Federal Register: July 20, 2009 (Volume 74, Number 137)
DOCID: fr20jy09-15 FR Doc E9-17009
FEDERAL DEPOSIT INSURANCE CORPORATION
United States Institute of Peace
CFR Citation: 12 CFR Parts 308 and 363
RIN ID: RIN 3064-AD21
NOTICE: Part III
DOCUMENT ACTION: Final rule; correction.
SUBJECT CATEGORY:
Annual Independent Audits and Reporting Requirements
DATES: Effective Dates: The final rule is effective August 6, 2009. Part 363 Annual Reports with a filing deadline on or after the effective date of these amendments should be prepared in accordance with the final rule.
The compliance date for the provision of the final rule that directs covered institutions' boards of directors to develop and adopt an approved set of written criteria for determining whether a director who is to serve on the audit committee is an outside director and is independent of management (guideline 27) is delayed until December 31, 2009. The provision of the final rule that requires the total assets of a holding company's insured depository institution subsidiaries to comprise 75 percent or more of the holding company's consolidated total assets in order for an institution to be eligible to comply with part 363 at the holding company level (Sec. 363.1(b)(1)(ii)) is effective for fiscal years ending on or after June 15, 2010.
DOCUMENT SUMMARY:
The FDIC is amending part 363 of its regulations concerning annual independent audits and reporting requirements for certain insured depository institutions, which implements section 36 of the Federal Deposit Insurance Act (FDI Act), largely as proposed, but with certain modifications made in response to the comments received. The amendments are designed to further the objectives of section 36 by incorporating certain sound audit, reporting, and audit committee practices from the Sarbanes-Oxley Act of 2002 (SOX) into part 363 and they also reflect the FDIC's experience in administering part 363. The amendments will provide clearer and more complete guidance to institutions and independent public accountants concerning compliance with the requirements of section 36 and part 363. As required by section 36, the FDIC has consulted with the other Federal banking agencies. The FDIC is also making a technical amendment to its rules and procedures (part 308, subpart U) for the removal, suspension, or debarment of accountants and accounting firms.
The FDIC previously published this final rule in the Federal Register on July 7, 2009; however, the document is being republished in its entirety in order to correct an error in the DATES section which caused the applicability date to be incorrect and to correct language relating to holding company depository institution subsidiaries.
SUMMARY:
Federal Deposit Insurance Corporation
SUPPLEMENTAL INFORMATION
I. Executive Summary
Section 36 of the Federal Deposit Insurance Act (FDI Act) and the FDIC's implementing regulations (part 363) are generally intended to facilitate early identification of problems in financial management at insured depository institutions with total assets above certain thresholds through annual independent audits, assessments of the effectiveness of internal control over financial reporting and compliance with laws and regulations pertaining to insider loans and dividend restrictions, the establishment of independent audit committees, and related reporting requirements. The asset-size threshold for an institution for internal control assessments is $1 billion and the threshold for the other requirements generally is $500 million. Given changes in the industry; certain sound audit, reporting, and audit committee practices incorporated in the Sarbanes-Oxley Act of 2002 (SOX); and the FDIC's experience in administering part 363, the FDIC is amending part 363 of its regulations. These amendments are designed to further the objectives of section 36 by incorporating these sound practices into part 363 and to provide clearer and more complete guidance to institutions and independent public accountants concerning compliance with the requirements of section 36 and part 363.
After making certain modifications to the proposed amendments to part 363 \1\ in response to the comments received, the most significant revisions to existing part 363 that are included in the final rule will: (1) Extend the time period for a nonpublic institution to file its Part 363 Annual Report by 30 days and replace the 30-day extension of the filing deadline that may be granted if an institution (public or nonpublic) is confronted with extraordinary circumstances beyond its reasonable control with a late filing notification requirement that would have general applicability; (2) provide relief from the annual reporting requirements for institutions that are merged out of existence before the filing deadline; (3) provide relief from reporting on internal control over financial reporting for businesses acquired during the fiscal year; (4) require management's assessment of compliance with the laws and regulations pertaining to insider loans and dividend restrictions to state management's conclusion regarding compliance and disclose any noncompliance with such laws and regulations; (5) require an institution's management and the independent public accountant to identify the internal control framework used to evaluate internal control over financial reporting and disclose all identified material weaknesses that have not been remediated prior to the institution's most recent fiscal year-end; (6) clarify the independence standards with which independent public accountants must comply and enhance the enforceability of compliance with these standards; (7) specify that the duties of the audit committee include the appointment, compensation, and oversight of the independent public accountant, including ensuring that audit engagement letters do not contain unsafe and unsound limitation of liability provisions; (8) require certain communications by independent public accountants to audit committees; (9) establish retention requirements for audit working papers; (10) require boards of directors to adopt written criteria for evaluating an audit committee member's independence and provide expanded guidance for boards of directors to use in determining independence; (11) provide that ownership of 10 percent or more of any class of voting securities of an institution is not an automatic bar for considering an outside director to be independent of management; (12) require the total assets of a holding company's insured depository institution subsidiaries to comprise 75 percent or more of the holding company's consolidated total assets in order for an institution to be eligible to comply with part 363 at the holding company level; and (13) provide illustrative management reports to assist institutions in complying with the annual reporting requirements.
