Front-burner Issues for the Audit Committee

When it comes to serving as audit committee chairman at BankAnnapolis, Carter Heim finds himself spending twice as much time at board and staff meetings compared with 2005, a few years before the financial crisis. One reason: increasing demands by regulators. One recent task included reviewing management’s efforts to meet regulator scrutiny on how the $434 million Maryland bank calculates its allowance for loan and lease losses. Regulators wanted more of an emphasis on recent performance, meaning the audit committee had to review how the bank was constructing its algorithms to estimate potential losses, which in turn would determine how much capital it must set aside.

Overseeing this task was just one of many new things the bank’s audit committee has had to tackle during these tougher times for banks. “Because of the changing world and regulations, our policies and procedures are changing,” Heim says. “We are very cognizant we could miss something. Are we comprehensive enough and are we complete enough in what we are doing?”

Turning up the heat

Audit committees across the banking industry are asking the same questions. Once considered a rubber-stamp role at many financial institutions, today’s audit committees have exponentially more responsibilities and authority. With increasing independence from management, audit committees not only now just concern themselves with ensuring financial soundness through credit review, but also are an integral part of monitoring risk across the entire bank. While each bank differs, the expanded role of the audit committee can now include risk oversight of credit, information technology, and the bank’s overall reputation.

Committees also face seemingly constant changes in legislation, including the passage by Congress in May of the financial regulatory bill, viewed as the most wide-ranging reform since the Great Depression. The bill, expected to be signed into law by President Obama in July, would create broadly expanded government oversight of the banking system and financial markets. The legislation would create a “financial stability oversight council,” which would include the heads of the Treasury and Federal Reserve, the comptroller of the currency, and the director of the new consumer financial protection bureau. It would regulate derivatives trading at large financial institutions.

“Audit committees everywhere are facing the same issues,” says Leon Holschbach, president and chief executive officer of Midland States Bank, a $1.7 billion institution in Effingham, Illinois. “The audit committee’s role is expanding dramatically. Part of that expanded role is to make sure the whole board gets the elevated risk management business that we’re all in.”

Keeping up with the changing landscape is a challenge. “It is not easy for the audit committee to feel comfortable with enterprise risk management and how to deal with it,” says John White, chief executive officer and principal of ICS Compliance, a New York-based consulting firm. “You have to understand how it is integrated into the business plan.”

For publicly held bank holding companies, audit committees have a taller task thanks in part to a new ruling issued by the Securities and Exchange Commission. As of Feb. 28, public companies must disclose information about the board’s oversight in risk when the compensation policy is likely to have a “material adverse effect” on the business. They also must disclose the background and qualifications of director nominees and the board leadership structure. “A lot of banks are assigning this to the audit committee,” says Frederick Lipman, a partner at law firm Blank Rome LLP in Philadelphia. “The role of the audit committee is morphing” into a function that handles enterprise risk analysis, he explains.

In fact, 31% of audit committee members say enterprise risk management is their biggest fear, according to a 2010 survey conducted by Bank Director and Grant Thornton LLP. Risk has become such an issue that 35% of banks have created a risk committee separate from the audit committee, according to the survey. And 65% of all respondents have created a chief risk officer position, up from 40% three years ago.

“Audit committees are taking more of an enterprise risk management perspective to understand and manage risk,” says David Burns, northeast region financial institutions industry practice leader at Grant Thornton. “They need to understand the risk appetite of the organization.”

Fueling the fire

To be sure, the financial crisis and economic recession have been the drivers in a changing landscape for the audit committee. “The audit committee today has to be thinking about how the economic slowdown and the market conditions are going to impact management and management’s direction,” Burns says.

Blame much of the trouble on underwater commercial and real estate loans. “The decline in real estate valuations is causing a lot of the problems, and therefore gets the attention of audit committees,” says Lipman, who also serves as president of the Association of Audit Committee Members.

On the other side of the fence, regulators are keeping audit committee members on their toes, increasing pressure on banks. The Federal Deposit and Insurance Corp. cited 104 enforcement matters in March, up from 67 in February-and exceeding the total for 2009, according to ICS Compliance. The actions in April included 43 cease-and-desist consent orders, 22 civil money penalties, 20 removal and prohibition orders, and eight prompt corrective actions.

Meanwhile, banks keep failing. Through April 30, 64 banks had failed, according to the FDIC. That’s up from 29 for the same period in 2009.

“The vast majority of these banks had imbalanced risk and it wasn’t identified and quantified,” says Jay Brew, chair of the audit committee of $465 million Embassy Bank for the Lehigh Valley, Bethlehem, Pennsylvania. “You had regulatory failure, but you can’t blame it on the regulators. You also had a failure of the board to be able to recognize what that was.”

In other words, banks can’t wait for regulators to police them. Brew points to the failed Georgian Bank, which opened its doors in 2001 and had grown to $2.2 billion in assets by 2009. The bank received a CAMELS 1 rating for asset quality from 2004 to 2007, the highest standard for a regulatory rating that considers capital, assets, management, earnings, liquidity, and sensitivity (to systemic risk). This was despite acquisition, development, and construction loans averaging about 50% of its portfolio during the period. The bank was shut down by the FDIC Sept. 25, 2009.

“What it says to me as chair of the audit committee is ‘We have a responsibility,’” says Brew, who is also chief bank strategist at m.rae resources, a consulting firm in Allentown, Pennsylvania. “We cannot be dependent on the regulators. The regulators failed to alert this bank as they were taking risks. We as directors have to be more involved in terms of really being able to look at the overall risk of the institutions and be able to recognize that.”

