In an environment of mergers and acquisitions, acquiring banks face a higher level of regulatory scrutiny when crossing the billion-dollar total asset threshold. The control environment can easily be overlooked during daily operational considerations, but management should be aware of the workload that comes with concluding on the effectiveness of internal control over financial reporting (ICFR). This change will affect most employees of the bank by shifting how they think about routine job functions. Is your bank ready for the change?
Concluding on the effectiveness of ICFR by the chief executive officer (CEO) and chief financial officer (CFO) is a regulatory requirement directed by the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), Part 363. Although a bank is subject to most aspects of Part 363 when reaching the $500 million threshold, the requirements increase when total assets rise above $1 billion. Two major requirements banks should consider when nearing the billion-dollar threshold are:
- The audit committee must be completely independent from management.
- Management has to conclude and an independent audit firm has to opine on the effectiveness of the bank’s ICFR each fiscal year.
These requirements can cause several problems when evaluating closely held community banks. First, regarding independence, the audit committee should be evaluated to determine if members have any affiliation with the bank, including majority and minority shareholders who don’t serve in management roles. Further, if any member of the committee serves in a management function, the bank won’t be in compliance with Part 363.
Second, the CEO and CFO have to conclude on the effectiveness of ICFR when total assets are at least a billion dollars at the start of the fiscal year. This is interpreted to mean assets are greater than a billion dollars at midnight on the first day of the fiscal year. Even if the asset size dropped immediately to below a billion dollars and stayed at that level for the remainder of the year, the bank still would be subject to the ICFR requirements. The bank’s asset size is remeasured the first day of every fiscal year; therefore, if management intends to maintain the asset level below a billion dollars in future periods, control testing can be eliminated from the audit plan. However, due to the time spent to implement FDICIA control testing, management should consider conducting a cost-benefit analysis of discontinuing testing after the bank has gone through the implementation process, especially if management intends for the bank to cross back over a billion dollars in future years.
At first glance, these changes probably don’t seem too different from what your bank is doing now—but when truly considering all aspects of the ICFR process, a bank’s workload likely would become much more encompassing than its current practices. For the CEO and CFO to conclude on the control effectiveness, a bank will need to have documentation showing all key controls are designed and operating properly. Internally, we follow a four-step approach to guide the process:
- Document the internal control environment.
- Select key controls.
- Test key controls:
  - Walk through the design of the key controls to assess whether they’re operating as intended.
  - Test if all controls are operating throughout the year.
  - If errors are found in the steps above, put the controls into remediation and correct them by the end of the year.
- Report to management, regulators and external auditors the results of testing.
Educating your process owners and team members on the above procedures is the first step to a successful implementation. However, there are other important factors to consider when starting the planning stages.
Management should consider if the bank has appropriate internal expertise to identify and test whether the key controls are in alignment with a risk management framework, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework. Key controls are determined by management to align with the selected framework and provided to the external auditors, who will in turn give guidance on whether the documentation meets the firm’s internal requirements. External auditors aren’t allowed to provide the bank with key controls, as this would put them in the management function and impair independence. Further, management needs to determine if those individuals with the expertise have enough time to spend on implementing the testing plan and remediating issues when found. This process typically takes between 200 and 400 hours during the first year.
Due to the time required, it’s important to start planning for the FDICIA implementation process a year before the bank expects to cross the billion-dollar threshold. This allows management to consider the additional requirements examined in this article and create an appropriate testing plan.
For more information, look for additional guidance in future BKD Thoughtware® articles or contact Stephanie or your trusted BKD advisor.