\1\ 72 FR 62310, November 2, 2007.
The FDIC is also amending its rules and procedures (part 308, subpart U) for the removal, suspension, or debarment of accountants and accounting firms from performing audit services required by section 36 of the FDI Act to specify where an accountant or accounting firm should file required notices of orders and actions with the FDIC.
II. Background
Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) added section 36, ``Early Identification of Needed Improvements in Financial Management,'' to the FDI Act (12 U.S.C. 1831m). Section 36 is generally intended to facilitate early identification of problems in financial management at insured depository institutions above a certain asset size threshold through annual independent audits, assessments of the effectiveness of internal control over financial reporting and compliance with designated laws and regulations, and related reporting requirements. Section 36 also includes requirements for audit committees at these insured depository institutions. Section 36 grants the FDIC discretion to set the asset size threshold for compliance with these statutory requirements, but it states that the threshold cannot be less than $150 million. Sections 36(d) and (f) also obligate the FDIC to consult with the other Federal banking agencies in implementing these sections of the FDI Act, and the FDIC has performed the required consultation.
Part 363 of the FDIC's regulations (12 CFR part 363), which
implements section 36 of the FDI Act, was initially adopted by the
FDIC's Board of Directors in 1993. At present, part 363 requires each
insured depository institution with $500 million or more in total
assets (covered institution) to submit to the FDIC and other
appropriate Federal and State supervisory agencies an annual report
(Part 363 Annual Report) comprised of audited financial statements, and
a management report containing a statement of management's
responsibilities and an assessment by management of compliance with
laws and regulations pertaining to insider loans and dividend
restrictions. The management report component of the annual report for
an institution with $1 billion or more in total assets must also
include an assessment by management of the effectiveness of internal
control over financial reporting and an independent public accountant's
attestation report on internal control over financial reporting. In
addition, part 363 provides that each covered institution's board of
directors must establish an independent audit committee comprised of
outside directors. For an institution with between $500 million and $1
billion in total assets, part 363 requires a majority of the members of
the audit committee to be independent of management of the institution.
For a larger institution, all of the members of the audit committee
must be independent of management. Part 363 also includes Guidelines
and Interpretations (Appendix A to part 363), which are intended to
assist institutions and independent public accountants in understanding and complying with section 36 and part 363.
III. Discussion of Proposed Amendments and Comments Received
On October 16, 2007, the FDIC's Board approved the publication of proposed amendments to part 363 and part 308, subpart U, of the FDIC's regulations, which were published in the Federal Register on November 2, 2007, for a 90-day comment period (72 FR 62310). The comment period closed on January 31, 2008.
Given the number and extent of changes to part 363 and its
Guidelines and Interpretations and to enable readers to more easily
understand the context of the changes, this notice includes the entire
text of part 363 as amended, not just the amended text. Also, the
following ``Table of Changes to Part 363 and Appendices'' is intended
to assist readers in determining which sections of part 363 are affected by the final rule.
Table of Changes to Part 363 and Appendices

Section                           Unchanged  Revised  New  Reserved
-------------------------------------------------------------------
Part 363--Annual Independent Audits and Reporting Requirements:
  Table of Contents                             X
  OMB Control Number: Sec. 363.0      X
  Scope and Definitions:
    Sec. 363.1(a)                               X
    Sec. 363.1(b)(1)                            X
    Sec. 363.1(b)(2)                            X
    Sec. 363.1(b)(3)                  X
    Sec. 363.1(c)                                      X
    Sec. 363.1(d)                                      X
  Annual Reporting Requirements:
    Sec. 363.2(a)                               X
    Sec. 363.2(b)                               X
    Sec. 363.2(b)(1)                            X
    Sec. 363.2(b)(2)                            X
    Sec. 363.2(b)(3)                            X
    Sec. 363.2(c)                                      X
  Independent Public Accountant:
    Sec. 363.3(a)                     X
    Sec. 363.3(b)                               X
    Sec. 363.3(c)                               X
    Sec. 363.3(d)                                      X
    Sec. 363.3(e)                                      X
    Sec. 363.3(f)                                      X
    Sec. 363.3(g)                                      X
  Filing and Notice Requirements:
    Sec. 363.4(a)                               X
    Sec. 363.4(b)                               X
    Sec. 363.4(c)                               X
    Sec. 363.4(d)                     X
    Sec. 363.4(e)                                      X
    Sec. 363.4(f)                                      X
  Audit Committees:
    Sec. 363.5(a)                               X
    Sec. 363.5(b)                               X
    Sec. 363.5(c)                                      X
Appendix A to Part 363--Guidelines and Interpretations:
  Table of Contents                             X
  Introduction                        X
  Scope (Sec. 363.1):
    Guideline 1                       X
    Guideline 2                       X
    Guideline 3                                 X
    Guideline 4                                 X
    Guideline 4A                                       X
  Annual Reporting Requirements (Sec. 363.2):
    Guideline 5                                 X
    Guideline 5A                                       X
    Guideline 6                                 X
    Guideline 7                                 X
    Guideline 7A                                       X
    Guideline 8                                 X
    Guideline 8A                                       X
    Guideline 8B                                       X
    Guideline 8C                                       X
    Guideline 9                                 X
    Guideline 10                                X
    Guideline 11                                X
    Guideline 12                                               X
  Role of Independent Public Accountant (Sec. 363.3):
    Guideline 13                                X
    Guideline 14                                               X
    Guideline 15                                X
    Guideline 16                                               X
    Guideline 17                      X
    Guideline 18                                X
    Guideline 18A                                      X
    Guideline 19                      X
    Guideline 20                                X
    Guideline 21                      X
  Filing and Notice Requirements (Sec. 363.4):
    Guideline 22                                               X
    Guideline 23                                X
    Guideline 24                      X
    Guideline 25                                               X
    Guideline 26                                X
  Audit Committees (Sec. 363.5):
    Guideline 27                                X
    Guideline 28                                X
    Guideline 29                                               X
    Guideline 30                                X
    Guideline 31                                X
    Guideline 32                                X
    Guideline 33                      X
    Guideline 34                      X
    Guideline 35                                X
  Other: Guideline 36                           X
Table 1 to Appendix A--Designated Federal
  Laws and Regulations                          X
Appendix B--Illustrative
  Management Reports                                   X
In response to its request for comments, the FDIC received 23 comment letters that addressed the proposed amendments to part 363. These commenters represented 12 financial institutions; 3 bankers' trade organizations; 4 accounting firms; 1 accountants' trade organization; 1 State regulatory organization; and 2 law firms.
