I. INTRODUCTION
The provisions of the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) are primarily directed toward those companies, including insured depository institutions, that have a class of securities registered with the Securities and Exchange Commission (SEC) or the appropriate federal banking agency under § 12 of the Securities Exchange Act of 1934 (i.e., public companies).
Since the enactment of Sarbanes-Oxley, questions have been raised about its applicability to nonpublic, insured depository institutions. The FDIC issued guidance regarding certain issues raised by Sarbanes-Oxley, based on the status of an insured depository institution as public or nonpublic and on the size of the institution.
II. FDIC–SUPERVISED BANKS THAT ARE PUBLIC COMPANIES OR SUBSIDIARIES OF PUBLIC COMPANIES
Some FDIC–supervised banks have registered their securities with the FDIC pursuant to Part 335 of the FDIC’s regulations and are, therefore, public companies. Other FDIC–supervised banks are subsidiaries of bank holding companies that are public companies. These public companies and their independent public accountants must comply with Sarbanes-Oxley and its implementing regulations – including provisions governing auditor independence, corporate responsibility and enhanced financial disclosures.
III. NON-PUBLIC FDIC–SUPERVISED BANKS WITH LESS THAN $500 MILLION IN TOTAL ASSETS
FDIC–supervised banks that have less than $500 million in total assets as of the beginning of their fiscal year are not subject to the annual audit and reporting requirements of § 36 of the Federal Deposit Insurance (FDI) Act. Banks in this size range that are not public companies or subsidiaries of public companies generally do not fall within the scope of Sarbanes-Oxley and the SEC’s implementing regulations. Nevertheless, certain provisions of Sarbanes-Oxley mirror existing policy guidance related to corporate governance that the FDIC and the other banking agencies have issued. Other provisions of Sarbanes-Oxley represent sound corporate governance practices.
The following is a summary of selected provisions of Sarbanes-Oxley that the FDIC believes are of relevance to FDIC–supervised banks with less than $500 million in total assets that are not public companies. While these corporate governance practices are not mandatory for smaller, non-public institutions, the FDIC recommends that each insured depository institution consider implementing them to the extent feasible given their size, complexity, and risk profile.
A. Auditor Independence
To be considered independent, a registered public accounting firm that audits a public company’s financial statements is not permitted to provide, contemporaneously with the audit, any of the non-audit services listed in § 201. These prohibited services include: (a) bookkeeping or other services related to the accounting records or financial statements of the audit client; (b) financial information systems design and implementation; (c) appraisal or valuation services, fairness opinions or contribution-in-kind reports; (d) actuarial services; (e) internal audit outsourcing services; (f) management functions or human resources; (g) broker or dealer, investment advisor or investment banking services; and (h) legal services and expert services unrelated to the audit.
The FDIC encourages each bank whose financial statements are audited and its accounting firm to follow the internal audit outsourcing prohibition in § 201. Nevertheless, many banks have determined that the benefits of having a full-time internal auditor do not exceed the costs of such an arrangement. In addition, a bank may find that hiring separate firms to perform internal and external audit work is not cost-effective.
If a non-public bank is considering engaging its external auditor to perform both of these services, the bank’s audit committee (or board of directors if there is no audit committee) and the external auditor should pay particular attention to preserving the independence of both the internal and external audit functions.
The audit committee should also document that it has both preapproved the internal audit outsourcing to its external auditor and has considered the independence issues associated with this arrangement. In this regard, the audit committee should consider the independence guidance contained in the American Institute of Certified Public Accountants’ Code of Professional Conduct and the broad principles that the auditor should not perform management functions or act as an advocate for the client. The audit committee should also consider how the bank will oversee the external auditor’s performance under the internal audit outsourcing contract.
B. Audit Partner Rotation
A registered public accounting firm is not considered independent of a public company audit client if the lead audit partner having primary responsibility for the audit, or the concurring audit partner responsible for reviewing the audit, has performed in this capacity for the audit client for five consecutive years. The SEC’s final rule on auditor independence requires the lead and concurring partners to rotate after five years and, upon rotation, to be subject to a five-year “time out” period. In addition, the SEC’s final rule imposes a seven-year rotation requirement on certain other audit partners on the audit client’s engagement team, followed by a two-year “time out” period. These partner rotation rules are intended to strike a balance between the need to bring a fresh look to the audit engagement and the need to maintain continuity and audit quality.
The SEC’s final rules also contain an exemption from the rotation requirements for small accounting firms (i.e., firms with fewer than five public company audit clients and fewer than 10 audit partners), provided an audit quality review condition is met.
For non-public banks, the FDIC considers the SEC’s standard of fewer than ten audit partners to be a reasonable boundary for defining an accounting firm as a “small firm.” For a non-public bank engaging an accounting firm that is not a small firm to perform its external auditing program, the FDIC encourages audit partner rotation and “time out” periods as described above, which may be achieved by incorporating them into the bank’s engagement letter with the firm.
