
CECL: Reasonable and supportable? Be ready to be ALLL in

01.10.17

Recently, federal banking regulators released an interagency financial institution letter on CECL, in the form of a Q&A. Read it here. While there weren’t a lot of new insights into expectations examiners may have upon adoption, here is what we gleaned, and what you need to know, from the letter.

ALLL Documentation: More is better

Your management will be required to develop reasonable and supportable forecasts to determine an appropriate estimate for their allowance for loan and lease losses (ALLL). Institutions have always worked under the rule that accounting estimates need to be supported by evidence. Everyone knows both examiners and auditors LOVE documentation, but how much is necessary to prove whether the new CECL estimate is reasonable and supportable? The best answer I can give you is “more”.

And regardless of the exact model institutions develop, there will be significantly more decision points required with CECL than with the incurred loss model. At each point, both your management and your auditors will need to ask, “Why this path vs. another?” Defining those decision points and developing a process for documenting the path taken while also exploring alternatives is essential to build a model that estimates losses under both the letter and the spirit of the new rules. This is especially true when developing forecasts. We know you are not fortune tellers. Neither are we.

The challenge will be to document the sources used for forecasts, making the connections between that information and its effect on your loss data as clear as possible, so the model bases the loss estimate on your institution’s historical experience under conditions similar to those you’re forecasting, to the extent possible.

Software may make this easier… or harder.

The leading allowance software applications allow for virtually instantaneous switching between different models, permitting users to test various assumptions in a painless environment. These applications feature collection points that enable users to document the basis for their decisions, which then become part of the final ALLL package. Take care to ensure that the support collected matches the decisions made and assumptions used.

Whether you use software or not, there is a common set of essential controls to help ensure your ALLL calculation is supported. They are:

  • Documented review and recalculation of the ALLL estimate by a qualified individual(s) independent of the preparation of the calculation
  • Control over reports and spreadsheets that include data that feed into the overall calculation
  • Documentation supporting qualitative factors, including reasonableness of the resulting reserve amounts
  • Controls over loan ratings if they are a factor in your model
  • Controls over the timeliness of charge-offs

In the process of implementing the new CECL guidance it can be easy to focus all of your effort on the details of creating models, collecting data and getting to a reasonable number. Based on the regulators’ new Q&A document, you’ll also want to spend some time making sure the ALLL number is supportable.

Next time, we’ll look at a lesser known section of the CECL guidance that could have a significantly negative impact on the size of the ALLL and capital as a result: off-balance-sheet credit exposures.


Read this if you are a CFO or controller.

The Governmental Accounting Standards Board (GASB) recently provided much needed guidance for governmental organizations struggling to account for relief provided in the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). In their Technical Bulletin No. 2020-1, Accounting and Financial Reporting Issues Related to the CARES Act and Coronavirus Diseases, GASB addressed a number of pressing recognition and presentation questions that you should be aware of when preparing financial statements. The following is a summary of the guidance:

  • Resources received under the Coronavirus Relief Fund (CRF) subject to restrictions should be recognized as voluntary nonexchange transactions, subject to eligibility rather than purpose restrictions. As such, the entity should recognize resources received from the CRF as liabilities until the applicable eligibility requirements are met, including the incurrence of eligible expenditures. When the eligibility requirements have been met, revenue should be recognized for CRF resources received.
  • Provisions of the CARES Act that address the entity’s loss of revenue should be considered an eligibility requirement for purposes of revenue recognition. 
  • Any possible amendments to the CARES Act issued subsequent to the statement of net position date but before the issuance of financial statements, even when enacted with retroactive provisions, do not represent conditions that existed as of the period-end being reported and should only be reported as a nonrecognized subsequent event.
  • With the exception of CARES Act funds provided through the Provider Relief Fund's Uninsured Program (operating revenues), funds received under the CARES Act are subsidies and should be reported as nonoperating revenues and presented as noncapital finance activities in the statement of cash flows.
  • Outflows of resources incurred in response to the coronavirus disease due to actions taken to slow the spread of the virus or the implementation of "stay-at-home" orders should not be reported as extraordinary items or special items.
  • In addition to the guidance provided with the Technical Bulletin, the GASB also provides a number of additional stakeholder resources that may be useful during this period on its website, including an Emergency Toolbox that provides guidance on donated assets, management’s discussion and analysis (MD&A), asset impairment, and more.

