
A new approach to regulating small banks.


CPAs gain an opportunity to provide a new assurance service.

Bank regulators have proposed a new external audit policy for banks and thrifts with less than $500 million in assets. These smaller institutions, known as community banks, have not been subject to the audit requirements imposed on larger institutions by the Federal Deposit Insurance Corporation (FDIC). The proposed policy encourages all banking institutions to obtain annual audits of their financial statements by independent CPAs. But, as an option, it permits a new alternative--an attestation examination performed by a CPA.

The community bank attestation would be comparable to other attestation engagements CPAs do, such as an attestation on compliance with government regulations or the one bank auditors do assuring that government regulations for student loans have been met. In this case, CPAs would examine a bank's internal controls and issue an opinion on whether or not the bank's management has fully disclosed any deficiencies in those controls. The new attestation is designed to spotlight the risk areas at the regulated institutions by focusing on controls rather than on account balances. It is significant for CPAs because it presents an opportunity to offer a new assurance service.

The attestation examination tests management's statements regarding the strength of internal controls on matters covered by specified call report schedules and their preparation--the ones most relevant to bank risk. An attestation examination provides a CPA's opinion similar to that in an independent audit, but its focus is on internal controls rather than on financial statements. Also, because the scope is restricted to controls over a limited number of the most important schedules rather than all financial reports, the examination usually can be done quicker and cheaper than an audit.

Attestation examinations will be slightly more expensive than the external reviews they replace, directors' examinations. Directors' exams consist of "agreed-upon procedures"--agreed upon by the institution and the person administering the examination. After some initial learning, attestations should not take longer or be more difficult than directors' exams and should yield considerably more useful information to all parties. The timing of attestation examinations is flexible. They can be performed conveniently at a quarter-end date that coincides with a required regulatory report.

The Federal Financial Institutions Examination Council (FFIEC) member agencies--the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS) and the National Credit Union Association (NCUA)--regulate the nation's banks, thrifts and credit unions. They are working together on this issue, as they have on others such as Y2K and outsourcing, because a strong external audit program enables the institutions themselves to detect and correct problems early and also provides the agencies and the public with assurance that the institutions are following GAAP.

Although some of the FFIEC agencies have provided guidance on external audits to the institutions they supervise, the guidelines, although substantially similar, have not been uniform. For example, the OCC discusses its policies on independent external audits for national banks in the Comptroller's Handbook for National Banks, Section 102, "Internal and External Audits," and the Comptroller's Manual for Corporate Activities. The FDIC adopted similar guidance in its Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks on November 16, 1988, and amended on June 24, 1996. The OTS's policy on independent external audits is discussed in the Thrift Activities Regulatory Handbook, Section 350, "Independent Audits." The FRB sets forth its policy on external audits in the FR-Y-6 Annual Report of Bank Holding Companies and Section 1010, "External Audits," of the Commercial Bank Examination Manual. These policies all encourage the regulated institutions to engage independent accountants to audit their financial statements but stop short of mandating audits except in very specific circumstances. For instance, the FDIC requires that newly chartered banks engage CPAs to audit their statements for their first two years of operations.

The NCUA, which is the only FFIEC member that did not adopt the external audit policy at this time, traditionally has insisted that the supervisory boards of its member institutions be allowed to conduct the external audit function in whatever manner they deem most appropriate--CPAs are not necessarily involved. Accordingly, credit unions will not be affected by the FFIEC proposal. However, the recent passage of the Credit Union Membership Access Act of 1998 may prompt the NCUA to embrace this policy at some point in the future because credit unions soon will be subject to many of the same audit and accounting requirements as banks and thrifts.

The FFIEC proposal appeared in the February 17, 1998, Federal Register (vol. 63, no. 31, page 7796) and also can be found at the Web sites of the FFIEC agencies, all of which can be reached through links from the FFIEC's site, www.ffiec.gov. The comment period has expired and a final policy is expected in the first quarter of 1999.

Meanwhile, the agencies have sent a letter to all the community banks they regulate, encouraging them to adopt the proposed policy even though some modifications suggested in the comments still are under consideration. The AICPA banking committee has seen the comments, which include quite a few letters from community banks expressing concerns about increased external audit costs. Most of the banking trade organizations commented, and generally supported the policy, with reservations about higher costs. Some suggested allowing exemptions for the very smallest banks--a suggestion that may be incorporated in the final policy. Some of the banking trade organizations also requested that implementation be delayed until the states have had an opportunity to catch up and modify their regulations along the same lines.

