[Federal Register Volume 63, Number 31 (Tuesday, February 17, 1998)]
[Notices]
[Pages 7796-7802]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-3374]


=======================================================================
-----------------------------------------------------------------------

FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL


Policy Statement on External Auditing Programs of Banks and 
Savings Associations

AGENCY: Federal Financial Institutions Examination Council.

ACTION: Proposed policy statement; Request for comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Financial Institutions Examination Council (FFIEC) 
1 is requesting comments on a proposed Policy Statement on 
External Auditing Programs of Banks and Savings Associations (Policy 
Statement) which is intended to provide uniform guidance regarding 
independent external auditing programs. Because institutions with $500 
million or more in total assets must have an annual audit performed by 
an independent public accountant in accordance with section 36 of the 
Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR part 
363, this policy would apply only to institutions below that threshold 
that are not otherwise subject to audit requirements.
---------------------------------------------------------------------------

    \1\  The FFIEC consists of representatives from the Board of 
Governors of the Federal Reserve System (FRB), the Federal Deposit 
Insurance Corporation (FDIC), the Office of the Comptroller of the 
Currency (OCC), the Office of Thrift Supervision (OTS) (referred to 
as the ``banking agencies''), and the National Credit Union 
Administration. However, this guidance is not directed to credit 
unions.
---------------------------------------------------------------------------

    The Policy Statement expresses the banking agencies' belief that a 
well-planned external audit program, combined with a strong internal 
audit function, increases the ability of an institution to detect and 
correct any serious problems that exist. In this regard, the proposed 
guidance encourages each institution to adopt an external auditing 
program that includes an annual audit of its financial statements by an 
independent public accountant. If an institution's board of directors 
or audit committee determines that an audit is not appropriate for the 
institution, the proposal provides two alternative approaches for 
consideration. The alternatives, which should also be performed by an 
independent public accountant, consist of a report on the institution's 
balance sheet or an attestation report on internal control over 
specified schedules of its regulatory reports.
    The proposed Policy Statement also encourages institutions to 
establish an audit committee consisting entirely of outside directors, 
if practicable.

DATES: Comments must be received by April 20, 1998.

ADDRESSES: Comments should be directed to Joe M. Cleaver, Executive 
Secretary, Federal Financial Institutions Examination Council, 2100 
Pennsylvania Avenue, NW, Suite 200, Washington, DC 20037 (Fax number: 
(202) 634-6556). Comments will be available for public inspection 
during regular business hours at the above address. Appointments to 
inspect comments are encouraged and can be arranged by calling the 
FFIEC at (202) 634-6526.

FOR FURTHER INFORMATION CONTACT:

    FDIC: Doris L. Marsh, Examination Specialist, Division of 
Supervision, (202) 898-8905, or A. Ann Johnson, Counsel, Legal 
Division, (202) 898-3573, FDIC, 550 17th Street, N.W., Washington, DC 
20429.
    FRB: Charles H. Holm, Project Manager, (202) 452-3502, or Arthur 
Lindo, Supervisory Financial Analyst, (202) 452-2695, Division of 
Banking Supervision and Regulation, Board of Governors of the Federal 
Reserve System, 20th Street and Constitution Avenue, N.W., Washington, 
DC 20551.
    OCC: Thomas Rees, Senior Accountant, Chief Accountant's office, 
Core Policy Division, (202) 874-5411, or Bill Morris, National Bank 
Examiner, Core Policy Division, (202) 874-4915, Office of the 
Comptroller of the Currency, 250 E Street, S.W., Washington, DC 20219.
    OTS: Timothy J. Stier, Chief Accountant, Accounting Policy 
Division, (202) 906-5699, or Christine A. Smith, Policy Analyst, 
Accounting Policy Division, (202) 906-5740, Office of Thrift 
Supervision, 1700 G Street, N.W., Washington, DC 20552.

SUPPLEMENTARY INFORMATION:

