The Post-Pandemic Priorities for Audit and Risk Committees

Even as the Covid-19 pandemic continues to reshape the banking and financial services industries, forward-looking organizations are focusing on how they can adapt to a post-pandemic world. With many business processes and controls forever changed, boards of directors — including their audit and risk committees — acknowledge that their views on fundamental risk issues must change as well.

New Workplaces, New Risks
One of the pandemic’s most disruptive effects was the upheaval of the centralized workforce. For decades, employees gathered together in a central location to work. Businesses took great pride in these workplaces, even putting their names atop the buildings in which they were located.

However, the pandemic shattered that model — possibly permanently — along with the concept of regular office hours and the expectations that personal devices should not be used for company business. During the pandemic, employees worked from their kitchens and dining rooms, improvising as they adapted to new ways of operating that would have been impossible 20 years ago. Beyond the obvious physical, security and technical risks associated with this dispersal, board members should understand some of the less visible risks.

For example, corporate culture often is shaped from the ground up through casual workplace interactions, which can be lacking in a remote work arrangement. Similarly, if people cannot gather together physically to brainstorm ideas, innovation and creativity can suffer. Many executives also lament their inability to read body language, tone of voice and other nuances in employees’ behavior to spot potential problems.

These types of risks are inherently difficult to quantify. Nevertheless, risk committees should be aware of them and ascertain whether management is addressing them.

Of even more pressing concern, however, are the effects that a decentralized workforce has on a bank’s business processes and control environment. While the immediate responsibility for overseeing management’s response to these risks might be assigned to the audit and risk committees, ultimately all board members have oversight responsibility and should make a committed effort to understand these risks.

Audit and risk committee priorities
Previously, when audit committees addressed risks associated with business processes and controls, they had the advantage of operating in something like a laboratory. The bank controlled most of the variables such as access controls, approvals and validations. In the post-pandemic world, however, risk monitoring and mitigation efforts must address new variables outside the bank’s control.

One specific audit committee priority is the need to evaluate how a dispersed workforce affects the control environment. Controlling access to systems is an area of major risk; remote reconciliations, remote approvals and digital signatures also are important concerns.

While a virtual private network generally would be the preferred method of providing remote employee access, that capability often was unavailable during the pandemic. Other options became necessary. In addition, many controls had to be redesigned quickly, with little time for testing the adequacy of their design or the effectiveness of the implementation.

Now is the time for many audit committees to take a step back and look holistically at their banks’ control environments. In addition to system access, this overview should include controls governing the retention of sensitive data, timely execution of controls, coordination to resolve deficiencies and validation of secondary reviews.

In assessing such controls, committee members might be constrained by their limited understanding of the technology. Given the novel nature of today’s situation, audit committees should consider getting qualified technical assistance, independent of management, to evaluate the steps taken to accommodate the new work environment.

Strategic issues and board concerns
Both the risk committee and the full board should consider broader questions as well. At a strategic level, boards should explore whether management’s response to the pandemic is sustainable. In other words, should the new practices the bank established — including remote work arrangements — become permanent?

Bank management teams have issued many press releases recounting how successfully they responded to the crisis. As banks move into the post-pandemic world, board members should review these responses and ask whether the new practices will allow for growth and innovation so that their banks can thrive in the future while still maintaining a well-controlled work environment.

As they revisit documented policies, controls and procedures — and remeasure the associated risks — boards and management teams ultimately must decide whether the new control environment is consistent with the strategy of the bank and capable of sustaining its desired organizational culture.

An Audit Expert Explains What’s Changed

An audit committee seat can be one of the biggest challenges — and one of the greatest responsibilities — for a bank director, even without a global pandemic and economic recession. The audit committee sets the tone at the top for the bank. How does its role change in a pandemic? It’s an increasingly important responsibility, says Jon Tomberlin, managing partner in Dixon Hughes Goodman LLP’s financial services practice, participating in a panel discussion focusing on audit matters at Bank Director’s BankBEYOND 2020 experience. “There’s a lot of risk and difficulty in being on the audit committee,” he says. “They are one of the most important elements of the bank.”

