Financial Institution Letters
APPLICABILITY OF SELECTED PROVISIONS OF THE SARBANES-OXLEY ACT OF 2002 TO INSURED INSTITUTIONS WITH $500 MILLION OR MORE IN TOTAL ASSETS
Attachment I summarizes selected provisions of the Sarbanes-Oxley Act. The FDIC is considering possible amendments to Part 363 of its regulations that would extend certain provisions of the Sarbanes-Oxley Act that were described in Attachment I to all insured institutions with $500 million or more in total assets (covered institutions), whether or not they are public companies or subsidiaries of public companies. Any amendments to Part 363 would be developed in consultation with the other banking agencies and would be published in proposed form for public comment in the Federal Register.
This attachment discusses the relationship between three elements of the Sarbanes-Oxley Act and the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act and Part 363 of the FDIC's regulations. It then explains how FDIC-supervised covered institutions that are not public companies should view the other provisions of the Sarbanes-Oxley Act.
Appendix A to Part 363, Guidelines and Interpretations, presents the views of the FDIC on the interpretation of the annual audit and reporting requirements prescribed by Section 36 of the Federal Deposit Insurance Act. Guideline 14 addresses the qualifications of an independent public accountant engaged by an insured institution subject to Part 363 and states that the accountant should be "in compliance with the AICPA's Code of Professional Conduct and meet the independence requirements and interpretations of the SEC and its staff."
Thus, under the guidelines, each covered institution, whether or not it is a public company, and its external auditor should comply with the SEC's auditor independence requirements (17 C.F.R. Section 210.2-01) that are in effect during the period covered by the audit of the institution's financial statements. If a covered institution satisfies the annual independent audit requirement by relying on the audit of its parent holding company, the holding company's external auditor should meet the SEC's independence requirements. Accordingly, all covered institutions should review the final rules on auditor independence that the SEC adopted on January 22, 2003, and ensure that they and their external auditors take appropriate actions to comply with these rules consistent with the time frames specified in the transition guidance.
The SEC's final rules on auditor independence implement the provisions of Sections 201, 202, 203, and 206 of Title II of the Sarbanes-Oxley Act. In summary, the final rules:
For purposes of the FDIC's Part 363 auditor independence guideline, the accounting firm for a covered institution, whether or not it is a public company or a subsidiary of a public company, should meet the SEC's audit partner rotation requirements, unless the SEC's small firm exemption would apply to the firm because it has fewer than five public company audit clients and fewer than ten audit partners.
Management's Responsibility for Financial Reporting and Controls
As noted in Attachment I, Section 302 of the Sarbanes-Oxley Act requires a certification by the principal executive officer and the principal financial officer in each quarterly and annual report that a public company files under the Securities Exchange Act of 1934. The SEC adopted a final rule implementing Section 302 that became effective August 29, 2002. This final rule prescribes the specific wording of the required certification, and this wording may not be changed in any respect. In addition, each principal executive officer and principal financial officer of a public company must provide a separate certification.
Section 36 of the FDI Act and Part 363 of the FDIC's regulations require each covered institution to include a management report in the annual report it files with the FDIC, its primary federal regulator (if other than the FDIC), and any appropriate state supervisor. The management report must be signed by the institution's chief executive officer and chief accounting or chief financial officer. It must contain a statement of management's responsibilities for:
With certain exceptions, this management report requirement may be satisfied by an insured institution's holding company if the services and functions comparable to those required of the institution by Section 36 and Part 363 are provided at the holding company level.
The content of the certification required by Section 302 is sufficiently different from the content of the management report required by Section 36 and Part 363 that an insured institution that is a public company, or a subsidiary of a public holding company, may not submit a Section 302 certification in place of the required management report.
Furthermore, in recent reviews of management reports filed by insured institutions subject to Section 36 and Part 363, the FDIC has found that many institutions are failing to fully comply with the requirements governing the content of these reports. Institutions' management frequently omits one or more of the following from these reports:
Management's Assessment of Internal Controls and Accountant's Attestation on This Assessment
In addition to the management report requirements pertaining to the internal control structure and procedures for financial reporting discussed above, Section 36 and Part 363 require a covered institution's independent public accountant to examine, attest to, and report separately on management's assertion concerning internal control. This attestation report must be included in the annual report the covered institution files with the FDIC, its primary federal regulator (if other than the FDIC), and any appropriate state supervisor.
Other Provisions of the Sarbanes-Oxley Act
Unless and until the FDIC adopts any amendments to Part 363 in response to other provisions of the Sarbanes-Oxley Act and the SEC's implementing regulations, FDIC-supervised covered institutions that are not public companies should review the guidance in Attachment I concerning corporate governance practices that the FDIC encourages non-public institutions to implement to the extent feasible given the institution's size, complexity, and risk profile.