Standing Vigilant

There were warning signs at $1.2-billion asset Tennessee Commerce Bank well before the regulators swooped in and closed the bank last January. The problems date back even before 2010, when the bank announced a consent order with regulators and later said its quarterly earnings statement “could no longer be relied upon.” In fact, investors-whose stock is now worthless-can look back on a history of discord at the bank and problems with internal controls.

In May 2008, the Franklin, Tennessee-based bank fired its chief financial officer, George Fort, who later sued, claiming he was let go for alerting the audit committee to irregularities at the bank. According to Fort, a Tennessee Commerce executive was creating minutes for asset-liability committee meetings that never happened, among other problems.

The company accused Fort of being the one who screwed up, alleging that he neglected his duties to get the bank into compliance with the Sarbanes-Oxley Act. The bank’s external auditing firm did say it found problems with internal controls, although the bank has said they were later corrected. The lawsuit was eventually settled.

Neither Fort, directors of the bank, the bank’s auditor nor executive officers would comment for this story, and it’s unclear who or what is to blame for the bank’s failure.

However, no director wants such high drama and such a disastrous outcome for the bank where they serve. The audit committee can play an important role making sure that these kinds of problems don’t occur. It is the most important committee for financial oversight of the bank-its responsibilities for ferreting out and preventing financial shenanigans of all sorts, ensuring accurate financial statements and proper internal controls are central to the bank staying out of the headlines, not to mention creating and maintaining shareholder value. The audit committee can do all these tasks if it keeps an eye out for red flags, communicates often with internal and external auditors, keeps itself fiercely independent from management and maintains confidentiality and high standards for the expertise and commitment of its committee members.

George Mark, president of internal audit at ICS Risk Advisors in New York, says banks need to focus on their early warning system. “If it gets to the point where the regulator is forcing these issues [as with Tennessee Commerce], a lot of value for shareholders has been lost every day in the process,” he says. Banks don’t just fail overnight. History has shown that early warning signs reveal themselves long before a bank fails, Mark adds.

Bert Otto, deputy comptroller for the Office of the Comptroller of the Currency (OCC) in Chicago, says examiners are putting more emphasis on the audit committee in this economic environment, when many banks are struggling. They want to know that audit committees are watching trends with delinquent loans and ensuring good internal controls, he says. If there are problems with internal controls, examiners want to make sure the audit committee knows about them, he says.

The examiners look at the engagement letter with the auditor to make sure the auditor is looking at the appropriate areas, especially if any of those areas are of concern for the regulator. “During a financial crisis, when banks are having trouble, they tend to cut back on controls,” Otto says. “It’s very common for institutions to cut back on areas that are not income producers. Internal audit and loan review are not income producers. I think that’s absolutely wrong for banks to cut back on those departments. We need to keep money from going out the back door.”

The OCC publication “Detecting Red Flags in Board Reports” says board members can look to regulatory exams for red flags. For example, a regulatory CAMELS rating of 3, 4 or 5 shows a weak financial condition that needs to be addressed. The OCC also quantifies each organization’s risk profile. A risk category described as “moderate and increasing” or “high” is a red flag. Board members should pay careful attention as well to “matters requiring attention” on the regulatory exam and repeat problems with internal controls.

No director wants to open an exam report and be surprised by the bank’s CAMELS rating or get hit with a significant regulator concern without any advance warning.

The audit committee can head off problems by getting involved before and during regulatory exams. Otto suggests outside directors meet with examiners before the exam for an informal discussion about the bank and its management. He also thinks someone on the audit committee should keep tabs on the exam while it’s going on. The audit committee chairman also can attend the examiner’s informal discussion with management before a formal report is produced.

Sometimes, the audit committee might disagree with regulators, however. As an example, regulators typically want the loan loss allowance relatively high to help protect the banking system while the bank’s auditor may recommend a different amount because the auditor’s objective is the fairness of the financial statements, says Larry Schwartz, partner-in-charge of the Northern Virginia office of accounting firm PBGH.

“You don’t always have to agree with the regulator,” says Bill Knibloe, partner in charge of the financial institutions audit group at Chicago-based Crowe Horwath LLP.

He thinks disagreements may come about because the examiner is new to the job or is getting pushed by political factors. Still, he cautions against going over the examiner’s head to that person’s supervisor to resolve the issue.

“It always has to be in the spirit of cooperation,” he says. “That’s the challenge of the audit committee. You need to keep the dialogue in a neutral position. The real goal is to get to the right economic answer. How is this financially going to turn out?”

