Life isn’t always fair, and for some bank CFOs and CROs being thrust deeper into a seeming state of perpetual audit and compliance is a hard pill to swallow—especially if not ready. As a result of continued low interest rates and COVID-19 stimulus programs, many banks have seen a rapid increase in their total asset balance from 2020 to 2021. Some of these banks may have started 2020 as a $750 million bank but ended 2020 over $1 billion in total assets. Of course, once the magical $1 billion in total assets threshold is crossed, compliance with the FDIC Improvement Act (FDICIA) and getting ready for an integrated audit is close behind.
Unfortunately, we see too many banks wait until the year they achieve $1 billion in total assets to start any activities related to meeting FDICIA requirements. We find that a well-paced and planned-out approach to helping a bank with FDICIA readiness takes anywhere from eight to nine months. Some banks have done this in as few as six months, but it was a very grueling period of time.
A better approach is to plan on getting started with FDICIA readiness when a bank is in the $700 to $800 million total assets range. Such an approach gives bank leadership time to adjust slowly and not make a massive financial investment and time commitment to FDICIA readiness in a condensed period. Rather, this bite-sized approach can be done in smaller stages from year to year so that if and when the bank reaches $1 billion in total assets, it’s smooth sailing and, generally, business as usual.
A sample bite-sized timeline might look similar to the asset-based approach shown below. An alternative approach is to stagger by calendar year as demonstrated in the second column.
| Total Assets | Year of Performance | FDICIA Readiness Activity | Estimated Hours | Completion Timeframe |
| $700 million | Year 1 | - Perform risk assessment over financial reporting
- Perform financial reporting process walkthroughs and document
- Design control activities to mitigate financial reporting risks
- Test controls for operating effectiveness
- Remediate deficiencies, as needed
- Update process narratives, as needed
- Test controls for operating effectiveness
- Remediate deficiencies, as needed
- Update process narratives, as needed
- Test controls for operating effectiveness
- Remediate deficiencies, as needed
| 75 | 45 days |
| $750 million | Year 2 | | 300 | 90 days |
| $800 million | Year 3 | | 225 | 75 days |
| FDICIA Readiness Complete – Annual Maintenance Starts |
| $850 million | Year 4 | | 250 | 90 days |
| $900 million | Year 5 | | 250 | 90 days |
Performing the risk assessment over the financial reporting activities of the bank by itself in the first year might seem like starting the process on an island, but if done properly, such a risk assessment could be completed in parallel with the larger internal audit universe risk assessment. This strategy also gives the CFO and other leadership time to assess all the critical components of risk relevant to the financial reporting process.
In the second year, performing the detailed process walkthroughs and documenting process/procedural narratives is an activity that is time consuming and best done when not in a rush. Taking this period of time to diligently document the processes and supporting key control activities will ensure it is done thoroughly and with great consideration of ‘current state’ activities, as well as planned system changes.
In year three, the bank can focus on performing tests of operating effectiveness on its population of FDICIA controls. Also, similar to the risk assessment, a properly designed strategy would see the FDICIA control testing integrated with core internal audit activities and making the best use of time while keeping audit requests and activities to a bare minimum.
Benefits of the Risk-Based, Control-Focused Approach
Overall, the benefits outweigh the cost/effort of starting FDICIA early. Banks are able to establish a stronger internal control framework and hold business units within the bank more accountable for their role in the bank’s enterprise-wide activities. Most internal audit functions in banks don’t design specific control activities to test on an annual basis but rely on audit activities focused on existing policies, procedures or regulatory guidance. The risk-based, control-focused approach employed by implementing FDICIA can then be leveraged in other key areas of a bank’s internal control environment, which provides leadership a greater level of oversight.
By breaking the FDICIA readiness exercise down into smaller, more manageable and distanced phases, banks have time on their side with the benefits of making the institution stronger from an internal controls perspective and doing more to mitigate risk.
About the Author
Kyle Konopasek is a Managing Director in the CBIZ MHM Kansas City (MO) office. He works closely with the Business and Technology Risk Services group and with clients in the financial and manufacturing sectors, among others. Have questions or comments? Don’t hesitate to contact Kyle directly at 816-945-5512 or kkonopasek@cbiz.com