[Federal Register Volume 64, Number 204 (Friday, October 22, 1999)] [Notices] [Pages 57094-57100] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 99-27588] ======================================================================= ----------------------------------------------------------------------- FEDERAL DEPOSIT INSURANCE CORPORATION Rescission of Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks, and Adoption of the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations AGENCY: Federal Deposit Insurance Corporation (FDIC or Corporation). ACTION: Rescission of a Policy Statement and Adoption of an Interagency Policy Statement. ----------------------------------------------------------------------- SUMMARY: In an effort to provide consistent guidance for banks and savings associations regardless of their primary federal supervisor, the FDIC is rescinding its Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks (Current Policy Statement) and concurrently adopting the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (Interagency Policy Statement). Both policy statements encourage institutions to adopt an annual external auditing program, preferably an audit by an independent public accountant, and to establish an audit committee composed entirely of outside directors, where practicable. In addition, the Interagency Policy Statement includes two alternatives to an audit by an independent public accountant for institutions not subject to the audit requirement in section 36 of the Federal Deposit Insurance Act (FDI Act). The alternatives consist of (1) An attestation report on internal control over specified schedules of the institution's regulatory reports or (2) A report on the institution's balance sheet. Both must be performed by an independent public accountant. The Interagency Policy Statement also includes guidance regarding the responsibilities of boards of directors, audit committees, and senior management with respect to external auditing programs; the attributes and types of external auditing programs; and the review of external auditing programs by examiners. DATES: The Current Policy Statement is rescinded and the Interagency Policy Statement is effective for fiscal years beginning on or after January 1, 2000. FOR FURTHER INFORMATION CONTACT: Doris L. Marsh, Examination Specialist, Division of Supervision, (202) 898-8905, or A. Ann Johnson, Counsel, Legal Division, (202) 898-3573, FDIC, 550 17th Street, NW, Washington, DC 20429. SUPPLEMENTARY INFORMATION: I. Background The FDIC first adopted guidance on external auditing programs in its Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks in 1988 (53 FR 47871, November 28, 1988). In 1996, the FDIC reviewed the Current Policy Statement pursuant to section 303(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 and adopted several amendments to eliminate inconsistencies and outdated requirements (61 FR 32438, June 24, 1996). The Federal Financial Institutions Examination Council (FFIEC), on behalf of the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), collectively referred to as the ``banking agencies'' or the ``agencies,'' have each provided guidance on external audits to their supervised institutions, but a uniform policy did not exist. Under the auspices of the FFIEC, the agencies sought public comment on a proposed policy statement on External Auditing Programs of Banks and Savings Associations in February 1998 (63 FR 7796, February 17, 1998). The FFIEC received approximately 120 letters commenting on the proposed policy statement, and it revised the policy statement after considering the comments. On August 19, 1999, the FFIEC approved the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (Policy Statement) (64 FR 52319, September 28, 1999) and recommended that the banking agencies adopt it.1 --------------------------------------------------------------------------- \1\ The National Credit Union Administration (NCUA), also a member of the FFIEC, is not adopting the policy. --------------------------------------------------------------------------- II. Rescission of the Current Policy Statement and Adoption of the Interagency Policy Statement In order to minimize burden on institutions and holding companies and in the spirit of section 303 of the Riegle Community Development and Regulatory Improvement Act of 1994, the banking agencies seek to provide consistent and uniform guidance for supervised institutions. The banking agencies believe that an independent external audit provides reasonable assurance that an institution's financial statements are prepared in accordance with generally accepted accounting principles (GAAP). Accordingly, the banking agencies recommend that every institution have an external auditing program. To provide explicit guidance to institutions regarding these programs, the FFIEC approved a uniform Interagency Policy Statement on August 19, 1999. The FFIEC recommended to the banking agencies that they individually adopt the policy. Thus, the FDIC must replace its Current Policy Statement with the Interagency Policy Statement in order to achieve uniformity in this area. III. Comparison of the Current and Interagency Policy Statements For the most part, both the Current Policy Statement and the Interagency Policy Statement provide similar guidance. Both encourage each institution to have an annual audit of its financial statements performed by an independent public accountant. The Interagency Policy Statement also describes two alternatives to an audit that an institution may elect to have performed annually in order to have an acceptable external auditing program. These alternatives, which must be performed by an independent public accountant, are an attestation