The audit committee creates and maintains conditions and expectations that support the integrity of the bank’s financial controls — an environment that may have altered or become strained under the pandemic’s forceful impact or the severe economic fallout. Tomberlin says he sees many roles for the audit committee in this turbulent environment, overseeing and challenging the appropriateness of internal controls and management’s risk assessment. Joining Tomberlin in this conversation with Bank Director’s Editor-At-Large Jack Milligan were Michael Ososki, a partner at BKD LLP, and Mandi Simpson, a partner at Crowe LLP.

The Board’s Role in the Transition to CECL

This summer, the Financial Accounting Standards Board (FASB) completed its project on credit losses with the issuance of a new standard that brings one of the most significant changes to financial reporting that financial institutions have seen in decades: The incurred loss model for estimating credit losses will be replaced with a new model, the current expected credit loss (CECL) model. In many cases, the new credit loss calculations are expected to result in an increase in the allowance, and, thus, might have a significant impact on capital requirements. Banks will need sufficient time to prepare and adjust capital planning and capital management strategies.

Banks are educating themselves on the changes, and boards of directors should be aware of the challenges faced by the banks they oversee.

As with any major initiative, a successful transition to the new standard will require the active involvement of the audit committee, the board of directors, and senior management. Given the audit committee’s responsibility for overseeing financial reporting, it has a critical role to play in overseeing implementation.

Recently, speakers from the Securities and Exchange Commission’s (SEC’s) Office of the Chief Accountant have emphasized the role that audit committees should have in implementing new significant accounting standards. In his speeches at Baruch College and the AICPA Bank Conference, Wes Bricker, interim chief accountant, addressed CECL implementation. Likewise, the federal financial institution regulatory agencies have addressed the role of the board in implementing the new credit loss standard. The agencies issued a joint statement on June 17, and in March the Federal Reserve System (Fed) released an article, “New Rules on Accounting for Credit Losses Coming Soon.” The speeches, joint statement, and article highlight tasks that boards of directors and audit committees may consider during transition, including:

  • Evaluate management’s implementation plan, including the qualified resources allocated for execution.
  • Monitor the progress of the implementation plan, including any concerns raised by the auditors or management that might affect future financial reporting.
  • Understand the changes to the accounting policies that are required for implementation.
  • Understand management’s transition to any new information systems, modeling methodologies, or processes that might be necessary to capture the data to implement the standard.
  • Oversee any changes to internal control over financial reporting in transitioning to the new standard.
  • Review impact assessments of the new standards, including impact on financial statements; key performance metrics, including credit loss ratios, that might be disclosed to investors outside the financial statements; regulatory capital; and other aspects of the organization such as compensation arrangements and tax-planning strategies.
  • Understand management’s plan to communicate the impact of the new standard on key stakeholders, including the new disclosures required by the standards and disclosures made leading up to the adoption date. Those who file with the SEC will need to disclose information about standards effective in future periods, including the expected impact when adopted.

In evaluating management’s implementation plan, it is important to develop an understanding of management’s timeline for implementing the new standards and to be aware of the effective date. Recognizing that the definition of a public business entity (PBE) under FASB includes many financial service entities, the FASB split the definition to provide additional time for PBEs that are not SEC filers.

  • For PBEs that are SEC filers, the standard is effective in fiscal years beginning after Dec. 15, 2019, and interim periods in those fiscal years. For calendar year-end SEC filers, it first applies to the March 31, 2020, interim financial statements.
  • For PBEs that are not SEC filers, the standard is effective in fiscal years beginning after Dec. 15, 2020.
  • For all other entities, the effective date includes fiscal years beginning after Dec. 15, 2020, and interim periods in fiscal years beginning after Dec. 15, 2021.
  • Early adoption is permitted for all entities in fiscal years beginning after Dec. 15, 2018, and interim periods in those fiscal years. That means any calendar year-end entity may adopt as early as the March 31, 2019, interim financial statements.

