Don't let information technology trip up your FDICIA compliance.
The FDIC Improvement Act (FDICIA) has a significant impact on banks crossing the $500 Million or $1 Billion asset thresholds. While most bankers are well informed about the requirements related to financial reporting standards, FDICIA also impacts information technology choices that growing institutions should consider.
Here are a few suggested areas for consideration:
- Regulations prohibit an institution's audit firm from providing certain services, such as:
- Designing and managing the information systems on which your financial systems rely.
- Writing IT policies and risk assessments (the auditor would then be auditing its own work).
- Acting as an advocate for your institution.
Action Item: Determine where conflicts of interest occur and create a resolution plan.
FDICIA requires an institution's financial statement audits to be supported by appropriate controls and testing at its third-party vendor service providers, including those vendors that manage, have access to or host their data. This applies to managed service providers, core systems, online banking vendors, and other entities. Look for the following:
- SOC audits on each third-party vendor
- Technology Service Provider (TSP) examination reports, where available; these exams are performed at each vendor by the FDIC, OCC, and FRB.
- Risk Assessments of the third-party vendors.
Action Item: Ensure that SOC audits and TSP exams are regularly received and reviewed, with annual vendor risk assessments performed and submitted to the board.
Pro-Tip: Confirm that the SOC audits received are for the third-party vendor the institution has contracted with and not only for their sub-service organizations or fourth party vendors (see next item).
- Remember to include your vendors' vendors, that is, the subcontractors providing part of the service delivered to your institution. All vendor due diligence practices should also be applied to each subcontractor that supports the vendors you rely upon.
- The AICPA treats both third- and fourth-party vendors as sub-service organizations, which represent a special class of vendors. A sub-service organization is defined as "a service organization used by another service organization to perform some of the services provided to user entities relevant to those user entities' internal control."
- Start early. Starting 12 to 18 months ahead of the fiscal year in which you plan to cross an FDICIA asset threshold will allow you to identify and correct potential material weaknesses and internal control deficiencies before the institution's date to send internal control reports to Federal regulators.
Crossing an FDICIA threshold requires more stringent auditor independence standards and more effort from your institution. Management must also attest to the accurate preparation of the institution's reporting and compliance with laws and regulations. Having trusted advisors independent of your financial statement auditors is a solid step in successfully making your next growth step.
As you plan for your institution's next growth phase, BankOnIT welcomes you to schedule a 30-minute discovery session to help determine whether your current IT setup is ready to take your institution to its next growth milestone. Contact Us.