Date: October 7, 1999
Description: External Audit
The guidance attached to this bulletin continues to apply to federal savings associations.
On September 28, 1999, the Federal Financial Institutions Examination Council (FFIEC) adopted the attached "Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations." This policy statement is directed to banks and savings associations that are exempt from 12 CFR 363 (i.e., institutions with less than $500 million in total assets) or are not otherwise subject to audit requirements by order, agreement, statute, or agency regulations. It provides unified interagency guidance regarding independent external auditing programs of community banks and savings associations. The policy complements the interagency policy statement on internal auditing (OCC 98–1) and outlines
- The responsibilities of boards of directors and audit committees;
- Attributes and types of preferred external auditing programs;
- Special situations regarding external auditing programs for holding company subsidiaries, newly chartered banks and savings associations, and institutions presenting supervisory concerns; and
- Examiner guidance when reviewing external auditing programs.
The policy statement, which becomes effective for fiscal years beginning on or after January 1, 2000, is consistent with existing OCC guidance regarding external audits at community national banks. It does not place any additional burdens on community national banks by mandating external auditing programs or additional filing or reporting requirements. Rather, the policy reiterates the long-standing OCC philosophy of encouraging all national banks to have independent external audits of their operations and financial records. Those audits can range from financial statement audits by independent public accountants to agreed-upon procedures (i.e., directors' examinations) performed by other independent and qualified persons. Currently, the vast majority of community national banks with total assets less than $500 million already have an external audit that meets the policy statement's guidelines. The OCC anticipates that those banks that historically have had those external audits will continue to do so.
Internal control weaknesses and the lack of an effective audit program are common deficiencies at many problem banks. Consequently, the OCC is concerned about recent trends among some banks to cut back on control and audit resources in an effort to reduce overhead expenses. It remains the responsibility of the bank's board of directors to establish and maintain effective audit functions. A well-planned annual external auditing program complements a bank's internal auditing function, is conducive to a bank's safe and sound operation, and offers other benefits, such as assisting banks in establishing strong internal controls, internal auditing programs, and management information systems, and helping banks develop operating policies and methods of operations.
External auditing functions can provide the board of directors and management with an independent and objective view of the bank's activities. Such functions give the board and management information useful in fulfilling their fiduciary and risk control responsibilities. Those responsibilities encompass assessing the effectiveness of internal controls over financial reporting, including the accurate and timely recording of transactions, and the filing of accurate and complete financial and regulatory reports.
As a normal part of OCC supervisory activities, OCC examiners will continue to review the extent or absence of external auditing programs at community national banks. The OCC continues to encourage all national banks to have independent external audits; however, examiners will not criticize or comment adversely simply because a community national bank does not have an external auditing program or does not have one of the types described in the policy statement. Examiners should use judgment and discretion when evaluating external auditing work, including any audit reports, reviews or opinions issued, or the basis for the board's decision not to have an external audit. Examiners should consider
- The bank's size;
- The nature, scope, and complexity of its activities;
- Its risk profile;
- Actions taken or planned to minimize or eliminate identified weaknesses;
- The extent of its internal auditing program; and
- Any compensating internal controls in place.
For more information, contact Bill Morris, senior policy analyst, Core Policy Development, or Gene Green, deputy chief accountant, Office of the Chief Accountant, at (202) 649-6550.
Vernon H. Stafford, Jr.
Acting Deputy Comptroller for Core Policy