Please contact Robert Smalley if you have questions on the latest GASB updates.

Article
GASB releases guidance for organizations receiving relief from the CARES Act

Recently the Governmental Accounting Standards Board (GASB) finished its Governmental Accounting Research System (GARS), a full codification of governmental accounting standards. The completion of the project allows preparers easy access to accounting guidance from GASB. The overall project, starting from the codification of older pre-1989 Financial Accounting Standards Board (FASB) pronouncements in 2010, was focused on pulling together all authoritative guidance, similar to what FASB had done in 2009.

Here’s what we found interesting.

Poking around the GARS (Basic View is free) I was struck by a paragraph surrounded by a thick-lined box that read “The provisions of this Codification need not be applied to immaterial items.” If you have ever read a GASB or FASB pronouncement, you have seen a similar box. But probably, like me, you didn’t fully consider its potential benefits. Understanding this, GASB published an article on its website aimed at (in my opinion) prompting financial statement preparers to consider reducing disclosure for the many clearly insignificant items often included within governmental financial statements.

After issuing more than 80 pronouncements since its inception in 1984, including 19 in the last five years, GASB accounting requirements continue to grow. Many expect the pace to continue, with issues like lease accounting, potential revision of the financial reporting model, and a comprehensive review of revenue and expense recognition accounting currently in process. With these additional accounting standards come more disclosure requirements.

With many still reeling from implementation of the disclosure-heavy pension guidance, GASB is already under pressure from stakeholders with respect to information overload. Users of financial statements can be easily overwhelmed by the amount of detailed disclosure, often finding it difficult to identify and focus on the most significant issues for the entity. Balancing the perceived need to meet disclosure requirements with the need to highlight significant information can be a difficult task for preparers. Often preparers lean towards providing too much information in an effort to “make sure everything is in there that should be”. So, what can you do to ease the pain?

While the concept of materiality is not addressed specifically in the GASB standards, by working with your auditors there are a number of ways to reduce the overall length and complexity of the statements. We recommend reviewing your financial statements periodically with your auditor, focusing on the following types of questions:

  • On the face of the financial statements, are we breaking out items that are clearly inconsequential in nature and amount?
  • Are there opportunities to combine items where appropriate?
  • In the notes to the financial statements are we providing excessive details about insignificant items?
  • Do we have an excess amount of historical disclosure from years past?
  • In the management’s discussion & analysis, is the analysis completed to an appropriate level? Is there discussion on items that are insignificant?

The spirit behind the box is that GASB was specifically thinking about material amounts and disclosures. It was not their intention to clutter the financials with what their article referred to as “nickel and dime” items. With more disclosure requirements on the way, now might be the time to think INSIDE the box.

For more guidance on this and other GASB information, please contact Rob Smalley.

Article
Extra information for GASB organizations: How to lessen information overload

By now you have heard that the Financial Accounting Standards Board’s (FASB) answer to the criticism the incurred-loss model for accounting for the allowance for loan and lease losses faced during the financial crisis has been released in its final form. The Current Expected Credit Loss model (CECL), which was developed through an arduous (and sometimes contentious) process following the crisis, will bring substantial changes to the way community banks account for expected losses in their loan portfolios. 

Working closely with community banks in the years building up to final issuance, we recognized an uncomfortable level of uncertainty created by the ever-changing proposals and lack of concrete examples. Now that the guidance is final, we feel a strong sense of responsibility to provide our interpretations, thoughts and insights where we can. As the FASB has shown recently with its new revenue pronouncement, there is a good chance that updates to the guidance will occur as we move closer to the implementation dates. The banking regulators who have thus far been mostly silent on the guidance will also have their interpretations.

We find that with substantial new guidance, breaking it down into bite-size pieces can be the best approach to understanding and implementation. With that said, this is the first of a number of planned articles from BerryDunn to do just that.

