Common Themes in Banks’ Critical Audit Matters

Beginning in 2019, auditors of large accelerated filers that file with the U.S. Securities and Exchange Commission were required to communicate critical audit matters, or CAMs, in their audit opinions. An analysis of Form 10-K filings for U.S. depository institutions for reporting periods covering June 30, 2019, through Dec. 31, 2019, reveals common themes of interest to bankers. The 10-Ks of large accelerated filers with a Dec. 31, 2019 year-end represent the first time these required communications appeared in a significant number of bank filings.

Banks that are classified as large accelerated filers might wonder how their CAMs compare to those of other banks; SEC filers that do not have the designation might wonder what to expect in their own audit opinions for fiscal years ending on or after Dec. 15, 2020.

Background
In 2017, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard 3101, which requires auditors to communicate CAMs in their audit opinions for audits of large accelerated filers with fiscal years ending on or after June 30, 2019.

The PCAOB defines a critical audit matter as “any matter arising from the audit … that was communicated or required to be communicated to the audit committee and that: (1) relates to accounts or disclosures that are material to the financial statements and (2) involved especially challenging, subjective, or complex auditor judgment.” CAMs are intended to provide insight beyond the boilerplate audit opinion and share important information with investors.

Each CAM included in the audit opinion should include:

  • What: Identification of the CAM.
  • Why: Principal considerations that led the auditor to determine the matter was a CAM.
  • How: A description of how the CAM was addressed in the audit, including a description of one or more of the following: (1) the auditor’s response or approach most relevant to the matter; (2) a brief overview of the audit procedures performed; (3) an indication of the outcome of the audit procedures; (4) key observations with respect to the matter.
  • Where: The relevant financial statement accounts or disclosures that relate to the CAM.

Number of CAMs
Crowe specialists analyzed the audit opinions of U.S. depository institutions that are large accelerated filers and filed directly with the SEC (“issuers”) with year-ends between June 30 and Dec. 31, 2019, using data from Audit Analytics.

In 2019, 150 depository institutions reported CAMs, and all depository institutions that both file with the SEC and are large accelerated filers reported at least one CAM. The average number of CAMs per issuer was just shy of 1.5. Approximately two-thirds of issuers reported just one CAM, while just under 10% of issuers reported more than two CAMs. Four CAMs was the maximum observed in any one depository institution, with only one institution reporting that number (Exhibit 1).

Exhibit 1: CAMs per issuer

CAM themes
Auditors of the 150 bank issuers reported a total of 221 CAMs. Unsurprisingly, the most common CAM was related to the allowance for loan and lease losses. This CAM appeared in every bank issuer’s opinion and constituted 68% of the total CAMs reported by bank auditors. In addition to the 150 CAMs specific to the allowance, eight CAMs were specific to the disclosure around the pending adoption of the Accounting Standards Update (ASU) 2016-13 (Accounting Standards Codification 326), commonly referred to as the current expected credit losses accounting standard.

The second most common CAM topic — business combinations — appeared 35 times across 32 issuers’ opinions. Nearly three-fourths (27) of the business combination CAMs were specific to certain acquired assets and liabilities, most commonly loans and identifiable intangible assets. Six CAMs were more general in nature and covered entire acquisition transactions. Two CAMs were specific to Day 2 acquisition accounting.

Twenty-eight CAMs were outside of the common topics of the allowance, CECL and business combinations. These CAMs spanned topics including goodwill impairment, servicing rights valuations, deferred tax asset valuation allowances, contingencies, level three fair values and revenue recognition, among others (Exhibit 2).

Exhibit 2: Banking CAM topics

The number and nature of CAMs will vary over time, but the most frequently observed topics appearing in 2019 CAMs will likely always be prevalent in bank audit opinions. As more institutions adopt CECL, the incidence of CECL as a CAM almost certainly will increase.

The prevalence of CAMs related to business combinations likely will be directly related to the level of bank acquisitions that occur in a given period. Other CAM topics such as goodwill impairment, deferred tax asset valuation allowances, and fair value considerations might increase or decrease based on market conditions.

Coronavirus Considerations for Goodwill Impairment

Given the recent impact of Covid-19 on the economy, unemployment and operations, discussions around potential goodwill impairment — and the related testing — are a hot topic for many financial institutions as the March 31 quarter ended.

Goodwill is defined as an asset representing the future economic benefits arising from other assets acquired in a business combination. Financial institutions record goodwill as a result of a merger or an acquisition. Accounting Standards Codification (ASC) 350, Intangibles – Goodwill and Other, states that entities must evaluate their goodwill for impairment at least annually. However, during interim periods, a goodwill impairment analysis could be necessary if the entity has an indication that the fair value of a reporting unit has fallen below carrying value, defined by the guidance as a triggering event. Determining whether a triggering event has occurred is challenging for many financial institutions.

Under the guidance of ASC 350, impairment testing for goodwill is required annually and upon a triggering event. Private entities electing the accounting alternative are only required to test upon a triggering event. Here are some examples of goodwill triggering events, according to ASC 350-20-35:

Macroeconomic conditions: deterioration in general economic conditions, limitations on accessing capital, fluctuations in foreign exchange rates or other developments in equity and credit markets. 

Industry and market considerations: deterioration in the environment in which an entity operates, an increased competitive environment, a decline in market-dependent multiples or metrics (consider in both absolute terms and relative to peers), a change in the market for an entity’s products or services, or a regulatory or political development. 

Overall financial performance: negative or declining cash flows, or a decline in actual or planned revenue or earnings compared with actual and projected results of relevant prior periods.

Other entity-specific events: changes in management, key personnel, strategy or customers; contemplation of bankruptcy or litigation.

Events affecting a reporting unit: a change in the composition or carrying amount of its net assets, a highly probable expectation of selling or disposing of all, or a portion, of a reporting unit, the testing for recoverability of a significant asset group within a reporting unit, or recognition of a goodwill impairment loss in the financial statements of a subsidiary that is a component of a reporting unit.

A sustained decrease in share price: to be considered in both absolute terms and relative to peers.

It is clear that Covid-19 has global impacts on some macroeconomic conditions. Financial institutions may want to assess whether they have experienced a triggering event; if they conclude there has been such an event, they will need to proceed to a goodwill impairment test. Assessing whether there has been a triggering event, as defined by ASC 350, involves judgment.

When it comes to a decline in stock price, the guidance in ASC 350 does not define what “sustained” means. In isolation, a decrease in share price is not an automatic indicator of a triggering event. The guidance suggests comparing the relative decrease to peers — if it is consistent among the industry, one may conclude that the decrease is related to general economic events and not specific to the institution individually. Banks may determine that an overall decline in the market could be indicative of macroeconomic conditions that impact the value of the company. Entities should consider forecasts and projections to determine whether the situation is expected to be temporary, and the reduction in stock price is reflective of short-term market volatility rather than a long-term, sustained decline in fair value.

The guidance does not suggest that the existence of one negative factor results in a triggering event. Rather, the guidance requires companies to assess various factors to determine whether it is probable that the company’s fair value is less than its carrying value. One way to consider the factors mentioned in the guidance is to weight them by their impact on the entity’s fair value. If the company concludes that a triggering event has occurred, then an impairment analysis should be performed to determine if in fact goodwill is impaired.

The determination of a triggering event, or lack thereof, involves judgment; management’s analysis and conclusion should be thoroughly documented. As the economic environment and resulting impacts of Covid-19 continue to shift and evolve, companies should revisit goodwill impairment triggers on a regular basis.

CECL Delay Opens Window for Risk Improvements

The delay in the current expected credit loss accounting model has created a window of opportunity for small banks.

The delay from the Financial Accounting Standards Board created two buckets of institutions. Most of the former “wave 1” institutions constitute the new bucket 1 group with a 2020 start. The second bucket, which now includes all former “wave 2 and 3” companies, is pushed back to 2023 — giving these institutions the time required to optimize their approach to the regulation.

Industry concerns about CECL have focused on two of its six major steps: the requirement of a reasonable and supportable economic forecast and the expected credit loss calculation itself. It’s important to note that most core elements of the process are consistent with current industry best practices. However, it may take banks more time to do them right than previously thought.

Auditors and examiners have long focused on the core of CECL’s six steps — data management and process governance, credit risk assessment, accounting, and disclosure and analytics. Financial institutions that choose to keep their pre-CECL process for these steps do so at their own peril, and risk falling behind competitors or incurring heightened costs in a late rush to compliance. Strategically minded institutions, however, are forging ahead with these core aspects of CECL so they can fully vet all approaches, shore up any deficiencies and maintain business as usual before their effective date.

