We are a small community Bank - (approx. 125M assets - OCC regulated)and have an internal auditor. My question is - is it mandatory for a bank our size to have a financial audit by an external source. I know they would need to perform functions to support financial statement if they were auditing it - so is it mandatory to have your financial statement audited by an external source?

Thanks

The FDICIA requirements come into play at $500 million. Sometimes other entities might require them though, such as a secondary market lending investor.

I think the Call Report actually might explain the different "levels" of an external audit. Let me see if I can find what I think I'm talkign about.

If the regulators believe the bank may not be recording various transactions in accordance with GAAP, they might request the Bank have an audit performed.

found it!

http://www.fdic.gov/regulations/resources/call/crinst/2014-03/314RC_033114.pdf

It starts on page 20 - you might fit into one of the scenarios.

we are about the same size and under the OCC. it was "suggested" we have an external director's exam every 3-5 years.

When we were smaller, I did the Director's exam as the independent internal auditor. We had an external firm come in and review my work once every 5 years. It was easier and cheaper. Might want to see if that would satisfy the "suggestion."

http://www.bankersonline.com/articles/bhv15n11/bhv15n11a1.html

A final rule issued by FDIC (FR71226-11/28/05) raises the financial institution asset threshold to $1 billion from $500 million for internal control assessments by management and external auditors, and for members of the audit committee to be independent of management.

At the present time the FDIC Improvement Act of 1991, known as FDICIA, requires each bank with $500 million or more in assets to have an annual independent audit of its financial statement; an internal control assessment by both management and external auditors, and an independent audit committee.

Effective since its enactment, Section 112 of the FDIC Improvement Act of 1991 (FDICIA) mandates a number of corporate reporting and governance reforms for insured depository institutions with total assets exceeding $500 million. Included are requirements that management acknowledge responsibility for preparing the bank's financial statements, and that it has evaluated the effectiveness of the internal controls over financial reporting as of year-end. Section 112 also requires that the bank's auditors examine and attest to management's statements regarding the financial institution's internal control structure.

Ten years after FDICIA, Congress passed the Sarbanes-Oxley Act (SOX) which encompasses many of the aspects of FDICIA. Section 404 of SOX imposes new requirements regarding internal controls over financial reporting. As under FDICIA, the auditor must provide an independent evaluation and report regarding management's assertions. The biggest difference between the two, says expert Chris Brockett of Enterprise Financial, is the weight of the examination on the auditor. "Under FDICIA the auditor makes no direct conclusion regarding the effectiveness of the actual internal controls - only management's assertions. Under SOX the auditor must evaluate both management's assessment process and the effectiveness of internal control over financial reporting. Therefore, auditors must expand work around the actual internal controls to include design effectiveness, documentation, and testing."

Terms of the final rule stipulate that privately held banks up to $1 billion are no longer required to have an independent audit committee. Nor is it mandated that an internal control assessment be done by management and external auditors. However, it will still be necessary that banks with assets of $500 million or more to have an annual independent audit of their financial statements and publicly held banks must comply with the Sarbanes-Oxley Act requirements. The new rule will be effective December 28, 2005. Details are on http://www.fdic.gov/news/board/05nov8finalauditreg.pdf