We asked audit committee chairmen (and women) what their committees are grappling with in the year ahead. Their responses make it obvious that, with the passage of the Dodd-Frank Act in 2010, compliance with government regulations has become a huge concern. But so is monitoring the organization’s risks, including IT risks, and figuring out how to make a profit in an environment of low interest rates.
What do you believe are the top issues facing audit committee members in 2012 and into 2013?
We need to focus on developing the appropriate stress tests for our institutions to determine, monitor and support our capital adequacy; focus on liquidity risk as macro-economic conditions improve and many of our institutions face a run-off of deposits to higher earning assets; and institutionalize the lessons learned during this credit cycle.
– Robert F. Coleman, audit committee chairman, PrivateBancorp, Inc., Chicago, IL
I think the top issues are sustaining a risk-based focus with executive leadership, adapting risk oversight at the board level to new Dodd-Frank and Fed requirements and figuring out how to make money in a flat interest rate environment for the next two years.
– Ingrid S. Stafford, audit committee chairman, Wintrust Financial Corporation, Lake Forest, IL
IT & Security Risks
I agree that compliance, particularly trying to understand what is coming with Dodd-Frank, is growing in importance. IT risk is also taking a bigger share of our time. Everything from privacy and security (including cyber-security), to emerging technologies like the cloud, social and mobile are going to be a focus for us.
– David L. Copeland, audit committee chairman, First Financial Bankshares, Abilene, TX
Compliance continues to be one of the top issues. More and more internal resources are being directed to the ever growing compliance requirements. Disclosure is another struggle. I suspect that eventually the 10-Qs and 10-Ks will become so lengthy that no one will read them, with footnotes that now span multiple pages and are seemingly redundant to matters covered in other sections of the submissions. Risk is a concern. Each of us hopes that we do not overlook the obvious.
– Gordon Budke, audit committee chairman, Banner Corporation, Walla Walla, WA
The exponential acceleration of regulations will become an increasing challenge for audit committees of all banks, regardless of size. The compliance area alone, where banks are being required to implement government policy initiatives, is a prime example of this challenge. In addition, regulators are requiring extensive documentation of all actions taken and not taken in a culture where risk is to be reduced to zero. Therefore, the audit committee’s role is changing rapidly and must constantly be reassessed with these increasing responsibilities.
– John E. Seward, Jr., audit committee chairman, Bank of Tennessee, Kingsport, TN and Carter County Bank, Elizabethton, TN
I believe the top issues confronting audit committees this year and next are developing, implementing and monitoring audit plans, including internal audit. These plans are focused on the identification and weighting of risk elements arising out of the transition of the banking industry from the defensive/capital conservation strategies of the past three years to the growth/capital deployment strategies to be implemented over the next several years. The economy and the need for bank financing will expand together with the regulatory risks presented by the Dodd-Frank legislation.
– Timothy B. Matz, audit committee chairman, PacWest Bancorp, San Diego, CA
Managing internal audit is one of the most critical functions of the audit committee. The audit committee not only oversees the internal audit function of an organization, but often recruits and hires the director of internal audit, who reports directly to the audit committee. The committee must take care to ensure the audit function’s independence from management and make decisions about how to handle whistleblower complaints and internal investigations. A best practice is to have an executive session during every audit committee meeting to allow the director of internal audit to discuss issues privately with the committee. The audit committee chairman also should have a trusting relationship with the director of internal audit that is based on open communication.
The Importance of Independence from Management
The director of internal audit must have free and open access to the board-level audit committee in order to ensure that he/she has total independence and the freedom to take whatever steps are deemed appropriate to investigate audit matters. Accordingly, the director of internal audit (DIA) reports directly to the audit committee, which is generally represented by the chairman. In fact, it works best when the audit committee assumes responsibility for recruiting and hiring the DIA. While bank management (via its human resources department) might assist in such matters, it is the audit committee that oversees the process and makes the hiring decision.
Because the audit committee chairman is not on-site on a regular basis, the DIA often reports administratively (represented by a dotted line on the organizational chart) to an executive level bank manager. This might be the chief risk officer, the chief financial officer, the president, or the chief executive officer. The level at which the DIA reports administratively can be reflective of the organization’s tone regarding the importance of the internal audit function and of protecting its independence. It is often therefore recommended that the DIA report administratively to the CEO unless there is strong justification for doing otherwise. This administrative oversight might include matters such as approving vacation absences and coordination of other, internal management functions. This management-led administrative oversight does not, however, extend to the performance of internal audit duties.
