[Federal Register Volume 64, Number 187 (Tuesday, September 28, 1999)]
[Notices]
[Pages 52319-52327]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-25103]


=======================================================================
-----------------------------------------------------------------------

FEDERAL FINANCIAL INSTITUTIONS EXAMINATION COUNCIL

Federal Financial Institutions Examination Council


Interagency Policy Statement on External Auditing Programs of 
Banks and Savings Associations

ACTION: Notice of final interagency policy statement.

-----------------------------------------------------------------------

SUMMARY: The Federal Financial Institutions Examination Council (FFIEC) 
on behalf of the Board of Governors of the Federal Reserve System 
(FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of 
the Comptroller of the Currency (OCC), and the Office of Thrift 
Supervision (OTS), collectively referred to as the ``banking agencies'' 
or the ``agencies,'' is adopting an Interagency Policy Statement on 
External Auditing Programs of Banks and Savings Associations (Policy 
Statement). The National Credit Union Administration (NCUA), also a 
member of the FFIEC, does not plan to adopt the policy at this time. 
Banks and savings associations (institutions) with $500 million or more 
in total assets must have an annual audit performed by an independent 
public accountant under section 36 of the Federal Deposit Insurance Act 
(FDI Act), as implemented by 12 CFR Part 363. Thus, this Policy 
Statement applies only to institutions below that threshold that are 
not otherwise subject to audit requirements.
    Accurate financial reporting is essential to an institution's 
safety and soundness. To ensure accurate and reliable financial 
reporting, the agencies recommend that the board of directors of each 
institution establish and maintain an external auditing program. This 
Policy Statement provides guidance regarding independent external 
auditing programs encompassing: responsibilities of boards of 
directors, audit committees, and senior management; attributes and 
types of external auditing programs; special situations for 
institutions that are part of a holding company, newly chartered 
institutions, and institutions presenting supervisory concern; and 
examiner guidance for the review of external auditing programs. The 
Policy Statement also encourages institutions that are not otherwise 
required to do so, to establish an audit committee. This committee 
should consist entirely of outside directors, if practicable.

EFFECTIVE DATE: The Policy Statement is effective for fiscal years 
beginning on or after January 1, 2000.

FOR FURTHER INFORMATION CONTACT: FDIC: Doris L. Marsh, Examination 
Specialist, Division of Supervision, (202) 898-8905, or A. Ann Johnson, 
Counsel, Legal Division, (202) 898-3573, FDIC, 550 17th Street, N.W., 
Washington, DC 20429.
    FRB: Charles H. Holm, Manager, (202) 452-3502, or Arthur Lindo, 
Supervisory Financial Analyst, (202) 452-2695, Accounting Policy and 
Disclosure, Division of Banking Supervision and Regulation, Board of 
Governors of the Federal Reserve System, 20th Street and Constitution 
Avenue, N.W., Washington, DC 20551.
    OCC: Gene Green, Deputy Chief Accountant, Office of the Chief 
Accountant, (202) 874-4933, or Bill Morris, Senior Policy Analyst/
National Bank Examiner, (202) 874-4915, Core Policy Division, Office of 
the Comptroller of the Currency, 250 E Street, S.W., Washington, DC 
20219.
    OTS: Timothy J. Stier, Chief Accountant, (202) 906-5699, or 
Christine A. Smith, Policy Analyst, (202) 906-5740, Accounting Policy 
Division, Office of Thrift Supervision, 1700 G Street, N.W., 
Washington, DC 20552.

SUPPLEMENTARY INFORMATION:

I. Background

    An institution's internal and external auditing programs are 
critical to its safety and soundness. Many institutions currently have 
independent external audits. These audits are undertaken voluntarily or 
are required by section 36 of the FDI Act (12 U.S.C. 1831m) and its 
implementing regulation, 12 CFR part 363; the Securities and Exchange 
Act of 1934 (15 U.S.C. 78a); the Federal Reserve bank holding company 
reporting requirements in the FR Y-6 Annual Report of Bank Holding 
Companies; or other appropriate laws and regulations. When an 
institution lacks an internal auditing program or

[[Page 52320]]

has weaknesses in an existing program, examiners often encourage the 
institution to have an independent external audit 1 
performed. However, some institutions, particularly smaller 
institutions, still do not have an external audit for various reasons.
---------------------------------------------------------------------------

    \1\ An examination of the financial statements of an institution 
performed by an independent certified or licensed public accountant 
in accordance with generally accepted auditing standards (GAAS) and 
of sufficient scope to enable the independent public accountant to 
express an opinion on the institution's financial statements as to 
their presentation in accordance with generally accepted accounting 
principles (GAAP).
---------------------------------------------------------------------------

    The banking agencies believe that an independent external audit 
provides reasonable assurance that an institution's financial 
statements are prepared in accordance with generally accepted 
accounting principles (GAAP). Accordingly, the banking agencies 
encourage all institutions to obtain external audits. To provide 
explicit guidance to institutions regarding external audits, the FFIEC 
has approved a uniform Interagency Policy Statement. The FFIEC 
recommends to the banking agencies that they individually adopt the 
policy.
    This Policy Statement is generally consistent with the individual 
policies of the banking agencies. The agencies have provided guidance 
on external audits to their supervised institutions, but a uniform 
policy does not exist. For example, the OCC discusses its policies with 
regard to independent external audits for national banks in the 
Comptroller's Handbook for National Banks, Section 102, Internal and 
External Audits, and the Comptroller's Corporate Manual. The FDIC first 
adopted guidance on this subject in its Policy Statement Regarding 
Independent External Auditing Programs of State Nonmember Banks in 1988 
(53 FR 47871, November 28, 1988) and amended this policy in 1996 (61 FR 
32438, June 24, 1996). The OTS's policy on independent external audits 
is discussed in the Thrift Activities Regulatory Handbook, Section 350, 
Independent Audits. The FRB sets forth its policy on external audits in 
the FR Y-6--Annual Report of Bank Holding Companies and Section 1010, 
``External Audits,'' of the Commercial Bank Examination Manual.

