Federal Deposit Insurance Corporation
Office of Audits
Office of Inspector General
Washington, D.C. 20434

DATE: March 26, 2003

TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: FDIC Examiner Use of Work Performed by Independent Public Accountants (IPAs) (Audit Report No. 03-021)

This report presents the results of an Office of Inspector General (OIG) audit of the Federal Deposit Insurance Corporation's (FDIC) examiner use of work performed by Independent Public Accountants (IPAs) for financial institutions supervised by the FDIC’s Division of Supervision and Consumer Protection (DSC). (Note: The Federal Deposit Insurance Corporation’s mission is to maintain the stability of and public confidence in the nation's financial system. To achieve this goal, the FDIC was created in 1933 to insure deposits and promote safe and sound banking practices. The FDIC’s Division of Supervision and Consumer Protection, in conjunction with other federal and state regulatory agencies, examines financial institutions to ensure they are conducting business in compliance with consumer protection rules and in a way that minimizes risk to their customers and to the deposit insurance funds. There are five categories of examinations: Community Reinvestment Act, Compliance, Information Systems & E-banking, Safety & Soundness, and Trust.) The overall objective of this audit was to evaluate FDIC examiner use of the work performed by IPAs who are engaged by FDIC-supervised financial institutions. (Note: The FDIC supervises more than 5,500 FDIC-insured state-chartered banks that are not members of the Federal Reserve System, described as state non-member banks. This includes state-licensed insured branches of foreign banks and state-chartered mutual savings banks. As supervisor, the FDIC performs safety and soundness examinations of FDIC-supervised institutions to assess their overall financial condition, management practices and policies, and compliance with applicable laws and regulations. Through the examination process, the FDIC also assesses the adequacy of management and internal control systems to identify and control risks. Procedures normally performed in completing this assessment may disclose the presence of fraud or insider abuse.) In accomplishing this objective, we reviewed:

• examination policies and procedures for evaluating the work of IPAs;
  
  
• resolution of differences between regulators and IPAs on matters affecting the safety and soundness of an institution (Note: Generally, an unsafe or unsound practice is any action or lack of action that is contrary to generally accepted standards of prudent operation, the possible consequences of which, if continued, would be abnormal risk of loss or damage to an institution, its shareholders, or the agencies administrating the insurance funds.); and
  
  
• followup on IPA findings and recommendations.

Appendix I of this report discusses our objective, scope, and methodology in more detail.

As described in the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (Interagency Policy Statement), approved by the Federal Financial Institutions Examination Council on August 19, 1999, the boards of directors and senior managers of insured depository institutions are responsible for ensuring that an institution operates in a safe and sound manner. (Note: The term insured depository institution means any bank or savings association, the deposits of which are insured by the FDIC.) To achieve this goal and meet the safety and soundness guidelines implementing section 39 of the Federal Deposit Insurance Act (FDI Act), 12 U.S.C. 1831p-1, the institution should maintain effective systems and internal control to produce reliable and accurate financial reports.

Accurate financial reporting is essential to an institution’s safety and soundness for numerous reasons. First, accurate financial information enables management to effectively manage the institution’s risks and make sound business decisions. In addition, FDIC-supervised institutions are required by 12 U.S.C. 1817a to provide accurate and timely financial reports (e.g., Reports of Condition and Income, also called Call Reports and Thrift Financial Reports) to the FDIC. (Note: Call Reports from banks and Thrift Financial Reports from savings associations are sworn statements of financial condition that are submitted to the FDIC quarterly in accordance with federal regulatory requirements. They consist of a balance sheet, income statement, and other supplemental information and provide detailed analyses of balances and related activity.) These reports serve an important role in the agency's risk-focused supervision programs by contributing to examiners’ pre-examination planning, DSC’s off-site monitoring programs, and examiners’ assessments of an institution’s capital adequacy and financial strength. (Note: The risk-focused examination process attempts to assess an institution's risk by evaluating its processes to identify, measure, monitor, and control risk. The risk-focused examination process seeks to strike an appropriate balance between evaluating the condition of an institution at a certain point in time and evaluating the soundness of the institution's processes for managing risk. Bank supervisors use on-site and off-site surveillance to identify banks likely to fail. The most useful tool for identifying problem institutions is on-site examination, in which the examiners travel to a bank and review all aspects of its safety and soundness. On-site examination is, however, costly to supervisors because of its labor-intensive nature and burdensome to bankers because of the intrusion into day-to-day operations. As a result, supervisors also monitor a bank’s condition off-site. Off-site surveillance yields an ongoing picture of a bank’s condition, enabling supervisors to schedule and plan exams efficiently. Off-site surveillance also provides banks with incentives to maintain safety and soundness between on-site visits. The FDIC’s off-site monitoring systems (Statistical CAMELS Offsite Rating (SCOR), Real Estate Stress Test (REST), and Quarterly Lending Alert) are largely based on Call Report data. A financial institution is expected to maintain capital commensurate with the nature and extent of risks to the institution and the ability of management to identify, measure, monitor, and control these risks. Capital adequacy, as it relates to quarterly Call Reports, can be evaluated to a limited extent based on certain financial information that includes amounts used in calculations of an institution's various regulatory capital amounts.) Further, reliable financial reports are necessary for the institution to raise capital. They provide data to stockholders, depositors and other funds providers, borrowers, and potential investors on the company’s financial position and results of operations. Such information is critical to effective market discipline of the financial institution.

Section 112 of FDICIA and Section 36 of the FDI Act: The Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991 added Section 36 to the Federal Deposit Insurance Act (FDI Act), codified to 12 U.S.C. 1831m, and Part 363 of the FDIC Rules and Regulations, codified to 12 C.F.R. Part 363, implements Section 36 of the FDI Act. FDICIA contained accounting, corporate governance, and regulatory reforms designed to correct weaknesses in the deposit insurance system. Among other measures, the FDICIA’s early warning reforms provide for timely disclosure of internal control weaknesses. FDICIA also established audit and reporting requirements for insured depository institutions with total assets of $500 million or more and their independent public accountants. Section 36 of the FDI Act provides additional improvements in financial management reporting. Appendix III shows the reforms and key provisions of Section 36 of the Act.

