When a financial institution approaches $500 million in assets, there are several issues to consider related to complying with the Federal Deposit Insurance Corporation (FDIC) regulation Part 363 – Annual Independent Audits and Reporting Requirements. This article will primarily focus on new reporting requirements, management representation and information on forming an audit committee that is included in the regulation. There are other items to consider in the regulation; however, these are usually the most significant.
An institution is subject to the FDIC Annual Independent Audits and Reporting Requirements (Part 363) when its total assets, measured on the first day of a fiscal year (FY), equal or exceed $500 million. If an institution goes over $500 million in the prior year but its total assets decline below this threshold before the first day of the next FY, the institution won’t be subject to the regulation.
For example, if an institution with a December 31 fiscal year-end goes over $500 million in total assets for the first time on April 30, 2016, but then goes down to $490 million in total assets by January 1, 2017, it wouldn’t be subject to the regulation for 2016 or 2017. However, if on January 1, 2017, the institution remained above $500 million, it would be required to comply with the regulation for the FY ended December 31, 2017.
Audited Financial Statements
There are several new reporting requirements for institutions that must comply with Part 363. The most significant requirement is obtaining an audit of their financial statements by an independent auditor stating the financial statements are in accordance with generally accepted accounting principles (GAAP).
The institution is required to provide the current and preceding fiscal year-end financial statements for comparison; however, only the current fiscal year-end financial statements are required to be audited. However, the auditor will usually have to audit beginning balance sheet accounts for the FY required to be audited to be able to issue an opinion.
The audit may be performed at the holding company parent level if 75 percent or more of its consolidated assets consist of the subsidiary financial institution. Otherwise, the audit must be performed at the financial institution level. Often, these financials have to be filed 120 days after year-end, making an early start imperative. Engaging an audit firm during its off-peak time can help institutions save on audit fees and early identify potential accounting or internal control issues.
Another challenge facing institutions is independence rules preventing them from engaging their audit firm to assist with financial statements preparation. These rules require institutions to seek help from third parties or internally hire individuals who can draft GAAP financial statements.
Management will be required to provide written representations to its primary bank regulators related to the institution's financial statements, internal controls over financial reporting and compliance with safety and soundness of laws and regulations pertaining to insider loans and dividend restrictions. These required representations are made through the issuance of management reports signed by management, which usually consists of the CEO and CFO.
Management is required to represent that the financial statements are management’s responsibility and are prepared in accordance with GAAP. As discussed above, this is significant in that management cannot obtain assistance from its independent audit firm to satisfy this representation. Management must have the ability or obtain the necessary resources to represent that the financial statements are properly stated.
Management is also required to represent its responsibility for establishing and maintaining adequate internal controls over financial reporting that prevent material misstatements in the financial statements. To ensure proper design and effectiveness of these controls, management needs to establish a formal evaluation and testing process. A bank with more than $500 million but less than $1 billion in total assets isn’t required to obtain an independent firm’s opinion on these controls; however, the opinion is required for banks with total assets in excess of $1 billion.
Part 363 also requires management to attest to compliance related to dividend restriction and insider loans. This usually requires management to have specific procedures verifying compliance with these laws and regulations.
The management reports usually accompany the audited financial statements and are required to be filed 120 days after the fiscal year-end. The full regulation provides example reports for management use.
Forming an Audit Committee
Institutions subject to Part 363 must form an audit committee independent of the board of directors and management. For institutions with assets between $500 million and $1 billion, the majority of committee members are required to be outside directors independent of management; for banks with more than $1 billion in total assets, all of the audit committee members must be outside directors independent of management. An outside director is defined as an individual who hasn’t been an officer or employee of the institution or its affiliate within the preceding year.
The independence rules are complex and require careful consideration of potential conflicts of interest, including compensation for services provided to the institution based on certain thresholds. The board of directors should formally review the independence of each committee member, taking into account the ownership of voting stock, previous experience with the institution or its affiliates and current or previous participation in the financial statement preparation. The board of directors should read Part 363 in detail and document its considerations in the board minutes.
The audit committee is responsible for engaging and overseeing an independent audit firm to ensure proper adherence to contractual responsibilities. The committee should meet with the audit firm and management to understand potential issues with controls over the audited financial statements.
In situations where an institution has difficulty finding independent committee members, the FDIC regulation offers a hardship exemption, under which a majority of the committee members don’t have to meet the above definition.
The Earlier, the Better
It’s important that the board of directors and management fully understand the regulation before surpassing the $500 million mark. This may require contacting third parties, e.g., law firms, public accounting firms and potential audit committee members. Without significant planning, it would be difficult for institutions to immediately implement proper internal controls over financial reporting or state their financials are in accordance with GAAP. The full detailed regulation and examples to help with proper implementation are available here.