II. The Proposed Policy Statement

    The FFIEC sought public comment on the proposed policy statement on 
External Auditing Programs of Banks and Savings Associations in 
February 1998 (63 FR 7796, February 17, 1998). A section-by-section 
summary of the proposal follows:

Board of Directors' Responsibilities

    The proposed policy statement expressed the banking agencies' 
belief that accurate financial reporting is essential to an 
institution's safety and soundness. To help ensure accurate and 
reliable financial reporting, the agencies recommended that the board 
of directors of each institution consider establishing and maintaining 
an external auditing program. The banking agencies believe that the 
board of directors should consider an external auditing program 
performed by an independent public accountant to be conducive to the 
safe and sound operation of the institution.
    The proposal also encouraged the board of each institution, that is 
not otherwise required to do so, to establish an audit committee 
consisting entirely of outside directors, if practicable. It stated 
that an institution's board of directors or audit committee should 
consider the appropriateness of an external auditing program for the 
institution. In addition, the board of directors or audit committee 
should consider what form of external auditing program would assure 
that the institution's financial statements and regulatory reports are 
prepared reliably.

Alternative External Auditing Programs

    The proposed policy statement identified a preferred external 
auditing program--a financial statement audit by an independent public 
accountant. The proposal also identified two alternatives--a report on 
the balance sheet audit and an attestation report on an internal 
control assertion.
    The proposal also stated that an institution which is a subsidiary 
of a holding company may express the scope of its external auditing 
program in terms of its relationship to the consolidated group. 
However, the board or audit committee of the subsidiary should 
determine whether the subsidiary's activities involve unusual risks 
that are not covered adequately within the scope of the audit of the 
consolidated financial statements. If so, the proposal suggested that 
the board or audit committee consider strengthening its internal 
auditing procedures or implementing an appropriate alternative external 
auditing program.

Other Matters Concerning an External Auditing Program

    The proposed policy statement recommended that an institution's 
external auditing program be performed as of a quarter-end date that 
coincides with a regulatory report date. The proposal explained that an 
independent public accountant should have access to examination 
reports, other documents, and reports of action related to the 
supervision of the institution by its appropriate federal or state 
banking agency.

Examiner Review of the External Auditing Program

    The proposal explained that examiners should consider an 
institution's size, the nature and scope of its activities, and any 
compensating controls when determining the adequacy of its external 
auditing program and making recommendations for improvement. Examiners 
should also consider whether the institution has undertaken a state-
required auditing program (the scope of which differs from the 
preferred and alternative programs set forth in the proposal) when 
determining whether to make recommendations for improvements to the 
institution's external auditing program.

Notification and Submission of Reports

    In the proposal, the agencies requested that each institution 
furnish, to its appropriate supervisory office, a copy of any reports 
by the independent public accountant pertaining to the external 
auditing program. The proposal also requested each institution to 
notify its appropriate supervisory office when an independent public 
accountant is engaged initially or when a change in, or termination of 
the services of, its accountant occurs.

Special Situations

    The proposed policy statement noted that the FDIC Statement of 
Policy on Applications for Deposit Insurance (57 FR 12822) requires 
newly insured institutions to adopt an appropriate external auditing 
program. The proposal also listed some of the conditions that might be 
present in a problem institution which would warrant imposing 
requirements for specific external auditing services.

Appendix A--Definitions

    Appendix A defined the terms used throughout the proposed policy 
statement. The agencies intended that these definitions be consistent 
with those used in current professional accounting and auditing 
literature and in the report of the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO Report), ``Internal 
Control--Integrated Framework.''

[[Page 52321]]

III. Discussion of Public Comments

A. General Comments

    The FFIEC received approximately 120 letters commenting on the 
proposed policy statement. Over 90 letters came from depository 
institutions whose size (based on total assets) ranged from about $2 
million to $250 million. Of those letters, 20 percent came from 
national banks, 70 percent from state nonmember banks, and 10 percent 
from state member banks. One savings association submitted a comment. 
The other letters primarily came from national and state bank trade 
associations, accounting trade associations, accounting firms, and 
state banking departments. Other commenters included an organization 
representing state bank supervisory authorities, an attorney, an 
auditor, a consultant and two bank holding companies with small 
community banks.
    Almost two-thirds of the commenters generally were opposed to the 
proposed policy statement. They cited the cost of requiring an audit by 
an independent public accountant as the reason for opposition. Those 
commenters warned that the cost of a financial statement audit would 
far outweigh its benefits for most small banks. In addition, over 40 
percent of commenters opposed any requirement that each institution 
have an independent public accountant perform any external auditing 
program.
    A number of commenters suggested that only institutions over a 
specified threshold be required to have an annual audit. The 
recommended thresholds ranged from $50 million to $250 million in total 
assets, with most respondents suggesting either $100 or $150 million in 
total assets as the appropriate size.
    In contrast, most of the state banking departments that commented 
on the proposal favored it as did three-quarters of the accounting 
organizations, two banks, and one national bank trade association.
    Several commenters questioned the timing of this proposal. 
Commenters suggested that the FFIEC not make it effective until after 
institutions had dealt with their Year 2000 computer problems. One 
state banking regulator suggested that the FFIEC phase in the proposal 
over a three year period to give states time to make their laws and 
regulations consistent with the proposed policy statement. Another 
state banking department recommended that the FFIEC exempt institutions 
in states with acceptable directors' examination requirements.