on internal control over financial reporting on certain schedules of the Reports of Condition and Income (Call Report) and an audit of the institution's balance sheet. The Interagency Policy Statement further indicates that for a smaller institution with less complex operations, the attestation on internal control may be less costly than an audit of its financial statements or its balance sheet and provide more useful information to management. Neither policy precludes the use of agreed- upon procedures/state-required examinations as an external auditing program. Both policy statements include sections discussing their applicability to institutions that are part of a holding company, newly chartered institutions, and institutions presenting supervisory concern. In addition, both policies recommend that each institution have an audit committee consisting entirely of outside directors, unless impracticable. Banks and savings associations (institutions) with $500 million or more in total assets must have an annual audit performed by an independent public accountant under section 36 of [[Page 57095]] the Federal Deposit Insurance Act (FDI Act), as implemented by 12 CFR part 363. Thus, both policy statements are directed toward institutions below that threshold that are not otherwise subject to audit requirements. The two policies differ in the extent of guidance provided rather than the content of the guidance. Accordingly, the Interagency Policy Statement includes some guidance regarding independent external auditing programs that is lacking in the Current Policy Statement. For example, it discusses the responsibilities of boards of directors, audit committees, and senior management in more detail than the Current Policy Statement. It also describes the attributes and types of external auditing programs available and includes a short description of each. Guidance on what examiners will be evaluating in their review of external auditing programs is also included in the Interagency Policy Statement. This policy statement also recommends that examiners have access to the auditor's workpapers concerning the auditing engagement. The following table shows the number and section title of each of the paragraphs in the Current Policy Statement and the section title of the corresponding provision in the Interagency Policy Statement: Paragraph Conversion Table ------------------------------------------------------------------------ Current policy Interagency policy Current policy statement: section statement: section paragaraph No. title title ------------------------------------------------------------------------ 1-3..................... Introduction.......... Introduction. 4....................... State Nonmember Banks Introduction. Not Subject to Part 363. 5....................... ...................... Overview of the External Auditing Program Audit Committee. 6....................... ...................... Examiner Guidance Review of the External Auditing Program. 7....................... Audit by an External Auditing Independent Public Programs Types of Accountant. External Auditing Programs. 8....................... ...................... External Auditing Programs Other Considerations--Timin g. 9-10.................... Alternatives to a External Auditing Financial Statement Programs External Audit. Auditing Programs. 11...................... Newly Insured Banks... Special Situations Newly Insured Institutions. 12-13................... Notification and Examiner Guidance Submission of Reports. Access to Reports. 14...................... Holding Company Special Situations Subsidiaries. Holding Company Subsidiaries. 15...................... Troubled Banks........ Special Situations Institutions Presenting Supervisory Concerns. Appendix A.............. Definitions........... Appendix A-- Definitions. ------------------------------------------------------------------------ The Interagency Policy Statement instructs institutions to provide copies of reports pertaining to the external auditing program, including any management letters, to the agencies and any state authority in accordance with their appropriate supervisory office's guidance. The FDIC requests that each state nonmember bank furnish a copy of any reports by the independent public accountant pertaining to the bank's external auditing program (regardless of the scope) to the appropriate FDIC regional office as soon as possible after the report is received by the bank. In addition, the FDIC requests each bank to promptly notify the appropriate FDIC regional office when any independent public accountant is initially engaged to perform external auditing work and when a change in, or termination of, its independent public accountant occurs. IV. Paperwork Reduction Act In accordance with the Paperwork Reduction Act of 1995 (PRA), the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection that does not display a currently valid Office of Management and Budget (OMB) control number. The FDIC submitted to OMB a request for approval of the information collection requested by this policy statement (64 FR 55926, October 15, 1999). V. Rescission and Adoption of Policy Statements For the reasons set forth in the preamble, the Board of Directors of the FDIC hereby rescinds the FDIC's Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks and adopts the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations. The text of the Interagency Policy Statement follows: Interagency Policy Statement On External Auditing Programs of Banks and Savings Associations Introduction The board of directors and senior managers of a banking institution or savings association (institution) are responsible for ensuring that the institution operates