Now that the Federal Deposit Insurance Corp. has handed down the long-awaited regulations and guidelines for the audit provisions of the 1991 banking law, senior managements must get on with the task of implementation.
As unnerving as this may at first seem, with proper planning the implementation process can be much less daunting than many have feared.
The key is to act now to appoint an implementation team to establish, document, and test the system of internal controls. This team should work closely with the institution's independent auditors.
The obvious first step in the implementation process is to thoroughly review the final regulations and related guidelines to identify the specific requirements applicable to your institution.
While the final regulations retained many of the general provisions contained in last September's proposal, there are significant differences you'll want to be aware of.
Once this is done, you can begin choosing members of your implementation team. Ideally, the team will consist of senior management, line managers from all significant areas of operations, internal auditors, compliance officers and accounting personnel (including those responsible for regulatory reporting).
Selecting the Framework
Once the implementation team is in place, management must then select an acceptable framework to assess the effectiveness of internal controls.
Though the final regulations left the choice of criteria up to each institution, the FDIC did refer to existing regulatory and auditing literature as providing a general framework to measure the effectiveness of internal controls.
The FDIC also required that asset safeguards and other operational controls, such as loan underwriting and documentation, be included.
Use of criteria such as those contained in the "Internal Control - Integrated Framework" published by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, should not require any significant changes to an institution's existing system of internal controls.
For most institutions, internal controls are already well-established and functioning properly. Chances are, however, that the level and type of documentation supporting the system may be incomplete or outdated.
The team should perform a preliminary assessment of existing internal controls for all significant operating areas. This task, most reliably handled by the internal audit department and the applicable line managers, will provide an initial assessment of the existing systems and will help determine how much time and resources to allocate later.
In general, the most effective way to evaluate existing controls is through the use of internal control questionnaires or descriptions of controls typically found in an operating area.
Questionnaires and suggested controls are usually available from published sources as well as from your independent auditor. Beware, however, of "canned" approaches, which usually fall short of the expectations of management and regulators. We believe that publicly available approaches need to be appropriately tailored to fit your circumstances.
When the results are in, it becomes a matter of judgment whether the existing level of controls is sufficient.
In general, an informed decision can be made by comparing the existing controls with selected criteria, such as COSO's five basic components of internal controls: the control environment, risk assessment, control activities, information and communication, and monitoring.
Documenting the controls comes next. Many institutions do this by using a combination of questionnaires, flowcharts, narratives, and policies and procedures manuals. What is important here is not the type of documentation used, but that it be consistent across all areas of operations and tailored to your institution.
Next comes the testing phase, during which all the controls are reviewed and analyzed to ensure they are functioning properly.
Once the results are in for each operating area, the evaluations should be compiled and reviewed with senior management. Management should have enough data at this point to make an informed judgment on the institution's overall system.
At the same time, corrective actions to remedy deficiencies or weaknesses should be set in motion and follow-up evaluations scheduled.
If the implementation team has done its job correctly, the required independent auditors' testing should begin with a review of the documentation the team has pulled together.
Bringing the independent auditor into the process early will help ensure that the efforts are not duplicated and in many cases will reduce the costs associated with the independent auditors' subsequent testing and reporting.
One caveat: It must be understood from the outset that management retains primary responsibility for its own testing and assessment of internal controls. That task cannot be delegated to others outside the institution.
Throughout this process, the audit committee should be kept informed. It is responsible for reviewing contents and conclusions of management reports and the related independent auditors' reports.
For most institutions, the internal control reporting provisions will require the most effort. Management's assessment of compliance with the two designated areas of laws and regulations - dividend restrictions and loans to insiders - along with the related independent auditors' procedures reports, should not be overly burdensome, except perhaps for multibank or thrift holding companies.
For those holding companies, assessment must generally be performed at the subsidiary level, though many of these requirements can be satisfied through a consolidated report.
In order to effectively test compliance, institutions need to fully understand which transactions, if any, fall within the designated areas of laws and regulations.
Although most institutions already monitor these areas, certain computer system enhancements or other operating modifications may be needed to capture and document compliance.
The final regulation, unlike the proposal, explicitly allows internal auditors to perform a significant portion of the agreed-upon procedures work, with the independent auditors performing test work on an additional, smaller sample. This option may reduce the cost of complying with that portion of the regulation.
The final regulations stipulate that annual reports are due to the FDIC and other regulators within 90 days after the end of the fiscal year. The independent auditors' agreed-upon procedures report on compliance also is due within 90 days of year end.
Because of the delay in issuing the final regulations, the FDIC agreed to grant institutions time to restructure or form audit committees.
So at the earliest, you'll have until the first annual meeting or one year after the regulations become effective to comply with the audit committee membership requirements. Those institutions that don't currently have audit committees will have four months to put them together.
Mr. Mauriello, a KPMG Peat Marwick partner, is national director of the firm's thrift practice in Short Hills, N.J.