B. Changes to the Proposal in Response to Comments

Introduction
    Many of the commenters misinterpreted the purpose, effect, and 
consequences of the proposed policy statement, believing that the 
agencies were requiring external audits of all institutions. For that 
reason, the FFIEC has expanded the Introduction to the Policy Statement 
and revised several parts of the document to better explain the 
recommendations.
Overview of External Auditing Programs
    The FFIEC has revised the overview to set forth the benefits of a 
strong external auditing program and to discuss the responsibilities of 
the board of directors and audit committee for such a program. Because 
of many commenters' misunderstanding that the proposed policy statement 
requires an audit, the final Policy Statement has been clarified to 
explain that both an institution's audit committee and the agencies' 
examiners should consider the size of the institution and the nature, 
scope, and complexity of its operations when evaluating its external 
auditing program.
    Nevertheless, many institutions already have an annual audit of 
their financial statements performed by an independent public 
accountant. In fact, almost 65 percent of institutions with total 
assets under $500 million either voluntarily or for other reasons have 
such an audit. More than 85 percent of the institutions with total 
assets under $500 million either have an audit or another type of 
external auditing program performed annually by an independent public 
accountant.2 Thus, the agencies do not believe that they 
need to establish a total asset threshold (below the $500 million 
threshold in 12 CFR 363) at which institutions would be required to 
have audits. However, the agencies expect those institutions that 
historically have had annual audits to continue to do so. For those 
having another type of external auditing program performed by an 
independent public accountant, the agencies expect them to continue to 
obtain the same, or a more extensive, external auditing program in 
future years.
---------------------------------------------------------------------------

    \2\ Of institutions under $500 million in total assets, annual 
audits are obtained by approximately 70 percent of national banks, 
65 percent of state member banks, and 58 percent of state nonmember 
banks. If other annual external auditing programs performed by an 
independent public accountant are included, approximately 90 percent 
of national banks, 86 percent of state member banks, and 82 percent 
of state nonmember banks already have external auditing programs 
that would likely meet the recommendations of the Policy Statement. 
With regard to all thrift institutions, about 97 percent currently 
have annual audits and 99 percent have an external auditing program 
performed by an independent public accountant.
---------------------------------------------------------------------------

    The proposed policy statement encouraged institutions that are not 
otherwise required to do so to have an audit committee consisting 
entirely of outside directors, if practicable. However, several 
commenters argued that small banks in rural communities may find it 
difficult to obtain knowledgeable persons outside of the institution 
who are willing to sit on a bank's board of directors. The agencies do 
not dispute this argument and for that reason, included a 
practicability exception in the proposal. This exception remains in the 
Policy Statement. As with the other provisions of this Policy 
Statement, an institution's board is encouraged to establish an audit 
committee entirely of outside directors, but is not required to do so.
External Auditing Programs
    The final Policy Statement includes a new section which provides an 
overview of the basic attributes of a sound external auditing program. 
This section should assist boards and audit committees in determining 
the type of program that is most suitable for their institution. The 
final Policy Statement continues to identify a preferred external 
auditing program (a financial statement audit by an independent public 
accountant) and two alternative programs (an attestation report on 
internal control and a report on the balance sheet audit). It includes 
an explanation of these alternatives.
    Several commenters argued that the cost of the balance sheet audit 
alternative was similar to that of a complete financial statement 
audit. Others stated that the internal control attestation report 
alternative is impractical because establishing and maintaining 
adequate internal control is very difficult in a small bank with few 
employees. The agencies agree that the cost of a balance sheet report 
audit may approach the cost of a financial statement audit, but in 
their opinion, it is a satisfactory alternative for many small banks. 
The internal control attestation alternative is generally the least 
costly of the three and may be the most beneficial choice for many 
small institutions. The agencies understand that small institutions 
will not have sufficient employees to establish as extensive an 
internal control system as larger institutions (for example, 
segregation of duties), but small institutions can use compensating 
controls to lessen the internal control risk.

[[Page 52322]]

    The final Policy Statement discusses the state-required 
examinations and agreed-upon procedures that are performed annually for 
some small institutions. The document does not preclude an institution 
from selecting one of these external auditing programs. The Policy 
Statement also describes when management should consider expanding the 
scope of the external auditing program.
    This section also recommends that an institution schedule an annual 
external auditing program as of year-end, or if that is not possible, 
at a quarter-end date that coincides with a regulatory report date. To 
minimize expense, several commenters suggested that the FFIEC recommend 
that external auditing programs be performed every 18 months, every 
other year, or every third year. The agencies did not change their 
recommendation, because they believe that external auditing programs 
are most effective if performed annually.
    The Policy Statement encourages institutions to use an independent 
public accountant to provide a recognized standard of knowledge and 
objectivity. It has been revised, however, to permit a person other 
than an independent public accountant to perform agreed-upon 
procedures/state required examinations when permitted under the 
appropriate state law or regulations. Nevertheless, the Policy 
Statement cautions that whoever does such work should have experience 
with financial institution accounting and auditing and should be 
knowledgeable about relevant laws and regulations.
Special Situations
    This section of the Policy Statement generally is unchanged from 
the proposal. It continues to address institutions that are holding 
company subsidiaries, newly insured institutions, and institutions that 
present supervisory concerns.
Examiner Guidance
    This section has been expanded to provide general guidance to 
examiners who will assess an institution's external auditing program, 
and to describe the basis for evaluating the institution's performance. 
For example, examiners are expected to evaluate whether (1) the board 
or audit committee has reviewed at least annually an institution's 
external auditing program; (2) the program is appropriate for the size 
and operations of the institution; (3) the external auditor is 
independent; (4) the board or audit committee has concluded that the 
auditor is competent and knowledgeable about banking; and (5) the 
external auditing program has been monitored properly. Nevertheless, in 
the agencies' opinion, an examiner should not automatically comment 
adversely to the board of directors of an institution with an otherwise 
satisfactory external auditing program merely because it does not 
engage an independent public accountant to audit its financial 
statements.
    In addition, this section reconfirms that an auditor should have 
access to examination reports and other communications between 
regulators and the institution. Institutions also are encouraged to 
submit, to their appropriate supervisory office on a timely basis, 
reports issued by their external auditor on the external auditing 
program. The section also states that the institution should obtain an 
engagement letter from the auditor which states that examiners will be 
granted immediate and full access to the external auditing reports and 
related workpapers prepared by the auditor.