While those dates might seem somewhat distant, there really is no time to lose in preparing for the transition.

How Technology Could Improve a Bank’s Audit

“It’s never simply the hammer that creates a finely crafted home. The result of the work hinges on the skills and experience of the carpenter who wields the tool.

So, too, it’s not so much the powerful cognitive intelligence software, the data and analytics tools, and the data visualization techniques that are beginning to open up opportunities for audit quality and insight enhancements from a financial statement audit. The skills and experiences of the auditors and their firms that implement these technological advancements will make the difference in the months and years ahead.”

When we think of the latest in technological innovations, we inevitably focus on the tools and techniques that benefit consumers. And, while that thinking is understandable, it would be a mistake to believe there are fewer technological advancement opportunities available for banks and other businesses. The litany of technological improvements includes major commercial advances in the quality of databases, analytical capabilities and artificial intelligence.

In our world, one of the most compelling possibilities is the use of cognitive technology in the audit of financial statements. Cognitive technology enables greater collaboration between humans and information systems by providing the ability to learn over time and through repetition, to communicate in natural language and analyze massive amounts of data to deliver insights more quickly. Think of the improvements possible in the quality of audits when machine learning can be applied to deliver more actionable insights to guide and focus an auditor’s work or provide feedback on our perceptions of risks to an audit committee and management team at a bank.

While still in their infancy, there is vast potential in developing cognitive intelligence capabilities, especially given the exponential increase in the volume and variety of structured and unstructured data—this is particularly welcome given the ever increasing expectations on auditors, audit committees and management teams.

A prime example of an audit-based application of cognitive technology is the ability to test a bank’s grading or rating control over its loan portfolio. KPMG has developed a bold use case and is building a prototype that will machine “read” a bank’s credit loan files and provide a reasoned judgment on our view of the appropriate loan grade. The KPMG loan grade is compared to the bank grade, with our auditors focused on evaluating the loans with the greatest probability of a difference between the KPMG and bank loan grades.

While still in the development stage, we are encouraged by how cognitive intelligence could be applied to help us improve the quality of our bank audits. Currently, auditors carefully select a sample of loans to test from a bank’s loan portfolio. The sample is selected to provide both coverage of the loan types and grades, as well as where the auditor believes there is the greatest chance of loans being graded incorrectly. Aside from only reviewing a sample of the overall portfolio, today’s audit process is intensely manual. With the prototype being developed, the auditor would be able to select all the loans in a particular portfolio (say, oil and gas) or eventually the complete population of graded loans. The potential benefits to audit quality are very exciting—there is a distinct possibility that every loan in a bank’s portfolio could be reviewed and graded, while bringing outliers to an auditor’s attention. The bulk of the audit effort would then be focused on evaluating these potential outliers.

Further, using the combination of cognitive technologies, data visualization, predictive analytics, and overall digital automation would permit a much more granular evaluation of a bank’s enormous pool of internal and external information. Consider the potential insights that could be extracted when these powerful tools are linked to sources of market indicators. Looking into the future, the possibility exists for building a loan-grading tool to focus on grading commercial mortgage real estate loans tied to a market index of credit-quality values on commercial mortgage bonds, for example.

A tool that reviews changes in the market index against changes in a bank’s portfolio of commercial mortgage real estate loans could both improve audit quality and provide valuable insights into whether the two are consistent. If they are not consistent, those working with this technology, who are freed up from the manual duties, could spend valuable time determining whether or not there is any valid explanation for the inconsistency, better assess the remaining audit risk, and pass along the findings to a bank’s management and audit committee.