Part 363 states that management of each financial institution covered by this regulation must:

• engage an independent public accountant;
• prepare annual financial statements in accordance with generally accepted accounting principles; and
• produce annual management reports.

These annual management reports, referred to as management’s report or management’s assertion, must contain a statement of management's responsibilities for preparing the financial statements, establishing and maintaining an internal control structure and procedures for financial reporting, and complying with laws and regulations relating to loans to insiders and dividend restrictions. The reports must also contain an evaluation by management of the effectiveness of the internal control structure and procedures for financial reporting, and an assessment of the institution's compliance with designated laws and regulations.

The independent public accountant engaged by the institution is responsible for:

• auditing and reporting on the institution's annual financial statements in accordance with generally accepted auditing standards and
• examining, attesting to, and reporting separately on the assertions of management concerning the institution's internal control structure and procedures for financial reporting.

Part 363 requires that insured depository institutions covered by this regulation submit reports and notifications to the FDIC. Under Part 363, the board of directors of each insured depository institution must also establish an independent audit committee. Table 1 summarizes the audit and reporting requirements.

Table 1: Part 363 Audit and Reporting Requirements

Source: FDIC Case Managers Procedures Manual

Part 363 requires that insured depository institutions covered by this regulation submit the following reports and notifications to the FDIC, the appropriate federal banking agency, and the appropriate state bank supervisor.

• Within 90 days after fiscal year-end, an annual report must be filed. The annual report must contain audited annual financial statements, the independent public accountant's audit report, management's statements and assessments, and the independent public accountant's attestation concerning the institution's internal control structure and procedures for financial reporting. (Note: Internal control is an integral component of an organization’s management that provides reasonable assurance of achieving effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.)
  
  
• Within 15 days after receipt, the institution must submit any management letter; the audit report and any qualification to the audit report; and any other report, including attestation reports, from the independent public accountant. (Note: Auditors are required to inform the audit committee (or its equivalent) about significant deficiencies in the design or operation of the internal control structure that come to their attention in the course of an audit. These are referred to as management letters. A qualified opinion states that, except for the effects of the matter to which the qualification relates, the financial statements present fairly, in all material respects, the financial position, results of operations, and cash flows in conformity with generally accepted accounting principles (GAAP). For more information on GAAP, see the discussion later in this report under "Independent Public Accountants—Roles and Standards.")
  
  
• Within 15 days of occurrence, the institution must provide written notice of the engagement of an independent public accountant, the resignation or dismissal of a previously engaged accountant, and the reasons for such an event.

Part 363 also requires certain filings from independent public accountants. The accountants must notify the FDIC and the appropriate federal banking supervisor when it ceases to be the accountant for an insured depository institution. The notification must be in writing, be filed within 15 days after the relationship is terminated, and contain the reasons for the termination. The accountant must also file a peer review report with the FDIC within 15 days of receiving the report or before commencing any audit under Part 363. (Note: Peer review is the process by which other accountants assess and test compliance with quality control systems for the accounting and auditing practices of SEC Practice Section (SECPS) members. The objectives of peer review are to determine whether the reviewed firm: (i) designed its system to meet Quality Control Standards established by the American Institute of Certified Public Accountants (AICPA); (ii) complied with its quality control system to provide reasonable assurance of complying with professional standards; and (iii) complied with SECPS membership requirements. Upon the completion of a review, the peer reviewer prepares a report and a letter of comments, which may recommend improvements to the firm's system of compliance.)

Each insured depository institution subject to Part 363 must establish an independent audit committee of its board of directors. The members of this committee must be outside directors who are independent of management. Their duties include overseeing the internal audit function, selecting the external auditor, and reviewing with management and the external auditor the scope of the audit, audit conclusions, and various management assertions and accountant attestations.

Part 363 also establishes additional requirements for audit committees of insured depository institutions with total assets of more than $3 billion. Two members of the audit committee must have banking or related financial management expertise. Large customers of the institution are excluded from the audit committee. The audit committee must also have access to its own outside counsel.

Sarbanes-Oxley Act of 2002: President Bush signed the Sarbanes-Oxley Act of 2002, P.L. 107-204, into law on July 30, 2002. This Act was in response to high profile accounting and financial reporting scandals and has a significant impact on executives, accountants, shareholders, and regulators. The Act significantly affects the regulation of accountants; imposes new responsibilities and liabilities on chief executive officers (CEO), chief financial officers (CFO), and Boards of Directors; and toughens criminal penalties, in terms of both fines and prison sentences, for corporate fraud, destruction of documents, and impeding investigations. The Act aims to restore investor confidence in the public markets and seeks to prevent corporate and accounting fraud. Among other things, the Act:

• establishes a new regulatory body to oversee public company auditors;
• redefines the relationship between auditors and their clients;
• places direct responsibility for the audit relationship on audit committees;
• requires certification of periodic reports by CEOs and CFOs;
• bans most loans by public companies to officers and directors;
• restricts certain executive officer and director transactions;
• holds the CEO and CFO responsible for restatements due to misconduct;
• requires reporting of insider stock transactions within two business days;
• imposes new obligations and responsibilities on audit committees;
• imposes new rules of professional responsibility for lawyers and analysts; and
• increases criminal penalties and enforcement measures for securities-related offenses.

The Act’s provisions become effective at different times, ranging from immediately upon enactment to later dates specified in the Act or the date on which the required implementing regulations become effective. The Act does not impose requirements with respect to public companies switching audit firms periodically (though the Act requires that the U.S. Securities and Exchange Commission (SEC) study this issue).

