Update:
This article was originally published on March 9, 2018. It has been updated to reflect current statistics.
Key insights
- As banks continue to grow, it’s important to understand how asset size affects your institution’s accounting and internal control requirements.
- There are audit and other reporting requirements when your bank reaches either $500 million or $1 billion in assets.
- As your bank grows larger and approaches these asset thresholds, there are steps you can start today to help ease your audit committee, management team, and staff into this transition.
The banking industry continues to experience significant consolidation. The number of Federal Deposit Insurance Corporation (FDIC)-insured institutions is now below 5,000, down from approximately 7,000 10 years ago. This consolidation, along with a variety of other factors including inflation, government stimulus, and organic growth, has led to an unprecedented increase in the average size of a bank.
With asset growth comes new financial, regulatory, and internal control-related challenges. When your bank is growing, knowing what changes your institution needs to make — and when you need to start making them — can help you better prepare for the task ahead and plan accordingly.
FDICIA affects organizations differently based on assets
The Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) was implemented in response to the savings and loan crisis to strengthen the power of the FDIC. Federal banking agencies were required to take supervisory actions when capital of an institution declined, and then grade institutions on a one to five scale (CAMELS rating). Prompt corrective action and least-cost resolution were also created as a part of this act.
In addition to the broad changes implemented by the act, which impact all institutions, there are also specific requirements from Part 363 of the FDIC’s regulations that affect institutions with either more than $500 million or $1 billion in assets. The measurement date for these asset thresholds is the beginning of the fiscal year (i.e., if the institution reaches one of these asset thresholds during its fiscal year, the items below would not be required until the following fiscal year assuming you do not fall below either threshold as of the beginning of the fiscal year).
FDICIA applies to individually chartered institutions, so asset thresholds are applicable on a bank-by-bank basis. For example, if a charter is acquired by a bank holding company, and the charter will remain separate, the FDICIA requirements will only apply to the individual charter once it exceeds $500 million in assets. If this charter is merged into another charter and the combined assets exceed $500 million, the FDICIA requirements are effective as of the beginning of the fiscal year following the merger.
Even if the charters are individually owned by the same holding company, Federal Reserve Y-6 includes a requirement that top-tier holding companies with consolidated assets of $500 million or more must have an annual audit of their consolidated financial statements by an independent accountant. In this instance, the consolidated holding company will require a consolidated audit, but FDICIA rules would not apply.
What the growth looks like
These numbers show just how significantly banks’ asset sizes have increased over recent years:
Date | Number of FDIC-insured institutions | Average asset size | 10-year % increase | Median asset size | 10-year % increase |
---|---|---|---|---|---|
6/30/2023 | 4,645 | $5,051,668 | 147% | $323,943 | 93% |
12/31/2017 | 5,721 | $3,046,146 | | $210,040 | |
12/31/2012 | 7,092 | $2,046,090 | | $168,020 | |
*Information is based on data extracted from filed call reports for all FDIC-insured banks for the relevant quarters.
With the increase in the average asset size of institutions over the last decade, more banks are nearing the FDICIA thresholds. As of June 30, 2023, there were just under 300 institutions with total assets between $400 million and $500 million, and another 150+ with assets between $850 million and $1 billion. Banks in these asset ranges would be wise to begin preparation for the implementation of FDICIA requirements.
Areas to consider when nearing $500 million in assets
If your bank is approaching $500 million in assets, critical components that may affect your institution once you have crossed the threshold include:
Your institution must submit audited financial statements to the appropriate federal bank agency within 120 days of the end of the fiscal year for a non-public institution, or 90 days if the institution is publicly traded. The financial statements must be comparative. If your bank has not been audited in the past, statements for the earlier year may be presented on an unaudited basis.
Financial statement auditor independence requirements become more stringent for non-public institutions. FDICIA requires the auditor comply with the most restrictive independence standards and interpretations of the American Institute of Certified Public Accountants, the Securities and Exchange Commission (SEC), and the Public Company Accounting Oversight Board (PCAOB). In most situations, the SEC and PCAOB rules are the most restrictive; thus, services such as tax return preparation for individuals in a financial reporting oversight role and various non-attest services are now restricted from being provided by the financial statement auditor and the audit requires partner rotation every five years.
