FDIC Examiner Use of Work Performed by
DATE: March 26, 2003
TO: Michael J. Zamorski, Director, Division of Supervision and Consumer Protection
FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits
SUBJECT: FDIC Examiner Use of Work Performed by Independent Public Accountants (IPAs) (Audit Report No. 03-021)
This report presents the results of an Office of Inspector General (OIG) audit of the Federal Deposit Insurance Corporation's (FDIC) examiner use of work performed by Independent Public Accountants (IPAs) for financial institutions supervised by the FDICís Division of Supervision and Consumer Protection (DSC). (Note: The Federal Deposit Insurance Corporationís mission is to maintain the stability of and public confidence in the nation's financial system. To achieve this goal, the FDIC was created in 1933 to insure deposits and promote safe and sound banking practices. The FDICís Division of Supervision and Consumer Protection, in conjunction with other federal and state regulatory agencies, examines financial institutions to ensure they are conducting business in compliance with consumer protection rules and in a way that minimizes risk to their customers and to the deposit insurance funds. There are five categories of examinations: Community Reinvestment Act, Compliance, Information Systems & E-banking, Safety & Soundness, and Trust.) The overall objective of this audit was to evaluate FDIC examiner use of the work performed by IPAs who are engaged by FDIC-supervised financial institutions. (Note: The FDIC supervises more than 5,500 FDIC-insured state-chartered banks that are not members of the Federal Reserve System, described as state non-member banks. This includes state-licensed insured branches of foreign banks and state-chartered mutual savings banks. As supervisor, the FDIC performs safety and soundness examinations of FDIC-supervised institutions to assess their overall financial condition, management practices and policies, and compliance with applicable laws and regulations. Through the examination process, the FDIC also assesses the adequacy of management and internal control systems to identify and control risks. Procedures normally performed in completing this assessment may disclose the presence of fraud or insider abuse.) In accomplishing this objective, we reviewed:
Appendix I of this report discusses our objective, scope, and methodology in more detail.
As described in the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations (Interagency Policy Statement), approved by the Federal Financial Institutions Examination Council on August 19, 1999, the boards of directors and senior managers of insured depository institutions are responsible for ensuring that an institution operates in a safe and sound manner. (Note: The term insured depository institution means any bank or savings association, the deposits of which are insured by the FDIC.) To achieve this goal and meet the safety and soundness guidelines implementing section 39 of the Federal Deposit Insurance Act (FDI Act), 12 U.S.C. 1831p-1, the institution should maintain effective systems and internal control to produce reliable and accurate financial reports.
Accurate financial reporting is essential to an institutionís safety and soundness for numerous reasons. First, accurate financial information enables management to effectively manage the institutionís risks and make sound business decisions. In addition, FDIC-supervised institutions are required by 12 U.S.C. 1817a to provide accurate and timely financial reports (e.g., Reports of Condition and Income, also called Call Reports and Thrift Financial Reports) to the FDIC. (Note: Call Reports from banks and Thrift Financial Reports from savings associations are sworn statements of financial condition that are submitted to the FDIC quarterly in accordance with federal regulatory requirements. They consist of a balance sheet, income statement, and other supplemental information and provide detailed analyses of balances and related activity.) These reports serve an important role in the agency's risk-focused supervision programs by contributing to examinersí pre-examination planning, DSCís off-site monitoring programs, and examinersí assessments of an institutionís capital adequacy and financial strength. (Note: The risk-focused examination process attempts to assess an institution's risk by evaluating its processes to identify, measure, monitor, and control risk. The risk-focused examination process seeks to strike an appropriate balance between evaluating the condition of an institution at a certain point in time and evaluating the soundness of the institution's processes for managing risk. Bank supervisors use on-site and off-site surveillance to identify banks likely to fail. The most useful tool for identifying problem institutions is on-site examination, in which the examiners travel to a bank and review all aspects of its safety and soundness. On-site examination is, however, costly to supervisors because of its labor-intensive nature and burdensome to bankers because of the intrusion into day-to-day operations. As a result, supervisors also monitor a bankís condition off-site. Off-site surveillance yields an ongoing picture of a bankís condition, enabling supervisors to schedule and plan exams efficiently. Off-site surveillance also provides banks with incentives to maintain safety and soundness between on-site visits. The FDICís off-site monitoring systems (Statistical CAMELS Offsite Rating (SCOR), Real Estate Stress Test (REST), and Quarterly Lending Alert) are largely based on Call Report data. A financial institution is expected to maintain capital commensurate with the nature and extent of risks to the institution and the ability of management to identify, measure, monitor, and control these risks. Capital adequacy, as it relates to quarterly Call Reports, can be evaluated to a limited extent based on certain financial information that includes amounts used in calculations of an institution's various regulatory capital amounts.) Further, reliable financial reports are necessary for the institution to raise capital. They provide data to stockholders, depositors and other funds providers, borrowers, and potential investors on the companyís financial position and results of operations. Such information is critical to effective market discipline of the financial institution.