In the event bank management has an issue with or concern about the performance of the DIA, management should communicate such issues and concerns directly to the audit committee chairman. For example, if management observes that the DIA is not effectively managing his or her staff or that the manner in which audits are being conducted is overly confrontational and/or ineffective, management would discuss such matters with the audit committee chairman (and not with the DIA directly). The audit committee then has direct responsibility for investigating and discussing such matters with the DIA.
Management must take care to respect the DIA’s independence and not take any actions that might impair the DIA’s independent judgment. It is the audit committee’s duty to ensure this.
The DIA and the audit department staff work very closely with the audit committee, often functioning as the committee’s staff. It should be noted that this role is unchanged when some or all of the internal audit functions are outsourced to private vendors. In such event, the DIA still reports to the audit committee and he/she supervises the vendors. The audit committee is responsible for reviewing and approving all outsourced audit vendor engagements.
Now let’s talk about how this works in real life.
How to Handle Audit Meetings
Who is generally invited/present at audit committee meetings? And how might the presence of senior level bank management impact the DIA’s independence or opportunity to speak freely to members of the audit committee? How should the audit committee handle concerns raised by the DIA or by bank management?
Different boards function differently. There is no carved-in-granite rule about who should be invited to attend audit committee meetings. Often the CFO, the CEO, the chief risk officer, the chief credit officer, and/or representatives from the external audit firm are in attendance at audit committee meetings. Some banks invite management representatives from the areas that have been audited to attend the meeting when that audit is being reviewed. Who attends is not important, but it is important to make sure that whoever is in attendance does not interfere with the DIA’s independence.

To ensure that the DIA has free and open communication with the committee, the audit committee chairman should schedule an executive session at the end of each audit committee meeting. Do not wait until the end of the meeting to ask if there is anything that the DIA would like to discuss in executive session. Instead, schedule an executive session as part of the agenda for every single meeting. If there is nothing to discuss, the executive session will simply adjourn.

An executive session can take place in multiple parts. First, all bank management is excused and the DIA is invited to stay with the committee. Once everyone but the DIA has been excused, the committee chairman should ask the DIA to discuss any concerns he or she has. The audit committee chairman might ask the DIA to confirm that staffing is adequate (to ensure that budgetary limitations are not resulting in inadequate staffing), or whether bank management is appropriately responding to and following up on all audit matters.
In the event that the DIA comes forward with a concern of such nature, the audit committee is then responsible for addressing those concerns and for giving direction to management. The audit committee must do so in a constructive manner, so that it does not reflect negatively on the DIA.
For example, let’s say that the DIA does not feel that he or she has adequate staff. The committee’s minutes might reflect that a discussion took place about the number of audit hours that are required to adequately address the bank’s internal audit schedule, and the committee concluded that the current staffing level is not adequate. The committee, therefore, recommends either the addition of another member to the internal audit team, or that the DIA engage an external vendor to perform portions of the internal audit work. Addressing it in that manner makes it the committee’s recommendation.
Similarly, if there are a number of open audit findings – matters that have been open for some time – and the DIA does not feel that management is taking appropriate steps to resolve them, the DIA might bring that to the committee. The committee’s minutes could reflect that a discussion took place about the large number of open audit matters that appear to have been open for too long a period of time, and that the committee will discuss such concerns with the president or CEO to ensure that they are being given appropriate attention by the responsible manager. Again, addressing it in that manner makes it the committee’s recommendation.
Whistleblower issues are generally directed to the audit committee chairman and/or to the director of internal audit. When the audit committee chairman receives notice of a perceived whistleblower issue, the audit committee chairman should immediately contact the director of internal audit so that the two of them can discuss and determine how best to investigate the matter. Whistleblower matters require confidentiality and trust. When requested, care must be taken to protect and ensure the anonymity of the reporting party. When deemed appropriate, the DIA and audit committee chairman may engage external, third-party professionals to help investigate whistleblower matters.
Performance Problems – Performance Evaluation
The audit committee, generally via its chairman, completes the formal performance evaluation of the director of internal audit. The audit committee chairman may solicit input from other bank management and from other committee members, as appropriate. While the bank executive manager who supervises the DIA for administrative purposes participates in this process, it is the audit committee chairman who takes the lead. This confirms that the DIA reports directly to the audit committee.
The relationship between the director of internal audit and the chairman of the audit committee should be one of openness and trust. These two individuals, both tasked with the independent oversight of internal audit matters, must be free to communicate with one another, and they must trust one another to protect the confidentiality of such communications at all times.
