Mergers or strong internal growth can quickly send a small financial institution’s assets soaring past the $1 billion mark. But that milestone comes with additional requirements from the Federal Deposit Insurance Corp. that, if not tackled early, can become arduous and time-consuming.
When a bank reaches that benchmark, as measured at the start of its fiscal year, the FDIC requires an annual report that must include:
- Audited comparative annual financial statements.
- The independent public accountant’s report on the audited financial statements.
- A management report that contains:
  - A statement of certain management responsibilities.
  - An assessment of the institution’s compliance with laws pertaining to insider loans and dividend restrictions during the year.
  - An assessment on the effectiveness of the institution’s internal control structure over financial reporting, as of the end of the fiscal year.
- The independent public accountant’s attestation report concerning the effectiveness of the institution’s internal control structure over financial reporting.
Management Assessment of Internal Controls
Complying with Internal Controls over Financial Reporting (ICFR) requirements can be exhaustive, but a few early steps can help:
- Identify key business processes around financial reporting/systems in scope.
- Conduct business process walk-throughs of the key business processes.
- For each in-scope business process/system, identify related IT general control (ITGC) elements.
- Create a risk control matrix (RCM) with the key controls and identify gaps in controls.
To assess internal controls and procedures for financial reporting, start with control criteria as a baseline. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission provides criteria with a fairly broad outline of internal control components that banks should evaluate at the entity level and activity or process level.
Implementation Phases, Schedule and Events
A FDICIA implementation approach generally includes a four-phase program designed with the understanding that a bank’s external auditors will be required to attest to and report on management’s internal control assessment.
Phase One: Business Risk Assessment and COSO Evaluation
Perform a high-level business risk assessment and COSO evaluation of the bank. This evaluation is a top-down approach that allows the bank to effectively identify and address the five major components of COSO. This review includes describing policies and procedures in place, as well as identifying areas of weakness and actions needed to ensure that the bank’s policies and procedures are operating with effective controls.
Phase One action steps are:
- Educate senior management and audit committee/board of directors on reporting requirements.
- Establish a task force internally, evaluate resources and communicate.
- Identify and delegate action steps, including timeline.
- Identify criteria to be used (COSO).
- Determine which processes and controls are significant.
- Determine which locations or business units should be included.
- Coordinate with external auditor when applicable.
- Consider adoption of a technology tool to provide data collection, analysis and graphical reporting.
Phase Two: Documenting the Bank’s Control Environment
Once management approves the COSO evaluation and has identified the high-risk business lines and support functions of the bank, it should document the internal control environment and perform a detailed process review of high-risk areas. The primary goals of this phase are to identify and document which controls are significant, evaluate their design effectiveness and determine what enhancements, if any, management must make.
Phase Three: Testing and Reporting of the Control Environment
The bank’s internal auditor validates the key internal controls by performing an assessment of the operating effectiveness to determine if they are functioning as designed, intended and expected. The internal auditor should help management determine which control deficiencies, if any, constitute a significant deficiency or material control weakness. Management and the internal auditor should consult with the external auditor to determine whether the external auditor has performed any of the tests and whether that testing can be leveraged for FDICIA reporting purposes.
Phase Four: Ongoing Monitoring
A primary component of an effective system of internal control is an ongoing monitoring process. The ongoing evaluation process of the system of internal controls will occasionally require modification as the business adjusts. Certain systems may require control enhancements to respond to new products or emerging risks. In other areas, the evaluation may point out redundant controls or other procedures that are no longer necessary. It’s useful to discuss the evaluation process and ongoing monitoring when making such improvement determinations.