The Federal Deposit Insurance Corporation Improvement Act (FDICIA) was signed into law in 1991 and raised the compliance bar for banks at both the $500 million and $1 billion thresholds. Though compliance requirements were already known to be stringent, institutions over the $1 billion threshold are now subject to even more rigorous audit requirements under Statement of Auditing Standards (SAS) No. 130.
Although the compliance threshold is high, many institutions procrastinate when it comes to preparing for FDICIA compliance.
Those that fail to consider the realistic volume of work necessary to satisfy requirements at the $1 billion threshold could find themselves rushing internal audits prior to the deadline—and risking noncompliance.
Learn how your organization can prepare in advance of deadlines, which could result in time and cost-saving measures.
When an organization faces the challenge of FDICIA compliance requirements, it’s never too soon to start planning.
These time-consuming processes include financial statement mapping, organization-wide risk assessment, and business segment identification. They require coordination from beginning to end, with total buy-in from all business units and levels within the organization.
Additional time must also be devoted to mapping risks associated with information technology. Applications, operating systems, and database types should be assessed across the organization with risks documented for each significant account or business process.
Realistic timelines should be established well in advance and remain flexible as the project unfolds. Delays are almost certain to occur as controls are assessed, examined, and tested—often for the first time.
Budgets should also remain cautiously flexible. Remediation testing for control failures isn’t known until the final phases of testing and can increase both time and costs.
Establish Key Controls
The process of identifying the key controls of an organization involves extensive analysis across systems and processes within the organization as a whole, and should be performed by qualified and experienced individuals.
It involves reviewing all business segments for the purpose of identifying and distinguishing between:
- Activities—procedures which generally support established policy objectives
- Internal controls—activities which specifically serve to mitigate risk within the organization
- Internal controls over financial reporting (ICFR)—internal controls which prevent or detect errors in financial reporting
- Key controls—indispensable controls over financial reporting which may cover more than one risk and, if failed, might not detect a misstatement in a timely manner by management
Components of Internal Control
Frequently, organizations in their first year working to adopt FDICIA discover the strong internal control culture they believed to be in place is largely based on procedural activities. Procedural activities can be quite beneficial to the organization when consistently applied. However, they need to include components of internal control to qualify for FDICIA purposes. These components—as defined by the Committee of Sponsoring Organizations (COSO) 2013 Framework—include:
- The control environment is a set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. According to The Institute of Internal Auditors, a control environment strives to: achieve strategic objectives; provide reliable financial reporting; operate business efficiently and effectively; comply with applicable laws and regulations; and safeguard its assets.
- Risk assessment forms the basis of determining how risks will be managed, and requires management to consider the impacts of changes internal and external to the organization.
- Control activities preventative and detective actions that help management mitigate risks to ensure achievement of its objectives.
- Information either obtained or generated by management to support control components, and communicated in order to support meeting requirements and expectations.
- Monitoring activities are periodic and ongoing evaluations to verify that each of the components on internal control are present and functioning.
Without these components, procedural activities won’t result in effective ICFR or key controls.
As a result, identifying and establishing key controls can take far longer than anticipated, run over budget, and quickly become a matter of concern.
Establish Adequate Documentation
Once a set of key controls has been identified and a testing plan put in place, another challenge is establishing an adequate trail of audit documentation.
Often times, day-to-day procedures have been performed by operational staff the same way for many years, but have never been subject to audit. As such, no one has attempted to verify the controls are in place and actually performing as intended, or assessed evidence that controls are being maintained. A first-time examination of these processes tends to identify significant gaps in both the design of the control and the audit trail.
An audit trail exists only when there’s sufficient and appropriate audit evidence to confirm a control is operating effectively as designed.
If any part of the control can’t be verified and documented by the auditor, the control test will fail. Once a control fails, remediation testing is then required at a later date, and will result in additional time spent on the audit—whether or not it’s reflected in the budget.
Instead of taking a reactive stance to testing control documentation, time should be allocated up-front to examine the audit trail for each key control prior to commencement of the testing phase. Then, the following steps need to be taken:
- Deficiencies and gaps corrected
- Adequate documentation preserved
- Relevant operational staff trained in any new procedures designed to maintain audit trails going forward
Failure to spend this time up-front will undoubtedly result in spending an equal amount of time in remediation testing later in the process—and every year thereafter until adequate audit trails can be established and maintained.
Coordinate with External Financial Auditors
As external auditors are tasked with assessing if material weaknesses exist in ICFR as of the date of management’s assessment, it’s crucial that coordination be established early in the FDICIA adoption process. Failure to adequately coordinate could result in inefficiencies in the external audit.
Input from external auditors should be sought as key controls are identified by management and testing plans are set in motion. If specific controls are tested by external auditors, those should be included within management’s assessment of key controls.
Additionally, the frequency of controls should be assessed, compared with external auditors’ expectations, and required sample sizes for testing should be agreed upon prior to testing.
If external auditors can place partial reliance on management’s testing, the more efficient form of re-performance testing can be employed.
However, if there are gaps in controls and sample sizes don’t line up, the less efficient form of independent testing by the external auditor must be employed. This could result in additional audit hours and audit fees.
Benefits of Outsourcing
An independent, open-minded view of the control systems and processes that exist within the company can provide the following:
- In-depth understanding of the COSO control framework
- Ability to coordinate organization-wide implementation
- Cost-effectiveness due to third-party industry knowledge and procedures and previously developed tools
- Efficient communication between management and external independent auditors
- Strong coordination and cooperation between auditors and third parties who understand the requirements and procedures they follow, resulting in less duplicative effort
We’re Here to Help
Understanding a financial institution’s ICFR requirements and coordinating them with the efforts of its independent external auditors is complex and important. To learn more, contact your Moss Adams professional.