All financial institutions must hire an outside CPA firm to audit their financial statements as well as the accounting information system and controls that affect those statements. The relationship between the bank and the external consultant can be mutually beneficial–but only if the bank goes about selecting, hiring and working with the CPA firm in a systematic and effective way.
What You Should Expect–and Receive–From Your CPA
The CPA firm you hire should have industry expertise that is specifically targeted to financial institutions the size and complexity of yours, and the firm should have experience and expertise in your major lines of business. You should also expect the firm’s CPAs to have a deep knowledge of SEC regulations and professional standards such as those issued by the PCAOB.
In addition, you need to be confident that your CPA firm understands the broad spectrum of risks facing your bank, including the potential exposure and return of each. An understanding and audit of the tools that management uses to monitor the bank’s performance results is also essential.
It’s important for you to recognize the difference between your bank’s problems and the auditor’s problems. Don’t expect the auditors to take responsibility for problems that are actually management’s issues to deal with. Doing so only invites delays and a loss of independence on the part of the auditor.
The ideal CPA firm focuses on relationships. The external audit team needs to communicate and work well with the bank’s team. On both sides, clear and informative discussions upfront about roles, timelines, methodologies, controls testing, documentation and the like will go a long way toward ensuring a smooth and efficient planning, auditing and reporting process. The audit team also needs to be able to communicate effectively with the bank’s audit committee as well as management.
The Match Game
When contemplating hiring a CPA firm, you must first define your objectives. Understand and communicate the scope of what you expect the firm to do. You can select the appropriate firm only if you know your own organization well–its business, community, management strategy, performance and risks. Think long and hard about the nature of your institution’s risks, and then seek a consultant whose strengths match up with those risks.
Meet face to face with representatives of firms you are considering hiring. Read reports, ask penetrating questions and compare what they say with your understanding of the CPA firm’s reputation, skill set, and culture. Provide input and take a balanced approach. Follow through in providing direction to the organization. Think through the cause and effect of problems your institution faces and use the consultants you interview to confirm your conclusions. Act on the recommendations.
You Have Rights
You have the right to continue to be involved and receive clear communication from the consultants throughout the audit and reporting process. You also have the right to receive advance warning from the CPA firm of possible problems.
Take the time to understand the auditors’ perception of the risk profile of your bank and their conclusions about management, and ask questions if you don’t understand them.
Changing Standards, Changing Role
The best-in-class banks anticipate tomorrow’s standards by which today’s actions will be judged. The ubiquitous implementation of enterprise risk management programs in recent years should not have been a surprise given all the chatter of the past several years. And in the near future? Our crystal ball says that “stress testing” will be required soon, so now is the time to embrace it.
The Center for Audit Quality and other groups are looking into the auditor’s role, which we expect to change just as it has done before–particularly in the aftermath of the thrift industry crisis (which led to the Federal Deposit Insurance Corporation Improvement Act) and the major corporate and accounting scandals of the 1990s (which led to Sarbanes-Oxley). Look for greater CPA involvement in 10-Ks, and in risk factor disclosure in 10-Ks/Qs and MD&A.
More big changes might be on the horizon, particularly for privately held companies, in light of analysis of the report of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, which indicates that audit committee effectiveness depends on independence and the number of meetings.
Collaboration, Not Confrontation
A good working relationship between your team and the external audit team will enhance the financial reporting process, reduce surprises and generally make everyone’s life easier.
Duty of care, loyalty and good faith are the basic foundations for every board member as they strive to increase revenue and shareholder value for their institutions. As the regulatory requirements continue to expand, the role of the audit committee is quickly following suit, leaving many bank audit committee members concerned about their effectiveness.
At Bank Director’s Bank Audit Committee conference in Chicago on June 14-15, Robert Fleetwood, partner in the financial institutions group of Chicago-based law firm Barack Ferrazzano, and Todd Sprang, partner at the certified public accounting firm Clifton Gunderson, took a crowded room of audit committee members back to basics during their Audit Committee 101 session.
Cautioning that these are not one-size-fits-all requirements, Fleetwood and Sprang outlined a list of fundamentals and best practices for today’s audit committee members.
1. Understand your duties. Sprang suggested that if you are unsure of your role or responsibilities, seek a tutorial from outside counsel to ensure that every member is comfortable with their duties.
2. Recognize the reputational risk to the organization and to you as an individual. At the end of the day, you want to do the right thing by all parties. It’s never a good situation when a director has to admit that he/she didn’t read the materials or didn’t know what was going on at their institution.
