[Federal Register Volume 64, Number 204 (Friday, October 22, 1999)]
[Notices]
[Pages 57094-57100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-27588]


=======================================================================
-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION


Rescission of Policy Statement Regarding Independent External 
Auditing Programs of State Nonmember Banks, and Adoption of the 
Interagency Policy Statement on External Auditing Programs of Banks and 
Savings Associations

AGENCY: Federal Deposit Insurance Corporation (FDIC or Corporation).

ACTION: Rescission of a Policy Statement and Adoption of an Interagency 
Policy Statement.

-----------------------------------------------------------------------

SUMMARY: In an effort to provide consistent guidance for banks and 
savings associations regardless of their primary federal supervisor, 
the FDIC is rescinding its Statement of Policy Regarding Independent 
External Auditing Programs of State Nonmember Banks (Current Policy 
Statement) and concurrently adopting the Interagency Policy Statement 
on External Auditing Programs of Banks and Savings Associations 
(Interagency Policy Statement). Both policy statements encourage 
institutions to adopt an annual external auditing program, preferably 
an audit by an independent public accountant, and to establish an audit 
committee composed entirely of outside directors, where practicable. In 
addition, the Interagency Policy Statement includes two alternatives to 
an audit by an independent public accountant for institutions not 
subject to the audit requirement in section 36 of the Federal Deposit 
Insurance Act (FDI Act). The alternatives consist of (1) An attestation 
report on internal control over specified schedules of the 
institution's regulatory reports or (2) A report on the institution's 
balance sheet. Both must be performed by an independent public 
accountant.
    The Interagency Policy Statement also includes guidance regarding 
the responsibilities of boards of directors, audit committees, and 
senior management with respect to external auditing programs; the 
attributes and types of external auditing programs; and the review of 
external auditing programs by examiners.

DATES: The Current Policy Statement is rescinded and the Interagency 
Policy Statement is effective for fiscal years beginning on or after 
January 1, 2000.

FOR FURTHER INFORMATION CONTACT: Doris L. Marsh, Examination 
Specialist, Division of Supervision, (202) 898-8905, or A. Ann Johnson, 
Counsel, Legal Division, (202) 898-3573, FDIC, 550 17th Street, NW, 
Washington, DC 20429.

SUPPLEMENTARY INFORMATION:

I. Background

    The FDIC first adopted guidance on external auditing programs in 
its Policy Statement Regarding Independent External Auditing Programs 
of State Nonmember Banks in 1988 (53 FR 47871, November 28, 1988). In 
1996, the FDIC reviewed the Current Policy Statement pursuant to 
section 303(a) of the Riegle Community Development and Regulatory 
Improvement Act of 1994 and adopted several amendments to eliminate 
inconsistencies and outdated requirements (61 FR 32438, June 24, 1996).
    The Federal Financial Institutions Examination Council (FFIEC), on 
behalf of the Board of Governors of the Federal Reserve System (FRB), 
the Federal Deposit Insurance Corporation (FDIC), the Office of the 
Comptroller of the Currency (OCC), and the Office of Thrift Supervision 
(OTS), collectively referred to as the ``banking agencies'' or the 
``agencies,'' have each provided guidance on external audits to their 
supervised institutions, but a uniform policy did not exist. Under the 
auspices of the FFIEC, the agencies sought public comment on a proposed 
policy statement on External Auditing Programs of Banks and Savings 
Associations in February 1998 (63 FR 7796, February 17, 1998). The 
FFIEC received approximately 120 letters commenting on the proposed 
policy statement, and it revised the policy statement after considering 
the comments. On August 19, 1999, the FFIEC approved the Interagency 
Policy Statement on External Auditing Programs of Banks and Savings 
Associations (Policy Statement) (64 FR 52319, September 28, 1999) and 
recommended that the banking agencies adopt it.1
---------------------------------------------------------------------------

    \1\ The National Credit Union Administration (NCUA), also a 
member of the FFIEC, is not adopting the policy.
---------------------------------------------------------------------------

II. Rescission of the Current Policy Statement and Adoption of the 
Interagency Policy Statement

    In order to minimize burden on institutions and holding companies 
and in the spirit of section 303 of the Riegle Community Development 
and Regulatory Improvement Act of 1994, the banking agencies seek to 
provide consistent and uniform guidance for supervised institutions. 
The banking agencies believe that an independent external audit 
provides reasonable assurance that an institution's financial 
statements are prepared in accordance with generally accepted 
accounting principles (GAAP). Accordingly, the banking agencies 
recommend that every institution have an external auditing program.
    To provide explicit guidance to institutions regarding these 
programs, the FFIEC approved a uniform Interagency Policy Statement on 
August 19, 1999. The FFIEC recommended to the banking agencies that 
they individually adopt the policy. Thus, the FDIC must replace its 
Current Policy Statement with the Interagency Policy Statement in order 
to achieve uniformity in this area.

