This article was originally published on March 9, 2018. It has been updated to reflect the COVID-19 impact as well as current statistics.
The banking industry continues to experience significant consolidation. The number of Federal Deposit Insurance Corporation (FDIC)-insured institutions hovers around 5,000 today, down from roughly 8,000 a decade ago. This consolidation, along with a variety of other factors, has led to an unprecedented increase in the average size of a bank.
With asset growth comes new financial, regulatory, and internal control-related challenges. When your bank is growing, knowing what changes your institution needs to make — and when you need to start making them — can help you better prepare for the task ahead and plan accordingly.
FDICIA affects organizations differently based on assets
The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) was enacted in response to the savings and loan crisis to strengthen the FDIC. Federal banking agencies were required to take supervisory action when an institution's capital declined, and to grade institutions on a one-to-five scale (the CAMELS rating). Prompt corrective action and least-cost resolution were also created by the act.
In addition to the broad changes implemented by the act, which affect all institutions, there are specific requirements that apply once an institution exceeds $500 million in assets, with further requirements above $1 billion. The measurement date for these asset thresholds is the beginning of the fiscal year (i.e., if the institution reaches one of these thresholds during its fiscal year, the items below are not required until the following fiscal year).
FDICIA applies to individually chartered institutions, so the asset thresholds are measured bank by bank. For example, if a charter is acquired by a bank holding company and remains a separate charter, the FDICIA requirements apply to that charter only once it exceeds $500 million in assets. But if the charter is merged into another charter and the combined assets exceed $500 million, the FDICIA requirements take effect at the beginning of the fiscal year following the merger. Note that even where the charters are held separately by the same holding company, the Federal Reserve's FR Y-6 reporting requirements call for a top-tier holding company with consolidated assets of $500 million or more to have an annual audit of its consolidated financial statements by an independent accountant. In that case the holding company requires a consolidated audit, but the FDICIA requirements are not triggered by the consolidated total; they continue to apply only to an individual charter that itself exceeds the threshold.
Average size of banks continues to grow
The average size of FDIC-insured institutions has grown 114 percent since 2012, and the median size has grown 67 percent. These numbers show just how significantly banks’ asset sizes have increased over recent years:
| Date | Number of FDIC-insured institutions | Average asset size | 8-year % increase | Median asset size | 8-year % increase |
(Only the table header survives in this copy of the article; the data rows were not preserved.)
Information based on data extracted from filed call reports for all FDIC-insured banks for the relevant quarters.
With the increase in the average size of institutions over the last decade, more and more banks are nearing the FDICIA thresholds. As of December 31, 2020, there were 315 institutions with total assets between $400 million and $500 million, and another 136 with assets between $850 million and $1 billion. Banks in these asset ranges would be wise to begin preparation for the implementation of FDICIA requirements.
Impact of the COVID-19 pandemic on FDICIA requirements
In response to the balance sheet growth many institutions experienced during the COVID-19 pandemic, the FDIC board of directors approved an interim final rule on October 20, 2020, providing temporary relief from the FDICIA requirements. Under the rule, an institution determines whether it is subject to the FDICIA requirements for fiscal years ending in 2021 based on the lesser of (a) its consolidated total assets as of December 31, 2019, or (b) its consolidated total assets as of the beginning of its fiscal year ending in 2021. The relief is temporary, so if your institution will surpass the $500 million or $1 billion threshold in 2021, it is prudent to use this time to prepare for the applicable requirements.
Crossing $500 million in assets
If your bank is approaching $500 million in assets, critical components that will affect your institution once you have crossed the threshold include:
Your institution must submit audited financial statements to the appropriate federal banking agency within 120 days of fiscal year-end if it is not publicly traded, or within 90 days if it is. The financial statements must be comparative; if your bank has not been audited in the past, the prior-year statements may be presented on an unaudited basis.
Financial statement auditor independence requirements become more stringent for non-public institutions. FDICIA requires that the auditor comply with the most restrictive independence standards and interpretations of the American Institute of Certified Public Accountants, the Securities and Exchange Commission (SEC), and the Public Company Accounting Oversight Board (PCAOB). In most situations, the SEC and PCAOB rules are the most restrictive; thus, services such as preparation of tax returns for individuals in a financial reporting oversight role and various nonattest services are now restricted from being provided by the financial statement auditor, and the audit requires partner rotation.
