On November 17, 2004, the Federal Deposit Insurance Corporation ("FDIC") provided guidance on the internal control attestation standards that auditors of insured institutions with $500 million or more in total assets should follow to comply with the FDIC's audit and reporting requirements. The guidance is meant to address various questions raised by institutions in light of the new requirements imposed under Section 404 of the federal Sarbanes-Oxley Act of 2002, which requires, among other things, an annual assessment by management of the effectiveness of a public institution's internal control over financial reporting and an attestation report by the public institution's independent auditor with respect to this assessment.
The FDIC's guidance provides that the auditor of a nonpublic institution need only follow the American Institute of Certified Public Accountants' existing internal control attestation standards, known as "AT 501", to satisfy 12 C.F.R. Part 363 (but note that the AICPA is currently working on revisions to that standard, in which case these ). Although public institutions are subject to Section 404 of Sarbanes-Oxley and the Public Company Accounting Oversight Board's Auditing Standard No. 2, these provisions are currently in effect only for "accelerated filers". Until this standard takes effect with respect to nonaccelerated filers (years ending on and after July 15, 2005), public institutions that are nonaccelerated filers need only follow AT 501 to satisfy FDIC's regulation.
For questions about this letter and/or how it impacts your institution, please contact Andrew Bulgin at (410) 576-4280.