Appendix A--Definitions

    Appendix A defines the terms used throughout the Policy Statement. 
The agencies made revisions only when needed to be consistent with any 
changes in the final Policy Statement.

C. Other Comments

    The agencies encouraged comments on the proposed policy statement 
from any institution that had its independent public accountant perform 
one of the proposed alternative external auditing programs, i.e., a 
report on the institution's balance sheet or an attestation report on 
internal control over specified schedules of its regulatory reports. 
Although many commenters objected to those alternatives, no respondents 
from banking organizations indicated that they had experience with 
these types of engagements.
    In addition, some states have state-required external auditing 
programs (e.g., directors' examinations) that differ from the types of 
external auditing programs described in the proposed policy statement. 
Accordingly, the FFIEC requested comments on the amount of time states 
needed to modify the agreed-upon procedures in state-required 
examinations to be consistent with the types of programs set forth in 
any final Policy Statement. One state suggested three years. Several 
states indicated that the policy would have little effect because all, 
or almost all, of the institutions within their states already obtain 
audits. Since this Policy Statement recommends, but does not require 
that institutions establish external auditing programs, the agencies 
are not providing a phase-in period as suggested by some commenters or 
a specifically defined transition period to allow states to modify 
their requirements.
    Several other state banking departments recommended state-required 
examinations as an alternative. Since these examinations differ among 
the states, and the states may, at any time, amend their requirements, 
the agencies did not believe that they should make any determination as 
to which state requirements should be considered acceptable. The final 
Policy Statement does not preclude an institution from using the state-
required examination as an alternative. However, as with all other 
external auditing programs, the institution's board or audit committee 
should determine whether such an examination meets the institution's 
needs, considering its size and the nature, scope, and complexity of 
its business activities.

IV. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (PRA), the 
Agencies may not conduct or sponsor, and the respondent is not required 
to respond to, an information collection that does not display a 
currently valid Office of Management and Budget (OMB) control number. 
The FFIEC's Proposed policy statement; Request for comment, which was 
published on February 17, 1998, at 63 FR 7796, fulfilled the first 
notice requirement required by the PRA. Four comments were received 
relating to the information collections in the FFIEC Proposed policy 
statement. Each Agency likely will adopt the Final FFIEC policy 
statement for its institutions, including the information collections, 
as appropriate. At that time, each Agency will respond to the comments 
received and determine what changes, if any, are appropriate for its 
supervised institutions.

V. Policy Statement

    The text of the Interagency Policy Statement follows:

Federal Financial Institutions Examination Council

Interagency Policy Statement on External Auditing Programs of Banks 
and Savings Associations

Introduction

    The board of directors and senior managers of a banking institution 
or savings association (institution) are responsible for ensuring that 
the institution operates in a safe and sound manner. To achieve this 
goal and meet

[[Page 52323]]

the safety and soundness guidelines implementing Section 39 of the 
Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-
1),1 the institution should maintain effective systems and 
internal control 2 to produce reliable and accurate 
financial reports.
---------------------------------------------------------------------------

    \1\ See 12 CFR Part 30 for national banks; 12 CFR Part 364 for 
state nonmember banks; 12 CFR Part 208 for state member banks; and 
12 CFR Part 510 for savings associations.
    \2\ This Policy Statement provides guidance consistent with the 
guidance established in the ``Interagency Policy Statement on the 
Internal Audit Function and its Outsourcing.''
---------------------------------------------------------------------------

    Accurate financial reporting is essential to an institution's 
safety and soundness for numerous reasons. First, accurate financial 
information enables management to effectively manage the institution's 
risks and make sound business decisions. In addition, institutions are 
required by law 3 to provide accurate and timely financial 
reports (e.g., Reports of Condition and Income [Call Reports] and 
Thrift Financial Reports) to their appropriate regulatory agency. These 
reports serve an important role in the agencies' 4 risk-
focused supervision programs by contributing to their pre-examination 
planning, off-site monitoring programs, and assessments of an 
institution's capital adequacy and financial strength. Further, 
reliable financial reports are necessary for the institution to raise 
capital. They provide data to stockholders, depositors and other funds 
providers, borrowers, and potential investors on the company's 
financial position and results of operations. Such information is 
critical to effective market discipline of the institution.
---------------------------------------------------------------------------

    \3\ See 12 U.S.C. 161 for national banks; 12 U.S.C. 1817a for 
state nonmember banks; 12 U.S.C. 324 for state member banks; and 12 
U.S.C. 1464(v) for savings associations.
    \4\ Terms defined in Appendix A are italicized the first time 
they appear in this policy statement.
---------------------------------------------------------------------------

    To help ensure accurate and reliable financial reporting, the 
agencies recommend that the board of directors of each institution 
establish and maintain an external auditing program. An external 
auditing program should be an important component of an institution's 
overall risk management process. For example, an external auditing 
program complements the internal auditing function of an institution by 
providing management and the board of directors with an independent and 
objective view of the reliability of the institution's financial 
statements and the adequacy of its financial reporting internal 
controls. Additionally, an effective external auditing program 
contributes to the efficiency of the agencies' risk-focused examination 
process. By considering the significant risk areas of an institution, 
an effective external auditing program may reduce the examination time 
the agencies spend in such areas. Moreover, it can improve the safety 
and soundness of an institution substantially and lessen the risk the 
institution poses to the insurance funds administered by the Federal 
Deposit Insurance Corporation (FDIC).
    This policy statement outlines the characteristics of an effective 
external auditing program and provides examples of how an institution 
can use an external auditor to help ensure the reliability of its 
financial reports. It also provides guidance on how an examiner may 
assess an institution's external auditing program. In addition, this 
policy statement provides specific guidance on external auditing 
programs for institutions that are holding company subsidiaries, newly 
insured institutions, and institutions presenting supervisory concerns.
    The adoption of a financial statement audit or other specified type 
of external auditing program is generally only required in specific 
circumstances. For example, insured depository institutions covered by 
Section 36 of the FDI Act (12 U.S.C. 1831m), as implemented by Part 363 
of the FDIC's regulations (12 CFR part 363), are required to have an 
external audit and an audit committee. Therefore, this policy statement 
is directed toward banks and savings associations which are exempt from 
Part 363 (i.e., institutions with less than $500 million in total 
assets at the beginning of their fiscal year) or are not otherwise 
subject to audit requirements by order, agreement, statute, or agency 
regulations.