In addition to the audited financial statements, your bank must also submit a management report containing a statement of management's responsibilities for the items below, together with management's assessment of the institution's compliance with the designated safety and soundness laws and regulations (the assessment of ICOFR effectiveness applies only above $1 billion and is discussed later):
- Preparing the institution's annual financial statements
- Establishing and maintaining adequate procedures and an internal control structure for financial reporting
- Complying with the laws and regulations relating to safety and soundness designated by the FDIC and the appropriate federal banking agency
As a part of a financial statement audit, your bank will also receive the following reports from your auditors, which need to be filed with the appropriate federal banking agency within 15 days of receipt:
- Governance communication — required communication with governance (contains the auditor’s responsibilities, corrected and uncorrected misstatements, any disagreements with management, etc.)
- Internal control communication (if applicable) — communication of any material weaknesses or significant deficiencies in internal controls noted during the audit
If your bank has more than $500 million in assets, you are required to have a separate audit committee, and a majority of its members must be outside directors who are independent of management. FDICIA spells out the relationships that disqualify an outside director from being considered independent, and it also prescribes specific duties for the audit committee.
Implementation plan for institutions crossing $500 million in assets
It is important for your institution to create a strategic plan for compliance with the FDICIA regulations as you approach this asset threshold. Here are some items to consider in the year before crossing $500 million in assets:
If your bank has never been subjected to a financial statement audit, a balance sheet audit should be considered in the year prior to crossing $500 million. This provides significant efficiencies in transition, as:
- The auditor will not need to audit opening balances in the year of FDICIA implementation because the balance sheet audit will fulfill that requirement.
- This will allow the auditor to assess internal controls over financial reporting (ICOFR) in a more timely fashion, which will identify any potential material weaknesses or significant deficiencies in internal controls. Your bank can then work to remedy control deficiencies prior to the requirement to send internal control reports to the applicable federal regulatory agency.
If you are working with one accounting firm that provides a variety of services, you must carefully determine if you can use the firm for your financial statement audit, and then identify which nonattest services that firm can and cannot provide. Given the heightened independence requirements, your management and audit committee must ensure that the relationship or provision of service by the firm engaged to provide the external audit has not or will not:
- Create a mutual or conflicting interest between the audit firm and the institution
- Place the auditor in the position of auditing their own work
- Result in the auditor acting as management or an employee of your institution
- Place the auditor in a position of being an advocate for your institution
Regulations specifically prohibit an external audit firm from providing certain non-audit services, including:
- Bookkeeping or other services related to your accounting records or financial statements
- Financial information systems design and implementation
- Appraisal or valuation services
- Actuarial services
- Internal audit outsourcing services
- Preparation of tax returns for individuals overseeing financial reporting
SEC independence rules do not allow the financial statement auditor to prepare the financial statements that they are auditing. There are several things your bank can consider when preparing these financial statements:
- If your bank does not feel it has the appropriate staff or experience to prepare a set of financial statements in accordance with Generally Accepted Accounting Principles (GAAP), you could consider hiring additional internal personnel with the requisite knowledge, or engage with an outside firm for assistance in preparing the financial statements.
- Most banks that have previously relied on the financial statement auditor to draft financial statements and footnotes make a more successful transition if they begin the practice before the FDICIA requirement is effective. Oftentimes the auditor has created additional documentation, schedules, or reports to aid in financial statement preparation. Your management will need to take responsibility for these items and determine whether proper controls over both preparation and review are in place. Common examples include calculating the GAAP impact of deferred loan fees or mortgage servicing rights; maintaining depreciation schedules, deferred tax inventories, and the related calculations; and summarizing credit quality information for required disclosures.
- Many institutions find it helpful to locate resources such as accounting alerts and disclosure checklists, or attend GAAP educational events to keep up to date on industry and GAAP changes impacting financial reporting.
Work to identify potential independent audit committee members to ensure that these individuals are a majority of the audit committee. This may require naming additional members or removing current members.
