Printer Friendly

AT section 9501, an examination of an entity's internal control over financial reporting that is integrated with an audit of its financial statements: attest engagements interpretations of AT section 501.

1. Reporting Under Section 112 of the Federal Deposit Insurance Corporation Improvement Act

.01 Question--For purposes of compliance by insured depository institutions (IDIs) with Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) (Section 36, Independent Annual Audits of Insured Depository Institutions, of the Federal Deposit Insurance Act [Banks and Banking, U.S. Code Title 12, Section 1831m]) and its implementing regulation, Title 12 U.S. Code of Federal Regulations (CFR) Part 363 (12 CFR 363), an IDI that is a subsidiary of a holding company may use the consolidated holding company's financial statements to satisfy the audited financial statements requirement of 12 CFR 363, provided certain criteria are met. (1) For some IDIs, however, an examination of internal control over financial reporting is required at the IDI level. Paragraph. 18 of AT section 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards, vol. 1), requires that an examination of internal control over financial reporting (internal control) be integrated with an audit of financial statements. For IDIs that require an examination of internal control at the IDI level, can the auditor meet the integrated audit requirement when the IDI does not prepare financial statements for external distribution? If so, how can the auditor report on the effectiveness of the IDI's internal control over financial reporting? .02 Interpretation--To comply with the integrated audit requirement in AT section 501, when the IDI uses the consolidated holding company's financial statements to satisfy the audited financial statements requirement of 12 CFR 363, the auditor would be required to perform procedures necessary to obtain sufficient appropriate audit evidence to enable the auditor to express an opinion on the IDI's financial statements and on its internal control over financial reporting. When the IDI does not prepare financial statements for external distribution, "financial statements" for this purpose may consist of the IDI's financial information in a reporting package or equivalent schedules and analyses that include the IDI information necessary for the preparation of the holding company's consolidated financial statements, including disclosures. The measurement of materiality is determined based on the IDI's financial information rather than the consolidated holding company's financial statements? If the auditor is unable to apply the procedures necessary to obtain sufficient appropriate audit evidence with respect to the IDI's financial information, the auditor is required by paragraph. 117 of AT section 501 to withdraw from the engagement or disclaim an opinion on the effectiveness of the IDI's internal control over financial reporting.

.03 As indicated in exhibit C, "Reporting Under Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA)," of AT section 501, the FDIC indicated that financial reporting, at a minimum, includes financial statements prepared in accordance with generally accepted accounting principles (GAAP) and the schedules equivalent to the basic financial statements that are included in the IDI's appropriate regulatory report (for example, Schedules RC, RI, and RI-A in the Consolidated Reports of Condition and Income [call report]). When the IDI does not prepare financial statements for external distribution, the auditor is, nevertheless, required by paragraph .41 of AT section 501 to evaluate the IDI's period-end financial reporting process. This process includes, among other things, the IDI's procedures for preparing financial information for purposes of the consolidated holding company's financial statements, which are prepared in accordance with GAAP, and the schedules equivalent to the basic financial statements that are included in the IDI's appropriate regulatory report.

.04 The period-end financial reporting process may occur either at the IDI or the holding company, or both. The organizational structure, including where the controls relevant to the IDI's financial information operate, may affect how the auditor evaluates this process. For example:

a. When the period-end financial reporting process occurs at the holding company and the IDI comprises substantially all of the consolidated total assets, there may be no distinguishable difference between the IDI's and its holding company's process for purposes of the integrated audit. This is because the auditor's risk assessment, including the determination of significant accounts and disclosures and relevant assertions, the selection of controls to test, and the determination of the evidence necessary to conclude on the effectiveness of a given control, would likely be the same for the IDI and the holding company. (3) In this circumstance, the period-end financial reporting process of the holding company would be, in effect, the period-end financial reporting process of the IDI and, therefore, would be included in the scope of the integrated audit of the IDI.

b. When the period-end financial reporting process occurs at the holding company and the IDI does not comprise substantially all of the consolidated total assets, the IDI's financial reporting process may be sufficient for the auditor to meet the requirement in paragraph .41 of AT section 501, if the necessary GAAP information is prepared by the IDI or the holding company, and the process can be evaluated by the auditor. The auditor may determine that the IDI's preparation of the IDI's appropriate regulatory report, together with other financial information at the IDI level that is incorporated into the consolidated holding company's financial statements, is sufficient for this purpose. In this circumstance, both the period-end financial reporting process of the holding company, as it relates to the financial information of the IDI, and the period-end financial reporting process of the IDI, with respect to the preparation of the schedules equivalent to the basic financial statements that are included in the IDI's appropriate regulatory report, would be included in the scope of the integrated audit of the IDI.

