Article | December 15, 2025

Sustaining internal controls over financial reporting: What the FDIC’s new thresholds mean for you


Internal Controls over Financial Reporting (ICFR) remain a cornerstone of financial integrity, even with significant changes to reporting requirements. With the FDIC’s finalized rules adjusting regulatory thresholds, community banks should revisit audit plans in light of the new compliance standards to balance oversight with operational relief.

On January 1, 2026, new thresholds under Part 363 take effect, redefining reporting requirements for hundreds of banks:

  • Institutions not subject to Part 363 under the new thresholds as of Jan. 1, 2026 do not need to comply with prior requirements.
  • For banks already meeting the new thresholds, the relief is effective immediately.

These updates, driven by inflation adjustments and a commitment to reduce unnecessary burdens, will be reviewed every two years starting October 2027. While the changes simplify compliance for smaller institutions, they don’t negate the importance of robust internal controls for effective risk mitigation in institutions of all sizes.

What’s Changing?

The FDIC’s recent revisions significantly raise key compliance thresholds:

  • Annual reporting now required at $1 billion in total assets (up from $500 million)
  • ICFR attestation now required at $5 billion in total assets (up from $1 billion)
  • Audit committee independence requirements rise in line with these regulatory changes
  • Independent director compensation increased to $120,000 annually (up from $100,000)

Who Benefits?

The threshold changes create a clear divide between institutions that gain reporting relief and those that maintain higher compliance obligations:

  • 778 banks under $1 billion in assets will see reporting relief
  • 727 banks between $1 billion and $5 billion will experience reduced ICFR obligations

Ultimately, these changes result in lower compliance costs and fewer audit complexities for smaller institutions.

Impact on ICFR

Previously, banks with over $1 billion in assets faced stringent ICFR assessments and auditor attestations. Under the new rule:

  • Below $1 billion in assets: Part 363 generally does not apply
  • $1 billion – $5 billion: Annual, independent audit and management report remain, but ICFR attestation is no longer required
  • Over $5 billion: Full ICFR requirements continue, including management assessment and auditor attestation

Despite relief for smaller banks, approximately 95% of industry assets remain under Part 363 oversight, and roughly 89% remain subject to ICFR requirements, preserving systemic stability.

Why Controls Still Matter

Don’t toss your risk control matrix just yet. ICFR exists for a reason: mitigating risks like fraud, cyberattacks, and material misstatements to maintain accurate, reliable financial statements. Without proper checks, risks can escalate quickly. While no system can eliminate risks entirely, strong controls significantly reduce their likelihood and the impact of potential issues. ICFR plays a vital role in supporting sound business decisions.

The FDIC’s recent threshold adjustments signal a broader trend toward simplifying compliance while maintaining accountability. For banks, this is an opportunity to rethink risk management holistically and build resilience across departments.

Breaking Down Silos: A Strategic Opportunity

Historically, ICFR, Internal Audit, and Enterprise Risk Management (ERM) have operated in silos. That’s changing. Leading organizations are moving toward a more collaborative approach that leverages the interconnections among these functions to build a unified, cross-functional risk strategy. To achieve this:

  • Align ICFR with ERM by:
    • Mapping ICFR risks to enterprise-level risks
    • Adopting a common risk taxonomy for consistency
    • Incorporating ICFR into risk appetite and tolerance discussions
  • Embed ICFR into audit planning by:
    • Including ICFR risk assessments in annual audit planning
    • Prioritizing audits based on control effectiveness and materiality
    • Using ICFR walkthroughs and testing results to inform audit scope and timing
  • Enhance cross-functional collaboration by:
    • Fostering cooperation between Finance, Internal Audit, and IT
    • Holding joint planning sessions to agree on key risks and controls
    • Sharing findings and insights across teams to drive unified action

When ICFR is woven into audit planning and ERM frameworks, institutions can more effectively prioritize audits, anticipate control deficiencies, reduce duplication, and adapt quickly to change—leading to a more resilient and agile organization.

We Can Help

Strong internal controls are necessary for trust, transparency, and long-term success. Our Financial Services Group helps institutions:

  • Evaluate the current ICFR framework
  • Identify gaps in risk assessment, control activities, and monitoring
  • Enhance reporting processes and reduce manual effort
  • Align oversight mechanisms with business goals and regulatory expectations
  • Support leadership with actionable insights and practical solutions

Contact us today to get started.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
