Introduction
The board of directors and senior managers of a
banking institution or savings association (institution) are responsible
for ensuring that the institution operates in a safe and sound manner.
To achieve this goal and meet the safety-and-soundness guidelines
implementing section 39 of the Federal Deposit Insurance Act
(FDI Act) (12 USC 1831p-1),[1] the institution should maintain effective systems
and internal control[2] to produce reliable
and accurate financial reports.
Accurate financial reporting is essential to an institution’s
safety and soundness for numerous reasons. First, accurate financial
information enables management to effectively manage the institution’s
risks and make sound business decisions. In addition, institutions
are required by law[3] to provide accurate and timely financial reports
(e.g., Reports of Condition and Income and Thrift Financial Reports)
to their appropriate regulatory agency. These reports serve an important
role in the agencies’[4] risk-focused supervision
programs by contributing to their pre-examination planning, off-site
monitoring programs, and assessments of an institution’s capital adequacy
and financial strength. Further, reliable financial reports are necessary
for the institution to raise capital. They provide data to stockholders,
depositors and other funds providers, borrowers, and potential investors
on the company’s financial position and results of operations. Such
information is critical to effective market discipline of the institution.
To help ensure accurate and reliable financial reporting,
the agencies recommend that the board of directors of each institution
establish and maintain an external auditing program. An external auditing
program should be an important component of an institution’s overall
risk-management process. For example, an external auditing program
complements the internal auditing function of an institution by providing
management and the board of directors with an independent and objective
view of the reliability of the institution’s financial statements
and the adequacy of its financial-reporting internal controls. Additionally,
an effective external auditing program contributes to the efficiency
of the agencies’ risk-focused examination process. By considering
the significant risk areas of an institution, an effective external
auditing program may reduce the examination time the agencies spend
in such areas. Moreover, it can improve the safety and soundness of
an institution substantially and lessen the risk the institution poses
to the insurance funds administered by the Federal Deposit Insurance
Corporation (FDIC).
This policy statement outlines the characteristics of
an effective external auditing program and provides examples of how
an institution can use an external auditor to help ensure the reliability
of its financial reports. It also provides guidance on how an examiner
may assess an institution’s external auditing program. In addition,
this policy statement provides specific guidance on external auditing
programs for institutions that are holding company subsidiaries, newly
insured institutions, and institutions presenting supervisory concerns.
The adoption of a financial-statement audit or other specified type
of external auditing program is generally only required in specific
circumstances. For example, insured depository institutions covered
by section 36 of the FDI Act (12 USC 1831m), as implemented by part
363 of the FDIC’s regulations (12 CFR 363), are required to have an
external audit and an audit committee. Therefore, this policy statement
is directed toward banks and savings associations which are exempt
from part 363 (i.e., institutions with less than $500 million in total
assets at the beginning of their fiscal year) or are not otherwise
subject to audit requirements by order, agreement, statute, or agency
regulations.
Overview of External Auditing Programs
Responsibilities of the Board of Directors
The board of directors of an institution is responsible for determining how
to best obtain reasonable assurance that the institution’s financial
statements and regulatory reports are reliably prepared. In this regard,
the board is also responsible for ensuring that its external auditing
program is appropriate for the institution and adequately addresses
the financial-reporting aspects of the significant risk areas and
any other areas of concern of the institution’s business.
To help ensure the adequacy of its
internal and external auditing programs, the agencies encourage the
board of directors of each institution that is not otherwise required
to do so to establish an audit committee consisting entirely of outside
directors.[5] However, if this is impracticable, the board should organize
the audit committee so that outside directors constitute a majority
of the membership.
Audit Committee
The audit committee or board of directors
is responsible for identifying at least annually the risk areas of
the institution’s activities and assessing the extent of external
auditing involvement needed over each area. The audit committee or
board is then responsible for determining what type of external auditing
program will best meet the institution’s needs (refer to the descriptions
under “Types of External Auditing Programs”).
When evaluating the institution’s external
auditing needs, the board or audit committee should consider the size
of the institution and the nature, scope, and complexity of its operations.
It should also consider the potential benefits of an audit of the
institution’s financial statements or an examination of the institution’s
internal control structure over financial reporting, or both. In addition,
the board or audit committee may determine that additional or specific
external auditing procedures are warranted for a particular year or
several years to cover areas of particularly high risk or special
concern. The reasons supporting these decisions should be recorded
in the committee’s or board’s minutes.