.05 The illustrative reports in exhibit A, "Illustrative Reports," of AT section 501 may be used to report on the effectiveness of the IDI's internal control over financial reporting. Because 12 CFR 363 does not require the auditor to issue a separate auditor's report on the IDI's financial statements, the requirement in paragraph. 109 of AT section 501 to add a paragraph to the internal control report that references the financial statement audit will not apply when the auditor does not issue a separate auditor's report on the IDI's financial statements. In accordance with paragraph. 107 of AT section 501. the auditor's report on internal control is required to include a definition of internal control that uses the same description of internal control as management uses m its report. The following is an illustrative definition paragraph that may be used when an IDI that is not subject to Section 404 of the Sarbanes-Oxley Act of 2002 elects to report on controls for FDICIA purposes at the IDI level, and the IDI uses the consolidated holding company's financial statements to satisfy the audited financial statements requirement of 12 CFR 363:
 An entity's internal control over financial
 reporting is a process effected by those
 charged with governance, management, and
 other personnel, designed to provide reasonable
 assurance regarding the preparation of
 reliable financial statements in accordance
 with generally accepted accounting principles.
 Because management's assessment and
 our examination were conducted to meet
 the reporting requirements of Section 112
 of the Federal Deposit Insurance Corporation
 Improvement Act (FDICIA)'. our examination
 of [IDI's] internal control over financial
 reporting included controls over the preparation
 of financial information for purposes
 of [consolidated holding campany's] financial
 statements in accordance with accounting
 principles generally accepted in the United
 States of America and controls over the
 preparation of schedules equivalent to basic
 financial statements in accordance with the
 Federal Financial Institutions Examination
 Council Instructions for "Consolidated
 Reports of Condition and income (call report
 instructions), An entity's internal control
 over financial reporting includes those policies
 and procedures that (1) pertain to the
 maintenance of records that, in reasonable
 detail, accurately and fairly reflect the transactions
 and dispositions of the assets of the
 entity; (2) provide reasonable assurance that
 transactions are recorded as necessary to permit
 preparation of financial statements in
 accordance with generally accepted accounting
 principles, and that receipts and expenditures
 of the entity are being made only in
 accordance with authorizations of management
 and those charged with governance;
 and (3) provide reasonable assurance
 regarding prevention, or timely detection
 and correction of unauthorized acquisition,
 use, or disposition of the entity's assets that
 could have a material effect on the financial
 statements.


.06 Management may evaluate and report on the effectiveness of the IDI's internal control based on the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) report. Internal Control--Integrated Framework. Because COSO establishes control objectives relating to the preparation of reliable published" financial statements. the COSO criteria, as modified for purposes of reporting under Section 112 of FDICIA, is appropriate only for the IDI and its regulatory agencies. Accordingly, the report is required to be restricted as tO use? An example of such a restriction is as follows:
 This report is intended solely for the information
 and use of management, [identify the
 body or individuals charged with governance],
 others within the organization, the Federal
 Deposit Insurance Corporation and [other
 federal bank regulatory agency] and is not
 intended to be and should not be used by
 anyone other than these specified parties.


.07 Likewise, the auditor's report and management's assertion refer to the modified COSO criteria. For example, the following may be used to identify the criteria: "criteria established in Internal Control--Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as modified for the express purpose of meeting the regulatory requirements of Section 112 of the Federal Deposit Insurance Corporation Improvement Act (FDICIA)."

[Issue Date: September 2010.]

(1.) Refer to Section 36 of the Federal Deposit Insurance Act (FDI Act), Section 363.1: Scope and Definitions, for the requirements pertaining to compliance by subsidiaries of holding companies.

(2.) See paragraph. 11 of AU section 312, Audit Risk and Materiality in Conducting an Audit (AICPA, Professional Standards, vol. 1).

(3.) See paragraph .23 of AT section 501, An Examination of an Entity's Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AICPA, Professional Standards, vol. 1).

(4.) Paragraph .78 of AT section 101, Attest Engagements (AICPA, Professional Standards, vol. 1), requires the report to be restricted as to use "when the criteria used to evaluate the subject matter are determined by the practitioner to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria." Although reports on internal control issued in accordance with this interpretation are required to be restricted as to use. Section 36 of the FDI Act and Title 12 U.S. Code of Federal Regulations (CFR) Part 363 require that these reports be available for public inspection.
COPYRIGHT 2010 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2010 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Publication:Journal of Accountancy
Date:Nov 1, 2010
Words:1780
Previous Article:Health care reform mandates immediate changes.
Next Article:Statement on auditing standards - related parties (redrafted).
Topics:

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters