How to Get Ready for a Safety and Soundness Exam

There are few events in the life of a bank that are more important than a safety and soundness examination by the institution’s primary regulator. A passing grade means the bank will be able to execute its growth strategy, including acquisitions, product development and business expansion, with little interruption or objection from its regulator. Not only does a failing grade mean that the bank’s major growth initiatives will probably be put on hold, but its management team will have to spend both time and money fixing the deficiencies—resources that otherwise would be spent on more productive pursuits. Gary Bronstein, a Washington, DC-based partner at Kilpatrick, Townsend & Stockton LLP, offers advice to bank management teams and boards on how to prepare for an exam in an edited conversation with Bank Director Editor in Chief Jack Milligan.

Preparing for a Safety and Soundness Examination
The first thing, which is probably the most important thing, is for management and the board to review any deficiencies or matters requiring attention from the prior exam and make sure those have been addressed. The regulators will verify and review the effectiveness of any corrective action taken after a prior exam. A few other things that are perhaps a little less pressing but still important to consider include any changes in the bank’s business activities since the last exam. You might want to take a look at your policies and procedures to make sure that those have been updated to reflect the new activities. For example, if the bank is engaging in a new lending activity or a new subsidiary activity, do the policies and procedures reflect what they’re doing? Also, if you’re expanding to new markets, that also may require a look at the policies and procedures.

It’s also important that you prepare your employees for the examination process. You ought to make sure that they’re aware of the exam, that it’s coming, what the schedule is, when the examiners will be there and where they’ll be located. Remind employees of simple things about office protocol that you might take for granted, such as not having business discussions in public areas where they may be overheard by an examiner, and not leaving documents lying around in conference rooms and on photocopiers that examiners might have access to and that might contain sensitive information that you’re not ready to provide. Employees should be knowledgeable about the policies and procedures for which they’re responsible, because they may be asked to talk about them.

Approximately 30 to 90 days before the exam, the bank will receive what’s called a first day letter, which talks about the scope of the exam. That is to be taken seriously. It’s important to do your homework relative to that letter and what’s in it. The other thing that’s worth looking at is that each of the federal banking agencies has an examination manual that’s posted online. It sets forth the supervisory and examination objectives. That’s absolutely worth reviewing. It’s a good idea to appoint a point person at the bank who is responsible for handling all inquiries that arise during the exam. And when you gather information for examiners, keep a record of what you’ve gathered so that in case anything gets lost, you have a record of it.

The Importance of the Initial Meeting With the Examiners
It’s important to think in advance of an exam about the opening meeting that will take place with the examiners. It’s important to make a good first impression because that can set the tone for the exam. You should probably have your full executive team present for that. I don’t think it’s necessary to have board members at that initial meeting because most banks generally think of an exam, certainly at the initial stage, to be more of a management function, rather than a board function. It might be a good idea to have your compliance officer present, as well as key officers in charge of particular business units. You might start off the meeting by talking about issues that were raised during the prior exam and address those up front. Address some changes that have taken place at the bank since the last exam so that the examiners are well-informed of what has taken place. Set the ground rules for how this is going to unfold in terms of how long they’re going to be there, what days of the week and the person to contact.

Other Pre-Examination Considerations
Take care of logistics, such as where the examiners are going to sit. Make sure they have access to things that they need because that sets a nice tone. It’s a good idea to be proactive. Sometimes you have new examiners who are not familiar with your bank, so it’s a good idea to start off with a summary of your business, where you’re headed and what your control environment looks like. Also, you might consider self-identifying issues or problems, but don’t do that without being prepared to provide a remediation plan of how you’re going to deal with those issues.

And make sure your files are organized because it sets a bad tone if you’re having difficulty finding things and it takes a long time, so organize your files related to things you expect the examiners are going to look for.

Conducting a Mock Examination
Some banks conduct a mock regulatory examination, which may help you prepare for the process and identify areas to focus on. It could be performed by someone at the bank who is experienced in having gone through a number of exams, so they’re familiar with how the examination process takes place. Or you could use an outside consultant who walks you through an initial meeting, gets you prepared for issues that would typically arise during the exam. What happens if the examiner approaches you about X, Y or Z? How are you going to respond? What happens if you disagree with an examiner? Who’s going to be the spokesperson and how can you effectively address the disagreement?