Section 112 of FDICIA and Section 36 of the FDI Act: The Federal Deposit Insurance Corporation Improvement Act (FDICIA) of 1991 added Section 36 to the Federal Deposit Insurance Act (FDI Act), codified to 12 U.S.C. 1831m, and Part 363 of the FDIC Rules and Regulations, codified to 12 C.F.R. Part 363, implements Section 36 of the FDI Act. FDICIA contained accounting, corporate governance, and regulatory reforms designed to correct weaknesses in the deposit insurance system. Among other measures, the FDICIAís early warning reforms provide for timely disclosure of internal control weaknesses. FDICIA also established audit and reporting requirements for insured depository institutions with total assets of $500 million or more and their independent public accountants. Section 36 of the FDI Act provides additional improvements in financial management reporting. Appendix III shows the reforms and key provisions of Section 36 of the Act.
Part 363 states that management of each financial institution covered by this regulation must:
These annual management reports, referred to as managementís report or managementís assertion, must contain a statement of management's responsibilities for preparing the financial statements, establishing and maintaining an internal control structure and procedures for financial reporting, and complying with laws and regulations relating to loans to insiders and dividend restrictions. The reports must also contain an evaluation by management of the effectiveness of the internal control structure and procedures for financial reporting, and an assessment of the institution's compliance with designated laws and regulations.
The independent public accountant engaged by the institution is responsible for:
Part 363 requires that insured depository institutions covered by this regulation submit reports and notifications to the FDIC. Under Part 363, the board of directors of each insured depository institution must also establish an independent audit committee. Table 1 summarizes the audit and reporting requirements.
Table 1: Part 363 Audit and Reporting Requirements
Source: FDIC Case Managers Procedures Manual
Part 363 requires that insured depository institutions covered by this regulation submit the following reports and notifications to the FDIC, the appropriate federal banking agency, and the appropriate state bank supervisor.
Part 363 also requires certain filings from independent public accountants. The accountants must notify the FDIC and the appropriate federal banking supervisor when it ceases to be the accountant for an insured depository institution. The notification must be in writing, be filed within 15 days after the relationship is terminated, and contain the reasons for the termination. The accountant must also file a peer review report with the FDIC within 15 days of receiving the report or before commencing any audit under Part 363. (Note: Peer review is the process by which other accountants assess and test compliance with quality control systems for the accounting and auditing practices of SEC Practice Section (SECPS) members. The objectives of peer review are to determine whether the reviewed firm: (i) designed its system to meet Quality Control Standards established by the American Institute of Certified Public Accountants (AICPA); (ii) complied with its quality control system to provide reasonable assurance of complying with professional standards; and (iii) complied with SECPS membership requirements. Upon the completion of a review, the peer reviewer prepares a report and a letter of comments, which may recommend improvements to the firm's system of compliance.)
Each insured depository institution subject to Part 363 must establish an independent audit committee of its board of directors. The members of this committee must be outside directors who are independent of management. Their duties include overseeing the internal audit function, selecting the external auditor, and reviewing with management and the external auditor the scope of the audit, audit conclusions, and various management assertions and accountant attestations.
Part 363 also establishes additional requirements for audit committees of insured depository institutions with total assets of more than $3 billion. Two members of the audit committee must have banking or related financial management expertise. Large customers of the institution are excluded from the audit committee. The audit committee must also have access to its own outside counsel.
Sarbanes-Oxley Act of 2002: President Bush signed the Sarbanes-Oxley Act of 2002, P.L. 107-204, into law on July 30, 2002. This Act was in response to high profile accounting and financial reporting scandals and has a significant impact on executives, accountants, shareholders, and regulators. The Act significantly affects the regulation of accountants; imposes new responsibilities and liabilities on chief executive officers (CEO), chief financial officers (CFO), and Boards of Directors; and toughens criminal penalties, in terms of both fines and prison sentences, for corporate fraud, destruction of documents, and impeding investigations. The Act aims to restore investor confidence in the public markets and seeks to prevent corporate and accounting fraud. Among other things, the Act:
The Actís provisions become effective at different times, ranging from immediately upon enactment to later dates specified in the Act or the date on which the required implementing regulations become effective. The Act does not impose requirements with respect to public companies switching audit firms periodically (though the Act requires that the U.S. Securities and Exchange Commission (SEC) study this issue).
