2005-02-15
The Office of Financial Institutions issued this bulletin to clarify internal and external audit obligations for state-chartered banks and thrifts while outlining updated examiner procedures. Institutions must maintain a dedicated internal audit function overseen by an Audit Committee, secure annual external audits tailored to their asset size, and ensure their CPA firm adheres to AICPA independence rules when providing outsourced internal audit services. Examiners will now conduct expanded reviews of executive expense documentation, business entertainment reimbursements, credit card account statements, and CPA peer review reports to verify operational compliance and audit trail integrity.
OFI BULLETIN BL-01-2005 (B,SB,SL)
February 1, 2005

TO: THE CHAIRMAN OF THE AUDIT COMMITTEE AND CHIEF EXECUTIVE OFFICER/MANAGER OF ALL BANKS AND THRIFTS
FROM: SIDNEY E. SEYMOUR, CEM CHIEF EXAMINER
SUBJECT: AUDIT / AUDITOR REQUIREMENTS AND NEW EXAMINATION PROCEDURES

The purpose of this bulletin is to provide additional information regarding internal and external audit requirements, clarify some common misconceptions regarding these requirements, and explain the latest auditor independence requirements. This will also detail what examiners will be reviewing in these areas at future examinations.

Internal Audit Requirements

In addition to an external audit, the Interagency Policy Statement on the Internal Audit Function and its Outsourcing requires every bank and thrift to have an internal audit function that is appropriate based on the size, nature, and scope of its activities. At a minimum, each institution’s internal audit function should include the following: (1) an annual control risk assessment, (2) an internal audit plan based on the risk assessment, (3) an internal audit program, (4) written audit reports, and (5) appropriate responses by management in resolving and correcting deficiencies noted in audit reports.

OFFICE OF FINANCIAL INSTITUTIONS
This interagency policy states that the Audit Committee should oversee the internal audit function and evaluate its performance, as well as determine whether actions taken by management to correct any internal audit deficiencies are acceptable.

The following guidance is available concerning internal audit requirements:
• Interagency Policy Statement on the Internal Audit Function and its Outsourcing dated March 17, 2003
• FIL-17-2003, dated March 5, 2003, entitled, “Corporate Governance, Audits, and Reporting Requirements and Applicability of Selected Provisions of the Sarbanes-Oxley Act of 2002 to FDIC-Supervised Banks with Less than $500 Million in Total Assets that are not Public Companies”
• Appendix A, Sections II(A) and (B) of Part 364 of the FDIC’s Rules and Regulations regarding Standards for Safety and Soundness (for state nonmember banks and savings banks)
• Appendix D-1, Sections II(A) and (B) of Part 208 of Regulation H regarding Standards for Safety and Soundness (for state member banks)
• Appendix A, Sections II(A) and (B) of Part 570 of the OTS’ Rules and Regulations regarding Standards for Safety and Soundness (for state-chartered savings and loan associations)

External Audit Requirements

An annual external audit forms the basis for the Directors’ Examination reporting requirements contained in Louisiana Law and a companion Directors’ Examination Rule. Pursuant to the rule, state-chartered banks and thrifts with total assets of less than $500 million at the beginning of their fiscal year may satisfy the Directors’ Examination external audit requirements by obtaining one of four types of audit services. Institutions with total assets of $500 million or more at the beginning of their fiscal year must obtain a full financial audit in compliance with Part 363 of the FDIC Rules and Regulations for banks and Section 562.4 of the OTS Rules and Regulations for savings and loan associations.
Audit committees should review the following state and federal rules, regulations, and policy statements in order to better understand current external audit requirements:
State Guidance:
• LSA-R.S. 6:290: Directors’ Examinations of Bank (Banks)
• LSA-R.S. 6:793: Directors’ Examination of Associations (S&Ls)
• LSA-R.S. 6:1310: Annual Directors’ Examinations (Savings Banks)
• LAC 10:III.701-703: Directors’ Examination Requirements (Rule)
• OFI Bulletin-07-2003, dated December 15, 2003, entitled “Directors Exam Requirements”
• OFI Cover Sheet that must be filed with each Directors’ Examination

Federal Guidance:
• Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations dated September 1999 is attached to FIL-96-99 dated October 25, 1999, for state nonmember banks and savings banks, SR 99-33(SUP) dated November 18, 1999, for state member banks, and the OTS updated their handbook through RB 32-25 on July 25, 2002, for state-chartered savings and loan associations
• Part 363 of the FDIC’s Rules and Regulations for banks or Section 562.4 of the OTS’ Rules and Regulations — Annual Independent Audits and Reporting Requirements. (Note: This Part only applies to FDIC-insured institutions with total assets of $500 million or more at the beginning of the institution’s fiscal year.)

