The Audit Committee: Help Them Help You

An effective audit committee is a critical component of a financial institution’s corporate governance, but such a committee is not the result of an accident. It is formed through a deliberate process that includes appointing qualified individuals, providing adequate resources and offering other appropriate support.

The Right People
Every effective team begins with an effective leader to serve as chairperson. To fill that role for the audit committee, the board must select an independent director who, at a minimum, possesses an understanding of U.S. generally accepted accounting principles and the importance of internal controls. The audit chairperson should have a sense of the pressure points where the institution might be particularly vulnerable to fraud. Often, board members are business owners, managers in other organizations, or educators and will need help to acquire the requisite skill sets to lead or participate on the audit committee.

The Right Resources
With accounting standards, regulatory compliance requirements and risk factors continuing to change at a rapid pace, boards need to commit time and money to keep the chairperson and the audit committee up to speed. New accounting rules revisit some long-standing techniques in order to establish a more transparent level of reporting. Also, the introduction of the Consumer Financial Protection Bureau (CFPB) added complexity to regulatory compliance, and a bank that runs afoul of the new rules could suffer substantial harm to its reputation. In addition, technology and customer demands for access to services through nontraditional channels add risks never contemplated 10 years ago.

To help the audit committee stay current, the board should provide it access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring the activities at other banks. Their publicized experiences (for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular attention from the audit committee. Audit committee members must be intimately familiar not just with their own bank but also with the banking industry as a whole.

The Right Support
Although it is management’s responsibility to establish processes and controls to manage risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored. The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility.

As with the audit committee, the success of internal audit hinges on the training and experience of the team members and on the provision of necessary resources. The importance of these elements increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required of publicly traded companies, because management must attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.

Bear in mind that a bank’s growth often is not mirrored in changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles will be prolonged if internal audit has insufficient personnel. When the board looks strategically at the organization, it must align the expansion of the business with the risk mitigation process—including internal audit resources. Even the most capable audit committee will prove ineffective without a well-armed internal audit team.

The board also should recognize that its attitude and that of management toward internal audit frequently contribute to internal audit’s success (or lack thereof). Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk. If management is dismissive of findings, and the audit committee or board is disinterested in follow-up, the value of the internal audit role will erode quickly.

The Right Approach
Board members are elected to oversee the activities of their bank, and the audit committee is an integral part of that oversight. It is in the board’s—and the bank’s—best interest to provide both the audit committee and internal audit with the training and resources necessary to execute their responsibilities.

Rules of Engagement: Dealing With External Auditors

Banks’ financial statements tell their performance story to the outside world. Because the banks’ independent external auditor’s reports provide assurance about the quality of the information in the financial statements, the audit committee’s relationship with the bank’s external, independent auditor is very important. The auditor/audit committee relationship is key to the committee’s ability to monitor financial reporting risk, to oversee management of regulatory compliance risk, and to perform the committee’s other oversight and monitoring functions. Your audit committee’s management of this relationship is critical to the discharge of your obligations under most committee charters.

Because the external auditor’s product is assurance, the auditor will measure the efficacy and operation of the bank’s systems of control to determine where the auditor believes the financial reporting risks—errors or fraud—are greatest. The auditor will test the bank’s control systems to determine the extent to which the auditor can rely upon them to produce reliable financial statements and required related financial information. Auditors’ judgments about the auditor’s risk (for example, failing to find misstatements that exist, or determining there is a misstatement when there is not) help determine the nature and extent of the audit procedures, so questions between auditor and audit committee shape the audit scope and the nature and extent of the procedures the auditor performs.

There are two key aspects of the information exchange process between auditor and audit committee: required communications and auditor/audit committee meetings.

Required auditor communications are determined under the American Institute of Certified Public Accountants (AICPA) “Codification of Statements on Auditing Standards.”  AICPA AU-C-260 “Communications with Those Charged with Governance” (previously AICPA SAS 61 and SAS 114) deals with required communications from the external auditor.  Additional authority for publicly traded banks is found in the Securities and Exchange Act of 1934, Section 10(A) and Public Company Accounting Oversight Board (PCAOB) Auditing Standard 16.  Communications regarding significant deficiencies and material weaknesses in controls identified in the audit are covered under AICPA AU-C-265 and PCAOB AS5 (previously AICPA SAS 115).