Discussions over the impact of the CECL standard continue, including the potential for changes as the impacts from CECL bucket 1 filings are analyzed. Unknown changes, coupled with a three-year deadline, could easily lead to procrastination. Acting now to build a framework designed to handle the inevitable accounting and regulatory changes will give your bank the opportunity to begin CECL compliance with confidence and create a competitive advantage over your lagging peers.

Centering CECL practices as the core of a larger management information system gives institutions a way to improve their risk assessment and mitigation strategies and grow business while balancing risk and return. More widely, institutions can align the execution across the organization, engaging both management and shareholders.

Institutions can use their CECL preparations to establish an end-to-end credit risk management framework within the organization and enjoy strategic, incremental improvements across a range of functions — improving decision making and setting the stage for future standards. This can yield benefits in several areas.

Data management and quality: Firms starting to build their data histories with credit risk factors now can improve their current Allowance for Loan and Lease Losses process to ensure the successful implementation of CECL. Financial institutions frequently underestimate the time and effort required to put the required data and data management structures in place, particularly with respect to granularity and quality. For higher quality data, start sourcing data now.

Integration of risk and financial analysis: This can strengthen the risk modeling and provisioning process, leading to an improved understanding and management of credit quality. It also results in more appropriate provisions under the standard and can give an early warning of the potential impact. Improved communication between the risk and finance functions can lead to shared terminologies, methods and approaches, thereby building governance and bridges between the functions.

Analytics and transparency: Firms can run what-if scenario analysis from a risk and finance perspective, and then slice and dice, filter or otherwise decompose the results to understand the drivers of changes in performance. This transparency can then be used to drive firms’ business scenario management processes.

Audit and governance: Firms can leverage their CECL preparations to adopt an end-to-end credit risk management architecture (enterprise class and cloud-enabled) capable not only of handling quantitative compliance but also of addressing qualitative concerns and empowering institutions to better answer questions from auditors, management and regulators. This approach addresses weaknesses in current processes that have been discovered by audit and regulators.

Business scenario management: Financial institutions can leverage these steps to quantify the impact of CECL on their business before regulatory deadlines, giving them a competitive advantage as others catch up. Mapping risks to potential rewards allows firms to improve returns for the firm.

Firms can benefit from CECL best practices now, since they are equally applicable to the current incurred loss process. Implementing them allows firms to continue building on their integration of risk and finance, improving their ALLL processes as they do. At the same time, they can build a more granular and higher quality historical credit risk database for the transition to the new CECL standards, whatever the timeframe. This ensures a smoother transition to CECL and minimizes the risk of nasty surprises along the way.

Evolving Considerations in the CECL Countdown


Executives gearing up for the transition to the new loan loss accounting standard need to understand their methodologies and be prepared to explain them.

Many banks are well underway in their transition to the current expected credit loss methodology, or CECL, and coming up with a preliminary allowance estimate under the new standard. CECL will require banks to book their allowance based on expected credit losses for the life of their assets, rather than when the loss has been incurred.

The standard goes into effect for some institutions in 2020, which is slightly more than six months away. To prepare, executives are reviewing their bank’s initial CECL allowance, beginning to operationalize their process and preparing the documentation around their decision-making and approach. As they do this, they will need to keep in mind the following key considerations:

Bankers will need time to review their bank’s preliminary results and make adjustments as appropriate. Banks may be surprised by their initial allowance adjustments under CECL. Some banks with shorter-term portfolios have disclosed that they expect a decrease of their allowance under CECL, compared to the incurred loss estimate.

Some firms may find that they do not have the data needed to segment assets at the level they initially intended or to use certain loan loss methodologies. These findings will require a bank to spend more time evaluating different options, such as identifying simpler methodologies or switching to a segmentation approach that is less granular.

These preliminary CECL results may take longer to analyze and understand. Executives will need to understand how the assumptions the bank made influence the allowance. These assumptions include the periods from which the bank gathered its historical loss information for each segment, the reasonable and supportable forecast period, the reversion period, its prepayment assumptions, the contractual life of its loans—and how these interact. Bankers need to leave enough time for their institutions to iterate through this process and become comfortable with their results.