III. Comparison of the Current and Interagency Policy Statements

    For the most part, both the Current Policy Statement and the 
Interagency Policy Statement provide similar guidance. Both encourage 
each institution to have an annual audit of its financial statements 
performed by an independent public accountant. The Interagency Policy 
Statement also describes two alternatives to an audit that an 
institution may elect to have performed annually in order to have an 
acceptable external auditing program. These alternatives, which must be 
performed by an independent public accountant, are an attestation on 
internal control over financial reporting on certain schedules of the 
Reports of Condition and Income (Call Report) and an audit of the 
institution's balance sheet. The Interagency Policy Statement further 
indicates that for a smaller institution with less complex operations, 
the attestation on internal control may be less costly than an audit of 
its financial statements or its balance sheet and provide more useful 
information to management. Neither policy precludes the use of agreed-
upon procedures/state-required examinations as an external auditing 
program.
    Both policy statements include sections discussing their 
applicability to institutions that are part of a holding company, newly 
chartered institutions, and institutions presenting supervisory 
concern. In addition, both policies recommend that each institution 
have an audit committee consisting entirely of outside directors, 
unless impracticable.
    Banks and savings associations (institutions) with $500 million or 
more in total assets must have an annual audit performed by an 
independent public accountant under section 36 of

[[Page 57095]]

the Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR 
part 363. Thus, both policy statements are directed toward institutions 
below that threshold that are not otherwise subject to audit 
requirements.
    The two policies differ in the extent of guidance provided rather 
than the content of the guidance. Accordingly, the Interagency Policy 
Statement includes some guidance regarding independent external 
auditing programs that is lacking in the Current Policy Statement. For 
example, it discusses the responsibilities of boards of directors, 
audit committees, and senior management in more detail than the Current 
Policy Statement. It also describes the attributes and types of 
external auditing programs available and includes a short description 
of each. Guidance on what examiners will be evaluating in their review 
of external auditing programs is also included in the Interagency 
Policy Statement. This policy statement also recommends that examiners 
have access to the auditor's workpapers concerning the auditing 
engagement.
    The following table shows the number and section title of each of 
the paragraphs in the Current Policy Statement and the section title of 
the corresponding provision in the Interagency Policy Statement:

                       Paragraph Conversion Table
------------------------------------------------------------------------
                              Current policy        Interagency policy
     Current policy         statement: section      statement: section
     paragaraph No.                title                   title
------------------------------------------------------------------------
1-3.....................  Introduction..........  Introduction.
4.......................  State Nonmember Banks   Introduction.
                           Not Subject to Part
                           363.
5.......................  ......................  Overview of the
                                                   External Auditing
                                                   Program Audit
                                                   Committee.
6.......................  ......................  Examiner Guidance
                                                   Review of the
                                                   External Auditing
                                                   Program.
7.......................  Audit by an             External Auditing
                           Independent Public      Programs Types of
                           Accountant.             External Auditing
                                                   Programs.
8.......................  ......................  External Auditing
                                                   Programs Other
                                                   Considerations--Timin
                                                   g.
9-10....................  Alternatives to a       External Auditing
                           Financial Statement     Programs External
                           Audit.                  Auditing Programs.
11......................  Newly Insured Banks...  Special Situations
                                                   Newly Insured
                                                   Institutions.
12-13...................  Notification and        Examiner Guidance
                           Submission of Reports.  Access to Reports.
14......................  Holding Company         Special Situations
                           Subsidiaries.           Holding Company
                                                   Subsidiaries.
15......................  Troubled Banks........  Special Situations
                                                   Institutions
                                                   Presenting
                                                   Supervisory Concerns.
Appendix A..............  Definitions...........  Appendix A--
                                                   Definitions.
------------------------------------------------------------------------

    The Interagency Policy Statement instructs institutions to provide 
copies of reports pertaining to the external auditing program, 
including any management letters, to the agencies and any state 
authority in accordance with their appropriate supervisory office's 
guidance. The FDIC requests that each state nonmember bank furnish a 
copy of any reports by the independent public accountant pertaining to 
the bank's external auditing program (regardless of the scope) to the 
appropriate FDIC regional office as soon as possible after the report 
is received by the bank. In addition, the FDIC requests each bank to 
promptly notify the appropriate FDIC regional office when any 
independent public accountant is initially engaged to perform external 
auditing work and when a change in, or termination of, its independent 
public accountant occurs.