If, in its annual consideration of the institution’s external
auditing program, the board or audit committee determines, after considering
its inherent limitations, that an agreed-upon procedures/state-required
examination is sufficient, they should also consider whether an independent
public accountant should perform the work. When an independent public
accountant performs auditing and attestation services, the accountant
must conduct his or her work under, and may be held accountable for
departures from, professional standards. Furthermore, when the external
auditing program includes an audit of the financial statements, the
board or audit committee obtains an opinion from the independent public
accountant stating whether the financial statements are presented
fairly, in all material respects, in accordance with generally accepted
accounting principles (GAAP). When the external auditing program includes
an examination of the internal-control structure over financial reporting,
the board or audit committee obtains an opinion from the independent
public accountant stating whether the financial-reporting process
is subject to any material weaknesses.
Both the staff performing an internal audit function and
the independent public accountant or other external auditor should
have unrestricted access to the board or audit committee without the
need for any prior management knowledge or approval. Other duties
of an audit committee may include reviewing the independence of the
external auditor annually, consulting with management, seeking an
opinion on an accounting issue, and overseeing the quarterly regulatory
reporting process. The audit committee should report its findings
periodically to the full board of directors.
External Auditing Programs
Basic Attributes
External auditing programs should provide the board of directors
with information about the institution’s financial-reporting risk
areas, e.g., the institution’s internal control over financial reporting,
the accuracy of its recording of transactions, and the completeness
of its financial reports prepared in accordance with GAAP. The board
or audit committee of each institution at least annually should review
the risks inherent in its particular activities to determine the scope
of its external auditing program. For most institutions, the lending
and investment-securities activities present the most significant
risks that affect financial reporting. Thus, external auditing programs
should include specific procedures designed to test at least annually
the risks associated with the loan and investment portfolios. This
includes testing of internal control over financial reporting, such
as management’s process to determine the adequacy of the allowance
for loan and lease losses and whether this process is based on a comprehensive,
adequately documented, and consistently applied analysis of the institution’s
loan and lease portfolio.
An institution or its subsidiaries may have other significant
financial-reporting risk areas such as material real estate investments,
insurance underwriting or sales activities, securities broker-dealer
or similar activities (including securities underwriting and investment
advisory services), loan-servicing activities, or fiduciary activities.
The external auditing program should address these and other activities
the board or audit committee determines present significant financial-reporting
risks to the institution.
Types of External Auditing Programs
The agencies consider an annual audit of an institution’s financial
statements performed by an independent public accountant to be the
preferred type of external auditing program. The agencies also consider
an annual examination of the effectiveness of the internal-control
structure over financial reporting or an audit of an institution’s
balance sheet, both performed by an independent public accountant,
to be acceptable alternative external auditing programs. However,
the agencies recognize that some institutions only have agreed-upon
procedures/state-required examinations performed annually as their
external auditing program. Regardless of the option chosen, the board
or audit committee should agree in advance with the external auditor
on the objectives and scope of the external auditing program.
Financial-statement audit by
an independent public accountant. The agencies encourage all
institutions to have an external audit performed in accordance with
generally accepted auditing standards (GAAS). The audit’s scope should
be sufficient to enable the auditor to express an opinion on the institution’s
financial statements taken as a whole. A financial-statement audit
provides assurance about the fair presentation of an institution’s
financial statements. In addition, an audit may provide recommendations
for management in carrying out its control responsibilities. For example,
an audit may provide management with guidance on establishing or improving
accounting and operating policies and recommendations on internal
control (including internal auditing programs) necessary to ensure
the fair presentation of the financial statements.
Reporting by an independent public accountant
on an institution’s internal-control structure over financial reporting. Another external auditing program is an independent public accountant’s
examination and report on management’s assertion on the effectiveness
of the institution’s internal control over financial reporting. For
a smaller institution with less complex operations, this type of engagement
is likely to be less costly than an audit of its financial statements
or its balance sheet. It would specifically provide recommendations
for improving internal control, including suggestions for compensating
controls, to mitigate the risks due to staffing and resource limitations.
