With the current focus on regional bank stability, banks must recognize the importance of information sources that provide transparency on their financial condition. One such source gaining prominence is the quarterly call report filed with the Federal Financial Institutions Examination Council (FFIEC). These reports, publicly available on the FFIEC’s website, offer a granular view of a bank’s operations and financial position that supplements quarterly and annual filings with the Securities and Exchange Commission (SEC). Furthermore, due date requirements are earlier for call reports, often making them publicly available prior to SEC filings. Bank directors may find themselves facing important questions when they start to understand the significance of these reports.
While many external directors spend significant time and effort understanding the control environment underpinning audited financial statements, they may not focus enough on the control environment surrounding other key information provided to regulators, such as the quarterly call report. As a result, many bank boardrooms are currently focused on regulatory reporting. Directors should consider posing the following inquiries:
Internal processes and controls
Directors should understand the internal processes and controls governing the preparation of call reports and other regulatory filings. Bank processes and controls are often designed differently; the design may be influenced by risk assessments, and the controls may not have the same level of precision. The framework established by the Sarbanes-Oxley (SOX) reporting requirements provides a baseline for the precision of financial reporting data. However, since SOX primarily aligns with SEC reporting, the processes and controls related to regulatory reporting may differ. Furthermore, regulators receiving this information may have different precision expectations compared to the overall financial statement position.
Management’s testing process
Directors should also inquire about testing the data, processes and controls related to call reports. While quarterly and annual SEC financial reports are accompanied by certifications from senior management, including independent control testing (SOX testing), the same level of scrutiny may not be applied to other regulatory reports. In the case of the call report, although FDICIA requires management certification, directors should ascertain if the scope and rigor of these processes are consistent with SEC-reported financial information.
Inspection results and remediation
Internal audit functions also serve as a vital checkpoint for processes and controls. Directors should understand the scope of internal audits related to call reports. Further, they should inquire into the testing results and remediation status of any deficiencies identified through SOX inspections or internal audits. Deficiencies are typically risk-rated, with higher significance being conveyed to the board, along with periodic updates on remediation efforts. However, regulatory reporting deficiencies may not always be regarded with the same level of significance as SOX deficiencies.
External findings and regulatory communications
Be aware of any external findings or communications from regulators regarding regulatory reporting data. While management may not assign the same level of significance to regulatory report data, regulatory reviews encompass evaluation and secondary analysis of relevant data, potentially uncovering concerns that may not have been raised to the board.
Determine whether external auditors perform audits of regulatory reports, such as call reports. Typically, external auditors conduct audits of annual financial statements and reviews of quarterly financial statements filed with the SEC. However, banks often do not request that auditors extend their procedures to call report data that differs from SEC-reported financial data. Although external auditors perform procedures over certain call report data, these procedures do not include auditing all the amounts in the regulatory reports and may involve a different scope or assessment of materiality compared to SEC-reported data.
As the banking landscape receives enhanced scrutiny, regulatory reports, including call reports, emerge as a valuable tool for outsiders seeking insights into an institution’s financial health. By posing the right questions regarding differences, internal processes, inspections and audits, directors gain a holistic understanding of the strengths and weaknesses of the data reporting process. Equipped with this knowledge, they can make informed decisions to improve the overall accuracy of the bank’s public reporting.
John Oliver is a trust solutions partner in PwC’s Banking and Capital Markets sector. In addition to leading PwC’s fintech audit practice, John supports the Governance Insight Center, serving boards of directors in the financial services sector.