IV. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (PRA), the 
FDIC may not conduct or sponsor, and the respondent is not required to 
respond to, an information collection that does not display a currently 
valid Office of Management and Budget (OMB) control number. The FDIC 
submitted to OMB a request for approval of the information collection 
requested by this policy statement (64 FR 55926, October 15, 1999).

V. Rescission and Adoption of Policy Statements

    For the reasons set forth in the preamble, the Board of Directors 
of the FDIC hereby rescinds the FDIC's Policy Statement Regarding 
Independent External Auditing Programs of State Nonmember Banks and 
adopts the Interagency Policy Statement on External Auditing Programs 
of Banks and Savings Associations.
    The text of the Interagency Policy Statement follows:

Interagency Policy Statement On External Auditing Programs of Banks 
and Savings Associations

Introduction

    The board of directors and senior managers of a banking institution 
or savings association (institution) are responsible for ensuring that 
the institution operates in a safe and sound manner. To achieve this 
goal and meet the safety and soundness guidelines implementing section 
39 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p-
1),1 the institution should maintain effective systems and 
internal control 2 to produce reliable and accurate 
financial reports.
---------------------------------------------------------------------------

    \1\ See 12 CFR part 30 for national banks; 12 CFR part 364 for 
state nonmember banks; 12 CFR part 208 for state member banks; and 
12 CFR part 510 for savings associations.
    \2\ This Policy Statement provides guidance consistent with the 
guidance established in the ``Interagency Policy Statement on the 
Internal Audit Function and its Outsourcing.''
---------------------------------------------------------------------------

    Accurate financial reporting is essential to an institution's 
safety and soundness for numerous reasons. First, accurate financial 
information enables management to effectively manage the institution's 
risks and make sound business decisions. In addition, institutions are 
required by law 3 to provide accurate and timely financial 
reports (e.g., Reports of Condition and Income [Call Reports] and 
Thrift Financial Reports) to their appropriate regulatory agency. These 
reports serve an important role in the agencies' 4 risk-
focused supervision programs by contributing to their pre-examination 
planning, off-site monitoring programs, and assessments of an 
institution's capital adequacy and financial strength. Further, 
reliable financial reports are necessary for the institution to raise 
capital. They provide data to stockholders, depositors and other

[[Page 57096]]

funds providers, borrowers, and potential investors on the company's 
financial position and results of operations. Such information is 
critical to effective market discipline of the institution.
---------------------------------------------------------------------------

    \3\ See 12 U.S.C. 161 for national banks; 12 U.S.C. 1817a for 
state nonmember banks; 12 U.S.C. 324 for state member banks; and 12 
U.S.C. 1464(v) for savings associations.
    \4\ Terms defined in appendix A are italicized the first time 
they appear in this policy statement.
---------------------------------------------------------------------------

    To help ensure accurate and reliable financial reporting, the 
agencies recommend that the board of directors of each institution 
establish and maintain an external auditing program. An external 
auditing program should be an important component of an institution's 
overall risk management process. For example, an external auditing 
program complements the internal auditing function of an institution by 
providing management and the board of directors with an independent and 
objective view of the reliability of the institution's financial 
statements and the adequacy of its financial reporting internal 
controls. Additionally, an effective external auditing program 
contributes to the efficiency of the agencies' risk-focused examination 
process. By considering the significant risk areas of an institution, 
an effective external auditing program may reduce the examination time 
the agencies spend in such areas. Moreover, it can improve the safety 
and soundness of an institution substantially and lessen the risk the 
institution poses to the insurance funds administered by the FDIC.
    This policy statement outlines the characteristics of an effective 
external auditing program and provides examples of how an institution 
can use an external auditor to help ensure the reliability of its 
financial reports. It also provides guidance on how an examiner may 
assess an institution's external auditing program. In addition, this 
policy statement provides specific guidance on external auditing 
programs for institutions that are holding company subsidiaries, newly 
insured institutions, and institutions presenting supervisory concerns.
    The adoption of a financial statement audit or other specified type 
of external auditing program is generally only required in specific 
circumstances. For example, insured depository institutions covered by 
section 36 of the FDI Act (12 U.S.C. 1831m), as implemented by part 363 
of the FDIC's regulations (12 CFR part 363), are required to have an 
external audit and an audit committee. Therefore, this policy statement 
is directed toward banks and savings associations which are exempt from 
part 363 (i.e., institutions with less than $500 million in total 
assets at the beginning of their fiscal year) or are not otherwise 
subject to audit requirements by order, agreement, statute, or agency 
regulations.