I. Background

    An institution's internal auditing and external auditing programs 
are critical to its safety and soundness. When an institution lacks an 
internal auditing program or has weaknesses in an existing program, 
examiners often encourage the institution to obtain an independent 
external audit. Accordingly, many institutions now supplement their 
internal auditing programs by obtaining independent external audits, 
either voluntarily or as a result of the requirements of section 36 of 
the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831m) and its 
implementing regulation, 12 CFR part 363, the Securities and Exchange 
Act of 1934 (15 U.S.C. 78a), or the Federal Reserve bank holding 
company reporting requirements in the FR-Y-6 Annual Report of Bank 
Holding Companies. However, a number of institutions, particularly 
smaller institutions, do not have an external audit for various 
reasons.
    Because the banking agencies believe that an independent external 
audit provides reasonable assurance that an institution's financial 
statements are prepared in accordance with generally accepted 
accounting principles (GAAP), the banking agencies encourage all 
institutions to obtain external audits. In an effort to provide more 
explicit guidance to institutions regarding external audits, the FFIEC 
is proposing to approve a uniform Policy Statement. Upon FFIEC 
approval, the FFIEC would recommend to the banking agencies that they 
individually adopt the policy. This proposal is generally consistent 
with the individual policies of the banking agencies.
    Although some of the banking agencies have provided guidance on 
external audits to their supervised institutions, a uniform policy does 
not exist. For example, the OCC discusses its policies with regard to 
independent external audits for national banks in the Comptroller's 
Handbook for National Banks, Section 102, Internal and External Audits, 
and the Comptroller's Manual for Corporate Activities. The FDIC adopted 
similar guidance in its Policy Statement Regarding Independent External 
Auditing Programs of State Nonmember Banks on November 16, 1988, as 
published on November 28, 1988 (53 FR 47871), and amended on June 24, 
1996, (61 FR 32438). The OTS's policy on independent external audits is 
discussed in the Thrift Activities Regulatory Handbook, Section 350, 
Independent Audits. The FRB sets forth its policy on external audits in 
the FR-Y-6'Annual Report of Bank Holding Companies and Section 1010, 
``External Audits,'' of the Commercial Bank Examination Manual.

II. The Policy Statement

    The following paragraphs describe the principal provisions of the 
proposed Policy Statement.

[[Page 7797]]

Board of Directors' Responsibilities

External Auditing Program
    This section of the proposed Policy Statement expresses the banking 
agencies' belief that a well-planned external auditing program combined 
with a strong internal auditing function increases the ability of an 
institution to detect and correct any potentially serious problems. 
This section also emphasizes the importance to the institution's board 
of directors and management of establishing an effective internal 
control process to provide reasonable assurance that the institution 
achieves its objectives. The banking agencies believe that the board of 
directors should consider an external auditing program performed by an 
independent public accountant to be conducive to the safe and sound 
operation of the institution.
Audit Committee
    This section encourages institutions to establish an audit 
committee consisting entirely of outside directors, if practicable. 
Among its duties, the audit committee should identify the areas of 
greatest risk affecting financial reporting in the institution's 
operations. In addition, this section states that an institution's 
board of directors or audit committee should consider the 
appropriateness of an external auditing program for the institution. 
This evaluation should address what form of external auditing program 
will best assist the board or audit committee in obtaining reasonable 
assurance that the institution's financial statements and regulatory 
reports are reliably prepared. The results of this evaluation should be 
documented.

Alternative External Auditing Programs

    The proposal identifies the preferred external auditing program and 
two acceptable alternatives.2
---------------------------------------------------------------------------

    \2\ It is the understanding of the banking agencies that, under 
most state public accountancy laws, only an independent public 
accountant may perform a balance sheet audit or issue an attestation 
report on internal control.
---------------------------------------------------------------------------

Financial Statement Audit by an Independent Public Accountant
    The proposal encourages each institution to adopt an external 
auditing program that includes an annual audit of its financial 
statements by an independent public accountant. The banking agencies 
believe that a financial statement audit benefits management in 
carrying out its control responsibilities.
Report on the Balance Sheet Audit
    As an alternative to a financial statement audit, the proposed 
Policy Statement suggests that an institution consider engaging an 
independent public accountant to examine its assets, liabilities, and 
equity under generally accepted auditing standards (GAAS) and to opine 
on the fairness of the presentation on the balance sheet. Under this 
type of engagement, the accountant would not provide an opinion on the 
fairness of the presentation of the institution's income statement, 
statement of changes in equity capital, or statement of cash flows.
Attestation Report on Internal Control Assertion
    Another alternative to a financial statement audit is to engage an 
independent public accountant to provide a report attesting to 
management's assertion concerning the effectiveness of internal control 
over financial reporting. The report would cover certain schedules of 
its regulatory reports, including those relating to loans and 
securities. Under this alternative, management would review its 
internal control over the preparation of these schedules and document 
this review. Management would then provide a written assertion stating 
whether it believes its internal control is effective. The independent 
public accountant would examine management's assertion and provide an 
appropriate attestation report.
    The banking agencies believe that an institution's annual ongoing 
cost of an attestation report on internal control over certain 
schedules of its regulatory reports would be significantly less than 
the cost of an audit of its financial statements. However, the cost 
projections depend on the circumstances of each institution, and an 
institution may incur additional start-up costs to create the initial 
documentation of its internal control structure and procedures in the 
first year. This documentation is necessary to enable the independent 
public accountant to evaluate management's assertion on the 
effectiveness of internal control.
Holding Company Subsidiaries
    The proposal describes the responsibilities of the board or audit 
committee of a subsidiary of a holding company with respect to the 
institution's external auditing program. Specifically, the proposal 
says that an institution which is a subsidiary of a holding company may 
find it appropriate to express the scope of its external auditing 
program in terms of its relationship to the consolidated group. 
However, the board or audit committee should determine whether the 
subsidiary's activities involve unusual risks that are not adequately 
covered within the scope of the audit of the consolidated financial 
statements. If so, the proposal suggests that the board or audit 
committee consider implementing an appropriate alternative external 
auditing program.