Your audit committee is responsible for engaging and overseeing an independent audit firm, which includes ensuring adherence to contractual responsibilities. Effective and timely communications generally require discussions in the planning and reporting phases of the audit. The committee should have effective two-way communication with the independent audit firm, including but not limited to:
- Discussions regarding critical accounting policies and practices
- Alternative accounting treatments
- Internal control matters
- Unadjusted differences
- Any other written communications provided to management
Crossing $1 billion in assets
For banks looking to cross $1 billion in assets, consider starting much earlier on your implementation plan (ideally two years prior to crossing this asset threshold). All of the rules for banks crossing $500 million in assets apply, with the following additions and modifications:
If your bank has more than $1 billion in assets, you are required to have a separate audit committee, and all members of the committee must be outside directors who are independent of management. Your institution should work to identify potential independent audit committee members so that only independent members sit on the committee. This may require removing current members.
Management must provide an assessment of the effectiveness of your bank’s internal control structure and procedures, which include:
- A statement identifying the internal control framework used by management to evaluate the effectiveness of your institution’s ICOFR.
- A statement that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions, including identification of regulatory reporting instructions.
- A statement expressing management's conclusion as to whether your bank’s ICOFR is effective as of the end of its fiscal year. Your management must disclose all material weaknesses in your ICOFR, if any, that have not been remediated prior to the insured depository institution's fiscal year-end.
As a part of the financial statement audit, your management is required to issue an attestation, and your financial statement auditors are required to issue an opinion on the effectiveness of your bank’s ICOFR, which is also provided to the appropriate federal banking agency. In order to issue these reports, significant modifications will most likely need to be made in how internal controls are documented and tested.
Implementation plan for ICOFR when crossing $1 billion in assets
Your first step when preparing for these new requirements is to develop an overall ICOFR methodology. This document promotes a shared understanding of the process throughout your bank, and your auditors can review it early to confirm they concur with the approach. Items to include are the internal control framework adopted, specific guidelines for testing and reporting, and the treatment of information technology.
Abiding by an internal control framework
When providing the FDICIA-required written assessment of your internal controls’ effectiveness, include a statement identifying the internal control framework used by management to evaluate your ICOFR’s effectiveness. This framework must be a suitable, recognized control framework established by a body of experts that followed due-process procedures, and it must be widely available to users of management’s report. The most widely used framework is Internal Control – Integrated Framework, sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which includes 17 principles supporting five components.
For internal control to be effective, the framework requires that each of the five components and the 17 relevant principles be present and functioning, and that the five components operate together in an integrated manner. Management is responsible for evaluating and documenting whether the internal controls related to the relevant principles and components are present and functioning. How this is demonstrated varies with the size and complexity of the institution, but it usually involves incorporating the principles and components into a formal methodology document, testing certain entity-level controls, and mapping existing key controls to the principles.
ICOFR testing and reporting
The attestation and opinion on ICOFR usually pose the biggest challenge for banks, largely because of the extent of personnel, time, documentation, and potential cost involved. Timely communication and planning can help your institution avoid the difficulties commonly encountered in the year of implementation. The following areas deserve particular attention.
Management should determine if there is a clear methodology for risk assessment, sample sizes, frequency of testing, responsibility of testing, documentation, evaluation of control deficiencies, remediation, reporting, and communication with governance and the external audit firm. This methodology should be documented clearly and agreed upon annually with any outsourced parties and your external audit firm.
While it is natural to assume your existing internal audit function is already FDICIA-compliant, that may not be true. An enterprise risk assessment should be completed or updated annually to identify the significant lines of business and support functions within your bank. From there, evaluate time and resources to determine whether independent individuals within your institution, or your consultants, have sufficient skills, training, and budget to test and report on FDICIA controls.
While internal audit should spend time evaluating operational efficiency and controls, the FDICIA requirement focuses on ICOFR. FDICIA compliance is therefore a component, albeit a significant one, of the overall risk management function.
Key controls are those that, if they fail, could lead to a material misstatement in your financial statements or regulatory reports. Escheatment of unclaimed cashiers’ checks, for example, may be a necessary operational process, but a failure of the control over it is unlikely to cause a material misstatement. New loan boarding, review of management estimates, wire transfers, and reconciliation of the main correspondent bank account, on the other hand, are areas much more likely to have controls designed to prevent, detect, or correct potential material misstatements.