Overview of External Auditing Programs

Responsibilities of the Board of Directors

    The board of directors of an institution is responsible for 
determining how to best obtain reasonable assurance that the 
institution's financial statements and regulatory reports are reliably 
prepared. In this regard, the board is also responsible for ensuring 
that its external auditing program is appropriate for the institution 
and adequately addresses the financial reporting aspects of the 
significant risk areas and any other areas of concern of the 
institution's business.
    To help ensure the adequacy of its internal and external auditing 
programs, the agencies encourage the board of directors of each 
institution that is not otherwise required to do so to establish an 
audit committee consisting entirely of outside directors.5 
However, if this is impracticable, the board should organize the audit 
committee so that outside directors constitute a majority of the 
membership.
---------------------------------------------------------------------------

    \5\ Institutions with $500 million or more in total assets must 
establish an independent audit committee made up of outside 
directors who are independent of management. See 12 U.S.C. 
1831m(g)(1) and 12 CFR 363.5.
---------------------------------------------------------------------------

Audit Committee

    The audit committee or board of directors is responsible for 
identifying at least annually the risk areas of the institution's 
activities and assessing the extent of external auditing involvement 
needed over each area. The audit committee or board is then responsible 
for determining what type of external auditing program will best meet 
the institution's needs (refer to the descriptions under ``Types of 
External Auditing Programs'').
    When evaluating the institution's external auditing needs, the 
board or audit committee should consider the size of the institution 
and the nature, scope, and complexity of its operations. It should also 
consider the potential benefits of an audit of the institution's 
financial statements or an examination of the institution's internal 
control structure over financial reporting, or both. In addition, the 
board or audit committee may determine that additional or specific 
external auditing procedures are warranted for a particular year or 
several years to cover areas of particularly high risk or special 
concern. The reasons supporting these decisions should be recorded in 
the committee's or board's minutes.
    If, in its annual consideration of the institution's external 
auditing program, the board or audit committee determines, after 
considering its inherent limitations, that an agreed-upon procedures/
state-required examination is sufficient, they should also consider 
whether an independent public accountant should perform the work. When 
an independent public accountant performs auditing and attestation 
services, the accountant must conduct his or her work under, and may be 
held accountable for departures from, professional standards. 
Furthermore, when the external auditing program includes an audit of 
the financial statements, the board or audit committee obtains an 
opinion from the independent public accountant stating whether the 
financial statements are presented fairly, in all material respects, in 
accordance with generally accepted accounting principles (GAAP). When 
the external auditing program includes an examination of the internal 
control structure over financial reporting, the board or audit 
committee obtains an opinion from the independent public accountant 
stating whether the financial reporting process is subject to any 
material weaknesses.
    Both the staff performing an internal audit function and the 
independent public accountant or other external auditor should have 
unrestricted access to the board or audit committee without the need 
for any prior management knowledge or approval. Other duties of an 
audit committee may include reviewing the independence of the external 
auditor annually, consulting with management, seeking an opinion on an 
accounting issue, and overseeing the quarterly regulatory reporting 
process. The audit committee should report its findings periodically to 
the full board of directors.

External Auditing Programs

Basic Attributes

    External auditing programs should provide the board of directors 
with information about the institution's financial reporting risk 
areas, e.g., the institution's internal control over financial 
reporting, the accuracy of its recording of transactions, and the 
completeness of its financial reports prepared in accordance with GAAP.
    The board or audit committee of each institution at least annually 
should review the risks inherent in its particular activities to 
determine the scope of its external auditing program. For most 
institutions, the lending and

[[Page 57097]]

investment securities activities present the most significant risks 
that affect financial reporting. Thus, external auditing programs 
should include specific procedures designed to test at least annually 
the risks associated with the loan and investment portfolios. This 
includes testing of internal control over financial reporting, such as 
management's process to determine the adequacy of the allowance for 
loan and lease losses and whether this process is based on a 
comprehensive, adequately documented, and consistently applied analysis 
of the institution's loan and lease portfolio.
    An institution or its subsidiaries may have other significant 
financial reporting risk areas such as material real estate 
investments, insurance underwriting or sales activities, securities 
broker-dealer or similar activities (including securities underwriting 
and investment advisory services), loan servicing activities, or 
fiduciary activities. The external auditing program should address 
these and other activities the board or audit committee determines 
present significant financial reporting risks to the institution.