Overview of External Auditing Programs

Responsibilities of the Board of Directors
    The board of directors of an institution is responsible for 
determining how to best obtain reasonable assurance that the 
institution's financial statements and regulatory reports are reliably 
prepared. In this regard, the board is also responsible for ensuring 
that its external auditing program is appropriate for the institution 
and adequately addresses the financial reporting aspects of the 
significant risk areas and any other areas of concern of the 
institution's business.
    To help ensure the adequacy of its internal and external auditing 
programs, the agencies encourage the board of directors of each 
institution that is not otherwise required to do so to establish an 
audit committee consisting entirely of outside directors.5 
However, if this is impracticable, the board should organize the audit 
committee so that outside directors constitute a majority of the 
membership.
---------------------------------------------------------------------------

    \5\ Institutions with $500 million or more in total assets must 
establish an independent audit committee made up of outside 
directors who are independent of management. See 12 U.S.C. 
1831m(g)(1) and 12 CFR 363.5.
---------------------------------------------------------------------------

Audit Committee
    The audit committee or board of directors is responsible for 
identifying at least annually the risk areas of the institution's 
activities and assessing the extent of external auditing involvement 
needed over each area. The audit committee or board is then responsible 
for determining what type of external auditing program will best meet 
the institution's needs (refer to the descriptions under ``Types of 
External Auditing Programs'').
    When evaluating the institution's external auditing needs, the 
board or audit committee should consider the size of the institution 
and the nature, scope, and complexity of its operations. It should also 
consider the potential benefits of an audit of the institution's 
financial statements or an examination of the institution's internal 
control structure over financial reporting, or both. In addition, the 
board or audit committee may determine that additional or specific 
external auditing procedures are warranted for a particular year or 
several years to cover areas of particularly high risk or special 
concern. The reasons supporting these decisions should be recorded in 
the committee's or board's minutes.
    If, in its annual consideration of the institution's external 
auditing program, the board or audit committee determines, after 
considering its inherent limitations, that an agreed-upon procedures/
state-required examination is sufficient, they should also consider 
whether an independent public accountant should perform the work. When 
an independent public accountant performs auditing and attestation 
services, the accountant must conduct his or her work under, and may be 
held accountable for departures from, professional standards. 
Furthermore, when the external auditing program includes an audit of 
the financial statements, the board or audit committee obtains an 
opinion from the independent public accountant stating whether the 
financial statements are presented fairly, in all material respects, in 
accordance with generally accepted accounting principles (GAAP). When 
the external auditing program includes

[[Page 52324]]

an examination of the internal control structure over financial 
reporting, the board or audit committee obtains an opinion from the 
independent public accountant stating whether the financial reporting 
process is subject to any material weaknesses.
    Both the staff performing an internal audit function and the 
independent public accountant or other external auditor should have 
unrestricted access to the board or audit committee without the need 
for any prior management knowledge or approval. Other duties of an 
audit committee may include reviewing the independence of the external 
auditor annually, consulting with management, seeking an opinion on an 
accounting issue, and overseeing the quarterly regulatory reporting 
process. The audit committee should report its findings periodically to 
the full board of directors.

External Auditing Programs

Basic Attributes
    External auditing programs should provide the board of directors 
with information about the institution's financial reporting risk 
areas, e.g., the institution's internal control over financial 
reporting, the accuracy of its recording of transactions, and the 
completeness of its financial reports prepared in accordance with GAAP.
    The board or audit committee of each institution at least annually 
should review the risks inherent in its particular activities to 
determine the scope of its external auditing program. For most 
institutions, the lending and investment securities activities present 
the most significant risks that affect financial reporting. Thus, 
external auditing programs should include specific procedures designed 
to test at least annually the risks associated with the loan and 
investment portfolios. This includes testing of internal control over 
financial reporting, such as management's process to determine the 
adequacy of the allowance for loan and lease losses and whether this 
process is based on a comprehensive, adequately documented, and 
consistently applied analysis of the institution's loan and lease 
portfolio.
    An institution or its subsidiaries may have other significant 
financial reporting risk areas such as material real estate 
investments, insurance underwriting or sales activities, securities 
broker-dealer or similar activities (including securities underwriting 
and investment advisory services), loan servicing activities, or 
fiduciary activities. The external auditing program should address 
these and other activities the board or audit committee determines 
present significant financial reporting risks to the institution.
Types of External Auditing Programs
    The agencies consider an annual audit of an institution's financial 
statements performed by an independent public accountant to be the 
preferred type of external auditing program. The agencies also consider 
an annual examination of the effectiveness of the internal control 
structure over financial reporting or an audit of an institution's 
balance sheet, both performed by an independent public accountant, to 
be acceptable alternative external auditing programs. However, the 
agencies recognize that some institutions only have agreed-upon 
procedures/state-required examinations performed annually as their 
external auditing program. Regardless of the option chosen, the board 
or audit committee should agree in advance with the external auditor on 
the objectives and scope of the external auditing program.
    Financial Statement Audit by an Independent Public Accountant. The 
agencies encourage all institutions to have an external audit performed 
in accordance with generally accepted auditing standards (GAAS). The 
audit's scope should be sufficient to enable the auditor to express an 
opinion on the institution's financial statements taken as a whole.
    A financial statement audit provides assurance about the fair 
presentation of an institution's financial statements. In addition, an 
audit may provide recommendations for management in carrying out its 
control responsibilities. For example, an audit may provide management 
with guidance on establishing or improving accounting and operating 
policies and recommendations on internal control (including internal 
auditing programs) necessary to ensure the fair presentation of the 
financial statements.
    Reporting by an Independent Public Accountant on an Institution's 
Internal Control Structure Over Financial Reporting. Another external 
auditing program is an independent public accountant's examination and 
report on management's assertion on the effectiveness of the 
institution's internal control over financial reporting. For a smaller 
institution with less complex operations, this type of engagement is 
likely to be less costly than an audit of its financial statements or 
its balance sheet. It would specifically provide recommendations for 
improving internal control, including suggestions for compensating 
controls, to mitigate the risks due to staffing and resource 
limitations.
    Such an attestation engagement may be performed for all internal 
controls relating to the preparation of annual financial statements or 
specified schedules of the institution's regulatory reports.\6\ This 
type of engagement is performed under generally accepted standards for 
attestation engagements (GASAE).\7\
---------------------------------------------------------------------------