The new proposal is modeled on changes already in place for larger banks regulated by the FDIC. These changes were mandated by Congress in the FDIC Improvement Act (FDICIA) of 1991. FDICIA required "larger institutions" to engage CPAs to report on management's assertion of the effectiveness of an institution's internal controls and on the accuracy of its financial reporting. Based on the regulators' actions, the FDIC as an agency seems pleased with the FDICIA model, which focuses on controls rather than on account balances.

Similarly, Congress and the banking industry lobby groups also are pressuring the other agencies in the FFIEC to reduce the regulatory burden on community banks and thrifts. To do so without jeopardizing their mission, the FFIEC agencies also are focusing their oversight efforts on the risk areas of institutions--examining controls more than account balances. These agencies' bank examiners are willing to rely more on the work of external auditors, but only if an effective external audit program is in place.

In the past, community banks could offer regulators a directors' examination instead of an audit or the new option, an attestation. While directors' examinations often are performed by former agency examiners, they are not particularly effective for managing or evaluating risk because the procedures involved are an inadequate basis for an opinion on the controls. Instead, people performing these examinations report procedures and results without judgment. For example, the procedures may involve sending out confirmation letters for the accruals on deposits and loans. That leaves the bank regulators and the bank's management to read the lengthy reports on procedures and results and draw their own inferences.

The attestations will differ from the directors' examinations in that CPAs will examine and offer an opinion on the adequacy of the pertinent internal controls, drawing attention to any deficiencies. Accordingly, a banker who wants to strengthen his or her institution's external audit program without bearing the full cost of a financial statement audit may find that an attestation examination suits the purpose well.

The scope of the proposed attestation examination for community banks is limited to internal controls over specific schedules filed each quarter with the banking agencies. The FDICIA-required audit of all internal controls over financial reporting, in contrast, is much more comprehensive. The new FFIEC proposal's narrower scope allows smaller institutions to maximize the quality of the test of their internal controls while minimizing the cost, which smaller institutions can less readily afford.

FDICIA allowed the FDIC to determine which institutions would be considered large, so the FDIC chose to limit its FDICIA-mandated rules to institutions with total assets over $500 million. All other FDIC-regulated financial institutions have remained subject to the FDIC's external audit policy statement issued in 1988 and amended in 1990. The 1988 policy provides for the directors' examination as an alternative to an audit. In most cases, the proposed attestation examination will supplant the directors' examination as bankers at smaller institutions and those institutions' boards may not believe their banks' risk profiles warrant audited financial statements.

Banks still will be able to get directors' examinations if they want them, but they probably won't, except where required by state regulations. Although it is reasonable to expect that states will harmonize their requirements with those of the federal agencies, banking institutions may, at least for awhile, be in the unenviable situation of having to incur two examinations to satisfy two levels of regulatory requirements--federal and state. Because the new policy, like the old, is technically voluntary, many banking institutions may defer attestation engagements until the states change their statutory regulations to accept the new approach. So far, none of the states with conflicting statutes have, and it could be a slow process (see exhibit 1).

[Exhibit 1 ILLUSTRATION OMITTED]

THE ATTESTATION EXAMINATION IS AN IMPROVEMENT ON THE DIRECTORS' EXAMINATION

Any person with significant banking industry experience can perform a directors' exam, which involves performing and reporting on the results of a set of agreed-upon procedures. Although there is some variation in the procedures each institution agrees to submit to--and state requirements may differ--routine directors' exams usually are quite similar to each other.

While CPAs may want to do directors' examinations for their banking clients, professional standards put them at a competitive disadvantage. For CPAs, SAS no. 75, Engagements to Apply Agreed-Upon Procedures to Specified Elements, Accounts, or Items of a Financial Statement, says the responsibility for the sufficiency of the procedures resides with the users of the results of those procedures. Conversely, access to any reports on the procedures and results must be restricted to those who have agreed on their sufficiency. However, the regulators will not participate in the agreement over the procedures for the directors' exam; the regulators' position is that responsibility for designing adequate procedures lies entirely with the banks' management and boards. Yet CPAs know that the regulators must receive a copy of the directors' exam report. That puts CPAs in an uncomfortable professional bind.