Regarding the technical amendment to part 308, Subpart U, the FDIC did not receive any comments on its proposal to specify the location where an accountant or accounting firm should file required notices of orders and actions regarding removal, suspension, or debarment.
With respect to the comments received on the proposed amendments to part 363, eight commenters expressed general support for the proposal, seven commenters were generally not supportive, and eight commenters did not express an overall view on the proposal. While comments were received on almost every aspect of the proposed amendments, no commenter specifically commented on each aspect. However, eleven commenters expressed concerns regarding the regulatory burden associated with various aspects of the proposal. In addition, commenters expressed concerns about the following aspects of the proposed amendments:
The following sections discuss the proposed amendments and the comments and concerns raised by the commenters, including the responses received on two specific aspects of the proposed amendments for which the FDIC specifically requested comments: (1) Disclosure of noncompliance with the designated safety and soundness laws and regulations pertaining to insider loans and dividend restrictions, and (2) the 75 percent of total assets threshold for eligibility to comply with the requirements of part 363 at the holding company level.
A. Scope and Definitions (Sec. 363.1 and Guidelines 1-4A)
1. Applicability
The FDIC proposed to amend Sec. 363.1(a) to more clearly state that part 363 applies to any insured depository institution that has consolidated total assets of $500 million or more at the beginning of its fiscal year.
One commenter that represents over 30 community banks recommended that the FDIC raise the asset size threshold from $500 million to $1 billion for requiring compliance with part 363. In November 2005, when the FDIC increased the asset size threshold for assessments of internal control over financial reporting from $500 million to $1 billion, it concluded that exempting all institutions below this higher size level from all of the requirements of part 363 would not be consistent with the objective of the underlying statute, i.e., early identification of needed improvements in financial management. The Federal banking agencies rely upon financial information to evaluate the condition of insured depository institutions and to determine the adequacy of regulatory capital. Accurate and reliable measurement of an institution's loans, other assets, and earnings has a direct bearing on the determination of regulatory capital. The agencies are able to place greater reliance on measurements contained in financial statements that have been subject to an independent audit. Independent audits help to identify weaknesses in internal control over financial reporting and risk management at institutions and reinforce corrective measures, thus complementing supervisory efforts in contributing to the safety and soundness of insured depository institutions. Therefore, after considering this comment, the FDIC has determined that, except where a $1 billion or higher asset threshold already applies, the $500 million asset size threshold continues to be the appropriate level for requiring compliance with part 363.
2. Compliance by Subsidiaries of Holding Companies
At present, an insured depository institution that is a subsidiary of a holding company may use consolidated holding company financial statements to satisfy the audited financial statements requirement of part 363 regardless of whether the assets of the insured depository institution subsidiary or subsidiaries of the holding company represent substantially all or only a minor portion of the holding company's consolidated total assets. When the assets of insured depository institution subsidiaries do not comprise a substantial portion of a holding company's consolidated total assets, the FDIC staff has found that the holding company's consolidated financial statements, including the accompanying notes to the financial statements, do not tend to provide sufficient information that is indicative of the financial position and results of operations of these institutions. Also, when the insured depository institution subsidiaries do not contribute significantly to the holding company's financial position and results of operations, the extent of audit coverage given to these institutions in the audit of the consolidated holding company may be limited. Such limited audit coverage would not be consistent with the purpose and intent of section 36 of the FDI Act, which focuses on insured depository institutions rather than holding companies. In this situation, the assurance that would be provided by an independent audit performed substantially at the level of the insured depository institution subsidiaries is not otherwise available.