Incorporate less material or non-mainline loan asset classes into the overall process. Many banks spent last year determining and analyzing various loan loss methodologies and how those approaches would potentially impact their larger and more material asset classes. They should now broaden their focus to include less material or non-mainline asset classes as well.

Banks may be able to use a simplified methodology for these assets, but they will still need to be integrated into the bank’s core CECL process to satisfy internal controls and management and financial reporting.

Own the model and calculations. Executives will need to support their methodology elections and model calculations. This means they will need to explain the data and detailed calculations they used to develop their bank’s CECL estimate. It includes documenting why they decided that certain models or methodologies were the most appropriate for their institution and for specific portfolios, how they came to agree upon their key assumptions and what internal processes they use to validate and monitor their model’s performance.

Auditors and regulators expect the same level of scrutiny from executives whether the bank uses an internally developed model, engages with a vendor or purchases peer data. Executives may need specialized resources or additional internal governance and oversight to aid this process.

Know the qualitative adjustments. Qualitative adjustments may shift in the transition from an incurred loss approach to an expected lifetime one. Executives will need a deep understanding of the bank’s portfolios and how their concentration of risk has changed over time. They will also need to have an in-depth knowledge of the models and calculations their bank uses to determine the CECL allowance, so they can understand which credit characteristics and macro-economic variables are contemplated in the models. This knowledge will inform the need for additional qualitative adjustments.

Anticipate stakeholder questions. CECL adoption will require most banks to take a one-time capital charge to adjust the allowance. Executives will need to explain this charge to internal and external stakeholders. Moving from a rate versus volume attribution to a more complex set of drivers of the allowance estimate, including the incorporation of forecasted conditions, will require the production of additional analytics to properly assess and report on the change. Executives will need to ensure their bank has a proper reporting framework and structure to produce analytics at the portfolio, segment and, ultimately, loan level.

What’s The Same – And What’s Not – In Assessing Credit Quality


Since the 1970s, there has been an inevitable march toward a macro, quantitative assessment of credit quality. Technology and big data ensured its emergence to complement the more traditional, transactional counterpart of credit risk management.

Since the adoption of the 2006 allowance for loan and lease losses (ALLL) guidance, and the ferocity of loan losses during the great recession, we have seen the growing confluence among credit, accounting, regulatory and investor constituencies attempting to answer the same age-old questions: How much loss is embedded in the loan portfolio? How much is this portfolio worth?

While having comparable goals, each level of management has its priorities, biases and specialized methodologies for answering those questions. For directors, there may be a need to connect the dots to determine the objective of these measures.

Today’s ALLL
The current loss methodology was also used in 2006, prior to the massive, mainly real estate, credit losses from the great recession. The 2006 methodology included pool, formula-driven and specific impairment loss estimates. The incurred loss bias of the current methodology–often known as a “run-rate” approach–inflates the most recent credit quality performances. With no significant losses prior to the crisis, the industry was largely pushed into the abyss with low loss reserves–unable to raise reserves for forecasted losses. Given the relatively benign state of credit currently, it could be said that we are back to the future, having to defend ALLL levels, largely with qualitative justifications.

Tomorrow’s CECL
The soon-to-be implemented current expected credit loss (CECL) methodology is the inevitable reaction to the roller coaster nature of today’s ALLL. Some even consider it a fall back to the failed bid, about eight years ago, to impose mark-to-market valuations on the entirety of banks’ loan portfolios. Regardless of the pejorative “crystal ball” moniker often describing CECL–not to mention estimates of significant Day One implementation increases in reserves–its integration of historical losses, current conditions and reasonable forecasts is designed to be the more holistic, life-of-loan estimation of losses.

There is a high presumption in CECL that quantitative measures, such as discounted cash flows or probabilities of default (PDs)/loss given defaults (LGDs), overlaid by recovery lags, will be used to project future losses. In theory, it may be a more reliable estimate than the current guidance; however, its greatest hindrance is the perception that it is yet another de facto variant layer of capital buffer mandated by the Dodd-Frank Act, and Basel III.

Exit Price Notion
This accounting-based fair value measure disclosure (ASU 2016-01), often referred to as fair value/exit pricing, is new for 2018 and specifies the method by which public financial institutions calculate the fair value of their loan portfolios for purposes of disclosure. Fair value is the amount that would be received to sell an asset or paid to transfer a liability at the measure date. The estimate of fair value must be supported through specified protocols of valuation and calculation. Credit-based assessments, coupled with ties to loan review and risk grade migrations, will be key to justifying a reasonable, point-in-time fair value calculation.