SAS no. 75 also provides that agreed-upon procedures for directors' examinations cannot be overly subjective and open to varying interpretations; that creates yet another bind for CPAs. Some states' regulations require both procedures and judgments on the part of the person performing the procedures. The FDIC's 1988 policy statement also requires the examiner to make subjective judgments on, for example, the adequacy of internal controls and on whether specified transactions comply with policies. Although a CPA can recast such policies, either federal or state regulators might consequently determine that an engagement does not meet their minimum requirements.

This dilemma often has left the administration of directors' examinations to former bank regulators or former bank employees, who can offer a bare-bones service that meets the letter of state regulatory requirements at a low cost. Although regulatory examiners don't get training in controls as CPAs do, they know operations extensively--often better than CPAs do. While the agreed-upon procedures that constitute a directors' examination provide bankers and regulators some comfort that the accounting records are accurate, they provide little assurance that the institution is managing risks appropriately. Neither state nor federal regulators assume responsibility for assessing the sufficiency of a financial institution's internal controls. In fact, under the FDIC's 1988 policy statement, the financial institution's management and board are responsible for establishing and maintaining effective internal controls. If the management and board don't know enough about internal controls and the controls have not been documented, those controls may in fact be inadequate and no one would be the wiser because no one outside the bank has scrutinized them. This is a big problem for the regulators charged with protecting the public.

While these arguments may be convincing from some points of view, community banks and thrifts are not unhappy with the directors' exams. To the community banker, the directors' examination is quick, easy and cheap and can be conducted at any convenient time during the year. The procedures usually involve only operations and can be dealt with well down in the organization, taking up little management time.

Since few community banks welcome the expense imposed by detailed federal regulations, and their risk profile doesn't always justify the expense of an independent audit, the newly proposed policy, while strongly encouraging audits by CPAs, permits banks to substitute an attestation examination.

WHAT IS AN ATTESTATION ENGAGEMENT?

The attestation examination must be performed by a CPA. If the FFIEC proposal becomes effective by yearend, as expected, this alternative will eventually succeed the directors' exam. Institutions that still want to engage third parties to perform agreed-upon procedures still can, although there would be little value added in doing so except to meet state regulatory requirements.

For the CPA, the objective of an attestation engagement is to probe management's assertion that internal controls over matters reported on specific schedules, and on the preparation of these schedules themselves, are effective. The proposal explicitly covers the regulatory reporting schedules for loans and lease financing receivables; past-due and nonaccrual loans; leases and other assets; allowances for credit losses; and securities. These schedules are included in the regulatory report that banking institutions file quarterly with the relevant banking agencies. The proposal also holds management and the board of directors responsible for identifying other areas of risk particular to their financial institution. The attestation examination should involve these as well. One example of the kinds of things management should point out: off-balance-sheet items.

Of course, not every bank has formally asserted that it has effective internal controls on the matters covered by the specified call schedules, but it implicitly does so to the regulatory agencies each time it files its quarterly reports. At least for now, the proposal will require financial institutions opting for the attestation examination to prepare such a document formally. However, the Auditing Standards Board recently approved amendments to SSAE nos. 1, 2, and 3 to allow, and in some cases require, an opinion on the substance of the effectiveness of controls, rather than management's assertion, effective June 30, 1999.

In the attestation document, management should identify known internal control deficiencies. If the examination supports an assertion that notes any deficiencies, the attestation report would include the identified deficiency as an explanatory paragraph but would not be qualified otherwise, although that will change after June 30. After that date, CPAs will have to qualify their opinion whenever the controls are deficient, whether or not management has acknowledged the deficiency. Discovery of any deficiency not identified in management's assertion would mandate a qualified opinion.

With management's assertion about the effectiveness of controls in hand, the CPA firm then sets out to test its fairness. The following procedures were developed in the course of the pilot project mentioned in the case study. To maximize effectiveness and efficiency, practitioners performing attestation examinations should consider adopting them.

A FIVE-STEP PRESCRIPTION FOR TESTING INTERNAL CONTROLS

1. Identify and document the accounting processes. Accounting processes are the intermediate procedures that change what form accounting information takes, through records in the general ledger and, ultimately, financial statements and call report schedules.

The call report schedules specified in the proposed policy statement concern two transaction cycles: loans and investments. Therefore, the accounting processes for the loan cycle and the investment cycle should be understood and documented.

There are several ways to document these processes--flowcharts, descriptive narratives and questionnaires. Flowcharts and narratives are more effective than questionnaires as they offer more flexibility and can be tailored to each engagement.