Attention should be given to both the design and the operating effectiveness of key controls. In many instances, seeing the reviewer’s initials on a reconciliation is not sufficient to conclude that the control is designed and operating effectively. It may be necessary to verify the completeness and accuracy of the underlying data, to inquire of or observe the control operator, and to re-perform the steps within the control before concluding that it can be relied upon.
Your bank may understandably get lost in documenting its processes and, if not careful, spend time and resources on operational processes instead of ICOFR. When documenting, take care that each control is precisely defined, including who performs it, how often, and what is compared or verified.
Not sufficient: “Operations prints and emails Eric a report for his review.”
Sufficient: “Daily, Eric compares report X to the listing Y provided to him by operations and determines if the report totals agree.”
Watch for instances in which the internal audit function (or outsourced internal audit) is actually the control operator. If the function performs reconciliations, reviews maintenance changes, takes responsibility for employee deposit review, and so on, then it is the control rather than an independent tester of it. An institution cannot attest on its own work, so such controls must be tested by someone independent of the function that operates them.
We recommend management begin testing early to allow for inevitable control deficiencies. When detected in a timely manner, management can identify the root cause, evaluate the deficiency, correct the underlying control environment, and still have sufficient time during the year to determine if the control then operates effectively. If your bank waits until near the end of the year to perform testing, any control deficiencies noted may have to be reported because management no longer has enough instances of the control to remediate and test to conclude otherwise.
Many internal audit functions have existing internal audit plans that test controls on a rolling basis during the year. For example, your wire transfer audit might be done each year as of June 30, based on the previous 12 months’ wire activity. However, the ICOFR attestation and opinion are as of the end of the institution’s fiscal year. Therefore, if a key control has not been tested since June, there is generally not enough evidence to say the control is designed and operating effectively as of year-end.
While it is acceptable to test during the year, we recommend testing a portion of your sample size as of or near year-end. In addition, any samples selected that came from a prior year’s annual reporting period do not provide evidence of control design and operation for the current year’s attestation and opinion.
While your bank’s controls may be designed properly, there may not be sufficient documentation to show that they operate effectively. For example, a control operator might only review reports online, and those reports may not be retained or may be overwritten by the system. It takes practice and planning to gather and retain evidence of the control’s operation and the underlying information, and to leave a documentation trail of the review and what it entailed.
The internal audit function that later tests the control must also retain evidence of its testing. This step is pivotal, as the external auditor must re-perform a sample of the internal auditor’s work, which generally hinges on that documentation existing. Because the external auditor may select another instance of the control’s operation (one the internal auditor did not test), the original documentation must exist as well. It often takes more than a year for all parties to get a handle on how to document and retain control information, and in the first few years of implementation we typically see many internal control deficiencies caused by the absence of documentation.
ICOFR reporting does not need to be extensive or cumbersome, but it does need to be timely and accurate, and it must indicate a remediation plan where necessary. Present this information quarterly to management and governance, and to the external auditor periodically, so that all parties can agree on the evaluation of each deficiency, its impact on the remainder of the year’s testing, and any necessary remediation. A lack of timely reporting increases the likelihood that the external auditor reports a significant deficiency or material weakness that might otherwise have been avoided.
Testing information technology controls
Institutions crossing either asset threshold should also evaluate and test key information technology (IT) controls, especially those that relate to or affect the financial reporting process. Give consideration to core processors, investment safekeeping, payroll processing, and accounting systems. Many institutions review their IT general controls annually to gain an overall impression of their systems. That review is important, but satisfying management’s attestation and the external auditor’s opinion may require more extensive testing of certain key elements, including but not limited to system access, key input and output controls, and the user controls that your service organizations require your institution to operate.
Begin your annual ICOFR process
Following strong practices in the year leading up to implementation can make crossing these significant asset thresholds less cumbersome. As you near this transitional phase for your bank, take time to make sure your team is adequately preparing for next steps.
How we can help
As your bank grows larger and approaches these asset thresholds, there are steps you can start today to help ease your audit committee, management team, and staff into this transition. CLA's bank professionals can help you through all stages of growth and provide financial statement audits and FDICIA control testing and consulting.