THE CHALLENGE TO BANK

I. Introduction

I am honored to be here today. It's good to be back with practicing accountants — though I must admit the accountant's job is much tougher today than it was twelve years ago when I was in the business.

Your Institute's members represent the front line of defense against fraud, insider abuse, and unwise financial practices within the nation's corporations. Your job is difficult, but vital. In tandem with independent auditors, you are responsible for helping safeguard the confidence of shareholders and the general public in the way business is conducted. I salute you, and encourage you to keep up the good work.

II. Discussion

As a bank supervisor, I am particularly interested in how information gathered by bank auditors can help simplify the lives of government bank examiners. Although bank auditors and bank examiners both share the common goal of a strong financial system, their roles in the past have differed. Bank auditors were the "eyes and ears" of the board of directors and the shareholders of a bank. FDIC examiners, on the other hand, are primarily interested in protecting the insurance trust fund and instilling public confidence in the banking system. Auditors reviewed financial records to see if, in their opinion, financial statements were fairly presented. Examiners tried to maintain public confidence in our banking system by detecting deteriorating bank conditions early enough to allow time for correction and to limit the exposure to the insurance fund.

These traditional roles are now blurring. Auditors and examiners more and more have the same audience. Not only do auditors have a responsibility to the board of directors and shareholders, but many people now claim that their audited financial statements are also for use by the public, analysts, and government officials. We at the supervisory agencies also are increasingly looking at our role in assuring proper disclosure by the banks.
In these days of limited resources, we are placing more emphasis on planning examinations by targeting our resources to those banks and areas of a bank that exhibit the greatest risk potential. We are therefore relying more on our offsite monitoring system, which depends largely on financial information provided by the Call Reports. Audits and accounting assistance to banks and thrifts provide us with greater assurance that Call Report information is reliable.

Accordingly, the FDIC is encouraging, but not requiring, banks to have an independent audit. Audited financial statements can be presumed to more fairly present an institution's financial position than unaudited statements, thereby enabling depositors and creditors to better judge a bank's performance. The CPA provides help to management in dealing with the accounting treatment for the complex transactions and intricate financial deals made by banks today. The audit also provides assurance to the board of directors that they are well-informed about the condition of the bank, that management is complying with their policies, and that internal controls are strong.

I will not presume to lecture you on how to do your business. I would, however, like to share with you the FDIC's thoughts about matters that deserve special emphasis in outside bank audits, thoughts those of you who are bank auditors might wish to share with the independent CPAs who come knocking at your doors. Specifically, I will focus on (1) control systems and fraud detection, (2) the loan portfolio, (3) the reserve for loan losses, (4) legal considerations, and (5) communications.

Internal Audits

First, though, let me say a few words about what the FDIC looks for in a bank's internal audit department. Obviously, the size of the bank has a lot to do with the type of audit program we expect to see. But regardless of a bank's size, a successful program really depends on three basic elements: independence, competence, and management support.
Independence is critically important. The internal auditor should report directly to the board of directors or the audit committee of the board of directors. This line of authority should be clearly defined in writing and applied in practice. The auditor's responsibilities should also be established in writing and approved by the board. Auditors should not be sidetracked into performing operational tasks which they would normally audit. They need the power to delve into all of the bank's affairs, including those of the bank's management. Without this independence, the internal auditor will lack effectiveness and be of little or no real value to the bank.

Independence alone is not enough, however. In today's complex banking environment, the board of directors must be firmly committed to developing and maintaining a high quality, competent audit staff. This means competitive compensation, a program of continuing education and professional development, and a career path that provides the potential for future advancement within the bank. It does not mean placing marginally qualified line officers or employees into dead-end audit jobs.

The third element necessary for a successful audit program is management support. There is just no way auditors can perform their responsibilities effectively if they are quarantined from the rest of the bank. Senior management must demonstrate, by the nature of its relationships with the internal auditors, that they are key players in the organization. To ensure that auditors gain the respect of their peers, they must be brought into the mainstream. By this, I mean that auditors should be informed of all key management decisions. They must be fully apprised of the bank's goals and aspirations and they must have a full understanding of the policies they are expected to monitor. The auditor's report findings must be seriously considered and followed up to ensure that deficiencies are satisfactorily corrected.
Obviously, the board must verify that the audit department does not become involved in areas that may compromise its independence. But it is proper, and in fact necessary, for auditors to make recommendations to management concerning decisions that may affect proper control procedures.

When FDIC examiners evaluate an institution's audit program, they essentially look at the three basic elements I have already discussed. We recognize, however, that depending on the size and complexity of a bank's operations, the board's responsibility for providing an adequate audit program can be satisfied in a variety of ways. Small banks, for example, may not be able to justify a full time auditor. They may have to depend on employees with part time audit responsibilities combined with strong internal operating controls and possibly an outside audit. In contrast, large, sophisticated banking operations would be expected to have a highly competent, sophisticated audit team to match the complexities of a large bank operating environment.