In addition to submitting audited financial statements, your bank is also required to submit a statement of management’s responsibilities, and an assessment of these responsibilities, for:
- Preparing the institution’s annual financial statements
- Establishing and maintaining adequate procedures and an internal control structure for financial reporting
- Complying with laws and regulations relating to safety and soundness designed by the FDIC and the appropriate federal banking agency
As a part of a financial statement audit, your bank will also receive the following reports from your auditors, which need to be filed with the appropriate federal banking agency within 15 days of receipt:
- Governance communication — required communication with governance (contains the auditor’s responsibilities, critical accounting policies, corrected and uncorrected misstatements, any disagreements with management, etc.)
- Internal control communication (if applicable) — communication of any material weaknesses or significant deficiencies in internal controls noted during the audit
Once you cross $500 million in assets, you are required to have a separate audit committee, and the majority of members of this audit committee must be outside directors and a majority of the members must be independent of management. There are specific requirements outlined in FDICIA defining what would disqualify the independence of an outside director.
These requirements are critical for your institution to be compliant. For example, an outside director would not be considered "independent of management" if they have been an employee, provided consulting services, participated in the preparation of the financial statements, or received more than $100,000 of compensation from the institution in the last three years.
Implementation plan for institutions crossing $500 million in assets
It’s important for your institution to create a strategic plan for compliance with the FDICIA regulations as you approach this asset threshold. Here are some items to help with the transition in the year prior to crossing $500 million in assets:
If your bank has never been subjected to a financial statement audit, a balance sheet audit should be considered in the year prior to crossing $500 million. This provides significant efficiencies in transition, as:
- The auditor will not need to audit opening balances in the year of FDICIA implementation because the balance sheet audit will fulfill that requirement.
- This will allow the auditor to assess internal controls over financial reporting (ICOFR) in a timelier fashion, which will identify any potential material weaknesses or significant deficiencies in internal controls. Your bank can then work to remedy control deficiencies prior to the requirement to send internal control reports to the applicable federal regulatory agency.
If you are working with one CPA firm for a variety of services, you must carefully determine if you can use the firm for your financial statement audit, and then identify which non-attest services that firm can and cannot provide. Given the heightened independence requirements, your management and audit committee must verify that the relationship with or services provided by the firm engaged to provide the external audit has not or will not:
- Create a mutual or conflicting interest between the audit firm and the institution
- Place the auditor in the position of auditing their own work
- Result in the auditor acting as management or an employee of your institution
- Place the auditor in a position of being an advocate for your institution
Regulations specifically prohibit an external audit firm from providing certain non-audit services, including:
- Bookkeeping or other services related to your accounting records or financial statements, which includes drafting financial statements
- Financial information systems design and implementation
- Appraisal or valuation services
- Actuarial services
- Internal audit outsourcing services
- Tax return preparation for individuals overseeing financial reporting
FDICIA independence rules do not allow the financial statement auditor to prepare the financial statements they audit. There are several things your bank can consider when preparing these financial statements:
- If your bank does not feel it has the appropriate staff or experience to prepare a set of financial statements in accordance with generally accepted accounting principles (GAAP), you could consider hiring additional internal personnel with the requisite knowledge or engage with an outside firm other than your external audit firm for financial statement preparation assistance.
- Most banks that have previously relied on the financial statement auditor to draft financial statements and footnotes have a more successful transition to this requirement if they begin the practice before the FDICIA requirement is effective. Often, the auditor has created additional documentation, schedules, or reports to aid in financial statement preparation. Your management will need to take responsibility for these items, as well as determine if proper controls over both preparation and review are in place.
- Identify external training resources for accounting alerts and disclosure checklists or attend GAAP educational events to keep up to date on industry and GAAP changes impacting financial reporting.
Develop a plan to identify potential independent audit committee members to verify these individuals are a majority of the audit committee. This may require naming additional members or removing current members.