3. Oversight. The primary role of the audit committee is to evaluate the audit process, oversee financial reporting, and assess the risk and control environment. To do this effectively, committee members should be asking lots of questions, requesting feedback and regularly discussing concerns.
4. Committee composition. Boards typically look to local CPAs to fill their audit committee seats, yet having members with a wide range of expertise provides additional perspective and beneficial feedback.
5. Yes, you need a committee charter. Not only should the charter be reviewed on a regular basis to ensure that the board is complying with it, but it happens to be a great tool for setting agendas.
6. To rotate or not to rotate? Fleetwood recommended that if you do implement a rotation requirement, it take place after an extended period of time. The audit committee has a steep learning curve, and rotating frequently creates the risk of losing members before they have had a chance to reach their peak.
7. Build a relationship with the external auditors. Communication is the key. Review your reports and materials ahead of time, and use the review session to ask them questions, get their perspectives on market trends, and request recommendations.
8. Internal audit reviews. Whether your institution uses in-house resources or outsources this process, a major red flag is a report with no findings. Ask why. You should always be finding ways to improve, rather than just going through the motions.
9. Setting the agenda. The agenda should follow the committee charter and include an annual checklist to work through regularly. Delegate the legwork to your experts and include them on the agenda periodically.
10. Attend the meetings. Distribute materials ahead of time, whether in print or through board portals, and include only what is necessary to review. Read the materials beforehand and attend in person at least quarterly.
The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.
This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlying compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?
Elements of a Compliance Management Program
Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.
Typically, the basic elements include:
Designation of a compliance officer
Procedures (internal processes and controls)
Regulatory change management
Quality control (monitoring)
Consumer complaint response process
Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.
The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.
The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has an employee–such as a supervisor or other employee independent of the originator of the activity–review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.
Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any increasing trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.
Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.
The compliance audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.
The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. Audits of the compliance function should be conducted less frequently than quality control reviews; the timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.
It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.
Compliance Across the Board
The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.
ICS Compliance has one mission, which is to help the banking and financial services industry manage its risk in today’s challenging and rapidly changing environment. The 14-year-old firm, which is headquartered in New York and has offices in 17 cities across the United States, employs more than 150 risk management experts whose specialties include compliance, internal audit, and credit risk management. Recently, Bank Director spoke with CEO John F. White about the importance of having a strong risk management program, and how it benefits the bank.
What are the most pressing regulatory concerns today?
Whenever you have the kinds of problems in the industry that we’ve had over the last couple of years, Washington wants to regulate with a strong hand, just like the Sarbanes-Oxley Act nine years ago. So the most pressing regulatory concern is that banks maintain a comprehensive risk management program in accordance with the CAMELS Ratings (Capital adequacy, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market). Strong risk management, which includes compliance, internal audit, and credit review programs, will help banks get high ratings in these areas, which in turn will help them maintain a high level of profitability.
What should banks be doing now in terms of risk management?
Banks must implement a comprehensive risk management program, consisting of a compliance program that includes BSA/AML and manages all of the evolving regulatory rules and regulations; an internal audit program that evaluates the effectiveness of the control environment; and a credit review program that monitors asset quality and assures that all loans are being reviewed and rated properly in a timely manner. If a bank has a strong risk management program in place it’s not only less likely to be criticized, but it’s also going to achieve higher earnings and stronger capital.
As the industry’s regulatory burden increases, what’s the key to having an effective compliance program?
It’s crucial that management and the board keep themselves up to date on all the new regulatory requirements and that they allocate the necessary resources to managing compliance risk. You have to have experienced people who understand compliance and BSA/AML. You need to have the right systems and processes in place so that you’re getting all the information you need to manage the risk properly. Regulatory compliance can be especially challenging for small banks that can’t afford to build the necessary infrastructure to manage compliance risk effectively. But they can still accomplish that without making a costly investment by partnering with the support of a qualified vendor that understands the rules and regulations and knows how to establish a strong risk management program. The regulators are very comfortable with this approach. They are less concerned about how it gets done than with the fact that it is getting done.
What is the board’s role from a governance perspective when it comes to risk management?
The board is not responsible for day-to-day management of the bank, but it is responsible for oversight and protecting the interests of the shareholders. The bank has to have written compliance, internal audit, and credit review programs in place; the board has to approve them. The board also has to make sure that the bank has qualified compliance, audit, and credit review officers in place, and if the bank isn’t going to manage all facets of the program itself, the board has to ensure that a qualified vendor has been selected to work closely with the officers. Finally, the board must ensure that appropriate and timely corrective actions are being taken in response to regulatory examinations and audit findings.