Control Systems and Fraud Detection

Now let me turn to the outside auditor's responsibilities. From the FDIC's standpoint, the most important role the outside auditor has in a bank is confirming the strength of its control systems — both internal controls and management controls. Although our examiners have always scrutinized this area, the increasing importance of sound control systems for the prevention of insider abuse, fraud, and embezzlement warrants greater attention.

John Kenneth Galbraith described embezzlement in his book, The Great Crash, 1929, by stating that it:

. . . varies in size with the business cycle. In good times people are relaxed, trusting, and money is plentiful. But even though money is plentiful, there are always many people who need more. Under the circumstances the rate of embezzlement grows, the rate of discovery falls off, and (em)bezzle(ment) increases rapidly. In depression all this is reversed. Money is watched with a narrow, suspicious eye. The man who handles it is assumed to be dishonest until he proves himself otherwise. Audits are penetrating and meticulous.

Needless to say, we cannot wait until there is a depression for audits to become more critical and discerning or for insider abuse and fraud to cease.

An FDIC survey of insured banks that failed from 1980 to 1982 found fraud and embezzlement by insiders were a major factor (but not necessarily the primary factor) in 15 percent of the failures. Credit losses on loans to insiders were a major factor in 27 percent of the cases. All told, fraud and insider abuse contributed to over 40 percent of all failures.

Insider fraud usually involves making loans to fictitious borrowers, withdrawals from inactive accounts, issuing checks on accounts opened under false names and cycling overdrafts between them, as well as various other ploys. Often correctly, insiders reason that their embezzlement can be easily "buried" in the high volume of transactions handled daily by a financial institution. Insider abuse, another major problem, usually involves a waiver of proper credit standards or a failure to follow established loan procedures.

There are a variety of ways in which employee fraud and embezzlement could be detected at an early stage, or avoided completely. One area of concern is mandatory vacations and segregation of duties. Not only should outside auditors confirm that the policy of mandatory vacation is being enforced, but frequent rotation of duties — particularly where segregation of duties is not practical — is also a good suggestion as a preventive measure. The independent review of transactions posted to employees' accounts, the review of suspense and inactive accounts, and the investigation of unusual items in clearing accounts can also limit cases of fraud.
Banks should be advised to clearly explain each employee's responsibilities for various document approvals so that an employee does not indicate approval carelessly or simply sign because he is told to do so.

Many of these measures would also be helpful in preventing insider abuse. Management controls must still be carefully reviewed. Budgeting and financial reporting is an important area to check to determine whether controls over management are adequate, and whether stated policies and procedures are being followed. Even the "corporate culture" of a bank is important. Does top management expect appropriate behavior from employees and managers? Do they encourage it by their planning, training, hiring, and organizational policies? What degree of oversight does the bank's board of directors — particularly outside directors — provide over management controls?

Management itself is a great part of this evaluation. The competence of management is important in determining the reliability of information provided. The independence of the manager to take action indicates whether the auditor's recommendations can and will be implemented. In small banks, this may be of particular importance because a single owner or manager may have the power to set the policies and the ability to override them.

Of course, the outside auditor can do only so much. As I've already stressed, a bank's internal audit department is its first line of defense against fraud and insider abuse. No bank is too small, in our opinion, to have an adequate system of internal controls, even if it does not rise to the level of a separate "department." Testing the strength (or weakness) of this department merits the outside auditor's priority.

External fraud is usually less sophisticated, but detection and prevention measures are still needed. In the deposit area, customers sometimes use forms of check kiting, such as using several accounts to "cover" overdrafts by flowing funds through them.
When applying for loans, unaudited financial statements may include company or individual assets actually belonging to shareholders or related companies. In addition, assets may be listed at values far in excess of their real market value on financial statements filed with banks to support increases in credit limits. Needless to say, obtaining audited financial statements and title searches would greatly limit this type of fraud.

We are stressing fraud detection with our examiners, and believe it is an area in which outside auditors and bank supervisory agencies can work together to strengthen the banking system.

The Loan Portfolio

The evaluation of credit risk represents a major part of our examination process and will continue to be so. Outside auditors may wish to strengthen their review of asset quality and the adequacy of the bank's loan loss reserves. We have seen evidence in one highly publicized bank failure where independent auditors apparently ignored questionable loans cited in earlier work by the bank's internal audit staff.

The problems in the agricultural and energy segments of our economy demonstrate why industry diversification is more important than ever when reviewing a loan portfolio. In addition, the auditor should be highlighting any concentrations of loans by geographic area, by borrower, and by types of borrowers. Loan participations, particularly when the total loan is large, should also be reviewed. It is not enough to just emphasize the loans that the bank examiners have previously cited, or the past due loans. These problem credits should be reviewed, of course, but not to the exclusion of all others.