Building your team

One of the first things your institution should do is create an implementation team. Building it now with staff from diverse backgrounds and experience including finance, lending and collections will bring significant rewards in the long run. This is also a good time to consider opportunities to include your auditor in the process. Ultimately, you will need them to perform audit procedures on your CECL allowance as part of your financial statement audit. That also means your model and the resulting estimate must be auditable. Including auditors in the early stages should also help your team think about implications the audit requirements may have for expectations related to retaining documentation and supporting assumptions. In addition, your auditor may be able to share observations based on how other institutions are implementing CECL that may be helpful for your team. Auditors can do all this while maintaining independence if their services are structured properly.

When your team is assembled and is up-to-speed on the basics of what CECL is and isn’t, defining the team’s goals and creating a roadmap to get there will be your keys to success. And asking the right questions while creating the roadmap is a great place to start. 

Questions to consider:
What available method (under CECL) is the best fit for the institution?
We expect that most community institutions will start with a top-down approach, using an adaptation of their current loss-rate approach to reflect the change from the old incurred loss method to the “life of the loan” current expected credit loss method. We believe the following step-by-step model will be one practical approach that should fit most community banks and credit unions:

  1. Determine which loans are appropriate for specific reserves, much in the same manner as you’re likely doing now. The notion of “impaired” loans goes away with CECL; a loan should be evaluated specifically if the institution becomes aware of loan-specific information indicating it has an exposure to loss that differs from other loans it’s been pooled with. In practice, we think that’ll be largely the same loans that are currently being identified as impaired.
  2. For the rest of the portfolio:
    1. Group loans by common characteristics – same as you are likely doing now. These groups can match your portfolio or class groupings used now in financial reporting, but can also be broken down further.
    2. For each group, create subgroups for each origination year. One of the disclosure requirements in the guidance suggests the current year and previous four years are the critical ones to focus on; anything older than five years could be combined together.
    3. For each subgroup:
      1. Establish economic and other relevant conditions for the average remaining term of loans in the subgroup. This will be a combination of forecasted conditions for the near future, probably based on the Fed’s three-year forecast, and long-term historical conditions for the remaining average loan term.
      2. Select a historical loss period that best approximates the conditions established in 2c(i).
      3. Determine average remaining lifetime losses for the historical loss period established in 2c(ii) for that loan type.
      4. Adjust the average determined in 2c(iii) for any current or expected conditions that you believe are different from this historical data. The regulators have indicated their expectation that these will likely be the types of items for which qualitative factors have been developed under the incurred loss model, or a subset thereof.

These adjustments should themselves be based on historical data, or peer historical data if institution-specific data isn’t available (for example, a new loan product); for example, a 25 basis point upward adjustment for actual and expected declines in real estate values beyond the average in the historical period in 2c(ii) should be supported by data that shows a 25 basis point increase in losses for this type of loan in previous periods in which real estate values had shown a similar decline.

What data do we need to start collecting?
The clock has started! The CECL model requires analysis of loss rates and environmental factors. Your goal is detailed loss-rate calculations going back as far as you can get. The next step after collecting the historical data on your losses is to document other factors that were in play during each period. You will also need to consider the factors that affected charge-off rates for different periods. Changes in overall economic conditions, underwriting (both risk and quality), the legal environment and other factors need to be documented and correlated to trends in charge-offs. Remember that one of the first steps in preparing a CECL model is to decide which time period of losses best matches the current environment. Without considering the full picture, including the external forces in play, it will be impossible to select an appropriate time period.

How do we retain and access that data?
Many core providers restrict access to older loan level data, and in some cases historical information is readily available only for very short time periods. Knowing the restrictions on your older data will be key in planning for CECL. The model suggests that a starting point for considering historical data needs is to consider what time periods matter. This may vary for different types of loans.

Some core providers have started reaching out to their institutions to discuss CECL and options for collection of data through webinars and one-on-one meetings. Consider reaching out directly to your provider to see what options in terms of data collection, retention and reporting will be available to your team.