Key provisions within the Sarbanes-Oxley Act that impact registered public accounting firms performing services required by Part 363 of FDIC’s Rules and Regulations for insured depository institutions include (Note: The term "registered public accounting firm" means a public accounting firm registered with the Public Company Accounting Oversight Board in accordance with the Sarbanes-Oxley Act of 2002. The term "public accounting firm" means a proprietorship, partnership, incorporated association, corporation, limited liability company, limited liability partnership, or other legal entity that is engaged in the practice of public accounting or preparing or issuing audit reports; and to the extent so designated by the rules of the Board, any associated person of any such entity.):

• Creating a Public Company Accounting Oversight Board to oversee the auditing of public companies. The Board will consist of five members appointed by the SEC and will register public accounting firms as well as establish the standards for audits of public companies. In addition, the Board will conduct inspections, investigations, and disciplinary hearings of public accounting firms, and have the power to impose sanctions on public accounting firms.
  
  
• Prohibiting public accounting firms from performing specific services for their audit clients, including internal audit services and financial information systems design and implementation. The Act provides that auditors may engage in tax services or other services not specifically excluded if approved in advance by the Audit Committee. The Act requires that all non-audit services be pre-approved by the Audit Committee except for de minimus non-audit services. (Note: Non-audit services, according to the Sarbanes-Oxley Act of 2002, are any professional services provided to a securities issuer by a registered public accounting firm, other than those provided to an issuer in connection with an audit or a review of the financial statements of an issuer.) In addition to further approval by the Audit Committee of non-audit services, securities issuers are required to disclose to investors in their periodic reports the nature of such approval. The Act also requires that audit partners or reviewing audit partners cannot serve on the securities issuer’s account for more than 5 years. In addition, a company’s CEO, controller, CFO, chief accounting officer, or equivalent may not have been employed by the company’s auditors or participated in any capacity in the audit of the company during the 1-year period preceding the date of the initiation of the audit.
  
  
• Under the Act, the Audit Committee must be composed solely of independent directors. Members of the Audit Committee cannot receive any consulting or other fees other than board or committee fees. Audit Committee members cannot be "affiliated persons of the company or a subsidiary." The Act disqualifies for Audit Committee membership a director who owns a controlling interest in the company.

  The Audit Committee, under the Act, is responsible for appointment, compensation, and oversight of the public accounting firm. Significantly, the Audit Committee is now charged with resolving any disagreements between management and the independent accounting firm. The Act requires that the Audit Committee establish a complaints procedure for receipt, retention, and treatment of complaints regarding accounting, internal accounting control or auditing. The Audit Committee is specifically authorized to engage independent counsel and other advisors.

Role and Standards: Financial statements are often audited by an IPA for the purpose of opining on the fair presentation of an entity’s financial statements. The IPA’s standard report states that the financial statements present fairly, in all material respects, an entity’s financial position, results of operations, and cash flows in conformity with GAAP. (Note: Generally Accepted Auditing Standards (GAAS) are policies, guidelines, and procedures set forth by the AICPA that an auditor is required to follow in performing an audit in order to render an opinion on an organization's financial statements.) This conclusion may be expressed only when the independent accountant has formed such an opinion on the basis of an audit performed in accordance with generally accepted auditing standards (GAAS). (Note: Generally Accepted Auditing Standards (GAAS) are policies, guidelines, and procedures set forth by the AICPA that an auditor is required to follow in performing an audit in order to render an opinion on an organization's financial statements.) An IPA is defined as an accountant who is independent of a financial institution and registered or licensed to practice, and holds himself or herself out, as a public accountant, and who is in good standing under the laws of the state or other political subdivision of the United States in which the home office of the institution is located. (Note: Enactment of the Sarbanes-Oxley Act of 2002, changed the term used to describe accountants in the SEC Act of 1934. Section 10A of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1) was amended by the Sarbanes-Oxley Act of 2002 by striking "an independent public accountant" each place that term appears and inserting "a registered public accounting firm.") Prior to the implementation of the Sarbanes-Oxley Act of 2002, an IPA had to comply with the AICPA Code of Professional Conduct and any related guidance.

Limitations of Audits and Audited Financial Statements: According to the Federal Reserve Board’s Commercial Bank Examination Manual, although auditing standards are designed to require the use of due care and objectivity, a properly designed and executed audit does not necessarily guarantee that all misstatements of amounts or omissions of disclosure in the financial statements have been detected, nor does a properly designed and executed audit guarantee that the auditor addressed safety and soundness considerations. The following examples from this manual illustrate some common limitations of audits:

• The auditor is not responsible for deciding whether an institution operates wisely. An unqualified audit report means that the institution reports transactions and balances in accordance with GAAP. It does not mean that the transactions make business sense, the associated risks are managed in a safe and sound manner, or balances can be recovered upon disposition or liquidation.
  
  
• The auditor’s report concerning financial statements does not signify that underwriting standards, operating strategies, loan-monitoring systems, and workout procedures are adequate to mitigate losses if the environment changes. The auditor’s report that financial statements present fairly the bank’s financial position is based upon the prevailing evidence and current environment, and indicates that reported assets can be recovered in the normal course of business. In determining that reported assets can be recovered in the normal course of business, the auditor attempts to understand financial-reporting internal controls and can substitute other audit procedures when these controls are weak or nonexistent.
  
  
• The quality of management and how it manages risk are not considered in determining historical cost and its recoverability. Although certain assets and instruments are marked to market (for example, trading accounts), GAAP generally uses historical cost as the basis of presentation. (Note: According to FDIC Regional Directors Memorandum 98-059, issued July 9, 1998, New Examination Guidance and Procedures for Securities and Derivatives Activities, the term "marked-to-market" is the valuation of a security, such as a bond, share, or futures contract, according to current market prices. These instruments are marked-to-market at the end of each trading day, or on an intra-day basis, by the exchange clearinghouse. Position value changes are settled on a cash basis at least daily.) Historical cost assumes that the entity is a going concern. The going-concern concept allows certain marked-to-market losses to be deferred because management believes the cost basis can be recovered during the remaining life of the asset.
  
