Once your bank reaches an asset size of $1 billion or more, it will be subject to enhanced requirements for its independent audit committee, management reporting, and audit program as of the beginning of its next fiscal year, in addition to the requirements that already apply to your institution by virtue of crossing the $500 million asset threshold.
As a bank with assets of $1 billion or more, your board’s independent audit committee must consist of outside directors who are independent of the bank’s management. This differs from the requirements for banks with $500 million or more but less than $1 billion in total assets, for which the independent audit committee must consist of only a majority of independent outside directors.
Additionally, you must include an assessment of the effectiveness of your internal control system in your management reports. This assessment must include statements that: “(1) identify the internal control framework used to evaluate the effectiveness of controls, (2) indicate controls were considered during the assessment, (3) express management’s conclusion as to whether the institution’s internal control over financial reporting is effective as of the end of the fiscal year, and (4) disclose any material weaknesses in internal controls that were not remediated prior to the fiscal year-end.”
Further, the independent public accountant who audits your bank’s financial statements must examine, attest to, and report separately on the assertions of management concerning the bank’s internal control structure and procedures for financial reporting.
There are several high-quality articles outlining these requirements as well as other best practices for banks that have crossed the $1 billion asset threshold, which are linked in the resources below.
For resources related to our guidance, please see:
- Annual Independent Audits and Reporting Requirements, 12 CFR 363.5(a) (“Composition and Duties. Each insured depository institution shall establish an audit committee of its board of directors, the composition of which complies with paragraphs (a)(1), (2), and (3) of this section. The duties of the audit committee shall include the appointment, compensation, and oversight of the independent public accountant who performs services required under this part, and reviewing with management and the independent public accountant the basis for the reports issued under this part.
(1) Each insured depository institution with total assets of $1 billion or more as of the beginning of its fiscal year shall establish an independent audit committee of its board of directors, the members of which shall be outside directors who are independent of management of the institution.
(2) Each insured depository institution with total assets of $500 million or more but less than $1 billion as of the beginning of its fiscal year shall establish an audit committee of its board of directors, the members of which shall be outside directors, the majority of whom shall be independent of management of the institution. The appropriate Federal banking agency may, by order or regulation, permit the audit committee of such an insured depository institution to be made up of less than a majority of outside directors who are independent of management, if the agency determines that the institution has encountered hardships in retaining and recruiting a sufficient number of competent outside directors to serve on the audit committee of the institution.
(3) An outside director is a director who is not, and within the preceding fiscal year has not been, an officer or employee of the institution or any affiliate of the institution.”)
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 11 (“Management reports at institutions with $1 billion or more in consolidated assets must also provide an assessment of the effectiveness of the institution’s internal control system and include statements that:
- Identify the internal control framework used to evaluate the effectiveness of controls,
- Indicate controls were considered during the assessment,
- Express management’s conclusion as to whether the institution’s internal control over financial reporting is effective as of the end of the fiscal year, and
- Disclose any material weaknesses in internal controls that were not remediated prior to the fiscal year-end.”)
- Annual Independent Audits and Reporting Requirements, 12 CFR 363.2(b) (“Management report. Each insured depository institution annually shall prepare, as of the end of the institution’s most recent fiscal year, a management report that must contain the following:
* * * * *
(3) For an insured depository institution with consolidated total assets of $1 billion or more as of the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year that must include the following:
- (i) A statement identifying the internal control framework used by management to evaluate the effectiveness of the insured depository institution’s internal control over financial reporting;
- (ii) A statement that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions including identification of such regulatory reporting instructions; and
- (iii) A statement expressing management’s conclusion as to whether the insured depository institution’s internal control over financial reporting is effective as of the end of its fiscal year. Management must disclose all material weaknesses in internal control over financial reporting, if any, that it has identified that have not been remediated prior to the insured depository institution’s fiscal year-end. Management is precluded from concluding that the institution’s internal control over financial reporting is effective if there are one or more material weaknesses.”)
- FDIC, Risk Management Manual of Examination Policies, Section 4.2 – Internal Routine and Controls, page 11 (“The independent public accountant engaged by the institution is responsible for:
- Auditing and reporting on the institution’s annual financial statements in accordance with GAAS or PCAOB standards; and
- Examining, attesting to, and reporting separately on the assertions of management concerning the institution’s internal control structure and procedures for financial reporting on institutions with total assets of $1 billion or more.”)
- Annual Independent Audits and Reporting Requirements, 12 CFR 363.3(b) (“Internal control over financial reporting. For each insured depository institution with total assets of $1 billion or more at the beginning of the institution’s fiscal year, the independent public accountant who audits the institution’s financial statements shall examine, attest to, and report separately on the assertion of management concerning the effectiveness of the institution’s internal control structure and procedures for financial reporting. The attestation and report shall be made in accordance with generally accepted standards for attestation engagements or the PCAOB’s auditing standards, if applicable. The accountant’s report must not be dated prior to the date of the management report and management’s assessment of the effectiveness of internal control over financial reporting. Notwithstanding the requirements set forth in applicable professional standards, the accountant’s report must include the following:
(1) A statement identifying the internal control framework used by the independent public accountant, which must be the same as the internal control framework used by management, to evaluate the effectiveness of the insured depository institution’s internal control over financial reporting;
(2) A statement that the independent public accountant’s evaluation included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions including identification of such regulatory reporting instructions; and
(3) A statement expressing the independent public accountant’s conclusion as to whether the insured depository institution’s internal control over financial reporting is effective as of the end of its fiscal year. The report must disclose all material weaknesses in internal control over financial reporting that the independent public accountant has identified that have not been remediated prior to the insured depository institution’s fiscal year-end. The independent public accountant is precluded from concluding that the insured depository institution’s internal control over financial reporting is effective if there are one or more material weaknesses.”)
- Crowe, Crossing the Threshold: 5 Things Banks Should Do as They Approach $1 Billion in Assets (February 26, 2020)
- CLA, What to Expect When Your Bank Reaches Either $500 Million or $1 Billion in Assets (March 11, 2021)