Key provisions within the Sarbanes-Oxley Act that impact registered public accounting firms performing services required by Part 363 of FDICís Rules and Regulations for insured depository institutions include (Note: The term "registered public accounting firm" means a public accounting firm registered with the Public Company Accounting Oversight Board in accordance with the Sarbanes-Oxley Act of 2002. The term "public accounting firm" means a proprietorship, partnership, incorporated association, corporation, limited liability company, limited liability partnership, or other legal entity that is engaged in the practice of public accounting or preparing or issuing audit reports; and to the extent so designated by the rules of the Board, any associated person of any such entity.):
Independent Public Accountants
Role and Standards: Financial statements are often audited by an IPA for the purpose of opining on the fair presentation of an entityís financial statements. The IPAís standard report states that the financial statements present fairly, in all material respects, an entityís financial position, results of operations, and cash flows in conformity with GAAP. (Note: Generally Accepted Auditing Standards (GAAS) are policies, guidelines, and procedures set forth by the AICPA that an auditor is required to follow in performing an audit in order to render an opinion on an organization's financial statements.) This conclusion may be expressed only when the independent accountant has formed such an opinion on the basis of an audit performed in accordance with generally accepted auditing standards (GAAS). (Note: Generally Accepted Auditing Standards (GAAS) are policies, guidelines, and procedures set forth by the AICPA that an auditor is required to follow in performing an audit in order to render an opinion on an organization's financial statements.) An IPA is defined as an accountant who is independent of a financial institution and registered or licensed to practice, and holds himself or herself out, as a public accountant, and who is in good standing under the laws of the state or other political subdivision of the United States in which the home office of the institution is located. (Note: Enactment of the Sarbanes-Oxley Act of 2002, changed the term used to describe accountants in the SEC Act of 1934. Section 10A of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1) was amended by the Sarbanes-Oxley Act of 2002 by striking "an independent public accountant" each place that term appears and inserting "a registered public accounting firm.") Prior to the implementation of the Sarbanes-Oxley Act of 2002, an IPA had to comply with the AICPA Code of Professional Conduct and any related guidance.
Limitations of Audits and Audited Financial Statements: According to the Federal Reserve Boardís Commercial Bank Examination Manual, although auditing standards are designed to require the use of due care and objectivity, a properly designed and executed audit does not necessarily guarantee that all misstatements of amounts or omissions of disclosure in the financial statements have been detected, nor does a properly designed and executed audit guarantee that the auditor addressed safety and soundness considerations. The following examples from this manual illustrate some common limitations of audits:
Interagency Policy Statement: Before August 1999, the FDIC and the other bank regulatory agencies that are members of the Federal Financial Institutions Examination Council (FFIEC)) generally believed that an independent external audit provided reasonable assurance that an institutionís financial statements were prepared in accordance with GAAP. (Note: The Federal Financial Institutions Examination Council (FFIEC), is comprised of the Board of Governors of the Federal Reserve System (FRB), the FDIC, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).) The independent audit process also subjected the internal controls and the accounting policies, procedures, and records of each banking organization to periodic review. Accordingly, the banking agencies recommended that every institution have an external auditing program to help ensure accurate and reliable financial reporting. (Note: The FDIC first adopted guidance on external auditing programs in its Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks in 1988 (53 FR 47871, November 28, 1988). In 1996, the FDIC reviewed the Current Policy Statement pursuant to section 303(a) of the Riegle Community Development and Regulatory Improvement Act of 1994 and adopted several amendments to eliminate inconsistencies and outdated requirements (61 FR 32438, June 24, 1996).)
External Audit Programs: On August 19, 1999, the FFIEC approved and recommended the Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations which was subsequently approved and became effective for fiscal years beginning on or after January 1, 2000. (Note: The NCUA, also a member of the FFIEC, did not adopt the policy at that time.)
The Interagency Policy Statement states that to help ensure accurate and reliable financial reporting, the FFIEC agencies recommend that the board of directors of each institution establish and maintain an external auditing program. Although many insured depository institutions with total assets below a $500 million threshold are not subject to the requirements of Section 36 of the FDI Act, the Interagency Policy Statement encourages these institutions to adopt its guidance.
The Interagency Policy Statement also states that an external auditing program should be an important component of an institution's overall risk management process. For example, an external auditing program complements the internal auditing function of an institution by providing management and the board of directors with an independent and objective view of the reliability of the institution's financial statements and the adequacy of its control over financial reporting. Additionally, an effective external auditing program contributes to the efficiency of the agencies' risk-focused examination process. By considering the significant risk areas of an institution, an effective external auditing program may reduce the examination time the agencies spend in such areas. Moreover, it can improve the safety and soundness of an institution substantially and lessen the risk that the institution poses to the insurance funds administered by the FDIC.
The federal banking agencies view a full-scope annual audit of a bankís financial statements by an independent public accountant as preferable to other types of external auditing programs. The Interagency Policy Statement adopted by the regulatory agencies on or after January 2000 recognizes that a full-scope audit may not be feasible for every small bank. It therefore encourages those banks to pursue appropriate alternatives to a full-scope audit in cases where a full scope audit is not performed. These alternatives, which must be performed by an independent public accountant, are (1) an attestation on internal control over financial reporting on certain schedules of the Reports of Condition and Income (Call Report) or (2) an audit of the institution's balance sheet. The Interagency Policy Statement further indicates that, for a smaller institution with less complex operations, the attestation on internal control may be less costly than an audit of its financial statements or its balance sheet and may provide more useful information to management. Small banks are also encouraged to establish an audit committee consisting of outside directors.