Such an attestation engagement may be performed for all
internal controls relating to the preparation of annual financial
statements or specified schedules of the institution’s regulatory
reports.[6] This type of engagement is performed under generally accepted
standards for attestation engagements (GASAE).[7]
Balance-sheet audit performed by an independent
public accountant. With this program, the institution engages
an independent public accountant to examine and report only on the
balance sheet. As with the audit of the financial statements, this
audit is performed in accordance with GAAS. The cost of a balance-sheet
audit is likely to be less than a financial-statement audit. However,
under this type of program, the accountant does not examine or report
on the fairness of the presentation of the institution’s income statement,
statement of changes in equity capital, or statement of cash flows.
Agreed-upon procedures/state-required
examinations. Some state-chartered depository institutions are
required by state statute or regulation to have specified procedures
performed annually by their directors or independent persons.[8]
The bylaws of many national banks also require that some specified
procedures be performed annually by directors or others, including
internal or independent persons. Depending upon the scope of the engagement,
the cost of agreed-upon procedures or a state-required examination
may be less than the cost of an audit. However, under this type of
program, the independent auditor does not report on the fairness of
the institution’s financial statements or attest to the effectiveness
of the internal-control structure over financial reporting. The findings
or results of the procedures are usually presented to the board or
the audit committee so that they may draw their own conclusions about
the quality of the financial reporting or the sufficiency of internal
control.
When choosing this type of external auditing program,
the board or audit committee is responsible for determining whether
these procedures meet the external auditing needs of the institution,
considering its size and the nature, scope, and complexity of its
business activities. For example, if an institution’s external auditing
program consists solely of confirmations of deposits and loans, the
board or committee should consider expanding the scope of the auditing
work performed to include additional procedures to test the institution’s
high-risk areas. Moreover, a financial-statement audit, an examination
of the effectiveness of the internal-control structure over financial
reporting, and a balance-sheet audit may be accepted in some states
and for national banks in lieu of agreed-upon procedures/state-required
examinations.
Other Considerations
Timing. The preferable time to schedule the performance of an external auditing
program is as of an institution’s fiscal year-end. However, a quarter-end
date that coincides with a regulatory report date provides similar
benefits. Such an approach allows the institution to incorporate the
results of the external auditing program into its regulatory reporting
process and, if appropriate, amend the regulatory reports.
External auditing staff. The agencies encourage an institution to engage an independent public
accountant to perform its external auditing program. An independent
public accountant provides a nationally recognized standard of knowledge
and objectivity by performing engagements under GAAS or GASAE. The
firm or independent person selected to conduct an external auditing
program and the staff carrying out the work should have experience
with financial-institution accounting and auditing or similar expertise
and should be knowledgeable about relevant laws and regulations.
Special Situations
Holding Company Subsidiaries
When an institution is owned by another entity (such
as a holding company), it may be appropriate to address the scope
of its external audit program in terms of the institution’s relationship
to the consolidated group. In such cases, if the group’s consolidated
financial statements for the same year are audited, the agencies generally
would not expect the subsidiary of a holding company to obtain a separate
audit of its financial statements. Nevertheless, the board of directors
or audit committee of the subsidiary may determine that its activities
involve significant risks to the subsidiary that are not within the
procedural scope of the audit of the financial statements of the consolidated
entity. For example, the risks arising from the subsidiary’s activities
may be immaterial to the financial statements of the consolidated
entity, but material to the subsidiary. Under such circumstances,
the audit committee or board of the subsidiary should consider strengthening
the internal-audit coverage of those activities or implementing an
appropriate alternative external auditing program.
Newly Insured Institutions
Under the FDIC statement of policy on applications
for deposit insurance, applicants for deposit insurance coverage are
expected to commit the depository institution to obtain annual audits
by an independent public accountant once it begins operations as an
insured institution and for a limited period thereafter.
Institutions Presenting Supervisory Concerns
As previously noted, an external auditing
program complements the agencies’ supervisory process and the institution’s
internal auditing program by identifying or further clarifying issues
of potential concern or exposure. An external auditing program also
can greatly assist management in taking corrective action, particularly
when weaknesses are detected in internal-control or management information
systems affecting financial reporting.
