2006-01-01

Regulation No. 18 - Audit and Risk Management Standards for Alabama State-Chartered Banks

The Alabama Superintendent of Banks, with the concurrence of the State Banking Board, promulgated Regulation No. 18 to establish minimum audit and risk management standards for state-chartered banks effective January 1, 2006. The regulation mandates that banks conduct annual independent audits or alternative attestation engagements based on asset size and CAMELS ratings, while requiring the Board of Directors to oversee auditor qualifications and ensure access to workpapers for examiners. It further defines specific auditor independence requirements, peer review standards, and filing procedures to ensure compliance with the Alabama Banking Code.


United States

Alabama State Banking Department


Audit and Risk Management Standards For Alabama, State-chartered Banks¹

EFFECTIVE DATE: January 1, 2006²

WHEREAS, Section 5-2A-8 of the Alabama Banking Code provides that the Superintendent of Banks may, with the concurrence of a majority of the members of the State Banking Board, promulgate reasonable rules and regulations;

AND WHEREAS, Section 5-2A-22 of the Alabama Banking Code provides that the Superintendent of Banks shall by regulation establish minimum standards for audits and shall appoint an advisory committee to assist in promulgating minimum audit standards;

AND WHEREAS, The Superintendent of Banks has appointed and consulted with such advisory committee and, with the concurrence of a majority of the members of the State Banking Board, recognizes the need to revise and update the previously issued Audit Standards Regulation;

NOW THEREFORE, be it known that the Superintendent of Banks, with the concurrence of the State Banking Board, does hereby promulgate the following revised regulation.

¹ For purposes of this regulation, the term “Bank” shall include state-chartered trust companies. The requirements of this regulation are requirements of the Bank. These requirements may be fulfilled, as appropriate, at the parent, holding company of a Bank; however, all documentation and records necessary to determine compliance with this regulation must be made available to bank examiners and bank directors to the same extent that such records are available at the Bank level.

² Phase-In - For the auditor and audit, the requirements are for any audit period or fiscal year ending on or after January 1, 2006. For requirements placed upon Banks, their management, boards, and audit committees, compliance also is required as of January 1, 2006; however, for Banks making a good faith effort to comply with the regulation, no violations will be cited at the first regulatory safety and soundness examination following January 1, 2006. At that first examination following the effective date, comments will be made by examiners in the Report of Examination regarding any additional measures needed to achieve full compliance with this regulation. Apparent violations of this regulation will then be cited for those Banks that are not in compliance with this regulation after the first safety and soundness examination following the effective date.

Alabama Audit and Risk Management Standards Regulation No. 18

GENERAL STATEMENT

The Code of Alabama, 1975, Section 5-2A-22, states in part, "The superintendent shall by regulation establish minimum standards for audits and reports, which shall include such matters as he shall require." This Section further requires:

  1. The Board of Directors of each Alabama, state-chartered bank, or holding company thereof, to, at least once in each calendar year, have an audit made of the institution’s books and affairs;
  2. The annual audit to include any accounts held in a fiduciary capacity;
  3. The annual audit to be conducted by independent auditors approved by the Superintendent of Banks (“Superintendent”); and,
  4. The annual audit to be conducted in accordance with audit standards established by the Superintendent.

Each Alabama, state-chartered bank (“Bank”) shall comply with the applicable parts of this regulation unless the Bank is granted an exception, modification, extension, or exemption by the Superintendent.

PART ONE – MINIMUM STANDARDS

I. Board³ and Management Responsibilities

A. The Board of Directors (“Board”) of each Bank shall have an annual⁴ audit conducted in accordance with the following sections according to the institution’s size, complexity, and regulatory ratings. The Board shall engage an independent auditor to conduct such audit.

B. The Board shall provide for an annual, independent review of accounts held in a fiduciary capacity⁵ that is commensurate with the size, complexity and risk associated with fiduciary activities. Such independent review of accounts held in a fiduciary capacity may be performed by internal or external auditors; however, the Superintendent reserves the right to require (by written notification to the Bank) performance of such review of fiduciary accounts by an independent external auditor.

C. The Board shall require in its engagement of the independent auditor that all auditor workpapers⁶ and other documentation related to audits of Banks shall be made available to, and are subject to inspection by, examiners of the Alabama Banking Department (“Department”).

³ For purposes of this regulation, Board responsibilities may be delegated to an audit or other committee of the board and all references to Board in this regulation shall apply to such committee.