John Hurlock, a director in Sheshunoff Consulting + Solution’s enterprise risk consulting services in Austin, Texas, likens relying on regulators to a driver in a new car, traveling within the speed limit on a highway. A police car appears in the rearview mirror, lights flashing. The driver, concerned, pays too much attention to the mirror, missing the danger of a car wreck in front of him. “You fail to see the accident,” he says. “You are so focused on the regulators that you are not seeing the pending issue you should be focusing on.”

There’s plenty of work down the road for Robert Schultz, chairman of the audit committee at Holschbach’s Midland States Bank, where credit risk, interest rate risk, and IT risk top the pile of his concerns. “Those are three things that could impact this bank quickly,” he says.

Schultz also serves on the loan committee, giving him comfort that he has a handle on credit risk. Midland uses an outside firm to help gauge interest rate risk. It also relies on outside support to help manage IT risk, in addition to hiring staff to deal with the security of its network. “There isn’t anything out of bounds that has to do with risk management and risk mitigation in our company for the audit committee,” Schultz adds. “What the audit committee did two years ago is about 20% of what we do today.”

Credit issues: a slow burn

Of course, today, audit committees are much more involved in discussions with management over credit quality. At BankAnnapolis, Heim and the audit committee have overseen management’s efforts to meet regulators’ demands. Over time, the bank has adjusted algorithms that estimate its allowance for loan losses. While it reserved 0.93% of loans at the end of 2007, according to the FDIC, it steadily added to its reserves as the economy worsened. At the end of 2009, the bank had 2.81% reserved. But regulators have wanted more emphasis on recent performance in the algorithm used to calculate reserves needed. Heim says that the calculations used are a moving target: Regulators could request the period used to calculate reserves be lengthened as the economy improves in order to end up with a more conservative algorithm.

Meanwhile, loan review has been increased. Instead of reviewing a sample of loans from the portfolio once a year, now all loans are being reviewed as often as every six months. “We have dramatically shortened the internal look at the credits,” Heim says. “Management is reporting to us and we are discussing what we are doing.”

Add measuring liquidity to the list. Banks are recognizing the need to stress-test their cash holdings-just how liquid are they in the event of a credit crunch? That means another job for the audit committee, says Grovetta Gardineer, managing director for corporate and internal activities at the Office of Thrift Supervision. “The audit committee needs to make sure that new policies and procedures are being implemented and any new guidance that is coming from regulators is being adhered to,” Gardineer says.

Communications and resources

If audit committees are doing their job, it also means internal audit will be busier. Committees should be asking questions that cover the whole risk pie, including information technology, operational risk, loan review, and compliance, says Ken Glascock, senior vice president of internal audit at United Western Bank, a $2.6 billion institution in Denver. That translates to more reporting and more flexibility to update risk assessments and more discussion of risk outside of formal meetings.

“The audit committee is asking for more contact,” Glascock says. “There is more questioning of internal audit. Chairs are interested to know if there are any impediments to doing our job.”

Audit committees also should now have direct oversight of the chief audit executive, Glascock adds. The committee should have a close working relationship with the executive, with frequent formal and informal communication via telephone, e-mail, and in person. “Ensure the audit function has the stature in the organization, and the support of the board and the audit committee,” Glascock says. It must have “the resources to provide the independent and objective assurance that the board and audit committee need and want. Part of that entails the audit committee really owning the internal audit-its oversight, its budget, evaluation, communication-and not letting the process be too cozy with management.”

External audit should also be a resource for audit committees. With all the bank failures, external audit probably failed to bring up enough of the red flags, says Brew of m.rae resources. “They may not view it as their job,” Brew says. “But that sits there and puts that much more of a burden on the audit committee as well as the board overall.”

The pace of change

Audit committees of fast-growing banks face additional tasks. When Holschbach came to Midland States as president and chief executive officer in 2007, the bank had $380 million in assets. Last year, it took over Strategic Capital Bank, a Champaign, Illinois, institution that was placed into receivership by the FDIC, doubling its size to $1.1 billion. With current assets approaching $2 billion, it plans to go public down the road.

Schultz says his committee needs to keep up with the pace of change. For one, crossing the $1 billion threshold threw Midland States into a new level of accounting, testing, and auditing procedures. That includes the audit committee working with the corporate risk officer and chief financial officer to make sure it is meeting requirements under FDICIA (FDIC Insurance Act).

The aim to go public brings up issues of qualifications for the audit committee. For Schultz, the public offering will mean looking for his replacement. Though Schultz has a finance background, he is not a certified public accountant and has not worked as an audit committee chairman with a public company. “Our audit committee is as much about building ourselves to where we know this bank is going as it is about where we are today.”

All of the new demands on audit committees means standards have risen. They must understand risk management practices, along with a wide range of issues including corporate governance, financial controls, and human resources. Committee members “need to understand the industry and the relationship between deposits and loans and all the aspects of banking such as off-balance-sheet transactions,” says White of ICS Compliance.

“Audit committees are looking at themselves and asking, ‘Do we really have the right skill sets to deal with the risks and complexity of the banks we are asked to look after?’” says Tony Anzevino, partner-in-charge of KPMG LLP’s banking and finance practice.

In that vein, audit committees must also be pressing to educate themselves on emerging issues and getting new members up to speed, experts note. Webinars, conferences, articles, and meetings can all serve to educate committee members on the issues. At BankAnnapolis, the chief financial officer briefs members on new legislation and regulations, Heim says. Internal auditors also give them information on what is new and changing.

Despite the expanding role, those banks with solid audit committees will be more competitive and will strengthen a besieged industry. “A good audit committee adds tremendous value to the organization,” Anzevino says. “All of that is positive for the banking industry as a whole. This is all going in the right direction.”