10 Best Practices for Audit Committee Members

Serving on the audit committee can be one of the toughest jobs on the board, which is why audit committee members often are paid more than what members of other committees receive. Audit committee members have more duties than ever before, thanks to heightened regulatory scrutiny that banks have received in recent years, and are under more pressure than ever to get it right.

Sal Inserra, a partner at accounting and advisory firm Crowe Horwath LLP, spoke at Bank Director’s Bank Audit Committee Conference in Chicago recently, and laid out some of the qualities of highly functioning audit committee members. This is not his list, but was created based on his talk.

  1. Be a skeptic.
    “If you notice inconsistencies, ask the question,” Inserra said. “It’s not necessarily wrong. You are just trying to find out.”
  2. Understand your business.
    If you enter a new business line, you must understand that new line of business. Trust departments present banks with a minefield of compliance issues, for example.
  3. Meet with regulators.
    Examiners are more likely now to have a discussion with board members than years past. Regulators are interested in learning about the audit committee’s understanding of the risks in the organization. Attend some meetings with examiners to get a flavor for the bank’s relationship with its regulators and to prepare you for any problems ahead of time.
  4. Support the internal audit department and its findings.
    Make sure the department is adequately funded and staffed. “I have seen way too many situations where internal audit was not a functional unit of the bank because no one respected them,” Inserra said. The internal audit chief should report directly to the audit committee chairman.
  5. Look for red flags.
    Red flags include when management delivers the audit committee book without sufficient time for members to digest it before the audit committee meetings. Other red flags include problematic findings that remain unaddressed between audits.
  6. Take control of the audit committee meetings.
    Don’t let management control the meeting agenda by burying you under a mountain of detail. It’s your meeting. Put the priorities at the beginning of the meeting, instead of starting with the easiest things. Get summaries of reports with the most important points highlighted. Who can read a 600-page audit in two nights?
  7. Make sure every member is contributing.
    Three to six people should serve on the audit committee. If it’s politically problematic to remove someone who is no longer contributing, add people you do need on the audit committee.
  8. Hold management accountable.
    Actively monitor management’s action plans. If remediation plans aren’t followed or completed on time, why not?
  9. Communicate with internal and external auditors.
    Be proactive. Have executive sessions with members of the internal auditing staff on a regular basis, as well as with external auditors.
  10. Improve the committee’s knowledge of technology by recruiting an IT expert to be a member, or hire a consultant to advise the board.
    If you are getting third-party reports on your bank’s information security that you don’t fully understand, then you need help.

Of course, there are many more aspects of being a great audit committee member. This is just a small sample. But at a time when audit committees have an increasing amount of responsibilities, it is important that the audit committee performs at the top of its game.

Fifth Third CEO: We Have 335 People Working Full Time in Risk Management

The $122-billion asset Fifth Third Bancorp learned the hard way that risk management is important.

“As recently as 2000, when we were a $40 billion bank, we operated with a limited degree of sophistication in enterprise risk,” said Kevin Kabat, Fifth Third’s CEO and vice chairman, speaking at Bank Director’s Bank Audit Committee Conference June 6 in Chicago. “I guess you could say we didn’t really even have such a function. We learned the hard way, early in the last decade, that we needed to do something about that.”

After regulators including the Federal Reserve Bank of Cleveland came down on the bank in March of 2003 and ordered a review of risk management and internal control practices, Cincinnati-based Fifth Third got to work.

“Looking now in the rear-view mirror, it was a watershed event for the bank,” said Kabat, who was president of the Michigan operation at the time, and was promoted to CEO in 2007.

Regulatory compliance moved into the enterprise risk function. Fifth Third started a risk and compliance committee of the board, appointed a chief risk officer who reported directly to the board and also gave each business unit its own risk officer. The bank created a full risk dashboard in 2004 that enabled senior management and the board to assess its risk profile in different areas, years before many other banks. The code of conduct was revised to build a risk culture among the bank’s more than 21,000 employees. By 2006, Internet fraud threats such as phishing were identified as emerging threats and comprehensive training for employees was developed to address them.

Fifth Third avoided exposure to subprime mortgages. It started to do stress tests of its balance sheet before the government required it for other big banks.