Types of External Auditing Programs

    The agencies consider an annual audit of an institution's financial 
statements performed by an independent public accountant to be the 
preferred type of external auditing program. The agencies also consider 
an annual examination of the effectiveness of the internal control 
structure over financial reporting or an audit of an institution's 
balance sheet, both performed by an independent public accountant, to 
be acceptable alternative external auditing programs. However, the 
agencies recognize that some institutions only have agreed-upon 
procedures/state-required examinations performed annually as their 
external auditing program. Regardless of the option chosen, the board 
or audit committee should agree in advance with the external auditor on 
the objectives and scope of the external auditing program.
    Financial Statement Audit by an Independent Public Accountant. The 
agencies encourage all institutions to have an external audit performed 
in accordance with generally accepted auditing standards (GAAS). The 
audit's scope should be sufficient to enable the auditor to express an 
opinion on the institution's financial statements taken as a whole.
    A financial statement audit provides assurance about the fair 
presentation of an institution's financial statements. In addition, an 
audit may provide recommendations for management in carrying out its 
control responsibilities. For example, an audit may provide management 
with guidance on establishing or improving accounting and operating 
policies and recommendations on internal control (including internal 
auditing programs) necessary to ensure the fair presentation of the 
financial statements.
    Reporting by an Independent Public Accountant on an Institution's 
Internal Control Structure Over Financial Reporting. Another external 
auditing program is an independent public accountant's examination and 
report on management's assertion on the effectiveness of the 
institution's internal control over financial reporting. For a smaller 
institution with less complex operations, this type of engagement is 
likely to be less costly than an audit of its financial statements or 
its balance sheet. It would specifically provide recommendations for 
improving internal control, including suggestions for compensating 
controls, to mitigate the risks due to staffing and resource 
limitations.
    Such an attestation engagement may be performed for all internal 
controls relating to the preparation of annual financial statements or 
specified schedules of the institution's regulatory 
reports.6 This type of engagement is performed under 
generally accepted standards for attestation engagements 
(GASAE).7

    \6\ Since the lending and investment securities activities 
generally present the most significant risks that affect an 
institution's financial reporting, management's assertion and the 
accountant's attestation generally should cover those regulatory 
report schedules. If the institution has trading or off-balance 
sheet activities that present material financial reporting risks, 
the board or audit committee should ensure that the regulatory 
report schedules for those activities also are covered by 
management's assertion and the accountant's attestation. (See Note.) 
However, the schedules listed in the Note are not intended to 
address all possible risks in an institution.
    \7\ An attestation engagement is not an audit. It is performed 
under different professional standards than an audit of an 
institution's financial statements or its balance sheet.
---------------------------------------------------------------------------

    Note: For banks and savings associations, the lending, 
investment securities, trading, and off-balance sheet schedules 
consist of:

----------------------------------------------------------------------------------------------------------------
                                                Reports of condition and income
                Area schedules                              schedules                Thrift financial  report
----------------------------------------------------------------------------------------------------------------
Loans and Lease Financing Receivables.........  RC-C, Part I...................  SC, CF.
Past Due and Nonaccrual Loans, Leases, and      RC-N...........................  PD.
 Other Assets.
Allowance for Credit Losses...................  RI-B...........................  SC, VA.
Securities....................................  RC-B...........................  SC, SI, CF.
Trading Assets and Liabilities................  RC-D...........................  SO, SI.
Off-Balance Sheet Items.......................  RC-L...........................  SI, CMR.
----------------------------------------------------------------------------------------------------------------

    Balance Sheet Audit Performed by an Independent Public Accountant. 
With this program, the institution engages an independent public 
accountant to examine and report only on the balance sheet. As with the 
audit of the financial statements, this audit is performed in 
accordance with GAAS. The cost of a balance sheet audit is likely to be 
less than a financial statement audit. However, under this type of 
program, the accountant does not examine or report on the fairness of 
the presentation of the institution's income statement, statement of 
changes in equity capital, or statement of cash flows.
    Agreed-Upon Procedures/State-Required Examinations. Some state-
chartered depository institutions are required by state statute or 
regulation to have specified procedures performed annually by their 
directors or independent persons.8 The bylaws of many 
national banks also require that some specified procedures be performed 
annually by directors or others, including internal or independent 
persons. Depending upon the scope of the engagement, the cost of 
agreed-upon procedures or a state-required examination may be less than 
the cost of an audit. However, under this type of program, the 
independent auditor does

[[Page 57098]]

not report on the fairness of the institution's financial statements or 
attest to the effectiveness of the internal control structure over 
financial reporting. The findings or results of the procedures are 
usually presented to the board or the audit committee so that they may 
draw their own conclusions about the quality of the financial reporting 
or the sufficiency of internal control.
---------------------------------------------------------------------------

