Audit Committee Members Face New Challenges


Audit committee members who participated in two separate roundtable discussions for public community banks at the Bank Director Peer Group sessions, held as part of the Bank Director Audit Committee Conference in Chicago on June 13, were able to let down their guard and share with their counterparts their experiences, uncertainties and pearls of wisdom. Despite being separated by thousands of miles, participants in both roundtable discussions shared their views on similar issues as if they were next-door neighbors.


It quickly became clear that the institutions represented in both groups are very focused on responding to an increase in regulatory scrutiny of how audit committees oversee the management of certain risks. This scrutiny is already being felt and is expected to intensify in the foreseeable future.

Historically, audit committee members have focused primarily on their institutions’ higher-level financial measures and performance against budgets. In addition, audit committees have devoted a significant amount of attention to the results of exams such as internal audit, regulatory safety and soundness, and external audit findings.

In response to the expected increase in the level of regulatory oversight, however, additional areas of focus are now becoming part of the regular responsibilities of audit committees over and above their past approach. These include:

  • Monitoring credit concentrations
  • Monitoring classified loans
  • Compliance-related issues
  • Monitoring the remediation of exceptions noted by regulatory examiners, as well as internal and external audit
  • Understanding new initiatives and their related risks

Furthermore, to remain current on new issues, audit committee members are using tools such as self-assessment checklists, while also seeking out educational opportunities about new and emerging regulatory and accounting matters. Clearly, expectations are rising that members engage in learning activities and document their participation.


The members also discussed their interactions with and expectations of management. Because their relationships with management are generally collegial, it can be challenging at times to maintain the fierce independence that is expected of audit committees. Members agreed that reminding each other on a regular basis of their responsibilities helps them meet this challenge.

In addition, roundtable participants considered other approaches to holding their colleagues accountable for being productive committee members, including attendance and participation requirements and peer evaluations. They also agreed that maintaining a culture of open and frank communication is vital to effective audit committee performance.

A few distinctions emerged between the two community bank roundtable groups, which were divided by size of institution. For example, members representing larger institutions (generally with more than $1 billion in total assets) have heard more from their regulators about formally documenting the identification and measurement of risks their institutions face as well as the mitigation of those risks – in other words, enterprisewide risk management. Members from smaller institutions indicated that risk identification, measurement, and mitigation were being documented less formally and generally their regulators have not asked them to do more.


Dos and Don’ts of Risk: 10 Ways to Handle Risk on a Bank Board


Lots of banks say they have enterprise risk management programs in place, but they really don’t have a full program. Others are just getting started.

“You hear the regulators want it, but that’s not the reason to do it,” said Ed Burke, who is on the board of Beacon Federal Bancorp in East Syracuse, New York, a $1 billion-asset institution that is getting started creating a program. “It will cut down on risk and we’re in the risk business.”

Here are 10 tips for getting started or enhancing enterprise risk programs. This list owes a heavy debt to Christina Speh, director of new markets, enterprise risk management, at Wolters Kluwer Financial Services in Washington, D.C., as well as to other speakers at Bank Director’s Bank Audit Committee conference in Chicago in June.

  1. Do get started. If you don’t have a complete enterprise risk management program in place, have a plan on how you’ll get there.
  2. Do set an appetite for risk inside your organization. A risk matrix is advisable.
  3. Do ask questions about future or emerging risks. What is not on the agenda that might happen? What hasn’t happened in the past but might in the future?
  4. Don’t let management set the agenda. The board sets the agenda for risk appetite and asks the hard questions about the organization’s potential risks.
  5. Do make sure that managers are getting together in different departments and creating a unified approach to measure risks.
  6. Do make sure the organization’s appetite for risk is ingrained in the strategic planning process.
  7. Do make sure your executive compensation structure takes into account the organization’s appetite for risk.
  8. Don’t let management pile on too much paperwork for the board. Insist on easy-to-understand executive summaries of risk inside an organization periodically. The executive summary should address the organization’s risks, what the potential impacts are and what the underlying assumptions involve.
  9. Don’t let the person who created the risk management framework go back and audit it.
  10. Do ask how the organization’s appetite for risk is being conveyed and monitored throughout the organization.