Credit Mark in Mergers & Acquisitions (M&A)
Speaking of fair value, in M&A, it is truly in the eye of the beholder. How skeptical is the buyer? How much does the buyer want the deal? Determining a credit mark, or rational estimate (or range) of discounts to be applied to a prospective purchased loan portfolio, is very much a credit-based, symbiotic marriage between a traditional, more qualitative loan review and the more quantitative metrics of PDs, LGDs, risk grade migrations, yield marks, recovery lags and probabilistic modeling. Using one approach, without the informing nature of the other, is problematic and increases inaccuracies. What is sacrosanct in a credit mark is that an institution never wants to undershoot the estimates. Accounting plays a greater role when the deal-negotiated credit mark is refreshed at the deal’s completion, known as Day One accounting.

The credit discipline has often been described as a qualitative decision stacked on an array of quantitative metrics. That remains an apt description for transactional credit–where it all begins. However, the new frontier in managing credit risk, even at smaller financial institutions, is in the ever-evolving, mostly mandated, macro, quantitative measures–some of which are described above. Each of these, not unlike a Venn diagram, has similarities and overlapping portions, but each has separate purposes, as well. Directors, like credit officers, need to understand and embrace these quantitative measures, which will, in turn, lead to better decision making for the bank.

Fair Lending Compliance Is Becoming More Complex and More Challenging


Compliance with fair lending regulations has become dramatically more complex over the past several years. Although the underlying regulations have been in place for decades, monitoring by the Consumer Financial Protection Bureau’s (CFPB) Office of Fair Lending and Equal Opportunity, coupled with vigorous enforcement by the U.S. Department of Justice (DOJ), has increased lenders’ risk factors substantially.

Fair lending forbids discrimination based on “prohibited basis” factors: race, religion, ethnicity, national origin, gender, marital status, age, familial status, disability, receipt of income from public assistance sources, and the applicant’s exercise of rights under the Consumer Credit Protection Act. Problems can arise when lenders fail to monitor risk factors:

  • Underwriting. Lenders need to monitor and document any disparities in underwriting outcomes based on a prohibited basis as well as any inequitable application of exceptions to underwriting policies.
  • Pricing. Statistically significant differences in interest rates, fees, or other characteristics offered to applicants by prohibited basis create pricing risk.
  • Steering. It is illegal to steer members of a prohibited basis class to less favorable—often more costly—loan products. Offering similar if not identical products with different pricing through different business units can have the same effect as steering.
  • Servicing. Once all the loan documents have been signed and the customer is on board, posting of loan payments or waiving of late fees needs to be done equitably across a client base.
  • Redlining. Lenders need to be careful when analyzing where their customers live to avoid unintentionally redlining, which involves drawing red lines on a map around neighborhoods where lenders do not want to do business.

Enforcement Trends
In February 2010, the DOJ established the Fair Lending Unit to focus on potential abuses in the consumer lending sector. Since then, the DOJ has filed or resolved 36 lending matters under the Equal Credit Opportunity Act, the Fair Housing Act, and the Servicemembers Civil Relief Act. Settlements have provided more than $1.2 billion in relief for affected communities and individual borrowers.

Although much of this money came from settlements with major lenders, in 2013 the DOJ reached settlements with four community banks that each had less than $400 million in assets. Many of these settlements—large and small—involved pricing discrimination against minority borrowers.

Proposed HMDA Reporting Requirements
On July 24, 2014, the CFPB issued a proposed rule for the expansion of data that lenders need to report under the Home Mortgage Disclosure Act (HMDA). The CFPB wants to use HMDA data to increase awareness of the housing market and, more broadly, the availability of credit. The most significant changes to the HMDA would include:

  • Mandatory reporting of home equity lines of credit (HELOCs) and reverse mortgages
  • Quarterly reporting for large institutions
  • Changes to reporting thresholds—a 25-loan minimum for depository institutions
  • Inclusion of an additional 37 data fields, some of which involve qualitative factors, expanded borrower data, or items related to qualified-mortgage and ability-to-pay rules

Banks and their boards can begin to prepare for the changes by discussing the following questions:

  • How do we currently collect HMDA data?
  • Can our existing staff collect and record the required data values?
  • What steps are the developers of the mortgage application or underwriting system that we use taking to prepare for the changes?
  • Do individuals responsible for potentially newly covered areas such as HELOCs and reverse mortgages have sufficient experience with the HMDA?
  • Have we conducted data reviews to confirm accurate recording of HMDA data?
  • Are we prepared for the potential implications of the new data disclosures? Regulators, consumer rights organizations, advocacy groups, competitors, and others will be looking at HMDA data.