    \8\ When performed by an independent public accountant, 
``specified procedures'' and ``agreed-upon procedures'' engagements 
are performed under standards, which are different professional 
standards than those used for an audit of an institution's financial 
statements or its balance sheet.
---------------------------------------------------------------------------

    When choosing this type of external auditing program, the board or 
audit committee is responsible for determining whether these procedures 
meet the external auditing needs of the institution, considering its 
size and the nature, scope, and complexity of its business activities. 
For example, if an institution's external auditing program consists 
solely of confirmations of deposits and loans, the board or committee 
should consider expanding the scope of the auditing work performed to 
include additional procedures to test the institution's high risk 
areas. Moreover, a financial statement audit, an examination of the 
effectiveness of the internal control structure over financial 
reporting, and a balance sheet audit may be accepted in some states and 
for national banks in lieu of agreed-upon procedures/state-required 
examinations.

Other Considerations

    Timing. The preferable time to schedule the performance of an 
external auditing program is as of an institution's fiscal year-end. 
However, a quarter-end date that coincides with a regulatory report 
date provides similar benefits. Such an approach allows the institution 
to incorporate the results of the external auditing program into its 
regulatory reporting process and, if appropriate, amend the regulatory 
reports.
    External Auditing Staff. The agencies encourage an institution to 
engage an independent public accountant to perform its external 
auditing program. An independent public accountant provides a 
nationally recognized standard of knowledge and objectivity by 
performing engagements under GAAS or GASAE. The firm or independent 
person selected to conduct an external auditing program and the staff 
carrying out the work should have experience with financial institution 
accounting and auditing or similar expertise and should be 
knowledgeable about relevant laws and regulations.

Special Situations

Holding Company Subsidiaries

    When an institution is owned by another entity (such as a holding 
company), it may be appropriate to address the scope of its external 
audit program in terms of the institution's relationship to the 
consolidated group. In such cases, if the group's consolidated 
financial statements for the same year are audited, the agencies 
generally would not expect the subsidiary of a holding company to 
obtain a separate audit of its financial statements. Nevertheless, the 
board of directors or audit committee of the subsidiary may determine 
that its activities involve significant risks to the subsidiary that 
are not within the procedural scope of the audit of the financial 
statements of the consolidated entity. For example, the risks arising 
from the subsidiary's activities may be immaterial to the financial 
statements of the consolidated entity, but material to the subsidiary. 
Under such circumstances, the audit committee or board of the 
subsidiary should consider strengthening the internal audit coverage of 
those activities or implementing an appropriate alternative external 
auditing program.

Newly Insured Institutions

    Under the FDIC Statement of Policy on Applications for Deposit 
Insurance, applicants for deposit insurance coverage are expected to 
commit the depository institution to obtain annual audits by an 
independent public accountant once it begins operations as an insured 
institution and for a limited period thereafter.

Institutions Presenting Supervisory Concerns

    As previously noted, an external auditing program complements the 
agencies' supervisory process and the institution's internal auditing 
program by identifying or further clarifying issues of potential 
concern or exposure. An external auditing program also can greatly 
assist management in taking corrective action, particularly when 
weaknesses are detected in internal control or management information 
systems affecting financial reporting.
    The agencies may require a financial institution presenting safety 
and soundness concerns to engage an independent public accountant or 
other independent external auditor to perform external auditing 
services.9 Supervisory concerns may include:
---------------------------------------------------------------------------

    \9\ The Office of Thrift Supervision requires an external audit 
by an independent public accountant for savings associations with a 
composite rating of 3, 4, or 5 under the Uniform Financial 
Institution Rating System, and on a case-by-case basis.
---------------------------------------------------------------------------

     Inadequate internal control, including the internal 
auditing program;
     A board of directors generally uninformed about internal 
control;
     Evidence of insider abuse;
     Known or suspected defalcations;
     Known or suspected criminal activity;
     Probable director liability for losses;
     The need for direct verification of loans or deposits;
     Questionable transactions with affiliates; or
     The need for improvements in the external auditing 
program.
    The agencies may also require that the institution provide its 
appropriate supervisory office with a copy of any reports, including 
management letters, issued by the independent public accountant or 
other external auditor. They also may require the institution to notify 
the supervisory office prior to any meeting with the independent public 
accountant or other external auditor at which auditing findings are to 
be presented.