Therefore, given the differing characteristics of the holding companies that own insured depository institutions as well as the relationship of an insured depository institution's total assets to the consolidated total assets of its parent holding company, and in keeping with the intent and purpose of section 36 of the FDI Act, the FDIC proposed to amend Sec. Sec. 363.1(b)(1) and (2) by revising the criteria for determining whether the audited financial statements requirement and the other requirements of part 363 may be satisfied at a holding company level. More specifically, in order for a covered institution to be eligible to comply with the requirements of part 363 at the top-tier or any other mid-tier holding company level, the FDIC proposed that the consolidated total assets of the insured depository institution (or the consolidated total assets of all of the holding company's insured depository institution subsidiaries, regardless of size, if the top-tier or mid-tier holding company owns or controls more than one insured depository institution) must comprise 75 percent or more of the consolidated total assets of the top-tier or mid-tier holding company. The FDIC believes that this percentage-of-assets threshold should ensure that the extent of independent audit work performed at the insured depository institution level is sufficient to satisfy the intent of section 36 of the FDI Act, that is, the early identification of needed improvements in financial management at insured institutions. The FDIC also believes that this threshold will continue to provide flexibility to the vast majority of covered institutions that are part of a holding company structure with respect to the level at which they may comply with part 363.
When determining an appropriate percentage-of-assets threshold for compliance with part 363 at a holding company level, the FDIC considered the range of percentage-of-assets ratios for covered institutions that are part of a holding company structure. The vast majority of insured institutions subject to part 363 that are in a holding company structure are subsidiaries of organizations where the assets of the insured depository institution subsidiaries of the holding company comprise 90 percent or more of the holding company's consolidated total assets. Of the remaining institutions subject to part 363 that are in a holding company structure, most are subsidiaries of organizations where the assets of the insured institutions comprise either from 75 to 90 percent or less than 25 percent of the top-tier parent company's consolidated total assets. Smaller numbers of institutions are subsidiaries of organizations where the assets of the insured institutions comprise from 25 to 50 percent or from 50 to 75 percent of the top-tier parent company's consolidated total assets. However, in a number of cases where the insured institution subsidiaries comprise less than 75 percent of the top-tier holding company's consolidated total assets, the insured institution subsidiaries that are subject to part 363 currently comply with the regulation at a mid-tier holding company level where the assets of the insured institution subsidiaries comprise 90 percent or more of the mid-tier holding company's consolidated total assets. Thus, these institutions would not need to change how they comply with part 363 in response to the establishment of the proposed 75 percent threshold, provided they continue to comply at the same mid-tier holding company level and this holding company continues to meet the 75 percent threshold.
To assist it in considering the costs and benefits of a threshold, the FDIC specifically requested comment as to whether 75 percent or more of consolidated total assets is an appropriate threshold. Six commenters expressed views that the 75 percent threshold is reasonable, is in the public's best interest, and provides ease of application while obtaining appropriate audit coverage of the insured depository institutions.
Three commenters were opposed to the proposed 75 percent threshold. These commenters expressed the following concerns:
The FDIC continues to recognize that those institutions currently complying with part 363 at the holding company level that will not meet the proposed 75-percent-of-consolidated-total-assets threshold will incur additional costs from having to comply with the regulation at the institution level or at a suitable mid-tier holding company level. Requiring institutions that do meet the 75 percent threshold, or a lower percentage threshold, to consult with the FDIC prior to reporting at a holding company level would add a new element of regulatory burden and would not provide certainty nor contribute to the ease of application of the 75 percent threshold. The FDIC has concluded that the 75-percent-of-assets threshold strikes an appropriate balance between insured institution financial data and audit coverage and the cost of compliance with part 363.
The FDIC agrees with the comment that institutions that currently report at the holding company level, but do not meet the 75-percent-of-consolidated-total-assets threshold, should be afforded sufficient time to comply with this new requirement. Accordingly, the FDIC has decided to delay the effective date for implementing this threshold until fiscal years ending on or after June 15, 2010. Thus, for fiscal years ending on or before June 14, 2010, all insured depository institutions may continue to satisfy the audited financial statements requirement of part 363 at a holding company level whether or not the institution's consolidated total assets (or the consolidated total assets of all of its parent holding company's insured institutions) comprise 75 percent or more of the holding company's consolidated total assets at the beginning of the fiscal year.
Guideline 3 to part 363, Compliance by Holding Company Subsidiaries, states that when a holding company submits audited consolidated financial statements and other reports or notices required by part 363 on behalf of any subsidiary institution, an accompanying cover letter should identify all subsidiary institutions to which the statements, reports, or other notices pertain. Because many cover letters received by the FDIC have not sufficiently identified these subsidiary institutions, the FDIC proposed to amend guideline 3 to clarify what information should be included in the cover letter. No comments were received on this aspect of the proposal.
3. Financial Reporting
The FDIC proposed to add a new Sec. 363.1(c) and a new guideline 4A, Financial Reporting, to specify that ``financial reporting'' includes both financial statements prepared in accordance with generally accepted accounting principles and those prepared for regulatory reporting purposes. Also, as proposed, guideline 4A clarifies that financial statements prepared for regulatory reporting purposes consist of the schedules equivalent to the basic financial statements that are included in an institution's appropriate regulatory report and that financial statements prepared for regulatory reporting purposes do not include regulatory reports prepared by a nonbank subsidiary of a holding company or an institution.
