complements 
both the FDIC's supervisory process and bank internal auditing programs 
by further identifying or clarifying issues of potential concern or 
exposure. It can also greatly aid management in taking corrective 
action, particularly when weaknesses are detected in internal control 
or management information systems. For these reasons, an annual audit 
of bank financial statements performed by an independent public 
accounting firm or, if more appropriate, specified auditing procedures 
will be a condition of future enforcement actions, when deemed 
necessary, or if it appears that any of the following conditions may 
exist:

(a) Internal controls and internal auditing procedures are inadequate;
(b) The directorate is generally uninformed in the area of internal 
controls;
(c) There is evidence of insider abuse;
(d) There are known or suspected defalcations;
(e) There is known or suspected criminal activity;
(f) It is probable that director liability for losses exists;
(g) Direct verification is warranted; and/or
(h) Questionable transactions with affiliates have occurred.

    16. Such an enforcement action may also require that (a) The bank 
provide to the appropriate FDIC regional office a copy of the auditor's 
report and any management letter received from the auditor promptly 
after the completion of any auditing work and that (b) the bank notify 
the regional office in advance of the time and date of any meeting 
between management and the auditor at which any auditing findings are 
to be presented so that a representative of the FDIC may be present if 
the FDIC so chooses.

Appendix A--Definitions

    Audit. An examination of the financial statements, accounting 
records, and other supporting evidence of a bank performed by an 
independent certified or licensed public accountant in accordance with 
generally accepted auditing standards and of sufficient scope to enable 
the auditor to express an opinion on the bank's financial statements as 
to their presentation in accordance with generally accepted accounting 
principles (GAAP).
    Audit Committee. A committee of the board of directors, consisting, 
if possible, entirely of outside directors. To the extent possible, 
members of the committee should be knowledgeable about accounting and 
auditing. They should be responsible for reviewing and approving the 
bank's internal and external auditing programs or

[[Page 32441]]

recommending adoption of these programs to the full board. Both the 
internal auditor and the external auditor should have unrestricted 
access to the audit committee without the need for any prior management 
knowledge or approval. Other duties of the audit committee should 
include reviewing the independence of the external auditor annually, 
being consulted by management when it seeks a second opinion on an 
accounting issue, overseeing the quarterly regulatory reporting 
process, and reporting its findings periodically to the full board of 
directors.
    Directors' Examination. A review by an independent third party that 
has been authorized by the bank's board of directors and is performed 
in accordance with the board's analysis of potential risk areas. 
Certain procedures may also be required as a result of state law. A 
directors' examination consisting solely of such procedures as cash 
counts and confirmations of loans and deposits would not normally be 
considered a well-planned directors' examination. (Sometimes directors' 
examinations are similar to so-called ``engagement audits'' or 
``operational audits.'' Nevertheless, no widely accepted national 
standards exist for the specific procedures that must be performed in 
directors' examinations or these ``audits.'')
    External Auditing Program. The performance of procedures to test 
and evaluate high risk areas of a bank's business by an independent 
auditor, who may or may not be a public accountant, sufficient for the 
auditor to be able to express an opinion on the financial statements or 
to report on the results of the procedures performed.
    Financial Statements. The statements of financial position, income, 
cash flows, and changes in shareholders equity together with related 
notes.
    Independent. No certified public accountant, public accountant, or 
other auditor will be recognized as independent who is not in fact 
independent. (Reference is made to Sec. 335.604 of the FDIC rules and 
regulations for the complete definition of the term ``independent.'')
    Outside Directors. Members of a bank's board of directors who are 
not officers, employees, or principal stockholders of the bank, its 
subsidiaries, or its affiliates, and do not have any material business 
dealings with the bank, its subsidiaries, or its affiliates.
    Public Accountant. A certified public accountant or licensed public 
accountant who is duly registered and in good standing as such under 
the laws of the place of his/her residence or principal office, who is 
licensed by the accounting regulatory authority of his/her state, and 
who possesses a permit to practice public accountancy.
    Report on the Balance Sheet. An examination of the balance sheet, 
accounting records, and other supporting evidence performed by an 
independent certified or licensed public accountant in accordance with 
generally accepted auditing standards.
    Risk Areas. The risk areas are those particular activities of a 
specific bank that expose the bank to potential losses if problems were 
to exist and go undetected. The highest risk areas in banks generally 
include, but are not necessarily limited to, the valuation of 
collectibility of loans (including the reasonableness of the allowance 
for loan losses), investments, and repossessed and foreclosed 
collateral; internal controls; and insider transactions.

    By order of the Board of Directors.

    Dated at Washington, D.C. this 17th day of June, 1996.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Deputy Executive Secretary.
[FR Doc. 96-16047 Filed 6-21-96; 8:45 am]
BILLING CODE 6714-01-P