Each year's March 31 Call Report requires an institution to report the type of its external auditing program for the prior year. Figure 1 shows the type of external auditing program and number of FDIC-supervised banks reporting. (Note: Figure 1 includes only FDIC-supervised state non-member banks as of December 31, 2001. It does not include 574 other FDIC-supervised institutions, such as state-chartered savings banks and U.S. branches of foreign banks.)
Figure 1: Number and Type of External Audit Programs of FDIC-Supervised State Non-Member Banks
[This image appears in the non-508-compliant version of the audit report.]
Text description of Figure 1: Number of institutions per type of external audit: 323 banks with total assets of $500 million or more and 2,683 banks with total assets of less than $500 million had external Financial Statement Audit programs. 103 banks with total assets of less than $500 million had external Attestation audit programs. 1,483 banks with total assets of less than $500 million had external Balance Sheet Audit programs. 336 banks with total assets of less than $500 million had no external audit programs.
Source: FDIC, DSC Policy Branch - Accounting Section.
FDIC Examination Policy
Risk-Focused Examination Process: On October 1, 1997, the FDIC, in conjunction with the Federal Reserve and the Conference of State Bank Supervisors, began implementing a new risk-focused examination process designed to focus bank examinations on bank functions that pose the greatest risk exposure. This new examination process represents a change from the traditional approach, with its heavy emphasis on predetermined tasks and a review of large samples of loans.
The risk-focused examination process attempts to assess an institutionís risk by evaluating its processes to identify, measure, monitor, and control risk. If management controls are properly designed and effectively applied, they should help ensure that satisfactory performance is achieved. In a rapidly changing environment, a bankís condition at any given point in time may not be indicative of its future performance. The risk-focused examination process seeks to strike an appropriate balance between evaluating the condition of an institution at a certain point in time and evaluating the soundness of the institutionís processes for managing risk. Moreover, the risk-focused approach attempts to involve less regulatory burden by focusing on testing, rather than duplicating, the work of audit and control functions. Based on the institutionís size, complexity, and risk profile, an examiner can choose to test, evaluate, and accept the results from such controls as internal and external audits, loan policy, loan review, and loan grading systems.
Review of External Auditor Workpapers: When an institution has an external auditing program, examiners should be able to review the auditorsí workpapers as appropriate. Under section 36(g)(3)(A)(i) of the FDI Act, the audit services for institutions covered by Part 363 must be performed by an accountant who has agreed to provide examiners with access to the audit workpapers and the accountantís policies and procedures, if requested. If holding company financial statements or a holding company attestation report on internal control over financial reporting has been submitted to the FDIC on behalf of a subsidiary institution that is subject to Part 363, the examiner of the subsidiary institution may examine the workpapers of the holding company audit or attestation.
Through the auditorsí workpapers, the examiner can review the external auditorís evaluation of internal controls, assessment of audit risk in the institution (including risk of material misstatement of the financial statements due to fraud), significant account balances and transactions, and other audit areas pertinent to the examination. A workpaper review is recommended in those circumstances where it will provide the examiner a better understanding of one or more areas of the bankís operations and the bases for some of the auditorís evaluations in those areas. Thus, a review can be another source of information about the bankís internal control and financial reporting practices and about the work that the auditor has performed in specific audit areas of the bankís operations or activities. The review may help determine the scope of the examination procedures that should be carried out. The review can identify those areas where the independent public accountant performed audit work sufficient to enable the examiners to limit their procedures, and those areas of higher risk for which examination procedures should be expanded. However, the sufficiency and appropriateness of the external auditorís procedures may be different from the procedures the examiner would perform during an examination. Reviewing audit workpapers may also acquaint an examiner assigned to an institution for the first time with what the auditor considers to be significant audit and internal control risks in that institution.
FDIC Case Managersí Interest in IPA Work: The primary goal of the case manager program is to significantly enhance risk assessment and supervision activities by assigning responsibility and accountability for a caseload of institutions or companies to one individual, regardless of charter and location, and by encouraging a more proactive, but non-intrusive, coordinated supervisory approach. Case managers are involved in efforts designed to meet the FDIC's offsite monitoring and analysis goals as they relate to the assessment of risk to the deposit insurance funds, as well as the financial condition of the individual institutions within their caseloads. In that regard, they will analyze financial and other information filed or reported in accordance with regulatory requirements, as well as information from other sources. Case managers communicate and coordinate with regional specialists on substantive issues regarding institutions within their caseloads to ensure that risks presented by certain specialty areas, such as accounting, are identified and quantified, and to ensure that proper supervisory action is taken to minimize risk to the deposit insurance funds.
The case manager is responsible for review of annual Part 363 filings from covered and associated institutions in their caseloads. Case managers review an institution's annual Part 363 filing to ensure that it includes all of the required documents. In reviewing an institution's annual Part 363 filing, the case manager is responsible for obtaining the annual Part 363 filing and worksheet for the prior year to see if there were any issues noted. Finally, the case manager reviews the current yearís filing and completes the appropriate worksheet. The review concludes with the need to make a determination as to whether a change in supervisory strategy or follow-up action is needed. A worksheet is used to record the review of the annual Part 363 filing and is known as a Part 363 Annual Report Worksheet.