PCAOB AS16, governing public issuers of securities (including publicly traded banks), requires certain matters to be communicated in writing by the auditor. In the planning stage, they include the following:

  • Written engagement letter defining the scope and terms of the engagement
  • That the auditor has discussed with the audit committee any matters known to the committee and relevant to the audit, including possible violations of law or regulation
  • An overview of the overall audit strategy, including the timing of the audit
  • Significant risks identified during the auditor’s risk assessment procedures

After most audit procedures have been performed, and generally communicated concurrent with the issuance of the auditor’s report, the external auditor’s communication should include the following:

  • Changes in critical and significant accounting policies and the adequacy of, application of, and disclosures regarding accounting policy changes
  • Critical accounting estimates (e.g. for a bank, the allowance for loan and lease losses or ALLL)
  • Significant unusual transactions
  • Difficult or contentious matters for which the auditor consulted outside the engagement team and that the auditor reasonably determined are relevant to the audit committee’s oversight of the financial reporting process
  • When the auditor is aware that management consulted with other accountants about significant auditing or accounting matters and the auditor has identified a concern regarding such matters
  • A schedule of current year uncorrected, immaterial misstatements and corrected errors that were brought to management’s attention by the auditor

On this last point, the auditor is not a component of the bank’s system of controls. Errors caught and corrected within the bank’s system of control are indicative of a control system that is working; auditor-found errors are indicative of a control system that may have weaknesses.

Apart from the required written communications, scheduled but less formal discussions at audit committee meetings, between auditor and audit committee, can be very productive financial reporting risk management tools.

I serve as chairman of an audit committee for a bank, and when our audit committee meets with our external auditors, the committee is free to ask whatever they wish. Some members prepare questions in advance; others will wait until the required communications have been made to form their questions. Management is excluded from the question-and-answer session with the external auditor. Questions generally take a skeptical but respectful tone, and frequently include the following:

  • Did anything found during your work surprise you?
  • Did anything found during your work surprise management?
  • Were there any times during the audit when you believed management was not fully prepared or forthcoming in responding to requests?
  • Were there any other difficulties encountered during the audit?
  • Are there tools the bank’s management team is using (as to operations and financial reporting) that are obsolete or inefficient given your observations at banks of similar size and complexity?
  • What regulatory matters are you seeing that are receiving more or less scrutiny than in the past?
  • What are the emerging accounting topics that could have future impact on the bank’s financial reporting?
  • Do you believe the accounting and financial reporting functions in the bank have adequate resources?  If not, are there suggestions the auditor could make?
  • Were you able to rely in any way on the work performed by internal auditors?
  • Were there any repeat matters of concern or concerns from prior audits that were unresolved?
  • What is the required partner rotation to maintain auditor independence and what is the plan and time frame for the next rotation?
  • What unplanned audit procedure did you perform to surprise management and what was the outcome of the procedure?

While not meant to be all-inclusive, the questions listed above help provide the basis for a frank and useful discussion with the bank’s external auditors. By always taking your bank’s and management’s unique characteristics and attributes into account, you can develop your own questions to help the audit committee and the auditors discharge their financial reporting risk management functions.

Scandals and Internal Audit: Where Banks Can Do Better

Many well-known banks are paying billions of dollars to settle allegations of a wide range of wrongdoing. Directors at all financial institutions would be wise to ask how these things could happen without internal controls preventing or timely detecting them. Is there a systemic weakness in internal controls that could also affect your institution? Studying The Institute of Internal Auditors’ (IIA) last Global Audit Survey in light of recent events suggests there is such a weakness and that it impairs 62 percent of the internal audit functions in the financial services industry.

Widespread noncompliance
So what’s the issue? Essentially, an alarmingly high proportion of internal audit functions are failing to comply with the “International Standards for the Professional Practice of Internal Auditing,” which set out basic requirements that the IIA considers essential for an internal audit function. The IIA mandates that members comply fully with its Standards. Failure to do so is a violation of the IIA’s Rule of Conduct 4.2.

This is not just a paperwork issue: it is substantive and affects the quality and reliability of internal audits. According to the IIA’s Global Internal Audit Survey, last conducted in 2010, only 38 percent of finance industry chief audit executives self-reported that their internal audit function complied fully with the IIA’s quality assurance standard, AS 1300: Quality Assurance and Improvement Program. Self-reported compliance with other IIA standards was higher, but still worryingly short of what investors, regulators and bank directors might reasonably expect. Only 60.6 percent of chief audit executives said they complied fully with PS 2600: Resolution of Senior Management’s Acceptance of Risks. This standard requires them to inform the board of directors if management failed to resolve risk-taking that the chief audit executive believed to be excessive—an extremely important issue for directors.

Looking at two of the simplest, most basic standards, while 76.1 percent complied with AS 1200: Proficiency and Due Professional Care, that still means that nearly a quarter of internal audit employees in the finance industry apparently operated without the skills necessary to do their job properly or failed to conduct their work with appropriate care. For AS 1100: Independence and Objectivity, chief audit executives self-reported 83.4 percent compliance, suggesting that one-sixth of internal audit departments in finance failed to meet the requirements to be independent and objective, a fundamental tenet of auditing.

