A CDC must operate in accordance with the following requirements:
(a) In general. CDCs must meet all 504 Loan Program Requirements. In its Area of Operations, a CDC must market the 504 program, package and process 504 loan applications, close and service 504 loans, and if authorized by SBA, liquidate and litigate 504 loans. It must supply to SBA current and accurate information about all certification and operational requirements, and maintain the records and submit all reports required by SBA.
(b) Operations and internal controls. Each CDC's board of directors must adopt an internal control policy which provides adequate direction to the institution for effective control over and accountability for operations, programs, and resources. The board adopted internal control policy must, at a minimum:
(1) Direct management to assign the responsibility for the internal control function (covering financial, credit, credit review, collateral, and administrative matters) to an officer or officers of the CDC;
(2) Adopt and set forth procedures for maintenance and periodic review of the internal control function;
(3) Direct the operation of a program to review and assess the CDC's 504-related loans. For the 504 review program, the internal control policies must specify the following:
(i) Loan, loan-related collateral, and appraisal review standards, including standards for scope of selection (for review of any such loan, loan-related collateral or appraisal) and standards for work papers and supporting documentation;
(ii) Loan quality classification standards consistent with the standardized classification systems used by the Federal Financial Institution Regulators;
(iii) Specific control requirements for the CDC's oversight of Lender Service Providers; and
(iv) Standards for training to implement the loan review program; and
(4) Address other control requirements as may be established by SBA.
(c) Annual Audited/Reviewed Financial Statements. Each CDC with a 504 loan portfolio balance of $30 million or more (as calculated by SBA) must have its financial statements audited annually by a certified public accountant that is independent and experienced in auditing financial institutions. The audit must be performed in accordance with generally accepted auditing standards as adopted by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). The auditor must be independent, as defined by the AICPA, of the CDC. Annually, the auditor must issue an opinion as to the fairness of the CDC's financial statements and their compliance with GAAP. For CDCs with a 504 portfolio balance of less than $30 million (as calculated by SBA), the CDC's annual financial statements submitted to SBA must be reviewed by an independent CPA in accordance with GAAP, except that the D/OCRM may require a CDC with a portfolio balance of less than $30 million to submit an audited financial statement in the event the D/OCRM determines, in his or her discretion, that such audit is necessary or appropriate when the CDC is in material noncompliance with Loan Program Requirements.
(d) Auditor qualifications. The audit or review must be conducted by an independent certified public accountant who:
(1) Is registered or licensed to practice as a public accountant, and is in good standing, under the laws of the state or other political subdivision of the United States in which the CDC's principal office is located;
(2) Agrees in the engagement letter with the CDC to provide the SBA with access to and copies of any work papers, policies, and procedures relating to the services performed;
(3)
(i) Is in compliance with the AICPA Code of Professional Conduct; and
(ii) Meets the independence requirements and interpretations of the Securities and Exchange Commission and its staff;
(4) Has received a peer review or is enrolled in a peer review program that meets AICPA guidelines; and
(5) Is otherwise acceptable to SBA.
[73 FR 75518, Dec. 11, 2008, as amended at 84 FR 66295, Dec. 4, 2019]