The critical points in an accounting system are where financial information changes form, such as when a transaction is entered into a computer. Attestation examiners should follow the information pathway, noting where transaction information is captured, processed and assembled. Controls are needed at each of the critical points to ensure that all the relevant economic events are captured and that processes modifying financial information do not introduce errors.

CPAs should differentiate control procedures from transaction processing procedures. The latter are the transactions that flow through the accounting system to the financial statements, whereas control procedures help managers prevent, detect and correct errors that might occur during the processing and recording of transactions. Information processing can generate errors; controls cannot. For example, the recording of a loan is not a control. However, a procedure that prevents a loan disbursement before the loan is approved is a control.

Identifying and documenting the accounting processes is the most time-consuming step in the attestation examination. CPAs shouldn't take shortcuts here. Senior CPAs should be thoroughly involved at this stage--experience is the essential guide to choosing which internal controls to test and how to test them.

The extent of testing will depend on whether the controls are documented--auditors can't do much testing of undocumented controls. In fact, the attestation engagements may help some banks improve their controls simply by requiring them to document at least some of their control procedures. In most cases, there will be more controls in the lending and investing cycles than it is necessary to document. For efficiency, CPAs shouldn't bother to document any controls that won't be tested. These decisions require considerable judgment, which is why experience is especially important at this stage of the examination.

2. Design a testing strategy. The extent and types of tests depend on the characteristics of the controls to be tested. Again, this requires the examiner to exercise discrimination based on expertise.

Controls can be documented or undocumented, manual or electronic, preventive or detective. Documented controls can be tested by sampling, reperformance or inquiry and observation. Reperforming a control procedure involves proving the same control by an alternate means--for example, does a hands-on test produce the same result as an electronic test?

When controls are undocumented, most possible tests consist of inquiry and observation, although occasionally reperformance can shed some light on whether the control is effective. Electronic controls, which are inherently consistent, can be tested quite effectively by inquiry and observation. Finally, since controls that prevent errors are stronger than those that detect errors after they have been introduced, the testing strategy should give priority to preventive controls.

3. Perform the tests. The actual testing takes surprisingly little time, even when a large number of controls are selected for testing. Even tests that involve a lot of sampling go very quickly.

Before deciding which and how many tests to perform, CPAs should assess the potential for errors in the general control environment. This assessment is no different from one made in connection with a financial statement audit and involves, among other factors, evaluating the attitude of management toward effective internal control. Do the officers welcome it? Are they wary of it? Are they cavalier about it? CPAs should perform more tests whenever the general control environment is more risky. The examiner should bear in mind that, when general controls are very weak, the entire accounting system may fail to be effective no matter how many specific controls may be in place.

4. Evaluate deviations. Control test failures or errors are referred to as "deviations." Any deviations should be evaluated and the examiner should determine whether the control is completely ineffective or whether additional tests might prove the control to be effective. However, it may not make sense to continue to take more samples for a given test. After a few deviations have occurred, the auditor probably will find, ultimately, that the control is ineffective.

CPAs should consider the cost of excessive sampling when deciding whether to test a control repeatedly. However, CPAs should also resist the temptation to label deviations as "isolated" without backing that up with further testing. A CPA who jumps to such a conclusion with inadequate support could give an inappropriate opinion, at considerable cost to his or her firm's reputation. Accordingly, CPAs should consider a deviation an indication that an internal control is not effective, unless additional evidence proves otherwise.

Instead of retesting deviations endlessly, the examiner can look for compensating controls that accomplish the same control objective. If the compensating controls test effective, they may provide sufficient support for the auditor's opinion.

CPAs should discuss deviations with management. Sometimes a banker has a good explanation for a specific problem and can assure the examiners that it was detected and corrected well before the examiners arrived on the scene. If that is true, the self-correcting mechanisms may be adequate controls. However, CPAs should take pains to corroborate any management claims to this effect.

5. Report results. After the tests of controls are complete and all deviations evaluated satisfactorily, the examiner can render an opinion. At least until the SSAE amendments become effective, that opinion should concern only whether or not management's assertion is materially correct. The opinion should be qualified if the auditor has seen significant deviations indicating that internal controls are ineffective. Any weaknesses that management has disclosed in its assertion should be highlighted by an explanatory paragraph. In addition, the examiner should offer to prepare an advisory letter outlining areas where controls could be strengthened and suggesting how this might be accomplished. An advisory letter should maximize the report's value to management and the board.

