By Mark E. Steadman and Thomas E. McKee

"Hi Bob, this is Jim at the bank. I guess you heard about our pending acquisition of ABC Bank. One item came up near the end of the negotiations that I don't know anything about. Since we're gaining $50 million in assets, we crossed something called the 'FDICIA floor.' As our CPA, I thought you could probably tell us about FDICIA. What is it, how does it affect us, and most importantly, what's it going to cost?"

Many CPAs could be getting a similar phone call in the future as their banking clients grow. Providing quality service to existing banking clients or obtaining new clients in the industry will depend upon how these questions are answered.

In 1991, Congress passed the Federal Deposit Insurance Corporation Improvement Act (FDICIA) to help the banking industry avoid the solvency problems of the savings and loan crisis. Section 36 of FDICIA significantly affects the public accounting profession. This section requires financial institutions with more than $500 million in total assets to document, evaluate, and report on the effectiveness of the entity's internal control. (Approximately 1,000 of the nation's 14,000 banks exceeded the $500 million threshold.) Additionally, the institution's independent CPA must attest to management's assertions concerning internal control. This provision expands the responsibilities of many CPAs for their banking clients.

A real life example of how a CPA firm and a small financial institution implemented the internal control requirements may be helpful in understanding the act. The name of the bank has been changed to Small Bank Inc. and that of its auditors to Accountants & Auditors (A&A). In addition, the reports on internal control have been revised to conform to the language contained in SSAE No. 6, Reporting on an Entity's Internal Control over Financial Reporting: an Amendment to Statement on Standards for Attestation Engagements No. 2.

FDICIA Requirements

The savings and loan crisis of the 1980s resulted in public concern over the health of financial institutions in the U.S. As a partial response to this concern, in 1991 Congress passed FDICIA in an attempt to stabilize the industry by implementing additional controls over financial institutions. Key FDICIA requirements include the following:

* Audit committees must be comprised of independent outside directors--regardless of bank size.

* Institutions must have an adequate system of internal control according to some generally accepted framework. [Most institutions have selected the report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as an internal control framework.]

* Section I agreed-upon-procedures testing of compliance with laws and regulations must be performed by either internal audit or the entity's independent public accountants.

* Section II agreed-upon-procedures testing of compliance with laws and regulations must be performed by the entity's independent public accountant if management elected to have internal auditors perform Section I agreed-upon procedures.

* Management must perform its own investigation and review of the effectiveness of internal controls and compliance with laws.

* A management report must be submitted and signed by the chief executive officer and chief accountant (or chief financial officer), which states management's responsibility for the internal control system, an assessment of the effectiveness of the system at fiscal year-end, and an assessment of compliance with laws and regulations during the fiscal year.

* An independent public accountant's report that attests to management's assertions concerning the bank's internal control and procedure for financial reporting is required.

Process for Implementing FDICIA

Small Bank was first subject to FDICIA's requirements for its fiscal year ending June 30, 1994. The documentation, review, and testing process began much earlier. The board of directors, management of the bank, and the external auditors concluded that full utilization of the institution's existing internal audit staff was the most cost effective manner to implement FDICIA. The following chronology provides an overview of significant activities:

* October 1993. Financial officers discussed the requirements with the board of directors and external auditors.

* December 1993. Board of directors approved independent public accountant's role in process and authorized fee.

* February 1994. Internal auditors met with all departmental heads to explain FDICIA requirements and process to be followed by Small Bank to comply.

* March-April 1994. Internal auditors assisted individual department managers as requested.

* May 1994. A&A reviewed initial results and provided some redirection.

* June-July 1994. Internal audit performed testing.

* July-Sept. 1994. A&A performed testing.

* September 1994. Various FDICIA reports issued.

The Role of the Auditors

The internal audit department at Small Bank assumed the responsibility for facilitating management's compliance with the act. A&A, however, was heavily involved in all phases of the work. Early in the implementation planning phase, A&A met with management and the board of directors to discuss FDICIA requirements. Also in this phase, A&A provided an implementation guide to the internal audit staff. After the internal documentation process had begun, A&A provided redirection in May 1994. At this time, A&A advised the internal audit staff to perform more detailed tests of internal control and provided the staff with additional worksheets to complete this testing. These worksheets resulted in added documentation of the internal control system that significantly aided the internal audit assessment.

Upon completion of the internal review and testing, the internal audit department issued a report to the board of directors (see Exhibit 1, Internal Audit Agreed-Upon Procedures Report). After receiving this report, management reported to the board of directors providing their assertion concerning internal controls (see Exhibit 2, Management Report on Financial Statements, Assessment of the Internal Control over Financial Reporting, and Compliance with Laws and Regulations).

Upon completion of the internal documentation and reporting, A&A performed its own tests of controls. The procedures and findings of its examination are listed in Exhibit 3, Independent Accountant's Agreed-Upon Procedures Report. Procedure 3 in the report illustrates the reliance A&A placed upon the work of the internal audit staff. Procedures 4, 5, 6, and 7 in the report list their additional tests. The reliance upon the work of the internal audit staff and the additional tests provided sufficient evidence for A&A to attest to management's assertion concerning internal controls (see Exhibit 4, Independent Accountants' Report).

Lessons Learned

Management at Small Bank relied heavily on its internal and external auditors to guide them through the FDICIA compliance process. Its experience and that of A&A can provide useful lessons to CPAs in public practice with financial institution clients and to CPAs working in the banking industry.

Get Involved Early and Help Your Client. A&A participated in the initial discussions with management and the audit committee on how to best comply with FDICIA. After these discussions, top management at Small Bank turned the documentation process over to internal audit and department managers. An information session provided by the external CPA early in the process may have eased some of the potential concerns of management.

Provide Flowchart Training and Utilize Standard Flowcharting Techniques. Flowcharts were a primary form of internal control documentation. However, many of the department heads were asked to complete flowcharts without ever having any formal training in doing so. Thus, in some cases, the flowcharts developed by the department heads were inadequate. Also, some of the flowcharts were not comparable because different methods were used. Flowchart software and training should be provided to each person responsible for developing a flowchart. The external CPA could be a valuable resource in this area and can benefit by having the documentation in a form more readily useable.

Standardize the Reporting Process. The use of individuals throughout the organization to report on the control effectiveness in their responsibility area can speed up the review and involve the entire organization. However, as in the case of flowcharts, reports from various individuals were not consistent concerning materiality, the comprehensiveness of the review, and other relevant issues. The external CPA can provide guidance in this area and develop an acceptable standard report.

Help Management Consider the Personnel Factor. The entire evaluation and documentation process can involve thousands of hours. Overtime may be required and other tasks may be set aside during the process. Also, halfway through the process at Small Bank, one member of the internal audit staff resigned. External CPAs can assist in the planning phase of the process and make sure time estimates are realistic.

Develop a Clear Understanding with Internal Audit in Planning Phase. A misunderstanding between the internal audit staff and A&A occurred during the evaluation process. The problem arose because the level of documentation of internal controls was not sufficient for A&A's purpose. After the initial work was performed, A&A informed Small Bank the work was not sufficiently detailed. Thus, internal audit had to backtrack into areas they believed were finished. The external CPA should explicitly inform the client's staff of audit expectations during the planning phase.

Mark E. Steadman, PhD, CPA, is an associate professor and Thomas E. McKee, PhD, CPA, is chairman and a professor at East Tennessee State University.

