Effective January 1, 2026, the FDIC updated the asset‑based thresholds under 12 CFR Part 363 (FDICIA), providing regulatory relief for many community and regional banks.[1] As a result, certain institutions are no longer required to obtain an auditor’s opinion on internal control over financial reporting (ICFR) or provide management’s ICFR attestation based on asset size alone.
While this change reduces prescriptive compliance requirements, it does not decrease the underlying risks associated with financial reporting, operations, or governance. Regulators, boards, and audit committees still expect strong internal controls and independent assurance, regardless of whether an institution technically falls under FDICIA thresholds.
What Changed?
For institutions below the revised thresholds, FDICIA Part 363 no longer mandates:
- Annual ICFR management attestation
- An external auditor’s ICFR opinion
- Certain audit committee composition requirements for institutions under $5 billion in assets
What Did Not Change
Despite this regulatory relief:
- Management remains responsible for maintaining effective internal controls.
- The board and audit committee retain oversight responsibility for control effectiveness.
- Regulators still expect reliable financial reporting, strong governance, and independent assurance.
In short, the rules changed, but the expectations did not.
The Post‑FDICIA Assurance Reality
Banks exiting FDICIA often ask, “If we’re no longer required to do FDICIA testing, what replaces it?” The answer is not less assurance, but different assurance.
After FDICIA, internal audit typically becomes the primary independent assurance function supporting the audit committee. Instead of following a checklist driven by regulatory thresholds, assurance moves to a risk‑based model. This approach keeps the discipline that FDICIA embedded while aligning coverage more closely with the institution’s actual risk profile.
That makes the approach risk‑driven rather than threshold‑driven, scalable and cost‑effective, and defensible to regulators, external auditors, and boards.
What Happens to Former FDICIA Controls?
A critical misconception is that leaving FDICIA means scrapping former “key controls.” In practice, effective institutions reevaluate these controls instead of discarding them.
Former FDICIA controls often stay in scope when they address material financial reporting risk, support high‑risk or judgmental processes, and have a history of findings or regulatory focus.
What does change is how often and how deeply those controls are tested. Mandatory annual testing gives way to a documented, risk‑based testing cadence approved by the audit committee. This preserves oversight while avoiding unnecessary duplication.
Testing Rigor Still Matters
FDICIA may no longer prescribe sample sizes or testing methods for institutions below the thresholds, but testing rigor does not disappear. Leading internal audit functions continue to apply reasonable, consistent sample sizes; scale testing based on volume, complexity, and prior results; and maintain year‑over‑year comparability to support trend analysis.
This helps ensure that assurance remains credible, repeatable, and defensible, especially during regulatory examinations.
Being Examiner‑Ready
When regulators or stakeholders ask how assurance coverage has changed post‑FDICIA, institutions should have a clear, consistent message ready. For example:
“Following the FDICIA Part 363 threshold changes effective January 1, 2026, the institution transitioned from prescriptive FDICIA testing to a risk‑based internal audit assurance model that continues to provide independent coverage over key financial reporting and operational controls.”
This framing reinforces that assurance has evolved instead of eroded.
What This Means for Audit Committees
In a post‑FDICIA environment, the audit committee plays a critical role. Internal audit is expected to provide primary independent assurance over financial reporting and key operational risks; clearly document scope, testing decisions, and results; and transparently report issues, trends, and remediation status.
At the same time, audit committees remain responsible for approving scope decisions and overseeing control effectiveness, supported by clear, defensible reasoning for any changes in coverage or frequency.
The Bottom Line
FDICIA compliance may no longer be required, but FDICIA‑level risks still exist.
Institutions that navigate this transition successfully are those that preserve the control discipline FDICIA created, while thoughtfully right‑sizing assurance to their evolving risk profile. Post‑FDICIA, internal audit goes beyond a compliance function to become a cornerstone of strong governance and regulatory confidence.
How Forvis Mazars Can Help
Forvis Mazars supports banks as they transition from FDICIA compliance to a disciplined, risk‑based internal audit assurance model. Our focus isn’t just reducing testing, but helping institutions keep the value of their former FDICIA discipline while right‑sizing assurance to their current risk profile.
We work with management and audit committees to help:
- Translate former FDICIA requirements into defensible, risk‑based internal audit coverage.
- Re‑evaluate legacy FDICIA key controls to gauge what should remain in scope and why.
- Establish documented, audit committee‑approved testing cadence decisions.
- Maintain examiner‑ready positioning that clearly explains changes in the assurance approach.
- Avoid over‑engineering or under‑scoping assurance as regulatory thresholds change.
We can provide a practical, scalable approach that is designed to stand up to regulatory scrutiny without unnecessary duplication of effort. If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
[1] “Rules and Regulations: Federal Register Vol. 90, No. 231,” fdic.gov, December 4, 2025.