Increased mergers and acquisitions in the wake of the Great Recession have led to a decline in bank charters and growth in individual bank assets. As a result, more and more community banks are approaching FDICIA thresholds for additional regulatory requirements. The COVID-19 pandemic and resulting economic fallout are likely to further increase consolidation and resulting asset levels for many institutions. The FDICIA regulatory requirements go into effect when a bank reaches $500 million or more in asset size as of the first date of its fiscal year (January 1 for calendar-year-end companies). The requirements apply at the charter, not holding company or consolidated, level, and additional requirements come into play at the $1 billion mark.
What is your FDICIA readiness plan?
Preparing for compliance with the requirements is a significant undertaking, and early and focused planning is key. We recommend starting at least 18 to 24 months in advance. Additionally, for banks managing capital ratios during periods of recession, the FDICIA thresholds are important guideposts to consider in your strategic planning since meeting the requirements can be resource-intensive.
Requirements when reaching $500 million in assets
Once your bank crosses the $500 million mark as of the first date of its fiscal year, you’ll need to meet several new requirements and take the following actions:
- Conduct an independent financial audit.
Nonpublic banks must conduct an audit within 120 days, while public banks must conduct the audit within 90 days. It’s important to note that the auditor for a bank reaching the $500 million mark must meet more stringent SEC/PCAOB independence standards than the AICPA standards you may have been adhering to previously. The SEC/PCAOB standards place additional prohibitions on services the independent auditor can provide, such as preparing financial statements and the annual tax provision, or supporting internal audit and other risk management activities.
You’ll need to submit comparative financials with the audit, but the previous year’s reporting can be presented to regulators as unaudited.
- Establish an audit committee of (predominantly) outside directors.
Banks must establish an audit committee, responsible for the governance of financial reporting. To avoid potential conflicts of interest, the majority of audit committee members must be outside directors rather than members of management. The committee’s role is to engage and oversee the independent auditor and serve as the liaison between the bank and the auditor. The audit committee and auditor must communicate directly. To maintain independence of the audit, management shouldn’t be involved.
- Prepare your annual report.
Banks are required to submit an annual report that includes the following, as determined by the FDIC’s Part 363 annual independent audits and reporting requirements:
- Audited, comparative financial statements
- Independent auditor’s report on the audited financial statements
- A management report, including but not limited to, a statement of management’s responsibility for preparing the financial statements, for establishing and maintaining an adequate internal control structure over financial reporting, and for complying with applicable rules and regulations on insider loans and dividend restrictions
- An assessment of management’s compliance with the above noted rules and regulations
- Independent auditor’s report to the audit committee, including all required annual communications
Planning ahead for the $500 million mark
Remember, it’s important that you consider starting the planning process 18 to 24 months in advance, with the following two steps.
- Perform an audit.
Have an audit performed the year before your bank crosses the $500 million mark. Without this, an opening balance sheet audit may need to be performed at the start of the fiscal year in which you reach the threshold.
- Assess auditor independence issues and impact.
The SEC/PCAOB standards for independence that you must follow after your bank reaches $500 million in asset-size call for a greater degree of auditor objectivity. Both the audit committee and management must ensure no potential conflicts arise and that the financial statement auditor:
- Has no mutual or conflicting interest between the audit firm and the institution.
- Isn’t put in a position to audit their own work.
- Doesn’t act as management or an employee.
- Doesn’t act as an advocate for the institution.
As a result, your financial statement auditor can’t perform certain nonattest services:
- Bookkeeping & financial statement preparation
- Designing & implementing financial information systems
- Appraisal or valuation services
- Actuarial services
- Internal audit
- Tax return preparation for individuals who oversee financial reporting
Requirements when reaching $1 billion in assets
If you own an individually chartered bank that reaches $1 billion in assets, you must submit all of the same items as when your bank reached $500 million. In addition, you must:
- Establish a completely independent audit committee.
Your audit committee must now consist only of outside directors, independent of management. This may require current audit committee or board members to be replaced, another reason to start the compliance process early.
- Prepare expanded documentation.
Documentation includes a management assessment and attestation of internal controls over financial reporting comprising:
- A statement identifying the internal control framework used, COSO in nearly all cases, and asserting its effectiveness
- A statement that the assessment included controls over the preparation of regulatory reporting
- An independent auditor’s attestation that the internal control environment was operating effectively with respect to year-end financial reporting. Of course, all material weaknesses are required to be disclosed, if not remediated.
Planning ahead for the $1 billion mark
One billion dollars in asset size represents another significant milestone for your bank, and preparing to meet FDICIA requirements at this level is no small undertaking for your management team or your auditor. Start early and work together to:
- Designate an FDICIA implementation leader and team.
The team should include key business process owners, executive management, your audit committee, and both your external and internal auditors, among others. Internal auditors usually play a major role in both implementation consulting and testing.
- Conduct and/or update your risk assessment.
If you don’t currently do so, conduct or update your business risk assessment to identify the financial institution’s auditable entities and related risks. These entities will be used not only for internal audit testing purposes but also for FDICIA testing purposes. The end result of your risk assessment will be your risk-based internal audit plan, which serves as your institution’s base for its testing plan.
- Conduct a materiality and mapping analysis to identify in-scope business areas.
Once your auditable entities are identified, conduct a financial statement materiality and mapping analysis to identify your key business entities. These areas, where key financial reporting controls operate, will be tested for FDICIA compliance. Typically, they may include lending, deposit operations, accounting and finance, investments, human resources/payroll, cash/wires, allowance for loan and lease losses, and information technology (IT).
- Conduct business process walkthroughs and identify key controls.