If an institution has been assigned a composite CAMELS rating of 4 or 5 or its annual report reveals significant concerns about matters that would have fallen within the scope of the work performed by the bank's external auditors, the case manager consults with the regional accountant. (Note: Financial institution regulators use the Uniform Financial Institutions Rating System to evaluate a bank's performance. Six areas of performance are evaluated and given a numerical rating of "1" through "5," with "1" representing the least degree of concern and "5" the greatest degree of concern. The six performance areas identified by the CAMELS acronym are: Capital adequacy, Asset quality, Management practices, Earnings performance, Liquidity position, and Sensitivity to market risk. A composite CAMELS rating is an overall rating given to a bank based on the six components of the CAMELS rating. A rating of "1" through "5" is given. A rating of "1" indicates strong performance; "2" reflects satisfactory performance; "3" represents below-average performance; "4" refers to marginal performance that could threaten the viability of the institution; and, "5" is considered critical, unsatisfactory performance that threatens the viability of the institution.) Together they determine when a review of the workpapers of the independent public accountant performing the external audit of the institution for the previous year will be performed.
Another worksheet known as a Periodic Reports Worksheet is used to document the review of any other reports submitted by either the financial institution or the public accountant. These reports include, but are not limited to: any management letter issued by the IPA; written notice of the engagement, resignation or dismissal of an IPA by an institution and the reasons for such an event; or, written notice from the IPA that it has ceased to be the accountant for an institution and the reasons for the termination.
Some institutions also submit a management letter with the annual report documents. The management letter is addressed to the board or audit committee. It details internal control weaknesses that were not considered reportable conditions or sufficiently material to include in the audit report. If a management letter has been submitted, the case manager should review the submission and complete a Part 363 Periodic Report Worksheet. The review should conclude with a determination as to whether a change in supervisory strategy, follow-up action, or review of the auditor's workpapers are needed.
Follow-Up Action or Change in Supervisory Strategy: If it is determined that follow-up action or a change in supervisory strategy is warranted for a state non-member bank, case managers should discuss the concerns with the field office supervisor, determine the appropriate supervisory strategy to address these concerns, and prepare a memorandum outlining the recommended course of action. Thus, a case manager's primary interest in an IPA's work is focused on the FDIC's role as a supervisor and an insurer.
If, in the case manager's judgment, an IPA product contains negative information that may be severe enough to warrant concern over the safety and soundness of the institution, the case manager should discuss the concerns with the field office supervisor. Together they should determine the appropriate supervisory strategy to address these concerns and prepare a memorandum outlining the recommended course of action.
FDIC as Insurer: As insurer, the FDIC continually evaluates how changes in the economy, financial markets, banking system, and individual financial institutions affect the adequacy and viability of the deposit insurance funds. To protect the insurance funds, the FDIC identifies risks by analyzing economic, financial, and banking trends, as well as IPA work products, and communicates these findings to the industry and the other federal banking agencies and state authorities. As the insurer, the FDIC, by statute, has special insurance authority for all insured depository institutions. Should the FDIC identify significant emerging risks or have serious concerns raised in IPA work about any insured depository institution not primarily supervised by the FDIC, the FDIC and the institution's primary federal supervisor work together to address them. (Note: The institutionís charter determines which federal banking agency is the "primary federal supervisor" of the particular institution.)
As a supervisor, the FDIC is the primary federal banking regulator of all state non-member banks. In that regard, the FDIC performs safety and soundness examinations, visitations, and investigations of FDIC-supervised institutions to assess their overall financial condition, management practices and policies, and compliance with applicable laws and regulations. Through the examination process, the FDIC also assesses the adequacy of management and internal control systems to identify and control risks. An IPA's work may complement an institution's internal audit function by providing another independent and objective view of the reliability of the institution's financial statements and the adequacy of its financial reporting internal controls. Procedures normally performed in completing this assessment may disclose the presence of fraud or insider abuse.
RESULTS OF AUDIT
FDIC examiners made reasonable use of the work performed by IPAs. For those institutions with CAMELS ratings of 1, 2, or 3, FDIC examiners and case managers considered IPA reports, management letters, and other available documentation in conjunction with their safety and soundness examinations and in devising the overall supervisory strategy. FDIC examiners expanded their examination testing and review when an IPA uncovered or reported irregularities or problems in an area and the examiners followed up on the institutionís corrective actions. Examiners also effectively resolved differences with IPAs. In addition to the above, for poorly rated institutions Ė those with CAMELS ratings of 4 or 5 Ė examiners reviewed the IPAís workpapers, thoroughly documenting their review. FDIC examiners reviewed IPA workpapers to gain an understanding of the IPA's scope and results of work performed including, for example, in the areas of internal control, the risk of material misstatement due to fraud, or asset valuation concerns.
In general, the FDIC has established sound examination policies and procedures for evaluating the effectiveness of a financial institutionís external audit program. While the FDICís risk-focused examination policy, as stated in Regional Directors Memorandums 1998-100, dated December 16, 1998 and 1999-011, dated March 23, 1999, could be interpreted to require testing of IPA work in order to reduce the scope of examinations, such testing would only be possible by reviewing the IPAís workpapers. However, we do not consider routinely reviewing the IPAís workpapers to be necessary or practical for all examinations of better-rated institutions. The FDICís approach of deciding on a case-by-case basis whether to review the work of IPAs on examinations of better-rated institutions provides appropriate balance between risk and use of examination resources.
Appendix II discusses the detailed results of our audit, including three instances of noncompliance with FDIC policy and procedures. These were deemed insignificant.
CORPORATION COMMENTS AND OIG EVALUATION
On March 20, 2003, the Director, DSC, provided a written response to the draft report, although the report did not contain recommendations. The response is presented in Appendix IV of this report. The Director of DSC stated the Division would continue to be proactive in addressing their evaluations of external audit activity through their own efforts and through interagency initiatives.
Table 2: GLOSSARY
OBJECTIVE, SCOPE, AND METHODOLOGY
The overall objective was to evaluate FDIC examiner use of work performed by IPAs who are engaged by FDIC-supervised financial institutions. In accomplishing our objective, we reviewed:
To accomplish our audit objective, the OIG interviewed DSC headquarters and Dallas, San Francisco, Chicago, Memphis, Boston, and New York regional office personnel. We interviewed selected examiners and supervisory examiners who worked on the examinations we reviewed. We also reviewed the DSC Manual of Examination Policies, FDIC Case Managers Procedures Manual, Regional Directors Memoranda, FDIC Financial Institution Letters, and the Risk Scoping Activities and Reviews of External Auditor Workpaper ED Modules to obtain an understanding of the policies and procedures that determine the scope and requirements for the use of and reliance on IPA work. Additionally, we reviewed FDIC compliance with applicable laws and regulations. Finally, we reviewed current news articles, proposed legislation, and other agency and regulator reports and related documents to gain an understanding of concerns and viewpoints of the regulatorsí role and responsibilities in working with IPA data and reports.
We reviewed 30 institution examination files along with the related correspondence and administrative files. Initially, we judgmentally selected 33 examinations from the seven regional offices based on institution size and geographic location. Based on our initial results for the 30 institutions reviewed, we eliminated the 3 selected institutions in the Atlanta region based on the consistent facts we found in the other 6 regions. The 33 original examinations were specifically selected from two groups of institutions. The first selection was of institutions that had an examination composite CAMELS rating of 4 or 5. Next, we selected institutions that were either over $500 million in asset size or were between $250 and $500 million. Of the 33 institutions selected, 1 institution had an examination composite CAMELS rating of 1, 19 were rated 2, 4 were rated 3, 7 were rated 4, and 2 were rated 5. We reviewed the DSC examination workpapers, the general safety and soundness correspondence/administrative files, IPA audit reports, and various FDIC and state examination reports. In addition, we reviewed matters relating to external auditorsí involvement in verifying a financial institutionís call or thrift financial report data, providing internal audit services, and retaining certain documentation related to engagements.
From the sample of 30 exams, we also reviewed the pre-examination scope memorandum comments that related to IPA audit work. This review was essential for developing an understanding of any risk-scoping or pre-examination planning activities performed by examiners to risk-focus the examination based on IPA work. For all 30 examinations, we assessed the extent to which the examiner used the IPA data or reports and how such information impacted the examination.
The limited nature of the audit objective did not require reviewing related performance measures under the Government Performance and Results Act, testing for fraud or illegal acts, or determining the reliability of computer-processed data obtained from the FDICís computerized systems. We gained an understanding of relevant internal control activities by examining DSCís applicable policies and procedures as presented in DSC manuals, Regional Directors Memoranda, and Examination Documentation Modules. We decided not to test internal control activities because we concluded that the audit objective could be met more efficiently by conducting substantive tests rather than placing reliance on the internal control system.
We performed fieldwork at the Dallas, San Francisco, Chicago, Memphis, Boston, and New York regional offices and at 10 field offices within those regions. We reviewed examinations performed during the period of January 1, 2000 through December 31, 2001. We performed our audit from April 2002 through January 2003, in accordance with generally accepted government auditing standards.
EXAMINER AND CASE MANAGER COMPLIANCE WITH FDIC POLICY
In our review of 30 institutions, we identified three instances where examiners and case managers did not comply with FDIC policies and procedures. First, a review of an IPAís workpapers was not initiated timely because of examiner oversight. Second, case manager files and examination workpapers contained no evidence that one institutionís Part 363 filing was reviewed, as a result of confusion during the institutionís merger. Finally, in one instance, examiners did not follow up on an IPAís management letter that explained concerns the IPA had about internal controls at the bank, because of misunderstandings surrounding the institution changing its IPA. As a result, examiners may not have adequately assessed potential problems and weak internal controls that may have existed at the three affected institutions. However, we did not identify any specific negative effect in these instances.
