Home > News & Events > Financial Institution Letters




Financial Institution Letters



APPLICABILITY OF SELECTED PROVISIONS OF THE SARBANES-OXLEY ACT OF 2002 TO FDIC-SUPERVISED BANKS WITH LESS THAN $500 MILLION IN TOTAL ASSETS THAT ARE NOT PUBLIC COMPANIES


This attachment addresses selected provisions of the Sarbanes-Oxley Act of 2002. For each selected section of the act, a summary of the section, and any implementing regulation, is first presented. Each summary is followed by a description of related policy guidance issued by the banking agencies or comments concerning sound corporate governance practices that banks are encouraged to implement to the extent feasible given the bank's size, complexity, and risk profile.

As used in Attachment I, the term "bank" refers to an FDIC-supervised bank with less than $500 million in total assets that is not a public company or a subsidiary of a public company.

Title I - Public Company Accounting Oversight Board

Section 102. Registration with the Board.

Only an accounting firm or an accountant that has registered with the Public Company Accounting Oversight Board, i.e., a "registered public accounting firm," can audit the financial statements of a public company. This requirement is scheduled to take effect no later than October 23, 2003.

Related Policy Guidance for Banks

The 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations assigns responsibility to an institution's board of directors for ensuring that the scope of its external auditing program is appropriate for the institution. Under the policy statement, the agencies consider an annual audit of an institution's financial statements to be the preferred type of external auditing program. Acceptable alternatives are a balance sheet audit and an examination of management's assertion on the effectiveness of the institution's internal control over financial reporting. These three types of external auditing programs can only be performed by an independent public accountant. However, when selecting such an accountant, banks are not limited to "registered public accounting firms."

Title II - Auditor Independence

On January 22, 2003, the Securities and Exchange Commission (SEC) adopted final rules implementing the auditor independence provisions of Sections 201, 202, 203, and 206 of Title II of the Sarbanes-Oxley Act and the auditor reporting requirements of Section 204 of Title II.1

Section 201. Services Outside the Scope of Practice of Auditors. and Section 202. Preapproval Requirements.

To be considered independent, a registered public accounting firm that audits a public company's financial statements would not be permitted to provide, contemporaneously with the audit, any of the non-audit services listed in Section 201 or any other service the Oversight Board determines by regulation to be impermissible. These prohibited services include:

  • Bookkeeping or other services related to the accounting records or financial statements of the audit client;
  • Financial information systems design and implementation;
  • Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
  • Actuarial services;
  • Internal audit outsourcing services;
  • Management functions or human resources;
  • Broker or dealer, investment adviser, or investment banking services; and
  • Legal services and expert services unrelated to the audit.
In general, a registered independent public accountant can provide non-audit services that are not otherwise prohibited, including tax services, to a public company audit client only if the activity is approved in advance by the company's audit committee. Similarly, the audit committee of a public company generally must preapprove all audit and permissible non-audit services to be provided by the company's external auditor.

Sound Corporate Governance Practices for Banks

The FDIC encourages each bank whose financial statements are audited and its accounting firm to follow the internal audit outsourcing prohibition in Section 201. Nevertheless, many banks have determined that the benefits of having a full-time internal auditor do not exceed the costs of such an arrangement. In addition, a bank may find that hiring separate firms to perform internal and external audit work is not cost-effective. In this regard, for a bank with less complex operations and limited staff, the use of the independent public accountant to perform both an external audit and some or all of the bank's internal audit activities may help the FDIC achieve its safety and soundness objectives for the bank.

If a bank is considering engaging its external auditor to perform both of these services, the bank's audit committee (or board of directors if there is no audit committee) and the external auditor should pay particular attention to preserving the independence of both the internal and external audit functions. Furthermore, the audit committee should document both that it has preapproved the internal audit outsourcing to its external auditor and has considered the independence issues associated with this arrangement. In this regard, the audit committee should consider the independence guidance contained in the American Institute of Certified Public Accountants' Code of Professional Conduct and the broad principles that the auditor should not perform management functions or act as an advocate for the client. The audit committee should also consider how the bank will oversee the external auditor's performance under the internal audit outsourcing contract. This oversight should be provided by a competent employee who ideally has no managerial responsibility for the areas being audited under the outsourcing contract and who reports directly to the audit committee concerning internal audit issues.