I have many friends who are internal auditors whom I respect highly, yet the internal audit profession has allowed the IIA standards to be widely disregarded without disciplinary consequences. This situation has been going on for years, is well-known within the internal audit profession, but has not been well communicated to the broader financial community.

In addition to putting their reputation at risk, bank directors who allow such noncompliance to occur at their financial institution may expose themselves to allegations of negligence and breach of their duty of care.

Actions You Can Take
Some actions you can take to help your bank deal with this issue are:

  • Ask your chief audit executive whether the internal audit function operates in full compliance with all IIA standards. If it does not, ask why and whether there’s a plan to come quickly into compliance. Probe, with professional skepticism, any negative responses.
  • If there is noncompliance, identify potential legal, regulatory, financial and reputational risks, as well as the potential impact on the effectiveness of the entity’s enterprise risk management.
  • Work with your chief audit executive, chief financial officer, chief executive officer and board chair to implement any appropriate changes to bring your bank’s internal audit promptly into full compliance with all IIA standards as a minimum level of quality. Going beyond the minimum standards may also be necessary for more sophisticated entities and those with high risks.

Internal audit is a key internal control for preventing and detecting major fraud and other wrongdoing at banks. Customers, investors and other stakeholders can reasonably expect bank directors to ensure that their internal audit functions meet, or exceed, IIA standards. Bank directors can help internal audit get sufficient moral and financial support from management and the board to comply fully with IIA standards.

The Role of the Audit Committee

In addition to understanding financial, audit and risk management issues, audit committee members are being asked to take on more responsibilities and perform at higher levels than ever before. In this video, John Palmer, managing partner of ICS Consulting Partners, reviews the basic skills and requirements that every audit committee needs to be successful today.

10 Best Practices for Audit Committee Members

Serving on the audit committee can be one of the toughest jobs on the board, which is why audit committee members often are paid more than what members of other committees receive. Audit committee members have more duties than ever before, thanks to heightened regulatory scrutiny that banks have received in recent years, and are under more pressure than ever to get it right.

Sal Inserra, a partner at accounting and advisory firm Crowe Horwath LLP, spoke at Bank Director’s Bank Audit Committee Conference in Chicago recently, and laid out some of the qualities of highly functioning audit committee members. This is not his list, but was created based on his talk.

  1. Be a skeptic.
    “If you notice inconsistencies, ask the question,” Inserra said. “It’s not necessarily wrong. You are just trying to find out.”
  2. Understand your business.
    If you enter a new business line, you must understand that new line of business. Trust departments present banks with a minefield of compliance issues, for example.
  3. Meet with regulators.
    Examiners are more likely now to have a discussion with board members than in years past. Regulators are interested in learning about the audit committee’s understanding of the risks in the organization. Attend some meetings with examiners to get a flavor for the bank’s relationship with its regulators and to prepare you for any problems ahead of time.
  4. Support the internal audit department and its findings.
    Make sure the department is adequately funded and staffed. “I have seen way too many situations where internal audit was not a functional unit of the bank because no one respected them,” Inserra said. The internal audit chief should report directly to the audit committee chairman.
  5. Look for red flags.
    Red flags include when management delivers the audit committee book without sufficient time for members to digest it before the audit committee meetings. Other red flags include problematic findings that remain unaddressed between audits.
  6. Take control of the audit committee meetings.
    Don’t let management control the meeting agenda by burying you under a mountain of detail. It’s your meeting. Put the priorities at the beginning of the meeting, instead of starting with the easiest things. Get summaries of reports with the most important points highlighted. Who can read a 600-page audit in two nights?
  7. Make sure every member is contributing.
    Three to six people should serve on the audit committee. If it’s politically problematic to remove someone who is no longer contributing, add people you do need on the audit committee.
  8. Hold management accountable.
    Actively monitor management’s action plans. If remediation plans aren’t followed or completed on time, why not?
  9. Communicate with internal and external auditors.
    Be proactive. Have executive sessions with members of the internal auditing staff on a regular basis, as well as with external auditors.
  10. Improve the committee’s knowledge of technology by recruiting an IT expert to be a member, or hire a consultant to advise the board.
    If you are getting third-party reports on your bank’s information security that you don’t fully understand, then you need help.

Of course, there are many more aspects of being a great audit committee member. This is just a small sample. But at a time when audit committees have an increasing amount of responsibilities, it is important that the audit committee performs at the top of its game.