Keeping track of the annual external audit also is a key responsibility for the committee. The audit committee’s most important job is to hire a qualified external auditor who has lots of experience with banks or thrifts of a similar size and structure. The committee is also responsible for overseeing the audit process and resolving disagreements between the auditor and management, or with the regulators, Knibloe says.

Jim Milano serves on the audit committee for S&T Bancorp, a $4-billion asset holding company for S&T Bank in Indiana, Pennsylvania, which meets regularly with external auditors throughout the year. As the audit committee’s responsibilities have grown in recent years, including oversight of a new enterprise risk management program and compliance with new government regulations, it has more frequent and longer meetings, Milano says. The committee spends about two hours on a pre-audit committee meeting with external auditors four times per year. “The full agenda [for audit committee meetings] has necessitated more information communication outside that forum of the regular meeting,” Milano says. “We’re asking: What are you seeing in terms of best practices? What are the issues for banks of a similar size?”

Milano says the meetings provide an opportunity to go over the audit and how it will be handled, as well as how the bank is accounting for sensitive areas such as the loan loss allowance or troubled debt restructuring, where estimates come into play and GAAP guidance can be “murky.”

The S&T audit committee always sets aside time for an executive session with external auditors, to make sure any concerns are discussed confidentially with the audit committee.

The committee members also go into executive session with various department heads, such as the head of risk management, to ask questions such as: “Do you have the resources you need to do your job?”

Such frank, off-the-record discussions can provide the early warning system the bank needs to avoid bigger problems later, says LaDawn Yesho, the chief audit executive at S&T Bank, whose responsibilities include the internal audit function.

The Sarbanes-Oxley Act established that auditing firms must make “timely reports” to the audit committee detailing policies and procedures to be used in the audit and explaining any alternative accounting practices that will be used, as well as disclose any material written communication with management.

Some in the auditing world still don’t think enough high-quality communication is going on, however.

“In particular, what investors have found disquieting about the lessons learned in the financial crisis is that audit committees and boards may have lacked the information necessary to assess whether better financial reporting and disclosure would have been appropriate,” said James Doty, chairman of the Public Company Accounting Oversight Board, which regulates public accountants and sets auditing standards and procedures, in a statement in December of 2011. “It is not necessarily a question of access to information, or volume, but of relevance and quality.”

The proposal clarifies when and how public accountants should communicate with the audit committee. Doty says investors are increasingly looking to the audit committee as an important line of defense to protect shareholder interests.

Schwartz, the PBGH accountant who also serves on two bank boards and their audit committees, says there is cause for concern-and possibly action-when management seems to be fighting against the company’s internal controls or resists attempts to strengthen them.

“What you expect is for management to fully cooperate, to operate the systems of controls as intended, and to promptly and fully remediate when they find a problem,” he says. “Their job is to execute.”

Schwartz recommends setting the right “tone at the top,” which means people are looking to management, the board and the audit committee to both model and enforce ethical behavior and standards and to champion full compliance with laws and regulations. Any deviance from that, such as a member of management filing false expense reports or undermining controls, simply can’t be tolerated, he says.

That audit committee’s independence from management is clearly one of the key elements of a highly functioning audit committee.

Francine McKenna, a former accountant who now writes about accounting for Forbes.com, says the most sensitive and highly challenging issues the audit committee will ever deal with are reports of possible fraud by senior executives, whistleblower reports and evaluating the likelihood of management override of internal controls.

Also, it can be extremely difficult to detect management override of such controls. One way to do this is to ensure automatic and direct submissions of all financial or internal control complaints against senior management to the audit committee, she says.

Lehman Brothers, which in September 2008 filed for bankruptcy at the depths of the financial crisis, asked its external auditor, Ernst & Young, to help with a whistleblower investigation in May 2008.

One of the things that the whistleblower told the Ernst & Young auditors was that Lehman had moved $50 billion of inventory off its balance sheet at quarter end then returned these assets back to the balance sheet a week later through what is known as “Repo 105” transactions, according to the bankruptcy examiner’s report. The off-balance sheet transactions temporarily removed securities from the balance sheet, but weren’t disclosed in financial statements to shareholders, a fact that caused the bankruptcy examiner to conclude that Lehman officers had “breached their fiduciary duties to Lehman and its shareholders by causing the company to file deficient and materially misleading financial statements.”

Ernst & Young knew about the transactions but didn’t report them to the audit committee, according to the examiner’s report, even though the audit committee chairman had asked to be informed of all the whistleblower’s allegations.