    \6\ Since the lending and investment securities activities 
generally present the most significant risks that affect an 
institution's financial reporting, management's assertion and the 
accountant's attestation generally should cover those regulatory 
report schedules. If the institution has trading or off-balance 
sheet activities that present material financial reporting risks, 
the board or audit committee should ensure that the regulatory 
report schedules for those activities also are covered by 
management's assertion and the accountant's attestation. See Note 
above for further information.
    \7\ An attestation engagement is not an audit. It is performed 
under different professional standards than an audit of an 
institution's financial statements or its balance sheet.

    Note: For banks and savings associations, the lending, 
investment securities, trading, and off-balance sheet schedules 
consist of:

------------------------------------------------------------------------
                                     Reports of
              Area                  condition and      Thrift financial
                                  income schedules     report schedules
------------------------------------------------------------------------
Loans and Lease Financing        RC-C, Part I......  SC, CF.
 Receivables.
Past Due and Nonaccrual Loans,   RC-N..............  PD.
 Leases, and Other Assets.
Allowance for Credit Losses....  RI-B..............  SC, VA.
Securities.....................  RC-B..............  SC, SI, CF.
Trading Assets and Liabilities.  RC-D..............  SO, SI.
Off-Balance Sheet Items........  RC-L..............  SI, CMR.
------------------------------------------------------------------------


[[Page 52325]]

    These schedules are not intended to address all possible risks 
in an institution.

    Balance Sheet Audit Performed By An Independent Public Accountant. 
With this program, the institution engages an independent public 
accountant to examine and report only on the balance sheet. As with the 
audit of the financial statements, this audit is performed in 
accordance with GAAS. The cost of a balance sheet audit is likely to be 
less than a financial statement audit. However, under this type of 
program, the accountant does not examine or report on the fairness of 
the presentation of the institution's income statement, statement of 
changes in equity capital, or statement of cash flows.
    Agreed-Upon Procedures/State-Required Examinations. Some state-
chartered depository institutions are required by state statute or 
regulation to have specified procedures performed annually by their 
directors or independent persons.\8\ The bylaws of many national banks 
also require that some specified procedures be performed annually by 
directors or others, including internal or independent persons. 
Depending upon the scope of the engagement, the cost of agreed-upon 
procedures or a state-required examination may be less than the cost of 
an audit. However, under this type of program, the independent auditor 
does not report on the fairness of the institution's financial 
statements or attest to the effectiveness of the internal control 
structure over financial reporting. The findings or results of the 
procedures are usually presented to the board or the audit committee so 
that they may draw their own conclusions about the quality of the 
financial reporting or the sufficiency of internal control.
---------------------------------------------------------------------------

    \8\ When performed by an independent public accountant, 
``specified procedures'' and ``agreed-upon procedures'' engagements 
are performed under standards, which are different professional 
standards than those used for an audit of an institution's financial 
statements or its balance sheet.
---------------------------------------------------------------------------

    When choosing this type of external auditing program, the board or 
audit committee is responsible for determining whether these procedures 
meet the external auditing needs of the institution, considering its 
size and the nature, scope, and complexity of its business activities. 
For example, if an institution's external auditing program consists 
solely of confirmations of deposits and loans, the board or committee 
should consider expanding the scope of the auditing work performed to 
include additional procedures to test the institution's high risk 
areas. Moreover, a financial statement audit, an examination of the 
effectiveness of the internal control structure over financial 
reporting, and a balance sheet audit may be accepted in some states and 
for national banks in lieu of agreed-upon procedures/state-required 
examinations.
Other Considerations
    Timing. The preferable time to schedule the performance of an 
external auditing program is as of an institution's fiscal year-end. 
However, a quarter-end date that coincides with a regulatory report 
date provides similar benefits. Such an approach allows the institution 
to incorporate the results of the external auditing program into its 
regulatory reporting process and, if appropriate, amend the regulatory 
reports.
    External Auditing Staff. The agencies encourage an institution to 
engage an independent public accountant to perform its external 
auditing program. An independent public accountant provides a 
nationally recognized standard of knowledge and objectivity by 
performing engagements under GAAS or GASAE. The firm or independent 
person selected to conduct an external auditing program and the staff 
carrying out the work should have experience with financial institution 
accounting and auditing or similar expertise and should be 
knowledgeable about relevant laws and regulations.