  
• GAAP financial statements offer only limited disclosures of risks and uncertainties, and other safety and soundness factors on which an institution’s viability depends.
  
  
• For purposes of determining the level of loan-loss reserves, GAAP does not consider losses that are ‘‘more likely than not,’’ ‘‘reasonably possible,’’ or ‘‘likely’’ to occur in future periods. Under GAAP, loan-loss reserves are only provided for ‘‘probable losses’’ and for losses currently ‘‘inherent’’ (that is, anticipated future charge-offs based on current repayment characteristics) in the portfolio.

Interagency Policy Statement: Before August 1999, the FDIC and the other bank regulatory agencies that are members of the Federal Financial Institutions Examination Council (FFIEC)) generally believed that an independent external audit provided reasonable assurance that an institution’s financial statements were prepared in accordance with GAAP. (Note: The Federal Financial Institutions Examination Council (FFIEC), is comprised of the Board of Governors of the Federal Reserve System (FRB), the FDIC, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).) The independent audit process also subjected the internal controls and the accounting policies, procedures, and records of each banking organization to periodic review. Accordingly, the banking agencies recommended that every institution have an external auditing program to help ensure accurate and reliable financial reporting. (Note: The FDIC first adopted guidance on external auditing programs in its Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks in 1988 (53 FR 47871, November 28, 1988). In 1996, the FDIC reviewed the Current Policy Statement pursuant to section 303(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 and adopted several amendments to eliminate inconsistencies and outdated requirements (61 FR 32438, June 24, 1996).)

External Audit Programs: On August 19, 1999, the FFIEC approved and recommended the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations which was subsequently approved and became effective for fiscal years beginning on or after January 1, 2000. (Note: The NCUA, also a member of the FFIEC, did not adopt the policy at that time.)

The Interagency Policy Statement states that to help ensure accurate and reliable financial reporting, the FFIEC agencies recommend that the board of directors of each institution establish and maintain an external auditing program. Although many insured depository institutions with total assets below a $500 million threshold are not subject to the requirements of Section 36 of the FDI Act, the Interagency Policy Statement encourages these institutions to adopt its guidance.

The Interagency Policy Statement also states that an external auditing program should be an important component of an institution's overall risk management process. For example, an external auditing program complements the internal auditing function of an institution by providing management and the board of directors with an independent and objective view of the reliability of the institution's financial statements and the adequacy of its control over financial reporting. Additionally, an effective external auditing program contributes to the efficiency of the agencies' risk-focused examination process. By considering the significant risk areas of an institution, an effective external auditing program may reduce the examination time the agencies spend in such areas. Moreover, it can improve the safety and soundness of an institution substantially and lessen the risk that the institution poses to the insurance funds administered by the FDIC.

The federal banking agencies view a full-scope annual audit of a bank’s financial statements by an independent public accountant as preferable to other types of external auditing programs. The Interagency Policy Statement adopted by the regulatory agencies on or after January 2000 recognizes that a full-scope audit may not be feasible for every small bank. It therefore encourages those banks to pursue appropriate alternatives to a full-scope audit in cases where a full scope audit is not performed. These alternatives, which must be performed by an independent public accountant, are (1) an attestation on internal control over financial reporting on certain schedules of the Reports of Condition and Income (Call Report) or (2) an audit of the institution's balance sheet. The Interagency Policy Statement further indicates that, for a smaller institution with less complex operations, the attestation on internal control may be less costly than an audit of its financial statements or its balance sheet and may provide more useful information to management. Small banks are also encouraged to establish an audit committee consisting of outside directors.

Each year's March 31 Call Report requires an institution to report the type of its external auditing program for the prior year. Figure 1 shows the type of external auditing program and number of FDIC-supervised banks reporting. (Note: Figure 1 includes only FDIC-supervised state non-member banks as of December 31, 2001. It does not include 574 other FDIC-supervised institutions, such as state-chartered savings banks and U.S. branches of foreign banks.)

[This image appears in the non-508-compliant version of the audit report.]

Text description of Figure 1: Number of institutions per type of external audit: 323 banks with total assets of $500 million or more and 2,683 banks with total assets of less than $500 million had external Financial Statement Audit programs. 103 banks with total assets of less than $500 million had external Attestation audit programs. 1,483 banks with total assets of less than $500 million had external Balance Sheet Audit programs. 336 banks with total assets of less than $500 million had no external audit programs.

Source: FDIC, DSC Policy Branch - Accounting Section.

Risk-Focused Examination Process: On October 1, 1997, the FDIC, in conjunction with the Federal Reserve and the Conference of State Bank Supervisors, began implementing a new risk-focused examination process designed to focus bank examinations on bank functions that pose the greatest risk exposure. This new examination process represents a change from the traditional approach, with its heavy emphasis on predetermined tasks and a review of large samples of loans.

The risk-focused examination process attempts to assess an institution’s risk by evaluating its processes to identify, measure, monitor, and control risk. If management controls are properly designed and effectively applied, they should help ensure that satisfactory performance is achieved. In a rapidly changing environment, a bank’s condition at any given point in time may not be indicative of its future performance. The risk-focused examination process seeks to strike an appropriate balance between evaluating the condition of an institution at a certain point in time and evaluating the soundness of the institution’s processes for managing risk. Moreover, the risk-focused approach attempts to involve less regulatory burden by focusing on testing, rather than duplicating, the work of audit and control functions. Based on the institution’s size, complexity, and risk profile, an examiner can choose to test, evaluate, and accept the results from such controls as internal and external audits, loan policy, loan review, and loan grading systems.