ALMOST EVERYONE BENEFITS FROM THE PROPOSED CHANGE

Of course, a lot of retired bankers and former bank examiners may lose their directors' examination work if and when this proposal becomes effective. However, almost everyone else will benefit if attestation examinations replace directors' examinations.

Attestation examinations are good for regulatory agencies because they help regulators protect the public. How? They should motivate management to improve internal controls and, consequently, the safety and soundness of the institutions examined. Also, the regulatory agencies may be able to zero in on potential problems more quickly with the aid of attestations.

The management and boards of banks and thrifts will be able to use their independent CPAs' feedback on the strength and effectiveness of the institutions' internal controls as a management tool. Directors, especially, will sleep better knowing something about the effectiveness of internal control in the riskiest areas of the bank. Furthermore, CPAs executing attestation examinations are not at all disruptive to bank operations. The CPAs' work should be invisible to most of an institution's employees, except for the few implementing the actual controls being tested.

Finally, CPAs will be able to offer a new assurance service--the attestation examination. This should be fun and profitable. Most practitioners will find attestation engagements more fulfilling than performing agreed-upon procedures that do not make much use of their skills and experience. Certainly the attestation examination is better aligned with the CPAs' professional obligations. Also, CPAs should gain a much deeper understanding of their clients' operations which will increase their value as consultants and business advisers.

Exhibit 2: The Pros and Cons of Attestation Engagements from Three Points of View

BANKERS

Pro

* Less disruption to operations.

* Increased awareness of the control environment.

* Immediate feedback from auditors.

* Better return on professional fees--meaningful feedback.

* Opportunity to improve and strengthen controls.

* Ability of internal auditors to assist the external auditors.

Con

* Change--some will never like it.

* Difficulty in eliminating some control deficiencies (for example, segregation of duties).

* Greater management involvement in the audit process.

REGULATORS

Pro

* Strengthened controls in higher risk areas.

* More useful reported information.

* Access to management advisory letters.

Con

* Too many glaring deficiencies demanding attention the first year.

* Accounting firm workpapers harder to understand--less uniformity.

CPAS

Pro

* Opportunity for new business.

* Can apply audit skills.

* Much more challenging intellectually.

* Provides clients with a more meaningful service, improving the relationship.

Con

* Less standardized approach.

* Fewer hours delegated to junior staff.

* Increased risk due to issuance of opinion.

* More planning required.

Exhibit 3: Ways to Reduce the Costs of an Attestation Engagement

* Plan thoroughly, with CPA firm manager participation.

* Document processes where information changes form, not paper flow.

* Test only the most important controls.

* Plan testing strategy to avoid overauditing.

RELATED ARTICLE: EXECUTIVE SUMMARY

* THE FEDERAL BANK REGULATORY AGENCIES are encouraging community banks to hire CPAs for attestation engagements. Directors' examinations, which are less rigorous and can be performed by people who are not CPAs, may become obsolete. The new policy is expected to become effective in the first quarter of 1999.

* ATTESTATION ENGAGEMENTS SPOTLIGHT INTERNAL controls rather than account balances. CPAs will issue short formal opinions on the fairness of management's assertion of the adequacy of community banks' internal controls.

* ATTESTATION ENGAGEMENTS WILL BE LIMITED in scope to controls affecting the information in, and preparation of, the most important schedules--including those about the loan and investment cycles.

* 20 STATES' REGULATIONS MAY LAG federal regulations and continue to require directors' examinations.

* FINANCIAL INSTITUTIONS WILL HAVE TO disclose weaknesses in their internal controls.

* THE MOST TIME-CONSUMING PART of an attestation engagement: Identifying and documenting the accounting processes and judging what needs testing and how much testing it should get.

* THE CPA's OPINION SHOULD ADDRESS only whether management's assertions about controls are materially correct.

* CPAs SHOULD PREPARE A SEPARATE ADVISORY critique of the effectiveness of internal controls for the client bank's management and board.

KEITH NEWTON, CPA, is a partner at the Dallas office of Grant Thornton LLP. With more than 20 years' experience as a bank auditor, he serves on the AICPA banks and savings institutions committee. His e-mail address is: knewton@gt.com.