Your audit committee is responsible for engaging and overseeing an independent audit firm, which includes adherence to contractual responsibilities. Effective and timely communications generally require discussions in the planning and reporting phases of the audit. The committee should have effective two-way communication with the independent audit firm, including but not limited to:
- Discussions regarding critical accounting policies and practices
- Alternative accounting treatments
- Internal control matters
- Unadjusted differences
- Any other written communications provided to management
Crossing $1 billion in assets
For banks looking to cross $1 billion in assets, consider starting much earlier on your implementation plan (ideally two years prior to crossing this asset threshold). All the rules for banks crossing $500 million in assets apply, with the following additions and modifications:
If your bank has more than $1 billion in assets, you are required to have a separate audit committee, and all members of the committee must be outside directors independent of management. Your institution should work to identify potential independent audit committee members so only independent members are on your audit committee. This may require a change from current members.
Management must provide an attestation of the effectiveness of your bank’s internal control structure and procedures, which include:
- A statement identifying the internal control framework used by management to evaluate the effectiveness of your institution’s ICOFR.
- A statement that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions, including identification of regulatory reporting instructions.
- A statement expressing management’s conclusion whether your bank’s ICOFR are effective as of the end of its fiscal year. Your management must disclose all material weaknesses in your ICOFR, if any, that have not been remediated prior to the insured depository institution’s fiscal year-end.
As a part of the external financial statement audit, the auditors are required to issue an opinion on the effectiveness of your bank’s ICOFR, which is also provided to the appropriate federal banking agency. In order to issue the management reports listed above and your external audit reports, significant modifications will most likely need to be made in how ICOFR are documented and tested.
Implementation plan for ICOFR when crossing $1 billion in assets
Your first step when preparing for these new requirements is developing an overall ICOFR methodology. This will be a helpful document to promote an understanding of the process throughout your bank and can be reviewed by your auditors to gain timely concurrence. Some items to include in your methodology are identification of the internal control framework, specific guidelines for testing and reporting, and the impact of information technology.
Begin your annual ICOFR process
Following strong practices in the year leading up to implementation can make crossing these significant asset thresholds less cumbersome. As you near this transitional phase for your bank, make sure your team is adequately preparing for next steps.
Abiding by an internal control framework
When providing the FDICIA-required written assessment of your internal controls’ effectiveness, include a statement identifying the internal control framework used by management to evaluate your ICOFR’s effectiveness. This framework must be a suitable, recognized control framework established by a body of professionals who followed due-process procedures, and it must be widely available to users of management’s report. The most widely used framework is Internal Control – Integrated Framework, sponsored by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which includes 17 principles supporting five components.
For effective internal controls, the framework requires each of the five components and the 17 relevant principles be present and functioning, and the five components must operate together in an integrated manner. Management is responsible to evaluate and document whether the internal controls related to the relevant principles and components are present and functioning. Compliance with these requirements can vary based on the size and complexity of the institution, but usually can be demonstrated by incorporating the principles and components into a formal methodology document, testing certain entity level controls, and correlating existing key controls to the principles.
ICOFR documentation, testing and reporting
The attestation and opinion on ICOFR usually pose the biggest challenge for banks, largely because of the extent of personnel, time, documentation, and potential cost involved. Timely communication and planning can help your institution avoid common difficulties encountered in the year of implementation, including:
Good practice starts with educating, and obtaining buy-in from, all stakeholders, from individual control operational owners all the way to the board of directors. Setting the tone for the threshold requirements and explaining the importance of the key controls is essential for cooperation and improving results.
While it’s natural to assume your existing internal audit function is already FDICIA-compliant, it may not be true. There are requirements on verifying the entire fiscal year has been included in testing populations for all FDICIA controls, and sample size requirements may differ from your existing internal audit plans. Evaluate time and resources to determine if independent individuals within your institution or your consultants have sufficient skills, training, and budgets to test and report on FDICIA controls.
Watch for instances where the internal audit function (or outsourced internal audit) is actually the control operator. If the function is performing reconciliations, reviewing maintenance changes, assuming responsibility for employee deposit review, etc., then it’s the control. Because it’s not independent of the control, your institution cannot assert on your own work.
Management should determine if there is a clear methodology for risk assessment, sample sizes, frequency of testing, responsibility of testing, documentation, evaluation of control deficiencies, remediation, reporting, and communication with governance and the external audit firm. This methodology should be documented clearly and agreed upon annually with any outsourced parties and your external audit firm.