Review of External Auditor Workpapers: When an institution has an external auditing program, examiners should be able to review the auditors’ workpapers as appropriate. Under section 36(g)(3)(A)(i) of the FDI Act, the audit services for institutions covered by Part 363 must be performed by an accountant who has agreed to provide examiners with access to the audit workpapers and the accountant’s policies and procedures, if requested. If holding company financial statements or a holding company attestation report on internal control over financial reporting has been submitted to the FDIC on behalf of a subsidiary institution that is subject to Part 363, the examiner of the subsidiary institution may examine the workpapers of the holding company audit or attestation.

Through the auditors’ workpapers, the examiner can review the external auditor’s evaluation of internal controls, assessment of audit risk in the institution (including risk of material misstatement of the financial statements due to fraud), significant account balances and transactions, and other audit areas pertinent to the examination. A workpaper review is recommended in those circumstances where it will provide the examiner a better understanding of one or more areas of the bank’s operations and the bases for some of the auditor’s evaluations in those areas. Thus, a review can be another source of information about the bank’s internal control and financial reporting practices and about the work that the auditor has performed in specific audit areas of the bank’s operations or activities. The review may help determine the scope of the examination procedures that should be carried out. The review can identify those areas where the independent public accountant performed audit work sufficient to enable the examiners to limit their procedures, and those areas of higher risk for which examination procedures should be expanded. However, the sufficiency and appropriateness of the external auditor’s procedures may be different from the procedures the examiner would perform during an examination. Reviewing audit workpapers may also acquaint an examiner assigned to an institution for the first time with what the auditor considers to be significant audit and internal control risks in that institution.

FDIC Case Managers’ Interest in IPA Work: The primary goal of the case manager program is to significantly enhance risk assessment and supervision activities by assigning responsibility and accountability for a caseload of institutions or companies to one individual, regardless of charter and location, and by encouraging a more proactive, but non-intrusive, coordinated supervisory approach. Case managers are involved in efforts designed to meet the FDIC's offsite monitoring and analysis goals as they relate to the assessment of risk to the deposit insurance funds, as well as the financial condition of the individual institutions within their caseloads. In that regard, they will analyze financial and other information filed or reported in accordance with regulatory requirements, as well as information from other sources. Case managers communicate and coordinate with regional specialists on substantive issues regarding institutions within their caseloads to ensure that risks presented by certain specialty areas, such as accounting, are identified and quantified, and to ensure that proper supervisory action is taken to minimize risk to the deposit insurance funds.

The case manager is responsible for review of annual Part 363 filings from covered and associated institutions in their caseloads. Case managers review an institution's annual Part 363 filing to ensure that it includes all of the required documents. In reviewing an institution's annual Part 363 filing, the case manager is responsible for obtaining the annual Part 363 filing and worksheet for the prior year to see if there were any issues noted. Finally, the case manager reviews the current year’s filing and completes the appropriate worksheet. The review concludes with the need to make a determination as to whether a change in supervisory strategy or follow-up action is needed. A worksheet is used to record the review of the annual Part 363 filing and is known as a Part 363 Annual Report Worksheet.

If an institution has been assigned a composite CAMELS rating of 4 or 5 or its annual report reveals significant concerns about matters that would have fallen within the scope of the work performed by the bank's external auditors, the case manager consults with the regional accountant. (Note: Financial institution regulators use the Uniform Financial Institutions Rating System to evaluate a bank's performance. Six areas of performance are evaluated and given a numerical rating of "1" through "5," with "1" representing the least degree of concern and "5" the greatest degree of concern. The six performance areas identified by the CAMELS acronym are: Capital adequacy, Asset quality, Management practices, Earnings performance, Liquidity position, and Sensitivity to market risk. A composite CAMELS rating is an overall rating given to a bank based on the six components of the CAMELS rating. A rating of "1" through "5" is given. A rating of "1" indicates strong performance; "2" reflects satisfactory performance; "3" represents below-average performance; "4" refers to marginal performance that could threaten the viability of the institution; and, "5" is considered critical, unsatisfactory performance that threatens the viability of the institution.) Together they determine when a review of the workpapers of the independent public accountant performing the external audit of the institution for the previous year will be performed.

Another worksheet known as a Periodic Reports Worksheet is used to document the review of any other reports submitted by either the financial institution or the public accountant. These reports include, but are not limited to: any management letter issued by the IPA; written notice of the engagement, resignation or dismissal of an IPA by an institution and the reasons for such an event; or, written notice from the IPA that it has ceased to be the accountant for an institution and the reasons for the termination.

Some institutions also submit a management letter with the annual report documents. The management letter is addressed to the board or audit committee. It details internal control weaknesses that were not considered reportable conditions or sufficiently material to include in the audit report. If a management letter has been submitted, the case manager should review the submission and complete a Part 363 Periodic Report Worksheet. The review should conclude with a determination as to whether a change in supervisory strategy, follow-up action, or review of the auditor's workpapers are needed.

Follow-Up Action or Change in Supervisory Strategy: If it is determined that follow-up action or a change in supervisory strategy is warranted for a state non-member bank, case managers should discuss the concerns with the field office supervisor, determine the appropriate supervisory strategy to address these concerns, and prepare a memorandum outlining the recommended course of action. Thus, a case manager's primary interest in an IPA's work is focused on the FDIC's role as a supervisor and an insurer.

If, in the case manager's judgment, an IPA product contains negative information that may be severe enough to warrant concern over the safety and soundness of the institution, the case manager should discuss the concerns with the field office supervisor. Together they should determine the appropriate supervisory strategy to address these concerns and prepare a memorandum outlining the recommended course of action.