One commenter recommended that the FDIC further clarify the definition of financial reporting for purposes of part 363 to more clearly align it with current reporting practices. This commenter also stated that, when reporting at a holding company level, ``regulatory reporting'' would not extend to assertions about internal control over financial reporting at the subsidiary institution level. Another commenter, an accountants' trade organization, stated that the proposed amendment seems to imply that institutions' regulatory reports may not be prepared in conformity with generally accepted accounting principles (GAAP). This commenter recommended that the FDIC clarify the definition of financial reporting to state that both financial statements and the regulatory reports be prepared in accordance with GAAP to make it consistent with current practice.
While the FDIC believes that the proposed amendments are consistent with explanatory guidance it issued on this subject in December 1994,\2\ the FDIC has decided to modify the proposed definition of financial reporting set forth in Sec. 363.1(c) and guideline 4A, Financial Reporting, to state more clearly that, when reporting at a holding company level, it includes the financial statements and regulatory reports of an institution's holding company. The modified definition would also state that, for recognition and measurement purposes, regulatory reporting requirements shall conform to GAAP.
\2\ See FDIC Financial Institution Letter (FIL) 86-94, dated December 23, 1994.
4. Definitions
The FDIC proposed to add Sec. 363.1(d), Definitions, to define several common terms used in part 363 and the guidelines and received no comments on these definitions.
B. Annual Reporting Requirements (Sec. 363.2 and Guidelines 5-12)
1. Audited Financial Statements
Consistent with sound management practices and the objective of internal control over financial reporting, the FDIC proposed to amend Sec. 363.2(a) to require that the annual financial statements reflect all material correcting adjustments identified by the independent public accountant. Financial statements issued by insured depository institutions that are public companies or by their parent holding companies that are public companies are already subject to such a requirement pursuant to section 401 of SOX. The FDIC believes this requirement should also apply to institutions subject to part 363 that are not public companies.
In response to a commenter's recommendation, the FDIC revised this proposed requirement to provide additional context regarding the phrase ``material correcting adjustments identified by the independent public accountant'' by explaining that these adjustments should be those that are necessary for the financial statements to conform with GAAP.
2. Part 363 Management Report Contents
The FDIC has noted differences in the content of the management reports included in Part 363 Annual Reports and the adequacy of the information in these management reports regarding the results of management's assessments of the effectiveness of internal control over financial reporting and compliance with the laws and regulations pertaining to insider loans and dividend restrictions. Identified material weaknesses in internal control over financial reporting and instances of noncompliance with insider lending requirements and dividend restrictions have not always been disclosed.
In addition, management's assessment of internal control over financial reporting has often failed to disclose the internal control framework used to perform the assessment of the effectiveness of these controls and to clearly state whether controls over the preparation of the regulatory financial statements have been included within the scope of management's assessment. The omission of this information from an institution's management report reduces the usefulness of the report as a means of identifying needed improvements in financial management, which is the objective of section 36 of the FDI Act. The regulations adopted by the Securities and Exchange Commission (SEC) in 2003 implementing the requirement in section 404 of SOX for a management report on internal control over financial reporting require management to identify the internal control framework it used to evaluate the effectiveness of these controls and to disclose any identified material weakness.
To provide clearer guidance on the information that should be included in the management report, the FDIC proposed to expand Sec. 363.2(b) to require management's assessment of compliance with the laws and regulations pertaining to insider loans and dividend restrictions to include a clear statement as to management's conclusion regarding compliance and to disclose any noncompliance with such laws and regulations. In addition, the proposed amendment to Sec. 363.2(b) would require management's assessment of internal control over financial reporting to identify the internal control framework that management used to make its evaluation, include a statement that the evaluation included controls over the preparation of regulatory financial statements, include a clear statement as to management's conclusion regarding the effectiveness of internal control over financial reporting, disclose all material weaknesses identified by management, and preclude management from concluding that internal control over financial reporting is effective if there are any material weaknesses.
The FDIC specifically requested comment as to whether the disclosure in the management report of instances of noncompliance with the laws and regulations pertaining to insider loans and dividend restrictions should be made available for public inspection or be designated as privileged and confidential and not be made available to the public by the FDIC. Three commenters supported public availability only for disclosures of ``material'' noncompliance and twelve commenters were not supportive of public availability of disclosures of noncompliance. These commenters were concerned that minor errors may be mistaken for a systemic compliance failure and stated that noncompliance should be addressed through the examination process.
The FDIC has considered these comments and notes that all insured depository institutions, regardless of size, are required to comply with the designated safety and soundness laws and regulations that deal with insider loans and dividend restrictions. Moreover, these laws and regulations have not substantially changed since part 363 was first implemented in 1993. Thus, well before an insured depository institution reaches $500 million in total assets and becomes subject to part 363, it should already have appropriate policies, procedures, controls, and systems in place to monitor insider lending activities and assess its dividend-paying capacity and thereby ensure compliance with the safety and soundness laws and regulations in these two designated areas. Public availability of disclosures of instances of noncompliance with these designated laws and regulations should act as a further stimulus to management's efforts to ensure that its policies, procedures, controls, and systems are sound and operating effectively. Therefore, the FDIC has concluded that, to reinforce the importance of management's responsibility for complying with the laws and regulations pertaining to insider loans and dividend restrictions, instances of noncompliance with these laws and regulations should be disclosed in management's assessment (that is included in the management report) and made available to the public.
