After the passage of the Sarbanes-Oxley Act, audit committee members experienced an increase in the intensity of the spotlight the public and regulators placed on them—and the focus didn’t just affect public companies. The current financial crisis again has put a spotlight on the responsibilities that all boards and audit committee members face. Although audit committees are actively engaged with their management teams and internal and external auditors, it can be difficult to know what should be the focus of those ongoing discussions.
So what are the things that audit committees should be thinking about today? Highlighted here are three of the critical risk areas that audit committees should have on their minds.
1. Earnings and Growth Plans: Early Assessments of the Risks
The credit challenges and related complications of the financial crisis are improving for many banks. Management teams are focused on returning to sustainable profits. Lending groups are actively looking to build their portfolios, and management teams are considering new products and services and expanding existing programs.
Audit committees need to be aware of the strategies their organizations are considering and of the associated risks. Internal audit should be auditing those risks. Whether a bank is considering resurrecting an old lending strategy or launching a new product or service, early action by the audit committee and internal audit will safeguard the organization. Audit committees and internal audit should work to understand their organization’s initiatives, limits and controls, and understand the risk monitoring that exists at their institutions.
2. Compliance: Effective, Efficient, and Critical for Survival
Compliance doesn’t always seem like the most strategic topic, but a lack of compliance can have consequences that quickly become strategic. Consumer regulations have changed significantly over the past few years, and more changes are on the horizon as the regulatory focus on consumer compliance has increased noticeably.
Audit committees should understand not just the details of compliance for individual regulations, but the compliance program itself. Having a robust system in place to identify changes, assess the enterprise-wide effects, and respond effectively is the only way that ongoing compliance can be achieved. Internal audit cannot just rely on management monitoring systems; it must perform independent testing of the compliance program and of compliance risks. Audit committees should understand the risk assessment process and internal audit’s coverage approach with respect to consumer compliance, and they should be comfortable that the compliance program will produce consistent and efficient results across all regulations and lines of business.
3. Enterprise Risk Management: Present, Comprehensive, and Insightful
Enterprise risk management (ERM) has been a topic of conversation for many years, but the level of discussion within banks and regulatory examinations is greater today in light of the financial crisis. Companies need an ERM process that is designed to address all risks across an organization and that provides meaningful information to executive management and the board. In addition, in response to the Dodd-Frank Wall Street Reform and Consumer Protection Act, which requires a board-level risk committee for firms with more than $10 billion in consolidated assets, examiners sometimes are asking much smaller organizations to put programs in place that include board-level oversight.
Audit committees should understand their bank’s ERM program, and internal audit should evaluate its effectiveness. Questions to consider include: Does a program already exist, and, if so, who owns the program? Are the right people involved? Do the results prompt the right discussions (are the company’s biggest risks part of the conversation)? Do the board and executive management support the process and the outcomes?
The goal of ERM is not simply to comply with a regulatory mandate, but to establish a disciplined process whereby the most significant risks are summarized for insightful discussion and response. As it does with all critical areas of its bank, an audit committee must make sure that the ERM function exists and that it is operating as intended.
Having confidence in the quality and scope of the internal audit function should be a priority for any bank’s audit committee. Though the three critical areas discussed above are not exhaustive, they represent some of the larger issues facing banks today. Ongoing changes are inevitable. Specific consideration of changing risks, and of potential changes to audit plans, could be a useful topic for audit committees to add to their agendas.