in a safe and sound manner. To achieve this goal and meet the safety and soundness guidelines implementing section 39 of the Federal Deposit Insurance Act (FDI Act) (12 U.S.C. 1831p- 1),1 the institution should maintain effective systems and internal control 2 to produce reliable and accurate financial reports. --------------------------------------------------------------------------- \1\ See 12 CFR part 30 for national banks; 12 CFR part 364 for state nonmember banks; 12 CFR part 208 for state member banks; and 12 CFR part 510 for savings associations. \2\ This Policy Statement provides guidance consistent with the guidance established in the ``Interagency Policy Statement on the Internal Audit Function and its Outsourcing.'' --------------------------------------------------------------------------- Accurate financial reporting is essential to an institution's safety and soundness for numerous reasons. First, accurate financial information enables management to effectively manage the institution's risks and make sound business decisions. In addition, institutions are required by law 3 to provide accurate and timely financial reports (e.g., Reports of Condition and Income [Call Reports] and Thrift Financial Reports) to their appropriate regulatory agency. These reports serve an important role in the agencies' 4 risk- focused supervision programs by contributing to their pre-examination planning, off-site monitoring programs, and assessments of an institution's capital adequacy and financial strength. Further, reliable financial reports are necessary for the institution to raise capital. They provide data to stockholders, depositors and other [[Page 57096]] funds providers, borrowers, and potential investors on the company's financial position and results of operations. Such information is critical to effective market discipline of the institution. --------------------------------------------------------------------------- \3\ See 12 U.S.C. 161 for national banks; 12 U.S.C. 1817a for state nonmember banks; 12 U.S.C. 324 for state member banks; and 12 U.S.C. 1464(v) for savings associations. \4\ Terms defined in appendix A are italicized the first time they appear in this policy statement. --------------------------------------------------------------------------- To help ensure accurate and reliable financial reporting, the agencies recommend that the board of directors of each institution establish and maintain an external auditing program. An external auditing program should be an important component of an institution's overall risk management process. For example, an external auditing program complements the internal auditing function of an institution by providing management and the board of directors with an independent and objective view of the reliability of the institution's financial statements and the adequacy of its financial reporting internal controls. Additionally, an effective external auditing program contributes to the efficiency of the agencies' risk-focused examination process. By considering the significant risk areas of an institution, an effective external auditing program may reduce the examination time the agencies spend in such areas. Moreover, it can improve the safety and soundness of an institution substantially and lessen the risk the institution poses to the insurance funds administered by the FDIC. This policy statement outlines the characteristics of an effective external auditing program and provides examples of how an institution can use an external auditor to help ensure the reliability of its financial reports. It also provides guidance on how an examiner may assess an institution's external auditing program. In addition, this policy statement provides specific guidance on external auditing programs for institutions that are holding company subsidiaries, newly insured institutions, and institutions presenting supervisory concerns. The adoption of a financial statement audit or other specified type of external auditing program is generally only required in specific circumstances. For example, insured depository institutions covered by section 36 of the FDI Act (12 U.S.C. 1831m), as implemented by part 363 of the FDIC's regulations (12 CFR part 363), are required to have an external audit and an audit committee. Therefore, this policy statement is directed toward banks and savings associations which are exempt from part 363 (i.e., institutions with less than $500 million in total assets at the beginning of their fiscal year) or are not otherwise subject to audit requirements by order, agreement, statute, or agency regulations. Overview of External Auditing Programs Responsibilities of the Board of Directors The board of directors of an institution is responsible for determining how to best obtain reasonable assurance that the institution's financial statements and regulatory reports are reliably prepared. In this regard, the board is also responsible for ensuring that its external auditing program is appropriate for the institution and adequately addresses the financial reporting aspects of the significant risk areas and any other areas of concern of the institution's business. To help ensure the adequacy of its internal and external auditing programs, the agencies encourage the board of directors of each institution that is not otherwise required to do so to establish an audit committee consisting entirely of outside directors.5 However, if this is impracticable, the board should organize the audit committee so that outside directors constitute a majority of the membership. --------------------------------------------------------------------------- \5\ Institutions with $500 million or more in total assets must establish an independent