Nevertheless, based on the comments it received on this issue, the FDIC believes it would be useful to provide further guidance regarding disclosure of noncompliance with the designated safety and soundness laws and regulations. Accordingly, the FDIC is adding guideline 8C, Management's Disclosure of Noncompliance with Designated Laws and Regulations, to Appendix A to part 363. This guideline states that management is not required to specifically identify the individual or individuals (e.g., officers or directors) who were responsible for or were the subject of any such noncompliance and provides general parameters for making the disclosure. For example, the disclosure should include appropriate qualitative and quantitative information to describe the nature, type, and severity of the noncompliance. Also, similar instances of noncompliance may be aggregated.
While the majority of commenters did not comment on the proposed revisions applicable to management's report on internal control over financial reporting, four commenters expressed concerns or made recommendations as follows:
recruit personnel with the level of training and experience necessary to implement the accounting and reporting rules.
Management has been required to assess and report on the effectiveness of an institution's internal control over financial reporting since part 363 was first implemented in 1993. In November 2005, when the FDIC increased the asset size threshold for internal control assessments from $500 million to $1 billion, it concluded, and continues to believe, that the $1 billion asset size threshold is appropriate for requiring assessments and reports on internal control over financial reporting. Therefore, the FDIC has decided to retain the $1 billion asset size threshold for requiring assessments and reports on internal control over financial reporting. Also, for the reasons previously stated, the FDIC does not believe that a ``delayed phase-in'' of the requirement for assessing and reporting on internal control over financial reporting is necessary or appropriate. Moreover, a phase-in of the requirement for management to assess and report on internal control over financial reporting in effect already exists because this requirement takes effect only when an institution's total assets exceed $1 billion, not when the institution first becomes subject to the other audit and reporting requirements of section 36 and part 363 when its assets reach $500 million.
With respect to management's reporting on the material weaknesses it has identified in the management report component of its Part 363 Annual Report, the FDIC notes that section 36 of the FDI Act requires management to perform an assessment of internal control over financial reporting as of year-end. Therefore, to clarify management's reporting responsibility, the FDIC has revised Sec. 363.2(b)(3)(iii) to explain that management must disclose all material weaknesses in internal control over financial reporting that it has identified and that have not been remediated prior to the end of the institution's fiscal year.
Because part 363 and its guidelines provide only limited guidance concerning the contents of the management report and the related signature requirements for this report, institutions and auditors have expressed interest in examples of acceptable reports. Therefore, to assist managements of insured depository institutions in complying with the annual reporting requirements of Sec. 363.2, the FDIC proposed to add Appendix B to Part 363, Illustrative Management Reports. Appendix B provides guidance regarding reporting scenarios that satisfy the annual reporting requirements of part 363, illustrative management reports, and an illustrative cover letter for use when an institution complies with the annual reporting requirements at the holding company level. The FDIC also states in Appendix B that the use of the illustrative management reports and cover letter is not required. The FDIC encourages the managements of insured depository institutions to tailor the wording of their management reports to fit their particular circumstances, especially when reporting on material weaknesses in internal control over financial reporting or noncompliance with designated laws and regulations.
Two commenters stated that the illustrative management reports are helpful and will mitigate regulatory burden. Another commenter suggested that the illustrative management reports would be better suited in an accounting and auditing guide that could be updated regularly to reflect changes in professional standards or other requirements that would affect these reports and that the accounting and auditing guide could illustrate the differences in reporting under AICPA and PCAOB standards. This commenter also stated that the illustrative management report on internal control over financial reporting at the holding company level is inconsistent with current practice and that it does not clearly and appropriately describe the scope of the internal control assessments by management or the independent public accountant. This commenter added that the language in the illustrative management report on internal control at the holding company level does not make it clear to a reader whether management has separately assessed the effectiveness of internal control over financial reporting at each subsidiary institution listed in the report.
The FDIC has considered this commenter's suggestion that the illustrative management reports would be better suited in an accounting and auditing guide. In this regard, the FDIC notes that auditing and attestation standards require auditors to evaluate the elements that management is required to present in its report on its assessment of internal control over financial reporting, but these standards do not fully address the requirements of part 363 for management reports on internal control nor do they provide guidance to management regarding the preparation of management reports for part 363 purposes. Given the varying degrees of familiarity of institution management with professional auditing and attestation standards as well as the lack of availability of illustrative management reports that satisfy the requirements of part 363, the FDIC has determined that the illustrative management reports should be provided in Appendix B to part 363. However, in response to this commenter's statements concerning the illustrative management reports on internal control over financial reporting at the holding company level, the FDIC has revised the text of these illustrative management reports, which are presented in sections 5(c) and (d) and 6(b) of Appendix B. More specifically, the sample text in these illustrative reports that identifies the subsidiary institutions that are subject to part 363 has been revised by removing the language stating that these institutions are included in the scope of management's assessment of internal control over financial reporting. The FDIC believes that the revised illustrative management reports on internal control over financial reporting at the holding company level are consistent with current practices and professional auditing and attestation standards.
Regarding management's responsibility for assessing compliance with the laws and regulations pertaining to insider loans and dividend restrictions, the FDIC proposed to revise and update Table 1 to Appendix A of part 363 to reflect changes in these laws and regulations that have occurred since this table was last revised in 1997. The FDIC received no comments on the revised and updated Table 1.