Handling Difficulties as They Come Up During the Exam
Issues regularly come up during an exam. They could be tactical in nature. It might be the examiner taking a position that there’s been a regulatory violation. Is that based upon a law or regulation? It might not, in fact, be a violation, but there may be a disagreement. It might be a reasonable and understandable disagreement. It may not be. It may be a misunderstanding about something that the bank is doing that they’re actually not doing. It can be a mistake. Some of the examiners are inexperienced and like any person, an examiner can make a mistake. The question becomes, how do you proceed?

My first piece of advice for disagreeing with an examiner is this: Proceed with caution. The last thing you should do in communicating with the examiner is to dress that person down, or berate the person. I’ve seen that happen and things deteriorate quickly. That’s a bad idea in almost any scenario but it’s certainly a bad idea when you’re dealing with an examiner or regulator. You should never be condescending or disparaging. I think it’s important to be non-defensive, factual, unemotional and just set forth why you disagree. If it’s done in a constructive manner, it should go pretty well.

The Importance of Dealing With Problems as They Come Up
Whether it’s a regulatory violation or some other significant issue that arises during the exam, the bank should make every effort to try to get it resolved, hopefully while the examiners are still there, but certainly before the examination report is issued. If it’s a regulatory violation, it’s a good idea to get the lawyers involved, whether it’s in-house or outside counsel, to get an opinion about whether or not the situation does rise to a regulatory violation and then address it head-on, but again in a constructive way. Hopefully, it can be solved by resolution as opposed to a heated argument.

The Board’s Role in Preparing for a Safety and Soundness Examination
The one thing the board can be doing all year long is to make sure that any discussions about board oversight of management are properly recorded in the minutes, because the examiners are going to look at the board minutes, and I’ve heard it said on many occasions that from an examiner’s perspective, if it’s not in the minutes, it didn’t happen. That’s not to suggest that you should have a stenographer on hand to record every word, but it ought to be a fair summary of what discussions have taken place, particularly with respect to the prior exam. It’s important to have a record that these issues were discussed, that the exam was discussed, the response was discussed and questions were asked.

It is important that there be a tone at the top communicating that the examination process is important, and that begins with the board and the senior management team. As far as board involvement is concerned, certainly if it’s a troubled bank, the board is going to be more involved in the examination process and there’s the expectation that the board will be. With a healthy bank, you might have the chair of the audit committee be available as needed. Issues that may be discussed include the internal audit process and the internal controls environment. The audit committee chair is the most credible person to discuss those issues.

Managing the Post-Examination Process
As always, management is on the front lines and the board is performing an oversight function. I think it’s important after the exam to have open lines of communication with the examiners, particularly with an issue that might be unresolved, because I think it’s important to vet those issues, provide additional information, and hopefully correct those issues before a final report is released, so that kind of back-and-forth communication between management and examiners is important. If there are any issues of significance, those ought to be brought to the board’s attention as soon as possible so that the board is aware of it. If they’re significant enough, the examiners are going to want to meet with the board, so the board needs to be well informed before any meeting takes place with the examiners.

The final report ought to be reviewed carefully and a well thought out plan for correcting any problems ought to be developed. The written response ought to be delivered in a non-defensive and factual way, without getting combative. I think it’s important not to over-commit to remediation and corrections because the last thing you want is to commit to doing something and you’re unable to deliver. It’s important at the board level that there be a written record of discussions about the exam process, the report, the response and it’s important that management fully report to the board about the issues that arose during the exam. The board ought to be engaged and ought to challenge management about the areas of concern that were raised during the process, because ultimately, the board is going to be held responsible if there are any repeat violations of issues raised during the exam.

The Audit Committee: Help Them Help You

An effective audit committee is a critical component of a financial institution’s corporate governance, but such a committee is not the result of an accident. It is formed through a deliberate process that includes appointing qualified individuals, providing adequate resources and offering other appropriate support.