Other Matters Concerning an External Auditing Program

Timing and Experience
    The proposed Policy Statement recommends that whatever external 
auditing program is adopted be performed at a quarter-end date that 
coincides with a regulatory report date. It states that the independent 
public accountant performing this program should be experienced in 
performing external auditing work for banks and savings associations.
Access to Regulatory Reports
    The proposal explains that an independent public accountant should 
have access to examination reports, other documents, and reports of 
action related to the supervision of the institution by its appropriate 
federal or state banking agency.

Examiner Review of the External Auditing Program

    The proposal explains that examiners should consider an 
institution's size, the nature and scope of its activities, and any 
compensating controls when determining the adequacy of the 
institution's external auditing program and making recommendations for 
improvement. Examiners should also consider whether the institution has 
undertaken a state-required auditing program (that differs from the 
programs set forth in this policy) when determining whether to make 
recommendations for improvements under this policy.

Notification and Submission of Reports

    In general, each institution should furnish its appropriate 
supervisory office with a copy of external auditing reports issued by 
its independent public accountant. However, the proposal also addresses 
the submission of the independent public accountant's report by holding 
company subsidiaries. This guidance reflects the banking agencies' 
current approach to supervising banking organizations which own more 
than one depository institution. Because each banking agency designates 
one

[[Page 7798]]

supervisory office to manage the supervision of an entire banking 
organization, any reports from the independent public accountant should 
be sent to the appropriate supervisory office of each banking agency 
which supervises the entire banking organization.

Special Situations

Newly Insured Institutions
    The proposed Policy Statement notes that the FDIC Statement of 
Policy on Applications for Deposit Insurance (57 FR 12822) requires 
newly insured institutions to adopt an appropriate external auditing 
program.
Institutions Presenting Supervisory Concerns
    This section of the proposal lists some of the conditions in a 
problem institution which would warrant the inclusion of a requirement 
for a strong external auditing program.

Performance of Other Services

    This section of the proposal explains that although each 
institution is encouraged to have an external auditing program 
performed by an independent public accountant, an institution may hire 
other firms for advisory and consulting services if it so desires.

Appendix A--Definitions

    Appendix A defines the terms used throughout the proposed Policy 
Statement. The banking agencies have tried to achieve consistency in 
these definitions with current professional accounting and auditing 
literature. In addition, references are consistent with terminology in 
the report of the Committee of Sponsoring Organizations of the Treadway 
Commission (COSO Report), ``Internal Control--Integrated Framework,'' 
which is the standard by which the vast majority of institutions 
evaluate internal control.

III. Comments

    The banking agencies encourage each institution to consider 
engaging an independent public accountant to perform an audit of its 
financial statements. If an institution's board or audit committee 
determines that an audit is not appropriate for the institution, the 
banking agencies encourage each institution to consider having one of 
the alternatives recommended in this proposal performed. Comments on 
the proposed Policy Statement are especially encouraged from any 
institution which has had its independent public accountant perform one 
of the alternatives (a report on the institution's balance sheet or an 
attestation report on internal control over specified schedules of its 
regulatory reports).
    Some states have state-required external auditing programs (e.g., 
directors' examinations) that differ from the external auditing 
programs set forth in this policy statement. Accordingly, comments are 
requested on the amount of time those states might need if they wish to 
modify their directors' examination requirements to be consistent with 
this Policy Statement.