Workpaper Reviews in Downgraded Institutions
Examiners did not initiate a workpaper review timely for one of the three downgraded institutions in our sample. The examiners had overlooked scheduling a review of the IPAís workpapers until they were notified of our visit to the field office in conjunction with this audit. However, the workpaper review was initiated before the bankís next scheduled examination.
FDIC Regional Directors Memorandum 2000-055, Reviews of External Auditorsí Workpapers, issued November 30, 2000, states that when an institution is downgraded to a 4- or 5-rating after an examination, arrangements should be made to review the IPAís workpapers (if not already reviewed) within 3 months of the downgrade unless the downgrade occurs within the last 3 months of the institutionís fiscal year. In that case, the workpaper review should be performed on that fiscal yearís audit within 3 months after the completion of the audit early the following year.
Further, according to FDIC Regional Directors Memorandum 2000-019, Reviews of External Auditorsí Workpapers, dated March 21, 2000, examiners, through the auditorsí workpapers, can review the external auditorís evaluation of internal controls, assessment of audit risk in the institution (including risk of material misstatement of the financial statements due to fraud), significant account balances and transactions, and other audit areas pertinent to the examination. A workpaper review is recommended in those circumstances where it will provide the examiner a better understanding of one or more areas of the bankís operations and the bases for some of the auditorís evaluations in those areas. Thus, a review can be another source of information about the bankís internal control and financial reporting practices and about the work that the auditor has performed in specific audit areas of the bankís operations or activities. The review may help determine the scope of the examination procedures that should be carried out. The review can identify those areas where the independent public accountant performed audit work sufficient to enable the examination procedures in those areas to be limited, and those areas of higher risk on which examination procedures should be expanded. However, the sufficiency and appropriateness of the external auditorís procedures may be different from the procedures the examiner would perform during an examination. Reviewing audit workpapers may also acquaint an examiner assigned to an institution for the first time with what the auditor considers to be audit and internal control risks in that institution.
Examination workpapers revealed that for one of the three downgraded institutions in our sample, examiners had not initiated a workpaper review as required within 3 months of the institution being downgraded. In response to notification of this audit, examiners initiated a review of the IPA's workpapers 9 months after the previous examination. However, because the rating downgrade occurred within the last 3 months of the institutionís fiscal year, examiners should have performed a workpaper review within 3 months after the completion of the IPA audit early the following year.
FDIC examiners completed their examination of the downgraded bank October 17, 2001. The bankís fiscal year ended December 31, 2001, and the IPA completed the bankís audit on February 14, 2002. Accordingly, a workpaper review should have been initiated within 3 months of February 14, 2002, or by May 14, 2002. However, examiners overlooked scheduling a review of the IPAís workpapers. The review was not initiated until June 3, 2002, in response to our visit to the field office conducting the examination. Nevertheless, the examinerís request to review the IPAís workpapers was only 3 weeks late and the workpaper review was initiated before the bankís next scheduled examination.
Review of Part 363 Filings
FDIC case manager files and examiner workpapers for 1 of the 19 Part 363 institutions in our sample did not contain any evidence of review of required financial statements provided by a financial institution with more than $500 million in total assets. This situation occurred because of confusion surrounding the merger of the institution into a larger institution and the subsequent transfer of files between case managers in different FDIC regional offices. As a result, we could not determine whether the case managers had fulfilled their responsibility to ensure that the institution had complied with its Part 363 audit and reporting requirements. However, the bank had received composite CAMELS ratings of 1 in each annual examination since 1997, and the bank merged into a 2-rated bank.
Part 363 of the FDIC Rules and Regulations establishes audit and reporting requirements for insured depository institutions with total assets of $500 million or more and their independent public accountants. The reports and notifications must be submitted to the FDIC, the appropriate primary federal regulatory agency, and the appropriate state banking authority.
Under Part 363, management of each institution covered by this regulation must engage a public accountant, prepare annual financial statements in accordance with GAAP, and produce annual reports. The independent public accountant engaged by the institution is responsible for auditing and reporting on the institution's financial statements in accordance with generally accepted auditing standards, and examining, attesting to, and reporting separately on the assertions of management concerning the institution's internal control structure and procedures for financial reporting. Furthermore, Section 13 of the FDIC Case Managers Procedures Manual, Part 363 - Annual Audit and Reporting Requirements, states that case managers are responsible for reviewing Part 363 filings from covered and associated institutions in their caseloads.