audit committee made up of outside directors who are independent of management. See 12 U.S.C. 1831m(g)(1) and 12 CFR 363.5. --------------------------------------------------------------------------- Audit Committee The audit committee or board of directors is responsible for identifying at least annually the risk areas of the institution's activities and assessing the extent of external auditing involvement needed over each area. The audit committee or board is then responsible for determining what type of external auditing program will best meet the institution's needs (refer to the descriptions under ``Types of External Auditing Programs''). When evaluating the institution's external auditing needs, the board or audit committee should consider the size of the institution and the nature, scope, and complexity of its operations. It should also consider the potential benefits of an audit of the institution's financial statements or an examination of the institution's internal control structure over financial reporting, or both. In addition, the board or audit committee may determine that additional or specific external auditing procedures are warranted for a particular year or several years to cover areas of particularly high risk or special concern. The reasons supporting these decisions should be recorded in the committee's or board's minutes. If, in its annual consideration of the institution's external auditing program, the board or audit committee determines, after considering its inherent limitations, that an agreed-upon procedures/ state-required examination is sufficient, they should also consider whether an independent public accountant should perform the work. When an independent public accountant performs auditing and attestation services, the accountant must conduct his or her work under, and may be held accountable for departures from, professional standards. Furthermore, when the external auditing program includes an audit of the financial statements, the board or audit committee obtains an opinion from the independent public accountant stating whether the financial statements are presented fairly, in all material respects, in accordance with generally accepted accounting principles (GAAP). When the external auditing program includes an examination of the internal control structure over financial reporting, the board or audit committee obtains an opinion from the independent public accountant stating whether the financial reporting process is subject to any material weaknesses. Both the staff performing an internal audit function and the independent public accountant or other external auditor should have unrestricted access to the board or audit committee without the need for any prior management knowledge or approval. Other duties of an audit committee may include reviewing the independence of the external auditor annually, consulting with management, seeking an opinion on an accounting issue, and overseeing the quarterly regulatory reporting process. The audit committee should report its findings periodically to the full board of directors. External Auditing Programs Basic Attributes External auditing programs should provide the board of directors with information about the institution's financial reporting risk areas, e.g., the institution's internal control over financial reporting, the accuracy of its recording of transactions, and the completeness of its financial reports prepared in accordance with GAAP. The board or audit committee of each institution at least annually should review the risks inherent in its particular activities to determine the scope of its external auditing program. For most institutions, the lending and [[Page 57097]] investment securities activities present the most significant risks that affect financial reporting. Thus, external auditing programs should include specific procedures designed to test at least annually the risks associated with the loan and investment portfolios. This includes testing of internal control over financial reporting, such as management's process to determine the adequacy of the allowance for loan and lease losses and whether this process is based on a comprehensive, adequately documented, and consistently applied analysis of the institution's loan and lease portfolio. An institution or its subsidiaries may have other significant financial reporting risk areas such as material real estate investments, insurance underwriting or sales activities, securities broker-dealer or similar activities (including securities underwriting and investment advisory services), loan servicing activities, or fiduciary activities. The external auditing program should address these and other activities the board or audit committee determines present significant financial reporting risks to the institution. Types of External Auditing Programs The agencies consider an annual audit of an institution's financial statements performed by an independent public accountant to be the preferred type of external auditing program. The agencies also consider an annual examination of the effectiveness of the internal control structure over financial reporting or an audit of an institution's balance sheet, both performed by an independent public accountant, to be acceptable alternative external auditing programs. However, the agencies recognize that some institutions only have agreed-upon procedures/state-required examinations performed annually as their external auditing program. Regardless of the option chosen, the board or audit committee should agree in advance with the external auditor on the objectives and scope of the external auditing program. Financial Statement Audit by an Independent Public Accountant. The agencies encourage all