IV. Paperwork Reduction Act

    As part of their continuing effort to reduce paperwork and 
respondent burden, the banking agencies invite the general public and 
other Federal agencies to take this opportunity to comment on proposed 
and/or continuing information collections, as required by the Paperwork 
Reduction Act of 1995. Currently, the banking agencies are soliciting 
comments concerning this proposed FFIEC policy statement, as there is a 
likelihood that each of the banking agencies will adopt it for their 
institutions. The banking agencies expect to submit the information 
collection to OMB for review in conjunction with FFIEC's approval of 
the final policy statement, and will invite public comment again in the 
Federal Register notice that publishes the final policy statement.
    Written comments regarding the information collection aspects of 
the proposed policy statement should be submitted to any one or all of 
the addresses listed under the ADDRESSES section of this Federal 
Register notice. A copy of the comments may also be submitted to the 
OMB Desk Officer for the banking agencies: Alexander T. Hunt, Office of 
Information and Regulatory Affairs, Office of Management and Budget, 
New Executive Office Building, Room 3208, Washington, DC 20503.
    Requests for information regarding the collections of information 
contained in the proposed policy statement may be sent to:
    FDIC: Steven F. Hanft, FDIC Clearance Officer, (202) 898-8766, 
Office of the Executive Secretary, Federal Deposit Insurance 
Corporation, 550 17th Street, NW, Washington, DC 20429.
    FRB: Mary M. McLaughlin, Federal Reserve Board Clearance Officer 
(202) 452-3829, Division of Research and Statistics, Board of Governors 
of the Federal Reserve System, Washington, DC 20551. Telecommunications 
Device for the Deaf (TDD) users may contact Diane Jenkins, (202) 452-
3544, Board of Governors of the Federal Reserve System, 20th Street and 
Constitution Avenue, N.W., Washington, DC 20551.
    OCC: Jessie Gates, OCC Clearance Officer, (202) 874-5090, 
Legislative and Regulatory Activities Division, Office of the 
Comptroller of the Currency, 250 E Street, SW, Washington, DC 20219.
    OTS: Christine Smith, Policy Analyst, (202) 906-5740, Timothy 
Stier, Chief Accountant, (202) 906-5699, Accounting Policy, Office of 
Thrift Supervision, 1700 G Street, NW, Washington, DC 20552.

Abstract

    The title of this proposed information collection is ``External 
Auditing Programs (<$500MM).'' The information would be collected from 
all institutions with less than $500 million in total assets and 
consists of: (a) A recordkeeping requirement that institutions maintain 
management assertions regarding certain regulatory report schedules, 
and (b) reporting requirements that institutions submit to the 
appropriate supervisory office: (1) A notification when an independent 
public accountant is initially engaged to perform external auditing 
work and when a change in, or termination of, an independent public 
accountant occurs; and either (2) a copy of any reports by the 
independent public accountant pertaining to the external auditing 
program, including any management letters; or (3) when an institution's 
financial information is included in the audited consolidated financial 
statements of its parent company, a copy of the audited financial 
statements of the consolidated company, any other reports by the 
independent public accountant, and any notifications of changes in, or 
terminations of, the consolidated company's independent public 
accountant, with a transmittal letter identifying the institutions 
covered.
    Type of Review: New collection.
    Affected Public: Businesses or other for-profit.

Number of Respondents:
    FDIC: 5,960.
    FRB: 900.
    OCC: 2,200.
    OTS: 1,050.

    Total Annual Respones: The banking agencies estimate 2 responses 
per respondent.
    Frequency of Response: Annually and On occasion.

[[Page 7799]]



                        Total Annual Burden Hours                       
------------------------------------------------------------------------
                                                                        
------------------------------------------------------------------------
FDIC................  Recordkeeping Burden...  1,490 hours.             
                      Reporting Burden.......  2,980 hours.             
                        Total Burden.........  4,470 hours.             
FRB.................  Recordkeeping Burden...  225 hours.               
                      Reporting Burden.......  450 hours.               
                        Total Burden.........  675 hours.               
OCC.................  Recordkeeping Burden...  550 hours.               
                      Reporting Burden.......  1,100 hours.             
                        Total Burden.........  1,650 hours.             
OTS.................  Recordkeeping Burden...  263 hours.               
                      Reporting Burden.......  525 hours.               
                        Total Burden.........  788 hours.               
------------------------------------------------------------------------

Comments

    Comments submitted in response to this notice will be summarized 
and/or included in each agency's request for OMB approval. All comments 
will become a matter of public record. Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the agency, including whether 
the information shall have practical utility;
    (b) The accuracy of the agency's estimate of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or startup costs and costs of operation, 
maintenance, and purchase of services to provide the required 
information.
    The text of the proposed Policy Statement follows:

Federal Financial Institutions Examination Council

Policy Statement On External Auditing Programs of Banks and Savings 
Associations 1

Introduction
    The banking agencies 2 believe that a well-planned 
annual external auditing program 3 is an important component 
of a bank's or savings association's (hereafter referred to as ``an 
institution'') risk management process. Furthermore, an external 
auditing program complements the internal auditing function of an 
institution by providing management and the board of directors with an 
independent and objective view of the reliability of the institution's 
financial statements. Additionally, an effective external auditing 
program contributes to the efficiency of the banking agencies' risk-
focused examination process. By emphasizing the financial reporting 
aspects of the significant risk areas of an institution, an effective 
external auditing program may also reduce the examination time spent in 
these areas.
---------------------------------------------------------------------------