Your bank may understandably get lost in the documentation of your processes and, if not careful, spend time and resources focused on operational processes instead of ICOFRs. When documenting, take care your controls are defined. Including the who, what, where, why, and how can be very helpful in your control documentation.
Not sufficient: “Operations prints and e-mails Eric a report for his review.”
Sufficient: “Daily, Eric compares report X to the listing Y provided to him by operations and determines if the report totals agree.”
While the internal audit should spend time evaluating operational efficiencies and controls, the FDICIA requirement focuses on ICOFRs. FDICIA compliance is a component, albeit a significant one, of the overall risk management function. There is no special number of controls — each institution is distinct.
Key controls are those that, if they fail, could lead to a material misstatement on your financial statements or regulatory reports. While escheatment of unclaimed cashiers’ checks might be a necessary operational process, the control over this process is usually less than likely to cause a material misstatement. New loan boarding, review of management estimates, wire transfers, and reconciliation of the main correspondent bank are areas much more likely to have controls designed to detect, prevent, or correct potential material misstatements.
Institutions crossing either asset threshold should also evaluate and test key information technology (IT) controls, especially those relating to or impacting the financial reporting process. Give consideration to core processors, investment safekeeping, payroll processing, and accounting systems. Many institutions annually review their IT general controls to gain an overall impression of their systems. This review, while important, might need more extensive testing of certain key elements including, but not limited to, system access, key input and output controls, and user controls required by service organizations to satisfy management’s attestation and the external auditor’s opinion.
Attention should be given to the design and operating effectiveness of key controls. In many instances, sighting evidence of the reviewer’s initials on a reconciliation is not sufficient to conclude the control is designed and operating effectively. It might be necessary to include attributes such as verifying completeness and accuracy of the underlying data, inquiry, or observation of the control operator, and re-performance of the steps within the control in order to determine the control can be relied on.
Management should begin testing early to allow for inevitable control deficiencies. When detected in a timely manner, management can identify the root cause, evaluate the deficiency, correct the underlying control environment, and still have sufficient time during the year to determine if the control then operates effectively. If your bank waits until near the end of the year to perform testing, any control deficiencies noted may have to be reported because management no longer has enough instances of the control to remediate and test to conclude otherwise.
Many internal audit functions have existing internal audit plans testing controls on a rolling basis during the year. For example, your wire transfer audit might be done each year as of June 30, based on the previous 12 months’ wire activity. However, the ICOFR attestation and opinion are as of the end of the institution’s fiscal year. If a key control has not been tested since June, there is generally not enough evidence to say the control is designed and operating effectively as of year-end.
While it’s acceptable to test during the year, we recommend testing a portion of your sample size as of or near year-end. Any samples selected from a prior year’s annual reporting period do not provide evidence of control design and operation for the current year’s attestation and opinion.
While your bank’s controls may be designed properly, there may not be sufficient documentation to show your controls operate effectively. For example, your control operator might only review reports online, which are not retained or are written over by the system. It takes practice and planning to gather and retain documentation of the control’s existence and the underlying information, as well as leave a documentation trail of the review and what it entailed. Each individual control owner should understand what information needs to be retained to evidence the performance of a key control for an effective audit trail.
Next, the internal audit function subsequently testing the control must also retain evidence of this documentation and testing. This step is pivotal, as the external auditor must re-perform a sample of the internal auditor’s work, which generally hinges on the existence of this documentation. Because the external auditor may select another instance of the control’s operation (one the internal auditor did not test), the original documentation must exist. It often takes more than a year for all parties to get a handle on how to document and retain control information, and in the first few years of implementation we typically see many internal control deficiencies caused by absence of documentation.
ICOFR reporting doesn’t need to be extensive and cumbersome, but it needs to be timely, accurate, and indicative of a plan to remediate, if necessary. This information should be presented quarterly to management, governance, and the external auditor. This allows for all parties to agree on the evaluation of the deficiency, the impact on the remainder of the year’s testing, and any necessary remediation. Lack of timely reporting increases the potential of the external auditor reporting a significant deficiency or material weakness that might have otherwise been avoided.
How we can help
As your bank grows larger and approaches these asset thresholds, there are steps you can start today to help ease your audit committee, management team, and staff into this transition. CLA's banking industry professionals can help you through all stages of growth and provide financial statement audits and FDICIA control testing and consulting.