institutions to have an external audit performed in accordance with generally accepted auditing standards (GAAS). The audit's scope should be sufficient to enable the auditor to express an opinion on the institution's financial statements taken as a whole. A financial statement audit provides assurance about the fair presentation of an institution's financial statements. In addition, an audit may provide recommendations for management in carrying out its control responsibilities. For example, an audit may provide management with guidance on establishing or improving accounting and operating policies and recommendations on internal control (including internal auditing programs) necessary to ensure the fair presentation of the financial statements. Reporting by an Independent Public Accountant on an Institution's Internal Control Structure Over Financial Reporting. Another external auditing program is an independent public accountant's examination and report on management's assertion on the effectiveness of the institution's internal control over financial reporting. For a smaller institution with less complex operations, this type of engagement is likely to be less costly than an audit of its financial statements or its balance sheet. It would specifically provide recommendations for improving internal control, including suggestions for compensating controls, to mitigate the risks due to staffing and resource limitations. Such an attestation engagement may be performed for all internal controls relating to the preparation of annual financial statements or specified schedules of the institution's regulatory reports.6 This type of engagement is performed under generally accepted standards for attestation engagements (GASAE).7 \6\ Since the lending and investment securities activities generally present the most significant risks that affect an institution's financial reporting, management's assertion and the accountant's attestation generally should cover those regulatory report schedules. If the institution has trading or off-balance sheet activities that present material financial reporting risks, the board or audit committee should ensure that the regulatory report schedules for those activities also are covered by management's assertion and the accountant's attestation. (See Note.) However, the schedules listed in the Note are not intended to address all possible risks in an institution. \7\ An attestation engagement is not an audit. It is performed under different professional standards than an audit of an institution's financial statements or its balance sheet. --------------------------------------------------------------------------- Note: For banks and savings associations, the lending, investment securities, trading, and off-balance sheet schedules consist of: ---------------------------------------------------------------------------------------------------------------- Reports of condition and income Area schedules schedules Thrift financial report ---------------------------------------------------------------------------------------------------------------- Loans and Lease Financing Receivables......... RC-C, Part I................... SC, CF. Past Due and Nonaccrual Loans, Leases, and RC-N........................... PD. Other Assets. Allowance for Credit Losses................... RI-B........................... SC, VA. Securities.................................... RC-B........................... SC, SI, CF. Trading Assets and Liabilities................ RC-D........................... SO, SI. Off-Balance Sheet Items....................... RC-L........................... SI, CMR. ---------------------------------------------------------------------------------------------------------------- Balance Sheet Audit Performed by an Independent Public Accountant. With this program, the institution engages an independent public accountant to examine and report only on the balance sheet. As with the audit of the financial statements, this audit is performed in accordance with GAAS. The cost of a balance sheet audit is likely to be less than a financial statement audit. However, under this type of program, the accountant does not examine or report on the fairness of the presentation of the institution's income statement, statement of changes in equity capital, or statement of cash flows. Agreed-Upon Procedures/State-Required Examinations. Some state- chartered depository institutions are required by state statute or regulation to have specified procedures performed annually by their directors or independent persons.8 The bylaws of many national banks also require that some specified procedures be performed annually by directors or others, including internal or independent persons. Depending upon the scope of the engagement, the cost of agreed-upon procedures or a state-required examination may be less than the cost of an audit. However, under this type of program, the independent auditor does [[Page 57098]] not report on the fairness of the institution's financial statements or attest to the effectiveness of the internal control structure over financial reporting. The findings or results of the procedures are usually presented to the board or the audit committee so that they may draw their own conclusions about the quality of the financial reporting or the sufficiency of internal control. --------------------------------------------------------------------------- \8\ When performed by an independent public accountant, ``specified procedures'' and ``agreed-upon procedures'' engagements are performed under standards, which are different professional standards than those used for an audit of an institution's financial statements or its balance