    \1\ Insured depository institutions covered by Section 36 of the 
Federal Deposit Insurance Act, as implemented by 12 CFR part 363, 
are required to have an external audit and an audit committee. 
Therefore, this guidance only applies to banks and savings 
associations which are not subject to part 363 (i.e., institutions 
with less than $500 million in total assets at the beginning of 
their fiscal year) or are not otherwise subject to audit 
requirements by agreement, statute, or agency regulations. Such 
banks and savings associations are referred to in this policy 
statement as ``institutions.''
    \2\ References to the banking agencies throughout this document 
mean the Board of Governors of the Federal Reserve System (FRB), the 
Federal Deposit Insurance Corporation (FDIC), the Office of the 
Comptroller of the Currency (OCC), and the Office of Thrift 
Supervision (OTS).
    \3\ Terms defined in Appendix A are italicized the first time 
they appear in this policy statement.
---------------------------------------------------------------------------

    This policy statement outlines key elements of an effective 
external auditing program and describes how an institution's external 
auditing program will be reviewed by examiners. Specifically, this 
policy encourages institutions to adopt an external auditing program 
and establish an audit committee, and it describes some acceptable 
external auditing programs that institutions may consider. In addition, 
this policy statement provides guidance on external auditing for 
institutions that are subsidiaries of a holding company, newly insured 
institutions, and institutions presenting supervisory concerns.
Board of Directors' Responsibilities
    External Auditing Program. The banking agencies encourage the board 
of directors of each institution to adopt an external auditing program. 
The banking agencies believe that the board of directors should 
consider an external auditing program performed by an independent 
public accountant to be conducive to the safe and sound operation of 
the institution. The board of directors should evaluate whether its 
external auditing program adequately addresses the financial reporting 
aspects of the significant risk areas of the institution's business. 
The ability to detect and correct potentially serious problems in these 
areas substantially improves the safety and soundness of an 
institution's operations and thereby lessens the risk the institution 
poses to the FDIC-administered insurance funds.
    An external auditing program also gives the institution's 
management and board of directors information about the reliability of 
its financial statements and often provides information useful to them 
in discharging their responsibilities for effective internal control, 
such as safeguarding assets and identifying weaknesses in the internal 
control structure. In addition, an external auditing program may help 
directors exercise reasonable care in protecting the assets of the 
institution.
    Audit Committee. The banking agencies also encourage the board of 
directors of each institution to establish an audit committee. Ideally, 
the audit committee should consist entirely of outside directors. 
However, if this is impracticable, the banking agencies believe that at 
least a majority of the audit committee members should be outside 
directors.
    An audit committee or board of directors should periodically (at 
least annually) identify the risk areas of the institution's activities 
and assess the extent of external auditing involvement needed over each 
area. The audit committee or board should determine whether the 
institution's needs will best be met by an audit of its financial 
statements in accordance with generally accepted auditing standards 
(GAAS) or by an alternative external auditing program. (Recommended 
alternatives are described below.)
    When evaluating the alternatives for the institution's external 
auditing program, the committee or board should consider the cost and 
potential benefits of an annual financial statement audit and ensure 
that the selected program provides sufficient coverage of the financial 
reporting aspects of the institution's significant risk areas and any 
other areas of concern. The committee or board also should consider how 
to best obtain reasonable assurance that the institution's financial

[[Page 7800]]

statements and regulatory reports are reliably prepared.
    If the audit committee or board of directors decides to engage an 
independent public accountant to conduct an alternative external 
auditing program rather than an audit of the institution's financial 
statements, the reasons for that decision should be documented in its 
minutes.
Alternative External Auditing Programs
    Financial Statement Audit by an Independent Public Accountant. The 
banking agencies encourage each bank and savings association to have 
its financial statements audited by an independent public accountant. 
Although other alternatives are acceptable, a financial statement audit 
provides the most comprehensive assurance about the fair presentation 
of an institution's financial statements.
    In addition, an external audit provides information that benefits 
management in carrying out its control responsibilities. For example, 
an external audit may provide management with guidance on establishing 
or improving accounting and operating policies, recommendations on 
internal control (including internal auditing programs), and 
evaluations of management information systems necessary to ensure the 
fair presentation of the financial statements.
    Report on the Balance Sheet. An institution's audit committee or 
board of directors may determine, based on its assessment of the 
institution's risk areas and scope of operations during a particular 
year, that a financial statement audit is not the institution's best 
alternative. In such cases, the institution may prefer to engage an 
independent public accountant to examine and report on the balance 
sheet. If this alternative is chosen, the balance sheet on which the 
accountant will report should be prepared in conformity with generally 
accepted accounting principles (GAAP). Furthermore, the independent 
public accountant should perform the engagement in accordance with 
GAAS.
    Attestation Report on Internal Control Assertion. 
4 Another alternative to a financial statement audit is to 
engage an independent public accountant to examine and report on 
management's assertion concerning the effectiveness of the 
institution's internal control over financial reporting in all or 
specified schedules of the institution's regulatory reports. A board or 
audit committee that elects this alternative should review and assess 
the institution's activities and determine its high risk areas with 
respect to financial reporting. In addition, management should evaluate 
and provide a written assertion about the effectiveness of the 
institution's internal control over financial reporting in the 
identified risk areas as of one designated regulatory report date. This 
assertion should specify the criteria on which management based its 
evaluation of internal control. Furthermore, management's evaluation 
should be adequately documented.
    In most institutions, the lending and investment securities 
activities present the most significant risks that affect financial 
reporting. Therefore, management's assertion should generally cover the 
following regulatory report schedules every year:

