FDIC regulations: Implications for banking industry

INTRODUCTION

The Board of Directors of the Federal Deposit Insurance Corporation (FDIC) approved the regulations implementing Section 112 of the FDIC Improvement Act of 1991 in May 1993.(1) The Board also provides guidelines to facilitate a better understanding, full compliance, and proper implementation of the provisions of the regulations. These regulations cover primarily four financial reporting areas of insured depository institutions: (1) preparation of audited annual financial statements; (2) management reporting to the FDIC and other regulatory agencies on internal controls and compliance with applicable laws and regulations; (3) establishment and maintenance of an effective audit committee comprised of independent, outside, non-executive directors; and (4) an independent auditor's attestation report regarding the institution's internal control structure and procedures of financial reporting.

The proper implementation of the new FDIC regulations ensures a more reliable financial reporting process and responsible corporate governance and accountability for affected financial institutions. These regulations apply to financial institutions with $500 million or more in total assets for fiscal years ending December 31, 1993, and thereafter. However, almost all institutions will be affected by the provisions of these regulations. These four financial reporting areas should be considered by all institutions as they will likely receive increased attention in the regulatory examination and rating process. The primary purpose of this article is to: (1) discuss the provisions of these four financial reporting requirements, and (2) provide guidelines for the proper and effective implementation of these regulations.

FDIC REGULATIONS ON FOUR AREAS OF FINANCIAL REPORTING

The 1991 FDIC Improvement Act issued a number of comprehensive new rules and regulations that create a higher responsibility for management in the areas of financial reporting and corporate governance. These regulations also place a heavier burden on banks' boards of directors and independent auditors involved in financial audit and compliance reporting areas.

Financial Reporting Requirement Disclosures

The new FDIC regulations mandate more comprehensive financial reporting and disclosure requirements for insured depository institutions. Section 363.2(a) of the regulations requires that affected institutions prepare and disseminate comparative financial statements for the two most recent fiscal years, including balance sheets, income statements, statements of cash flows, statements of changes in owner's equity, and related footnote disclosures in accordance with generally accepted accounting principles (GAAP). These financial statements should be audited by an independent auditor.

Management Report

Management of affected institutions should provide signed statements of financial activities and assertions. Section 363.2(b) of the regulations requires a management report signed by the chief executive officer and chief accounting or chief financial officer be included in the most recent annual report. This report by management should contain: (1) a statement indicating management is primarily responsible for the preparation of financial statements; (2) a statement of management's responsibilities for establishing and maintaining an adequate and effective internal control structure and complying with applicable laws and regulations; and (3) a statement of management's assertion regarding the effectiveness of internal controls over financial reporting and compliance with applicable laws and regulations related to safety and soundness, which are set by the FDIC and the appropriate federal banking agencies. These regulations place significant responsibility upon management for reliable financial reporting and responsible corporate governance.

The idea that management should be required to report on internal controls is not new. The National Commission on Fraudulent Financial Reporting (Treadway Commission), in its report issued in 1987,(2) recommended that the SEC require management to publicly report its responsibility for the establishment and maintenance of an adequate and effective internal control system and its assessment of the effectiveness of such a system in achieving established objectives. However, the SEC has yet to make the Treadway recommendations requirements for companies under its jurisdiction.

The FDIC regulations require an institution's management for the first time to make public statements regarding its responsibilities for the effectiveness of internal controls over financial reporting, operating activities, and compliance requirements. Therefore, it is essential that management should adequately document its understanding, determinations, assessments, and deficiencies in internal control at the end of the fiscal year and compliance with applicable laws and regulations during the entire fiscal year. The proper documentation will also assist independent auditors in ascertaining management's assertions on internal control. While the regulations do not specify a format for management's report on internal control, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) report entitled "Internal Control--Integrated Framework" provides excellent guidance for such a report.(3)

