Wipfli LLP - CPAs and Consultants

Crossing the FDICIA Floor

June 01, 2005

Preparing for compliance may take up to a year. Will your financial institution be ready?

You may be entirely comfortable with the quality of your financial institution’s internal controls, but reaching a $500 million total asset mark can dramatically change your institution’s comfort level. That’s when compliance with the requirements of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) becomes necessary.

Preparing for FDICIA compliance can consume considerable resources, and getting ready could take over a year. Few organizations realize the lead time necessary or the actions required to fulfill the newly acquired responsibilities that come with the $500 million threshold.

What’s more, significant changes to FDICIA are expected by the end of 2005; regulators are currently evaluating various methods of improving FDICIA. Most likely, the FDICIA guidelines will be changed to reflect some of the differences between FDICIA and Sarbanes-Oxley Section 404.

Reviewing FDICIA requirements

Congress passed FDICIA to help the financial institution industry avoid the solvency problems of the 1980s savings-and-loan crisis. The act attempts to stabilize the industry by requiring institutions to have adequate internal control systems according to a generally accepted framework. Many institutions select the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as the de facto standard framework.

FDICIA guidelines address internal controls over a financial institution’s financial reporting, as well as internal controls over compliance with laws and regulations. Financial institutions are required to provide reasonable assurance about the reliability of their financial reporting, the effectiveness of their operations, and their compliance with laws and regulations. Management must certify that its internal control systems are designed and operating effectively, and management must produce an annual report that supports its assertion. Such evaluations must be conducted annually as long as the institution maintains assets in excess of $500 million.

Within the FDICIA control environment, management must first perform an investigation to evaluate the effectiveness of the institution’s company-level controls and a risk assessment of the financial reporting processes using both quantitative and qualitative factors. Examples of qualitative factors that can be used include transaction complexity, transaction volume, susceptibility to fraud, subjectivity in estimate/valuation, risk of contingent liability, exposure to loss, nature of the account, and change tolerance.

This process should fully assess all risks and implement mitigating control activities. The information regarding internal controls must be captured and communicated, and the entire system must be tested and monitored for effectiveness.

According to FDICIA, management has the responsibility for asserting the effectiveness of the internal controls over financial reporting and compliance with laws and regulations. In order to accomplish this, internal testing of the controls must be completed by management and the institution’s internal audit department. The institution’s independent auditors can use some of the work performed by these internal parties; however, ultimately, the auditors must come to their own conclusions on the adequacy of the institution’s annual assertion about its internal control system.

The institution’s written assertion and the auditors’ report are then provided to the FDIC and are also made available to the public.

Elements of internal controls

Financial institutions working toward FDICIA compliance should allow ample lead time for the process of documenting, reviewing, and testing their internal controls. It will involve the institution’s board of directors, management, internal audit and key institution personnel, as well as independent auditors.

When defining internal controls, institutions should take into consideration four important elements. First is the institution’s control environment. This consists of the culture, discipline, and organizational structure that will support and promote control efficiencies and, ultimately, the system’s effectiveness.

Second is the need to conduct a thorough risk assessment. Management must design a comprehensive risk management plan that identifies, measures, and mitigates risk on both a quantitative and a qualitative basis.

Third is the documentation of essential control policies and procedures and identification of key controls within the institution’s material processes. Comprehensive documentation helps to ensure that employees throughout the institution understand, adhere to, and can properly execute management’s directives. Similarly, institutions should review their communication processes and information-exchange structures so as to support the fulfillment of internal control responsibilities.

Fourth, and finally, is testing and monitoring. The effectiveness of the internal control system must be put to the test and its quality monitored over time. FDICIA requires that controls be evaluated for their design as well as their operating effectiveness as of the end of the institution’s fiscal year.

Overall, the major FDICIA implementation tasks include planning, documenting systems, evaluating risks, identifying mitigating actions, testing, remedying deficiencies, and evaluating results.

Getting good guidance

It is important for financial institutions to get their independent auditors involved early, preferably in the planning phase. The auditors can provide oversight to the process to help ensure the work being done will meet the expectations for the attestation work.

An information session with auditors at the outset can ease management concerns, set realistic personnel considerations, establish auditor expectations, and identify the best and most efficient route to compliance.

Auditors can also provide help and training to the internal team regarding documentation and can serve as a valuable resource for forms, flowcharts, and templates. Individuals throughout the institution will be required to conclude on the effectiveness of controls, and an institution’s auditors will expect that standard documentation templates were used to prevent inconsistencies and avoid insufficiencies.

Ultimately, the independent auditors can help save an institution’s time and resources, especially by establishing a clear understanding of audit expectations during the planning phase and communicating with the FDICIA implementation team throughout the process. And with the probable changes to FDICIA guidelines later this year, proper planning and ongoing communications will become even more crucial to the institution’s compliance success.