----------------------------------------------------------------------------------------------------------------
                                                                                      Thrift financial report   
                 Area                  Reports of condition and  income schedules            schedules          
----------------------------------------------------------------------------------------------------------------
Loans and Lease Financing Receivables  RC-C, Part I..............................  SC, CF                       
Past Due and Nonaccrual Loans,         RC-N......................................  PD                           
 Leases, and Other Assets.                                                                                      
Allowance for Credit Losses..........  RI-B......................................  SC, VA                       
Securities...........................  RC-B......................................  SC, SI, CF                   
----------------------------------------------------------------------------------------------------------------

    If the board or audit committee determines that trading or off-
balance sheet activities present material financial reporting risks to 
the institution, the regulatory report schedules for one or both of 
these areas should also be covered by management's assertion and the 
accountant's attestation:

----------------------------------------------------------------------------------------------------------------
                                                                                      Thrift financial report   
                 Area                   Reports of condition and income schedules            schedules          
----------------------------------------------------------------------------------------------------------------
Trading Assets and Liabilities.......  RC-D......................................  SO, SI.                      
Off-Balance Sheet Items..............  RC-L......................................  SI, CMR.                     
----------------------------------------------------------------------------------------------------------------

    The regulatory report schedules listed in this policy statement 
address the most common high risk areas for financial reporting in 
institutions. However, these schedules do not address all possible 
risks in an institution. Therefore, each institution should review the 
risks inherent in its particular activities annually to determine 
whether to expand the scope of its external auditing program to include 
other financial reporting risk areas. For example, if an institution or 
its subsidiaries has significant real estate investments, insurance 
underwriting or sales activities, securities broker-dealer or similar 
activities (including securities underwriting and investment advisory 
services), loan servicing activities, or fiduciary activities, the 
institution should consider whether its external auditing program 
should cover these areas.
    Holding Company Subsidiaries. When the audit committee or board of 
directors of any institution owned by another company (such as a 
holding company) considers its external auditing program, it may find 
it appropriate to address the scope of its program in terms of the 
institution's relationship to the consolidated group. The banking 
agencies do not expect an institution owned by another company to 
obtain a separate audit of its financial statements if the group's 
consolidated financial statements for the same fiscal year are audited. 
Nevertheless, the board of directors or audit committee of the 
subsidiary may determine that it has activities that involve risks 
which were not within the procedural scope of the audit of the 
financial statements of the consolidated entity. For example, the risks 
arising from some of the subsidiary's activities may be immaterial to 
the financial statements of the consolidated entity. Under such 
circumstances, the audit committee or board of the subsidiary 
institution should consider strengthening its internal auditing 
procedures to cover these activities or implementing an appropriate 
alternative external auditing program.
---------------------------------------------------------------------------

    \4\ An attestation engagement is not an audit. It is performed 
under different professional standards than an audit of an 
institution's financial statements or its balance sheet.

---------------------------------------------------------------------------

[[Page 7801]]