Perform a walkthrough of every business process involved, focusing on processes for recording and reporting transactions. For each business process, look for the critical points that ensure recorded information is accurate and use what you find to identify your key financial reporting controls. Business process owners should review these narratives, as they will serve as the basis for your key controls and testing plan. As the old saying goes, “garbage in, garbage out.” Inaccurate narratives can lead to both incorrect testing results and key control deficiencies, which will consume much valuable time. Take the time upfront.
You’ll also need to pay close attention to your IT controls, which now, above the $1 billion threshold, require more extensive and rigorous testing than regular IT General Controls reviews. Areas such as core processors, investment safekeeping and bond accounting, and payroll processing are likely to receive greater auditor scrutiny.
- Summarize key controls and obtain “buy-in.”
Prepare a “Risk Control Matrix” or RCM. This will make it easy to keep track of all of your FDICIA key controls and the required information for each identified control, including the nature of the control and frequency of the control. Is it annual, semiannual, quarterly, monthly, daily, or continuous? Consider the related test plan and sample size, driven by the aforementioned frequency of the control. This document will also serve as your future results and remediation “tracker.”
“Buy-in” is important for both business managers and external auditors. Business managers must confirm the accuracy of the controls included on the RCMs. External auditors will often identify missing key controls that they will require to be tested. They will also have their opinions on your sampling test plan. It is better to know ahead of time that your test plan is deficient than to find out at the end of the year, when additional testing is required and you will not have time to remediate any control problems the testing reveals.
- Key Control Design Analysis/Remediation.
Planning ahead for your FDICIA Implementation allows you to evaluate the results of the actual design of the key controls. You will want to review carefully the design of the control so that deficiencies can be corrected immediately. This is the benefit of implementing FDICIA 18 to 24 months ahead of time. It allows you enough time to correct the design without pressure and not have to wait for enough transactions to process after the new test. Oftentimes, if you wait, you simply may run out of time.
- Don’t forget information technology.
IT may be the last area on your mind, but in this case, it clearly should not be. IT-related FDICIA key controls are critical to identify and are woven throughout the organization. Making sure you have a strong IT resource to assist throughout this process will be the difference between a solid FDICIA testing plan and a potentially weak one, which may not be approved by your external auditors and could cost you additional time and resources. The IT area will have its own business process documentation and its own section of key controls as included on the RCM. IT provides a critical piece of a successful testing plan.
Now, you’re ready and you have implemented FDICIA — time to comply with FDICIA!
So now that you have implemented FDICIA and are properly prepared, you have done the following:
- Identified your FDICIA implementation and testing team
- Conducted a risk assessment and financial statement materiality analysis
- Identified key business processes
- Conducted business process walkthroughs and identified key financial reporting controls
- Evaluated the design of these key financial reporting controls
- Summarized your test plan in an RCM
- Obtained buy-in from your business process owners and external audit
You are ready to comply with FDICIA.
FDICIA testing is often combined with your internal audit testing plan to make the most efficient and effective use of resources. Here is a brief summary of the FDICIA portion of the testing.
- Test key controls: a two-phase process.
Identify your two-phased approach: initial testing phase and remediation/rollforward testing. You will also need to break down your samples into these two phases so that enough transactions are tested to cover the majority of the year. It’s also critical for you to agree on the time frame for these phases. You need to allow enough time between the initial phase and the remediation/rollforward phase, in case deficiencies are identified. You will need to “fix” or remediate the control and allow for enough transactions to be processed with the new control so that it can be tested.
Work with each business process owner during your initial phase to test your key financial reporting controls to identify any weaknesses or inaccuracies. Determine the root cause of any deficiency identified. The nature and number of deficiencies noted will drive the remediation plan. Remember early identification will ensure that there is enough time for remediation.
A few additional points to note: First, internal audit isn’t a control. Revisit any business process that relies on internal audit as the control and identify the appropriate remediation. This ties right back to the concept of evaluating the design of the control.
In addition, be sure your control testing, and the transactions you select for testing, cover the entire fiscal-year period. Identifying the two testing phases upfront will ensure that you have the appropriate testing period.
Last but not least, you’ll want to leave an audit trail of your control. Maintain documentation so both internal and external auditors can see what was done.
- Collaborate, communicate, and coordinate with auditors.
Involve your external auditor early to ensure they’re in agreement with the risks you’ve identified and your testing approach and timing. From the start, make sure your business process owners agree on the controls that represent their processes. Then, share those controls with your external auditor for feedback before you start testing. If you coordinate well, your external auditor can follow your internal testing, and you can leverage the results for greater efficiency.
- Develop and execute your remediation plan.
This is where you’ll both address any issues noted during testing and update your risk control documentation to accurately reflect actual processes. Be aware that when a control issue is identified, the auditor must look back at the entire period of time that control wasn’t operating. The earlier you spot those issues, the more time you have to remediate and ensure effective operation.
- Report regularly.
Regular reporting on testing status and results for the year to senior management, your audit committee, and your auditor is useful in the first year. Since issues will arise, management and the audit committee need to be aware of what’s being done to correct them, particularly since material weaknesses and significant deficiencies will be included in your auditor’s reporting.
As your bank increases its asset size and approaches the $500 million and $1 billion thresholds, you must understand FDICIA requirements and, we can’t emphasize enough, plan accordingly, ideally 18 to 24 months in advance. Without advance planning, FDICIA implementation can be accomplished in the required year. Rushed preparation only complicates the process and adds cost, drawing valuable resources away from the initiatives contributing to your bank’s continued growth and success. If you have any questions about FDICIA readiness, implementation, and related requirements, feel free to contact us. Our banking team has assisted many institutions in this industry and compliance through our tools, templates, and broad suite of services. We can help streamline your preparations.