In addition, if a bank is considering having its external auditor perform any of the other non-audit services prohibited by Section 201, the FDIC encourages the bank's audit committee (or board of directors) to discuss the implications of the performance of these services on the auditor's independence.

The FDIC and the other banking agencies are revising the 1997 Interagency Policy Statement on the Internal Audit Function and Its Outsourcing consistent with the discussion above. In addition, as a general corporate governance matter, the FDIC encourages the audit committee (or board of directors) of each bank to preapprove all audit and non-audit services to be provided by its external auditor.

Section 203. Audit Partner Rotation.

A registered public accounting firm would not be considered independent of a public company audit client if the lead audit partner having primary responsibility for the audit, or the concurring audit partner responsible for reviewing the audit, has performed in this capacity for the audit client for five consecutive years. The SEC's final rule on auditor independence requires the lead and concurring partners to rotate after five years and, upon rotation, to be subject to a five-year "time out" period. In addition, the SEC's final rule imposes a seven-year rotation requirement on certain other audit partners on the audit client's engagement team followed by a two-year "time out" period. These partner rotation rules are intended to strike a balance between the need to bring a fresh look to the audit engagement and the need to maintain continuity and audit quality.

The SEC's final rules also contain an exemption from the rotation requirements for small accounting firms, i.e., firms with fewer than five public company audit clients and fewer than ten audit partners, provided an audit quality review condition is met.

Sound Corporate Governance Practices for Banks

When dealing with accounting firms that perform audits of non-public banks, the FDIC considers the SEC's standard of fewer than ten audit partners to be a reasonable boundary for defining an accounting firm to be a small firm. When a bank engages an accounting firm that is not a small firm to perform its external auditing program, the FDIC encourages audit partner rotation and "time out" periods, which may be achieved by incorporating them into the bank's engagement letter with the firm.

Section 204. Auditor Reports to Audit Committees

Each registered public accounting firm that audits a public company's financial statements should report on a timely basis to the company's audit committee:

  • All critical accounting policies used by the company;
  • Alternative accounting treatments that the accounting firm has discussed with the company's management along with the potential ramifications of using those alternatives, and the treatment preferred by the accounting firm; and
  • Other written communications the accounting firm has provided to the company's management, such as a management letter or a schedule of unadjusted differences.
These reporting requirements are intended to strengthen the relationship between the audit committee and the auditor.

Sound Corporate Governance Practices for Banks

Effective communication between an external auditor and a bank's audit committee (or board of directors if there is no audit committee) will assist the audit committee in carrying out its responsibilities. Accordingly, the FDIC encourages each bank to institute these auditor reporting practices by incorporating them into its engagement letter with the auditor.

Section 206. Conflicts of Interest.

A registered public accounting firm would not be considered independent of a public company audit client if the client's chief executive officer, controller, chief financial officer, chief accounting officer or equivalent officer was employed by the accounting firm and participated in the audit of the client during the one-year period before the beginning of the current audit.

Sound Corporate Governance Practices for Banks

The FDIC encourages each bank and its external auditing firm to comply with this conflicts of interest requirement.

Title III - Corporate Responsibility

Section 301. Public Company Audit Committees.

The audit committee of each public company listed on a securities exchange or Nasdaq would be responsible for the appointment, compensation, and oversight of the work of a registered public accounting firm related to issuing audit reports. Each member of such an audit committee must be a member of the board of directors and shall otherwise be independent. In addition, the audit committee member cannot accept any consulting, advisory, or compensatory fee from the public company, other than fees for serving as a board or committee member, or be affiliated with the company or a subsidiary of the company. The audit committee must establish procedures for processing complaints and processing confidential, anonymous submissions by employees regarding accounting, internal control, and auditing matters.

Related Policy Guidance for Banks

The 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations already encourages the board of directors of each institution that is not otherwise required to do so to establish an audit committee consisting entirely of outside directors. The FDIC continues to encourage institutions to do so. The policy statement defines "outside directors" as directors "who are not officers, employees, or principal stockholders of the institution, its subsidiaries, or its affiliates, and who do not have any material business dealings with the institution, its subsidiaries, or its affiliates."