Independent Auditor Report

The new regulations increase the independent auditor's responsibilities in the financial reporting process. Section 363.3(a) of the regulations requires that the annual financial statements be audited by an independent public accountant in accordance with generally accepted auditing standards (GAAS) and section 37 of the Federal Deposit Insurance Act. The auditor should express an opinion regarding the fair presentation of financial statements in conformity with GAAP unless the agencies specify more stringent standards. This section does not require anything beyond existing requirements under GAAS. However, section 363.3(b) of the regulations requires that an independent public accountant report on management's assertions about internal controls over financial reporting and perform agreed upon procedures to assess compliance with applicable laws and regulations. Currently, public accountants are using standards established in the Statement on Auditing Standards (SAS) No. 55 entitled "Consideration of the Internal Control Structure" in auditing financial statements and provisions of the COSO report in reporting on an institution's internal control structure.

Section 363.4 of the regulations requires that affected institutions should submit, within 90 days after the end of their fiscal year, to the FDIC and their primary federal and/or state regulators two copies of: (1) an annual report containing (a) audited financial statements and the independent auditor's report thereon and (b) management's report along with the independent auditor's attestation report on the internal control structure over financial reporting; and (2) the independent auditor's attestation report on the agreed upon procedures assessing compliance with applicable laws and regulations. While the disseminated annual report is a public document, the independent auditor's report on compliance with applicable laws and regulations is not a public report and is prepared for management use and filing requirements with the FDIC, the appropriate federal banking agency, and any appropriate state banking supervisor.

Any reports by independent auditors should be filed with the FDIC and their primary federal and/or state regulator regardless of when annual reports are being filed. Thus, the affected institutions should coordinate the filing time of all required reports to prevent having to file twice. The regulations [Sections 363.3(c) and 363.4(d)1 also require that both the institution and its independent public accountant notify the FDIC and the appropriate federal and/or state regulator in writing regarding the resignation and/or termination of the independent auditor within 15 days after the occurrence of such events, along with supporting statements of the reasons for any such events in reasonable detail. These requirements are similar to the existing requirements of the Securities and Exchange Commission (SEC) and the Office of Thrift Supervision (OTS); however, under the new regulations the independent auditor should file the termination notice independently of the institution's management.

Audit Committee's Role

During the past decade, various groups have suggested that corporations adopt audit committees to enhance the reliability of financial reporting and to ensure corporate governance and accountability. The United States General Accounting Office (GAO) suggested that banks establish audit committees to ensure reliable financial reporting and responsible corporate governance.(4) The GAO also issued a report which made several recommendations regarding the proper use, formation, and role of banks' audit committees. Section 363.5 of the regulations requires affected institutions to form an independent audit committee consisting of outside, non-executive directors who are not large customers of the institution. The duties of the audit committee include reviewing with management and the independent public accountant the basis for all required reports. The responsibility for determining and ensuring the independence of members of audit committees rests with the board of directors. The requirement for establishment of audit committees creates more responsibility for the institution's officers and directors involved in the audit area. Affected institutions should develop proper manuals addressing compliance procedures that directors should follow in meeting FDIC regulations.

Audit committees should be established by the institution's board of directors to oversee the financial reporting activities and to act as a liaison between the board and both internal and external auditors. In fulfilling their expanded oversight responsibilities, institutions' audit committees may rely on outside consultants and/or internal auditors for much of their information concerning institutions' activities. The Treadway Commission recommended that audit committees be informed, vigilant, and effective overseers for the financial reporting process and internal control.

IMPLICATIONS OF FDIC REGULATIONS FOR FINANCIAL INSTITUTIONS

Although FDIC regulations apply to institutions with total assets at or above $500 million, almost all financial institutions will be affected by the regulations. These regulations can be classified into two general groups: currently existing regulations and newly established regulations. Currently existing regulations are those that are already in effect for financial reporting purposes of financial institutions. These regulations require: (1) management to assure full responsibility for fair presentation of financial statements in conformity with GAAP; (2) management to establish and maintain an adequate and effective internal control structure to provide reasonable assurance that errors, irregularities, and noncompliance with applicable laws and regulations are being prevented, detected, and corrected; and (3) an independent auditor to express an opinion regarding the fair presentation of financial statements in conformity with GAAP. The above requirements already exist; and, accordingly, institutions need only change their reporting methods in documenting compliance with these requirements.