A CPA’s Perspective on Managing Outside Consultants


All financial institutions must hire an outside CPA firm to audit their financial statements as well as the accounting information system and controls that affect those statements. The relationship between the bank and the external consultant can be mutually beneficial – but only if the bank goes about selecting, hiring and working with the CPA firm in a systematic and effective way.

What You Should Expect – and Receive – From Your CPA

The CPA firm you hire should have industry expertise that is specifically targeted to financial institutions the size and complexity of yours, and the firm should have experience and expertise in your major lines of business. You should also expect the firm’s CPAs to have a deep knowledge of SEC regulations and professional standards such as those issued by the PCAOB.

In addition, you need to be confident that your CPA firm understands the broad spectrum of risks facing your bank, including the potential exposure and return of each. An understanding and audit of the tools that management uses to monitor the bank’s performance results is also essential.

It’s important for you to recognize the difference between your bank’s problems and the auditor’s problems. Don’t expect the auditors to take responsibility for problems that are actually management’s issues to deal with. Doing so only invites delays and a loss of independence on the part of the auditor.

The ideal CPA firm focuses on relationships. The external audit team needs to communicate and work well with the bank’s team. On both sides, clear and informative discussions upfront about roles, timelines, methodologies, controls testing, documentation and the like will go a long way toward ensuring a smooth and efficient planning, auditing and reporting process. The audit team also needs to be able to communicate effectively with the bank’s audit committee as well as management.

The Match Game

When contemplating hiring a CPA firm, you must first define your objectives. Understand and communicate the scope of what you expect the firm to do. You can select the appropriate firm only if you know your own organization well – its business, community, management strategy, performance and risks. Think long and hard about the nature of your institution’s risks, and then seek a consultant whose strengths match up with those risks.

Meet face to face with representatives of firms you are considering hiring. Read reports, ask penetrating questions and compare what they say with your understanding of the CPA firm’s reputation, skill set, and culture. Provide input and a balanced approach. Follow through in providing direction to the organization. Think through the cause and effect of problems your institution faces and use the consultants you interview to confirm your conclusions. Act on the recommendations.

You Have Rights

You have the right to continue to be involved and receive clear communication from the consultants throughout the audit and reporting process. You also have the right to receive advance warning from the CPA firm of possible problems.

Take the time to understand the auditors’ perception of the risk profile of your bank and their conclusions about management, and ask questions if you don’t.

Changing Standards, Changing Role

The best-in-class banks anticipate tomorrow’s standards by which today’s actions will be judged. The ubiquitous implementation of enterprise risk management programs in recent years should not have been a surprise given all the chatter of the past several years. And in the near future? Our crystal ball says that “stress testing” will be required soon, so now is the time to embrace it.

The Center for Audit Quality and other groups are looking into the auditor’s role, which we expect to change just as it has done before – particularly in the aftermath of the thrift industry crisis (which led to the Federal Deposit Insurance Corporation Improvement Act) and the major corporate and accounting scandals of the 1990s (which led to Sarbanes-Oxley). Look for greater CPA involvement in 10-Ks, and in risk factor disclosure in 10-Ks/Qs and MD&A.

More big changes might be on the horizon, particularly for privately held companies, in light of the analysis of the report of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, an analysis indicating that audit committee effectiveness depends on independence and the number of meetings.

Collaboration, Not Confrontation

A good working relationship between your team and the external audit team will enhance the financial reporting process, reduce surprises and generally make everyone’s life easier.

Audit Committee 101: Back to Basics


Duty of care, loyalty and good faith are the basic foundations for every board member as they strive to increase revenue and shareholder value for their institutions. As the regulatory requirements continue to expand, the role of the audit committee is quickly following suit, leaving many bank audit committee members concerned about their effectiveness.

At Bank Director’s Bank Audit Committee conference in Chicago on June 14-15, Robert Fleetwood, partner in the financial institutions group of Chicago-based law firm Barack Ferrazzano, and Todd Sprang, partner at the certified public accounting firm Clifton Gunderson, took a crowded room of audit committee members back to basics during their Audit Committee 101 session.


