Dodd-Frank Audit and Reporting Provisions
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Pub. L. 111-203) imposed an extensive set of audit, reporting, and disclosure obligations across the financial services sector — touching public companies, swap dealers, broker-dealers, investment advisers, and systemically important financial institutions. These provisions distribute responsibility across the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), the Financial Stability Oversight Council (FSOC), and the Consumer Financial Protection Bureau (CFPB). Understanding which provisions apply to which entity types, and how audit obligations are structured within each, is foundational to compliance program design for regulated firms.
Definition and Scope
Dodd-Frank's audit and reporting framework spans Title I through Title X of the Act, with material audit implications concentrated in Titles I, II, VII, and X. The legislation does not create a single unified audit standard; instead, it layers new reporting, internal control, and oversight requirements onto existing frameworks — including PCAOB standards for public companies and SEC reporting rules — while establishing novel obligations for previously unregulated or lightly regulated entities such as over-the-counter (OTC) derivatives dealers.
Entities subject to Dodd-Frank audit and reporting provisions include:
- Bank holding companies and nonbank financial companies designated as systemically important by FSOC under Title I
- Registered swap dealers and major swap participants under Title VII (7 U.S.C. §6s)
- Broker-dealers subject to enhanced reporting under Title IX
- Publicly traded financial firms subject to amended SEC reporting under Title IX, §952
- Certain investment advisers newly required to register with the SEC under Title IV
The scope determination for any given firm turns on asset thresholds, registration status, and systemic designation. For bank holding companies with consolidated assets of $10 billion or more, the Act triggered enhanced prudential standards including independent audit requirements for internal stress testing programs (12 U.S.C. §5365). The Federal Reserve's Regulation YY implements these standards at the operational level.
How It Works
Dodd-Frank audit and reporting obligations operate through five discrete mechanisms:
- Annual Report and Internal Control Attestation — Publicly traded financial firms continue to comply with Sarbanes-Oxley Section 404, which Dodd-Frank left intact. Title IX, §989G of Dodd-Frank permanently exempted non-accelerated filers (generally companies with public float below $75 million) from the external auditor attestation requirement under SOX §404(b) (15 U.S.C. §7262(b)).
- Swap Dealer Reporting and Recordkeeping — Under Title VII, registered swap dealers must maintain daily trading records, submit reports to registered swap data repositories (SDRs), and undergo periodic audits of recordkeeping systems. The CFTC's Regulation 23.201 through 23.203 (17 C.F.R. Part 23) specifies the retention and audit trail obligations.
- Volcker Rule Compliance Program and CEO Attestation — Section 619 of Dodd-Frank (codified at 12 U.S.C. §1851) restricts proprietary trading. Banking entities with $10 billion or more in trading assets and liabilities must maintain a detailed compliance program, conduct annual CEO attestation of compliance, and subject that program to independent testing — which in practice functions as a specialized compliance audit. The OCC, FDIC, Federal Reserve, SEC, and CFTC jointly administer the rule.
- Resolution Plan (Living Will) Audit Components — Title II requires systemically important financial institutions to file resolution plans with the FDIC and Federal Reserve. These plans incorporate audited financial data and must reflect accurate assessments of operational dependencies verified through internal audit processes.
- CFPB Supervisory Examinations — Title X established the CFPB and granted it examination authority over depository institutions with assets exceeding $10 billion and their affiliates. CFPB examinations overlap with audit functions reviewed in detail at CFPB compliance audit overview.
Common Scenarios
Swap dealer audit trail compliance — A futures commission merchant registered as a swap dealer receives a CFTC inquiry regarding the completeness of its SDR submissions. An internal audit team reviews daily position records against SDR confirmation data to identify gaps, applying the recordkeeping standards under 17 C.F.R. §23.201. This engagement resembles the audit trail requirements reviewed in standard financial services contexts but applies commodity-specific technical formats.
Volcker Rule CEO attestation preparation — A bank holding company with $15 billion in trading assets assembles documentation for its annual CEO attestation. The internal audit function performs an independent review of the firm's covered fund exposure, proprietary trading metrics, and RENTD (Reasonably Expected Near-Term Demands) calculations. Findings feed directly into the compliance report submitted to the primary federal regulator.
FSOC-designated nonbank stress test audit — A large insurance group designated as systemically important under Title I must comply with Federal Reserve stress testing rules under Regulation YY. External auditors review the model governance documentation and data integrity controls that underpin the stress test submission — an engagement closely related to the stress testing audit framework more broadly.
Investment adviser registration and audit trigger — Title IV of Dodd-Frank raised the SEC registration threshold for investment advisers and shifted mid-sized advisers (managing between $25 million and $100 million) to state registration. Advisers managing private funds above the $150 million threshold are required to register with the SEC and become subject to SEC examination — and, if they manage hedge funds, to the custody rule audit requirement under 17 C.F.R. §275.206(4)-2. The investment adviser audit obligations page covers the custody rule in full.
Whistleblower program compliance review — Section 922 of Dodd-Frank established the SEC whistleblower program (15 U.S.C. §78u-6), which awards between 10% and 30% of sanctions exceeding $1 million to qualifying informants. Audit committees and internal audit functions at public financial firms periodically review internal reporting channels to confirm they are not structurally suppressing whistleblower disclosures, a dimension addressed in whistleblower protections in the financial audit context.
Decision Boundaries
Determining which Dodd-Frank audit obligations apply to a given entity requires resolving four classification questions:
1. Public company vs. private entity
Publicly traded financial firms face the full stack of SEC reporting requirements, including those amended or extended by Dodd-Frank Title IX. Private funds and unregistered entities face a narrower but distinct set of obligations triggered by registration thresholds rather than public listing.
2. Prudentially regulated vs. CFTC/SEC-regulated
Bank holding companies and FSOC-designated nonbank financial companies are subject to Federal Reserve and FDIC oversight with Regulation YY stress testing and resolution plan requirements. Swap dealers and futures commission merchants operate under CFTC authority with distinct recordkeeping and audit trail mandates under 17 C.F.R. Part 23. These two regulatory channels impose different audit documentation standards and should not be treated as interchangeable.
3. Asset-based threshold applicability
Multiple Dodd-Frank provisions activate at specific asset thresholds:
- $10 billion in consolidated assets: enhanced CFPB examination authority and Fed stress testing triggers
- $10 billion in trading assets and liabilities: Volcker Rule CEO attestation requirement
- $50 billion in consolidated assets (pre-2018): enhanced prudential standards under Title I (note — the Economic Growth, Regulatory Relief, and Consumer Protection Act of 2018 (Pub. L. 115-174) raised the general threshold to $250 billion for the most stringent standards)
4. Compliance audit vs. financial statement audit
Dodd-Frank creates obligations that fall into both categories but must be distinguished for engagement scoping purposes. The Volcker Rule compliance program audit and the swap dealer recordkeeping audit are compliance audits, not financial statement audits — they evaluate adherence to regulatory behavioral mandates rather than the accuracy of financial reporting. The resolution plan process incorporates both, requiring audited financial data embedded within a compliance-oriented planning document.
Understanding this boundary is material to auditor independence determinations — an external audit firm providing the SOX §404 financial statement attestation for a bank holding company faces independence constraints when asked to independently test the same firm's Volcker Rule compliance program, since both functions involve evaluating controls at the same entity ([PCAOB Rule 3526](https://pcaobus