We are creeping up on the $500 million in assets threshold. Since I started with the Bank, have been documenting controls while preparing my audits, as well as started an Audit Committee consisting solely of outside directors.

I am unable to find, and I am curious, as to how the auditing department will change when this threshold is reached.

Any links, documentation or thoughts that anyone is able to provide is greatly appreciated.

Surprisingly, there is limited written guidance on the requirements of FDICIA...at least from the regulators. I would contact your external auditor for assistance.

Some of the main changes will be: 1) senior management will have to positively assert that the bank's internal control structure is in place and is effective as of December 31 of each year (after it becomes applicable to you, of course); 2) you will probably need to adopt an internal control framework (i.e. COSO's Internal Control - Integrated Framework is the predominate one) to use as a benchmark for making the assertion; 3) Your internal control documentation will need to be extensive...you will probably need to document your risk assessment, starting with the bank's and each department's objectives, the specific risks involved, and the controls in place to mitigate the risks. You will also have to document that these controls were tested and are effective. If you already have this documentation, or some of it where you can just cross reference to it, you don't have to generate new documentation just to satisfy FDICIA; 4) your extenal auditors will have to review your documentation, test some of the controls themselves, and attest to the internal control assertion made by your CEO and CFO...and of course charge you about $10,000 for this (they actually have to do extensive review and testing, so maybe they earn it).

Again, I would start with your external auditors...ask them exactly what they want to see when they do their review. They should have sample worksheets and checklists for you to start with.

When the bank I was previously with hit that benchmark, finding resources on implementing or putting together your FIDICIA documentation became somewhat of a task. Our external auditors did not have any other institution over $500M, so together we came up with banks of similiar size and structure for which we had some contacts and visited with them. At least two of them shared their program and documentation format. However, if you are regulated by OCC, you should look to 12 CFR 363 for guidance on requirements.

Another item you will need to consider. Your audit committee has to be made up of members who meet certain criteria, which is determined by answering about 5 questions. Simply being outside directors may not be enough. Their status, in relation to the questions, should be reviewed annually and approved by the board. Again, see the CFR referenced above. In addition, we had our external auditors hold a "special meeting" to explain the new requirements to them and what their resonsibilites w/b in relation to that. They need to know that they are responsible for ensuring risk is adequately identified, disclosed and managed, and that they are in effect the auditors supervisor. Our department always met with them after the a/c meeting without any other officers or employees present for candid discussions or questions. The regulators really like that!

The examiners will want to see a strong program with detailed workpapers. I found the attestation and format, although a requirement, were not the main focus during the exam. They were more concerned with the audit program, my qualifications, resources (usage and adequacy), and my workpapers. That is where our E/A's were a huge help. We decided to mirror my w/p format after theirs, which also helped them at y/e to move through them quickly and use a lot of what I had already done. And, at least once or twice a year one of them would come review the w/p's, provide suggestions for improvement and/or bless the program, reports and recommendations. The system worked well and was "strongly" accepted by the examiners.

The Financial Managers Society puts on a seminar entitled Complying with FDICIA that is pretty good. I would highly recommend it for an auditor at a bank that is about to exceed $500M. Here's the link:

http://www.fmsinc.org/cms/?pid=27463

Another good resource to consider would be the FDIC Rules and Regulations - Part 363 - which establishes audit and reporting requirements for FDIC insured institutions with total assets of $500 million or more. Can be found on the FDIC's website.

Is there a requirement for a formal risk management structure at the $500 million level? It certainly doesn't seem to be spelled out. 12 CFR 364 App A (II)(A)(2)looked like the clearest thing, although App. A to Part 363, guideline #10 states that it's up to each institution to determine their own standards for internal controls.

12 CFR 364 says it's applicable to banks that are subject to Section 39 of the FDI Act. Section 39 seems to have no restrictions, but points to Sec. 36, which says $150 million or a higher amount as set by regulation.

I wish they'd come out with a "FDICIA - getting it right" guide!

Any help where I can find the reference to this? I have seen references to a "FDICIA Risk Assessment." Also, what relation to this is the "framework for risk-focused supervision of Large Complex Institutions"?