The agencies may require a financial institution presenting
safety and soundness concerns to engage an independent public accountant
or other independent external auditor to perform external auditing
services.[9] Supervisory concerns may include—
- inadequate internal control, including the internal
auditing program;
- a board of directors generally uninformed about internal
control;
- evidence of insider abuse;
- known or suspected defalcations;
- known or suspected criminal activity;
- probable director liability for losses;
- the need for direct verification of loans or deposits;
- questionable transactions with affiliates; or
- the need for improvements in the external auditing
program.
The agencies may also require that the institution provide
its appropriate supervisory office with a copy of any reports, including
management letters, issued by the independent public accountant or
other external auditor. They also may require the institution to notify
the supervisory office prior to any meeting with the independent public
accountant or other external auditor at which auditing findings are
to be presented.
Examiner Guidance
Review of the External Auditing Program
The review of an institution’s
external auditing program is a normal part of the agencies’ examination
procedures. An examiner’s evaluation of, and any recommendations for
improvements in, an institution’s external auditing
program will consider the institution’s size; the nature, scope, and
complexity of its business activities; its risk profile; any actions
taken or planned by it to minimize or eliminate identified weaknesses;
the extent of its internal audit program; and any compensating controls
in place. Examiners will exercise judgment and discretion in evaluating
the adequacy of an institution’s external auditing program.
Specifically, examiners will consider
the policies, processes, and personnel surrounding an institution’s
external auditing program in determining whether—
- the board of directors or its audit committee adequately
reviews and approves external auditing program policies at least annually;
- the external auditing program is conducted by an independent
public accountant or other independent auditor and is appropriate
for the institution;
- the engagement letter covering external auditing
activities is adequate;
- the report prepared by the auditor on the results
of the external auditing program adequately explains the auditor’s
findings;
- the external auditor maintains appropriate independence
regarding relationships with the institution under relevant professional
standards;
- the board of directors performs due diligence on
the relevant experience and competence of the independent auditor
and staff carrying out the work (whether or not an independent public
accountant is engaged); and
- the board or audit committee minutes reflect approval
and monitoring of the external auditing program and schedule, including
board or committee reviews of audit reports with management and timely
action on audit findings and recommendations.
Access to Reports
Management should provide the independent public
accountant or other auditor with access to all examination reports
and written communication between the institution and the agencies
or state bank supervisor since the last external auditing activity.
Management also should provide the accountant with access to any supervisory
memoranda of understanding, written agreements, administrative orders,
reports of action initiated or taken by a federal or state banking
agency under section 8 of the FDI Act (or a similar state law), and
proposed or ordered assessments of civil money penalties against the
institution or an institution-related party, as well as any associated
correspondence. The auditor must maintain the confidentiality of examination
reports and other confidential supervisory information.
In addition, the independent public
accountant or other auditor of an institution should agree in the
engagement letter to grant examiners access to all the accountant’s
or auditor’s workpapers and other material pertaining to the institution
prepared in the course of performing the completed external auditing
program.
Institutions should provide reports[10] issued by the independent
public accountant or other auditor pertaining to the external auditing
program, including any management letters, to the agencies and any
state authority in accordance with their appropriate supervisory office’s
guidance.[11] Significant developments
regarding the external auditing program should be communicated promptly
to the appropriate supervisory office. Examples of those developments
include the hiring of an independent public accountant or other third
party to perform external auditing work and a change in, or termination
of, an independent public accountant or other external auditor.
Appendix A—Definitions
Agencies. The agencies
are the Board of Governors of the Federal Reserve System (FRB), the
Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller
of the Currency (OCC), and the Office of Thrift Supervision (OTS).
Appropriate supervisory
office. The regional or district office of the institution’s
primary federal banking agency responsible for supervising the institution
or, in the case of an institution that is part of a group of related
insured institutions, the regional or district office of the institution’s
federal banking agency responsible for monitoring the group. If the
institution is a subsidiary of a holding company, the term “appropriate
supervisory office” also includes the federal banking agency responsible
for supervising the holding company. In addition, if the institution
is state-chartered, the term “appropriate supervisory office” includes
the appropriate state bank or savings association regulatory authority.
Audit. An examination
of the financial statements, accounting records, and other supporting
evidence of an institution performed by an independent certified or
licensed public accountant in accordance with generally accepted auditing
standards (GAAS) and of sufficient scope to enable the independent
public accountant to express an opinion on the institution’s financial
statements as to their presentation in accordance with generally accepted
accounting principles (GAAP).
