First person perspective of someone looking at a compass in their hand standing near an arrow marking on pavement

In October 2020, the Federal Deposit Insurance Corporation (FDIC) announced temporary relief from the Part 363 Audit and Reporting requirements with an Interim Final Rule. This rule allowed financial institutions that experienced significant but likely short-term asset growth (e.g., from Payroll Protection Program loans) a temporary freeze on implementing certain internal control requirements specified by the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), upon reaching either the $500 million or $1 billion asset thresholds, until Jan. 1, 2022. Many financial institutions that benefited from this temporary freeze still have inflated balance sheets from the government relief programs and will be required to implement these FDICIA regulations in their 2022 reporting to the banking regulators.

Crossing the $500 million threshold requires more stringent auditor independence standards, including prohibiting auditor preparation of financial statements and the formation of an audit committee. Management must also include statements attesting to their responsibilities related to preparing the institution's annual report and an assessment of the financial institution's compliance with safety and soundness laws and regulations during the fiscal year.

FDICIA requirements upon crossing the $1 billion threshold are even more involved. These requirements are: 1) the audit committee must be composed entirely of independent outside directors, 2) in addition to the reporting requirements at the $500 million threshold, management must provide an assessment of the financial institution's effectiveness of internal control structures and procedures, and 3) the financial institution's financial statement auditors are required to issue an opinion on the effectiveness of the financial institution's internal controls over financial reporting (ICFR). Preparing for the auditor's opinion on internal controls can be a daunting task for management. There is a great deal of documentation needed, including compiling a comprehensive inventory of internal controls and an assessment of the overall control environment. All of that takes time — lots of time.

Preparing for Your ICFR Audit
1. Identifying and Documenting the Key Processes

Whether beginning with your financial institution's existing documentation or creating it from scratch, you will need to thoroughly document the processes used to initiate, approve, process and record transactions. This will start with examining the financial institution's established policies and procedures and identifying key controls that verify transactions are properly approved and recorded. This effort should include process owners' perspectives on risk within the financial institution along with considering any issues noted from regulatory examiners or external auditors to fully document the control environment.

2. Key Controls

Management, possibly in combination with internal audit, will identify an inventory of significant key controls applicable to the financial reporting function. It is important to take a risk-based approach to identify these key controls as well as a top-down approach, focusing on broader detect controls in addition to critical transactional prevent controls. Several of these higher-level controls will undoubtedly be management review controls, which require significant knowledge and judgment to be completed, and are typically in the higher-risk areas of the financial institution.

Management review controls in particular draw significant regulatory scrutiny; thus, they require robust documentation of the procedures performed and the decision-making process of the individuals performing the controls. Management will need to thoroughly document and define the considerations, criteria and thresholds in a management review control identified as a key control.

In addition, it is important for management to document how they evaluated the completeness of the controls addressing the financial statement assertions. Equally important is how management ensures that any system-generated report used to perform a given control is itself complete and accurate.

Management will need to prepare a summary matrix of all key internal controls which will include all key controls, control owners, financial statement assertions addressed, description of controls and frequency of performing controls. Process owners will need to be responsible for the successful completion of these controls and ensuring the listing is accurate for any changes in controls or processes.

The listing of significant key controls should be reviewed with both external and internal auditors for completeness of the population and precision of the review. In the year of implementation, the level of focus on the documentation involved typically exposes necessary enhancements in the current procedures being performed by management.

3. Internal Audit

From the control matrix, your internal auditors will perform a walkthrough of the control processes to help ensure that control procedures are actually being performed as documented and to assist in developing test plans for each key control, including determining sample sizes, completeness and accuracy of the populations and any reliance on information technology processes or reports. These test plans will be used to evaluate and conclude upon the design and operating effectiveness of the controls during the period.

Internal audit will usually perform tests over internal controls early in the first half of the year to verify they are operating effectively and allow time to remediate any deficiencies noted. A second, and possibly third, round of testing will be scheduled later in the year to test additional controls for the remainder of the period (the roll-forward period) or test remediated deficiencies.

Remediation is the process of changing the design of a control or addressing its operation so that the control is functioning as intended. The first-year internal audit will likely identify internal controls that are either inappropriately designed or not operating effectively. The financial institution's internal auditor will create an action plan to address these deficiencies as they are identified and will work with financial institution management to develop a timeline for correction.

4. External Auditors

In order to issue an opinion on the financial institution's ICFR, the external auditors will test the controls management has identified as key to the financial reporting process. They may rely on some of the testing performed by internal audit in lower-risk areas but generally will perform their own independent testing of the more significant or judgmental internal controls to support their opinion. It is important to include your external auditors early in the process of identifying key controls to avoid surprises, such as incorrect assumptions about controls they were expecting to see at the end of the year. Coordination between external audit and internal audit regarding internal audit's sample size and timing of interim work is critical to facilitate the external auditor's ability to leverage that work. Any deficiencies noted and not remediated during the year may result in deficiencies noted in their audit opinion depending on the severity. 

The steps outlined above provide a comprehensive overview of the time, resources and communication needed for your financial institution's implementation of the required internal control audit under FDICIA. 

How Can DHG Help

DHG's experienced financial services industry audit professionals and resources are available to supplement your organization and help reduce the burden on your current teams. If your financial institution is also preparing for the adoption of the current expected credit loss (CECL) loan allowance model, together, these scenarios may strain resources and challenge your ability to meet reporting deadlines.

Our teams are experienced in considering FDICIA requirements and performing internal control documentation, testing and remediation through our vast experience in serving our internal audit and external audit clients and can provide the knowledge and experience needed to assist in completing your implementation. Our goal when providing FDICIA services is to exceed our clients' expectations.

Related FORsights

Let's Connect

Subscribe to our content or get in touch with us today

Subscribe Contact Us