The Right People
Every effective team begins with an effective leader to serve as chairperson. To fill that role for the audit committee, the board must select an independent director who, at a minimum, possesses an understanding of U.S. generally accepted accounting principles and the importance of internal controls. The audit chairperson should have a sense of the pressure points where the institution might be particularly vulnerable to fraud. Often, board members are business owners, managers in other organizations, or educators and will need help to acquire the requisite skill sets to lead or participate on the audit committee.

The Right Resources
With accounting standards, regulatory compliance requirements and risk factors continuing to change at a rapid pace, boards need to commit time and money to keep the chairperson and the audit committee up to speed. New accounting rules revisit some long-standing techniques in order to establish a more transparent level of reporting. Also, the introduction of the Consumer Financial Protection Bureau (CFPB) added complexity to regulatory compliance, and a bank that runs afoul of the new rules could suffer substantial harm to its reputation. In addition, technology and customer demands for access to services through nontraditional channels add risks never contemplated 10 years ago.

To help the audit committee stay current, the board should provide it access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring the activities at other banks. Their publicized experiences (for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular attention from the audit committee. Audit committee members must be intimately familiar not just with their own bank—but also with the banking industry as a whole.

The Right Support
Although it is management’s responsibility to establish processes and controls to manage risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored. The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility.

As with the audit committee, the success of internal audit hinges on the training and experience of the team members and on the provision of necessary resources. The importance of these elements increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required of publicly traded companies, because management must attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.

Bear in mind that a bank’s growth often is not mirrored in changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles will be prolonged if internal audit has insufficient personnel. When the board looks strategically at the organization, it must align the expansion of the business with the risk mitigation process—including internal audit resources. Even the most capable audit committee will prove ineffective without a well-armed internal audit team.

The board also should recognize that its attitude and that of management toward internal audit frequently contributes to its success (or lack thereof). Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk. If management is dismissive of findings, and the audit committee or board is disinterested in follow-up, the value of the internal audit role will erode quickly.

The Right Approach
Board members are elected to oversee the activities of their bank, and the audit committee is an integral part of that oversight. It is in the board’s—and the bank’s—best interest to provide both the audit committee and internal audit with the training and resources necessary to execute their responsibilities.

Maintaining Internal Audit Independence Regardless of Structure

Whether your bank uses an in-house, an outsourced or a co-sourced internal audit function, the internal audit program must be independent. And no matter the arrangement, management and the board have a degree of responsibility for internal audit’s efficacy—as such, they must accept ownership of this function even where it is fully outsourced.

As part of this, nationally chartered banks need to comply with the requirements issued by the Office of the Comptroller of the Currency (OCC) in October 2013 entitled “Third Party Relationships: Risk Management Guidance,” which deals with the selection and ongoing oversight of all critical third-party relationships, including outsourced or co-sourced internal audit arrangements. Although the guidance is addressed to national banks, it also establishes a best practices approach for state chartered banks that are supervised by the Federal Reserve or Federal Deposit Insurance Corp. The OCC guidance stipulates that banks must implement effective risk management processes to actively manage outsourced vendors, and that the roles and responsibilities for overseeing and managing all third-party relationships be specific and clearly defined. Therefore, whether the bank outsources or co-sources all or parts of an internal audit program, this does not diminish the responsibility of its board of directors and senior management with respect to overseeing and managing the program.

So the question becomes how best to manage outsourced or co-sourced internal audit relationships while optimizing the independence that is necessary for boards and audit committees in the fulfillment of their responsibilities.

Banks are deploying a variety of approaches driven by organizational structure, cost or culture. Sometimes these are successful, but they often fall short of regulatory expectations.

It is possible to achieve a quality internal audit program as long as the board and management adhere to a number of key principles and are truly committed to having an internal control environment that helps the bank manage its risks.

Our firm has helped hundreds of banks implement effective internal audit programs in both full outsourced and co-sourced scenarios. Some of the elements that we have found most critical to building an effective program include:

Corporate Governance: Corporate governance and the tone at the top is the foundation of an effective program. This entails setting up a structure that includes direct reporting to the chairman of the audit committee while, at the same time, having appropriate internal management oversight. Often that oversight resides with the chief risk officer of the bank. However, we have observed successful programs that use compliance officers or an in-house internal auditor. Independence is derived from board and management commitment, setting the tone and culture within the bank.