Special Situations

Holding Company Subsidiaries
    When an institution is owned by another entity (such as a holding 
company), it may be appropriate to address the scope of its external 
audit program in terms of the institution's relationship to the 
consolidated group. In such cases, if the group's consolidated 
financial statements for the same year are audited, the agencies 
generally would not expect the subsidiary of a holding company to 
obtain a separate audit of its financial statements. Nevertheless, the 
board of directors or audit committee of the subsidiary may determine 
that its activities involve significant risks to the subsidiary that 
are not within the procedural scope of the audit of the financial 
statements of the consolidated entity. For example, the risks arising 
from the subsidiary's activities may be immaterial to the financial 
statements of the consolidated entity, but material to the subsidiary. 
Under such circumstances, the audit committee or board of the 
subsidiary should consider strengthening the internal audit coverage of 
those activities or implementing an appropriate alternative external 
auditing program.
Newly Insured Institutions
    Under the FDIC Statement of Policy on Applications for Deposit 
Insurance, applicants for deposit insurance coverage are expected to 
commit the depository institution to obtain annual audits by an 
independent public accountant once it begins operations as an insured 
institution and for a limited period thereafter.
Institutions Presenting Supervisory Concerns
    As previously noted, an external auditing program complements the 
agencies' supervisory process and the institution's internal auditing 
program by identifying or further clarifying issues of potential 
concern or exposure. An external auditing program also can greatly 
assist management in taking corrective action, particularly when 
weaknesses are detected in internal control or management information 
systems affecting financial reporting.
    The agencies may require a financial institution presenting safety 
and soundness concerns to engage an independent public accountant or 
other independent external auditor to perform external auditing 
services.\9\ Supervisory concerns may include:
---------------------------------------------------------------------------

    \9\ The Office of Thrift Supervision requires an external audit 
by an independent public accountant for savings associations with a 
composite rating of 3, 4, or 5 under the Uniform Financial 
Institution Rating System, and on a case-by-case basis.
---------------------------------------------------------------------------

     Inadequate internal control, including the internal 
auditing program;
     A board of directors generally uninformed about internal 
control;
     Evidence of insider abuse;
     Known or suspected defalcations;
     Known or suspected criminal activity;
     Probable director liability for losses;
     The need for direct verification of loans or deposits;
     Questionable transactions with affiliates; or
     The need for improvements in the external auditing 
program.
    The agencies may also require that the institution provide its 
appropriate supervisory office with a copy of any reports, including 
management letters, issued by the independent public accountant or 
other external auditor. They also may require the institution to notify 
the supervisory office prior to any meeting with the independent public 
accountant or other external auditor at which auditing findings are to 
be presented.

[[Page 52326]]

Examiner Guidance

Review of the External Auditing Program
    The review of an institution's external auditing program is a 
normal part of the agencies' examination procedures. An examiner's 
evaluation of, and any recommendations for improvements in, an 
institution's external auditing program will consider the institution's 
size; the nature, scope, and complexity of its business activities; its 
risk profile; any actions taken or planned by it to minimize or 
eliminate identified weaknesses; the extent of its internal audit 
program; and any compensating controls in place. Examiners will 
exercise judgment and discretion in evaluating the adequacy of an 
institution's external auditing program.
    Specifically, examiners will consider the policies, processes, and 
personnel surrounding an institution's external auditing program in 
determining whether:
     The board of directors or its audit committee adequately 
reviews and approves external auditing program policies at least 
annually.
     The external auditing program is conducted by an 
independent public accountant or other independent auditor and is 
appropriate for the institution.
     The engagement letter covering external auditing 
activities is adequate.
     The report prepared by the auditor on the results of the 
external auditing program adequately explains the auditor's findings.
     The external auditor maintains appropriate independence 
regarding relationships with the institution under relevant 
professional standards.
     The board of directors performs due diligence on the 
relevant experience and competence of the independent auditor and staff 
carrying out the work (whether or not an independent public accountant 
is engaged).
     The board or audit committee minutes reflect approval and 
monitoring of the external auditing program and schedule, including 
board or committee reviews of audit reports with management and timely 
action on audit findings and recommendations.
Access to Reports
    Management should provide the independent public accountant or 
other auditor with access to all examination reports and written 
communication between the institution and the agencies or state bank 
supervisor since the last external auditing activity. Management also 
should provide the accountant with access to any supervisory memoranda 
of understanding, written agreements, administrative orders, reports of 
action initiated or taken by a federal or state banking agency under 
section 8 of the FDI Act (or a similar state law), and proposed or 
ordered assessments of civil money penalties against the institution or 
an institution-related party, as well as any associated correspondence. 
The auditor must maintain the confidentiality of examination reports 
and other confidential supervisory information.
    In addition, the independent public accountant or other auditor of 
an institution should agree in the engagement letter to grant examiners 
access to all the accountant's or auditor's workpapers and other 
material pertaining to the institution prepared in the course of 
performing the completed external auditing program.
    Institutions should provide reports 10 issued by the 
independent public accountant or other auditor pertaining to the 
external auditing program, including any management letters, to the 
agencies and any state authority in accordance with their appropriate 
supervisory office's guidance.11 Significant developments 
regarding the external auditing program should be communicated promptly 
to the appropriate supervisory office. Examples of those developments 
include the hiring of an independent public accountant or other third 
party to perform external auditing work and a change in, or termination 
of, an independent public accountant or other external auditor.
---------------------------------------------------------------------------

    \10\ The institution's engagement letter is not a ``report'' and 
is not expected to be submitted to the appropriate supervisory 
office unless specifically requested by that office.
    \11\ When an institution's financial information is included in 
the audited consolidated financial statements of its parent company, 
the institution should provide a copy of the audited financial 
statements of the consolidated company and any other reports by the 
independent public accountant in accordance with their appropriate 
supervisory office's guidance. If several institutions are owned by 
one parent company, a single copy of the reports may be supplied in 
accordance with the guidance of the appropriate supervisory office 
of each agency supervising one or more of the affiliated 
institutions and the holding company. A transmittal letter should 
identify the institutions covered. Any notifications of changes in, 
or terminations of, a consolidated company's independent public 
accountant may be similarly supplied to the appropriate supervisory 
office of each supervising agency.
---------------------------------------------------------------------------