In addition, check the loan documentation. It is often a symptom of far greater problems, and more often than not, the absence of documentation means the absence of quality. Please do not overlook the loan approval process and compliance with the bank's written lending policy.
Any deviations from this policy or weakness in the approval process may indicate future problems in the portfolio or even problems with insider abuse. The written lending policy and all written board policies should be reviewed for compliance by the auditors. Insider loans should be scrutinized carefully by the auditors. Certainly the Butcher dealings in United American Bank and other Tennessee financial institutions provide a convincing example of the importance of reviewing insider loans and transactions.

Reserve for Loan Losses

An understated reserve for loan losses is one of the more frequent deficiencies found by our examiners. Remember, an adequate loan loss reserve is not the percentage the IRS will allow (and we certainly hope they will continue to allow a loan loss reserve under any new tax bill Congress may pass), but is the amount that, in management's opinion, adequately reflects possible losses in the loan portfolio. This amount should be the estimate that will provide for losses in the period when they become apparent, not just when the charge-offs are directed by our bank examiners.

Our examiners often find that they have to press management to reassess the allowance for loan losses realistically. The independent review of this reserve and management's assessment process could greatly reinforce our efforts. After all, an inadequate loan loss reserve overstates earnings and capital, provides false and misleading financial information to the public, and ultimately may threaten the soundness of the bank.

Legal Considerations

While I am not here to scare anyone, you are probably well aware that the FDIC, in liquidating the assets of a failed bank, has and will continue to review the work of any prior outside audit to determine whether there is a cause of action against the auditor. Unfortunately, there have been some cases where, in our opinion, action was clearly appropriate.
Currently we are involved in three lawsuits against independent auditors of failed banks. While there was some degree of fraud involved in two of these cases, none of our claims is based solely upon the failure of the audit firms to detect and report fraud. In fact, our claims are based principally upon the audit firms' failures to adequately review credit files. Those failures led auditors to sign off on financial statements containing inadequate loan loss reserves, and to fail to detect and report to the banks serious conditions in the loan portfolios.

If the auditors had reported the poor portfolio conditions, it is likely that the banks would have taken steps to correct the situations, thereby preventing further losses. Banks would have conducted further investigations to determine why certain credits were being extended. These steps would probably have resulted in the detection of fraud, to the extent fraud contributed to the loan problems.

Outside auditors also need to be aware of the possibility of private litigation. Recently the New Jersey and Wisconsin Supreme Courts held that an accountant owes a duty of due care to all persons whose reliance on his report was reasonably foreseeable. New York law is a bit less severe. In 1985 the New York Court of Appeals held that an accountant owes a duty of due care only to its clients and to those persons whose reliance upon the accountant's report was both specifically foreseen and acknowledged by the accountant. Under Texas law accountants owe a duty of due care to persons whom the accountants knew were relying on their report.

In short, while the law differs somewhat among the states, courts in several major jurisdictions have held that accountants can be liable for negligence to third parties. Every independent auditor should keep that fact in mind when carrying out his duties.

Communications

The last, and certainly not least important, point I would like to make is that good communications are essential.
Following proper auditing procedures and emphasizing the evaluation of internal controls, asset reviews, and loan loss reserve adequacy will be of little value if the findings are not adequately communicated to the board of directors. The independent review of a bank's operations is one of the most important tools the board of directors has to recognize potentially serious problems and correct them before they become a threat to the bank. Outside directors, in particular, must be able to rely on the outside audit for much of their information about the bank. The importance of communicating with the board of directors in a clear, explicit, and timely manner cannot be overemphasized.

We would also like to encourage improved communications between the bank examiners and the independent auditors. We are hopeful of having a bank's outside CPA play a greater role in our examination process. Our goal for the future is to identify and effectively use all available supervisory tools, whether they be found in the public or private sector. To do this, we need better communications with outside auditors.

FDIC policy permits a bank to allow its outside auditors to review our examination reports and any correspondence between the FDIC and the bank about that report. With the prior approval of the bank, our examiners are authorized to exchange information with the independent auditors when they are in a bank at the same time. If the audit does not coincide with a regular examination, our regional offices are authorized to cooperate with a bank's outside CPAs. We have no objection to the auditors attending, as observers, the examiner's exit interview with management and meetings with the board of directors at the bank's invitation.
In the interest of pursuing dialogue, I recently suggested that it would be to the benefit of all if the independent auditors were under an obligation to notify the supervisory authorities when they uncovered a major fraud or evidence of insider abuse. This may represent a change in the traditional lines of responsibility of the auditor and the examiner, but it is a change we should continue to at least consider. We at the FDIC believe that our whole financial system would be strengthened through closer cooperation between independent auditors and the FDIC.

III. Conclusion

Thank you very much. As Charles Lindbergh remarked as he approached Paris near the end of his historic flight, "I have some gas left, but I think I'll stop here."