Raising the Ante on Compliance
Compliance with fair lending regulations requires a greater focus on data integrity and the ability to manage statistical models than in prior years. Lenders that have not yet made the investment in internal and external resources to handle the new, expanded and increasingly sophisticated tasks need to consider steps to remain competitive in a challenging marketplace.

Rules of Engagement: Dealing With External Auditors


Banks’ financial statements tell their performance story to the outside world. Because the banks’ independent external auditor’s reports provide assurance about the quality of the information in the financial statements, the audit committee’s relationship with the bank’s external, independent auditor is very important. The auditor/audit committee relationship is key to the committee’s ability to monitor financial reporting risk, to oversee management of regulatory compliance risk, and to perform the committee’s other oversight and monitoring functions. Your audit committee’s management of this relationship is critical to the discharge of your obligations under most committee charters.

Because the external auditor’s product is assurance, the auditor will measure the efficacy and operation of the bank’s systems of control to determine where the auditor believes the financial reporting risks—errors or fraud—are greatest. The auditor will test the bank’s control systems, to determine the extent to which the auditor can rely upon the control systems to produce reliable financial statements and required related financial information. Because auditors’ judgments about the auditor’s risk, for example, failing to find misstatements that exist, or determining there is a misstatement when there is not, help determine the nature and extent of the audit procedures, questions between auditor and audit committee shape the audit scope, and the nature and extent of the procedures the auditor performs.

There are two key aspects of the information exchange process between auditor and audit committee: required communications and auditor/audit committee meetings.

Required auditor communications are determined under the American Institute of Certified Public Accountants (AICPA) “Codification of Statements on Auditing Standards.” AICPA AU-C-260 “Communications with Those Charged with Governance” (previously AICPA SAS 61 and SAS 114) deals with required communications from the external auditor. Additional authority for publicly traded banks is found in the Securities and Exchange Act of 1934, Section 10(A) and Public Company Accounting Oversight Board (PCAOB) Auditing Standard 16. Communications regarding significant deficiencies and material weaknesses in controls identified in the audit are covered under AICPA AU-C-265 and PCAOB AS5 (previously AICPA SAS 115).

PCAOB AS16, governing public issuers of securities (including publicly traded banks) requires certain matters to be communicated in writing by the auditor. In the planning stage, they include the following:

  • Written engagement letter defining the scope and terms of the engagement
  • That the auditor has discussed with the audit committee any matters known to the committee and relevant to the audit, including possible violations of law or regulation
  • An overview of the overall audit strategy, including the timing of the audit
  • Significant risks identified during the auditor’s risk assessment procedures

After most audit procedures have been performed, and generally communicated concurrent with the issuance of the auditor’s report, the external auditor’s communication should include the following:

  • Changes in critical and significant accounting policies and the adequacy of, application of, and disclosures regarding accounting policy changes
  • Critical accounting estimates (e.g. for a bank, the allowance for loan and lease losses or ALLL)
  • Significant unusual transactions
  • Difficult or contentious matters for which the auditor consulted outside the engagement team and that the auditor reasonably determined are relevant to the audit committee’s oversight of the financial reporting process
  • When the auditor is aware that management consulted with other accountants about significant auditing or accounting matters and the auditor has identified a concern regarding such matters
  • A schedule of current year uncorrected, immaterial misstatements and corrected errors that were brought to management’s attention by the auditor

On this last point, the auditor is not a component of the bank’s system of controls. Errors caught and corrected within the bank’s system of control are indicative of a control system that is working; auditor-found errors are indicative of a control system that may have weaknesses.

Apart from the required written communications, scheduled but less formal discussions at audit committee meetings, between auditor and audit committee, can be very productive financial reporting risk management tools.

