Things to Consider When Outsourcing FDICIA or Performing Procedures In-House
As banks start researching the FDICIA implementation process when reaching the billion-dollar threshold, the decision to outsource the implementation process or perform the process in-house is mixed. Many banks have chosen to outsource, or seek assistance, with certain elements of the internal control reporting and auditing requirements. Other banks can implement the FDICIA requirements internally with only minimal external assistance.
We are often asked by banks what level of internal control outsourcing is appropriate and what a typical FDICIA engagement might look like. The answer depends on if the three considerations described below are fully accessible to the bank: the knowledge and expertise of the Committee of Sponsoring Organizations (COSO) framework; personnel experienced with identifying, designing, and testing internal controls; and the resources available to ensure a timely implementation and make the process repeatable and sustainable.
Evaluate Internal Implementation Options
Below are some common FDICIA implementation considerations when evaluating internal capabilities for FDICIA readiness:
COSO Skills, Knowledge, & Experience
The FDICIA rules require the design of internal controls over financial reporting be based on a nationally recognized framework. In 1992, the Committee of Sponsoring Organizations of the Treadway Commission developed an internal control framework as part of its mission to provide thought leadership that enhances internal control, risk management, governance, and fraud deterrence. The COSO framework was updated in 2013 and introduced 17 principles that further described the five components from the original framework. Due to the popularity of this framework, a majority of banks elect to use the COSO framework during the FDICIA implementation process and for recurring operating effectiveness testing.
FDICIA controls must be designed to meet all the COSO framework components, including control environment, risk assessment, control activities, information and communication, and monitoring activities across operations, reporting and compliance functions, and covering entity, division, and operating unit functions. While bank executives are familiar with the framework, the level of detail to test the components is often overlooked; therefore, it is important to have a certified public accountant with control testing experience involved in the development and testing of the key controls identified. This individual also should understand how to map the 17 points of focus to the key controls selected. When making the decision on outsourcing or performing the FDICIA implementation in-house, banks should evaluate their internal COSO skills, knowledge, and experience before deciding how much, if any, external help is needed.
Key Control Identification, Design, & Documentation
The second consideration when evaluating internal capabilities is the experience of personnel in identifying key controls, how those key controls should be designed, and then documenting the significant attributes associated with each control. Community bank internal controls have developed over time as needed for operations or as recommended by regulators and auditors. These changes have increased the level of detail, creating a complex process to identify and test controls for most institutions reaching the billion-dollar threshold as described in FDIC Part 363 that typically have only a few employees in the internal audit department. There should be enough documentation to determine the frequency of controls (how often the control operates), robust descriptions around attributes used to test the key controls, how to test the completeness of information provided by the entity, and the IT system that affects each control.
If internal controls are not documented, management will find it difficult to assert that controls are effective. Further, external auditors will be unable to rely on the testing performed by management and could cause an adverse opinion on the internal control structure. Therefore, the longer the timeline to complete the implementation process, the more time bank personnel have to get used to performing their new functions and work through any gaps noted.
At the same time, including irrelevant processes or controls in a FDICIA project can create inefficiencies for a bank and its auditors. Determining the proper mix of key controls that are relevant for financial reporting purposes is critical.
Banks should have the ability to assess whether key controls have been designed, tailored, and documented to meet FDICIA and external auditor requirements while also providing benefit to the bank.
FDICIA Project Resources Available
Another consideration for bank executives to consider when starting the decision process is the length of time prior to crossing the billion-dollar threshold. The measurement date of assets is the first of January; therefore, if based on the bank’s forecasting of assets it will be reaching the billion-dollar threshold in the next year or two, then it should start the implementation process. The closer to the measurement date the bank waits to implement, the less time internal resources have to handle all the process discussions, gap analysis, control mapping, and testing of the designed controls. Resource constraints can make FDICIA implementation a challenge in a shortened time frame.
Further, banks implementing FDICIA commonly designate a project leader or leaders to manage the implementation. The project leader should be an executive familiar with financial reporting and/or risk management. The project manager will help identify the executives, process owners, and other personnel responsible for key controls. Internal audit can assist management in the FDICIA testing but should not be a key control owner. They should act as the independent function in this process to effectively test internal controls.
Banks should review the personnel available for the FDICIA implementation process and review testing plans together with other responsibilities to help ensure adequate time is available to complete the documentation.
Evaluate Outsourcing Options
As community banks approaching the billion-dollar threshold evaluate the considerations described above and determine that at least one of the three are considered missing, the next step is to determine if outsourcing the implementation and testing is beneficial. This testing can be tailored to specifically address your institution’s needs. This can take many shapes, including:
- Consultation with management and the board to provide training and education for board members, executives, and/or control owners
- Documentation of control process, which would include identifying, designing, and documenting controls using the COSO framework through narrative discussions held with process owners
- Testing the design of key controls through walk-throughs and testing the operating effectiveness of internal controls using samples that meet management and external auditor needs
- Full implementation, which would include all of the above, including project facilitation with executive management, mapping of key controls to the COSO framework, mapping financial statement line items to key controls, and consultation on improving gaps discovered in the narrative process
Unlike bank financial performance measures, which are publicly available through call reports, internal control information is not publicly available. Another benefit of outsourcing is an independent third party can identify the existence of deficiencies in design or operation of controls based on experience obtained through external audits and other FDICIA implementation projects. Audit or consulting firms specializing in banking can be a valuable resource for addressing FDICIA requirements.
Due to independence requirements, the bank’s external auditors are prohibited from providing FDICIA implementation services for banks they also audit. However, it is normal and beneficial for outsourced FDICIA consultants to work with a bank’s external auditors when assisting a bank with FDICIA implementation or testing.
Regardless of the approach selected, bank executives should expect to derive benefit from the FDICIA implementation process. Rather than treating FDICIA as a compliance exercise, banks should view FDICIA as an opportunity to improve their control structure, as risks can increase with a bank’s size and complexity.
For more information, reach out to your BKD Trusted Advisor™ or submit the Contact Us form below.