sheet. --------------------------------------------------------------------------- When choosing this type of external auditing program, the board or audit committee is responsible for determining whether these procedures meet the external auditing needs of the institution, considering its size and the nature, scope, and complexity of its business activities. For example, if an institution's external auditing program consists solely of confirmations of deposits and loans, the board or committee should consider expanding the scope of the auditing work performed to include additional procedures to test the institution's high risk areas. Moreover, a financial statement audit, an examination of the effectiveness of the internal control structure over financial reporting, and a balance sheet audit may be accepted in some states and for national banks in lieu of agreed-upon procedures/state-required examinations. Other Considerations Timing. The preferable time to schedule the performance of an external auditing program is as of an institution's fiscal year-end. However, a quarter-end date that coincides with a regulatory report date provides similar benefits. Such an approach allows the institution to incorporate the results of the external auditing program into its regulatory reporting process and, if appropriate, amend the regulatory reports. External Auditing Staff. The agencies encourage an institution to engage an independent public accountant to perform its external auditing program. An independent public accountant provides a nationally recognized standard of knowledge and objectivity by performing engagements under GAAS or GASAE. The firm or independent person selected to conduct an external auditing program and the staff carrying out the work should have experience with financial institution accounting and auditing or similar expertise and should be knowledgeable about relevant laws and regulations. Special Situations Holding Company Subsidiaries When an institution is owned by another entity (such as a holding company), it may be appropriate to address the scope of its external audit program in terms of the institution's relationship to the consolidated group. In such cases, if the group's consolidated financial statements for the same year are audited, the agencies generally would not expect the subsidiary of a holding company to obtain a separate audit of its financial statements. Nevertheless, the board of directors or audit committee of the subsidiary may determine that its activities involve significant risks to the subsidiary that are not within the procedural scope of the audit of the financial statements of the consolidated entity. For example, the risks arising from the subsidiary's activities may be immaterial to the financial statements of the consolidated entity, but material to the subsidiary. Under such circumstances, the audit committee or board of the subsidiary should consider strengthening the internal audit coverage of those activities or implementing an appropriate alternative external auditing program. Newly Insured Institutions Under the FDIC Statement of Policy on Applications for Deposit Insurance, applicants for deposit insurance coverage are expected to commit the depository institution to obtain annual audits by an independent public accountant once it begins operations as an insured institution and for a limited period thereafter. Institutions Presenting Supervisory Concerns As previously noted, an external auditing program complements the agencies' supervisory process and the institution's internal auditing program by identifying or further clarifying issues of potential concern or exposure. An external auditing program also can greatly assist management in taking corrective action, particularly when weaknesses are detected in internal control or management information systems affecting financial reporting. The agencies may require a financial institution presenting safety and soundness concerns to engage an independent public accountant or other independent external auditor to perform external auditing services.9 Supervisory concerns may include: --------------------------------------------------------------------------- \9\ The Office of Thrift Supervision requires an external audit by an independent public accountant for savings associations with a composite rating of 3, 4, or 5 under the Uniform Financial Institution Rating System, and on a case-by-case basis. ---------------------------------------------------------------------------Inadequate internal control, including the internal auditing program; A board of directors generally uninformed about internal control; Evidence of insider abuse; Known or suspected defalcations; Known or suspected criminal activity; Probable director liability for losses; The need for direct verification of loans or deposits; Questionable transactions with affiliates; or The need for improvements in the external auditing program. The agencies may also require that the institution provide its appropriate supervisory office with a copy of any reports, including management letters, issued by the independent public accountant or other external auditor. They also may require the institution to notify the supervisory office prior to any meeting with the independent public accountant or other external auditor at which auditing findings are to be presented. Examiner Guidance Review of the External Auditing Program The review of an institution's external auditing program is a normal part of the agencies' examination procedures. An examiner's evaluation of, and any recommendations for improvements in, an institution's external auditing program will consider the institution's size; the nature, scope, and complexity of its business activities; its risk