I serve as chairman of an audit committee for a bank, and when our audit committee meets with our external auditors, the committee is free to ask whatever they wish. Some members prepare questions in advance; others will wait until the required communications have been made to form their questions. Management is excluded from the question-and-answer session with the external auditor. Questions generally take a skeptical but respectful tone, and frequently include the following:

  • Did anything found during your work surprise you?
  • Did anything found during your work surprise management?
  • Were there any times during the audit when you believed management was not fully prepared or forthcoming in responding to requests?
  • Were there any other difficulties encountered during the audit?
  • Are there tools the bank’s management team is using (as to operations and financial reporting) that are obsolete or inefficient given your observations at banks of similar size and complexity?
  • What regulatory matters are you seeing that are receiving more or less scrutiny than in the past?
  • What are the emerging accounting topics that could have future impact on the bank’s financial reporting?
  • Do you believe the accounting and financial reporting functions in the bank have adequate resources?  If not, are there suggestions the auditor could make?
  • Were you able to rely in any way on the work performed by internal auditors?
  • Were there any repeat matters of concern or concerns from prior audits that were unresolved?
  • What is the required partner rotation to maintain auditor independence and what is the plan and time frame for the next rotation?
  • What unplanned audit procedure did you perform to surprise management and what was the outcome of the procedure?

While not meant to be all-inclusive, the questions listed above help provide the basis for a frank and useful discussion with the bank’s external auditors. By always taking your bank’s and management’s unique characteristics and attributes into account, you can develop your own questions to help the audit committee and the auditors discharge their financial reporting risk management functions.

There’s a New Framework for Internal Controls: What Boards Need to Know


The COSO framework, which stands for Committee of Sponsoring Organizations of the Treadway Commission, is used by most public companies when reporting on the effectiveness of their internal control over financial reporting in compliance with the Sarbanes-Oxley Act.

The organization, whose sponsoring members include the American Institute of CPAs and the Institute of Internal Auditors, released an updated version of its major guidance document in May of 2013, called Internal Control—Integrated Framework.

As a member of a bank board or audit committee, it is important to have an understanding of how these changes might impact your bank.

Banking regulators are putting more pressure on banks to diversify lending while simultaneously improving credit risk management and reporting, and they are also after banks to focus on IT security. The 2013 framework creates a more formal structure for designing and evaluating the effectiveness of internal controls by codifying the fundamental concepts associated with them. A set of 17 broad principles relating to internal controls, which were present but deeply buried in the earlier framework, now supplement the five components held over from the 1992 framework. These components and associated principles are:

  • Control environment

    • Demonstrates commitment to integrity and ethical values
    • Exercises oversight responsibility
    • Establishes structure, authority and responsibility
    • Demonstrates commitment to competence
    • Enforces accountability
  • Risk assessment

    • Specifies suitable objectives
    • Identifies and analyzes risk
    • Assesses fraud risk
    • Identifies and analyzes significant change
  • Control activities

    • Selects and develops control activities
    • Selects and develops general controls over technology
    • Deploys through policies and procedures
  • Information and communication

    • Uses relevant information
    • Communicates internally
    • Communicates externally
  • Monitoring activities

    • Conducts ongoing or separate evaluations
    • Evaluates and communicates deficiencies

Entities must demonstrate compliance with the principles associated with each component above to conclude that the component is present and functioning.

Also new to the 2013 framework are 75 points of focus that relate to external financial reporting. These specific considerations relate to each of the principles above, such as “assesses fraud risk,” and are important characteristics to consider in determining whether the corresponding principle is, in COSO’s terms, “present and functioning.” Not all points of focus need be met to conclude that a principle is present and functioning.

A key first step is determining how the 2013 framework will affect your internal controls’ design, documentation and evaluation. While many businesses have an abundance of transaction controls but gaps in other areas, banks—which operate in a regulated environment with frequent examinations—are more likely to have implemented many of the entity-level and monitoring controls that other companies lack. Still, since some of these controls may not have previously been identified as key SOX controls, additional documentation may be necessary.

Your staff should begin by matching existing documented controls with the new principles and associated points of focus. Next, they should compare each principle and point of focus to your existing controls to assess whether the controls are sufficient to conclude that each principle is present and functioning. A fair amount of judgment is involved in determining which controls address a specific principle or point of focus, and undoubtedly there will be many relationships between your existing controls and the COSO principles and points of focus.