3. Management Report Signatures
Section 36(b)(2) of the FDI Act requires an institution's management report to be signed by the chief executive officer and the chief accounting officer or chief financial officer. In its reviews of management reports, the FDIC has noted that these reports are often not signed by the officers at the appropriate corporate level when the audited financial statements requirement is satisfied at the holding company level or when one or more of the components of the management report is satisfied at the holding company level and the remaining components of the management report are satisfied at the insured depository institution level. Therefore, the FDIC proposed to add Sec. 363.2(c) to specify which corporate officers must sign the management report and also the level of the corporate signers (i.e., insured depository institution level or the holding company level). No comments were received on this aspect of the proposal.
4. Institutions Merged Out of Existence
To reduce regulatory burden and provide certainty for merging institutions, the FDIC proposed to add guideline 5A, Institutions Merged Out of Existence, to explicitly provide relief from filing a Part 363 Annual Report for an institution that is merged out of existence after the end of its fiscal year, but before the deadline for filing its Part 363 Annual Report. However, a covered institution that is acquired after the end of its fiscal year, but retains its separate corporate existence rather than being merged out of existence, would continue to be required to file a Part 363 Annual Report for that fiscal year. Three commenters commented in support of this aspect of the proposal, one of whom stated that the proposed amendment will reduce both regulatory burden and uncertainty.
5. Management's Assessment of the Effectiveness of Internal Control Over Financial Reporting
The FDIC has publicly advised institutions with $1 billion or more in total assets that are public companies or subsidiaries of public companies that they have considerable flexibility in determining how best to satisfy the SEC's requirements for management's assessment of internal control over financial reporting which implement section 404 of SOX, and the FDIC's requirements in part 363.\3\ The reporting flexibility available to institutions subject to both the section 404 and the part 363 requirements was initially described in the preamble to the SEC's section 404 final rule release (68 FR 36642, June 18, 2003). This final rule release explained that the flexible reporting approach described in the preamble had been developed by the SEC staff in consultation with the staff of the Federal banking agencies. To codify this reporting flexibility in part 363, the FDIC proposed to add guideline 8A, Management's Assessment of the Effectiveness of Internal Control Over Financial Reporting. For an institution with $1 billion or more in total assets that is subject to both part 363 and the SEC's rules implementing section 404 of SOX (or whose parent holding company is subject to section 404 and the condition in Sec. 363.1(b)(2) is met), the proposed guideline describes two options for complying with the filing requirements regarding management's report on internal control over financial reporting. These options are to prepare (1) two separate reports, one to satisfy the FDIC's part 363 requirements and another to satisfy the SEC's section 404 requirements, or (2) a single report that satisfies all of the FDIC's part 363 requirements and all of the SEC's section 404 requirements. No comments were received on proposed new guideline 8A.
\3\ 70 FR 71231, November 28, 2005; 70 FR 44295, August 2, 2005; FDIC Financial Institution Letter (FIL) 137-2004, December 21, 2004.
6. Internal Control Reports for Acquired Businesses
Currently, under the reporting requirements of part 363, both management's and the independent public accountant's evaluation of an institution's internal control over financial reporting must include controls at an institution in its entirety, including all of its consolidated businesses, including businesses that were recently acquired. However, like the SEC staff, the FDIC recognizes that it may not always be possible for management to conduct an evaluation of the internal control over financial reporting of an acquired business in the period between the consummation date of the acquisition and the due date of management's internal control evaluation. The SEC staff has provided guidance to public companies stating that the staff would not object to the exclusion of the acquired business from management's evaluation of internal control over financial reporting, provided certain disclosures are made and other conditions are met.\4\ The FDIC has received and granted several written requests from institutions subject to the internal control reporting requirements of part 363 to exclude recently acquired businesses from the scope of management's internal control evaluation.
\4\ See Question 3 in the SEC staff's Frequently Asked Questions on Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports at http://www.sec.gov/info/accountants/controlfaq1004.htm.
To reduce regulatory burden, including the burden of submitting written requests to the FDIC, and provide certainty to institutions, the FDIC proposed to add guideline 8B, Internal Control Reports for Acquired Businesses, to explicitly provide relief from the reporting requirements regarding internal control over financial reporting related to business acquisitions made by an institution during its fiscal year. As proposed and consistent with the SEC staff's guidance, guideline 8B would permit management's evaluation of internal control over financial reporting to exclude internal control over financial reporting for the acquired business, provided management's report identifies the acquired business, states that the acquired business is excluded from management's evaluation of internal control over financial reporting, and indicates the significance of the acquired business to the institution's consolidated financial statements. Also, proposed guideline 8B would clarify that if the acquired business is an insured depository institution that is subject to part 363 and it is not merged out of existence before the deadline for filing its Part 363 Annual Report, the acquired business (institution) must continue to comply with all of the applicable requirements of part 363. One commenter commented on this aspect of the proposal and supported the amendment as proposed, stating that it will reduce both regulatory burden and uncertainty.