RELATED ARTICLE: CASE STUDY

THE PILOT PROJECT: AN ATTESTATION ENGAGEMENT AT A NEBRASKA BANK

Before circulating the proposed policy statement for comment, the FFIEC agencies asked the AICPA to conduct at least one pilot attestation examination on a community bank. The AICPA banking and savings institutions committee asked its members whether their firms would be interested in such a test. Since I am a member of that committee, and my firm, Grant Thornton, performs a significant number of directors' examinations, we volunteered to conduct the pilot examination. We wanted both to assist the industry and the profession and to understand these examinations thoroughly so we could be in a position to help our clients as they adopt the new policy.

We selected a state chartered bank in Nebraska with approximately $110 million in assets and $13 million in equity. We wanted a bank that was typical of those interested in attestation examinations--a bank in good standing with regulators and with accounting systems that reliably capture and record transactions accurately.

The pilot bank is subject to state regulations but also is regulated by the FDIC. The bank's management does its best to comply with all the FDIC's external audit policies, even when compliance is voluntary. The bank is well capitalized. Its external audit program has consisted of a directors' examination conducted annually by my firm. We have used the agreed-upon procedures established by the state of Nebraska, including such standard procedures as sending out confirmation letters for accruals on loans and deposits. Our directors' exams haven't turned up any serious or systematic problems at the bank. However, there were a few minor problems which required follow-up on confirmation replies and adjustments to prepaid expenses. My firm also prepared an advisory letter to management and the board with a critique based on its team's observations.

When we initially approached the bank's management about participating in the pilot test, they were somewhat apprehensive. For one thing, at the time the bank did not have much documentation for its internal controls. Since the bank was relatively small, management didn't think it could spare the personnel qualified to prepare the documentation from their routine tasks in time for the test run.

Management also was worried that it might get a report that would trigger undue interest from the FDIC. Management's particular concern was that, in the investment area, duties were not as segregated as they might have been at a larger institution. The same person performed both the accounting processes and the controls. If that weakness were to cause my firm to issue a modified report, the examination could raise a red flag inviting a lot of regulatory scrutiny--and possibly even action against the bank.

The bank and my firm have a long relationship, and despite these reservations the officers trusted the firm not to get them involved in a project against their bank's best interests. Also, the bank wanted to help the agency evaluate whether these new engagements would fulfill the FDIC's expectations. Accordingly, management agreed to proceed with the pilot. After all, the bank's board should know of any weaknesses that might increase the risk of bank failure and has a fiduciary duty to the shareholders to insist that management take corrective action.

The initial step was for management to assert that the bank has effective internal controls in place for the relevant call report schedules. The suggested format for management assertion letters is contained in the attestation standards. In this case, management used the standard format and initially provided a letter to the auditors asserting that it had effective internal controls over all the relevant call report schedules.

The first task for my firm's attestation engagement team was to help management identify and document the internal controls for the areas to be examined. As this process was under way, it became clear that the initial assertion of fully effective controls needed modification--a predictable problem when an institution documents its controls for the first time. Accordingly, management sent a new letter to the auditors outlining control weaknesses in the investment area. The relevant passage read as follows:

"We have maintained effective internal control over financial reporting ... except as follows:

Certain personnel responsible for initiating and managing the loan and securities portfolios also have access to such assets through the ability to generate accounting entries, including changes to master files. In addition, the general EDP control environment is deficient in that management reports available are either not generated or are not timely reviewed by appropriate personnel."

As the first of its kind, the pilot attestation examination of the bank caused my firm to expend a lot of energy in the planning stages. The planning took several days, primarily because the team was not familiar with audits of internal controls. The engagement team wanted to approach and conduct the examination in the most efficient manner possible while minimizing the risk of forming improper conclusions. Some of the considerations were how to identify and document controls, how to determine the relevant controls and how to test them. Further down the learning curve, attestation engagements may still require a lot of planning, but considerably less than the pilot did.

With the exception of time incurred to document the internal controls initially, the attestation examination took about the same time as the directors' exam had. However, the attestation examination used higher level staff at both my firm and the bank, making it somewhat more expensive, but also more useful.

In the end, Grant Thornton delivered an attestation report to management and the board, with an explanatory paragraph pointing out the internal control weakness acknowledged in the second assertion letter but no other qualifications (see the exhibit, this page).