Examiner Guidance

Review of the External Auditing Program

    The review of an institution's external auditing program is a 
normal part of the agencies' examination procedures. An examiner's 
evaluation of, and any recommendations for improvements in, an 
institution's external auditing program will consider the institution's 
size; the nature, scope, and complexity of its business activities; its 
risk profile; any actions taken or planned by it to minimize or 
eliminate identified weaknesses; the extent of its internal audit 
program; and any compensating controls in place. Examiners will 
exercise judgment and discretion in evaluating the adequacy of an 
institution's external auditing program.
    Specifically, examiners will consider the policies, processes, and 
personnel surrounding an institution's external auditing program in 
determining whether:
     The board of directors or its audit committee adequately 
reviews and approves external auditing program policies at least 
annually.
     The external auditing program is conducted by an 
independent public accountant or other independent auditor and is 
appropriate for the institution.
     The engagement letter covering external auditing 
activities is adequate.
     The report prepared by the auditor on the results of the 
external auditing program adequately explains the auditor's findings.
     The external auditor maintains appropriate independence 
regarding relationships with the institution under relevant 
professional standards.

[[Page 57099]]

     The board of directors performs due diligence on the 
relevant experience and competence of the independent auditor and staff 
carrying out the work (whether or not an independent public accountant 
is engaged).
     The board or audit committee minutes reflect approval and 
monitoring of the external auditing program and schedule, including 
board or committee reviews of audit reports with management and timely 
action on audit findings and recommendations.

Access to Reports

    Management should provide the independent public accountant or 
other auditor with access to all examination reports and written 
communication between the institution and the agencies or state bank 
supervisor since the last external auditing activity. Management also 
should provide the accountant with access to any supervisory memoranda 
of understanding, written agreements, administrative orders, reports of 
action initiated or taken by a federal or state banking agency under 
section 8 of the FDI Act (or a similar state law), and proposed or 
ordered assessments of civil money penalties against the institution or 
an institution-related party, as well as any associated correspondence. 
The auditor must maintain the confidentiality of examination reports 
and other confidential supervisory information.
    In addition, the independent public accountant or other auditor of 
an institution should agree in the engagement letter to grant examiners 
access to all the accountant's or auditor's workpapers and other 
material pertaining to the institution prepared in the course of 
performing the completed external auditing program.
    Institutions should provide reports 10 issued by the 
independent public accountant or other auditor pertaining to the 
external auditing program, including any management letters, to the 
agencies and any state authority in accordance with their appropriate 
supervisory office's guidance.11 Significant developments 
regarding the external auditing program should be communicated promptly 
to the appropriate supervisory office. Examples of those developments 
include the hiring of an independent public accountant or other third 
party to perform external auditing work and a change in, or termination 
of, an independent public accountant or other external auditor.
---------------------------------------------------------------------------

    \10\ The institution's engagement letter is not a ``report'' and 
is not expected to be submitted to the appropriate supervisory 
office unless specifically requested by that office.
    \11\ When an institution's financial information is included in 
the audited consolidated financial statements of its parent company, 
the institution should provide a copy of the audited financial 
statements of the consolidated company and any other reports by the 
independent public accountant in accordance with their appropriate 
supervisory office's guidance. If several institutions are owned by 
one parent company, a single copy of the reports may be supplied in 
accordance with the guidance of the appropriate supervisory office 
of each agency supervising one or more of the affiliated 
institutions and the holding company. A transmittal letter should 
identify the institutions covered. Any notifications of changes in, 
or terminations of, a consolidated company's independent public 
accountant may be similarly supplied to the appropriate supervisory 
office of each supervising agency.
---------------------------------------------------------------------------

