FDIC Audit Requirements for Banks
Federal Deposit Insurance Corporation audit requirements sit at the intersection of safety-and-soundness supervision, consumer protection, and financial reporting accountability. This page covers the audit obligations that apply to FDIC-supervised banks — including state non-member banks and insured depository institutions — across independent financial statement audits, internal audit programs, and compliance examinations. Understanding these requirements is foundational for institutions navigating overlapping obligations under the FDIC, the Federal Reserve, the OCC, and the Consumer Financial Protection Bureau.
Definition and scope
FDIC audit requirements derive from multiple statutory and regulatory sources, not a single uniform mandate. The primary statutory authority is the Federal Deposit Insurance Act (FDI Act), which grants the FDIC supervisory authority over state-chartered banks that are not members of the Federal Reserve System. The most operationally significant audit regulation is Part 363 of the FDIC Rules and Regulations (12 C.F.R. Part 363), which implements Section 112 of the FDIC Improvement Act of 1991 (FDICIA).
Part 363 imposes annual independent audit and reporting requirements on insured depository institutions with total assets of $500 million or more. Institutions with assets of $1 billion or more face expanded requirements, including a separate management report on internal controls over financial reporting, a structure analogous to the integrated audit framework under Sarbanes-Oxley Section 404. Institutions below the $500 million threshold are not exempt from audit obligations generally; rather, their requirements are governed by state banking law, internal policy, and examiner expectations instead of Part 363 specifically.
The scope of FDIC-related audit obligations extends beyond financial statements. Banks subject to Bank Secrecy Act (BSA) obligations must maintain independent testing of their BSA/AML compliance programs under 31 C.F.R. § 1020.210. Fair lending and Community Reinvestment Act compliance are evaluated during examinations, creating a de facto audit function that intersects with formal internal audit programs.
How it works
Under 12 C.F.R. Part 363, the annual audit cycle for a qualifying institution operates in discrete phases:
- Engagement of an independent public accountant. The institution must retain a registered public accounting firm. For institutions with assets of $1 billion or more, the firm must be registered with the PCAOB and comply with PCAOB auditing standards. Smaller institutions may engage non-PCAOB-registered CPAs operating under Generally Accepted Auditing Standards (GAAS).
- Annual financial statement audit. The auditor examines and issues an opinion on the institution's annual financial statements prepared in accordance with U.S. Generally Accepted Accounting Principles (GAAP). The audit must be completed and the report submitted to the institution's board of directors or audit committee.
- Management report on internal controls. For institutions at the $1 billion asset threshold, management must report on the effectiveness of internal controls over financial reporting, referencing an established internal control framework, most commonly the COSO Internal Control - Integrated Framework. The independent auditor then attests to and reports on that management assessment.
- Annual report submission to the FDIC. The completed audit report, management report, and attestation are submitted to the FDIC, the appropriate state banking supervisor, and the institution's own board or audit committee within 90 days of the fiscal year-end (12 C.F.R. § 363.4).
- Audit committee oversight. Part 363 requires qualifying institutions to establish an independent audit committee. Institutions with assets between $500 million and $1 billion may include insiders on the audit committee, but those with $3 billion or more in assets must have fully independent committees composed entirely of outside directors. The audit committee's role includes appointing, compensating, and overseeing the external auditor.
- Notification of auditor changes. Any dismissal or resignation of an independent auditor must be reported to the FDIC within 15 business days under 12 C.F.R. § 363.5, including a statement of any disagreements with the departing auditor.
Independent of Part 363, institutions of all sizes are expected to maintain an effective internal audit function as a component of sound risk management. The FDIC's Supervisory Insights publications and the Federal Financial Institutions Examination Council (FFIEC) examination handbooks establish examiner expectations for internal audit coverage, independence, and documentation — expectations that effectively function as soft requirements regardless of asset-size thresholds.
Common scenarios
Scenario 1: Community bank below $500 million in total assets.
A state-chartered non-member bank with $320 million in assets is not subject to Part 363. It is nonetheless subject to FDIC safety-and-soundness examinations conducted under the Uniform Financial Institutions Rating System (CAMELS framework). Examiners will assess the adequacy of internal controls and may comment on absent or weak internal audit programs in examination reports. BSA independent testing remains mandatory under 31 C.F.R. § 1020.210 regardless of asset size.
Scenario 2: Institution crossing the $500 million threshold.
When a bank's total assets cross $500 million — either organically or through acquisition — it becomes subject to Part 363 for the fiscal year following the calendar year-end in which the threshold was crossed. The FDIC provides a transitional period, but institutions frequently encounter resource gaps in audit committee independence requirements and auditor qualifications during this period.
Scenario 3: Institution at the $1 billion threshold.
An institution with $1.1 billion in assets must engage a PCAOB-registered auditor and produce a management report on internal controls over financial reporting. This mirrors, but does not fully replicate, the Sarbanes-Oxley Section 404 integrated audit process applicable to public companies. One key distinction: Part 363 applies to insured depository institutions based on asset size, whereas SOX Section 404 applies based on public reporting status under the Securities Exchange Act.
Scenario 4: BSA/AML audit.
A bank of any size that maintains a BSA compliance program — which is all federally insured depository institutions — must conduct independent testing of that program. The FFIEC BSA/AML Examination Manual specifies that independent testing should be conducted by either internal audit staff with no BSA compliance responsibilities or an external third party. This is structurally distinct from the Part 363 financial statement audit but frequently coordinated in the same annual audit cycle.
Decision boundaries
Several classification boundaries determine which specific audit requirements apply to a given institution.
FDIC-supervised vs. OCC- or Fed-supervised.
The FDIC directly supervises state non-member banks. National banks and federal savings associations are supervised by the Office of the Comptroller of the Currency (OCC), while state-chartered member banks fall under Federal Reserve supervision. Each agency applies its own examination procedures, but all federally insured institutions are subject to the FDIC's deposit insurance authority and, where applicable, to Part 363, because Part 363 applies to insured depository institutions regardless of charter type, as stated in 12 C.F.R. § 363.1.
External audit vs. regulatory examination.
The Part 363 annual audit is an external, independent engagement conducted by a CPA firm. The FDIC examination — conducted by FDIC examiners under the FDI Act — is a supervisory function, not an audit in the professional standards sense. The distinction between a bank examination and a financial audit is operationally significant: examiners do not issue audit opinions, and auditors do not conduct safety-and-soundness examinations. The outputs, evidence standards, and legal consequences differ materially.
Internal audit vs. independent testing vs. external audit.
Three distinct functions must not be conflated:
- Internal audit is an ongoing assurance and advisory function operating under the direction of the audit committee, governed by Institute of Internal Auditors (IIA) standards.
- Independent testing (e.g., BSA/AML) is a discrete periodic review performed by a function or party independent of compliance operations, not necessarily a licensed CPA.
- External audit under Part 363 is a licensed CPA engagement producing a formal opinion under GAAS or PCAOB standards.
These functions are complementary but legally and professionally separate. An institution may not substitute robust internal audit activity for the external CPA opinion required under Part 363.
Audit frequency and timing.
Part 363 mandates an annual audit cycle. The FDIC does not prescribe internal audit frequency by regulation, but FFIEC guidance and examiner expectations effectively require continuous or at minimum quarterly internal audit coverage for higher-risk areas such as credit, liquidity