How important is net interest margin (NIM) to your institution?
In 2019, banks nationally were 87% dependent on net interest income. With the lion’s share of earnings coming from NIM, a disciplined approach to margin management will mean the difference between underperforming institutions and outperforming ones.
Anticipating the next steps a bank should take to protect or improve its profitability will become increasingly difficult as institutions manage balance sheet risks and margin pressure. Cash positions are growing with record deposit inflows, pricing on meager loan demand is ultra-competitive and many institutions are experiencing accelerated cash flows from their investment portfolios.
It is also important to remember that stress testing the balance sheet is no longer an academic exercise. Beyond risk management, stressing the durability of capital and the resiliency of liquidity can give your institution the confidence necessary to execute on strategies to improve performance and stay ahead of peers. It is of heightened importance to maintain focus on the four major balance sheet positions discussed below.
Capital Assessment, Position
Capital serves as the cornerstone for all balance sheets, supporting growth, absorbing losses and providing resources to seize opportunities. Most importantly, capital serves as a last line of defense, protecting against risk of the known and the unknown.
The rapid changes occurring within the economy are not wholly cyclical in nature; rather, structural shifts will develop as consumer behavior evolves and business operations adjust to the ‘next normal.’ Knowing the breaking points for your capital base — in terms of growth, credit deterioration and a combination of these factors — will serve your institution well.
Liquidity Assessment, Position
Asset quality deterioration leads to capital erosion, which leads to liquidity evaporation. With institutions reporting record deposit growth and swelling cash balances, understanding how access to a variety of funding sources can change, given asset quality deterioration or capital pressure, is critical to evaluating the adequacy of your comprehensive liquidity position.
Interest Rate Risk Assessment, Position
In today’s ultra-low rate environment, pressure on earning asset yields is compounded by funding costs already nearing historically low levels. Excess cash is expensive; significant asset sensitivity represents an opportunity cost as the central bank forecasts a low-rate environment for the foreseeable future. Focus on adjusting your asset mix — not only to improve your earnings today, but to sustain it with higher, stable-earning asset yields over time.
Additionally, revisit critical model assumptions to ensure they reflect actual pricing behavior, including rate floors on new volume and deposit betas, which may be set too high for certain categories.
Investment Assessment, Position
Strategies for the investment portfolio, including cash, can make a meaningful contribution to your institution’s overall interest income. Some key considerations to help guide the investment process in today’s challenging environment include:
- The cost of carrying excess cash has increased: Most institutions are now earning 0.1% or less on their overnight funds, but there are alternatives for increasing income on short-term liquidity.
- Consider pre-investing: Many institutions have been very busy with Paycheck Protection Program loans, and we anticipate this will have a short-term impact on liquidity and resources. Currently, spreads are still attractive in select sectors of the market.
Taylor Advisors’ Take:
Moving into 2021, liquidity and capital are taking center stage in most community banks’ asset-liability committee discussions. Moving away from regulatory appeasement and towards proactive planning and decision-making is of paramount importance. This can start with upgrading your bank’s tools and policies, improving your ability to interpret and communicate the results and implementing actionable strategies.
Truly understanding your balance sheet positions is critical before implementing balance sheet management strategies. You must know where you are to know where you want to go. Start by studying your latest quarterly data. Dissect your NIM and understand why your earning asset yields are above or below peer. Balance sheet management is about driving unique strategies and tailored risk management practices to outperform; anything less will lead to sub-optimal results.
New York-based Piermont Bank opened its doors in July 2019. Just eight months later — on March 1 — a New York woman returning home from Iran became the city’s first Covid-19 case. By March 20, with cases in the state rapidly climbing, Gov. Andrew Cuomo mandated that non-essential businesses close. One hundred days after reporting its first case, New York began reopening — but as of Nov. 19, restrictions remained in place, and New York City public schools recently returned to virtual learning to combat a resurgence of Covid-19 cases.
What a time to run a bank — especially a new one.
It sounds counterintuitive at first blush, but Wendy Cai-Lee, the bank’s founder and chief executive, believes Piermont is well positioned to serve customers. The $117 million bank focuses heavily on commercial real estate loans; it also makes commercial and industrial (C&I) loans.
She points out that as a de novo, the bank’s balance sheet is clean; her team didn’t have to devote attention to working with troubled borrowers. Piermont also has a lot of capital on hand, with a leverage ratio of 32.82% as of June 30.
But Cai-Lee recognizes the broader, longer-term impact the pandemic could have on the New York market. “We have seen appraisal values essentially drop anywhere between 10% to 35%,” she says. Her team has a risk assessment meeting every Monday; when we spoke in October, they were evaluating the potential fallout from the end of unemployment benefits through the CARES Act, set to expire at the end of the year. “That’s going to impact people’s ability to pay their rent, and I do think that’s going to bring some impact to multi-family that we haven’t seen so far,” she says.
The pandemic had some banks scrambling to adopt new technology to serve customers; in contrast, Piermont was already positioning itself as a “tech-enabled” bank. “When it comes to innovation, I’m a big believer that it’s not only technology that we need to focus on, but also process,” says Cai-Lee. She aims to create an end-to-end digitized process without sacrificing on risk controls.
“I use technology to digitize everything that the client doesn’t see so that I can move all those resources to allow my bankers to spend the time with the client to find specific pain points” and identify the right solution, she explains. “This allows my bankers to engage the client very differently.” Piermont can close commercial loans in three days, she says, rather than a couple of weeks. And innovation isn’t limited to technology; Piermont offers subscription pricing for its services, for example, and recently announced a banking-as-a-service platform it’s offering through a partnership with Treasury Prime.
I spoke with Cai-Lee before that announcement. “We’re actually not going to be that anonymous bank behind these fintechs,” she says. “We’re actually going to market front and center along with the API partner so that we can actually focus on creating the right product for them.”
Piermont Bank also seeks to serve women- and minority-owned businesses, which have been particularly devastated by the pandemic and have historically lacked access to credit and investor capital. A lot of banks say they want to serve women and minority entrepreneurs, yet these groups remain underserved. When I ask how Cai-Lee’s plans differ from other institutions’ efforts, she credits Piermont’s diverse team.
Cai-Lee is Asian American; before founding Piermont, she led the commercial real estate, commercial lending, and consumer and business banking divisions at $50 billion, Pasadena, California-based East West Bancorp, which serves markets in the U.S. and China. Before that, she spent almost a decade at Deloitte, where she was literally the poster child for diversity. “They had a [life-size] cutout of me made and had it in the lobby of every Deloitte domestic office,” she recalls.
When she founded Piermont Bank, she prioritized adding a diverse array of voices and backgrounds when she assembled her team. She believes it’s a strength for the bank. “The reason why [women and minorities are] underserved is — no different from serving any industry or any demographic out there — unless you understand their pain points, it’s hard to come up with the right product and service to serve them,” says Cai-Lee. “If you don’t have enough representation of women, of minorities on your board and senior management [team], how do you foster an environment where [you can] address that demographic?”
Nearly 2,000 banks in the U.S. have elected Subchapter S tax treatment as a way of enhancing shareholder value since 1997, the first year they were permitted to make the election. Consequently, many banks have more than 20 years of operating history as an S corporation.
However, this history is presenting increasingly frequent challenges during acquisition due diligence. Acquirers of S corporations are placing greater emphasis on due diligence to ensure that the target made a valid initial Subchapter S election and continuously maintained eligibility since the election. Common issues arising during due diligence typically fall into two categories:
- Failure to maintain stock transfer and shareholder records with sufficient specificity to demonstrate continuous eligibility as an S corporation.
- Failure by certain trust shareholders to timely make required Qualified Subchapter S Trust (QSST) or Electing Small Business Trust (ESBT) elections.
A target’s inability to affirmatively demonstrate its initial or continuing eligibility as an S corporation creates a risk for the acquirer. The target’s S election could be disregarded after the deal closes, subjecting the acquirer to corporate-level tax liability with respect to the target for all prior periods that are within the statute of limitations. This risk assessment may impact the purchase price or the willingness of the buyer to proceed with the transaction. In addition, the target could become exposed to corporate tax liability, depending on the extent of the compliance issues revealed during due diligence, unless remediated.
Accordingly, it is important for S corporation banks to ensure that their elections are continuously maintained and that they retain appropriate documentation to demonstrate compliance. An S corporation bank should retain all records associated with the initial election, including all shareholder consents and IRS election forms. S corporation banks should also maintain detailed stock transfer records to enable the substantiation of continuous shareholder eligibility.
Prior to registering a stock transfer to a trust, S corporation banks should request and retain copies of all governing trust instruments, as well as any required IRS elections.
It is also advisable to have the bank’s legal counsel review these trust instruments to confirm eligibility status and any required elections. Banks that are relying on the family aggregation rules to stay below the 100 shareholder limitation should also keep records supporting the family aggregation analysis.
While S corporation banks have realized significant economic benefits through the elimination of double taxation of corporate earnings, maintaining strong recordkeeping practices is a critical element in protecting and maximizing franchise value, especially during an acquisition. Any S corporation bank that is contemplating selling in the foreseeable future should consider conducting a preemptive review of its Subchapter S compliance and take any steps necessary to remediate adverse findings or secure missing documentation prior to exploring a sale.
As new types of risk – and new regulatory requirements – are introduced, bank directors play an instrumental role in making sure the executive team is properly addressing cybersecurity risks.
This can be an especially challenging responsibility as it is rare for board members to have the technical background or expertise to appropriately assess an entity’s cybersecurity risk management program without external resources. In many instances, directors find themselves in the uncomfortable position of relying primarily on management reports or the advice of third-party providers to meet their oversight responsibilities.
Annual scorecards from management and vulnerability assessments from third-party providers have value, but on their own they make it difficult for directors to compare and assess risk management programs with confidence.
To address this challenge, boards can consult new guides that offer ways to explore and dig into potential cyber risk management issues and other technical matters.
The Center for Audit Quality (CAQ) recently released a new publication, “Cybersecurity Risk Management Oversight: A Tool for Board Members.” The tool, like other emerging frameworks, is designed to help board members probe more deeply, challenge management assertions from a position of knowledge and understanding, and make more informed use of independent auditors.
Asking the right questions
In addition to offering board members a high-level overview of cybersecurity risk management issues and board responsibilities, the tool offers a series of probing questions board members can use as they engage in discussions about cybersecurity risks and disclosures with management and with independent financial auditors.
The questions are organized into four groups:
- Understanding how the financial statement auditor considers cybersecurity risk. These questions help board members understand the auditor’s approach to cybersecurity-related risks, and how such risks get addressed in the audit process.
- Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures. These questions help board members explore compliance with current SEC guidance, as well as other regulatory and disclosure requirements.
- Understanding management’s approach to cybersecurity risk management. These questions look beyond financial reporting and compliance, and begin to probe broader cybersecurity-related issues, including the governing framework, policies, processes, and controls the bank has in place to manage and mitigate cybersecurity risk.
- Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk management. These questions help board members learn about additional offerings CPA firms can provide to assist them, and what factors to consider when engaging outside auditors to perform readiness assessments and examinations.
Starting the conversation
The CAQ says the cybersecurity oversight tool is not intended to be a comprehensive, all-inclusive list of questions for board members to ask, and it cautions against treating the questions as a checklist.
Rather, board members should look at the questions as conversation starters: examples of the types of issues they should raise with management and financial statement auditors. The purpose is to spark a dialogue that clarifies responsibilities and helps board members develop a better understanding of how the company is managing its cybersecurity risks.
Expanding CPAs’ capabilities
As noted, one group of questions is designed to help board members learn more about other cybersecurity assurance services offered by CPA firms. One example of such services is the new System and Organization Controls (SOC) for Cybersecurity examination developed by the AICPA.
The information within the report provides management, directors or clients a description of the organization’s cybersecurity risk management program and an independent opinion on the effectiveness of the controls in place.
As concerns over cybersecurity risks in banking continue to intensify, directors will find it increasingly necessary to be capable of effectively challenging executive management and financial auditors. This tool is one guide, alongside other evolving frameworks and services, that can help boards fulfill their responsibilities while also adding significant value to the bank and its shareholders.
Updates to the FFIEC Management Booklet portion of the IT Examination Handbook in late 2015 have placed your board of directors under more pressure than ever to ensure the health and stability of your institution’s overall IT and cybersecurity environment.
While the board has always held ultimate responsibility for institutional governance, the revised handbook places extra demands on their level of knowledge and involvement, particularly in the areas of cybersecurity, examination procedures and IT management.
It’s perhaps the IT management portion and its two major changes that will prove most taxing to board members. First, the description of the IT management structure is more granular, with the addition of two new parties: executive management and a chief information security officer. Specifically, executive management is expected “to understand at a high level the IT risks faced by the institution and ensure those risks are included in the institution’s risk assessments. In the event that executive management is unable to implement an objective or agree on a course of action, executive management should escalate that matter to the board for more guidance.” The chief information security officer’s duties are spelled out in depth, and the guidance requires that person to report directly to the board, a committee of the board, or senior management—but not to someone in IT. The board is responsible for implementing this new governance structure.
Secondly—and of more concern—the updated guidance requires board members to provide “credible challenges” to bank management before approving IT or security decisions. This means they must maintain enough understanding of IT and cybersecurity matters to ascertain how these decisions might pose risks to the institution and whether they align with its overall strategy. And if they don’t understand something, they must be able to ask thoughtful, intelligent questions until they do.
Now, as most of us know, it isn’t uncommon for board members to “rubber stamp” IT management decisions, sending approvals through with a modest amount of consideration. So, given their accountability for understanding these matters before signing off on them, how can you help your board succeed?
It helps to view this challenge as a two-way street: the board provides oversight and governance, and the bank’s management and subject matter experts (SMEs) share their knowledge and information with board members to help them carry it out. There are four best practices to accomplish this task:
- Request that bank management, as well as the IT and security departments, begin passing relevant information to the board. Specifically, this includes monthly or quarterly summaries of incident reports that can apprise the board of any major incidents involving downtime, deployment of business continuity plans or anything else that could affect business decisions.
- Have your bank’s IT and security SMEs—or possibly an outside firm—provide the board with continuous updates on regulators’ expectations surrounding cyber risk management and oversight, as well as which high-level risks are circulating in the current environment. The experts also can consult with board members about why this knowledge is important, and how they can incorporate it into their strategic decisions.
- Encourage the board members to actively educate themselves by doing their own reading and research. To that end, ask one or two members to sit in on IT or security steering committees, then take the information they learn back to the rest of the board. This gives them access at the ground level.
- Invite the board to get involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), which shares the latest threat intelligence and attack methods, and encourages its financial industry members to do the same. If your institution has a membership—and it should—board members can access those resources and take part in the center’s bi-weekly conference calls.
Again, board members don’t have to become overnight SMEs. But they need to be involved, engaged and ready to ask some tough questions to ensure IT and security strategies are aligned with board expectations and the risk appetite they’ve set. If not, they shouldn’t be voting to approve IT plans.
After all, when it comes to IT, you can have all the best technology in the world, but if it’s unreliable or exposes your bank to too much risk, what good is it? It’s within the best interest of your institution and its board of directors to carefully apply the updated FFIEC guidance to all IT and security decisions.
In mid-2015, executives at a bank in Russia awoke one morning to discover that the institution had lost millions of rubles overnight through a series of unauthorized withdrawals made through the automated teller machines of other banks. Earlier in the year, the Russian ruble experienced a volatile 14-minute swing in the exchange rate that resulted in one financial institution’s reported loss of $3.2 million on trades. Another well-coordinated attack, in 2013, resulted in a loss of $45 million taken from ATM locations around the world after hackers eliminated the cash-withdrawal limits on 12 debit card accounts.
Such attacks are not limited to Russian banks; hackers and other cyber criminals are threatening the security of financial institutions around the world. The rise in cyber threats puts a spotlight on the vulnerability of the IT systems at many financial institutions—and intensifies the need to implement more robust security procedures to protect institutional assets.
A comprehensive assessment of an institution’s cybersecurity environment would have gone a long way towards establishing appropriate technology governance and protecting the assets of those Russian banks.
Targeting the Weakest Link
The most common and effective form of cyberattack is social engineering: contacting personnel by email or phone and duping them into disclosing confidential information, such as credentials, that can subsequently be used to gain access to systems and data. Alternatively, an employee opens an email attachment or link that unwittingly installs customized and often quite sophisticated malware, the software attackers use to infiltrate IT systems.
Financial institutions are clearly not immune to such attacks, and attempts at unauthorized access have increased. Perimeter controls such as firewalls are no longer enough on their own to protect an institution from modern threats: even where they block an intrusion attempt, outdated banking processes and systems are commonly the weak link exploited in these scenarios.
Implement a Risk-Based Approach
Most banks would claim they have a robust risk-assessment process, and to an extent this may be true. But the focus is often primarily on business risk, not cybersecurity, and therein lies the issue. As a result, areas of weakness such as the interconnection to ATM networks may be overlooked. In addition, most banks have limited personnel and security resources dedicated to IT, so despite being attacked virtually every day, they cannot react to every alert. Moreover, a bank’s internal enterprise risk management group may not be familiar with current risks or trained to respond to advanced threats.
IT investments will be based in part on whether or not the institution has been compromised historically; if management thinks a breach won’t happen, they probably won’t invest heavily in cybersecurity. Larger banks may have the resources to absorb the costs caused by a cybersecurity attack, but that is not true for all financial institutions.
There are a number of steps that financial institutions can take in order to mitigate IT security risks:
- User awareness training: One of the most effective actions that any organization can take to reduce the risk of successful security attacks is employee and customer education. Strong awareness and education processes are critical actions to take to minimize the risks that social engineering poses. Training will differ, depending on the roles and responsibilities of the users, but an educated workforce and customer base are strong defenses against attacks.
- Review and apply controls using a risk-based approach: To be truly effective, a risk assessment must get down into the weeds. A robust compliance program will evaluate—and periodically re-evaluate—threats in the entire universe of the banking system.
- Identify weaknesses: If the bank doesn’t examine the weaknesses in their systems, the hackers will. There is a reason why the hackers used the ATMs owned by one bank to steal money from another institution—they knew that most systems would give them a few hours’ lead time before their withdrawals were reported. Understanding this weakness and implementing mitigating controls such as alerts could have at least minimized the damage inflicted by such an attack.
- Add controls: Management must develop and implement preventive controls designed to keep incidents from occurring and to deter unauthorized access. That said, it should also be assumed that these controls will eventually fail. Detective controls therefore monitor for and alert the organization to malicious or unauthorized activity, including activity by employees, whether knowing or not. In addition, corrective controls help limit the scope of an incident and contain unauthorized activity.
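The weakness and detective-control points above both turn on the same idea: an authorization system that has been tampered with will happily approve every withdrawal, so the alerting has to come from a second, independent check. The Python below is an added example, not code from the article or from any bank it mentions. It reconciles a constructed log of approved ATM withdrawals against a copy of each card's limit held outside the authorization host, and applies a velocity rule across ATMs and countries. The log format, card tokens, ATM identifiers, countries, amounts and limits are all constructed for illustration.

```python
"""Detective control for ATM cash-out fraud (added example).

Reconciles approved withdrawals against a copy of each card's limit held
outside the authorization host, plus a velocity rule, so an attacker who
removed limits on the host still triggers an alert. All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one approved withdrawal per line, as a card switch might
# export them. Card 5500****0004 is cashed out across five other-bank ATMs in
# 20 minutes; card 3400****0009 is used in two countries within the hour;
# card 4111****1111 shows normal use.
SAMPLE_LOG = """\
2015-06-12T01:02:11Z card=4111****1111 atm=OWN-0001 country=RU amount=10000
2015-06-12T01:02:30Z card=5500****0004 atm=OTHER-1101 country=RU amount=15000
2015-06-12T01:05:02Z card=5500****0004 atm=OTHER-1102 country=RU amount=15000
2015-06-12T01:09:45Z card=5500****0004 atm=OTHER-1103 country=RU amount=15000
2015-06-12T01:14:10Z card=5500****0004 atm=OTHER-1104 country=RU amount=15000
2015-06-12T01:20:33Z card=5500****0004 atm=OTHER-1105 country=RU amount=15000
2015-06-12T02:00:00Z card=3400****0009 atm=OTHER-2201 country=RU amount=8000
2015-06-12T02:40:00Z card=3400****0009 atm=OTHER-3301 country=UA amount=9000
2015-06-12T09:15:00Z card=4111****1111 atm=OWN-0002 country=RU amount=10000
"""

# Constructed: each card's rolling 24h cash limit, kept as an independent copy
# outside the authorization system. A card missing here is treated as having
# a limit of 0, so unknown cards fail closed and are flagged.
POLICY_DAILY_LIMIT = {
    "4111****1111": 40000,
    "5500****0004": 30000,
    "3400****0009": 20000,
}


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime
    card: str
    atm: str
    country: str
    amount: int


def parse_log(text: str) -> list[Withdrawal]:
    """Parse 'TIMESTAMP key=value ...' lines into Withdrawal records, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        records.append(Withdrawal(
            ts=datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"),
            card=kv["card"], atm=kv["atm"], country=kv["country"],
            amount=int(kv["amount"]),
        ))
    return sorted(records, key=lambda r: r.ts)


def _same_card_in_window(records, current, window):
    """Records for current.card with timestamps in (current.ts - window, current.ts]."""
    return [r for r in records
            if r.card == current.card and current.ts - window < r.ts <= current.ts]


def find_limit_breaches(records, limits, window=timedelta(hours=24)):
    """First point at which a card's rolling withdrawals exceed its policy limit.
    Returns {card: (timestamp, cumulative_amount)}."""
    breaches = {}
    for rec in records:
        if rec.card in breaches:
            continue
        total = sum(r.amount for r in _same_card_in_window(records, rec, window))
        if total > limits.get(rec.card, 0):
            breaches[rec.card] = (rec.ts, total)
    return breaches


def find_velocity_anomalies(records, window=timedelta(hours=1),
                            max_atms=3, max_countries=1):
    """First point at which a card is used at more than max_atms distinct ATMs,
    or in more than max_countries countries, within the window.
    Returns {card: (timestamp, reason)}."""
    minutes = int(window.total_seconds() // 60)
    flagged = {}
    for rec in records:
        if rec.card in flagged:
            continue
        recent = _same_card_in_window(records, rec, window)
        atms = {r.atm for r in recent}
        countries = {r.country for r in recent}
        if len(atms) > max_atms:
            flagged[rec.card] = (rec.ts, f"{len(atms)} ATMs in {minutes} min")
        elif len(countries) > max_countries:
            flagged[rec.card] = (rec.ts, f"{len(countries)} countries in {minutes} min")
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for card, (ts, total) in find_limit_breaches(recs, POLICY_DAILY_LIMIT).items():
        print(f"LIMIT     {card} at {ts:%H:%M}: {total} withdrawn within 24h")
    for card, (ts, why) in find_velocity_anomalies(recs).items():
        print(f"VELOCITY  {card} at {ts:%H:%M}: {why}")
```

On the constructed sample, the limit check fires on the third 15000 withdrawal for 5500****0004 (45000 against a 30000 limit) and the velocity check fires on the fourth distinct ATM; 3400****0009 stays within its limit but is flagged for appearing in two countries within an hour. The value of the control is in the independence of the limit copy: in production it would be sourced from the core or policy store rather than from the switch that approved the transactions, and the reconciliation would run against the authorization feed close to real time so that the lead time the attackers relied on shrinks from hours to minutes.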
With so much at stake—potential financial losses, compromised brand reputations, access to operational capital and possible regulatory violations—taking action is a business imperative.
The size, complexity and ever-evolving nature of cyberattacks mean there’s no one-size-fits-all way to respond. Whatever your organization’s plan to mitigate the risk of data breaches, to be effective, it must encompass the five attributes discussed here.
Attribute One: An Effective Framework
An effective, appropriate framework is an essential place to start. The centerpiece of any cybersecurity risk management program, a cybersecurity framework is a standard designed to assist with managing the confidentiality, integrity and availability of data and critical infrastructure.
Many frameworks are now in use in various industries; common ones include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO/IEC 27001 and ISACA’s COBIT. Regardless of which framework an organization chooses for managing its cybersecurity program, the framework will need to be adapted and fine-tuned to reflect the organization’s size and the nature of the data being protected. The point here is not to advocate for one framework over another; rather, the point is that choosing and implementing a framework is an essential first step in guarding against cybersecurity threats and launching a cybersecurity risk management program.
Attribute Two: End-to-End Scope
The second critical attribute of a cybersecurity program is its scope. An effective program must be comprehensive, or end to end, in scope—that is, the program must address all the critical elements that need to be protected in the institution.
To understand your full scope, you must “follow the data” and identify everywhere sensitive data is created, stored or transmitted. Beyond the immediate system, there might be many unknown data stores, including cloud services and third-party vendors.
Attribute Three: Thorough Risk Assessment and Threat Modeling
Because no institution has unlimited resources to devote to cybersecurity, the multiplying array of threats means risk assessment and prioritization are essential. By monitoring emerging threats and assessing both their likelihood and the damage they could cause, the cybersecurity team can develop a decision heat map that plots the potential risk against the cost and effort that would be required to protect against it.
Attribute Four: Proactive Incident Response Planning
For much of its history, the cybersecurity industry focused on preventing attacks. Prevention remains paramount, but preparing for the worst case, on the assumption that some attack will eventually succeed, has become equally important. Preparing an incident response plan, and updating it regularly, is a minimum first step.
A typical incident response plan encompasses the following fundamental steps, most of which must be in place before an incident occurs so that the bank can execute them under pressure:
- Inventory and understand the data to be protected.
- Inventory and classify incidents.
- Understand known threats and monitor new ones.
- Identify the stakeholders and incident response team—corporate communications, legal, compliance, lines of business, IT and external forensics partners.
- Set up a command center.
- Develop and implement a containment and investigation strategy.
- Develop and implement an evidence preservation strategy.
- Develop and implement a communication plan for customers, media, regulators and other stakeholders.
- Conduct a post-mortem and apply lessons learned.
Attribute Five: Dedicated Cybersecurity Resources
The final critical attribute of a cybersecurity initiative is having sufficient resources dedicated to the effort—in particular, a designated cybersecurity team. Many organizations have not yet given adequate attention to this requirement, often neglecting to assign appropriate roles and responsibilities or failing to establish the necessary governance structures called for in the framework being used.
In most companies, the IT team’s day-to-day attention is focused primarily on keeping the system up and running—an understandable priority. After all, service interruptions are noticed immediately and the effects are apparent to almost everyone. On the other hand, security lapses or breaches are less visible than service interruptions—at least at first—and the benefits of prevention and incident planning are not nearly as obvious.
The cybersecurity effort should be led by an experienced team leader whose primary duty is IT security, rather than someone who squeezes it in among other priorities. If the company is too small to afford a dedicated cybersecurity staff member, consider retaining a professional cybersecurity firm to run the IT security function and develop appropriate prevention and response plans.
An effective audit committee is a critical component of a financial institution’s corporate governance, but such a committee does not come about by accident. It is formed through a deliberate process that includes appointing qualified individuals, providing adequate resources and offering other appropriate support.
The Right People
Every effective team begins with an effective leader to serve as chairperson. To fill that role for the audit committee, the board must select an independent director who, at a minimum, possesses an understanding of U.S. generally accepted accounting principles and the importance of internal controls. The audit chairperson should have a sense of the pressure points where the institution might be particularly vulnerable to fraud. Often, board members are business owners, managers in other organizations, or educators and will need help to acquire the requisite skill sets to lead or participate on the audit committee.
The Right Resources
With accounting standards, regulatory compliance requirements and risk factors continuing to change at a rapid pace, boards need to commit time and money to keep the chairperson and the audit committee up to speed. New accounting rules revisit some long-standing techniques in order to establish a more transparent level of reporting. Also, the introduction of the Consumer Financial Protection Bureau (CFPB) added complexity to regulatory compliance, and a bank that runs afoul of the new rules could suffer substantial harm to its reputation. In addition, technology and customer demands for access to services through nontraditional channels add risks never contemplated 10 years ago.
To help the audit committee stay current, the board should provide it access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring the activities at other banks. Their publicized experiences (for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular attention from the audit committee. Audit committee members must be intimately familiar not just with their own bank—but also with the banking industry as a whole.
The Right Support
Although it is management’s responsibility to establish processes and controls to manage risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored. The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility.
As with the audit committee, the success of internal audit hinges on the training and experience of the team members and on the provision of necessary resources. The importance of these elements increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required of publicly traded companies, because management must attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.
Bear in mind that a bank’s growth often is not mirrored in changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles will be prolonged if internal audit has insufficient personnel. When the board looks strategically at the organization, it must align the expansion of the business with the risk mitigation process—including internal audit resources. Even the most capable audit committee will prove ineffective without a well-armed internal audit team.
The board also should recognize that its attitude and that of management toward internal audit frequently contribute to its success (or lack thereof). Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk. If management is dismissive of findings, and the audit committee or board is uninterested in follow-up, the value of the internal audit role will erode quickly.
The Right Approach
Board members are elected to oversee the activities of their bank, and the audit committee is an integral part of that oversight. It is in the board’s—and the bank’s—best interest to provide both the audit committee and internal audit with the training and resources necessary to execute their responsibilities.
Whether your bank uses an in-house, an outsourced or a co-sourced internal audit function, the internal audit program must be independent. And no matter the arrangement, management and the board have a degree of responsibility for internal audit’s efficacy—as such, they must accept ownership of this function even where it is fully outsourced.
As part of this, nationally chartered banks need to comply with the requirements issued by the Office of the Comptroller of the Currency (OCC) in October 2013 entitled “Third-Party Relationships: Risk Management Guidance,” which deals with the selection and ongoing oversight of all critical third-party relationships, including outsourced or co-sourced internal audit arrangements. Although the guidance is addressed to national banks, it also establishes a best practices approach for state chartered banks that are supervised by the Federal Reserve or Federal Deposit Insurance Corp. The OCC guidance stipulates that banks must implement effective risk management processes to actively manage outsourced vendors, and that the roles and responsibilities for overseeing and managing all third-party relationships be specific and clearly defined. Therefore, whether the bank outsources or co-sources all or parts of an internal audit program, doing so does not diminish the responsibility of its board of directors and senior management with respect to overseeing and managing the program.
So the question becomes how best to manage outsourced or co-sourced internal audit relationships while optimizing the independence that is necessary for boards and audit committees in the fulfillment of their responsibilities.
Banks are deploying a variety of approaches driven by organizational structure, cost or culture. Sometimes these are successful, but they often fall short of regulatory expectations.
It is possible to achieve a quality internal audit program as long as the board and management adhere to a number of key principles and are truly committed to having an internal control environment that helps the bank manage its risks.
Our firm has helped hundreds of banks implement effective internal audit programs in both full outsourced and co-sourced scenarios. Some of the elements that we have found most critical to building an effective program include:
Corporate Governance: Corporate governance and the tone at the top are the foundation of an effective program. This entails setting up a structure that includes direct reporting to the chairman of the audit committee while, at the same time, having appropriate internal management oversight. Often that oversight resides with the chief risk officer of the bank. However, we have observed successful programs that use compliance officers or an in-house internal auditor. Independence is derived from board and management commitment, setting the tone and culture within the bank.
Internal Audit Risk Assessment and Audit Plan: The success of an internal audit program is highly dependent on identifying the risk profile of the bank and developing an appropriate audit plan that addresses those risks. Just a few of the areas complicating today’s bank risk environment include information security and technology driven service delivery channels, consumer compliance and BSA/AML compliance requirements and interest rate risk management.
Experienced and Qualified Internal Audit Team: A successful internal audit program is simply not possible without deploying the right expertise and experience to audit the different aspects of a bank’s business and compliance requirements.
A successful internal audit program is often achieved through an outsourced or co-sourced solution, which, under the regulatory guidance, management remains responsible for managing. However, independence does not need to be compromised, particularly if the bank culture and tone at the top are committed to an independent, risk-based internal audit program.