⁴ For purposes of this regulation, audits and financial statements shall cover a 12-month period.

⁵ This is a requirement of Section 5-2A-22 of the Alabama Banking Code and may not be waived by the Superintendent. This only applies to Banks exercising trust powers.

⁶ Work papers should include the auditor’s definition(s) of materiality and the equivalent dollar amount(s) considered material used by the auditor in conducting the audit.


D. The Board shall require that executive management ascertain and report the external auditor’s general qualifications as specified in Section IV of this Part. If the Board determines that the independent, external auditor does not meet the required qualifications, the Board shall not concur in the engagement of such auditor.

E. Management is responsible for providing the Board and the external auditor accurate, complete, and timely information as requested or required to fulfill the Board’s or auditor’s responsibilities under this regulation. Similarly, the Board is responsible for establishing reporting policies to require that such accurate, complete, and timely information be provided.

II. Audit Requirements

A. All Banks not otherwise required to have an audit conducted in accordance with generally accepted auditing standards (“Opinion Audit”), and which meet the criteria set forth in Paragraph B, may elect the alternative attestation engagement (“Directors’ Exam”) contained in Section III of this Part.

B. To be eligible to elect the Directors’ Exam, a Bank must:

  1. Have maintained a composite rating of 1 or 2 under the Uniform Financial Institution Rating System (“CAMELS Rating”) at all times on or after December 31, 2005;
  2. Have been chartered prior to December 31, 2002;
  3. Have no outstanding and ongoing conditions imposed as a result of an enforcement action, charter application, or other application approval which requires the Bank to have an Opinion Audit; and
  4. Have $50,000,000 or less in total assets⁷.

C. All Banks not eligible to elect or not electing to have the Directors’ Exam contained in Section III of this Part One must have an Opinion Audit conducted in accordance with generally accepted auditing standards.

III. Alternative Attestation Engagement (Directors’ Exam) Requirements

A. Attestation Engagement

Such an engagement is to be performed by an independent auditor and will be performed under generally accepted standards for attestation engagements as established by the American Institute of Certified Public Accountants (“AICPA”).

⁷ This will be measured as reported on the Bank’s December 31 Report of Condition (Call Report). For Banks exceeding $50 million in total assets after the effective date of this regulation, the requirement for an Opinion Audit will take effect on the second January 1 following the Bank’s passing the $50 million threshold. For example, if a 2-rated Bank reaches $51 million in total assets on December 31, 2005, the Bank would have to have an Opinion Audit for fiscal years starting on or after January 1, 2007.


B. Minimum Procedures

  1. These procedures are minimum requirements for compliance with the Code of Alabama, Section 5-2A-22, and recognize the responsibility of the Board of Directors to request that the independent auditor perform additional procedures commensurate with a Bank’s risk profile.

  2. The independent auditor will apply such specific procedures as are reasonably required to fulfill the auditor’s responsibility under the attestation engagement. The independent auditor will supplement and modify these procedures at the request of the Superintendent pursuant to review of the auditor’s work papers by Department staff.

  3. The Superintendent may provide, after consultation with the advisory committee appointed under Code of Alabama Section 5-2A-22, guidance on specific procedures required of auditors in conducting such attestation engagements for Banks. Guidance provided by the Superintendent will be through official opinion transmitted to all Banks and/or their independent auditors.

  4. In no case will the specific procedures for the alternative attestation engagement, when taken as a whole, constitute or require an Opinion Audit.

IV. General Qualifications of the Independent Auditor

A. The Superintendent reserves the right to disqualify an auditor or firm from being engaged to provide audit or attest services to a Bank or Banks.

B. The auditor must, by professional standards and in the opinion of the Superintendent, be independent⁸.

C. The independent auditor must be a certified public accountant licensed by the Alabama Board of Public Accountancy or hold a temporary annual permit to practice in Alabama.

D. The independent auditor shall be in compliance with the AICPA Code of Professional Conduct and Interpretations, and applicable State Board of Accountancy and State Society Codes of Professional Ethics, and, if applicable to the auditor, Public Company Accounting Oversight Board (“PCAOB”) or other federal requirements.