Internal Audit Risk Assessment and Audit Plan: The success of an internal audit program is highly dependent on identifying the risk profile of the bank and developing an appropriate audit plan that addresses those risks. Just a few of the areas complicating today’s bank risk environment include information security and technology-driven service delivery channels, consumer compliance and BSA/AML compliance requirements, and interest rate risk management.

Experienced and Qualified Internal Audit Team: A successful internal audit program is simply not possible without deploying the right expertise and experience to audit the different aspects of a bank’s business and compliance requirements.

A successful internal audit program is often accomplished by seeking an outsourced or co-sourced solution which, based on regulatory guidance, management is responsible for managing. However, independence does not need to be compromised—particularly if the bank culture and tone at the top are committed to an independent risk-based internal audit program.

Supreme Court Ruling Could Impact Your Bank

On June 25, 2015, nearly four years after first agreeing to consider the question, the Supreme Court issued a decision in the case Texas Dept. of Housing and Community Affairs v. Inclusive Communities Project, Inc., holding that disparate impact claims may be brought under the Fair Housing Act (FHA). The Court’s decision confirms that, irrespective of intent, an institution engaged in residential real estate-related transactions such as mortgage lending may be held liable for a practice that has an adverse impact on members of a particular racial, religious, or other statutorily protected class.

However, the Court pointed out the following important limitations on the ability of plaintiffs to raise claims:

  • It is not sufficient to point out statistical disparities alone. Instead, plaintiffs must show that a defendant’s policy or policies caused that disparity.
  • Policies may only be challenged under disparate impact analysis if they are “artificial, arbitrary and unnecessary barriers.”
  • A defendant’s valid business justification may not be rejected unless a plaintiff identifies an alternative practice that has less disparate impact while still serving the entity’s legitimate needs.

To receive the benefit of any heightened standard resulting from the Court’s opinion, however, financial institutions must be willing to litigate. To avoid litigation in the first place, experience has shown that proactive steps taken by financial institutions can protect against possible disparate impact claims. Those steps include, for example:

Internal Audits and Fair Lending Risk Analysis
Financial institutions should be proactive in identifying and analyzing lending portfolios to identify areas susceptible to statistical challenge. One of the most reliable methods of doing so is to conduct routine statistical self-assessments on a portfolio-wide basis, appropriately structured to ensure attorney-client privilege will apply. Institutions should conduct periodic assessments, analyze the results (including file reviews of any outliers), and tailor policies and procedures to address the results, thus ensuring the institution is alert to potential disparities and can address any fair-lending related issues before they become supervisory concerns.

Policies and Procedures
Institutions should carefully review their policies and procedures to identify instances in which discretion is permitted in any aspect of underwriting or other credit processes, as discretion may give rise to discriminatory results. To the extent policies and procedures allow for discretion or exceptions, institutions should craft corporate governance mechanisms to approve such exceptions or departures from common practice as well as record keeping procedures to ensure proper documentation. In effect, the financial institution is creating a record of why it departed from its normal business practices. To the extent that the institution considers any changes to its policies and procedures as a result of its review, senior management should articulate the business- or risk-related reasons why such changes were or were not made.

Corporate Governance and Documentation
With increased scrutiny from regulators on fair lending issues, any business decisions that may involve practices that could have a disparate impact on a protected class, such as changing or discontinuing a particular product or service, should be carefully considered and the justifications for them should be clearly documented. Institutions should establish corporate governance procedures that provide for review of material changes to product and services offerings by senior management and fair lending/risk committees. The results of the review, including assessments of the reasons for the business decisions at issue, should be documented through meeting minutes and other records.

The Inclusive Communities decision almost certainly will embolden private plaintiffs and government agencies to assert claims of disparate impact discrimination. Proactive steps taken now can head off years of litigation and costly settlements by preventing statistical disparities from ripening into claims of discrimination. Financial institutions should aggressively review and enhance their compliance efforts to ensure the compliance of their business policies and practices.

Heightened Standards for Directors: What You Need to Know

On September 2, 2014, the OCC issued guidelines establishing heightened standards for certain institutions with $50 billion in total assets and for “highly complex” institutions, noting that it does not intend to apply the guidelines to community banks. However, the guidelines distill the OCC’s characterization of directors’ responsibilities that apply regardless of asset size. In this regard, the guidelines should be required reading for directors of every bank.