What is the next step?
Build a simple model so that your team can better grasp and discuss the fundamentals of CECL. This can serve to solidify the concept of “life of loan losses” vs. the incurred loss method, as well as get your task force focused on what is important in collecting data.

Now that you’ve got your team assembled and have begun to tackle these questions, it’s time to look at other factors to consider. In our next installment, we’ll take you through how to implement CECL for loans obtained in a merger or acquisition. In the meantime, please call us if you have any questions.

Article
CECL: Where to start

Read this if you are a financial institution with income tax credit investments.

Financial institutions and other businesses that participate in tax credit investments designed to incentivize projects that produce social, economic, or environmental benefits could benefit from proposed rules that simplify the accounting treatment of such investments and result in a clearer picture of how these investments impact their bottom lines.

FASB proposal

On August 22, 2022, the Financial Accounting Standards Board (FASB) issued a proposal that would broaden the application of the accounting method currently available to account for investments in low-income housing tax credit (LIHTC) programs to other equity investments used to generate income tax credits. The proposal, titled “Investments – Equity Method and Joint Ventures (Topic 323): Accounting for Investments in Tax Credit Structures Using the Proportional Amortization Method”, would expand the eligibility of the proportional amortization method of accounting beyond LIHTC programs to other tax credit structures that meet certain eligibility criteria.

FASB introduced the option to apply the proportional amortization method to account for investments made primarily for the purpose of receiving income tax credits and other income tax benefits in ASU 2014-01. However, the guidance limited the proportional amortization method to investments in LIHTC structures.

The proportional amortization method is a simplified approach for accounting for LIHTC investments in which the initial cost of the investment is amortized in proportion to the income tax credits and other benefits received (allocable share of depreciation deductions). The cost basis amortization and income tax credits received are presented net on the investor’s income statement as a component of income tax expense (benefit). Under existing guidance, investments in non-LIHTC projects are accounted for using either the equity method or cost method, depending on certain factors.

The proposal aims to address the concerns that the equity and cost methods do not offer a fair representation of the economic characteristics for investments for which returns are primarily related to federal income tax credits. Supporters of the proposal argue that the accounting method applied should not be determined by the legislative program under which the tax credits are authorized, but instead by the economic intent under which the investment was made. The hope is the FASB proposal will create a heightened sense of uniformity in accounting for investments in income tax credit structures.

Additional provisions

Other provisions within the proposal would require a reporting entity to “make an accounting policy election to apply the proportional amortization method on a tax-credit-program-by-tax-credit-program basis” and disclose the nature of its tax equity investments and the impact on its financial position and results of operations.

The significance of this proposal is amplified by the uptick in tax credit programs in recent years, including the New Markets Tax Credit (NMTC), Historic Rehabilitation Tax Credit (HTC), and Renewable Energy Tax Credit (RETC). While the FASB has yet to declare an effective date for the implementation of the proposal, comment letters from stakeholders were due October 6, 2022.

For more information

To discuss the impact this new accounting pronouncement may have on your financial institution, please contact the BerryDunn Financial Services team. We’re here to help.

Article
FASB proposes changes to accounting for income tax credits

On November 8, 2022, Massachusetts voters approved a constitutional amendment to alter the state’s flat 5% income tax to add a 4% surtax on annual income exceeding $1 million. The so-called “millionaires tax,” also referred to as the “Fair Share Amendment,” is effective for tax years beginning on or after Jan. 1, 2023. The annual income level subject to the surtax would be adjusted yearly to reflect increases in the cost of living.

This measure is expected to bring in revenue of between $1.2 and $2 billion annually. The proceeds from the increased tax collections will support state budgets in the areas of education, roads, bridges, and public transportation. The measure passed with 52% voter support and is the sixth attempt to change the state’s flat income tax rate since 1962. This amendment is expected to affect about 0.6% of the state’s population, or about 20,000 taxpayers.

If you expect your income to exceed $1 million in 2023 and have questions regarding the recent legislation, please contact a member of our state and local tax team.

Article
Massachusetts voters pass "Millionaires tax"

Read this if you are responsible for cybersecurity or are a member of a board of directors.