If you can conclude that the principles are covered, no further analysis is necessary. But if it appears a principle isn’t covered, your staff should determine whether the unmet principle or point of focus is due to an entirely missing control—an activity the institution doesn’t perform—or an undocumented control. Many apparent gaps are often the result of missing documentation, not necessarily missing controls.

At this point, staff should determine whether undocumented controls should be formally documented as part of your bank’s SOX program or if new controls are necessary to mitigate the missing controls. This is an important point and should be considered carefully. Although your SOX program may be based on the 2013 framework, not all points of focus need to be covered by a key SOX control.

The process of mapping your internal control documentation to the principles and points of focus and mapping each principle and point of focus to your documented controls will help you evaluate your mix of control activities, the levels at which activities are applied, and segregation of duties. This exercise will determine how close you are to complying with the COSO 2013 framework—and put you on the path to full compliance.

Tax Due Diligence: It’s Not Just for Acquisitions


When you hear the phrase “tax due diligence,” you probably think about investigating the tax situation of a target company in a potential acquisition transaction. But what about performing due diligence on your own management’s ability to accurately administer, account for, and report your company’s tax positions? Taxes are typically one of a bank’s largest expenses. Deferred tax assets are often a sizable balance sheet asset and regulatory capital component. Taxes also are a key focus of Securities and Exchange Commission financial statement reviews and a frequent cause of financial statement restatements and material weakness citations. So perhaps a bank’s board of directors, or at least its audit committee, should perform periodic tax due diligence on its own organization.

But what questions would you ask, particularly given a board’s role is one of policy-setting, strategic direction, and high-level oversight rather than daily management? If you understand what management should be doing to control risk in this area and where or why controls malfunction, you can tailor your queries to effectively address your organization’s tax complexity profile.

What Should the Controls Be?

Consider these four areas of risk and control in the administration and financial reporting of income taxes:

  • Are the bank’s tax expense and balance sheet positions accurately computed?
  • Are these positions recorded in the general ledger and reported in financial statements accurately and adequately?
  • Are tax payments and tax filings made timely and accurately? Are tax notices responded to promptly?
  • Are the individuals involved in tax administration staying abreast of and adequately addressing developments in tax law, accounting rules, and the company’s own activities?

Critical to the first three items are adequate checks and balances. That means management should be making sure that tasks are actually completed and completed correctly, and that there is a reconciliation of general ledger tax activity to the financial statement computations and to the return filings, particularly if the three areas are handled by different people or groups.

Vital to the fourth item is knowledge about changes in tax or accounting rules and the firm’s activities. For instance, the bank might have opened a loan production office in a new state or bought an investment banking firm in a new country that will affect the company’s taxes. Do the relevant people have a process to discover the event, the requisite skills and resources to understand how it affects the company’s taxes, and the ability to incorporate those effects into tax computations and returns?

Another due diligence focus for the board is oversight of the company’s internal controls.

Where or Why Do Internal Controls Malfunction?

There are myriad reasons controls break down, but consider these three factors:

  • Personnel turnover might lead to replacements who might not bring the same level of tax knowledge and who need time to learn the company and establish internal communication channels. Additionally, balls could drop while vacated positions are being filled.
  • The company is large and dynamic, has many personnel in many divisions and locations, is taxable in many jurisdictions, and undertakes numerous acquisitions or other changes in processes, service offerings and markets. It has a complex tax profile where application of the law is not always clear and tax authorities could easily disagree.
  • Internal auditors, whose job it is to test the effectiveness of company processes and controls, might lack the requisite specialized tax knowledge to adequately assess the tax function and controls, thus missing potential warning signs.

Tailoring Queries to Your Organization

For a smaller community bank, the personnel issue might be most critical and the board more hands on about tax matters. Ask about the tax qualifications of the people performing the work, particularly those reviewing it, and what management’s process is for making sure there is adequate internal tax knowledge and coverage. Ask whether outside experts are involved if needed.

For a large organization with sizable tax and finance departments, the ever-changing and complex environment might lead you to ask about management’s process for identifying and determining whether to take any aggressive tax positions and how tax personnel learn of corporate developments.

For an organization of any size, you might inquire how comfortable the internal auditor is with assessing the effectiveness of the tax function and its controls and whether a third-party expert should be used for this purpose. Don’t hesitate to ask the financial statement audit team for comments on management’s tax processes and abilities.

Consider the potential for sizable error in your company’s tax positions, and don’t hesitate to perform a little in-house tax due diligence.