Audit committee. A committee of the board
of directors whose members should, to the extent possible, be knowledgeable
about accounting and auditing. The committee should be responsible
for reviewing and approving the institution’s internal and external
auditing programs or recommending adoption of these programs to the
full board.
Balance-sheet
audit performed by an independent public accountant. An examination
of an institution’s balance sheet and any accompanying footnotes performed
and reported on by an independent public accountant in accordance
with GAAS and of sufficient scope to enable the independent public
accountant to express an opinion on the fairness of the balance-sheet
presentation in accordance with GAAP.
Engagement letter. A letter from an independent
public accountant to the board of directors or audit committee of
an institution that usually addresses the purpose and scope of the
external auditing work to be performed, period of time to be covered
by the auditing work, reports expected to be rendered, and any limitations
placed on the scope of the auditing work.
Examination of the internal-control structure
over financial reporting. See Reporting by an independent public
accountant on an institution’s internal-control structure over financial
reporting.
External-auditing
program. The performance of procedures to test and evaluate high-risk
areas of an institution’s business by an independent auditor, who may
or may not be a public accountant, sufficient for the auditor to be
able to express an opinion on the financial statements or to report
on the results of the procedures performed.
Financial-statement audit by an independent
public accountant. See Audit.
Financial statements. The statements of
financial position (balance sheet), income, cash flows, and changes
in equity together with related notes.
Independent public accountant. An accountant
who is independent of the institution and registered or licensed to
practice, and holds himself or herself out, as a public accountant,
and who is in good standing under the laws of the state or other political
subdivision of the United States in which the home office of the institution
is located. The independent public accountant should comply with the
American Institute of Certified Public Accountants’ (AICPA) Code of
Professional Conduct and any related guidance adopted by the Independence
Standards Board and the agencies. No certified public accountant
or public accountant will be recognized as independent who is not
independent both in fact and in appearance.
Internal auditing. An independent assessment
function established within an institution to examine and evaluate
its system of internal control and the efficiency with which the various
units of the institution are carrying out their assigned tasks. The
objective of internal auditing is to assist the management and directors
of the institution in the effective discharge of their responsibilities.
To this end, internal auditing furnishes management with analyses,
evaluations, recommendations, counsel, and information concerning
the activities reviewed.
Outside directors. Members of an institution’s board of directors
who are not officers, employees, or principal stockholders of the
institution, its subsidiaries, or its affiliates, and who do not have
any material business dealings with the institution, its subsidiaries,
or its affiliates.
Regulatory
reports. These reports are the Reports of Condition and Income
(call reports) for banks, Thrift Financial Reports (TFRs) for savings
associations, Federal Reserve (FR) Y reports for bank holding companies,
and the H-(b)11 Annual Report for thrift holding companies.
Reporting by an independent
public accountant on an institution’s internal-control structure over
financial reporting. Under this engagement, management evaluates
and documents its review of the effectiveness of the institution’s
internal control over financial reporting in the identified risk areas
as of a specific report date. Management prepares a written assertion,
which specifies the criteria on which management based its evaluation
about the effectiveness of the institution’s internal control over
financial reporting in the identified risk areas and states management’s
opinion on the effectiveness of internal control over this specified
financial reporting. The independent public accountant is engaged
to perform tests on the internal control over the specified financial
reporting in order to attest to management’s assertion. If the accountant
concurs with management’s assertion, even if the assertion discloses
one or more instances of material internal-control weakness, the accountant
would provide a report attesting to management’s assertion.
Risk areas. Those particular
activities of an institution that expose it to greater potential losses
if problems exist and go undetected. The areas with the highest financial-reporting
risk in most institutions generally are their lending and investment-securities
activities.
Specified
procedures. Procedures agreed upon by the institution and the
auditor to test its activities in certain areas. The auditor reports
findings and test results, but does not express an opinion on controls
or balances. If performed by an independent public accountant, these
procedures should be performed under generally accepted standards
for attestation engagements (GASAE).
Issued by the Federal Financial Institutions Examination Council on behalf
of the Board, the Federal Deposit Insurance Corporation, the Office
of the Comptroller of the Currency, and the Office of Thrift Supervision
Sept. 28, 1999 (SR-99-33). Effective for fiscal years beginning on
or after January 1, 2000.