By Debra Cope
The FDIC has simplified audit and internal control requirements for hundreds of community and regional banks. For audit committees, the immediate effect is clear: less prescriptive oversight.
This is the cover story of the May-June 2026 edition of ABA Banking Journal Directors Briefing.
The revisions to the rules known as Part 363 remove or scale back requirements for a significant share of the industry. But they do not eliminate the underlying responsibilities tied to financial reporting, controls and risk oversight, and that distinction is shaping how banks are responding.
Michelle Beard, an internal audit partner at Crowe, says management teams and audit committees are now making active decisions about how far to scale back. “They’ve had to determine what they are going to do,” she says. “Are they going to completely roll back, continue executing similarly, or do something in between?”
What banks are doing now
- Eliminating stand-alone ICFR testing but keeping core controls
- Reducing sample sizes or testing frequency
- Maintaining full programs to support growth or avoid rebuilding later
Even without an external opinion requirement, “management still needs to formally acknowledge responsibility for establishing and maintaining an adequate internal control structure over as part of the management report required by FDICIA,” Beard says.
For audit committees, that shifts the focus. Directors are no longer simply monitoring compliance with a defined rule set — they are evaluating whether management’s approach to assurance is credible.
“If I’m an audit committee member and my management team is telling me we’re going to roll back, my question is, what are we doing then to get comfortable that the controls are still operating effectively?” Beard explains.
One risk is gradual erosion. “There is risk that, with the relaxation, the operation of the controls relaxes as well,” she said.
At the same time, many banks are choosing not to pull back. Having invested heavily in documentation, accountability and control execution, they are wary of undoing that progress. “A lot of our banks are saying, I don’t really want to roll that back,” Beard says.
The easing of audit committee composition rules adds another dimension. With fewer structural requirements, effectiveness increasingly depends on how committees operate — especially their ability to challenge management.
“Audit committees aren’t really in the job of setting risk,” Beard says. “They’re in the job of understanding, validating, challenging management’s assessments.”
That challenge is more difficult in areas like cybersecurity, third-party risk and AI, where committees often rely on management’s framing. In response, many are leaning more heavily on internal audit and external advisors to build independent perspectives.
Internal audit, in particular, may take on a larger role. As external requirements ease, regulators may look more closely to internal audit as a source of assurance — raising the stakes for audit committees to engage with its findings.
The broader effect of regulatory easing is a shift from rules to judgment. “When that eases, then management’s kind of left trying to justify its determination,” Beard said.
Questions to ask in the boardroom
- How is management getting comfortable that controls are operating effectively?
- What testing or validation has been reduced — and why?
- Where are we relying on internal audit vs. management, and how do their risk assessments differ?
- What would it take to scale controls back up quickly if expectations change?
- Are we preserving the culture of control we’ve built?