Appendix A--Definitions
    Agencies. The agencies are the Board of Governors of the Federal 
Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), 
the Office of the Comptroller of the Currency (OCC), and the Office of 
Thrift Supervision (OTS).
    Appropriate supervisory office. The regional or district office of 
the institution's primary federal banking agency responsible for 
supervising the institution or, in the case of an institution that is 
part of a group of related insured institutions, the regional or 
district office of the institution's federal banking agency responsible 
for monitoring the group. If the institution is a subsidiary of a 
holding company, the term ``appropriate supervisory office'' also 
includes the federal banking agency responsible for supervising the 
holding company. In addition, if the institution is state-chartered, 
the term ``appropriate supervisory office'' includes the appropriate 
state bank or savings association regulatory authority.
    Audit. An examination of the financial statements, accounting 
records, and other supporting evidence of an institution performed by 
an independent certified or licensed public accountant in accordance 
with generally accepted auditing standards (GAAS) and of sufficient 
scope to enable the independent public accountant to express an opinion 
on the institution's financial statements as to their presentation in 
accordance with generally accepted accounting principles (GAAP).
    Audit committee. A committee of the board of directors whose 
members should, to the extent possible, be knowledgeable about 
accounting and auditing. The committee should be responsible for 
reviewing and approving the institution's internal and external 
auditing programs or recommending adoption of these programs to the 
full board.
    Balance sheet audit performed by an independent public accountant. 
An examination of an institution's balance sheet and any accompanying 
footnotes performed and reported on by an independent public accountant 
in accordance with GAAS and of sufficient scope to enable the 
independent public accountant to express an opinion on the fairness of 
the balance sheet presentation in accordance with GAAP.
    Engagement letter. A letter from an independent public accountant 
to the board of directors or audit committee of an institution that 
usually addresses the purpose and scope of the external auditing work 
to be performed, period of time to be covered by the auditing work, 
reports expected to be rendered, and any limitations placed on the 
scope of the auditing work.
    Examination of the internal control structure over financial 
reporting. See Reporting by an Independent Public Accountant on an 
Institution's Internal

[[Page 52327]]

Control Structure Over Financial Reporting.
    External auditing program. The performance of procedures to test 
and evaluate high risk areas of a institution's business by an 
independent auditor, who may or may not be a public accountant, 
sufficient for the auditor to be able to express an opinion on the 
financial statements or to report on the results of the procedures 
performed.
    Financial statement audit by an independent public accountant. See 
Audit.
    Financial statements. The statements of financial position (balance 
sheet), income, cash flows, and changes in equity together with related 
notes.
    Independent public accountant. An accountant who is independent of 
the institution and registered or licensed to practice, and holds 
himself or herself out, as a public accountant, and who is in good 
standing under the laws of the state or other political subdivision of 
the United States in which the home office of the institution is 
located. The independent public accountant should comply with the 
American Institute of Certified Public Accountants' (AICPA) Code of 
Professional Conduct and any related guidance adopted by the 
Independence Standards Board and the agencies. No certified public 
accountant or public accountant will be recognized as independent who 
is not independent both in fact and in appearance.
    Internal auditing. An independent assessment function established 
within an institution to examine and evaluate its system of internal 
control and the efficiency with which the various units of the 
institution are carrying out their assigned tasks. The objective of 
internal auditing is to assist the management and directors of the 
institution in the effective discharge of their responsibilities. To 
this end, internal auditing furnishes management with analyses, 
evaluations, recommendations, counsel, and information concerning the 
activities reviewed.
    Outside directors. Members of an institution's board of directors 
who are not officers, employees, or principal stockholders of the 
institution, its subsidiaries, or its affiliates, and who do not have 
any material business dealings with the institution, its subsidiaries, 
or its affiliates.
    Regulatory reports. These reports are the Reports of Condition and 
Income (Call Reports) for banks, Thrift Financial Reports (TFRs) for 
savings associations, Federal Reserve (FR) Y reports for bank holding 
companies, and the H-(b)11 Annual Report for thrift holding companies.
    Reporting by an independent public accountant on an institution's 
internal control structure over financial reporting. Under this 
engagement, management evaluates and documents its review of the 
effectiveness of the institution's internal control over financial 
reporting in the identified risk areas as of a specific report date. 
Management prepares a written assertion, which specifies the criteria 
on which management based its evaluation about the effectiveness of the 
institution's internal control over financial reporting in the 
identified risk areas and states management's opinion on the 
effectiveness of internal control over this specified financial 
reporting. The independent public accountant is engaged to perform 
tests on the internal control over the specified financial reporting in 
order to attest to management's assertion. If the accountant concurs 
with management's assertion, even if the assertion discloses one or 
more instances of material internal control weakness, the accountant 
would provide a report attesting to management's assertion.
    Risk areas. Those particular activities of an institution that 
expose it to greater potential losses if problems exist and go 
undetected. The areas with the highest financial reporting risk in most 
institutions generally are their lending and investment securities 
activities.
    Specified procedures. Procedures agreed-upon by the institution and 
the auditor to test its activities in certain areas. The auditor 
reports findings and test results, but does not express an opinion on 
controls or balances. If performed by an independent public accountant, 
these procedures should be performed under generally accepted standards 
for attestation engagements (GASAE).

    Dated: September 22, 1999.
Keith J. Todd,
Executive Secretary, Federal Financial Institutions Examination 
Council.
[FR Doc. 99-25103 Filed 9-27-99; 8:45 am]
BILLING CODE 6210-01-P; 6720-01-P; 6714-01-P; 4810-33-P