With regard to the role of directors, the OCC did not adopt a higher standard of director liability than the law generally provides (depending upon state of incorporation or chartering). This approach is very different from that espoused by the Federal Reserve Board’s Governor Tarullo in his controversial speech last year. Governor Daniel Tarullo exhorted legislatures to change the standards governing director conduct to impose a duty to meet regulatory and supervisory objectives (not just a duty to their institution and shareholders). The OCC notably bypassed the opportunity to try to extend director obligations beyond statute. Thus, the guidelines need to be read in conjunction with the existing legal framework.

The OCC reformulated what are in many cases age-old principles of director conduct. The guidelines are beneficial to directors in a variety of ways. Notably, the OCC sought to reclarify the divide between director and managerial responsibilities. To understand the significance of such line drawing, directors need to be aware of the regulatory approach to conflating the roles of directors and management since the downturn. Specifically, administrative actions, matters requiring attention and supervisory correspondence, have discussed the directors’ obligations to become further involved in their institutions’ activities in a quasi-managerial tone.

The OCC’s guidelines, however, note that they do not impose managerial responsibilities on boards or suggest the boards must guarantee any particular result. Instead, the OCC notes that the board’s duty is the traditional one of strategy and oversight.

However, there are increasing expectations for directors, particularly in terms of oversight of risk management. First, the OCC expects institutions to establish strategic plans that set forth a risk appetite. The board then must hold management accountable for adhering to the framework established. The guidelines clarify that the board provides active oversight by relying on risk assessments prepared by the departments of risk management and internal audit. Thus, although the board’s active oversight is in reliance on risk assessments, the board still must evaluate whether the risk appetite is being exceeded.

This expectation for oversight of risk tolerance has been seeping down the landscape and has become common practice for banking organizations of over $1 billion. I have seen institutions of $600 million and $700 million in total assets adding chief risk officers and risk committees. Risk assessments have proliferated like kudzu. Whether or not the guidelines are only expectations for the systemically important financial institutions (SIFIs), these principles are becoming mainstream ideas for community banks as well. For SIFIs, the scope and pervasiveness of the risk management and mitigation framework are yet to be fleshed out.

The OCC expects boards to provide a credible challenge to management. Specifically, boards, in reliance on information from independent risk management and internal audit, should question, challenge and, when necessary, oppose decisions to expand the bank’s risk profile beyond its risk appetite.

The guidelines note that boards are not prohibited from engaging third-party experts to assist them. Thus, the OCC keeps open the well-worn ability of directors to rely on others for guidance (although the fiduciary decision-making remains exclusively the province of the board).

Otherwise, the OCC trots out existing basic minimum standards for corporate governance. Specifically, the guidelines provide that boards should conduct annual self-assessments. The guidelines also note that the OCC will review director training to see if it touches on all appropriate areas. Moreover, the guidelines note that directors must dedicate time and energy to reviewing and understanding the key issues affecting their bank. Those expectations are hardly new.

In short, the guidelines represent a mixed bag for bank directors. The OCC’s adherence to the separation between board and managerial responsibilities and directors’ ability to rely on third-party experts is reassuring. The OCC’s discussion of risk management and engaged directors challenging managerial direction are not threatening in themselves. Director concerns lie in the notion that examiners will expect an increasingly elaborate edifice of risk tolerance and assessment. For community banks, the question is how much of this edifice will they need. Thus, it is not the principles that are controversial, but the way in which such principles will be measured that causes concern for director liability.

Are You at Risk for a Trading Fraud?

You’ve probably read recently about trading-related frauds where individuals manipulated markets for their own gain. Several of these frauds were highly organized affairs, with traders using alternate channels to communicate with one another in order to manipulate individual trades and market conditions. The most recently settled foreign exchange action came to light once a reporter from a national business publication published the details of the collusion.

Most of the entities involved are relatively large organizations, with sophisticated governance and internal control programs. One has to ask, how could this occur, especially in this world where virtually anything done on a system can be tracked, stored, and retrieved? With hindsight, we can look at these frauds and glean some lessons by walking through the internal audit process at a high level. What can directors do to help make sure something like this does not happen at their organizations?