C. Conflicts of Interest
Under the SEC’s new independence rules for public companies, a registered public accounting firm is not considered independent of a public company audit client if the client’s chief executive officer, controller, chief financial officer, chief accounting officer or equivalent officer was employed by the accounting firm and participated in the audit of the client during the one-year period before the beginning of the current audit.
Non-public banks with less than $500 million in assets and their external auditing firm are encouraged by the FDIC to comply with these conflicts-of-interest requirements.
D. Audit Committees
The audit committee of each public company listed on a securities exchange or NASDAQ is responsible for the appointment, compensation and oversight of the work of a registered public accounting firm related to issuing audit reports. Each member of such an audit committee must be a member of the board of directors and must otherwise be independent. Audit committee members may not accept any consulting, advisory or compensatory fee from the public company (other than fees for serving as a board or committee member) or be affiliated with the company or a subsidiary of the company. The audit committee must additionally establish procedures for processing complaints and processing confidential anonymous submissions by employees regarding accounting, internal control and auditing matters.
The FDIC has encouraged all non-public, FDIC-supervised banks with less than $500 million in total assets to establish an audit committee consisting entirely of outside directors. The audit committee should also establish a mechanism for employees to submit confidential and anonymous concerns to the committee about questionable accounting, internal accounting control or auditing matters. The existing interagency policy statement on external auditing programs of banks and savings associations already defines “outside directors” as directors “who are not officers, employees or principal stockholders of the institution, its subsidiaries or its affiliates and who do not have any material business dealings with the institution, its subsidiaries, or its affiliates.”
E. Enhanced Financial Disclosures
Financial reports filed with the SEC must reflect material correcting adjustments identified by a registered public accounting firm. The reports must disclose all material off-balance sheet transactions, arrangements, obligations and relationships that may have a material current or future effect on the company. The FDIC strongly encourages non-public FDIC–supervised banks with less than $500 million in total assets to record all material correcting adjustments identified by the external auditors. If the bank issues audited financial statements, the FDIC also encourages disclosure of material off-balance sheet transactions to ensure examiners and other users of the financial statements are aware of them and can include them in their evaluation of the condition and risk profile of the bank.
F. Internal Controls Assessment
Even when a non-public, FDIC-supervised bank with less than $500 million in total assets chooses to have a financial statement audit as its external auditing program, the FDIC encourages such banks to consider the benefits and costs of supplementing the audit with an internal control assessment by management and an attestation of this assessment by the bank’s independent public accountant.
Banks with total assets exceeding $500 million must comply with the auditor independence requirements outlined in Sarbanes-Oxley. As a result, the external auditor will be prohibited from performing certain non-audit services, including internal audit outsourcing. Such banks must also adhere to the SEC’s audit partner rotation requirements. The SEC’s final rule on auditor independence requires the lead partner having primary responsibility for the audit, and the concurring audit partner responsible for reviewing the audit, to rotate after five years and, upon rotation, to be subject to a five-year “timeout.” In addition, the SEC’s final rule imposes a seven-year rotation requirement on certain other audit partners on the audit client’s engagement team, followed by a two-year “timeout” period. The SEC’s final rules also contain an exemption from the rotation requirements for small accounting firms (i.e., firms with fewer than five public company audit clients and fewer than 10 audit partners), provided an audit quality review condition is met.
B. Audited Financial Statements
Consistent with sound management practices and the objective of internal control over financial reporting, the annual audited financial statements are required to reflect all material correcting adjustments identified by the independent public accountant (i.e., adjustments that are necessary for the financial statements to conform with GAAP).
C. Financial Reporting and Controls
Under § 36 of the FDI Act and Part 363 of the FDIC’s regulations, banks with total assets exceeding $500 million must continue to include a management report in the annual report they file with the FDIC, their primary federal regulator (if other than the FDIC) and any appropriate state supervisor. The management report must be signed by the institution’s chief executive officer and chief accounting or chief financial officer. It must contain a statement of management’s responsibilities for: (a) preparing the institution’s annual financial statements; (b) establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (c) complying with designated safety and soundness regulations.
The management report must also include assessments by management of the effectiveness of the internal control structure and procedures for financial reporting as of the end of the fiscal year and the institution’s compliance with the designated safety and soundness regulations during the fiscal year, along with an independent public accountant’s attestation report on internal control over financial reporting. The management certification under Sarbanes-Oxley cannot be substituted for the management report.
Management’s compliance assessment is required to disclose noncompliance with insider loan regulations and dividend restrictions. (For additional guidance, see guideline 8C, Management’s Disclosure of Noncompliance with Designated Laws and Regulations, in Appendix A to Part 363.) In addition, the management report must disclose all material weaknesses identified by management, including material weaknesses that have not been corrected prior to the fiscal year-end. (For additional guidance, see Appendix B to Part 363, Illustrative Management Reports.)
D. Independent Audit Committee
Each covered institution’s Board of Directors must establish an independent audit committee comprised of outside directors. For an institution with between $500 million and $1 billion in total assets, a majority of the members of the audit committee are required to be independent of management of the institution. For a larger institution, all of the members of the audit committee must be independent of management.