And, since such a tool would not be used in a vacuum, each bank’s results and weighted average loan grade could be compared across our portfolio of clients or a select segment of similarly sized institutions.

Even though cognitive intelligence is a powerful tool, it is important to remember that it is just a tool. The real value in cognitive and artificial intelligence is in its ability to allow human beings—in this case bank auditors—the time to think about, and respond to, the results of the testing, then work with audit committees to develop innovative solutions to real-world challenges confronting the industry.

Top Trends Impacting Audit Committees in 2016

If you’re serving on an audit committee, congratulations. That may be the toughest and most time-consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.

As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.

Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,” she says. “There’s not a box to check to make sure your bank will survive.”

Audit committees will begin asking questions about the implementation of the Financial Accounting Standards Board’s (FASB’s) new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,” says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,” Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.

Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,” she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.

Cyber risk is a huge concern. Bank boards are worried about cyber security, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially for smaller banks. About 28 percent of bank audit committees handle cyber risk in the audit committee, with smaller banks more likely to handle this in audit than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to get prepared for the almost inevitable data breach, Larson says. Just like a natural disaster, data breaches aren’t necessarily preventable, but you can prepare with a good disaster plan.

Three Critical Challenges for Bank Audit Committees

As the effects of the banking crisis continue to recede, regulatory agencies have shifted their focus. As asset quality concerns gradually diminish, regulators are scrutinizing corporate governance and risk management issues more closely.

In this environment, audit committees are being challenged to meet a higher standard regarding their understanding of their organization’s risk profile and often must adapt their approach to reflect changing business priorities. Three areas of concern merit special attention as they present audit committees with significant challenges.

Challenge 1: Cybersecurity Risk
Cybersecurity is a paramount issue in financial institutions today, ranking as the number one concern of bank executives and board members in the annual Bank Director Risk Practices Survey for two years running. In the 2016 survey, 77 percent of the respondents said cybersecurity was their top concern, and more than half said preparing for cyber attacks is one of their biggest risk management challenges.

Those numbers are not surprising because banks are a natural target for hackers. But the challenge of managing cybersecurity risk is complicated by banks’ natural reluctance to publicize breaches due to their legitimate fear of alerting other hackers to their vulnerabilities. Unfortunately, this justifiable secrecy makes it more difficult for other banks to learn from their peers’ experiences and hinders banks’ ability to recognize comparable weaknesses in their own systems and third-party relationships.

Another complicating factor is the makeup of the audit committee itself. Committee members very rarely have professional IT backgrounds, so they must rely on qualified third parties to provide insights into risks and mitigation strategies.

Recent regulatory guidance can help overcome this challenge to some extent. Audit committee members should be thoroughly familiar with the Federal Financial Institutions Examination Council’s two-part Cybersecurity Assessment Tool, which was issued in 2015 to help institutions identify their risk exposure and determine if their risk management programs are appropriately aligned. The audit committee should make sure management completes this assessment and integrates its principles into the overall risk management effort.

In addition, the Office of the Comptroller of the Currency (OCC) regularly issues joint statements with other bank regulatory bodies on specific cybersecurity concerns such as new malware developments, extortion attempts, and other current trends. Committee members should stay abreast of the most recent OCC statements on the agency’s website and confirm that management is following the specific preventive steps listed in those statements.

Challenge 2: Reallocating Audit Resources
In the current industry environment of shrinking margins and growing cost pressures, audit committees often must address increasing regulatory compliance demands and growing cybersecurity risk while struggling with resource constraints. Fortunately, there often are unrecognized opportunities to control risk management costs by reallocating resources to reflect changing business models.

For example, as customer habits and access methods change, some financial institutions are reassessing whether it is cost-effective to continue applying the same level of risk mitigation activity at the branch level. Steps such as lengthening the intervals between traditional branch audits and reassigning certain risk control responsibilities to operational managers make it possible to reallocate some internal audit resources to new, more pressing areas of risk. Audit committee members should be alert to such opportunities to reassess and fine-tune the audit approach to reflect today’s business reality.