Other Matters Concerning an External Auditing Program
    Timing. Whatever external auditing program an institution decides 
to implement, it preferably should be performed as of the institution's 
fiscal year-end. However, using a quarter-end date that coincides with 
a regulatory report date is also acceptable. Such an approach would 
permit the institution to use the audited financial statements to 
verify and, if appropriate, amend the regulatory report. In this 
regard, an institution may also find it cost-effective to have its 
financial statements audited during the accounting firm's off-peak 
period.
    Experience. The banking agencies generally believe that the 
independent public accountant that an institution selects to perform 
its financial statement audit or its alternative external auditing 
program should be experienced in auditing the financial statements of 
banks and savings associations and knowledgeable about relevant laws 
and regulations.
    Access to Regulatory Reports. Regardless of the external auditing 
approach chosen, management should inform the independent public 
accountant of, and provide the independent public accountant with 
access to, all examination reports and written communication between 
the institution and the banking agencies or state banking authorities 
since the last external auditing activity. The independent public 
accountant also should be provided access to any supervisory memoranda 
of understanding, written agreements, administrative orders, reports of 
action initiated or taken by a federal or state banking agency under 
section 8 of the Federal Deposit Insurance Act (or a similar state 
law), or civil money penalties assessed against the institution or an 
institution-related party, and any associated correspondence. The 
independent public accountant must maintain the confidentiality of 
examination reports and other confidential supervisory information.
Examiner Review of the External Auditing Program
    A review of an institution's external auditing program will 
continue to be part of the banking agencies' examination procedures. An 
examiner's evaluation of and any recommendations for improvements in an 
institution's external auditing program will consider the institution's 
size, the nature and complexity of its business activities, its risk 
profile, any actions taken or planned by the institution to minimize or 
eliminate identified weaknesses, and any compensating controls that are 
in place.
Notification and Submission of Reports
    Regardless of the type of external auditing program chosen, the 
banking agencies request that each institution furnish a copy of any 
reports 5 by the independent public accountant pertaining to 
the external auditing program, including any management letters, to its 
appropriate supervisory office in a timely manner.
---------------------------------------------------------------------------

    \5\ The institution's engagement letter is not expected to be 
submitted as a ``report.''
---------------------------------------------------------------------------

    In addition, the banking agencies request each institution to 
promptly notify its appropriate supervisory office when an independent 
public accountant is initially engaged to perform external auditing 
work and when a change in, or termination of, its independent public 
accountant occurs.
    When an institution's financial information is included in the 
audited consolidated financial statements of its parent company, the 
institution may send its appropriate supervisory office one copy of the 
audited financial statements of the consolidated company, any other 
reports by the independent public accountant, and any notifications of 
changes in, or terminations of, the consolidated company's independent 
public accountant. If several institutions are owned by one parent 
company, a single copy of the reports and any notifications applicable 
to the consolidated company may be submitted to the appropriate 
supervisory office of each banking agency supervising one or more of 
the affiliated institutions and the holding company. A transmittal 
letter should identify the institutions covered.
Special Situations
    Newly Insured Institutions. The FDIC Statement of Policy on 
Applications for Deposit Insurance requires an applicant for deposit 
insurance coverage to obtain an audit of its financial statements by an 
independent public accountant.
    Institutions Presenting Supervisory Concerns. An independent 
external auditing program complements the banking agencies' supervisory 
process and the institution's internal auditing program by identifying 
or further clarifying issues of potential concern or exposure. It can 
also greatly assist management in taking corrective action, 
particularly when weaknesses are detected in internal control or 
management information systems. For these reasons, the banking agencies 
may require an annual audit of an institution's financial statements by 
an independent public accountant for an institution presenting 
supervisory concerns. However, if it is more appropriate, either (1) a 
report on the balance sheet; (2) an attestation report on management's 
assertions concerning internal control over financial reporting; (3) 
procedures agreed upon by the institution, independent public 
accountant, and appropriate banking agency; or (4) other engagements 
may be required if any of the following conditions exist:
    (a) Internal control, including the internal auditing program, is 
inadequate;
    (b) The board of directors is generally uninformed in the area of 
internal control;
    (c) There is evidence of insider abuse;
    (d) There are known or suspected defalcations;
    (e) There is known or suspected criminal activity;
    (f) It is probable that director liability for losses exists;
    (g) Direct verification of loans or deposits is warranted;
    (h) Questionable transactions with affiliates have occurred; or
    (i) Other conditions exist that warrant improvements in the 
external auditing program.
    Such an action may also require, among other things, that the 
institution provide its banking agency's supervisory office a copy of 
any reports, including management letters, issued by the independent 
public accountant. In addition, it may require the institution to 
notify the supervisory office prior to any meeting with the independent 
public accountant at which auditing findings are to be presented.
Performance of Other Services
    This policy statement does not preclude institutions from engaging 
entities other than independent public accountants to perform advisory 
and other services that do not require licensing under applicable state 
public accountancy statutes. For example, an institution may hire 
individuals or firms who are not independent public accountants to 
provide independent loan reviews, give advice on consumer compliance 
issues, suggest improvements to increase operational efficiency in 
specific departments (e.g., information processing), or assist in areas 
of taxation or management information systems. In addition, if 
acceptable under applicable state laws, these firms may perform state-
required directors' examinations; however, such services may not 
constitute or replace

[[Page 7802]]

an external auditing program performed by an independent public 
accountant.