Risk Assessment
Are trading operations and similar functions scored high enough in the periodic risk assessment? By similar functions we mean any job function such as procurement or sales that has the following characteristics:

  • has a high level of discretion and is regularly in the market
  • has the de facto checkbook of the company
  • is under significant pressure to make revenue or save expenses
  • requires a specialized skill set to execute the role.

The lesson here is that these market roles, in many cases, have a risk profile higher than anticipated.

Audit Planning and Execution
Do you expect internal audit to master every function within your organization? Obviously, internal audit functions best when the auditors have knowledge of the business and the controls around that business. However, is it realistic to expect that internal audit can cover every risk with internal resources? Some prudent borrowing or “renting” of resources with specialized skill sets might be needed to adequately cover some types of risk.

Ongoing Monitoring
Virtually every organization in the U.S. with its own systems has some sort of user computing policy that describes the acceptable use of technology. Also prevalent is the use of monitoring tools to continuously track how employees are using systems. For some time now, organizations have been keenly aware of the damage that can be caused by employees going to inappropriate websites. Yet traders executed one of the well-publicized trading frauds during normal business hours, using “back channel” means such as chat rooms provided through third parties. Certainly, the technology to monitor usage has existed for some time; however, the connection between the usage and the risk was just not recognized.

Certainly, collusion is inherently difficult to detect or prevent. However, recent frauds highlight the fact that those with an organization’s checkbook can present a risk much greater than previously thought, and detecting or preventing similar frauds will require diligence throughout the risk management cycle.

The Job of the Audit Committee

As regulatory scrutiny intensifies and liability concerns mount, it’s more important than ever that financial institution audit committees are highly engaged. With the recession and the banking crisis fading in the rearview mirror, regulators are shifting their focus from asset quality to corporate governance—including the effectiveness of audit committees. Effective audit committees are likely to have the following critical attributes.

Proactive Involvement With Internal Audit
Greater audit committee participation in the internal audit process should be the new norm. In the past, audit committees typically took a more passive role—receiving reports from the internal audit department, entering them in the minutes, and rarely asking questions. But today, regulator criticism increasingly cites lack of detail in audit committee oversight of internal audit.

Regulators expect audit committees to have a better understanding of how the department operates on a daily basis and to be more involved with developing the risk assessment and the internal audit plan, including determining the scope of work. Rather than simply functioning as a rubber stamp, the audit committee should push back and challenge management when appropriate and ensure that internal audit has sufficient resources.

The challenge for some audit committees is achieving the necessary composition of members to provide effective internal audit oversight. The membership of audit committees, after all, is drawn from boards of directors, which may lack the requisite diversity in backgrounds and expertise. Financial institutions should address any such inadequacies.

Extensive Communication With External Auditors
The auditing standards under which external auditors work are undergoing significant changes that require expanded communication with the audit committee. The current auditing environment calls for more detailed communications and discussions between external auditors and the audit committee.

Yet, the communication the standards require is sometimes more complex than the information the audit committee wants to hear or has the ability to process. An effective audit committee needs to include at least one financial expert (preferably two) and to allow an appropriate amount of time for the sharing and understanding of vital information.

Comprehensive Understanding of Risk
Since the economy and financial services industry have begun to recover, regulators have placed greater emphasis on how financial institutions are managing risks currently and how risks will be managed in the future—what steps financial institutions are taking to identify risk earlier and respond appropriately. The audit committee therefore must satisfy a higher standard regarding its understanding of the entire organization when it comes to risk.

Regulators rightly assume that a financial institution’s overall strategy strongly influences the level of risk it is willing to assume, along with the level of controls required to monitor and mitigate that risk. In turn, the board and the audit committee are subject to substantially higher expectations related to their understanding of the institution’s risk profile, risk appetite, and mitigation and management of risk factors.

If the financial institution has a formal board risk committee, the audit committee should coordinate with it; if not, the audit committee often is delegated the responsibility for addressing risk management issues. In either case, the committee should stay on top of the bank’s chief risks (including understanding their probability and potential magnitude), the measures management is taking to combat those risks, and the amount of financial or reputation risk that management and the board have agreed is tolerable.