Sound Corporate Governance Practices for Banks

In addition, it is a sound corporate governance practice for a bank to establish procedures for processing complaints and employee submissions. Accordingly, each bank's audit committee should establish a mechanism, appropriate to the size and complexity of the bank, for employees to submit confidentially and anonymously concerns to the committee about questionable accounting, internal accounting control or auditing matters. The audit committee also should set up procedures for the timely investigation of complaints received and the retention for a reasonable time period of documentation concerning the complaint and its subsequent resolution. Where the board of directors fulfills the audit committee responsibilities, the procedures should provide for the submission of employee concerns to an outside director.

Section 302. Corporate Responsibility for Financial Reports.

A public company's principal executive officer and principal financial officer must include a certification in each quarterly and annual report filed under the Securities Exchange Act of 1934. According to the SEC's final rule implementing Section 302,2 which became effective on August 29, 2002, these officers each must certify that:

  • He or she has reviewed the quarterly or annual report;
  • Based on his or her knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact; and
  • Based on his or her knowledge, the financial statements and other financial information included in the report fairly present in all material respects the public company's financial condition, results of operations, and cash flows.
The officers' certifications also must address matters pertaining to disclosure controls and procedures and internal control.

Sound Corporate Governance Practices for Banks

When a bank files its Reports of Condition and Income (Call Report), an authorized officer of the bank must sign a declaration that the reports are true to the best of the officer's knowledge and belief. In addition, two bank directors must declare that they have examined the report and attest to its correctness. Banks that issue audited financial statements to their shareholders or others may also want to consider including with the financial statements a certification by the bank's principal executive officer and principal financial officer. The certification would state that the officers have reviewed the financial statements and, based on their knowledge, the statements are true and fairly present in all material respects the bank's financial condition, results of operations, and cash flows.

Section 303. Improper Influence on Conduct of Audits.

No officer or director of a public company or anyone acting under their direction can mislead, coerce, manipulate, or fraudulently influence a registered independent public accounting firm preparing an audit report for the purpose of rendering it materially misleading.

Sound Corporate Governance Practices for Banks

The FDIC strongly encourages compliance with Section 303 regardless of the type of external auditing program an institution has implemented. Improper influence over external auditing work may be deemed an unsafe and unsound practice.

Title IV - Enhanced Financial Disclosures

Section 401. Disclosures in Periodic Reports.

Financial reports filed with the SEC must reflect material correcting adjustments identified by a registered public accounting firm. The reports shall disclose all material off-balance sheet transactions, arrangements, obligations, and relationships that may have a material current or future effect on the company.3

Sound Corporate Governance Practices for Banks

The FDIC strongly encourages banks to make all material correcting adjustments identified by external auditors regardless of the type of external auditing program the bank has implemented. If the bank issues audited financial statements, the FDIC encourages disclosure of material off balance sheet transactions to ensure that examiners and other users of the financial statements are aware of them and can include them in their evaluation of the condition and risk profile of the bank.

Section 402. Enhanced Conflict of Interest Provisions.

Public companies would be prohibited from extending credit in the form of a loan to any director or executive officer. Certain consumer loans are permitted if made in the ordinary course of the consumer credit business of the company, are generally available to the public, and made on market terms. This provision does not apply to any loan made by an insured depository institution if the loan is subject to the insider lending restrictions under section 22(h) of the Federal Reserve Act and Federal Reserve Regulation O.

Related Policy Guidance for Banks

All banks should continue to comply with Regulation O in their lending to directors and executive officers.

Section 404. Management Assessment of Internal Controls.

In their annual reports, public companies must include an internal control report that states that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. The company's registered public accounting firm must attest to and report on management's assessment.

Related Policy Guidance for Banks

The 1999 Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations identifies a management assessment of internal controls over financial reporting and an independent public accountant's attestation on management's assessment as an acceptable alternative external auditing program for an institution that chooses not to have an audit of its financial statements.

