If you’re serving on an audit committee, congratulations. That may be the toughest and most time consuming committee of a bank board. If you find that it isn’t getting any easier, you’re not alone.
As Bank Director gears up for next week’s Bank Audit & Risk Committees Conference in Chicago, we spoke to accountants and consultants who advise banks on the biggest trends impacting audit committees this year.
Audit committees are clamoring to learn how to be more strategic. Jennifer Burke, a partner at Crowe Horwath LLP, says she gets lots of questions from audit committees about how they should focus more on big picture issues, and not get bogged down in all the details. They have the usual responsibilities: supervising an internal auditor, hiring an external auditor, reviewing audits and following up to make sure problems are fixed, but they have a lot more to keep track of as well, including a widening array of new regulations and accounting pronouncements, as well as, in some cases, risk management and cyber risk issues. “It’s not easy to be on an audit committee these days,’’ she says. “There’s not a box to check to make sure your bank will survive.”
Audit committees will begin asking questions about the implementation of Financial Accounting Standards Board (FASB)’s new standard on loan loss impairment. The organization is expected to publish final rules in the next week or two for what’s known as the Current Expected Credit Loss Impairment Model (CECL). “It’s the biggest accounting change for banks we’ve seen in a decade,’’ says Carol Larson, a partner at Deloitte & Touche LLP. Under the current incurred loss model, banks reserve for loan losses based on incurred losses. Under CECL, which is expected to go into effect in 2020, banks will have to reserve for estimated losses over the life of the loan, based on the experience with other, similar types of loans. As soon as a bank makes a loan, it will likely have to record a reserve for that loan. “Banks don’t like this model we’re moving to,’’ Larson says. “It’s going to significantly increase their reserves. You can imagine regulators really like it a lot.” Since banks will want to run the new model for a year in advance of the rule going into effect, Larson suggests banks should try to have a concrete plan and timeline for implementation this fall.
Audit committees increasingly burdened with bank-related compliance issues are trying to be more efficient. Larson says boards often hand over compliance-related problems and oversight of new regulations to audit committees, which have seen such work escalate since the financial crisis. It used to be fairly uncommon for a bank to get hit with a regulatory “matters requiring attention” notice. Now, it’s fairly common for a bank to have 20, Larson says. “It’s mind numbing on some level,’’ she says. It’s fair for an audit committee to ask questions not just about adding employees to the compliance department, but how to add them efficiently. Perhaps the old way of doing business is no longer the most efficient way, and data analytics could help banks in some ways handle the compliance burden effectively.
Cyber risk is a huge concern. Bank boards are worried about cyber security, there’s no doubt about it, and much of this oversight is handled at the audit committee level, especially for smaller banks. About 28 percent of bank audit committees handle cyber risk in the audit committee, with smaller banks more likely to handle this in audit than banks over $5 billion in assets, according to Bank Director’s 2016 Risk Practices Survey. A good practice is not to assume you can plug every leak, but to get prepared for the almost inevitable data breach, Larson says. Just like a natural disaster, data breaches aren’t necessarily preventable, but you can prepare with a good disaster plan.