Although no banks walked unscathed through the financial crisis of 2007-2008, Fifth Third already had a risk team in place when the crisis hit and was able to take action early, suspending lending to homebuilders and cutting off home equity lines created by brokers. The bank cut its dividend by two-thirds, conserving $665 million of common equity, and it raised $3 billion in capital in 2008, making itself the last bank to raise trust preferred securities that year.

“To our knowledge, we were the first large institution in the United States to get in front of the crisis by announcing our internal stress test, including our expectation for 2009 losses, and a capital plan to meet it,” Kabat said.

The bank made it through the financial crisis well capitalized. However, it has been extremely costly to have such a huge risk management function. In 2003, maybe a dozen people worked in risk management for the bank. Now, about 335 people work full time in risk management, not counting the credit staff, or about 1.5 percent of the workforce.

For Kabat, such a function has been absolutely necessary. And it hasn’t diminished profitability.

Last year, Fifth Third had its second most profitable year in its 155-year history, with profits of $1.5 billion. Return on assets was 1.3 percent and return on average common equity was 11.6 percent.

“While deficiencies in a bank’s financial statements, or poor oversight of them, can create major problems, you are at as much risk, arguably greater, due to poor management of the enterprise risk function,” he said.

Postcard from the Bank Audit Committee Conference

Upon receiving (with great relief!) a gentleman’s C in the one accounting course I took in college oh-so-many years ago, I vowed to steer clear of the topic from then on. It’s almost impossible to spend the better part of your working life as a financial journalist and not pick up a little bit of accounting knowledge along the way—and I have, although I have been home-schooled, so to speak, rather than formally educated, and I still find the discipline to be a little mystifying.

It’s because of this arm’s-length relationship I’ve long maintained with accounting that I’m always a little surprised by how much I enjoy our Bank Audit Committee Conference, which took place June 5-7 at the JW Marriott in Chicago. This was our seventh year for the event and we attracted 330-plus attendees, most of whom were bank audit committee chairs or members. We don’t really talk about accounting issues all that much at this conference. Instead, we dive into some really fascinating non-accounting topics like government-mandated stress tests, cyber risk, regulatory compliance, enterprise risk management, whistleblowers and forensic investigations.

In recent years, the audit committee has become the most important board at most banks because just about everything of any significance that happens inside of a bank ends up passing through the audit committee in some form or fashion. The audit committee’s significance in the world of public companies was greatly elevated 11 years ago by the Sarbanes-Oxley Act, which among its many provisions made the audit committee responsible for overseeing the company’s relationship with its outside auditor.

If that was the first shoe to fall, the second shoe was the 2007-2008 financial crisis, which led to a greatly heightened emphasis by the bank regulatory agencies on risk governance at the board level. While a growing number of bank boards (especially at the larger institutions) have established separate risk committees, most institutions still handle risk governance oversight through their audit committees. I think it’s fair to say that the financial crisis was a wakeup call for most banks that they needed to do a better job of managing risk at the operating level, and that directors had to improve their understanding as well. Certainly the regulators expect bank boards to be taking a leading role in setting the institution’s risk appetite and monitoring its risk profile on a regular basis.

As you might expect, there were a lot of risk topics on the conference agenda, including overviews of enterprise risk management, board level risk committees and risk dashboards. Two sessions in particular stood out for me. One was a panel discussion that I moderated on cyber risk. I think you could describe the contest between banks and criminal hackers as an arms race in which the banks might be falling behind. Because of the creativity and sheer doggedness with which hackers try to penetrate banks, audit and risk audit committees need to make sure their management teams are placing as much emphasis on cyber security as possible. This is not an area of strength for most bank directors—they need to educate themselves about cyber risk so they can ask intelligent questions about their institution’s security practices. Over the next decade, cyber risk might end up replacing credit risk as the greatest threat facing the banking industry.

The other session that I thought was particularly insightful was a keynote presentation by Fifth Third Bancorp CEO Kevin Kabat. The Cincinnati-based bank was one of the top performing institutions in the country before it hit a rough patch prior to the financial crisis. Kabat made a compelling argument that Fifth Third’s resurgence owes a great deal to the cutting-edge risk management practices that began to develop even before the crisis.

Banking is a risky business, and managing that risk has become job one for many bank audit committees.