Ernst & Young issued a statement in response to this story saying, in part: “We firmly believe that our work met all applicable professional standards, applying the rules that existed at the time. Lehman’s demise was caused by the global financial crisis that impacted the entire financial sector, not by accounting or financial reporting issues.”

In other circumstances, McKenna thinks it’s the audit committee’s fault when red flags go unheeded.

“Usually the auditors, they do a bang up job,” she says. “They are going to tell the audit committee every single thing. They usually have three balloon heads sitting there [on the audit committee] friendly with management saying we have to stifle this. They’re going to be more worried about how they’re going to play golf with [management] the next day.”

Schwartz says most audit committees are populated by directors who take the job seriously and are high level contributors who understand their responsibility to shareholders.

“We learn by others mistakes and by our own,” he says. “The situations that turn out the worst are the ones where the audit committee subordinates its judgment [to someone else].”

Still, the relationship with management also can get tense when times are tough.

“You see some [audit committees] where they want to place blame,” Knibloe says. “It creates a defensive environment. On the other hand, I’ve seen audit committees not get engaged to the extent they need to on issues. However, both parties, a high percentage of the time, really want to get to the right answer.”

Gordon Budke, audit committee chairman for Banner Corp., a publicly traded, $4.3-billion asset holding company for Banner Bank in Walla Walla, Washington, says Banner’s external auditing firm, Moss Adams, “has never hesitated to call me and say: ‘We have a difference of opinion with management.”‘

Fostering that constant communication with external auditors can do more than head off surprises and help the audit committee do its job. It can also save the bank money.

Budke asked Moss Adams to take a look at how the bank’s internal audit department could better coordinate and communicate to save external auditors money.

The external auditors came up with a list of items. For example, just submitting a Supplemental Executive Retirement Plan report in January instead of later could save the bank thousands of dollars.

“We didn’t even know they wanted it in January,” Budke says.

The bank ended up saving $50,000 in 2010 and $25,000 in 2011 in audit costs following the changes.

John Hancock, group leader for Moss Adams, says the audit committee is saving money and enhancing communication at the same time.

“Everybody knows we have a role to be open and fair and operate with no surprises,” he says. “I think there is nothing worse than to communicate with the audit committee something that management was unaware of. We will disagree on occasion. We talk about the issues. It’s not adversarial. It’s an open and honest discussion of what the issues are and how we view them.”

Sarbanes-Oxley requires all publicly traded companies to have audit committees made up exclusively of independent directors but many private banks do so as well. Sarbanes-Oxley also requires public companies to disclose whether they have a financial expert on the audit committee, an obvious incentive to get one. It describes a financial expert as someone who understands financial statements of a similar complexity to the bank in question as well as generally accepted accounting practices, or GAAP, because they served previously as an accountant, chief financial officer or chief administrative officer.

Financial experts on the audit committee have helped increase the level of understanding of complex accounting issues, and even private companies are adding them.

“We like to have some members [on the audit committee] with a financial background, ” says Otto, the OCC deputy comptroller. “In community banks, they’re not necessarily financial experts but we like to see that they have a financial background.”

For instance, even though it is not publicly traded, High Country Bank, a $181-million asset bank in the tiny Colorado town of Salida, which sits amid the Rocky Mountain range, has as an accountant-Rich Young-as its audit committee chairman.

It helps the external auditors to have someone with that kind of experience serving on the audit committee, says David Kast, partner at Stockman Kast Ryan + Co. in Colorado Springs, Colorado, which handles High Country’s audit.

Young began requiring Stockman Kast to copy him on all communications with the bank a few years ago after the audit committee was left out of the loop about a problem with its taxes. The accounting change ended up benefiting the bank, but the surprise was a motivator for Young to get more involved.

That may be overkill for some board members, who are supposed to be in a supervisory, rather than day-to-day, management role.

Debra Hopkins is a director and financial expert on the audit committee for Sycamore, Illinois-based National Bank & Trust, a $650-million asset bank. She doesn’t think board members should be monitoring emails.

She does agree with having financial experts on the bank’s audit committee as a way to head off problems in financial reporting and accounting. As the director of the CPA Review at Northern Illinois University, she says she understands where the greatest risk areas are in accounting and “when you have to recognize a loss.”

Staying independent, keeping a financial expert on the committee, balancing a relationship of constant communication between auditors, regulators and the internal auditors, are all best practices for the audit committee. When there is disagreement, getting to the right answer is the fundamental job of the audit committee.

As Hopkins says: “With the financial oversight of the bank, we want no surprises.”