The board’s role in the oversight of organizational risk is increasingly complicated by cybersecurity concerns. Cybersecurity risk is pervasive and will affect companies in a variety of ways. The responsibility for detailed cyber risk oversight within the board should be well documented and communicated, and may often touch various committees across the board, including but not limited to risk, audit, and compliance. With the increasing complexity surrounding cybersecurity, it is also important for the board to evaluate existing experience and skills, identify gaps, and address those gaps through succession planning or leveraging advisors.

Additionally, all directors need to maintain continual knowledge about evolving cyber issues and management’s plans for allocating resources with respect to preparedness in responding to cyber risks. Such knowledge helps boards assess the priority and investment decisions management puts forward for critical areas.

Here are some critical questions that boards and management should be considering with respect to mitigating cybersecurity risk for their organizations. They may be useful as a starting point for boards to use in their discussions and as a guide when looking at their oversight of management’s plans for addressing potential cyber risks.

General

  • What is the threat profile and risk tolerance of our organization based on our business model and the type of data our organization holds?
  • Is the cyber risk management plan documented, including the identification, protection, and disposal of data?
  • Has the cyber risk management plan been tested?
  • Does our organization’s cybersecurity strategy align with our threat profile and risk tolerance?
  • Is our cybersecurity risk viewed as an enterprise-wide issue and incorporated into our overall risk identification, management, and mitigation process?
  • What percentage of our IT budget is dedicated to cybersecurity?
  • Does that allocation conform to industry standards?
  • Is it adequate based on our threat profile?
  • What are stakeholder demands and priorities for cybersecurity? Data privacy? Data governance? What interactions has the company or board had with shareholders regarding cybersecurity?
  • What is the interaction model between senior management and the board for communications regarding cybersecurity?
  • Has the regulatory focus on the board’s cybersecurity responsibility been increasing? If so, what is driving that focus?

Board cybersecurity oversight

  • How is oversight of cybersecurity structured (committee vs. full board) and why? Is this structure well documented in the appropriate governance charters?
  • Is cybersecurity an area considered and reported as a director competency? If so, have skill/experience gaps been identified together with plans to resolve those gaps?
  • Is there a cybersecurity expert on the board?

Overall cybersecurity strategy

  • Does the board play an active part in determining an organization’s cybersecurity strategy?
  • What are the key elements of a good cybersecurity strategy?
  • Is the organization’s cybersecurity preparedness receiving the appropriate level of time and attention from management and the board (or appropriate board committee)?
  • How do management and the board (or appropriate board committee) make this process part of the organization’s enterprise-wide governance framework?
  • How do management and the board (or appropriate board committee) support improvements to the organization’s process for conducting a cybersecurity assessment?

Risk assessment: risk profile

  • What are the potential cyber threats to the organization?
  • Who is responsible for management oversight of cyber risk?
  • Has a formal cyber assessment been performed? Does it need to be updated?
  • Do management and the board understand the organization’s vulnerabilities and how it may be targeted for cyber-attacks?
  • What do the results of the cybersecurity assessment mean to the organization as it looks at its overall risk profile?
  • Is management regularly updating the organization’s inherent risk profile to reflect changes in activities, services, and products?

Risk assessment: cyber maturity oversight

  • Who is accountable for assessing, managing, and monitoring the risks posed by changes to the business strategy or technology and are those individuals empowered to carry out those responsibilities?
  • Is there someone dedicated full-time to our cybersecurity mission and function, such as a Chief Information Security Officer (CISO)?
  • Is our cybersecurity function properly aligned within the organization? (Aligning the CISO under the CIO may not always be the best model as it may present a conflict. Many organizations align this function under the risk, compliance, audit, or legal functions, while others with a direct or “dotted line” reporting to the CEO.)
  • Do the inherent risk profile and cybersecurity maturity levels meet risk management expectations from management, the board, and shareholders? If there is misalignment, what are the proposed plans to bring them into alignment?

