Financial Institution Letter
FIL-122-2004
November 17, 2004
ANNUAL AUDIT AND REPORTING
REQUIREMENTS
Internal Control Attestation Standards for Independent Auditors
Summary: The FDIC is providing guidance on the internal control attestation standards that
auditors of insured institutions with $500 million or more in total assets should follow to comply
with the FDIC's audit and reporting requirements.
Distribution:
FDIC-Insured Institutions With $500 Million
or More in Assets
Suggested Routing:
Chief Executive Officer
Chief Financial Officer
Audit Committee
Related Topics:
Federal Deposit Insurance Act Section 36
Part 363 of the FDIC's Regulations
Attachment:
None
Contact:
FDIC Regional Accountant or Harrison
Greene, Senior Policy Analyst, Division of
Supervision and Consumer Protection
(202-898-8905, hgreene@fdic.gov)
Note:
For your reference, FDIC Financial
Institution Letters (FILs) may be accessed
from the FDIC's Web site at
www.fdic.gov/news/news/financial/2004/index.html.
To learn how to receive FILs electronically,
please visit
http://www.fdic.gov/news/news/announcements/index.html.
Paper copies of FDIC financial institution
letters may be obtained through the FDIC's
Public Information Center, 801 17th Street,
NW, Room 100, Washington, DC 20434
(1-877-275-3342 or 202-416-6940).
Highlights:
• The annual audit and reporting requirements for
insured institutions with $500 million or more in total
assets in Part 363 of the FDIC's regulations require
assessments of internal control over financial reporting
by both management and independent auditors.
• To date, auditors have followed the American Institute
of Certified Public Accountants' (AICPA) attestation
standards, known as "AT 501," when reporting on
internal control.
• Section 404 of the Sarbanes-Oxley Act imposes similar
internal control requirements on public companies.
Auditors of public companies will begin to follow the
Public Company Accounting Oversight Board's
(PCAOB) Auditing Standard No. 2 when reporting on
internal control.
• The FDIC has received questions about the
applicability of PCAOB Auditing Standard No. 2 to
institutions subject to Part 363.
• The auditor of a nonpublic institution need only follow
the AICPA's existing internal control attestation
standards in AT 501 – until any revisions to AT 501 on
which the AICPA is working take effect – to satisfy
Part 363.
• The auditor of a public institution that is a
non-accelerated filer need only follow AT 501 to satisfy
Part 363 until PCAOB Auditing Standard No. 2 takes
effect for non-accelerated filers in 2005.
Federal Deposit Insurance Corporation
550 17th Street NW, Washington, D.C. 20429-9990
ANNUAL AUDIT AND REPORTING REQUIREMENTS
Internal Control Attestation Standards for Independent Auditors
Section 36 of the Federal Deposit Insurance Act (FDI Act) and Part 363 of the FDIC’s
regulations impose annual audit and reporting requirements on insured depository
institutions with $500 million or more in total assets. The annual report that these
institutions file with the FDIC and other federal and state supervisors, as appropriate,
must include a statement of management’s responsibilities for establishing and
maintaining an adequate internal control structure and procedures for financial reporting.
For purposes of Part 363, financial reporting encompasses both financial statements
prepared in accordance with generally accepted accounting principles and those prepared
for regulatory reporting purposes.
In addition, the Part 363 annual report must contain an assessment by management of the
effectiveness of internal control over financial reporting as of year-end as well as a report
by the institution’s independent auditor on management’s assertion concerning internal
control. To date, independent auditors have performed the attestation work necessary to
satisfy the FDIC’s reporting requirements by following Section 501 of the American
Institute of Certified Public Accountants’ (AICPA) attestation standards, Reporting on an
Entity’s Internal Control Over Financial Reporting, commonly referred to as “AT 501.”
Using language substantially similar to that in Section 36 of the FDI Act, Section 404 of
the Sarbanes-Oxley Act requires public companies[1] to include in their annual reports
under the federal securities laws a statement of management’s responsibilities for internal
control over financial reporting, management’s assessment of the effectiveness of this
internal control, and an attestation report on this assessment by the public company’s
independent auditor. The independent auditor’s attestation and reporting on the
effectiveness of internal control for public companies must be performed in accordance
with the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard
No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction
with an Audit of Financial Statements. The Securities and Exchange Commission’s
(SEC) regulations implementing Section 404 and PCAOB Auditing Standard No. 2 take
effect for “accelerated filers”[2] for fiscal years ending on or after November 15, 2004.
Other public companies (“non-accelerated filers”) must begin to comply with these
internal control requirements in fiscal years ending on or after July 15, 2005.
Taken together, the SEC’s Section 404 regulations and PCAOB Auditing Standard No. 2
establish more extensive testing and documentation requirements for internal control over
[1] Public companies are companies subject to the reporting requirements of the Securities Exchange Act of 1934.
[2] In general, accelerated filers are public companies whose common equity has an aggregate market value of $75 million or more.