Audit Committee Requirements

Pursuant to state law and Section 701B of the Directors Examination Rule, the Board of Directors of each state-chartered bank, savings association, and savings bank must elect an Audit Committee composed of not less than three members, a majority of which should be outside directors. The Audit Committee is required to engage a CPA firm and secure an annual examination of the financial condition of the institution. The Audit Committee is also responsible for overseeing the annual external audit program and shall require that a written report of the external audit be presented to the Board of Directors and documented in the board minutes.

Common Misconceptions of Internal and External Audits

Since many state-chartered institutions secure an annual financial audit, Audit Committees may believe that the external audit meets both the internal and external audit requirements mentioned above. Many have assumed that because an auditor must obtain an understanding of internal controls to perform their audit, the CPA firm has audited the institution’s internal controls. Financial statement audits performed by independent CPAs do not meet the internal audit requirements included in the interagency policy statement. Although CPAs are required by professional auditing standards to obtain an understanding of a client’s internal control structure, they do not perform an internal audit function as described in the interagency policy statement. The Board, through the Audit Committee, is responsible for establishing appropriate internal controls and an effective internal audit function.

Independence Requirements for Certified Public Accountants

Some Audit Committees have asked if the certified public accounting firm (CPA firm) that performs the external audit could assist in performing the internal audit function as well. The committee should secure, from their CPA firm, a letter explaining how the institution and firm can maintain the independence requirements contained in Interpretation 101-3 of Section 100 of the American Institute of Certified Public Accountants’ (AICPA’s) Code of Professional Conduct (Code). While the AICPA’s Code may allow the same accounting firm to perform external audits and outsourced internal audit services for clients not subject to the Sarbanes-Oxley Act (generally clients that are privately held with less than $500 million in assets), it does so with several restrictions.
These restrictions are contained in Code Section 100, Rule 101 of this Section and several interpretations of Rule 101. Audit Committees are cautioned about these restrictions because if a CPA firm or institution management fails to meet the specific requirements contained in this rule and its interpretations, the CPA firm’s independence will be impaired. The institution’s external audit report will not meet the annual Directors’ Examination requirements if the CPA firm’s independence is impaired. The interpretations of Rule 101 may be obtained from AICPA’s website at www.aicpa.org. Once the AICPA home page is accessed, select “Code of Conduct,” which will bring up a Table of Contents for the AICPA Professional Standards.
Select, “ET Section 100 – Independence, Integrity, and Objectivity.” This section of the AICPA web site provides interpretations 101-1 through 101-14 of Rule 101. Each Audit Committee should print and review these interpretations to ensure their CPA firm’s compliance. These interpretations not only provide guidance for internal audit services, they also provide restrictions concerning loans from financial institution clients and other independence requirements each CPA firm must meet to preserve independence.

Peer Reviews of Certified Public Accountant Firms

The State Board of Certified Public Accountants, as well as the AICPA and SEC, require CPA firms to periodically undergo an audit of their practices and audit workpapers by an independent CPA firm, a “peer firm,” that submits a report to the CPA firm. Each CPA firm then submits copies of the peer review reports as well as any responses to the reports to the AICPA and other bodies, if applicable. The AICPA posts these reports on their website. As a part of the Audit Committee’s due diligence in determining the competency of the CPA firm to perform such services, the Audit Committee should secure the CPA firm’s most recent peer review report. A firm’s peer review can be found at the following address at the AICPA website: http://peerreview.aicpaservices.org/publicfile/default.asp. The peer review information includes the CPA firm's most recent peer review report, letter of comments by the peer firm (if any), the CPA firm’s response thereto (if any), the CPA firm's three most recent annual reports to the AICPA, and other relevant documents. Examiners will also review the CPA firm’s peer review reports as part of a limited CPA firm workpaper review conducted prior to an examination.

Expanded Examination Procedures

Starting in late 2003, examination procedures were expanded to place greater emphasis on areas that have a potential for operational weaknesses.
These efforts have been rewarding without causing undue hardship to financial institutions. This year, the review will be expanded in an attempt to answer the following questions:
• Does the institution have proper policies and procedures in place to ensure that executive expenses are properly documented, approved, and paid?
• Does the institution adhere to its policies and procedures with an emphasis on the maintenance of sufficient documentation to justify the business purpose for expenditures?
• Does the institution ensure that business entertainment expense reimbursements meet IRS deductibility requirements?
• Does the institution ensure that expense reimbursements are in the form of bank-issued checks to provide an audit trail?
• Does the institution ensure that original invoices are attached to company credit card account statements to substantiate the business purpose of all charges?

Examiners will meet with Audit Committees at future examinations to discuss their duties and responsibilities, including such areas as enforcement of the institution’s policies and procedures and the approval and payment of executive expenses.

Please contact OFI’s CPA, Ms. Dale Jacobs, at 225/922-0632 if you have any questions regarding this bulletin. The bulletin will be posted on OFI’s website at www.ofi.state.la.us.