FDIC as Insurer: As insurer, the FDIC continually evaluates how changes in the economy, financial markets, banking system, and individual financial institutions affect the adequacy and viability of the deposit insurance funds. To protect the insurance funds, the FDIC identifies risks by analyzing economic, financial, and banking trends, as well as IPA work products, and communicates these findings to the industry and the other federal banking agencies and state authorities. As the insurer, the FDIC, by statute, has special insurance authority for all insured depository institutions. Should the FDIC identify significant emerging risks or have serious concerns raised in IPA work about any insured depository institution not primarily supervised by the FDIC, the FDIC and the institution's primary federal supervisor work together to address them. (Note: The institution’s charter determines which federal banking agency is the "primary federal supervisor" of the particular institution.)

As a supervisor, the FDIC is the primary federal banking regulator of all state non-member banks. In that regard, the FDIC performs safety and soundness examinations, visitations, and investigations of FDIC-supervised institutions to assess their overall financial condition, management practices and policies, and compliance with applicable laws and regulations. Through the examination process, the FDIC also assesses the adequacy of management and internal control systems to identify and control risks. An IPA's work may complement an institution's internal audit function by providing another independent and objective view of the reliability of the institution's financial statements and the adequacy of its financial reporting internal controls. Procedures normally performed in completing this assessment may disclose the presence of fraud or insider abuse.

FDIC examiners made reasonable use of the work performed by IPAs. For those institutions with CAMELS ratings of 1, 2, or 3, FDIC examiners and case managers considered IPA reports, management letters, and other available documentation in conjunction with their safety and soundness examinations and in devising the overall supervisory strategy. FDIC examiners expanded their examination testing and review when an IPA uncovered or reported irregularities or problems in an area and the examiners followed up on the institution’s corrective actions. Examiners also effectively resolved differences with IPAs. In addition to the above, for poorly rated institutions – those with CAMELS ratings of 4 or 5 – examiners reviewed the IPA’s workpapers, thoroughly documenting their review. FDIC examiners reviewed IPA workpapers to gain an understanding of the IPA's scope and results of work performed including, for example, in the areas of internal control, the risk of material misstatement due to fraud, or asset valuation concerns.

In general, the FDIC has established sound examination policies and procedures for evaluating the effectiveness of a financial institution’s external audit program. While the FDIC’s risk-focused examination policy, as stated in Regional Directors Memorandums 1998-100, dated December 16, 1998 and 1999-011, dated March 23, 1999, could be interpreted to require testing of IPA work in order to reduce the scope of examinations, such testing would only be possible by reviewing the IPA’s workpapers. However, we do not consider routinely reviewing the IPA’s workpapers to be necessary or practical for all examinations of better-rated institutions. The FDIC’s approach of deciding on a case-by-case basis whether to review the work of IPAs on examinations of better-rated institutions provides appropriate balance between risk and use of examination resources.

Appendix II discusses the detailed results of our audit, including three instances of noncompliance with FDIC policy and procedures. These were deemed insignificant.

On March 20, 2003, the Director, DSC, provided a written response to the draft report, although the report did not contain recommendations. The response is presented in Appendix IV of this report. The Director of DSC stated the Division would continue to be proactive in addressing their evaluations of external audit activity through their own efforts and through interagency initiatives.

AICPA

American Institute of Certified Public Accountants

CAMELS

Ratings for Capital adequacy, Asset quality, Management practices, Earnings performance, Liquidity position, and Sensitivity to market risk.

CEO

Chief Executive Officer

CFO

Chief Financial Officer

DSC

Division of Supervision and Consumer Protection (formerly the Division of Supervision)

FDI Act

Federal Deposit Insurance Act

FDIC

Federal Deposit Insurance Corporation

FDICIA

Federal Deposit Insurance Corporation Improvement Act of 1991

FFIEC

Federal Financial Institutions Examination Council

FRB

Federal Reserve Board (Board of Governors of the Federal Reserve System)

GAAP

Generally Accepted Accounting Principles

GAAS

Generally Accepted Auditing Standards

IPA

Independent Public Accountant

NCUA

National Credit Union Association

OCC

Office of the Comptroller of the Currency

OIG

Office of Inspector General

OTS

Office of Thrift Supervision

SEC

U.S. Securities and Exchange Commission

TFR

Thrift Financial Report

The overall objective was to evaluate FDIC examiner use of work performed by IPAs who are engaged by FDIC-supervised financial institutions. In accomplishing our objective, we reviewed:

• examination policies and procedures for evaluating the work of IPAs,
  
  
• resolution of differences between regulators and IPAs on matters affecting safety and soundness considerations, and
  
  
• followup on IPA findings and recommendations.

To accomplish our audit objective, the OIG interviewed DSC headquarters and Dallas, San Francisco, Chicago, Memphis, Boston, and New York regional office personnel. We interviewed selected examiners and supervisory examiners who worked on the examinations we reviewed. We also reviewed the DSC Manual of Examination Policies, FDIC Case Managers Procedures Manual, Regional Directors Memoranda, FDIC Financial Institution Letters, and the Risk Scoping Activities and Reviews of External Auditor Workpaper ED Modules to obtain an understanding of the policies and procedures that determine the scope and requirements for the use of and reliance on IPA work. Additionally, we reviewed FDIC compliance with applicable laws and regulations. Finally, we reviewed current news articles, proposed legislation, and other agency and regulator reports and related documents to gain an understanding of concerns and viewpoints of the regulators’ role and responsibilities in working with IPA data and reports.

We reviewed 30 institution examination files along with the related correspondence and administrative files. Initially, we judgmentally selected 33 examinations from the seven regional offices based on institution size and geographic location. Based on our initial results for the 30 institutions reviewed, we eliminated the 3 selected institutions in the Atlanta region based on the consistent facts we found in the other 6 regions. The 33 original examinations were specifically selected from two groups of institutions. The first selection was of institutions that had an examination composite CAMELS rating of 4 or 5. Next, we selected institutions that were either over $500 million in asset size or were between $250 and $500 million. Of the 33 institutions selected, 1 institution had an examination composite CAMELS rating of 1, 19 were rated 2, 4 were rated 3, 7 were rated 4, and 2 were rated 5. We reviewed the DSC examination workpapers, the general safety and soundness correspondence/administrative files, IPA audit reports, and various FDIC and state examination reports. In addition, we reviewed matters relating to external auditors’ involvement in verifying a financial institution’s call or thrift financial report data, providing internal audit services, and retaining certain documentation related to engagements.

