- FDIC Revises Annual Audit and Reporting Requirements
- July 7, 2009
- Law Firm: Kilpatrick Stockton LLP - Office
The Federal Deposit Insurance Fund (“FDIC”) has amended Part 363 of its regulations, which sets annual independent audit and reporting requirements for all insured depository institutions with assets in excess of specified thresholds. The amendments are intended to accommodate changes in the banking industry, certain practices incorporated in the Sarbanes-Oxley Act of 2002 and the FDIC’s experience in administering Part 363.
Part 363 and its authorizing statute are intended to facilitate early identification of problems in financial management at insured depository institutions. They do that through imposing several requirements imposed on institutions with assets of $500 million or more. The requirements include an annual independent audit and a management report containing a statement of management responsibilities and an assessment of compliance with laws and regulations regarding insider lending and dividend restrictions, as well as requirements regarding audit committee composition and duties. Institutions with more than $1 billion in assets are also subject to an assessment by management of the effectiveness of internal controls over financial reporting and compliance and an accountant’s attestation report on internal controls over reporting.
The amendments adopted by the FDIC include the following:
- Modification of the circumstances under which institutions may use audited holding company financial statements to satisfy the requirements of Part 363 to instances where the insured institution subsidiary (or multiple insured institutions subsidiaries) comprise at least 75% of the holding company’s consolidated assets.
- Imposition of a requirement that management’s assessment of compliance with laws and regulations governing insider loans and dividend restrictions include a clear statement as to management’s conclusions regarding compliance and disclosure of any noncompliance. Such disclosure will be publicly available as part of the institution’s annual report but need not identify specific directors or officers involved in a noncomplying insider loan.
- Imposition of a requirement that management’s assessment of internal controls over financial reporting identify the internal control framework that management uses to make its evaluations, include a clear statement as to management’s conclusion regarding the effectiveness of internal controls over financial reporting, disclose all material weaknesses identified by management and that management may not conclude that internal controls over financial reporting are effective if there are any material weaknesses.
- Addition of illustrative management reports for compliance and assessment of internal controls over financial reporting.
- Elimination of the requirement for filing a Part 363 annual report for an institution that is merged out of existence after the end of its fiscal year but before the deadline for filing the report.
- Elimination of the reporting requirements regarding internal controls over financial reporting related to businesses acquired by an institution during its fiscal year, provided that management’s report identifies the acquired business, states that the acquired business is excluded and indicates the significance of the acquired business to the institution’s consolidated financial statements.
- Addition of guidance regarding the attributes of a suitable internal control framework as to financial reporting.
- Imposition of specific requirements for the contents of the accountant’s attestation report on internal controls over financial reporting.
- Articulation of specific matters that must be communicated by the institution’s accountants to the audit committee, such as critical accounting policies, alternative accounting treatments discussed with management and written communications provided to management.
- Extension of the deadline from 90 days after its fiscal year end to 120 days after its fiscal year end by which an insured institution that is not a public company (or a subsidiary of a public company) must file its annual report. Public companies continue to have a 90 day period. Any institutions that cannot make a timely complete filing due to circumstances beyond its control must file a late notice instead of the current extension request. The lack of a timely filing would be considered an apparent violation of the regulation and the supervisory response would depend upon the facts and circumstances.
- Addition of a requirement that an institution’s board of directors have written criteria for determining whether audit committee members are “independent of management” for purposes of initial appointment and the required annual review. The basis for the board’s determination with respect to each existing and potential audit committee member must be contained in the board minutes. The regulatory framework for determining whether a board member is independent of management was revised to be more consistent with the rules of the Securities and Exchange Commission and the national securities exchanges.
- Addition of a requirement that the duties of the institution’s audit committee include the appointment, composition and oversight of the independent public accountant that performs services for the institution under Part 363.
- Establishment of a one year transition period for restructuring the audit committee to comply with Part 363 when a new requirement becomes applicable due to the institution’s achieving an asset threshold.
Some of the FDIC’s amendments are intended to make its audit, reporting and audit committee requirements more consistent with the requirements of the Sarbanes-Oxley Act applicable to public companies. Others are designed to address issues or problems that have arisen over time with respect to the administration of Part 363. Institutions that do not meet the asset thresholds set forth in Part 363 are not subject to its requirements. However, Part 363 is still noteworthy for such institutions because it sets forth financial reporting and corporate governance practices that the regulators deem desirable and which will apply to such institutions at some point given normal asset growth over the life of the institution.