Appendix A--Definitions

    Appropriate supervisory office. The regional or district office of 
the institution's primary federal banking agency which is responsible 
for supervising the institution, or, in the case of an institution that 
is part of a group of related insured institutions, the regional or 
district office of the institution's federal banking agency which is 
responsible for monitoring the group. If the institution is a 
subsidiary of a holding company, the term ``appropriate supervisory 
office'' also includes the federal banking agency responsible for 
supervising the holding company. In addition, if the institution is 
state-chartered, the term ``appropriate supervisory office'' includes 
the appropriate state bank or savings association regulatory authority.
    Audit. An examination of the financial statements, accounting 
records, and other supporting evidence of an institution performed by 
an independent certified or licensed public accountant in accordance 
with generally accepted auditing standards (GAAS) and of sufficient 
scope to enable the independent public accountant to express an opinion 
on the institution's financial statements as to their presentation in 
accordance with generally accepted accounting principles (GAAP).
    Audit Committee. A committee of the board of directors whose 
members should, to the extent possible, be knowledgeable about 
accounting and auditing. The committee should be responsible for 
reviewing and approving the institution's internal and external 
auditing programs or recommending adoption of these programs to the 
full board. Both the internal auditor and the independent public 
accountant should have unrestricted access to the audit committee 
without the need for any prior management knowledge or approval. Other 
duties of the audit committee may include reviewing the independence of 
the independent public accountant annually, consulting with management 
when management seeks a second opinion on an accounting issue, and 
overseeing the quarterly regulatory reporting process. The audit 
committee should report its findings periodically to the full board of 
directors.
    Directors' Examination. An engagement performed by an independent 
third party that has been authorized by the institution's board of 
directors and is required by state law. (A directors' examinations is 
called an ``engagement audit'' or ``operational audit.'' Nevertheless, 
it is often not performed in accordance with GAAS nor do widely 
accepted national standards exist for its performance.)
    External Auditing Program. The testing and evaluation of risk areas 
of an institution's business by an independent public accountant 
sufficient to enable the accountant to express an opinion on the 
financial statements or balance sheet. Under professional standards, 
this engagement should be performed in accordance with GAAS. 
Alternatively, an independent public accountant may attest to 
management's assertion concerning the effectiveness of the 
institution's internal control over financial reporting. Under 
professional standards, the independent public accountant is expected 
to perform this attestation engagement in accordance with the generally 
accepted standards for attestation engagements (GASAE).
    Financial Statements. The statements of financial position (balance 
sheet), income, cash flows, and changes in equity together with related 
notes.
    Independent Public Accountant. An accountant who is independent of 
the institution and registered or licensed to practice as a public 
accountant, and is in good standing, under the laws of the state or 
other political subdivision of the United States in which the home 
office of the institution is located. No certified public accountant or 
public accountant will be recognized as independent who is not in fact 
independent. The independent public accountant also should comply with 
the American Institute of Certified Public Accountants' (AICPA) Code of 
Professional Conduct and any related guidance adopted by the banking 
agencies.
    Internal auditing. An independent assessment function established 
within an institution to examine and evaluate its system of internal 
control and the efficiency with which the various units of the 
institution are carrying out their assigned tasks. The objective of 
internal auditing is to assist the management and directors of the 
institution in the effective discharge of their responsibilities. To 
this end, internal auditing furnishes management with analyses, 
appraisals, recommendations, counsel, and information concerning the 
activities reviewed.
    Outside Directors. Members of an institution's board of directors 
who are not officers, employees, or principal stockholders of the 
institution, its subsidiaries, or its affiliates, and do not have any 
material business dealings with the institution, its subsidiaries, or 
its affiliates.
    Regulatory Reports. These reports are the Reports of Condition and 
Income (Call Reports) for banks and Thrift Financial Reports (TFRs) for 
savings associations.
    Report on the Balance Sheet. An examination of an institution's 
balance sheet performed and reported on by an independent public 
accountant in accordance with GAAS and of sufficient scope to enable 
the independent public accountant to express an opinion on the fairness 
of the balance sheet presentation in accordance with GAAP.
    Risk Areas. Those particular activities of an institution that 
expose it to greater potential losses if problems exist and go 
undetected. The areas with the highest financial reporting risk in most 
institutions generally are their lending and investment securities 
activities.

    Dated: February 5, 1998.
Joe M. Cleaver,
Executive Secretary, Federal Financial Institutions Examination 
Council.
[FR Doc. 98-3374 Filed 2-13-98; 8:45 am]
BILLING CODE 6210-01-P, 6720-01-P, 6714-01-P, 4810-01-P