Cybersecurity controls

  • Do the organization’s policies and procedures demonstrate management’s commitment to sustaining appropriate cybersecurity maturity levels?
  • What is the ongoing practice for gathering, monitoring, analyzing, and reporting risks?
  • How effective are the organization’s risk management activities and controls identified in the assessment?
  • Are there more efficient or effective means for achieving or improving the organization’s risk management and control objectives?
  • Are there controls in place to ensure adequate, accurate and timely reporting of cybersecurity related content?
  • How does the company remain apprised of laws and regulations and ensure compliance?
  • What cloud services does our organization use and how risky are they?
  • How are we protecting sensitive data?

Threat intelligence and collaboration

  • What is the process for gathering and validating inherent risk profile and cybersecurity maturity information?
  • Does our organization share threat intelligence with law enforcement?
  • What third parties does the organization rely on to support critical activities and does the organization regularly audit their level of access?
  • What is the process to oversee third parties and understand their inherent risks and cybersecurity maturity?

Cybersecurity metrics

  • Have we defined appropriate cybersecurity metrics, the format, and who should be reporting to the board?
  • How regularly should a board obtain IT metric information?
  • Is the information meaningful in a way that invokes a reaction and provides a clear understanding of the level of risk willing to be accepted, transferred, or mitigated?
  • How is the board actively monitoring progress or lack of progress and holding management accountable?

Cyber incident management and resilience

  • How does management validate the type and volume of cyber-attacks?
  • Does the organization have a comprehensive cyber incident response and recovery plan? Does it involve all key stakeholders—both internal and external? Does it include a business disaster recovery communication process?
  • How does an incident response and recovery plan fit into the overall cybersecurity strategy?
  • Is the board’s response role clearly defined?
  • Is the cyber incident response reviewed and rehearsed at least annually? Do rehearsals include cyber incident exercises?
  • Is there a culture of cyber awareness and reporting at all levels of the company?
  • Is the company adequately insured and is coverage reviewed at least annually?

Cybersecurity education

  • How does the board remain current on cybersecurity developments in the market and the regulatory environment?
  • Currently, how does the board evaluate directors' knowledge of the current cyber environment and cybersecurity issues impacting their organizations?
  • Do boards currently have the skill sets necessary to adequately oversee cybersecurity? How is the board identifying and evaluating the necessary director skills and experience in this area?
  • Are directors provided with educational opportunities in this area?
  • Is regular cybersecurity education provided to the entire organization?

Cybersecurity disclosure

  • Has oversight of cybersecurity reporting been defined for management and the board?
  • Are company policies and procedures to identify and manage cybersecurity risk, management’s role in implementing cybersecurity policies and procedures, board of directors’ cybersecurity expertise and its oversight of cybersecurity risk, being included within the financial statement and proxy disclosures?
  • Does the company have a mechanism for timely reporting of material cybersecurity incidents?
  • Have updates about previously reported material cybersecurity threats and incidents been included in the financial statements?

If you have any questions about cybersecurity programs, communicating with your board about cybersecurity, or have a specific question about your company or organization, please contact our IT security experts. We're here to help.

Article
Board oversight of cybersecurity: Questions to ask

Thanks to a little-known law, eligible Massachusetts taxpayers will receive a tax credit in the form of a refund this fall—just in time for holiday shopping. Chapter 62F of the Massachusetts General Laws, a voter-passed initiative from 1986, states that if state tax revenue collections exceed a cap tied to wage and salary growth, the surplus must be returned to the taxpayers. This tax credit was only triggered once before – 35 years ago.

According to the Mass.gov website, in Fiscal Year 2022, state tax revenues exceeded the cap by $2.941 billion—the sum of which will be returned to taxpayers by check or direct deposit in the coming months.

Governor Baker stated that a preliminary estimate of the refunds will be approximately 13% of the taxpayer’s personal income tax liability in 2021, though they will update that estimate in late October, once all 2021 tax returns have been filed.