profile; any actions taken or planned by it to minimize or eliminate identified weaknesses; the extent of its internal audit program; and any compensating controls in place. Examiners will exercise judgment and discretion in evaluating the adequacy of an institution's external auditing program. Specifically, examiners will consider the policies, processes, and personnel surrounding an institution's external auditing program in determining whether: The board of directors or its audit committee adequately reviews and approves external auditing program policies at least annually. The external auditing program is conducted by an independent public accountant or other independent auditor and is appropriate for the institution. The engagement letter covering external auditing activities is adequate. The report prepared by the auditor on the results of the external auditing program adequately explains the auditor's findings. The external auditor maintains appropriate independence regarding relationships with the institution under relevant professional standards. [[Page 57099]] The board of directors performs due diligence on the relevant experience and competence of the independent auditor and staff carrying out the work (whether or not an independent public accountant is engaged). The board or audit committee minutes reflect approval and monitoring of the external auditing program and schedule, including board or committee reviews of audit reports with management and timely action on audit findings and recommendations. Access to Reports Management should provide the independent public accountant or other auditor with access to all examination reports and written communication between the institution and the agencies or state bank supervisor since the last external auditing activity. Management also should provide the accountant with access to any supervisory memoranda of understanding, written agreements, administrative orders, reports of action initiated or taken by a federal or state banking agency under section 8 of the FDI Act (or a similar state law), and proposed or ordered assessments of civil money penalties against the institution or an institution-related party, as well as any associated correspondence. The auditor must maintain the confidentiality of examination reports and other confidential supervisory information. In addition, the independent public accountant or other auditor of an institution should agree in the engagement letter to grant examiners access to all the accountant's or auditor's workpapers and other material pertaining to the institution prepared in the course of performing the completed external auditing program. Institutions should provide reports 10 issued by the independent public accountant or other auditor pertaining to the external auditing program, including any management letters, to the agencies and any state authority in accordance with their appropriate supervisory office's guidance.11 Significant developments regarding the external auditing program should be communicated promptly to the appropriate supervisory office. Examples of those developments include the hiring of an independent public accountant or other third party to perform external auditing work and a change in, or termination of, an independent public accountant or other external auditor. --------------------------------------------------------------------------- \10\ The institution's engagement letter is not a ``report'' and is not expected to be submitted to the appropriate supervisory office unless specifically requested by that office. \11\ When an institution's financial information is included in the audited consolidated financial statements of its parent company, the institution should provide a copy of the audited financial statements of the consolidated company and any other reports by the independent public accountant in accordance with their appropriate supervisory office's guidance. If several institutions are owned by one parent company, a single copy of the reports may be supplied in accordance with the guidance of the appropriate supervisory office of each agency supervising one or more of the affiliated institutions and the holding company. A transmittal letter should identify the institutions covered. Any notifications of changes in, or terminations of, a consolidated company's independent public accountant may be similarly supplied to the appropriate supervisory office of each supervising agency. --------------------------------------------------------------------------- Appendix A--Definitions Agencies. The agencies are the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). Appropriate supervisory office. The regional or district office of the institution's primary federal banking agency responsible for supervising the institution or, in the case of an institution that is part of a group of related insured institutions, the regional or district office of the institution's federal banking agency responsible for monitoring the group. If the institution is a subsidiary of a holding company, the term ``appropriate supervisory office'' also includes the federal banking agency responsible for supervising the holding company. In addition, if the institution is state-chartered, the term ``appropriate supervisory office'' includes the appropriate state bank or savings association regulatory authority. Audit. An examination of the financial statements, accounting records, and other supporting evidence of an institution performed by an independent certified or licensed public accountant in accordance with generally accepted auditing standards (GAAS) and of sufficient scope to enable the independent public accountant to express an opinion on the institution's financial