We recommend reviewing the “Internal and External Audits” booklet of the Comptroller’s Handbook and the OCC’s Director’s Book, in addition to reviewing the relevant provisions of 12 CFR 363 for banks with assets of $500 million or more but less than $1 billion. Your bank also may be exempt under a recent FDIC rule providing relief from Part 363 for institutions that experienced asset growth due to participation in the Paycheck Protection Program and other COVID-related federal relief programs.
The Internal and External Audits booklet addresses external audit programs in detail and includes 12 CFR 363 Report Worksheets, which OCC examiners may use to determine an institution’s compliance with the regulation. The Director’s Book discusses audit programs and establishing an independent audit committee, which banks with $500 million or more in total assets are required to have.
Additionally, note that the FDIC recently adopted a final rule for fiscal years ending in 2021, in which an institution’s consolidated total assets will be determined based on the lesser of its consolidated total assets as of December 31, 2019, or as of the beginning of its fiscal year ending in 2021. Consequently, if your bank’s consolidated total assets were less than $500 million as of December 31, 2019, you would not be subject to 12 CFR 363 for your fiscal year ending in 2021.
For resources related to our guidance, please see:
- Comptroller’s Handbook, Internal and External Audits (July 2019), page 41 (“An external audit program provides the bank board with information about the bank’s financial reporting risk areas, e.g., the bank’s internal controls over financial reporting, the accuracy of its recording of transactions, and the completeness of its financial reports prepared in accordance with applicable accounting standards. Through its external audit program the bank board or its audit committee engages an independent auditor or audit firm, commonly known as the ‘external auditor,’ for planning and execution of the external audit plan.”)
- Comptroller’s Handbook, Internal and External Audits (July 2019), page 41 (“The goal of an effective external audit function should be to provide the bank board and management with
- reasonable assurance that the financial statements present fairly, in all material respects, the financial position of the bank in conformity with generally accepted accounting principles (GAAP), and, as applicable, that internal controls over financial reporting are operating effectively.
- an independent and objective view of the bank’s financial statements, and, as applicable, the bank’s processes related to financial reporting.
- timely oral and written communications that are useful to directors and management in maintaining the bank’s risk management processes.”)
- Comptroller’s Handbook, Internal and External Audits (July 2019), Appendix D (“The Worksheet: 12 CFR 363 Annual Report Review is a tool to be prepared each year on receipt of either the annual report or the Laws and Regulations Attestation Report. Review of any other reports received periodically should be recorded on the 12 CFR 363 Periodic Reports Worksheet. Use of these worksheets is not mandatory.”)
- OCC, Director’s Book (November 2020), page 65 (“Well-planned, properly structured audit programs are essential to effective risk management and internal control systems and are also a critical defense against fraud.96 The audit program consists of an internal audit function and an external audit function. . . . The external audit function complements the internal audit function by providing management and the board with an independent and objective view of the reliability of the bank’s financial statements and the adequacy of its system of internal controls over the bank’s financial statements.”)
- OCC, Director’s Book (November 2020), page 96 (“The audit committee should oversee the bank’s audit program and ensure that it is sufficiently robust to identify, test, and report on all key activities in the bank. Establishing an independent audit committee to oversee and maintain the audit functions is a good, and sometimes required, practice. The bank’s size and activities dictate the composition of the audit committee. The audit committee’s responsibilities should include the following . . .”)
- Annual Independent Audits and Reporting Requirements, 12 CFR 363.5(a) (“Composition and duties. Each insured depository institution shall establish an audit committee of its board of directors, the composition of which complies with paragraphs (a)(1), (2), and (3) of this section. The duties of the audit committee shall include the appointment, compensation, and oversight of the independent public accountant who performs services required under this part, and reviewing with management and the independent public accountant the basis for the reports issued under this part.”)
- Annual Independent Audits and Reporting Requirements, 12 CFR 363.5(a)(2) (“Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. The appropriate Federal banking agency may, by order or regulation, permit the audit committee of such an insured depository institution to be made up of less than a majority of outside directors who are independent of management, if the agency determines that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors to serve on the audit committee of the institution.”)
- Annual Independent Audits and Reporting Requirements, 12 CFR 363.1(a)(1) (“This part applies to any insured depository institution with respect to any fiscal year in which its consolidated total assets as of the beginning of such fiscal year are $500 million or more. Notwithstanding the foregoing and for all requirements in this part, with respect to any fiscal year ending in 2021, an insured depository institution’s consolidated total assets shall be determined based on the lesser of (a) an insured depository institution’s consolidated total assets as of December 31, 2019, or (b) an insured depository institution’s consolidated total assets as of the beginning of its fiscal year ending in 2021. The requirements specified in this part are in addition to any other statutory and regulatory requirements otherwise applicable to an insured depository institution.”)
- FDIC, Final Rule, Applicability of Annual Independent Audits and Reporting Requirements for Fiscal Years Ending in 2021, 85 Fed. Reg. 67427, 67430 (October 23, 2020) (“Under the IFR, the FDIC seeks to negate the cost and burden effects of potentially temporary asset growth associated with pandemic-related programs and similar impacts. The IFR accomplishes this by allowing IDIs to determine the applicability of part 363 of the FDIC’s regulations for fiscal years ending in 2021 based on the lesser of the IDI’s (a) consolidated total assets as of December 31, 2019, or (b) consolidated total assets as of the beginning of their fiscal years ending in 2021. For example, an IDI with a fiscal year beginning July 1, 2020, and ending June 30, 2021, would normally determine part 363 compliance requirements as of its fiscal year ended June 30, 2020. Under the IFR, an IDI experiencing growth would instead use its consolidated total assets as of December 31, 2019, for purposes of determining its compliance requirements with part 363. . . .”)