The Consequences of an Ineffective Audit Committee
A financial institution with an ineffective audit committee is vulnerable to regulatory consequences. The institution could find itself subject to criticism related to the audit committee’s failure to fulfill its responsibilities as laid out in the audit committee charter. In rare but potentially disastrous instances, the external auditors could conclude that the audit committee is ineffective, resulting in a finding of material weakness in the bank’s overall internal controls. To avoid such consequences, financial institutions must take action to see that their audit committees have the essential attributes.

Scandals and Internal Audit: Where Banks Can Do Better

Many well-known banks are paying billions of dollars to settle allegations of a wide range of wrongdoing. Directors at all financial institutions would be wise to ask how these things could happen without internal controls preventing or timely detecting them. Is there a systemic weakness in internal controls that could also affect your institution? Studying The Institute of Internal Auditors’ (IIA) last Global Audit Survey in light of recent events suggests there is such a weakness and that it impairs 62 percent of the internal audit functions in the financial services industry.

Widespread noncompliance
So what’s the issue? Essentially, an alarmingly high proportion of internal audit functions are failing to comply with the “International Standards for the Professional Practice of Internal Auditing,” which set out basic requirements that the IIA considers essential for an internal audit function. The IIA mandates that members comply fully with its Standards. Failure to do so is a violation of the IIA’s Rule of Conduct 4.2.

This is not just a paperwork issue: it is substantive and affects the quality and reliability of internal audits. According to the IIA’s Global Internal Audit Survey, last conducted in 2010, only 38 percent of finance industry chief audit executives self-reported that their internal audit function complied fully with the IIA’s quality assurance standard, AS 1300: Quality Assurance and Improvement Program. Self-reported compliance with other IIA standards was higher, but still worryingly short of what investors, regulators and bank directors might reasonably expect. Only 60.6 percent of chief audit executives said they complied fully with PS 2600: Resolution of Senior Management’s Acceptance of Risks. This standard requires them to inform the board of directors if management failed to resolve risk-taking that the chief audit executive believed to be excessive—an extremely important issue for directors.

Looking at two of the simplest, most basic standards, while 76.1 percent complied with AS 1200: Proficiency and Due Professional Care, that still means that nearly a quarter of internal audit functions in the finance industry apparently operated without the skills necessary to do their job properly or failed to conduct their work with appropriate care. For AS 1100: Independence and Objectivity, chief audit executives self-reported 83.4 percent compliance, suggesting that one-sixth of internal audit departments in finance failed to meet the requirements to be independent and objective, a fundamental tenet of auditing.

I have many friends who are internal auditors whom I respect highly, yet the internal audit profession has allowed the IIA standards to be widely disregarded without disciplinary consequences. This situation has been going on for years, is well-known within the internal audit profession, but has not been well communicated to the broader financial community.

In addition to putting their reputation at risk, bank directors who allow such noncompliance to occur at their financial institution may expose themselves to allegations of negligence and breach of their duty of care.

Actions You Can Take
Some actions you can take to help your bank deal with this issue are:

  • Ask your chief audit executive whether the internal audit function operates in full compliance with all IIA standards. If it is not, ask why and whether there’s a plan to come quickly into compliance. Probe, with professional skepticism, any negative responses.
  • If there is noncompliance, identify potential legal, regulatory, financial and reputational risks, as well as the potential impact on the effectiveness of the entity’s enterprise risk management.
  • Work with your chief audit executive, chief financial officer, chief executive officer and board chair to implement any appropriate changes to bring your bank’s internal audit promptly into full compliance with all IIA standards as a minimum level of quality. Going beyond the minimum standards may also be necessary for more sophisticated entities and those with high risks.

Internal audit is a key internal control for preventing and detecting major fraud and other wrongdoing at banks. Customers, investors and other stakeholders can reasonably expect bank directors to ensure that their internal audit functions meet, or exceed, IIA standards. Bank directors can help internal audit get sufficient moral and financial support from management and the board to comply fully with IIA standards.

