While reporting requirements under the Federal Deposit Insurance Act (FDICIA) for financial institutions aren’t new, larger nonpublic institutions are noticing increased attention being placed on internal control over financial reporting (ICFR). The emphasis stems from regulatory interest in controls, external auditors applying the integrated audit under Statement of Auditing Standards (SAS) 130 to nonpublic banks, and the natural evolution of the auditing profession.
To help break down this complex topic, here’s a list of some of the most common client questions.
What changes to FDICIA reporting requirements and internal controls are happening for financial institutions?
Historically, independent auditors could examine and report on management’s assertions about the effectiveness of an institution’s ICFR. Now, the American Institute of CPAs (AICPA) has removed that option, requiring an integrated audit of both financial statements and ICFR in order to meet the regulatory requirements under FDICIA.
Integrated audits aren’t new to the auditing profession; they’re required for many SEC issuers. We see this change causing external auditors to plan and perform FDICIA audits more in line with public company audits that follow Section 404 of the Sarbanes-Oxley Act (SOX). Due to this added rigor around internal controls from external auditors, many financial institutions will likely realize they need more help to meet the higher level of expectations.
Typically, banking regulators don’t directly focus on ICFR in their examinations; however, we’ve seen increased regulatory scrutiny of the rigor and oversight of the ICFR framework from an internal audit and management perspective. We expect this to continue.
Which institutions will be most affected by this change?
Institutions with more than $1 billion in consolidated assets as of the beginning of their fiscal year have the FDICIA requirement related to ICFR and are most likely to feel the pressure to enhance their historical approach to ICFR. Institutions approaching the $1 billion threshold, rapidly growing through acquisition, intending to go public, or working with auditors or regulators with higher expectations should also begin assessing their internal controls. It’s imperative to begin preparing well ahead of becoming formally subject to the ICFR audit requirement.
Is this something my auditor can help me implement?
No. At $500 million in total assets, FDICIA requires external auditors to maintain the same level of independence as with an SEC issuer. Under those independence rules, external auditors are expressly prohibited from providing internal audit-type services.
How will this affect the way my institution evaluates its internal controls?
It starts with a better understanding of each process, the sources of risk within it, and the controls that reduce that risk, followed by an evaluation of whether those controls are robust enough. Controls that worked well when an institution was smaller may not work now, or may be subject to increased documentation expectations. Management may get feedback that its controls aren’t as robust as previously thought.
How rigorous does the IT approach need to be?
IT is a critical component of internal control at a financial institution, but it’s also a very broad topic. Certain elements of IT, such as cybersecurity, aren’t directly relevant to financial reporting and compliance under FDICIA. It’s important to map business process controls to the IT systems they depend on, and to evaluate application controls and SOC 1 reports for in-scope systems.
What steps can institutions take to improve?
Institutions can look to their own internal audit staff and upgrade their skills by making sure they can perform risk assessments, walkthroughs, and assessment plans. However, while institutions could do all of their own risk assessment and control evaluation, this can be cost-prohibitive and require an extensive amount of work. Outsourcing this effort could help with preparation and compliance while removing the burden from staff, as well as providing access to external expertise in areas such as IT.
We’re Here to Help
For more information about FDICIA reporting guidelines and making sure your financial institution is prepared, contact your Moss Adams professional.