E. Auditors engaged to provide conflicting non-audit services may not provide the annual external audit for a year in which the auditor performed such conflicting non-audit services.⁹ Conflicting non-audit services are bookkeeping, loan review, internal audit, financial information systems design and implementation, appraisal or valuation services, management or human resources services; broker/dealer, investment advisor, investment banking, or legal services; other expert or consulting services unrelated to the audit for the purpose of advocating the Bank's interest in litigation or in regulatory or administrative proceedings or investigation, and other services later identified by federal regulations applicable to the Bank or later determined by the Superintendent to be incompatible with auditor independence.

⁸ To ascertain whether the auditor is approved and considered independent by the Superintendent, the Board need only request the Superintendent’s approval as required by this regulation.

⁹ The external auditor or firm may not audit or rely on their or its own work. For example, if an audit firm provided conflicting non-audit services in 2006, the firm may not perform the external audit of the 2006 financial statements, but could perform the audit of the 2007 financial statements if it provided no conflicting non-audit services during the period covered by the 2007 financial statements.

F. The independent auditor must have received, or be enrolled in, a peer review program that meets the following guidelines:

  1. The external peer review should be conducted by an organization independent of the accountant or firm being reviewed, as frequently as is consistent with professional accounting practices; and,
  2. The peer review should be generally consistent with AICPA and PCAOB standards to which the auditor is subject. The peer review reports will be made available to the State Banking Department upon request.

V. Filing and Notice Requirements

A. Upon delivery of the audit report (Opinion Audit or Directors’ Exam report), the independent auditor shall provide a written statement to the Board or Audit Committee certifying the independent auditor’s compliance with this Regulation¹⁰ or, if not fully complied with by the independent auditor, a statement detailing areas of noncompliance with these Standards. This certification of compliance may be done in the audit report or by separate letter signed by the auditor.

B. Within 15 days of the Board’s or Audit Committee's election of a new independent auditor, the Board of Directors or Audit Committee shall request the Superintendent's approval of the change in auditors. Such request for approval shall include information sufficient to determine whether the proposed auditor meets the minimum qualifications outlined in Section IV of this Part One. Services should not commence prior to the Board's receipt of such approval. Management may request the Superintendent’s approval of the independent auditor prior to the auditor’s election by the Board or Audit Committee.

¹⁰ In this certification, the independent auditor will certify compliance with the specific requirements applicable to the independent auditor and would not be required to certify compliance with other requirements that may only apply to the Board or management of the bank.

PART TWO - DEFINITIONS

Alternative Procedures, Alternative Attestation Engagement - an examination of specified financial statement accounts, records and supporting control functions performed by an independent certified or licensed public accountant in accordance with generally accepted standards for attestation engagement.

Audit, Opinion Audit, External Audit - an examination of the financial statements, accounting records, and other supporting evidence of a Bank performed by an independent certified or licensed public accountant in accordance with generally accepted auditing standards (“GAAS” or “AICPA Standards”) and standards of the Public Company Accounting Oversight Board (United States) (“PCAOB Standards”), as applicable, and of sufficient scope to enable the independent public accountant to express an opinion on the institution's financial statements as to their presentation in accordance with generally accepted accounting principles and/or other generally accepted standards for such financial statements.

Executive Officer - as defined by Regulation O of the Board of Governors of the Federal Reserve System.

Independent Auditor, External Auditor, Independent Public Accountant (are used as equivalent terms) - an accountant who is independent of the institution, and is licensed by the Alabama Board of Public Accountancy or holds a temporary annual permit to practice in the State of Alabama. The independent public accountant shall comply with the American Institute of Certified Public Accountants' Code of Professional Conduct and any related guidance adopted by the Independence Standards Board, the Public Company Accounting Oversight Board, and/or the Federal Financial Institutions Examination Council. No certified public accountant that is not independent, both in fact and in appearance, will be recognized as independent.

Internal Audit - an independent assessment function established within a Bank to examine and evaluate its system of internal controls, and the efficiency with which the various units of the institution are carrying out their assigned tasks. The objective of internal auditing is to assist management and directors of the institution in the effective discharge of their responsibilities. To this end, internal auditing furnishes management with analyses, evaluations, recommendations, counsel, and information concerning the activities reviewed.

Management - officers and non-officers who perform senior managerial and decision-making functions.

Specified Procedures - procedures agreed upon by the institution and the auditor to test its activities in designated areas. The auditor reports findings and test results, but does not express an opinion on controls or balances. Such procedures shall be performed under generally accepted standards for attestation engagements.

January 14, 2005

Anthony Humphries
Superintendent of Banks