Challenge 3: Adapting to New Strategies
Shrinking margins also are leading banks to look for opportunities to diversify their revenue strategies. But every new revenue stream requires new operational and support functions and opens up new categories of risk that must be assessed, controlled, and managed. One of the important responsibilities of the audit committee is to actively assess how a new business line will affect the institution’s risk parameters and to determine how those parameters can be addressed effectively and efficiently.

New revenue streams and changing business strategies are nothing new, of course. Historically, bank directors always have been challenged to adapt to shifts in economic and business priorities. In today’s environment, however, with greater regulatory emphasis on the management of risk, the challenges to audit committees are intensified. An effective response to these challenges can have a direct, significant and positive effect on an institution’s long-term success.

FASB’s New Standards for Financial Instruments: What Banks Need to Know

At 232 pages, Accounting Standards Update (ASU) No. 2016-01, issued in January of 2016, might be intimidating, but we will boil down the essentials you need to know as a bank accountant, chief financial officer, or member of an audit committee. In 2010, the Financial Accounting Standards Board (FASB) issued a massive proposal with many significant changes including marking the majority of a bank’s balance sheet (securities, loans and deposits) to fair value. The FASB has come a long way since then and completes part one of its financial instruments project with the issuance of this standard. When boiled down, the standard contains eight or nine significant changes of interest to banks. Not every bank will be affected by all of the changes, and whether you view these changes as positive or negative depends upon whether you are a preparer or user.

Two of the changes—both of which the banking industry views as favorable—may be adopted early for financial statements not yet issued:

  • Liabilities using the fair value option: Under current generally accepted accounting principles (GAAP), the change in fair value resulting from instrument-specific credit risk is presented in earnings, which has an interesting result. As a bank’s own creditworthiness declines, income is recorded because the value of the liability, usually the bank’s debt, declines. Many found that to be an odd outcome—and the FASB agreed. This ASU corrects that, and those changes now will be recorded in other comprehensive income (OCI) instead of earnings, consistent with regulatory capital treatment.
  • Disclosures of fair value of financial instruments: In an effort to provide relief, the FASB is dropping this requirement, which was born in Financial Accounting Standards (FAS) No. 107, for non-public business entities (non-PBEs). Beware, though: The definition of PBE is very broad and extends far beyond those who file with the SEC. Many banks have been surprised to learn they are considered to be PBEs.

The most significant change is that PBEs will have to calculate fair values using the exit price notion, obtaining a fair value using what a market participant would use. This is a big deal because under current GAAP, there is a provision that permits banks to calculate these fair values using a discounted cash flow approach known as entrance pricing. For example, the fair value of loans commonly is computed by discounting the cash flows using the current rates at which similar loans would be made to borrowers with mirroring credit ratings and remaining maturities. Requiring exit pricing could prove challenging, particularly for loans. A small but positive change for PBEs is the elimination of the requirement to disclose the methods and significant assumptions used.

The next big area of change is for equity investments, with general exceptions for those using the equity method or those that are consolidated. The unpopular change for banks is that, going forward, changes in fair value will run through earnings. Under current GAAP, equity investments can be classified as available for sale (AFS) with fair value changes running through OCI, or trading with fair value changes running through earnings. This change eliminates the AFS option.

There is good news, however, for equity investments without readily determinable fair values. Banks will have the option to measure these at cost minus impairment, if any, plus or minus changes resulting from qualifying observable price changes. This means investments can be written up with proper observable transactions. The FASB also simplified the impairment assessment by using a qualitative assessment.

Two more changes:

  • Deferred tax assets (DTAs) on AFS securities: Currently there is diversity in practice on evaluating such DTAs separately (given management has control because the securities can be sold) or in combination with other DTAs. The FASB chose the latter.
  • Measurement category: Financial assets and liabilities must be presented by measurement category (such as fair value or amortized cost) and form of financial asset (securities, loans or receivables) on the balance sheet or in the footnotes.