More details on the tax refund:

  • Taxpayers, both resident and non-resident, who have filed a 2021 state tax return on or before September 15, 2023, are eligible for the refund.
  • Issuance of refunds is expected to begin in November 2022.
  • Individual refunds may be reduced by refund intercepts, such as unpaid child support or unpaid tax liability.
  • Massachusetts taxpayers can use this online refund estimator to calculate their estimated refund using information from their 2021 tax returns.

If you have questions, please contact a member of our state and local tax team.

Article
Chapter 62F law to give Massachusetts taxpayers a bonus refund

Read this if you are responsible for cybersecurity at your organization.

Cybersecurity threats aren’t just increasing in number—they’re also becoming more dangerous and expensive. Cyberattacks affect organizations around the globe, but the most expensive attacks occur in the US, where the average cost of a data breach is $9.44 million, according to IBM’s 2022 Cost of a Data Breach Report. The same report shows that the cost of a breach is $10.10 million in the healthcare industry, $5.97 million in the financial industry, $5.01 million in the pharmaceuticals industry, and $4.97 million in the technology industry.

Cyber threat actors are a serious danger to your company, and your customers, stakeholders, and shareholders know this. They expect you to be prepared to defend against and manage cybersecurity threats. How can you demonstrate your cybersecurity controls are up to par? By obtaining a SOC for cybersecurity report.

What is a SOC for cybersecurity report?

A SOC for cybersecurity report provides an independent assessment of an organization's cybersecurity risk management program. Specifically, it evaluates how effectively the organization's controls monitor for, prevent, and respond to cybersecurity threats.

What’s included in a SOC for cybersecurity report?

The report is made up of three key components:

  1. Management’s description of their cybersecurity risk management program, aligned with a control framework (more on that below) and 19 description criteria laid out by the AICPA.
  2. Management’s assertion that controls are effective to achieve cybersecurity objectives.
  3. Service auditor’s opinion on both management’s description and management’s assertion.

Why should you consider a SOC for cybersecurity report?

A SOC for cybersecurity report offers several important benefits for your organization, which include:

  • Align with evolving regulatory requirements. The cybersecurity regulatory environment is constantly evolving. In particular, the SEC’s cybersecurity guidelines are becoming stricter over time. A SOC for cybersecurity report can demonstrate you’re aligned with these guidelines. If you’re a public company or are considering going public in the future, you need to be prepared to meet not just the SEC’s guidelines of today, but their evolved guidelines in the future.
  • Keep your board of directors informed. Your board is responsible for ensuring the business is effectively addressing and mitigating risks—and that includes cyber risk. A SOC for cybersecurity report offers your board a clear and practical illustration of your organization’s cybersecurity risk management controls.
  • Attract and retain more customers. It’s becoming increasingly common for companies to require that their vendors have a SOC for cybersecurity report. Even for companies that don’t require such a report, it’s important to know their vendors are keeping their data safe. Having this report differentiates you from vendors who have not prepared one.
  • Improve your cybersecurity posture. A SOC for cybersecurity report can identify current gaps in your cybersecurity risk management program. Once you’ve addressed these gaps, you can show your customers, stakeholders, and shareholders that you’re continuously improving and evolving your cybersecurity risk management approach.

How do I prepare for my SOC for cybersecurity assessment?

There are several steps you should take to prepare for your assessment.

  1. Choose your control framework. You have several options, including the NIST Cybersecurity Framework, ISO 27002, and the Secure Controls Framework (SCF). There are multiple online resources to help you choose the framework that’s right for your organization.
  2. Determine who your key internal stakeholders are for your cybersecurity risk management program. You’ll need to select a point person to be responsible for ensuring the independent services auditor has all the documentation they need to complete their assessment and act as liaison across internal and external stakeholders.
  3. Collect all cybersecurity-related documentation in one location. Make sure you have an organizational system that makes sense to your point person so it’s easy for them to pull the appropriate materials to give to the independent services auditor.
  4. Conduct a readiness assessment. You can work with an independent services auditor to conduct such an assessment which will identify gaps you can address before performing the attestation.
  5. Select an independent services auditor to perform the attestation. SOC for cybersecurity examinations are attestation engagements performed under AICPA standards by independent CPAs. Ideally, you'll want to select a firm that is experienced in your industry, has a diverse and robust team of cybersecurity professionals, and is accessible when and where you need them.

