One billion dollars in assets is often considered a growth benchmark for community banks. When banks reach this size, they are subject to new annual reporting requirements that they didn’t have to worry about when they were smaller.
One of these is the requirement to obtain an assessment of the effectiveness of the bank’s internal control structure and procedures. If a bank has $1 billion in consolidated total assets at the beginning of its fiscal year, it must obtain this assessment as of the end of the fiscal year, even if assets drop below this level during the year.
What Must Be Included
According to Part 363 of the FDIC Improvement Act of 1991, this assessment must include the following:
- A statement identifying the internal control framework used by management to evaluate the effectiveness of the bank’s internal control over financial reporting (ICFR).
- A statement confirming that the assessment includes controls over the preparation of financial statements in accordance with regulatory reporting instructions.
- A statement expressing management’s conclusion as to whether the bank’s ICFR is effective.
In addition, management must disclose all identified material weaknesses in internal controls that haven’t been remediated before the end of the fiscal year. If one or more material weaknesses are identified, management may not conclude that ICFR is effective.
What Is ICFR?
The Center for Audit Quality has prepared a Guide to Internal Control Over Financial Reporting. The guide includes a simple definition: the controls specifically designed to address risks related to financial reporting. In other words, these are the controls that are designed to provide reasonable assurance that a business’s (or bank’s) financial statements are reliable and prepared in accordance with GAAP.
The Committee on Sponsoring Organizations of the Treadway Commission (COSO) has produced a framework to help businesses and banks structure and evaluate internal controls that address a broad range of risks. According to the COSO framework, there are five separate components to internal controls:
- Control Environment – This sets the tone of the organization, influences the control consciousness of employees, and provides discipline and structure. The framework identifies a number of different control environment factors, including the following:
- The integrity, ethical values, and competence of employees.
- The philosophy and operating style of management.
- How management assigns authority and responsibility and develops and organizes employees.
- The level of attention and direction provided by the board of directors.
- Risk Assessment – External and internal risks must be assessed and objectives must be established. The process of risk assessment involves identifying and analyzing how all relevant risks relate to the achievement of objectives and forming a basis for determining how these risks will be managed. Mechanisms should also identify and deal with the unique risks associated with changing economic, industry, regulatory, and operating conditions.
- Control Activities – These are the policies and procedures designed to help ensure that management directives are carried out and actions are taken that address relevant risks. These activities, which occur at all levels of the organization, include approvals, authorizations, verifications, reconciliations, security of assets, and reconciliation of duties.
- Information and Communication – Important information must be identified, captured, and communicated in a way that allows employees to carry out their internal control responsibilities. Information systems produce reports that deal with internally generated data, as well as information about external events, activities, and conditions that are necessary to allow informed decision-making and external reporting.
- Monitoring Activities – This involves ongoing assessment of the quality of the internal control system’s performance over time. Ongoing monitoring includes regular management and supervisory activities as well as other relevant actions taken by employees who are involved in ICFR.
Informed Judgments and Assumptions
The Guide to Internal Control Over Financial Reporting points out that financial reporting often requires sophisticated decision-making and the use of informed judgment. For banks, this includes things like estimating allowances for loan and lease losses, valuing illiquid securities, and determining whether intangible assets are impaired.
Bank management must make informed judgments in these areas regarding the use of assumptions and the likelihood of future events. In these scenarios, there is often a range of acceptable outcomes—not just one correct result.
Internal controls can’t remove the need for judgment in these situations or eliminate the variations in reporting that are inherent when a range of acceptable outcomes is possible. However, controls can be designed and implemented so the process used to make accounting judgments is addressed. This helps provide reasonable assurances that financial reports are presented in accordance with GAAP.
How to Prepare
If your bank is approaching the $1 billion threshold, you should start making preparations to meet the FDIC Improvement Act’s requirement that you obtain an assessment of the effectiveness of your internal control structure and procedures. The first step is to gather all the documentation that will be necessary for your assessment.
Next, you should identify the most important internal controls in the areas of loans, deposits, investments, payroll, IT, etc. There may be 100 or more different controls within a community bank, so testing and documentation could be a time-consuming process.
It’s usually a good idea to do a dry run of your internal control testing at least one year before you go live so you can address any problems or issues that arise. If control failures occur after you go live, this will be reflected in the assessment of your internal controls, which could cause issues with the examiners.
In-House vs. External Assessment
The assessment of the effectiveness of your bank’s internal control structure and procedures can theoretically be done in house. However, the reality is that few community banks of this size have the resources required to perform such an assessment effectively.
Instead, it usually makes sense to outsource the assessment to a CPA firm that has expertise in COSO. This will help ensure your bank meets all the requirements of the FDIC Improvement Act that are related to internal control assessment.
We can perform an assessment of the effectiveness of your bank’s internal control structure and procedures. Give us a call to learn more.