From the sample of 30 exams, we also reviewed the pre-examination scope memorandum comments that related to IPA audit work. This review was essential for developing an understanding of any risk-scoping or pre-examination planning activities performed by examiners to risk-focus the examination based on IPA work. For all 30 examinations, we assessed the extent to which the examiner used the IPA data or reports and how such information impacted the examination.

The limited nature of the audit objective did not require reviewing related performance measures under the Government Performance and Results Act, testing for fraud or illegal acts, or determining the reliability of computer-processed data obtained from the FDIC’s computerized systems. We gained an understanding of relevant internal control activities by examining DSC’s applicable policies and procedures as presented in DSC manuals, Regional Directors Memoranda, and Examination Documentation Modules. We decided not to test internal control activities because we concluded that the audit objective could be met more efficiently by conducting substantive tests rather than placing reliance on the internal control system.

We performed fieldwork at the Dallas, San Francisco, Chicago, Memphis, Boston, and New York regional offices and at 10 field offices within those regions. We reviewed examinations performed during the period of January 1, 2000 through December 31, 2001. We performed our audit from April 2002 through January 2003, in accordance with generally accepted government auditing standards.

In our review of 30 institutions, we identified three instances where examiners and case managers did not comply with FDIC policies and procedures. First, a review of an IPA’s workpapers was not initiated timely because of examiner oversight. Second, case manager files and examination workpapers contained no evidence that one institution’s Part 363 filing was reviewed, as a result of confusion during the institution’s merger. Finally, in one instance, examiners did not follow up on an IPA’s management letter that explained concerns the IPA had about internal controls at the bank, because of misunderstandings surrounding the institution changing its IPA. As a result, examiners may not have adequately assessed potential problems and weak internal controls that may have existed at the three affected institutions. However, we did not identify any specific negative effect in these instances.

Examiners did not initiate a workpaper review timely for one of the three downgraded institutions in our sample. The examiners had overlooked scheduling a review of the IPA’s workpapers until they were notified of our visit to the field office in conjunction with this audit. However, the workpaper review was initiated before the bank’s next scheduled examination.

FDIC Regional Directors Memorandum 2000-055, Reviews of External Auditors’ Workpapers, issued November 30, 2000, states that when an institution is downgraded to a 4- or 5-rating after an examination, arrangements should be made to review the IPA’s workpapers (if not already reviewed) within 3 months of the downgrade unless the downgrade occurs within the last 3 months of the institution’s fiscal year. In that case, the workpaper review should be performed on that fiscal year’s audit within 3 months after the completion of the audit early the following year.

Further, according to FDIC Regional Directors Memorandum 2000-019, Reviews of External Auditors’ Workpapers, dated March 21, 2000, examiners, through the auditors’ workpapers, can review the external auditor’s evaluation of internal controls, assessment of audit risk in the institution (including risk of material misstatement of the financial statements due to fraud), significant account balances and transactions, and other audit areas pertinent to the examination. A workpaper review is recommended in those circumstances where it will provide the examiner a better understanding of one or more areas of the bank’s operations and the bases for some of the auditor’s evaluations in those areas. Thus, a review can be another source of information about the bank’s internal control and financial reporting practices and about the work that the auditor has performed in specific audit areas of the bank’s operations or activities. The review may help determine the scope of the examination procedures that should be carried out. The review can identify those areas where the independent public accountant performed audit work sufficient to enable the examination procedures in those areas to be limited, and those areas of higher risk on which examination procedures should be expanded. However, the sufficiency and appropriateness of the external auditor’s procedures may be different from the procedures the examiner would perform during an examination. Reviewing audit workpapers may also acquaint an examiner assigned to an institution for the first time with what the auditor considers to be audit and internal control risks in that institution.

Examination workpapers revealed that for one of the three downgraded institutions in our sample, examiners had not initiated a workpaper review as required within 3 months of the institution being downgraded. In response to notification of this audit, examiners initiated a review of the IPA's workpapers 9 months after the previous examination. However, because the rating downgrade occurred within the last 3 months of the institution’s fiscal year, examiners should have performed a workpaper review within 3 months after the completion of the IPA audit early the following year.

FDIC examiners completed their examination of the downgraded bank October 17, 2001. The bank’s fiscal year ended December 31, 2001, and the IPA completed the bank’s audit on February 14, 2002. Accordingly, a workpaper review should have been initiated within 3 months of February 14, 2002, or by May 14, 2002. However, examiners overlooked scheduling a review of the IPA’s workpapers. The review was not initiated until June 3, 2002, in response to our visit to the field office conducting the examination. Nevertheless, the examiner’s request to review the IPA’s workpapers was only 3 weeks late and the workpaper review was initiated before the bank’s next scheduled examination.

FDIC case manager files and examiner workpapers for 1 of the 19 Part 363 institutions in our sample did not contain any evidence of review of required financial statements provided by a financial institution with more than $500 million in total assets. This situation occurred because of confusion surrounding the merger of the institution into a larger institution and the subsequent transfer of files between case managers in different FDIC regional offices. As a result, we could not determine whether the case managers had fulfilled their responsibility to ensure that the institution had complied with its Part 363 audit and reporting requirements. However, the bank had received composite CAMELS ratings of 1 in each annual examination since 1997, and the bank merged into a 2-rated bank.