When Is This Effective?

For PBEs, the changes take effect for fiscal years beginning after Dec. 15, 2017, including interim periods within (which means first quarter of 2018 for calendar year-end reporting companies).

For non-PBEs, the changes take effect for fiscal years beginning after Dec. 15, 2018, and interim periods beginning after Dec. 15, 2019 (which means Dec. 31, 2019, for calendar year-ends).

The FASB plans to issue part two of its financial instruments project, a final standard on credit losses, in the first part of 2016 and part three, a proposal on hedging, in the second quarter of 2016.

The Audit Committee: Help Them Help You

An effective audit committee is a critical component of a financial institution’s corporate governance, but such a committee is not the result of an accident. It is formed through a deliberate process that includes appointing qualified individuals, providing adequate resources and offering other appropriate support.

The Right People
Every effective team begins with an effective leader to serve as chairperson. To fill that role for the audit committee, the board must select an independent director who, at a minimum, possesses an understanding of U.S. generally accepted accounting principles and the importance of internal controls. The audit chairperson should have a sense of the pressure points where the institution might be particularly vulnerable to fraud. Often, board members are business owners, managers in other organizations, or educators and will need help to acquire the requisite skill sets to lead or participate on the audit committee.

The Right Resources
With accounting standards, regulatory compliance requirements and risk factors continuing to change at a rapid pace, boards need to commit time and money to keep the chairperson and the audit committee up to speed. New accounting rules revisit some long-standing techniques in order to establish a more transparent level of reporting. Also, the introduction of the Consumer Financial Protection Bureau (CFPB) added complexity to regulatory compliance, and a bank that runs afoul of the new rules could suffer substantial harm to its reputation. In addition, technology and customer demands for access to services through nontraditional channels add risks never contemplated 10 years ago.

To help the audit committee stay current, the board should provide it access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring the activities at other banks. Their publicized experiences (for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular attention from the audit committee. Audit committee members must be intimately familiar not just with their own bank—but also with the banking industry as a whole.

The Right Support
Although it is management’s responsibility to establish processes and controls to manage risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored. The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility.

As with the audit committee, the success of internal audit hinges on the training and experience of the team members and on the provision of necessary resources. The importance of these elements increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required of publicly traded companies, because management must attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.

Bear in mind that a bank’s growth often is not mirrored in changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles will be prolonged if internal audit has insufficient personnel. When the board looks strategically at the organization, it must align the expansion of the business with the risk mitigation process—including internal audit resources. Even the most capable audit committee will prove ineffective without a well-armed internal audit team.

The board also should recognize that its attitude and that of management toward internal audit frequently contribute to internal audit’s success (or lack thereof). Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk. If management is dismissive of findings, and the audit committee or board is uninterested in follow-up, the value of the internal audit role will erode quickly.

The Right Approach
Board members are elected to oversee the activities of their bank, and the audit committee is an integral part of that oversight. It is in the board’s—and the bank’s—best interest to provide both the audit committee and internal audit with the training and resources necessary to execute their responsibilities.

Rules of Engagement: Dealing With External Auditors

Banks’ financial statements tell their performance story to the outside world. Because the banks’ independent external auditor’s reports provide assurance about the quality of the information in the financial statements, the audit committee’s relationship with the bank’s external, independent auditor is very important. The auditor/audit committee relationship is key to the committee’s ability to monitor financial reporting risk, to oversee management of regulatory compliance risk, and to perform the committee’s other oversight and monitoring functions. Your audit committee’s management of this relationship is critical to the discharge of your obligations under most committee charters.