statements as to their presentation in accordance with generally accepted accounting principles (GAAP). Audit committee. A committee of the board of directors whose members should, to the extent possible, be knowledgeable about accounting and auditing. The committee should be responsible for reviewing and approving the institution's internal and external auditing programs or recommending adoption of these programs to the full board. Balance sheet audit performed by an independent public accountant. An examination of an institution's balance sheet and any accompanying footnotes performed and reported on by an independent public accountant in accordance with GAAS and of sufficient scope to enable the independent public accountant to express an opinion on the fairness of the balance sheet presentation in accordance with GAAP. Engagement letter. A letter from an independent public accountant to the board of directors or audit committee of an institution that usually addresses the purpose and scope of the external auditing work to be performed, period of time to be covered by the auditing work, reports expected to be rendered, and any limitations placed on the scope of the auditing work. Examination of the internal control structure over financial reporting. See Reporting by an Independent Public Accountant on an Institution's Internal Control Structure Over Financial Reporting. External auditing program. The performance of procedures to test and evaluate high risk areas of an institution's business by an independent auditor, who may or may not be a public accountant, sufficient for the auditor to be able to express an opinion on the financial statements or to report on the results of the procedures performed. Financial statement audit by an independent public accountant. See Audit. Financial statements. The statements of financial position (balance sheet), income, cash flows, and changes in equity together with related notes. Independent public accountant. An accountant who is independent of the institution and registered or licensed to practice, and holds himself or herself out, as a public accountant, and who is in good standing under the laws of the state or other political subdivision of the United States in which the home office of the institution is located. The independent public accountant should comply with the American Institute of Certified Public Accountants' (AICPA) Code of Professional Conduct and any related guidance adopted by the Independence Standards Board and the agencies. No certified public accountant or public accountant will be recognized as independent who is not independent both in fact and in appearance. Internal auditing. An independent assessment function established within an institution to examine and evaluate its system of internal control and the efficiency with which the various units of the institution are carrying out their assigned tasks. The objective of internal auditing is to assist the management and directors of the institution in the effective discharge of their responsibilities. To this end, internal auditing furnishes management with analyses, evaluations, recommendations, counsel, and information concerning the activities reviewed. Outside directors. Members of an institution's board of directors who are not officers, employees, or principal stockholders of the institution, its subsidiaries, or its affiliates, and who do not have any material business dealings with the institution, its subsidiaries, or its affiliates. Regulatory reports. These reports are the Reports of Condition and Income (Call Reports) for banks, Thrift Financial Reports (TFRs) for savings associations, Federal Reserve (FR) Y reports for bank holding companies, and the H-(b)11 Annual Report for thrift holding companies. Reporting by an independent public accountant on an institution's internal control structure over financial reporting. [[Page 57100]] Under this engagement, management evaluates and documents its review of the effectiveness of the institution's internal control over financial reporting in the identified risk areas as of a specific report date. Management prepares a written assertion, which specifies the criteria on which management based its evaluation about the effectiveness of the institution's internal control over financial reporting in the identified risk areas and states management's opinion on the effectiveness of internal control over this specified financial reporting. The independent public accountant is engaged to perform tests on the internal control over the specified financial reporting in order to attest to management's assertion. If the accountant concurs with management's assertion, even if the assertion discloses one or more instances of material internal control weakness, the accountant would provide a report attesting to management's assertion. Risk areas. Those particular activities of an institution that expose it to greater potential losses if problems exist and go undetected. The areas with the highest financial reporting risk in most institutions generally are their lending and investment securities activities. Specified procedures. Procedures agreed-upon by the institution and the auditor to test its activities in certain areas. The auditor reports findings and test results, but does not express an opinion on controls or balances. If performed by an independent public accountant, these procedures should be performed under generally accepted standards for attestation engagements (GASAE). By order of the Board of Directors. Dated at Washington, DC this 15th day of October, 1999. Federal Deposit Insurance Corporation. Robert E. Feldman, Executive Secretary. [FR Doc. 99-27588 Filed 10-21-99; 8:45 am] BILLING CODE 6714-01-P