Appendix A--Definitions

    Agencies. The agencies are the Board of Governors of the Federal 
Reserve System (FRB), the Federal Deposit Insurance Corporation 
(FDIC), the Office of the Comptroller of the Currency (OCC), and the 
Office of Thrift Supervision (OTS).
    Appropriate supervisory office. The regional or district office 
of the institution's primary federal banking agency responsible for 
supervising the institution or, in the case of an institution that 
is part of a group of related insured institutions, the regional or 
district office of the institution's federal banking agency 
responsible for monitoring the group. If the institution is a 
subsidiary of a holding company, the term ``appropriate supervisory 
office'' also includes the federal banking agency responsible for 
supervising the holding company. In addition, if the institution is 
state-chartered, the term ``appropriate supervisory office'' 
includes the appropriate state bank or savings association 
regulatory authority.
    Audit. An examination of the financial statements, accounting 
records, and other supporting evidence of an institution performed 
by an independent certified or licensed public accountant in 
accordance with generally accepted auditing standards (GAAS) and of 
sufficient scope to enable the independent public accountant to 
express an opinion on the institution's financial statements as to 
their presentation in accordance with generally accepted accounting 
principles (GAAP).
    Audit committee. A committee of the board of directors whose 
members should, to the extent possible, be knowledgeable about 
accounting and auditing. The committee should be responsible for 
reviewing and approving the institution's internal and external 
auditing programs or recommending adoption of these programs to the 
full board.
    Balance sheet audit performed by an independent public 
accountant. An examination of an institution's balance sheet and any 
accompanying footnotes performed and reported on by an independent 
public accountant in accordance with GAAS and of sufficient scope to 
enable the independent public accountant to express an opinion on 
the fairness of the balance sheet presentation in accordance with 
GAAP.
    Engagement letter. A letter from an independent public 
accountant to the board of directors or audit committee of an 
institution that usually addresses the purpose and scope of the 
external auditing work to be performed, period of time to be covered 
by the auditing work, reports expected to be rendered, and any 
limitations placed on the scope of the auditing work.
    Examination of the internal control structure over financial 
reporting. See Reporting by an Independent Public Accountant on an 
Institution's Internal Control Structure Over Financial Reporting.
    External auditing program. The performance of procedures to test 
and evaluate high risk areas of an institution's business by an 
independent auditor, who may or may not be a public accountant, 
sufficient for the auditor to be able to express an opinion on the 
financial statements or to report on the results of the procedures 
performed.
    Financial statement audit by an independent public accountant. 
See Audit.
    Financial statements. The statements of financial position 
(balance sheet), income, cash flows, and changes in equity together 
with related notes.
    Independent public accountant. An accountant who is independent 
of the institution and registered or licensed to practice, and holds 
himself or herself out, as a public accountant, and who is in good 
standing under the laws of the state or other political subdivision 
of the United States in which the home office of the institution is 
located. The independent public accountant should comply with the 
American Institute of Certified Public Accountants' (AICPA) Code of 
Professional Conduct and any related guidance adopted by the 
Independence Standards Board and the agencies. No certified public 
accountant or public accountant will be recognized as independent 
who is not independent both in fact and in appearance.
    Internal auditing. An independent assessment function 
established within an institution to examine and evaluate its system 
of internal control and the efficiency with which the various units 
of the institution are carrying out their assigned tasks. The 
objective of internal auditing is to assist the management and 
directors of the institution in the effective discharge of their 
responsibilities. To this end, internal auditing furnishes 
management with analyses, evaluations, recommendations, counsel, and 
information concerning the activities reviewed.
    Outside directors. Members of an institution's board of 
directors who are not officers, employees, or principal stockholders 
of the institution, its subsidiaries, or its affiliates, and who do 
not have any material business dealings with the institution, its 
subsidiaries, or its affiliates.
    Regulatory reports. These reports are the Reports of Condition 
and Income (Call Reports) for banks, Thrift Financial Reports (TFRs) 
for savings associations, Federal Reserve (FR) Y reports for bank 
holding companies, and the H-(b)11 Annual Report for thrift holding 
companies.
    Reporting by an independent public accountant on an 
institution's internal control structure over financial reporting.

[[Page 57100]]

Under this engagement, management evaluates and documents its review 
of the effectiveness of the institution's internal control over 
financial reporting in the identified risk areas as of a specific 
report date. Management prepares a written assertion, which 
specifies the criteria on which management based its evaluation 
about the effectiveness of the institution's internal control over 
financial reporting in the identified risk areas and states 
management's opinion on the effectiveness of internal control over 
this specified financial reporting. The independent public 
accountant is engaged to perform tests on the internal control over 
the specified financial reporting in order to attest to management's 
assertion. If the accountant concurs with management's assertion, 
even if the assertion discloses one or more instances of material 
internal control weakness, the accountant would provide a report 
attesting to management's assertion.
    Risk areas. Those particular activities of an institution that 
expose it to greater potential losses if problems exist and go 
undetected. The areas with the highest financial reporting risk in 
most institutions generally are their lending and investment 
securities activities.
    Specified procedures. Procedures agreed-upon by the institution 
and the auditor to test its activities in certain areas. The auditor 
reports findings and test results, but does not express an opinion 
on controls or balances. If performed by an independent public 
accountant, these procedures should be performed under generally 
accepted standards for attestation engagements (GASAE).

    By order of the Board of Directors.

    Dated at Washington, DC this 15th day of October, 1999.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 99-27588 Filed 10-21-99; 8:45 am]
BILLING CODE 6714-01-P