363.2—Annual reporting requirements.

(a) Audited financial statements. Each insured depository institution shall prepare annual financial statements in accordance with GAAP, which shall be audited by an independent public accountant. The annual financial statements must reflect all material correcting adjustments necessary to conform with GAAP that were identified by the independent public accountant.
(b) Management report. Each insured depository institution annually shall prepare, as of the end of the institution's most recent fiscal year, a management report that must contain the following:
(1) A statement of management's responsibilities for preparing the institution's annual financial statements, for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and for complying with laws and regulations relating to safety and soundness that are designated by the FDIC and the appropriate Federal banking agency;
(2) An assessment by management of the insured depository institution's compliance with such laws and regulations during such fiscal year. The assessment must state management's conclusion as to whether the insured depository institution has complied with the designated safety and soundness laws and regulations during the fiscal year and disclose any noncompliance with these laws and regulations; and
(3) For an insured depository institution with consolidated total assets of $1 billion or more as of the beginning of such fiscal year, an assessment by management of the effectiveness of such internal control structure and procedures as of the end of such fiscal year that must include the following:
(i) A statement identifying the internal control framework 14 used by management to evaluate the effectiveness of the insured depository institution's internal control over financial reporting;

Code of Federal Regulations


Footnote(s): 14 For example, in the United States, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission has published Internal Control—Integrated Framework, including an addendum on safeguarding assets. Known as the COSO report, this publication provides a suitable and available framework for purposes of management's assessment.
(ii) A statement that the assessment included controls over the preparation of regulatory financial statements in accordance with regulatory reporting instructions including identification of such regulatory reporting instructions; and
(iii) A statement expressing management's conclusion as to whether the insured depository institution's internal control over financial reporting is effective as of the end of its fiscal year. Management must disclose all material weaknesses in internal control over financial reporting, if any, that it has identified that have not been remediated prior to the insured depository institution's fiscal year-end. Management is precluded from concluding that the institution's internal control over financial reporting is effective if there are one or more material weaknesses.
(c) Management report signatures. Subject to the criteria specified in § 363.1(b) :
(1) If the audited financial statements requirement specified in § 363.2(a) is satisfied at the insured depository institution level and the management report requirement specified in § 363.2(b) is satisfied in its entirety at the insured depository institution level, the management report must be signed by the chief executive officer and the chief accounting officer or chief financial officer of the insured depository institution;
(2) If the audited financial statements requirement specified in § 363.2(a) is satisfied at the holding company level and the management report requirement specified in § 363.2(b) is satisfied in its entirety at the holding company level, the management report must be signed by the chief executive officer and the chief accounting officer or chief financial officer of the holding company; and
(3) If the audited financial statements requirement specified in § 363.2(a) is satisfied at the holding company level and (i) the management report requirement specified in § 363.2(b) is satisfied in its entirety at the insured depository institution level or (ii) one or more of the components of the management report specified in § 363.2(b) is satisfied at the holding company level and the remaining components of the management report are satisfied at the insured depository institution level, the management report must be signed by the chief executive officers and the chief accounting officers or chief financial officers of both the holding company and the insured depository institution and the management report must clearly indicate the level (institution or holding company) at which each of its components is being satisfied.