Exhibit 4: Codes for Regulatory Report Schedules Covered by Attestation Examinations

Area                                                     Reports of Condition       Thrift Financial
                                                         and Income Schedules(1)    Report Schedules(2)

Loans and lease financing receivables                    RC-C, Part 1               SC, CF
Past-due and nonaccrual loans, leases and other assets   RC-N                       PD
Allowance for credit losses                              RI-B                       SC, VA
Securities                                               RC-B                       SC, SI, CF
Trading assets and liabilities(3)                        RC-D                       SO, SI
Off-balance-sheet items(3)                               RC-L                       SI, CMR


(1) Forms filed by institutions regulated by the FDIC, the OCC, and the FRB, primarily banks and bank holding companies.

(2) Forms filed by institutions regulated by the OTS, primarily thrifts.

(3) Encouraged when the board determines that the financial reporting risk of these areas is material to the institution.

Source: FFIEC's policy proposal statement.

The firm also sent an advisory letter suggesting how the bank's controls could be further strengthened and identifying other, less significant areas where there were no controls or the existing controls could be improved. For instance, the attestation team suggested a compensating control in the investment cycle. If the bank implements that control satisfactorily, that qualification no longer would be necessary.

Ultimately, the bank's management told my audit team that they were both relieved and satisfied. The bankers especially liked the immediate feedback we gave them. The bankers had been accustomed to waiting for weeks or more before getting any feedback on directors' examination results.

The attestation examination process resulted in meaningful suggestions for improving and strengthening controls. The examination of the institution's controls was much more comprehensive than the procedures that made up the same bank's directors' examination and much more focused on the areas posing the greatest risk--the loan and investment portfolios. Now management can be confident that the outcome of annual attestation examinations will be continuous improvement, with stronger controls resulting in unqualified reports over time.

In this case, everyone came out ahead. Members of the audit team came away with a much deeper knowledge of the bank and its operations. Regulators were satisfied that the important weaknesses had been fully disclosed and the public interest served. The bank's board fulfilled its fiduciary duties well. Management learned something about potential problem areas.

RELATED ARTICLE: THE INDEPENDENT ACCOUNTANTS' ATTESTATION REPORT

Board of Directors Pilot Bank & Trust Co.(*)

We have examined management's assertion, included in its representation letter dated May 7, 1997, that Pilot Bank & Trust Co.(*) maintained effective internal control over financial reporting of loans and securities presented in conformity with Federal Financial Institutions Examination Council instructions for Schedule RI-B Charge-offs and Recoveries and Changes in Allowance for Loan and Lease Losses, Schedule RC-B Securities, Schedule RC-C Loans and Lease Financing Receivables and Schedule RC-N Past Due and Nonaccrual Loans, Leases, and Other Assets of the Consolidated Reports of Condition and Income as of March 31, 1997.

Our examination was made in accordance with standards established by the American Institute of Certified Public Accountants and, accordingly, included obtaining an understanding of the internal control over financial reporting, testing and evaluating the design and operating effectiveness of the internal control, and such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of inherent limitations in any internal control, errors or irregularities may occur and not be detected. Also, projections of any evaluation of the internal control over financial reporting to future periods are subject to the risk that the internal control may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

In our opinion, management's assertion that, except for the effect of the material weaknesses described in its representation letter dated May 7, 1997, Pilot Bank & Trust Co. maintained an effective internal control over certain financial reporting as described in the first paragraph of this report, is fairly stated, in all material respects, based upon the Internal Control--Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission.

As discussed in management's assertion, the following material weaknesses exist in the design or operation of the internal control of Pilot Bank & Trust Co. in effect at March 31, 1997:

(a) Certain personnel responsible for initiating and managing the loan and securities portfolios also have access to such assets through the ability to generate accounting entries, including changes to master files. Such controls increase the likelihood that the loan and securities portfolios reflect the objectives of bank management.

(b) The general EDP control environment is deficient in that management reports available are either not generated or are not timely reviewed by appropriate personnel. Such controls increase the likelihood that unauthorized transactions or inadvertent errors are prevented or detected in a timely manner.

A material weakness is a condition that precludes the entity's internal control from providing reasonable assurance that material misstatements in the financial statements will be prevented or detected on a timely basis.

This report is intended solely for the information and use of the board of directors and management of Pilot Bank & Trust Co. and the Federal Deposit Insurance Corporation and should not be used for any other purpose.

GRANT THORNTON LLP

Lincoln, Nebraska

May 7, 1997

(*) Fictitious name substituted for privacy.
COPYRIGHT 1998 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1998, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Newton, Keith
Publication:Journal of Accountancy
Geographic Code:1USA
Date:Nov 1, 1998
Words:6137