Sound Corporate Governance Practices for Banks

Even when a bank chooses to have a financial statement audit as its external auditing program, which the external auditing policy statement describes as the preferred type of program, the FDIC encourages banks to consider the benefits and costs of supplementing the audit with an internal control assessment by management and an attestation of this assessment by the bank's independent public accountant.

Section 406. Code of Ethics for Senior Financial Officers.

Each public company must disclose in financial reports filed under the Securities Exchange Act of 1934 whether the company has adopted a code of ethics that applies to its principal executive officer, principal financial officer, principal accounting officer, and controller. If not, the company must disclose the reasons why. Disclosure on a current basis is also required of amendments to and waivers from the company's ethics code for senior financial officers. In a final rule adopted on January 15, 2003,4 the SEC defined the term "code of ethics" to mean written standards that are reasonably designed to deter wrongdoing and to promote:

  • Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
  • Full, fair, accurate, timely, and understandable disclosure in reports and documents the public company files under the federal securities laws and in other public communications the company makes;
  • Compliance with applicable rules and regulations;
  • Prompt internal reporting to an appropriate person of violations of the code; and
  • Accountability for adherence to the code.
Related Policy Guidance for Banks

The FDIC issued "Guidelines for Compliance with the Federal Bank Bribery Law" in 1987.5 These guidelines encourage all FDIC-supervised banks to adopt internal codes of conduct or written policies, or amend their present codes of conduct, to include provisions that explain the general provisions of the bank bribery law. The guidelines also encourage banks to prohibit, in their codes of conduct or policies, their bank officials from self-dealing or otherwise trading on their positions with the bank. In addition, the guidelines recommend that bank codes of conduct or policies require that bank officials disclose all potential conflicts of interest, including those in which they have been inadvertently placed due to either business or personal relationships with customers, suppliers, business associates, or competitors of the bank. The guidelines define "bank official" as any employee, officer, director, agent, or attorney of an FDIC-supervised bank.

Sound Corporate Governance Practices for Banks

The FDIC continues to encourage each bank to adopt a code of ethics for senior financial officers. If the bank decides not to do so, the FDIC encourages it to explain, perhaps in the minutes of the board of directors, the reasons why. The FDIC also encourages periodic disclosure of the existence of a code of ethics, or lack thereof, to shareholders.

Section 407. Disclosure of Audit Committee Financial Expert.

Each public company must disclose whether the audit committee is comprised of at least one member who is an "audit committee financial expert." If not, the company must disclose the reasons why. In a final rule adopted on January 15, 2003, the SEC defined the term "audit committee financial expert" as a person who:

  • Understands generally accepted accounting principles (GAAP) and financial statements;
  • Is able to assess the general application of GAAP in connection with the accounting for estimates, accruals, and reserves;
  • Has experience in preparing, auditing, analyzing, or evaluating financial statements of a breadth and complexity comparable to that of the public company's financial statements, or has experience actively supervising one or more persons engaged in such activities;
  • Understands internal controls and procedures for financial accounting; and
  • Understands audit committee functions.
A person can acquire such attributes through one or more means, including education and experience as, or experience actively supervising, a public accountant, auditor, controller,, principal accounting officer, or principal financial officer.

Sound Corporate Governance Practices for Banks

The extent to which audit committee members (or directors) at public companies will be able to meet the SEC's definition of an "audit committee financial expert" is not known. Although the FDIC does not expect a bank to disclose whether or not it has a financial expert on its audit committee, a bank may choose to make such a disclosure on its own.

1The SEC's final rule can be accessed at http://www.sec.gov/rules/final/33-8183.htm.

2The SEC's final rule can be accessed at http://www.sec.gov/rules/final/33-8124.htm.

3The SEC's final rule on disclosure about off-balance sheet arrangements, which was adopted on January 22, 2003, can be accessed at http://www.sec.gov/rules/final/33-8182.htm.

4The SEC's final rule can be accessed at http://www.sec.gov/rules/final/33-8177.htm. This final rule implements both Sections 406 and 407 of the Sarbanes-Oxley Act.

5"Guidelines for Compliance with the Federal Bank Bribery Law" can be found on pages 5289-91 of the FDIC's Laws, Regulations, and Related Acts.

Last Updated 03/05/2003 communications@fdic.gov