Eighteen months ago in the Second Quarter 2003 issue of SRC Insights, I first discussed the potential impact of The Sarbanes-Oxley Act of 2002 on financial institutions. As I noted, many of the provisions in Sarbanes-Oxley merely codify the internal controls and corporate governance requirements prescribed for financial institutions through FIRREA, FDICIA, and the Board of Governors’ Regulation O, Loans to Executive Officers, Directors, and Principal Shareholders of Member Banks. I believed then and believe today that most financial institutions already have the fundamentals of corporate governance entrenched in their operations and that the significant majority of financial institutions already have rigorous processes to select qualified directors, ensure that the directors can devote an adequate commitment of time to the bank, provide continuous director training, provide solid management information, and balance the power of the CEO and directorate.
However, as they say, the proof of the pudding is in the eating, and we are finding more anecdotal evidence that compliance with the intricacies of Sarbanes-Oxley is more difficult than originally anticipated. Based on comments at our recent Bankers’ Forums, section 404, in particular, is of increasing concern to many Third District institutions.
On June 17, 2004, the Securities and Exchange Commission approved the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Conducted in Conjunction With an Audit of Financial Statements. The 161-page Auditing Standard No. 2, which addresses audits of internal control over financial reporting required by Section 404(b) of the Sarbanes-Oxley Act, is effective for fiscal years ending on or after November 15, 2004 for accelerated filers and for fiscal years ending on or after July 15, 2005 for all other filers. The issues in this area are so complex that the PCAOB has issued three documents addressing a total of 36 questions and answers related to internal control over financial reporting. 1
Due to their limited resources, many small public institutions are finding it difficult and costly to keep up with the documentation of internal controls required under section 404. Some bankers have stated that as much as five percent of earnings are being allocated toward section 404 compliance. Others have noted that the costs of documenting internal control reviews, which had been documented in the past but which now must be documented consistent with the standards necessary under section 404, have tripled. Many bankers report that a large part of the increase is driven by higher audit fees. In addition, some small institutions are finding it difficult to hire external auditors to perform the internal controls audit in conjunction with financial statement audits since firms’ scarce resources are focused on their larger clients. Finally, even when an external auditor is hired, it is taking financial institutions and their auditors a significant amount of time to work through all of the section 404 requirements, and many companies believe they will not be ready by the prescribed deadlines.
Other challenges, for institutions both large and small, arise when a merger is consummated near year-end. While pre-merger due diligence activities, under most circumstances, include a review of internal controls, typically a review of the scope required by section 404 is not performed. However, some relief might be available in this area. The SEC does have a process to consider management requests to limit the scope of management’s assessment of internal control over financial reporting under certain circumstances, which might include when a merger is consummated near year-end and a complete assessment of the target institution’s internal controls before the financial statement issuance date is not practical. When management is granted this scope waiver, PCAOB Standard No. 2 allows the auditor to limit the audit in the same manner and report without reference to the limitation in scope, subject to an evaluation of the reasonableness of management’s conclusion.
Publicly Held Banking Organizations
The federal banking agencies are aware of the concerns of institutions subject to both section 404 and Part 363 of the FDIC’s regulations (also known as FDICIA 112). Publicly held banking organizations that are subject to both section 404 and Part 363 may submit a single report to satisfy both the SEC and Part 363 requirements if the report meets the following five tests.
On November 17, 2004, the FDIC issued FIL-122-2004, Annual Audit and Reporting Requirements Internal Control Attestation Standards for Independent Auditors. 2 FIL-122-2004 provides additional guidance in this area, including guidance on reporting when an institution subject to Part 363 is a subsidiary of a public company but is not itself a public company.
Non-Publicly Held Banking Organizations
SR Letter 02-20, The Sarbanes-Oxley Act, which was issued on October 29, 2002, discussed the main provisions of the Act and their potential application to publicly traded banking institutions. 3 SR 02-20 noted that banking organizations that are not public companies generally are not covered by the provisions of the Act, but may be subject to similar requirements under other laws or Federal Reserve or FDIC regulations. For example, insured depository institutions with total assets of $500 million or more must have an annual audit conducted by an independent public accountant and must have an audit committee composed entirely of directors that are independent of management. Top-tier bank holding companies that are required to file an FR Y-6 and that have total assets of $500 million or more must also have an annual audit of their consolidated financial statements conducted by an independent public accountant. These audits should be conducted following the AICPA’s existing internal control attestation standards in AT-501. 4
Additional guidance for nonpublic banking organizations is available in the FDIC’s FIL-122-2004.
As the Federal Reserve System and other banking regulators work through section 404, PCAOB Standard No. 2, and other accounting and disclosure issues, the number and pace of which have accelerated in the wake of corporate scandals, we will continue to ensure that safety and soundness principles remain part of the dialogue. This has already taken place in areas such as the interrelationships between Sarbanes-Oxley and Regulation O; loan loss provisions and allowances; loan participations; and impairment. Dialogue between the bank supervisory agencies and the FASB, AICPA, and SEC remains an important contributor to sound public policy.
Regulations and policies that are misaligned with market realities will, in all likelihood, not be sustained, and we should expect to see further refinement and practical application of many of today's rules. Nevertheless, the current environment and the need to restore confidence in financial markets have taken us to where we are today. Ethical behavior, sound execution, and prudent business practices will help us set a new regulatory steady state.
Finally, while you work to ensure compliance with section 404 and other regulations, it is important not to lose sight of the need to think strategically and continue to make sound business decisions.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.