Because the external auditor’s product is assurance, the auditor will measure the efficacy and operation of the bank’s systems of control to determine where the auditor believes the financial reporting risks (errors or fraud) are greatest. The auditor will test the bank’s control systems to determine the extent to which the auditor can rely upon them to produce reliable financial statements and required related financial information. The auditor’s judgments about the auditor’s risk (for example, failing to find misstatements that exist, or determining there is a misstatement when there is not) help determine the nature and extent of the audit procedures. For that reason, questions between auditor and audit committee shape the audit scope and the nature and extent of the procedures the auditor performs.

There are two key aspects of the information exchange process between auditor and audit committee: required communications and auditor/audit committee meetings.

Required auditor communications are determined under the American Institute of Certified Public Accountants (AICPA) “Codification of Statements on Auditing Standards.” AICPA AU-C-260 “Communications with Those Charged with Governance” (previously AICPA SAS 61 and SAS 114) deals with required communications from the external auditor. Additional authority for publicly traded banks is found in the Securities and Exchange Act of 1934, Section 10(A) and Public Company Accounting Oversight Board (PCAOB) Auditing Standard 16. Communications regarding significant deficiencies and material weaknesses in controls identified in the audit are covered under AICPA AU-C-265 and PCAOB AS5 (previously AICPA SAS 115).

PCAOB AS16, governing public issuers of securities (including publicly traded banks) requires certain matters to be communicated in writing by the auditor. In the planning stage, they include the following:

  • Written engagement letter defining the scope and terms of the engagement
  • That the auditor has discussed with the audit committee any matters known to the committee and relevant to the audit, including possible violations of law or regulation
  • An overview of the overall audit strategy, including the timing of the audit
  • Significant risks identified during the auditor’s risk assessment procedures

After most audit procedures have been performed, and generally communicated concurrent with the issuance of the auditor’s report, the external auditor’s communication should include the following:

  • Changes in critical and significant accounting policies and the adequacy of, application of, and disclosures regarding accounting policy changes
  • Critical accounting estimates (e.g. for a bank, the allowance for loan and lease losses or ALLL)
  • Significant unusual transactions
  • Difficult or contentious matters for which the auditor consulted outside the engagement team and that the auditor reasonably determined are relevant to the audit committee’s oversight of the financial reporting process
  • When the auditor is aware that management consulted with other accountants about significant auditing or accounting matters and the auditor has identified a concern regarding such matters
  • A schedule of current year uncorrected, immaterial misstatements and corrected errors that were brought to management’s attention by the auditor

On this last point, the auditor is not a component of the bank’s system of controls. Errors caught and corrected within the bank’s system of control are indicative of a control system that is working; auditor-found errors are indicative of a control system that may have weaknesses.

Apart from the required written communications, scheduled but less formal discussions at audit committee meetings, between auditor and audit committee, can be very productive financial reporting risk management tools.

I serve as chairman of an audit committee for a bank, and when our audit committee meets with our external auditors, the committee is free to ask whatever they wish. Some members prepare questions in advance; others will wait until the required communications have been made to form their questions. Management is excluded from the question-and-answer session with the external auditor. Questions generally take a skeptical but respectful tone, and frequently include the following:

  • Did anything found during your work surprise you?
  • Did anything found during your work surprise management?
  • Were there any times during the audit when you believed management was not fully prepared or forthcoming in responding to requests?
  • Were there any other difficulties encountered during the audit?
  • Are there tools the bank’s management team is using (as to operations and financial reporting) that are obsolete or inefficient given your observations at banks of similar size and complexity?
  • What regulatory matters are you seeing that are receiving more or less scrutiny than in the past?
  • What are the emerging accounting topics that could have future impact on the bank’s financial reporting?
  • Do you believe the accounting and financial reporting functions in the bank have adequate resources? If not, are there suggestions the auditor could make?
  • Were you able to rely in any way on the work performed by internal auditors?
  • Were there any repeat matters of concern or concerns from prior audits that were unresolved?
  • What is the required partner rotation to maintain auditor independence and what is the plan and time frame for the next rotation?
  • What unplanned audit procedure did you perform to surprise management and what was the outcome of the procedure?