Part 363 of the FDIC Rules and Regulations establishes audit and reporting requirements for insured depository institutions with total assets of $500 million or more and their independent public accountants. The reports and notifications must be submitted to the FDIC, the appropriate primary federal regulatory agency, and the appropriate state banking authority.

Under Part 363, management of each institution covered by this regulation must engage a public accountant, prepare annual financial statements in accordance with GAAP, and produce annual reports. The independent public accountant engaged by the institution is responsible for auditing and reporting on the institution's financial statements in accordance with generally accepted auditing standards, and examining, attesting to, and reporting separately on the assertions of management concerning the institution's internal control structure and procedures for financial reporting. Furthermore, Section 13 of the FDIC Case Managers Procedures Manual, Part 363 - Annual Audit and Reporting Requirements, states that case managers are responsible for reviewing Part 363 filings from covered and associated institutions in their caseloads.

However, FDIC case manager files and examiner workpapers for 1 of the 19 Part 363 institutions in our sample did not indicate that the case manager reviewed and determined whether the institution fulfilled its audit and reporting requirements. Although examiners in the Dallas field office examined the bank in question, the responsible case manager resided in the Kansas City regional office. The bank was then sold to a holding company within the jurisdiction of the FDIC's San Francisco regional office and is currently overseen by a case manager in the San Francisco regional office. Followup with the Dallas field office and case managers in both regional offices determined that none of them had a copy of a Part 363 Worksheet to evidence a case manager's review. We believe it was either lost during the transfer of files between regional offices or none was ever completed. As a result, we could not determine whether either of the FDIC case managers (1) determined whether the institution fulfilled its audit and reporting requirements, (2) reviewed the institution's Part 363 prior year submission to see if there were any issues noted, and (3) reviewed the institution’s Part 363 submission for completeness to ensure it included all required documents.

However, the bank in question merged with another, larger institution effective June 15, 2002. In addition, the bank had received composite CAMELS ratings of 1 in each annual examination since 1997.

In one instance in our sample, examiners did not follow up on an IPA’s management letter that explained concerns the IPA had about internal controls at the bank. This lack of followup occurred because of misunderstandings surrounding the institution changing its IPA. The FDIC’s senior examiner could not explain specifically why examiners had not followed up on the IPA’s management letter. As a result of not following up on the management letter, possible internal control weaknesses at the institution, potential problems resulting from those weaknesses, and bank management's response and actions regarding these problems may not have been adequately reviewed by examiners at the subsequent examination.

FDIC Regional Directors Memorandum 2000-019, Reviews of External Auditors’ Workpapers, dated March 21, 2000, states that before or during each examination, examiners should obtain from management all correspondence between the external auditor and the bank. The correspondence to be reviewed includes the management letter and any other letters or documents in which any weaknesses in internal control may be discussed. The examiner should also review management’s responses and actions planned to alleviate any internal control weaknesses that were noted by the auditor. For any material weaknesses and reportable conditions identified by the auditor, the examiner should ensure that management has planned appropriate corrective actions and determine whether the institution has implemented the actions planned to correct the deficiencies. If the examiner believes that management’s actions are inadequate, the examiner should make recommendations for improvement, according to the Regional Directors Memorandum.

During our review of a regional case manager’s file, we found an IPA’s management letter that explained concerns the IPA had about internal controls at the bank. The letter was addressed to the management and audit committee of the institution. It was also forwarded to the responsible FDIC regional office where we found it in the case manager’s files. However, we could not find a copy of the management letter in the field office examination workpapers or any notation as to whether examiners had followed up on it.

Finding no evidence of followup in the examination workpapers, we asked the FDIC senior examiner to contact bank management to obtain a copy of management's response to the IPA's management letter. Bank management advised that they did not respond to the IPA's management letter because the bank’s audit committee had been in the process of replacing the IPA. The bank had submitted the required notice alerting federal regulators that the bank had replaced its external auditor.

In addition, the senior examiner contacted one of the examiners who worked on the subsequent examination and learned that the examiners looked at the successor IPA’s information. The examination workpapers did contain evidence of the examiner’s review of correspondence between the new external auditor and the bank. However, no followup was performed to determine whether bank management had responded to the former IPA’s management letter. According to the senior examiner, the subsequent examination was conducted jointly with a state bank regulator, and a state examiner was tasked with evaluating the institution’s external audit program. The examiner contacted did not have an explanation as to why the state’s examiner did not follow up on the former IPA’s management letter.

Although examiners should follow up on IPA management letters, we believe this was an isolated instance, based on the results of our sample. Additionally, the institution involved received composite 1 CAMELS ratings from 1997 through 2000, and a composite 2 rating at the conclusion of the 2001 examination conducted by FDIC and the state agency.

Source: FDI Act Section 36.

Federal Deposit Insurance Corporation
550 17th St. NW Washington, DC, 20429
Division of Supervision and Consumer Protection

March 20, 2003

TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits

FROM: Michael J. Zamorski [Electronically produced version; original signed by Michael J. Zamorski], Director, Division of Supervision and Consumer Protection

SUBJECT: Draft Report Entitled FDIC Examiner Use of Work Performed by Independent Public Accountants (IPAs) (Assignment No. 2002-805)

Thank you for the opportunity to review and respond to the Office of Inspector General’s (OIG) draft report entitled FDIC Examiner Use of Work Performed by Independent Public Accountants (IPAs). The draft report states that the Division of Supervision and Consumer Protection (DSC) has established sound examination policies and procedures for evaluating the effectiveness of a financial institution’s external audit program. Because of these findings, the OIG has made no formal recommendations regarding the assessment of independent public accountants.

DSC is pleased to receive your statements supporting the FDIC risk-focused examination program and the validation of our sound processes for evaluating external audit activity. DSC will continue to be pro-active in addressing this subject area through our own efforts and through interagency initiatives. We appreciate the OIG’s recognition of our efforts in this area and we thank the OIG for the courtesies extended by your staff.