As always, if you have questions about your specific situation or would like more information about SOC for cybersecurity services, please contact our IT security experts. We’re here to help.

Article
Yes, you need a SOC for cybersecurity report—here's why

Read this if you are a community bank.

The Federal Deposit Insurance Corporation (FDIC) recently issued its second quarter 2022 Quarterly Banking Profile. The report provides financial information based on call reports filed by 4,771 FDIC-insured commercial banks and savings institutions. The report also contains a section specific to community bank performance. In second quarter 2022, this section included the financial information of 4,333 FDIC-insured community banks. BerryDunn’s key takeaways from the report are as follows:

Community banks see quarterly growth in net income despite year-over-year decline.

Community bank quarterly net income increased to $7.6 billion in second quarter 2022, despite being down $523.0 million from one year ago. Higher noninterest expense, lower noninterest income, and higher provision expense offset growth in net interest income. Nearly three-quarters of community banks reported higher net income than one quarter ago. More than two-thirds of community banks reported an increase in net interest income from the year-ago quarter.


Loan and lease balances continue to show widespread growth in second quarter 2022.

Community banks saw an $82.3 billion increase in loan and lease balances from first quarter 2022. All major loan categories except commercial & industrial (C&I) and agricultural production grew year over year, and 69.9% of community banks reported annual loan growth. Total loan and lease balances increased $125.4 billion, or 7.7%, from one year ago. Excluding Paycheck Protection Program loans, annual total loan growth would have been 14.0% and annual C&I growth would have been 21.9%.

Community bank net interest margin (NIM) increased to 3.33% due to strong interest income growth.

Community bank NIM increased eight basis points from the year-ago quarter and 22 basis points from first quarter 2022. Net interest income growth exceeded the pace of average earning asset growth. The average yield on earning assets rose 25 basis points while the average cost of funding earning assets rose three basis points from the previous quarter. The quarterly increase in NIM was the largest reported since second quarter 1985. However, NIM remains below the pre-pandemic average of 3.63%. 

Slightly more than half of community banks reported quarter-over-quarter reductions in noncurrent loan balances.

The allowance for credit losses (ACL) as a percentage of total loans and leases decreased six basis points from the year-ago quarter to 1.25%. The coverage ratio for community banks is 46.4 percentage points above the coverage ratio for noncommunity banks. The coverage ratio increased 54.1 percentage points from the year-ago quarter to 245.4%, a record high since Quarterly Banking Profile data collection began in first quarter 1984.

It has been a time of momentous change for the banking industry; this has been the case since the pandemic and continues to hold true. At the time of writing this summary, the Federal Open Market Committee (FOMC) had already raised the target federal funds rate by 225 basis points in 2022, with further increases anticipated throughout the remainder of the year. Although rising rates have been the largest contributor to strengthening net interest margins, the long-term effect of these rate increases on the economy remains to be seen.

Inflation also continues to run high, and the rate increases so far appear to have done little to slow it. This has many wondering whether rate increases are the answer at all, or whether other forces beyond the FOMC's control are at play. If so, the FOMC's target rate increases could end up worsening an economic slowdown. Furthermore, although loan growth remained relatively strong in the second quarter, deposit growth waned: community banks saw only a 0.4% increase in deposits from a quarter ago. This has left some institutions in a liquidity crunch, relying more heavily on wholesale funding to fund loan growth. Making funding decisions has proven difficult, however, given the economic uncertainty and the prospect of further target rate increases.

Community banks will have to continue to remain vigilant and remain a resource to their customers. Banks’ customers are facing many of the same challenges that banks are facing—interest rate uncertainty, rising costs, staffing shortages, etc. Therefore, as we’ve previously mentioned, it continues to be important for banks to maintain open dialogue with customers. As always, please don’t hesitate to reach out to BerryDunn’s Financial Services team if you have any questions. You can also visit our Ask the Advisor page to submit your questions.

Article
FDIC Issues its Second Quarter 2022 Quarterly Banking Profile