Cautioning that these are not one-size-fits-all requirements, Fleetwood and Sprang outlined a list of fundamentals and best practices for today’s audit committee members.

1. Understand your duties. Sprang suggested that if you are unsure of your role or responsibilities, seek a tutorial from outside counsel to ensure that every member is comfortable with their duties.

2. Recognize the reputational risk to the organization and to you as an individual. At the end of the day, you want to do the right thing by all parties. It’s never a good situation when a director has to admit that he/she didn’t read the materials or didn’t know what was going on at their institution.

3. Oversight. The primary role of the audit committee is to evaluate the audit process, oversee financial reporting, and assess the risk and control environment. To do this effectively, committee members should be asking lots of questions, requesting feedback and regularly discussing concerns.

4. Committee composition. Most boards typically look to local CPAs to fill their audit committee seats, yet having members with a wide range of expertise provides additional perspective and beneficial feedback.

5. Yes, you need a committee charter. Not only should the charter be reviewed on a regular basis to ensure that the board is complying with it, but it also happens to be a great tool for setting agendas.

6. To rotate or not to rotate? Fleetwood recommended that if you do implement a rotation requirement, it take place only after an extended period of time. The audit committee has a steep learning curve, and rotating frequently creates the risk of losing members before they have had a chance to peak.

7. Build a relationship with the external auditors. Communication is the key. Review your reports and materials ahead of time, and use the review session to ask them questions, get their perspectives on market trends, and request recommendations.

8. Internal audit reviews. Whether your institution uses in-house resources or outsources this process, a major red flag is a report with no findings. Ask why. You should always be finding ways to improve, rather than just going through the motions.

9. Setting the agenda. The agenda should follow the committee charter as well as include an annual checklist to work through regularly. Delegate the legwork to your experts and include them on the agenda periodically.

10. Attend the meetings. Distribute materials ahead of time, whether in print or through board portals, and include only what is necessary to review. Read the materials beforehand and attend in person at least quarterly.

Enterprise risk management: what it is and what to do about it


When the Federal Deposit Insurance Corp. sued Washington Mutual’s executives in March over the bank’s failure, the government’s lawyers said they “took on enormous risk without proper risk management,” marginalized the chief risk officer, and pursued an aggressive lending policy despite being warned against it.

In part because of the financial meltdown at banks such as WaMu, regulators and bank boards are more interested in how risk is handled throughout an organization.

About 78 percent of financial institutions have adopted some kind of enterprise risk management program, according to the 2011 Deloitte Global Risk Management Survey, up from 36 percent who said so in the 2009 survey.

Regulators are asking more questions about what bankers are doing about risk, and more banks are starting the process of implementing an enterprise-wide program, according to speakers at Bank Director’s Bank Audit Committee conference in Chicago June 13-15.


Enterprise risk management is about more than just insuring against known risks. It’s about what could happen in the future that you don’t even know about, said Pat Langiotti, chairman of National Penn Bancshares’ enterprise-wide risk committee in Boyertown, Pennsylvania.

“What are you not monitoring? What is not on the agenda that could happen and what would the impact be, and what are we doing about that?” she said. “What risk are you taking and is there a reward for taking on that risk that’s adequate to the risk?”

Enterprise risk is about assessing all the risks of the institution, from operational to information technology to reputational risk, on an ongoing basis, establishing an appetite for risk, and making sure conformity to that risk appetite is monitored and pervades the institution.

Some banks, such as National Penn Bancshares, a $9.4 billion-asset publicly traded bank in Boyertown, Pennsylvania, have a separate risk committee of the board to take responsibility for their enterprise risk management program, but others handle it on the audit committee.

“I don’t think a risk committee is operating to make sure there’s no risk,” said Tony LeVecchio, the audit committee chairman of ViewPoint Financial Group, a $2.8 billion publicly traded bank in Dallas, Texas. “It’s more of an understanding of what risk you’ve agreed to take. What you don’t want is to find out ‘oh my goodness, I didn’t know we had a risk here?’”