The second group of newly established regulations are those that had not been in existence prior to the issuance of the FDIC's report or were voluntarily established. These regulations require: (1) management to assess the effectiveness of the internal control structure over financial reporting and safeguarding of assets, as well as compliance with the applicable laws and regulations; (2) an independent auditor's attestation report on management's assessment of the internal control structure over financial reporting for public use; (3) an independent auditor's report on agreed-upon procedures assessing management's compliance with applicable laws and regulations for specific management or regulatory use; and (4) notification from the independent auditor to the FDIC and the appropriate federal and/or state regulators in writing of withdrawal from an audit engagement within 15 days after the occurrence of such event and detailed reasons for such termination independent of management. Note, that in accordance with the existing requirements of the SEC and OTS, the accountant's termination filing is effectively a response to management's filing; (5) institutions should submit their required reports, including annual and compliance reports, to the FDIC and their primary federal and/or state regulators within 90 days after the end of their fiscal year. Institutions are also required to file any reports received from their independent auditors within 15 days of receipt; and (6) the board of directors of affected institutions need to establish an independent audit committee consisting of outside, non-executive directors to ensure reliable financial reporting and responsible governance.

These newly established regulations require management to make a positive assertion publicly regarding the fair presentation of financial statements, effectiveness of internal controls, and compliance with applicable laws and regulations. Thus, these regulations require establishment and maintenance of a sound financial reporting process, including accounting information systems and an internal control structure to ensure adequate documentation and sufficient support for management's representations.

CONCLUSIONS

Recently, the FDIC approved new regulations regarding management financial and internal control reporting, audit committees, and independent audit requirements. These regulations have significantly changed management, audit committee, and independent auditor reporting responsibilities to ensure reliable financial reporting and responsible corporate governance for almost all financial institutions. However, these regulations did not provide any specific guidelines for establishment and maintenance of a financial reporting system and internal control structure, as well as procedures to assess the adequacy and effectiveness of the internal control structure, and the formation, role, and responsibilities of audit committees. To ensure compliance with these regulations in view of the lack of definitive guidance, affected financial institutions should take into consideration the recommendations of the Treadway Commission regarding the structure, role, and responsibilities of audit committees and the provisions of the COSO report on determining the objectives of an adequate internal control system and criteria used in evaluating its effectiveness, evaluation tools, format, and content of external reporting of internal controls. Finally, affected financial institutions should consult their independent public accounting firms for assistance in developing proper implementation plans to ensure compliance with these regulations.

ENDNOTES

1. Supervisory Guidance on the Implementation of Section 112 of the Federal Deposit Insurance Corporation Improvement Act, 1991, The Board of Directors of the FDIC, May 11 , 1993.

2. National Commission on Fraudulent Financial Reporting, "Report of the National Commission of Fraudulent Financial Reporting," October 1987.

3. Committee of Sponsoring Organizations of the Treadway Commission (COSO), "Internal Control--Integrated Framework," Coopers & Lybrand, September 1992, Volume 1-4.

4. Audit Committee: Legislation Needed to Strengthen Bank Controls, U.S. General Accounting Office (GAO/AFMD 92-19), October 21, 1991.

* Associate Professor of Accounting, Middle Tennessee State University, P.O. Box 50, Murfreesboro, TN 37312, Tel (615) 898-2558, Fax (615) 898-5045.

Copyright National Association for Bank Cost & Management Accounting 1994
Provided by ProQuest Information and Learning Company. All rights Reserved