How Banks Can Leverage Continuous Auditing, Continuous Monitoring

Continuous auditing and continuous monitoring are among the most misunderstood and under-utilized concepts in business. While continuous auditing and continuous monitoring, or CA and CM, are two distinct concepts, they are developed under the same umbrella. When institutions design, build and implement them correctly, both can deliver targeted and dynamic results.

To leverage the power of this methodology, bankers should start by understanding the overlooked differences between the two approaches. Continuous auditing and continuous monitoring are two distinct disciplines.

The first key difference between the two is frequency. A confusing aspect of the CACM methodology is the name. Everyone hears the word "continuous" and assumes this type of work runs forever with no defined scope. That could not be further from the truth. Continuous auditing has a distinct start and finish; in contrast, continuous monitoring can be started and stopped at any time and has no set length of execution.

Like any type of formalized testing, a CA program must contain a time frame in which the work will be performed so a conclusion on the control effectiveness for the same period can be made. Conversely, a CM program can be started, stopped and restarted again for any length of time because it is not being executed to provide a conclusion on the control environment. Rather, it delivers an indication that a specific control or set of controls produces the expected results within acceptable performance limits.

The second key distinction is the testing specifics. The CA approach has detailed control process descriptions that provide information to develop the corresponding steps to be reperformed — in order to confirm the results. In contrast, the CM approach selects a control or controls and verifies the outcomes are within the acceptable limits of the business process requirements. At no time does a CM review, examine or reperform the control steps to validate results. The only information obtained and examined in the CM review is the result. If those results are within the acceptable control parameters, there is no additional verification performed. The CA approach provides a more comprehensive validation of the control environment compared to the CM approach.
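The CA/CM distinction above is easier to see in code. The following is an added example, not part of the original article or any Baker Tilly method: it assumes a hypothetical dual-approval control on outbound wires (any wire above APPROVAL_LIMIT needs a second approver who is not the initiator), a constructed set of wire records, and an assumed monitoring tolerance. The CM function only looks at the outcome the system reported and compares it with the tolerance; the CA function takes a fixed period, reperforms the control on every in-scope record from its underlying attributes, and reaches a conclusion for that period.

```python
"""Added example: continuous monitoring (CM) versus continuous auditing (CA)
on a hypothetical dual-approval wire control. All records are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

APPROVAL_LIMIT = 10_000            # assumed policy threshold for dual approval
CM_MAX_EXCEPTIONS_PER_MONTH = 1    # assumed acceptable limit for the monitor
PERIOD_START, PERIOD_END = date(2023, 1, 1), date(2023, 1, 31)  # CA test period


@dataclass(frozen=True)
class Wire:
    wire_id: str
    booked: date
    amount: int
    initiator: str
    approver: Optional[str]
    # What the wire system itself reported about the control; CM trusts this.
    reported_exception: bool


# Constructed sample population (not real data). W4 is the interesting case:
# the system reported no exception although initiator and approver are the
# same person, so only reperforming the control will catch it.
WIRES = [
    Wire("W1", date(2023, 1, 5),  2_500, "alice", None,    False),
    Wire("W2", date(2023, 1, 9), 25_000, "bob",   "carol", False),
    Wire("W3", date(2023, 1, 12), 40_000, "bob",  None,    True),
    Wire("W4", date(2023, 1, 20), 15_000, "dave", "dave",  False),
    Wire("W5", date(2023, 2, 2), 12_000, "erin",  "frank", False),
    Wire("W6", date(2023, 2, 15), 9_999, "erin",  None,    False),
]


def cm_check(wires, max_per_month=CM_MAX_EXCEPTIONS_PER_MONTH):
    """Continuous monitoring: examine only the reported outcome, count the
    exceptions per month and compare with the tolerance. Nothing is
    reperformed, and no conclusion on control effectiveness is drawn."""
    per_month = Counter((w.booked.year, w.booked.month)
                        for w in wires if w.reported_exception)
    return {"per_month": dict(per_month),
            "within_limits": all(n <= max_per_month for n in per_month.values())}


def control_reperformed(w):
    """Reperform the dual-approval control for one record from its own data."""
    if w.amount <= APPROVAL_LIMIT:
        return True
    return w.approver is not None and w.approver != w.initiator


def ca_test(wires, period_start=PERIOD_START, period_end=PERIOD_END):
    """Continuous auditing: fixed period, every in-scope record reperformed,
    and an effectiveness conclusion that applies to that period only."""
    tested = [w for w in wires
              if period_start <= w.booked <= period_end and w.amount > APPROVAL_LIMIT]
    failures = [w.wire_id for w in tested if not control_reperformed(w)]
    return {"period": (period_start.isoformat(), period_end.isoformat()),
            "tested": len(tested), "failures": failures, "effective": not failures}


if __name__ == "__main__":
    print("CM:", cm_check(WIRES))   # within limits: one reported exception in January
    print("CA:", ca_test(WIRES))    # not effective: W3 and W4 fail on reperformance
```

On this constructed data the monitor stays within its tolerance, because the wire system only reported one exception in January. The audit over the same month reperforms the control on the three wires above the limit and fails two of them, including the one the system misreported. That is the gap the article describes: CM tells you the reported results are inside the band, CA tells you whether the control actually worked.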

Common Uses for the CACM Methodology
One of the most appealing aspects of the CACM methodology is that it can be applied to any business process in any industry. However, there are considerations to include in the evaluation process before selecting your target business processes. The most effective way to communicate these considerations is not by telling you the best business processes to target, but providing you with the business areas that should be avoided when developing your CACM methodology.

This does sound contradictory, but to avoid methodological pitfalls, there are limitations to consider when selecting a target CACM area. While you can apply the CACM methodology to any process, in any industry, it is important to consider using a new methodology to proactively validate your existing control environment and identify potential future challenges.

To do that, there are two areas to avoid when selecting your target CACM business processes: complexity and judgment. Regarding complexity, the methodology is going to ask you to identify the most critical control or controls in the process that directly impact the outcome. It will be difficult, if not impossible, to identify one or two critical controls in any complex business process. With judgment, the process allows for overrides, which potentially creates false positives in the CACM. Even with detailed approval guidelines, the subjective nature of the process makes it a challenging selection for a CACM.

At Baker Tilly, we recommend banks incorporate CACM into their compliance business process. Most compliance processes have very specific, detailed and documented process requirements with almost zero judgment. Compliance rules and regulations do not provide a significant amount of grey area. Those types of processes make it easier to incorporate your CACM process because the business requirements are clear and you will have an easier time selecting the most critical control points.

Continuous auditing and continuous monitoring provide organizations with a proactive review approach that helps identify potential control breakdowns. This proactive approach allows organizations to enhance their current control environment, strengthen their compliance processes, build a stronger risk-aware business culture and potentially eliminate future losses.

Staff Shortages Snarl Fraud Oversight

For some community banks, workforce attrition and hiring pressures could be adding an extra layer of difficulty to their ability to combat fraud. 

Concurrent with the Great Resignation, financial institutions have been fending off fraud of all kinds, from spear phishing attacks to account takeovers to check fraud, sometimes with a digital twist. In response, boards should understand where their organizations might be vulnerable and what kinds of proactive measures they might take. 

“That intersection of increasing fraud attacks with the strain on the workforce — I would say that is the biggest thing that we are seeing our clients struggle with,” says Vikas Agarwal, financial crimes unit leader at PwC. 

Specialized anti-fraud talent is in high demand, and prospective employees can command higher wages than they could before.

Seventy-eight percent of the senior executives and directors who responded to Bank Director’s 2022 Compensation Survey in March and April say that it’s been harder to attract and retain talent in the past year. Forty-one percent indicate that their bank increased risk and compliance staffing in 2021, and 29% expect to fill more of these positions in the year ahead. 

Attrition in the risk and compliance functions can eventually lead to a backlog of alerts to work through, experts say. 

“With turnover, you lose institutional knowledge and some efficiencies with how to run a risk and compliance department. As you have turnover, backlogs may build up,” says Kevin Toomey, a partner with the law firm Arnold & Porter. “Backlogs are a scary concept for banks, but also for the boards of banks. It could mean that not everything is running like a well-oiled machine.”  

Higher turnover could also make an institution more vulnerable to phishing and spear phishing attacks, says Ron Hulshizer, managing director at the accounting firm FORVIS. Those are both types of email impersonation attacks, used to install malware or gain access to information; spear phishing tends to be targeted to a specific individual. Noting that his firm has seen an increase in ransomware and extortion attacks against banks, Hulshizer says phishing attempts often give fraudsters a foot in the door.  

“It’s typically a phishing email that comes in, somebody falls for something, eventually, [and] the really bad malware gets installed,” he says. “Then it starts doing its thing and destroying files.”  

Scams, account takeovers and synthetic identity fraud are among the more common forms of fraud that community banks are dealing with right now. A LexisNexis Risk Solutions study published earlier this year identified synthetic ID as a big driver of fraud losses and also noted a rise in phishing scams during the pandemic. Scams have gotten particularly sophisticated, says Christina Williams, financial crimes consulting manager at the accounting and consulting technology firm Crowe. In some cases, she says, scammers have spoofed a financial institution’s 800-number to fool customers into giving up information that is then used to gain account access. 

But fraud seldom goes extinct, and some financial institutions have seen a resurgence in various types of check fraud since the pandemic began. Many businesses still rely on paper checks and physical mailboxes, both of which can be compromised, says Williams. Remote deposit capture tools can also be vulnerable to check fraud. Williams says that in some cases, fraudsters have been able to make a phony deposit using the image of a check on another device. Often, the scammer will stick to amounts under $1,000 or $5,000 to avoid triggering a review before the fraudster is able to withdraw the money.

“A lot of the automated systems don’t necessarily pick up on it,” Williams says, emphasizing the importance of having adequate staff to carry out those reviews. “The fraudsters are aware of this; they still are trying to operate under dollar amounts where they believe there won’t be a secondary review.” 
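The two patterns Williams describes, the same check image presented again from another device and deposits kept just under the review threshold, are both detectable from remote deposit capture (RDC) logs. The following is an added example, not code from the article or from any vendor: the log format is constructed for illustration, the $1,000 manual-review threshold is an assumption, and the "near threshold" band is a tunable guess. One detection keys on the physical item (payer routing number, payer account, check number) and reports every device it was presented from; the other groups deposits per depositing account and day and flags several sub-threshold deposits that together exceed the threshold.

```python
"""Added example: two RDC check-fraud detections over constructed log lines.
Log format, threshold and sample data are all assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

REVIEW_THRESHOLD = 1_000.00   # assumed: deposits at or above this get a secondary review
NEAR_BAND = 0.10              # assumed: flag deposits within 10% below the threshold

# Constructed sample log (not real data). Check 1044 from payer 021000021/55501
# is presented twice, once from phone-A and again from tablet-B.
LOG = """\
2023-03-01T09:12:04 account=1001 device=phone-A payer_rt=021000021 payer_acct=55501 check=1044 amount=975.00
2023-03-01T11:40:19 account=1001 device=phone-A payer_rt=021000021 payer_acct=55501 check=1045 amount=980.00
2023-03-01T15:05:51 account=1001 device=tablet-B payer_rt=021000021 payer_acct=55501 check=1044 amount=975.00
2023-03-02T08:30:00 account=2002 device=phone-C payer_rt=011000015 payer_acct=77712 check=207 amount=1250.00
2023-03-02T10:01:13 account=3003 device=phone-D payer_rt=011000015 payer_acct=88800 check=31 amount=120.00
"""


def parse(log):
    """Turn 'timestamp key=value ...' lines into dicts with typed ts/amount."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["amount"] = float(rec["amount"])
        events.append(rec)
    return events


def duplicate_items(events):
    """Same physical check presented more than once, across any device or
    depositing account. The item key is what identifies the paper check."""
    seen = defaultdict(list)
    for e in events:
        seen[(e["payer_rt"], e["payer_acct"], e["check"])].append(e)
    return [{"item": key,
             "accounts": sorted({h["account"] for h in hits}),
             "devices": sorted({h["device"] for h in hits}),
             "count": len(hits)}
            for key, hits in seen.items() if len(hits) > 1]


def sub_threshold_velocity(events, threshold=REVIEW_THRESHOLD, band=NEAR_BAND):
    """Per depositing account and calendar day: several deposits that each
    stay just under the review threshold but together exceed it."""
    floor = threshold * (1 - band)
    by_day = defaultdict(list)
    for e in events:
        if floor <= e["amount"] < threshold:
            by_day[(e["account"], e["ts"].date())].append(e["amount"])
    return [{"account": acct, "day": day.isoformat(),
             "deposits": amts, "total": sum(amts)}
            for (acct, day), amts in by_day.items()
            if len(amts) > 1 and sum(amts) >= threshold]


if __name__ == "__main__":
    events = parse(LOG)
    for alert in duplicate_items(events):
        print("duplicate item:", alert)
    for alert in sub_threshold_velocity(events):
        print("sub-threshold velocity:", alert)
```

On the sample log the first detection reports check 1044 presented twice from two different devices, and the second reports account 1001 making three deposits just under $1,000 on the same day that total $2,930. Both alerts are the kind of thing the per-item automated review misses because no single deposit crosses the threshold; they belong in the queue the article says needs adequately staffed secondary review.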

Debit card fraud has also been a perennial pain point for community banks, Hulshizer says. 

Though the board doesn’t need to get involved in day-to-day fraud oversight, directors should know enough to ask the right questions of senior management. In the first place, that means understanding the organization’s baseline: how many and what type of fraud attempts does it experience in a given period, and how much of that fraud is stopped? 

“Do they understand, month to month, is it trending up or is it trending down?” says Agarwal. “Oftentimes, we find that people don’t have simple metrics that help them gauge if their risk to fraud is increasing as an institution or decreasing.” 

Agarwal adds that it’s worth asking whether the bank can contract a third-party firm in the event of a staffing shortage. 

Boards can ask whether management is looking into any new fraud-mitigating technologies, like biometric features meant to curb password fraud, says Hulshizer. 

And make sure that existing technology is regularly updated. “When technology gets old, over time, it ends up not being supported,” Hulshizer says. “When we do audits, we’ll find old operating systems that Microsoft no longer supports.”  

Not only should directors ask about trends in fraud and risk, but they should also be prepared to question senior management about trends in the bank’s staffing and resources, says Toomey. 

“What directors were asking a year ago may be different than what they’re asking 6 months from now,” says Toomey. “And to effectively exercise their oversight responsibilities, they need to start asking these questions now, to assure that their bank isn’t one of the ones that you read about in the papers.” 

Information Overload

One of the biggest challenges facing all bank directors is the voluminous amount of information they need to read and comprehend before every board and committee meeting. More than a third of the board members responding to Bank Director’s 2021 Governance Best Practices Survey reported that not all directors review materials before board meetings — reducing the effectiveness of their boards.

Board and committee meeting packets — most of which are distributed electronically through secure board portals — can easily reach several hundred pages, particularly at large banks with complex operations. The packets are typically distributed several days in advance of board and committee meetings, often on a Thursday or a Friday, so directors have the weekend to read through them.

It is difficult to prescribe a best practice for board packets because they often reflect what board and committee members want to see. But there are certain standards that should apply. At a minimum, the board packet should provide a comprehensive overview of the bank’s performance, while highlighting any issues of concern that require the board’s attention. At the committee level, the packet should provide an overview of the relevant areas that a particular committee is working on.

Packets should be well organized and include a complete agenda for each board and committee meeting, along with any supplemental information that is provided. There is a general tendency to err on the side of more information rather than less, but whatever is provided should be easily accessible to the directors.

It’s also important that the information be contextualized. The quality and utility of the information from a governance oversight perspective is generally more important than the sheer quantity of what’s being provided.

James A. McAlpin Jr., a partner and global leader of the banking practice group at Bryan Cave Leighton Paisner, says that board packets often include too much irrelevant information. McAlpin also sits on the board of Hyperion Bank, a $300 million asset community bank in Philadelphia. “I don’t need a listing of every new loan, because I don’t know these borrowers,” he says. “I need a listing of what the trends are. What is the net interest margin? What are the concentrations?” Concentration risk was a big problem for many banks during the financial crisis, McAlpin adds. “It didn’t happen over a period of one or two months, it happened over a period of time, and no one got it because no one was focused on that as a trip wire,” he says.

And the packets themselves shouldn’t be viewed as stone tablets that came down from Mount Sinai. Boards should periodically review whether the packets’ structure and organization, as well as the information being provided, still meets directors’ needs. “You may be comfortable with the board package, but when was the last time everybody, including your committee chairs, said, ‘Do we like the format? Do we like the information presented?’” says McAlpin. “‘What’s missing?’ Very few boards have that conversation.”

The board at Community Bank System, a $15 billion regional bank holding company headquartered in DeWitt, New York, meets 10 times a year. There is also a separate board for Community Bank, N.A., the holding company’s banking subsidiary. Holding company directors also serve on the bank board; the meetings occur back to back. Meetings of the board’s three standing committees — audit, compensation and governance — usually occur before the two board meetings.  Lead Director Sally A. Steele, who joined the board in 2003 and served as chair from 2017 to 2021, says the holding company and bank boards, as well as each committee, receive their own packet with a separate agenda and supplemental information.

There’s a lot to read before meetings, according to Steele. The audit committee packet in particular can be expansive, running to as many as 300 pages. The packets for the compensation and governance committees, as well as the holding company and bank boards, are generally smaller. But taken all together, Steele says, the information “can be really voluminous.”

Should a director attempt to read every single page if the board packet runs several hundred pages? That may be impractical — and perhaps unnecessary. Steele practices something that might be described as selective reading. “It depends on which [packet] you’re talking about,” she says. Steele is not a member of the audit committee and thus does not attempt to dig through that particular pile of information, even though she and all other non-audit committee members receive it. “Do the folks on [the audit] committee read all of it? I honestly believe they do. You can tell by the questions they ask,” she says.

As the board’s lead director, and previously as its chair, Steele reads both board packets in their entirety, as well as the packets of the committees she does serve on. “I would guess most directors focus on the committees they’re on, and the material that’s there, and then probably the bank board and holding company material,” she says. “It’s a lot of information.”

Steele believes it is the responsibility of every director to come to board and committee meetings well prepared. That includes having sufficiently reviewed the information that has been sent out in advance, even if members haven’t read every word. In fact, the Community Bank System board goes through an annual assessment process that is administered by its governance committee, and preparedness is a key part of the evaluation. “In our boardroom, it would not go over very well if people were not prepared,” she says. “I think it’s part of your fiduciary obligation to be prepared for meetings. Goes without saying.”

Plowing through an expansive board packet can be a challenging exercise for new directors who don’t have enough experience to prioritize what they must read word for word over what they can more lightly review. McAlpin believes it would be helpful if one of the more experienced directors “would offer to talk to them over lunch, or meet privately and go through the packet with them to get some sense of what has happened historically and what the packet is,” he says. “I think most boards do not do a very good job of new director orientation.”

When Community Bank System recruits a new director, the board tries to lighten the new member’s load by assigning the individual to only one committee. But Steele sees no way around the fact that most new directors will have a steep learning curve, and that includes plowing through the board packet and knowing how to prioritize what’s in it.

“I’ve never found that you can have too much information,” Steele says. “There comes a point in time where you understand what’s important and what’s not. Then you get to choose if you feel it’s important enough for you to spend time on. … I just think there’s a price you pay for being a new director, and it’s figuring out and understanding what’s important and what’s not important.”

The Post-Pandemic Priorities for Audit and Risk Committees

Even as the Covid-19 pandemic continues to reshape the banking and financial services industries, forward-looking organizations are focusing on how they can adapt to a post-pandemic world. With many business processes and controls forever changed, boards of directors — including their audit and risk committees — acknowledge that their views on fundamental risk issues must change as well.

New Workplaces, New Risks
One of the pandemic’s most disruptive effects was the upheaval of the centralized workforce. For decades, employees gathered together in a central location to work. Businesses took great pride in these workplaces, even putting their names atop the buildings in which they were located.

However, the pandemic shattered that model — possibly permanently — along with the concept of regular office hours and the expectations that personal devices should not be used for company business. During the pandemic, employees worked from their kitchens and dining rooms, improvising as they adapted to new ways of operating that would have been impossible 20 years ago. Beyond the obvious physical, security and technical risks associated with this dispersal, board members should understand some of the less visible risks.

For example, corporate culture often is shaped from the ground up through casual workplace interactions, which can be lacking in a remote work arrangement. Similarly, if people cannot gather together physically to brainstorm ideas, innovation and creativity can suffer. Many executives also lament their inability to read body language, tone of voice and other nuances in employees’ behavior to spot potential problems.

These types of risks are inherently difficult to quantify. Nevertheless, risk committees should be aware of them and ascertain whether management is addressing them.

Of even more pressing concern, however, are the effects that a decentralized workforce has on a bank’s business processes and control environment. While the immediate responsibility for overseeing management’s response to these risks might be assigned to the audit and risk committees, ultimately all board members have oversight responsibility and should make a committed effort to understand these risks.

Audit and risk committee priorities
Previously, when audit committees addressed risks associated with business processes and controls, they had the advantage of operating in something like a laboratory. The bank controlled most of the variables such as access controls, approvals and validations. In the post-pandemic world, however, risk monitoring and mitigation efforts must address new variables outside the bank’s control.

One specific audit committee priority is the need to evaluate how a dispersed workforce affects the control environment. Controlling access to systems is an area of major risk; remote reconciliations, remote approvals and digital signatures also are important concerns.

While a virtual private network generally would be the preferred method of providing remote employee access, that capability often was unavailable during the pandemic. Other options became necessary. In addition, many controls had to be redesigned quickly, with little time for testing the adequacy of their design or the effectiveness of the implementation.

Now is the time for many audit committees to take a step back and look holistically at their banks’ control environments. In addition to system access, this overview should include controls governing the retention of sensitive data, timely execution of controls, coordination to resolve deficiencies and validation of secondary reviews.

In assessing such controls, committee members might be constrained by their limited understanding of the technology. Given the novel nature of today’s situation, audit committees should consider getting qualified technical assistance, independent of management, to evaluate the steps taken to accommodate the new work environment.

Strategic issues and board concerns
Both the risk committee and the full board should consider broader questions as well. At a strategic level, boards should explore whether management’s response to the pandemic is sustainable. In other words, should the new practices the bank established — including remote work arrangements — become permanent?

Bank management teams have issued many press releases recounting how successfully they responded to the crisis. As banks move into the post-pandemic world, board members should review these responses and ask whether the new practices will allow for growth and innovation so that their banks can thrive in the future while still maintaining a well-controlled work environment.

As they revisit documented policies, controls and procedures — and remeasure the associated risks — boards and management teams ultimately must decide whether the new control environment is consistent with the strategy of the bank and capable of sustaining its desired organizational culture.

An Audit Expert Explains What’s Changed

An audit committee seat can be one of the biggest challenges — and one of the greatest responsibilities — for a bank director, even without a global pandemic and economic recession. The audit committee sets the tone at the top for the bank. How does its role change in a pandemic? It’s an increasingly important responsibility, says Jon Tomberlin, managing partner in Dixon Hughes Goodman LLP’s financial services practice, who participated in a panel discussion focusing on audit matters at Bank Director’s BankBEYOND 2020 experience. “There’s a lot of risk and difficulty in being on the audit committee,” he says. “They are one of the most important elements of the bank.” The audit committee creates and maintains the conditions and expectations that support the integrity of the bank’s financial controls — an environment that may have altered or become strained under the pandemic’s forceful impact or the severe economic fallout. Tomberlin says he sees many roles for the audit committee in this turbulent environment, including overseeing and challenging the appropriateness of internal controls and management’s risk assessment. Joining Tomberlin in this conversation with Bank Director’s Editor-At-Large Jack Milligan were Michael Ososki, a partner at BKD LLP, and Mandi Simpson, a partner at Crowe LLP.

The Board’s Role in the Transition to CECL


This summer, the Financial Accounting Standards Board (FASB) completed its project on credit losses with the issuance of a new standard that brings one of the most significant changes to financial reporting that financial institutions have seen in decades: The incurred loss model for estimating credit losses will be replaced with a new model, the current expected credit loss (CECL) model. In many cases, the new credit loss calculations are expected to result in an increase in the allowance, and, thus, might have a significant impact on capital requirements. Banks will need sufficient time to prepare and adjust capital planning and capital management strategies.

Banks are educating themselves on the changes, and boards of directors should be aware of the challenges faced by the banks they oversee.

As with any major initiative, a successful transition to the new standard will require the active involvement of the audit committee, the board of directors, and senior management. Given the audit committee’s responsibility for overseeing financial reporting, it has a critical role to play in overseeing implementation.

Recently, speakers from the Securities and Exchange Commission’s (SEC’s) Office of the Chief Accountant have emphasized the role that audit committees should have in implementing new significant accounting standards. In his speeches at Baruch College and the AICPA Bank Conference, Wes Bricker, interim chief accountant, addressed CECL implementation. Likewise, the federal financial institution regulatory agencies have addressed the role of the board in implementing the new credit loss standard. The agencies issued a joint statement on June 17, and in March the Federal Reserve System (Fed) released an article, “New Rules on Accounting for Credit Losses Coming Soon.” The speeches, joint statement, and article highlight tasks that boards of directors and audit committees may consider during transition, including:

  • Evaluate management’s implementation plan, including the qualified resources allocated for execution.
  • Monitor the progress of the implementation plan, including any concerns raised by the auditors or management that might affect future financial reporting.
  • Understand the changes to the accounting policies that are required for implementation.
  • Understand management’s transition to any new information systems, modeling methodologies, or processes that might be necessary to capture the data to implement the standard.
  • Oversee any changes to internal control over financial reporting in transitioning to the new standard.
  • Review impact assessments of the new standards, including impact on financial statements; key performance metrics, including credit loss ratios, that might be disclosed to investors outside the financial statements; regulatory capital; and other aspects of the organization such as compensation arrangements and tax-planning strategies.
  • Understand management’s plan to communicate the impact of the new standard on key stakeholders, including the new disclosures required by the standards and disclosures made leading up to the adoption date. Those who file with the SEC will need to disclose information about standards effective in future periods, including the expected impact when adopted.

In evaluating management’s implementation plan, it is important to develop an understanding of management’s timeline for implementing the new standards and to be aware of the effective date. Recognizing that the definition of a public business entity (PBE) under FASB includes many financial service entities, the FASB split the definition to provide additional time for PBEs that are not SEC filers.

  • For PBEs that are SEC filers, the standard is effective in fiscal years beginning after Dec. 15, 2019, and interim periods in those fiscal years. For calendar year-end SEC filers, it first applies to the March 31, 2020, interim financial statements.
  • For PBEs that are not SEC filers, the standard is effective in fiscal years beginning after Dec. 15, 2020.
  • For all other entities, the effective date includes fiscal years beginning after Dec. 15, 2020, and interim periods in fiscal years beginning after Dec. 15, 2021.
  • Early adoption is permitted for all entities in fiscal years beginning after Dec. 15, 2018, and interim periods in those fiscal years. That means, any calendar year-end entity may adopt as early as the March 31, 2019, interim financial statements.

While those dates might seem somewhat distant, there really is no time to lose in preparing for the transition.

How Technology Could Improve a Bank’s Audit


“It’s never simply the hammer that creates a finely crafted home. The result of the work hinges on the skills and experience of the carpenter who wields the tool.

So, too, it’s not so much the powerful cognitive intelligence software, the data and analytics tools, and the data visualization techniques that are beginning to open up opportunities for audit quality and insight enhancements from a financial statement audit. The skills and experiences of the auditors and their firms that implement these technological advancements will make the difference in the months and years ahead.”

When we think of the latest in technological innovations, we inevitably focus on the tools and techniques that benefit consumers. And, while that thinking is understandable, it would be a mistake to believe there are fewer technological advancement opportunities available for banks and other businesses. The litany of technological improvements include major commercial advances in the quality of databases, analytical capabilities and artificial intelligence.

In our world, one of the most compelling possibilities is the use of cognitive technology in the audit of financial statements. Cognitive technology enables greater collaboration between humans and information systems by providing the ability to learn over time and through repetition, to communicate in natural language and analyze massive amounts of data to deliver insights more quickly. Think of the improvements possible in the quality of audits when machine learning can be applied to deliver more actionable insights to guide and focus an auditor’s work or provide feedback on our perceptions of risks to an audit committee and management team at a bank.

While still in their infancy, there is vast potential in developing cognitive intelligence capabilities, especially given the exponential increase in the volume and variety of structured and unstructured data—this is particularly welcome given the ever increasing expectations on auditors, audit committees and management teams.

A prime example of an audit-based application of cognitive technology is the ability to test a bank’s grading or rating control over its loan portfolio. KPMG has developed a bold use case and is building a prototype that will machine “read” a bank’s credit loan files and provide a reasoned judgment on our view of the appropriate loan grade. The KPMG loan grade is compared to the bank grade, with our auditors focused on evaluating the loans with the greatest probability of a difference between the KPMG and bank loan grades.

While still in the development stage, we are encouraged by how cognitive intelligence could be applied to help us improve the quality of our bank audits. Currently, auditors carefully select a sample of loans to test from a bank’s loan portfolio. The sample is selected to provide both coverage of the loan types and grades, as well as where the auditor believes there is the greatest chance of loans being graded incorrectly. Aside from only reviewing a sample of the overall portfolio, today’s audit process is intensely manual. With the prototype being developed, the auditor would be able to select all the loans in a particular portfolio (say, oil and gas) or eventually the complete population of graded loans. The potential benefits to audit quality are very exciting—there is a distinct possibility that every loan in a bank’s portfolio could be reviewed and graded, while bringing outliers to an auditor’s attention. The bulk of the audit effort would then be focused on evaluating these potential outliers.

Further, using the combination of cognitive technologies, data visualization, predictive analytics, and overall digital automation would permit a much more granular evaluation of a bank’s enormous pool of internal and external information. Consider the potential insights that could be extracted when these powerful tools are linked to sources of market indicators. Looking into the future, the possibility exists for building a loan-grading tool to focus on grading commercial mortgage real estate loans tied to a market index of credit-quality values on commercial mortgage bonds, for example.

A tool that reviews changes in the market index against changes in a bank’s portfolio of commercial mortgage real estate loans could both improve audit quality and provide valuable insights into whether the two are consistent. If they are not consistent, those working with this technology—who are freed up from the manual duties—could spend valuable time determining whether or not there is any valid explanation for the inconsistency, better assess the remaining audit risk, and pass along the findings to a bank’s management and audit committee.

And, since such a tool would not be used in a vacuum, each bank’s results and weighted average loan grade could be compared across our portfolio of clients or a select segment of similarly sized institutions.
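The grade-comparison and outlier-triage idea described above, and the exposure-weighted average grade used for peer comparison, can be shown as a small worked example. This is an added illustration and not KPMG's prototype or any bank's code: it assumes a grading model that returns, for each loan, a probability for every grade on a five-step ordinal scale (1 = strongest credit), and the loan records, exposures and probabilities are constructed sample data.

```python
"""Triage of model-assigned loan grades against a bank's own grades.

Added example (not KPMG's prototype). Assumptions: an ordinal grade scale 1..5
with 1 = strongest credit, and a grading model that yields a probability per
grade for each loan. All loan data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GRADES = (1, 2, 3, 4, 5)  # assumed ordinal grade scale, 1 = strongest


@dataclass
class Loan:
    loan_id: str
    segment: str                 # portfolio segment, e.g. "oil_and_gas"
    exposure: float              # outstanding balance, used for weighting
    bank_grade: int              # grade assigned by the bank's own control
    model_probs: Dict[int, float] = field(default_factory=dict)  # grade -> P(grade)


def disagreement_probability(loan: Loan) -> float:
    """P(model grade != bank grade) = 1 - P(model assigns the bank's grade)."""
    return 1.0 - loan.model_probs.get(loan.bank_grade, 0.0)


def model_grade(loan: Loan) -> int:
    """Most likely grade under the model."""
    return max(loan.model_probs, key=loan.model_probs.get)


def expected_model_grade(loan: Loan) -> float:
    """Probability-weighted grade, useful for a portfolio-level comparison."""
    return sum(g * p for g, p in loan.model_probs.items())


def triage(loans: List[Loan], threshold: float = 0.5,
           segment: Optional[str] = None) -> List[Tuple[str, float, int, int, bool]]:
    """Rank loans by probability of a grade difference, highest first.

    Returns (loan_id, P(difference), bank_grade, model_grade, flagged) tuples;
    flagged loans are those the auditor would examine first. Optionally
    restrict the population to one segment (e.g. "oil_and_gas").
    """
    population = [l for l in loans if segment is None or l.segment == segment]
    ranked = sorted(population, key=disagreement_probability, reverse=True)
    return [
        (l.loan_id, round(disagreement_probability(l), 3), l.bank_grade,
         model_grade(l), disagreement_probability(l) >= threshold)
        for l in ranked
    ]


def weighted_average_grade(loans: List[Loan], use_model: bool = False) -> Optional[float]:
    """Exposure-weighted average grade for the bank's own grades or the model's.

    Comparing the two, or comparing one bank's figure against peers, gives a
    portfolio-level signal alongside the loan-level triage.
    """
    total = sum(l.exposure for l in loans)
    if total == 0:
        return None
    if use_model:
        return sum(l.exposure * expected_model_grade(l) for l in loans) / total
    return sum(l.exposure * l.bank_grade for l in loans) / total


# Constructed sample portfolio (not real data).
SAMPLE_LOANS = [
    Loan("L1", "oil_and_gas", 100.0, 2, {1: 0.05, 2: 0.85, 3: 0.10}),
    Loan("L2", "oil_and_gas", 50.0, 3, {3: 0.30, 4: 0.55, 5: 0.15}),
    Loan("L3", "cre", 30.0, 4, {4: 0.90, 5: 0.10}),
    Loan("L4", "cre", 80.0, 2, {2: 0.40, 3: 0.60}),
    Loan("L5", "oil_and_gas", 140.0, 1, {1: 0.60, 2: 0.40}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOANS):
        print(row)
    print("bank WAG :", round(weighted_average_grade(SAMPLE_LOANS), 3))
    print("model WAG:", round(weighted_average_grade(SAMPLE_LOANS, use_model=True), 3))
```

The triage list puts the loans whose bank grade the model is least likely to reproduce at the top, which is exactly where the text suggests auditor effort should concentrate; the threshold is a tunable review cut-off, and the weighted averages give the single-number view that can be compared across institutions.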

Even though cognitive intelligence is a powerful tool, it is important to remember that it is just a tool. The real value in cognitive and artificial intelligence is in its ability to allow human beings—in this case bank auditors—the time to think about, and respond to, the results of the testing, then work with audit committees to develop innovative solutions to real-world challenges confronting the industry.

Top Trends Impacting Audit Committees in 2016

If you’re serving on an audit committee, congratulations. That may be the toughest and most time-consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.

As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.

Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,” she says. “There’s not a box to check to make sure your bank will survive.”

Audit committees will begin asking questions about the implementation of the Financial Accounting Standards Board’s (FASB) new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,” says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,” Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.

Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,” she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.

Cyber risk is a huge concern. Bank boards are worried about cybersecurity, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially for smaller banks. About 28 percent of bank audit committees handle cyber risk in the audit committee, with smaller banks more likely to handle this in audit than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to get prepared for the almost inevitable data breach, Larson says. Just like a natural disaster, data breaches aren’t necessarily preventable, but you can prepare with a good disaster plan.

Three Critical Challenges for Bank Audit Committees

As the effects of the banking crisis continue to recede, regulatory agencies have shifted their focus. As asset quality concerns gradually diminish, regulators are scrutinizing corporate governance and risk management issues more closely.

In this environment, audit committees are being challenged to meet a higher standard regarding their understanding of their organization’s risk profile and often must adapt their approach to reflect changing business priorities. Three areas of concern merit special attention as they present audit committees with significant challenges.

Challenge 1: Cybersecurity Risk
Cybersecurity is a paramount issue in financial institutions today, ranking as the number one concern of bank executives and board members in the annual Bank Director Risk Practices Survey for two years running. In the 2016 survey, 77 percent of the respondents said cybersecurity was their top concern, and more than half said preparing for cyber attacks is one of their biggest risk management challenges.

Those numbers are not surprising because banks are a natural target for hackers. But the challenge of managing cybersecurity risk is complicated by banks’ natural reluctance to publicize breaches due to their legitimate fear of alerting other hackers to their vulnerabilities. Unfortunately, this justifiable secrecy makes it more difficult for other banks to learn from their peers’ experiences and hinders banks’ ability to recognize comparable weaknesses in their own systems and third-party relationships.

Another complicating factor is the makeup of the audit committee itself. Committee members very rarely have professional IT backgrounds, so they must rely on qualified third parties to provide insights into risks and mitigation strategies.

Recent regulatory guidance can help overcome this challenge to some extent. Audit committee members should be thoroughly familiar with the Federal Financial Institutions Examination Council’s two-part Cybersecurity Assessment Tool, which was issued in 2015 to help institutions identify their risk exposure and determine if their risk management programs are appropriately aligned. The audit committee should make sure management completes this assessment and integrates its principles into the overall risk management effort.

In addition, the Office of the Comptroller of the Currency (OCC) regularly issues joint statements with other bank regulatory bodies on specific cybersecurity concerns such as new malware developments, extortion attempts, and other current trends. Committee members should stay abreast of the most recent OCC statements on the agency’s website and confirm that management is following the specific preventive steps listed in those statements.

Challenge 2: Reallocating Audit Resources
In the current industry environment of shrinking margins and growing cost pressures, audit committees often must address increasing regulatory compliance demands and growing cybersecurity risk while struggling with resource constraints. Fortunately, there often are unrecognized opportunities to control risk management costs by reallocating resources to reflect changing business models.

For example, as customer habits and access methods change, some financial institutions are reassessing whether it is cost-effective to continue applying the same level of risk mitigation activity at the branch level. Steps such as lengthening the intervals between traditional branch audits and reassigning certain risk control responsibilities to operational managers make it possible to reallocate some internal audit resources to new, more pressing areas of risk. Audit committee members should be alert to such opportunities to reassess and fine-tune the audit approach to reflect today’s business reality.

Challenge 3: Adapting to New Strategies
Shrinking margins also are leading banks to look for opportunities to diversify their revenue strategies. But every new revenue stream requires new operational and support functions and opens up new categories of risk that must be assessed, controlled, and managed. One of the important responsibilities of the audit committee is to actively assess how a new business line will affect the institution’s risk parameters and to determine how those parameters can be addressed effectively and efficiently.

New revenue streams and changing business strategies are nothing new, of course. Historically, bank directors always have been challenged to adapt to shifts in economic and business priorities. In today’s environment, however, with greater regulatory emphasis on the management of risk, the challenges to audit committees are intensified. An effective response to these challenges can have a direct, significant and positive effect on an institution’s long-term success.

FASB’s New Standards for Financial Instruments: What Banks Need to Know

At 232 pages, Accounting Standards Update (ASU) No. 2016-01, issued in January of 2016, might be intimidating, but we will boil down the essentials you need to know as a bank accountant, chief financial officer, or member of an audit committee. In 2010, the Financial Accounting Standards Board (FASB) issued a massive proposal with many significant changes including marking the majority of a bank’s balance sheet (securities, loans and deposits) to fair value. The FASB has come a long way since then and completes part one of its financial instruments project with the issuance of this standard. When boiled down, the standard contains eight or nine significant changes of interest to banks. Not every bank will be affected by all of the changes, and whether you view these changes as positive or negative depends upon whether you are a preparer or user.

Two of the changes—both of which the banking industry views as favorable—may be adopted early for financial statements not yet issued:

  • Liabilities using the fair value option: Under current generally accepted accounting principles (GAAP), the change in fair value resulting from instrument-specific credit risk is presented in earnings, which has an interesting result. As a bank’s own credit worthiness declines, income is recorded because the value of the liability declines, usually the bank’s debt. Many found that to be an odd outcome—and the FASB agreed. This ASU corrects that and those changes now will be recorded in other comprehensive income (OCI) instead of earnings, and consistent with regulatory capital treatment.
  • Disclosures of fair value of financial instruments: In an effort to provide relief, the FASB is dropping this requirement, which was born in Financial Accounting Standards (FAS) No. 107, for non-public business entities (non-PBEs). Beware, though: The definition of PBE is very broad and extends far beyond those who file with the SEC. Many banks have been surprised to learn they are considered to be PBEs.

The most significant change is that PBEs will have to calculate fair values using the exit price notion, obtaining a fair value using what a market participant would use. This is a big deal because under current GAAP, there is a provision that permits banks to calculate these fair values using a discounted cash flow approach known as entrance pricing. For example, the fair value of loans commonly is computed by discounting the cash flows using the current rates at which similar loans would be made to borrowers with comparable credit ratings and remaining maturities. Requiring exit pricing could prove challenging, particularly for loans. A small but positive change for PBEs is the elimination of the requirement to disclose the methods and significant assumptions used.

The next big area of change is for equity investments, with general exceptions for those using the equity method or those that are consolidated. The unpopular change for banks is that, going forward, changes in fair value will run through earnings. Under current GAAP, equity investments can be classified as available for sale (AFS) with fair values changes running through OCI, or trading with fair value changes running through earnings. This change eliminates the AFS option.

There is good news, however, for equity investments without readily determinable fair values. Banks will have the option to measure these at cost minus impairment, if any, plus or minus changes resulting from qualifying observable price changes. This means investments can be written up with proper observable transactions. The FASB also simplified the impairment assessment by using a qualitative assessment.

Two more changes:

  • Deferred tax assets (DTAs) on AFS securities: Currently there is diversity in practice on evaluating such DTAs separately (given management has control because the securities can be sold) or in combination with other DTAs. The FASB chose the latter.
  • Measurement category: Financial assets and liabilities must be presented by measurement category (such as fair value or amortized cost) and form of financial asset (securities, loans or receivables) on the balance sheet or in the footnotes.

When Is This Effective?

For PBEs, the changes take effect for fiscal years beginning after Dec. 15, 2017, including interim periods within (which means first quarter of 2018 for calendar year-end reporting companies).

For non-PBEs, the changes take effect for fiscal years beginning after Dec. 15, 2018, and interim periods beginning after Dec. 15, 2019 (which means Dec. 31, 2019, for calendar year-ends).

The FASB plans to issue part two of its financial instruments project, a final standard on credit losses, in the first part of 2016 and part three, a proposal on hedging, in the second quarter of 2016.