While not meant to be all inclusive, the questions listed above help provide the basis for a frank and useful discussion with the bank’s external auditors. By always taking your bank’s and management’s unique characteristics and attributes into account, you can develop your own questions to help the audit committee and the auditors discharge their financial reporting risk management functions.

Scandals and Internal Audit: Where Banks Can Do Better

Many well-known banks are paying billions of dollars to settle allegations of a wide range of wrongdoing. Directors at all financial institutions would be wise to ask how these things could happen without internal controls preventing or timely detecting them. Is there a systemic weakness in internal controls that could also affect your institution? Studying The Institute of Internal Auditors’ (IIA) last Global Audit Survey in light of recent events suggests there is such a weakness and that it impairs 62 percent of the internal audit functions in the financial services industry.

Widespread noncompliance
So what’s the issue? Essentially, an alarmingly high proportion of internal audit functions are failing to comply with the “International Standards for the Professional Practice of Internal Auditing,” which set out basic requirements that the IIA considers essential for an internal audit function. The IIA mandates that members comply fully with its Standards. Failure to do so is a violation of the IIA’s Rule of Conduct 4.2.

This is not just a paperwork issue: it is substantive and affects the quality and reliability of internal audits. According to the IIA’s Global Internal Audit Survey, last conducted in 2010, only 38 percent of finance industry chief audit executives self-reported that their internal audit function complied fully with the IIA’s quality assurance standard, AS 1300: Quality Assurance and Improvement Program. Self-reported compliance with other IIA standards was higher, but still worryingly short of what investors, regulators and bank directors might reasonably expect. Only 60.6 percent of chief audit executives said they complied fully with PS 2600: Resolution of Senior Management’s Acceptance of Risks. This standard requires them to inform the board of directors if management failed to resolve risk-taking that the chief audit executive believed to be excessive—an extremely important issue for directors.

Looking at two of the simplest, most basic standards, while 76.1 percent complied with AS 1200: Proficiency and Due Professional Care, that still means that nearly a quarter of internal audit employees in the finance industry apparently operated without the skills necessary to do their job properly or failed to conduct their work with appropriate care. For AS 1100: Independence and Objectivity, chief audit executives self-reported 83.4 percent compliance, suggesting that one-sixth of internal audit departments in finance failed to meet the requirements to be independent and objective, a fundamental tenet of auditing.

I have many friends who are internal auditors whom I respect highly, yet the internal audit profession has allowed the IIA standards to be widely disregarded without disciplinary consequences. This situation has been going on for years, is well-known within the internal audit profession, but has not been well communicated to the broader financial community.

In addition to putting their reputation at risk, bank directors who allow such noncompliance to occur at their financial institution may expose themselves to allegations of negligence and breach of their duty of care.

Actions You Can Take
Some actions you can take to help your bank deal with this issue are:

  • Ask your chief audit executive whether the internal audit function operates in full compliance with all IIA standards. If it does not, ask why and whether there’s a plan to come quickly into compliance. Probe, with professional skepticism, any negative responses.
  • If there is noncompliance, identify potential legal, regulatory, financial and reputational risks, as well as the potential impact on the effectiveness of the entity’s enterprise risk management.
  • Work with your chief audit executive, chief financial officer, chief executive officer and board chair to implement any appropriate changes to bring your bank’s internal audit promptly into full compliance with all IIA standards as a minimum level of quality. Going beyond the minimum standards may also be necessary for more sophisticated entities and those with high risks.

Internal audit is a key internal control for preventing and detecting major fraud and other wrongdoing at banks. Customers, investors and other stakeholders can reasonably expect bank directors to ensure that their internal audit functions meet, or exceed, IIA standards. Bank directors can help internal audit get sufficient moral and financial support from management and the board to comply fully with IIA standards.