The risk appetite has to be factored into the bank’s strategic planning, said Christina Speh, director of new markets, enterprise risk management at Wolters Kluwer Financial Services in Washington, D.C.

“There is nothing more frustrating than having a process and spending energy and time on something that doesn’t do anything,” she said. “If you have no idea how this fits into your strategic plan, it’s possible you’re just doing paperwork for regulatory agencies.”

“At the end of the day, the reason you’re doing this is because you want to ensure your bank is successful and meets your strategic plan,” she said. “You have a plan and you want your bank to reach this in five or 10 years. But how do you get there? And how do you put processes in place to make sure that if risks are realized, you’re able to handle that?”


The Internal Auditor’s Role in Regulatory Compliance


The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.

This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlaying all of this compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?

Elements of a Compliance Management Program

Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.

Typically, the basic elements include:

  1. Designation of a compliance officer
  2. Policies
  3. Procedures (internal processes and controls)
  4. Regulatory change management
  5. Training
  6. Quality control (monitoring)
  7. Consumer complaint response process
  8. Audit

Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.

The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.

1. QUALITY CONTROL

The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has a reviewer – such as a supervisor or another employee independent of the originator of the activity – review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.

Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any trends developing within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.

Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.

2. COMPLIANCE AUDIT

The compliance audit provides an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers a range of information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business, and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.

The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. The compliance function should be audited less frequently than the quality control program operates; timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.

It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.

Compliance Across the Board

The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.

What audit committees need to know



Robert Fleetwood, a partner in Chicago-based law firm Barack Ferrazzano who specializes in financial institutions, will be speaking at Bank Director’s Bank Audit Committee conference June 14-15 in Chicago. Here, he discusses the increasing importance of audit committees understanding capital issues, the advent of risk committees, and the one thing all audit committee members should do.

What is the most important thing that audit committees should be focusing on in today’s environment?

I am always hesitant to say that there is one “most important” issue or factor on which audit committees should be focused. Proper governance and adhering to practical, sound procedures are always critical, and should never be dismissed or overlooked.

From an issue standpoint, it is critical that audit committees, as well as the entire board, understand the ever-increasing importance of capital in the industry’s current environment. The audit committee must understand the organization’s capital structure, the risks inherent within that structure, and the possible effects of Dodd-Frank, Basel III and the overall regulatory environment. As the past few years have illustrated, capital is key. An organization must have a clear plan regarding how to maximize its capital resources now, and how to keep its options open for the future. The audit committee can play a key and important role in that overall process.

How have the responsibilities for audit committees changed during the last few years?

One change that I have witnessed over the past few years is the audit committee’s evolving role in overall risk management. A few years ago, it was common to have the audit committee oversee the organization’s board-level risk management. As audit committees became more and more overwhelmed, enterprise risk management systems have developed and risk committees have become more common.

Recently, it has become more common that overall risk management is not centered with the audit committee, particularly at larger organizations, but instead with a risk committee or the board generally. This is filtering down to smaller organizations, but in my experience smaller companies still are more likely to have the audit committee involved in overall risk management practices. I expect that this trend will continue to evolve over the next few years.

Name a best practice that you would like to see more audit committees adopt.

There are actually a number of best practices that many audit committees do not adopt or implement, often for very good reasons. We stress that there is not a “one size fits all” when it comes to governance. Just because one of your peers implements something, does not mean that you have to adopt it, particularly if it doesn’t make sense within your organization.

One practice that is applicable to all companies, all boards and all committees, however, is the importance of having directors actively participate, ask questions and engage in meaningful dialogue with management, the company’s advisors and other directors. We often hear of situations in which directors have not asked any questions, or did not engage in any meaningful discussions, regarding important decisions affecting the company. Not only does this potentially hinder the decision-making process, but it may not allow the directors to adequately establish that they satisfied their fiduciary duties in the decision-making process. The lack of participation, or the lack of proper documentation of participation through meeting notes and other mechanisms, opens the organization, as well as the directors, to potential liability if the action ultimately has a negative impact on stakeholders.