7. Standards for Internal Control
At present, guideline 10, Standards for Internal Control, provides that each institution should determine its own standards for establishing, maintaining, and assessing the effectiveness of its internal control over financial reporting, but it does not describe the characteristics of a suitable internal control framework. The FDIC proposed to amend guideline 10 to provide guidance regarding the attributes of a suitable internal control framework. The proposed attributes are consistent with the attributes the SEC described in the preamble to the SEC's section 404 final rule release (68 FR 36648, June 18, 2003). The FDIC believes that a framework with these attributes is appropriate for all institutions whether or not they are public companies. No comments were received on this aspect of the proposal.
C. Independent Public Accountant (Sec. 363.3 and Guidelines 13-21)
1. Internal Control Over Financial Reporting
As with its experience in reviewing the portion of the management report in which management provides its assessment of the effectiveness of the institution's internal control over financial reporting, the FDIC has found some independent public accountants' internal control attestation reports to be less than sufficiently informative. Such attestation reports are, therefore, inconsistent with the objectives of section 36 of the FDI Act. As a consequence, the FDIC proposed to amend Sec. 363.3(b), which governs the independent public accountant's report on internal control over financial reporting, to specify that, consistent with generally accepted standards for attestation engagements, the Public Company Accounting Oversight Board's (PCAOB) auditing standards, and related PCAOB staff implementation guidance, the accountant's report must:
The FDIC also proposed to amend guideline 18, Attestation Report, to be consistent with Sec. 363.3(b)(2) by reiterating that the attestation report on internal control over financial reporting should include a statement as to regulatory reporting.
The majority of commenters did not comment on the independent public accountant's report on internal control over financial reporting. However, four commenters expressed concerns or made recommendations as follows:
Independent public accountants have been required to examine, attest to, and report on management's assertion concerning the effectiveness of an institution's internal control over financial reporting since part 363 was first implemented in 1993. This requirement is also set forth in section 36 of the FDI Act. In November 2005, the FDIC increased the asset size threshold for internal control assessments from $500 million to $1 billion for both management and the independent public accountant. At that time, the FDIC noted that recent and impending changes to the auditing and attestation standards governing internal control assessments that were making them more robust had and would continue to increase the cost and burden of the audit and reporting requirements of part 363. The FDIC concluded then that the increase to a $1 billion asset size threshold for requiring assessments and reports on internal control over financial reporting achieved an appropriate balance between burden reduction and maintaining safety and soundness for institutions subject to part 363. The FDIC continues to believe today that $1 billion remains a suitable size threshold for internal control assessments. Also, for the reasons previously stated in Section III.B.2, the FDIC does not believe that a ``delayed phase-in'' of the requirement for the independent public accountant to report on management's assertion regarding internal control over financial reporting is necessary or appropriate. Additionally, the FDIC notes that under the SEC's most recent amendments, a nonaccelerated filer need not file the auditor's attestation report on internal control over financial reporting until it files an annual report for a fiscal year ending on or after December 15, 2009.
Since part 363 has long required such internal control audits, the FDIC believes that it would be contrary to the objectives of section 36 of the FDI Act to allow institutions subject to part 363 with $1 billion or more in total assets, that are not accelerated filers or subsidiaries of accelerated filers for Federal securities law purposes, to discontinue undergoing assessments of the effectiveness of their internal control over financial reporting by their external auditors until the SEC requires such audits for nonaccelerated filers.
In response to the comments regarding the disclosure of material weaknesses in internal control over financial reporting, the FDIC has revised Sec. 363.3(b)(3) to clarify that the independent auditor's internal control report must disclose all material weaknesses that the independent auditor has identified and that have not been remediated prior to the end of the institution's fiscal year.
The FDIC has considered the suggestion that the rule be revised to refer to the existing standards of the auditing standard setters rather than including specific requirements in the rule. In this regard, both the current and proposed rule state that the independent public accountant's attestation and report on internal control over financial reporting shall be made in accordance with generally accepted standards for attestation engagements. However, as previously noted, the FDIC has found some independent public accountants' internal control attestation reports to be less than sufficiently informative, and given the varying degrees of familiarity of institution management and audit committee members with professional auditing standards, the FDIC has decided to retain the specific requirements set forth in the proposed rule. The FDIC also believes that including these requirements in the proposed rule will assist audit committee members in the performance of their duties regarding the oversight of the external auditor. However, the FDIC has revised Sec. 363.3(b) to clarify that the auditor's report on internal control over financial reporting should satisfy the requirements set forth in both part 363 and applicable professional standards. In this regard, and consistent with guidance the FDIC issued in February 2008,\5\ the FDIC has also revised Sec. 363.3(b) and added guideline 18A to clarify that the attestation report on internal control over financial reporting may be made in accordance with the PCAOB's auditing standards even if the institution is a nonpublic company or a subsidiary of a nonpublic company.
\5\ See FDIC Financial Institution Letter (FIL) 5-2008, dated February 1, 2008.
2. Communications With Audit Committee
According to section 204 of SOX, an accountant who audits a public company's financial statements shou
FOR FURTHER INFORMATION CONTACT
Harrison E. Greene, Jr., Senior Policy Analyst (Bank Accounting), Division of Supervision and Consumer Protection, at hgreene@fdic.gov or (202) 898-8905; or Michelle Borzillo, Senior Counsel, Corporate and Legal Operations Section, Legal Division, at mborzillo@fdic.gov or (202) 898-7400.