However, FDIC case manager files and examiner workpapers for 1 of the 19 Part 363 institutions in our sample did not indicate that the case manager reviewed and determined whether the institution fulfilled its audit and reporting requirements. Although examiners in the Dallas field office examined the bank in question, the responsible case manager resided in the Kansas City regional office. The bank was then sold to a holding company within the jurisdiction of the FDIC's San Francisco regional office and is currently overseen by a case manager in the San Francisco regional office. Followup with the Dallas field office and case managers in both regional offices determined that none of them had a copy of a Part 363 Worksheet to evidence a case manager's review. We believe it was either lost during the transfer of files between regional offices or none was ever completed. As a result, we could not determine whether either of the FDIC case managers (1) determined whether the institution fulfilled its audit and reporting requirements, (2) reviewed the institution's Part 363 prior year submission to see if there were any issues noted, and (3) reviewed the institutionís Part 363 submission for completeness to ensure it included all required documents.
However, the bank in question merged with another, larger institution effective June 15, 2002. In addition, the bank had received composite CAMELS ratings of 1 in each annual examination since 1997.
Followup on Management Letters
In one instance in our sample, examiners did not follow up on an IPAís management letter that explained concerns the IPA had about internal controls at the bank. This lack of followup occurred because of misunderstandings surrounding the institution changing its IPA. The FDICís senior examiner could not explain specifically why examiners had not followed up on the IPAís management letter. As a result of not following up on the management letter, possible internal control weaknesses at the institution, potential problems resulting from those weaknesses, and bank management's response and actions regarding these problems may not have been adequately reviewed by examiners at the subsequent examination.
FDIC Regional Directors Memorandum 2000-019, Reviews of External Auditorsí Workpapers, dated March 21, 2000, states that before or during each examination, examiners should obtain from management all correspondence between the external auditor and the bank. The correspondence to be reviewed includes the management letter and any other letters or documents in which any weaknesses in internal control may be discussed. The examiner should also review managementís responses and actions planned to alleviate any internal control weaknesses that were noted by the auditor. For any material weaknesses and reportable conditions identified by the auditor, the examiner should ensure that management has planned appropriate corrective actions and determine whether the institution has implemented the actions planned to correct the deficiencies. If the examiner believes that managementís actions are inadequate, the examiner should make recommendations for improvement, according to the Regional Directors Memorandum.
During our review of a regional case managerís file, we found an IPAís management letter that explained concerns the IPA had about internal controls at the bank. The letter was addressed to the management and audit committee of the institution. It was also forwarded to the responsible FDIC regional office where we found it in the case managerís files. However, we could not find a copy of the management letter in the field office examination workpapers or any notation as to whether examiners had followed up on it.
Finding no evidence of followup in the examination workpapers, we asked the FDIC senior examiner to contact bank management to obtain a copy of management's response to the IPA's management letter. Bank management advised that they did not respond to the IPA's management letter because the bankís audit committee had been in the process of replacing the IPA. The bank had submitted the required notice alerting federal regulators that the bank had replaced its external auditor.
In addition, the senior examiner contacted one of the examiners who worked on the subsequent examination and learned that the examiners looked at the successor IPAís information. The examination workpapers did contain evidence of the examinerís review of correspondence between the new external auditor and the bank. However, no followup was performed to determine whether bank management had responded to the former IPAís management letter. According to the senior examiner, the subsequent examination was conducted jointly with a state bank regulator, and a state examiner was tasked with evaluating the institutionís external audit program. The examiner contacted did not have an explanation as to why the stateís examiner did not follow up on the former IPAís management letter.
Although examiners should follow up on IPA management letters, we believe this was an isolated instance, based on the results of our sample. Additionally, the institution involved received composite 1 CAMELS ratings from 1997 through 2000, and a composite 2 rating at the conclusion of the 2001 examination conducted by FDIC and the state agency.
Table, Appendix III: Federal Deposit Insurance Act Section 36 Ė Early Identification of Needed Improvements in Financial Management for Institutions with More than $500 Million in Total Assets
Source: FDI Act Section 36.
March 20, 2003
TO: Stephen M. Beard, Deputy Assistant Inspector General for Audits
FROM: Michael J. Zamorski [Electronically produced version; original signed by Michael J. Zamorski], Director, Division of Supervision and Consumer Protection
SUBJECT: Draft Report Entitled FDIC Examiner Use of Work Performed by Independent Public Accountants (IPAs) (Assignment No. 2002-805)
Thank you for the opportunity to review and respond to the Office of Inspector Generalís (OIG) draft report entitled FDIC Examiner Use of Work Performed by Independent Public Accountants (IPAs). The draft report states that the Division of Supervision and Consumer Protection (DSC) has established sound examination policies and procedures for evaluating the effectiveness of a financial institutionís external audit program. Because of these findings, the OIG has made no formal recommendations regarding the assessment of independent public accountants.
DSC is pleased to receive your statements supporting the FDIC risk-focused examination program and the validation of our sound processes for evaluating external audit activity. DSC will continue to be pro-active in addressing this subject area through our own efforts and through interagency initiatives. We appreciate the OIGís recognition of our efforts in this area and we thank the OIG for the courtesies extended by your staff.
|Last Updated 04/09/2003|