Self Exam: Improve the Health of the Bank and its Standing with Regulators

Doctors recommend various self exams to catch disease early, so it can be treated before it’s too late. As it turns out, a self examination can be good for the health of a bank as well. My colleagues and I recommend that our banking clients and friends undertake a regular self examination in order to identify potential internal and external challenges that the bank may face. As discussed more thoroughly below, these self examinations can also be very helpful when the bank’s doctor (your friendly regulator) comes in for a check-up.

Enlist internal audit

To initiate the self examination, the audit committee of the bank’s board of directors should charge management with preparing a report that outlines the current and projected status of the bank’s key areas of risk. Ideally, the bank’s internal audit function will take the lead in performing the examination and preparing the related report. In order to maximize the value of this report, the audit committee should direct management to deliver the report at least 60 days prior to the bank’s next scheduled regulatory exam. The self examination report, in its most basic form, should cover the areas that are the focus of the bank’s regulators: CAMELS (capital, asset quality, management, earnings, liquidity and sensitivity to market risk). The report should also address any key areas of risk identified by the directors.

Analyze your market

In addition to analyzing the typical CAMELS components and other areas of risk, a very important part of the self examination process is a market study. The report should present facts, trends and projections related to the market area in order to define the opportunities and challenges being faced by the bank’s customers. While many bank directors have a good feel for market trends, we have found that this data, when presented with specific facts and trends, can inform the board’s discussions of a variety of topics a great deal. It can also provide the bank with support for dealing with its examiners, who conduct their own market analysis prior to each examination.

Evaluate the bank

In the report, management should report on the current status of the various risk areas (for example, capital levels and levels of problem assets), comparisons to peers and steps being taken to improve the current status. While it may be difficult for the officers of the bank to evaluate the bank’s management in the way that the bank’s examiners would, the management portion of the report should address the organizational chart of the bank to ensure that appropriate resources are allocated to each of the bank’s functions. After reviewing the draft report, the audit committee can evaluate the need for further analysis before presenting the final report to the full board. This report should give the audit committee, and eventually the full board, good perspective on the condition of the bank and the need for corrective actions.

Use self exam in multiple ways

The final self examination report should be clearly organized and comprehensive, though concise. The report can be used to color a variety of discussions that the board may have in the normal course of overseeing the bank’s operations. It can serve as the basis for strategic planning discussions in analyzing the opportunities in the bank’s market and the adequacy of the bank’s earnings. It can also be a guide to more basic discussions, such as the pricing of deposits, based on the information related to the bank’s liquidity and opportunities for loan growth. Essentially, the report provides a comprehensive guide to the current and projected health of the bank that the bank’s directors can use for a quick point of reference in making their decisions.

Prepare a presentation for regulators

In addition to business planning purposes, the self examination can be a key tool in preparing for a regulatory examination. Using the results of the self examination, management should prepare a presentation for the examiners that highlights the bank’s key metrics, areas of progress and actions taken to address areas of concern. The market analysis portion of the self examination can be a key component of this presentation. While the bank’s examiners should be generally familiar with the bank’s market, they will not have the specific and direct perspective that the self examination report can provide. Using this market data, the bank can provide factual, documented support for its projections and for any actions it is taking. This presentation should be conveyed to the bank’s examiners at the initial meeting related to the exam, at which a representative of the board should be present. By alerting the bank’s examiners to the focus of the board on the bank’s condition and the steps being taken to improve the bank’s condition, the bank increases the likelihood that the examiners will conclude that the board is performing its duties and that the bank’s internal controls are adequate.

The self examination report can be a very useful tool for bank directors. At its best, it will provide a roadmap for making key strategic decisions. In its most basic form, it documents the board’s focus on oversight of the bank. While producing such a report will use management resources, much of the analysis that should be included in the report can be extracted from management’s ongoing reports to the board. Producing and discussing the self examination report is a healthy exercise, and the bank’s examiners will agree.

Originally published on January 11, 2012.

Repositioning the Internal Audit from Good to Strong

Bankers today face the pressure of doing more with fewer resources. Every business function, including internal audit, is expected to bring value to an institution. In this video, Lynn McKenzie, partner with KPMG LLP, reviews what banks can do to improve internal audit by increasing board engagement, building strong leadership and developing more effective auditing processes.