Auditing the Auditors
By Jack Milligan
Meeting heightened corporate governance
standards for financial institutions requires proactive
internal auditors.
The tough new corporate governance requirements of the Sarbanes-Oxley
Act, enacted in the wake of mega-scandals at fallen
companies such as Enron Corp. and WorldCom Inc.,
pose a major new regulatory burden on many industries,
which now must adhere to audit and disclosure standards
that previously applied mostly to banks.
But should banks themselves be concerned?
There's a strong tendency for bankers to say no, given
that depository institutions have lived for 12 years with
the FDIC Improvement Act (an important model for
Sarbanes-Oxley) without feeling particularly overwhelmed
or witnessing a lot of governmental intrusion into their
internal auditing procedures.
Such complacency would be a big mistake.
For one thing, the new Sarbanes regime is much broader
in scope than its FDICIA antecedent. And while the federal
banking regulators seemingly showed little more than perfunctory
interest in FDICIA's Section 36, which focused on internal
controls and financial reporting, Sarbanes-Oxley represents
the sharp spear point in the government's drive to clean
up corporate America. "It's requiring banks to take
a fresh look at all of their auditing systems," says
Patricia Oliver, a partner in the Cleveland office of
Squire, Sanders & Dempsey.
Federal regulators certainly are stepping
up their involvement. In March, the Federal Reserve Bank
of Cleveland obliged Fifth Third Bancorp to sign an agreement
strengthening some of its risk management and internal
control processes. The Federal Reserve Board took similar
action last year with PNC Financial Services Group over
an accounting issue. And recent Securities and Exchange
Commission investigations at Huntington Bancshares Inc.
and Freddie Mac both involve control-and-audit issues.
"The regulators are looking at this big-time now,"
says former Comptroller of the Currency Eugene Ludwig.
What's the proper response, then, for
financial institutions? The first step, experts say, is
a complete review of all the control-and-review practices
previously established under Section 36 of FDICIA. This
documentation can then be used as a foundation for improving
compliance with Sarbanes-Oxley.
As a general rule, institutions should
also take a more conservative posture toward Sarbanes-Oxley
than toward FDICIA. For one thing, this is a new law and
the SEC will be paying close attention. Also, there are
harsher penalties in Sarbanes-Oxley for issuing fraudulent
financial statements.
Finally, the bank's internal auditors
should test the new financial controls to make sure they're
performing as intended. Although Sarbanes-Oxley will probably
require an increased use of outside auditors, to maintain
required levels of independence, it will also elevate
the role of internal auditors within their own organizations.
Over the next year, bank auditors will
be required to work closely with their organization's
executive management and outside accountants to create
a strong control environment, and the muscle-flexing has
already begun. "A lot of internal auditors are saying
'I'm finally getting an opportunity to show what I can
do,'" says Michele Sullivan, a partner in the consulting
practice of Crowe, Chizek and Co., an Indianapolis-based
consulting and accounting firm.
Rogue Trader
The importance of internal auditing
in banking is highlighted by the disaster that overtook
Allfirst Financial Corp. in 2001. Before he was caught
that December, a rogue foreign currency trader at Allfirst
named John M. Rusnak had racked up $691 million in losses
through a fraudulent scheme that went undetected for five
years.
How did he avoid discovery for so long?
To begin with, Allfirst's senior management failed to
maintain the necessary system of internal controls. Then,
the internal auditing team didn't catch on until it was
too late. Compounding the disaster, Allfirst's external
auditing firm permitted this slipshod environment to exist
for years.
These very issues (internal controls,
auditing procedures, management accountability and the
oversight responsibilities of external auditors)
are at the heart of the Sarbanes-Oxley reforms.
Former Comptroller Ludwig, now the managing
partner at the Washington, D.C.-based accounting firm
Promontory Financial Group, performed an exhaustive investigation
into Rusnak's misdeeds for Dublin-based Allied Irish Banks
plc, which owned Allfirst at the time. In his view, the
Allfirst fraud case is exactly the kind of situation that
Sarbanes is intended to address. "In the financial
controls area, this is the center of the bull's eye,"
Ludwig says.
Section 404 of Sarbanes-Oxley requires
that all public companies establish a set of internal
controls and procedures for financial reporting, and include
in their annual reports "management's conclusions"
about the effectiveness of those controls. This assertion
by management as to the effectiveness of its financial
controls also must be "attested" to, or
in effect confirmed, by the company's registered
public accountant. Lastly, the company is required to
conduct a less rigorous quarterly evaluation of its internal
controls and procedures for financial reporting.
Section 404 is modeled closely on FDICIA's
Section 36, which also requires that CEOs, CFOs and/or
chief accounting officers maintain an adequate internal
control structure and procedures for financial reporting.
As with Section 404, these same executives are also required
to make an annual assessment of the effectiveness of these
controls, and the institution's independent public accountant
must then attest to this assessment.
Will the layering of Sarbanes-Oxley
on FDICIA help prevent fraudulent schemes such as the
one at Allfirst? The Ludwig report recounted numerous
instances where the internal control and auditing practices
at Allfirst were found to be grossly deficient. But clearly,
one underlying factor was the general detachment of senior
management from the bank's control-and-audit structure.
Such management engagement and accountability is a central
tenet of Section 404.
"The energy and freshness"
that senior management brings to a company's problems
is the "differentiating factor" in these situations,
according to Ludwig. If Allfirst's executive managers
had been paying closer attention to the bank's control-and-audit
processes, as they would now be required to do under Sarbanes-Oxley,
"there's a reasonable chance that the trading scam
would have been picked up earlier," he says.
Senior bank executives are well aware
that the post-Enron environment requires a heightened
sensitivity on their part. When PricewaterhouseCoopers
and the Economist Intelligence Unit recently asked 160
senior financial services executives to rank the various
kinds of risks faced by their institutions, reputational
risk rose to the very top (53%) of their list of concerns,
followed by credit risk as a distant second (34%). And
effective internal controls was cited as the second-most
important method of mitigating that risk (60%), close
behind clear and accessible codes of governance and risk
management practices (64%).
Heightened Scrutiny
Section 404 was originally set to take
effect as early as Sept. 30, 2003, depending on a company's
fiscal year. This had banks and thrifts scrambling through
the first half of 2003 to get the necessary control procedures
in place. The problem was, all they had to go on were
a few short paragraphs in the original legislation. That's
because the SEC, which had been given the job of developing
many of the regulations under Sarbanes-Oxley, had yet
to issue its final ruling.
When the agency announced in late May
that it was delaying the implementation of Section 404
until June 15, 2004 (meaning that companies filing
their financial reports on a calendar year basis won't
have to comply until yearend 2004), an audible sigh
of relief could be heard throughout the banking industry.
Yet that doesn't mean financial institutions can relax
for a year.
Although Section 404 of Sarbanes-Oxley
is modeled on Section 36 of FDICIA and the language is
similar, compliance with the older law does not translate
ipso facto into immediate compliance with
the new one. For one thing, Section 36 only applies to
insured depository institutions with $500 million in assets
or greater. A company that also has, say, a separate mortgage
banking or insurance agency subsidiary, is not required
under FDICIA to maintain the same control systems for
those businesses.
It's not clear whether banking companies
have pursued corporate-wide compliance with Section 36,
since there's no regulatory mandate for this. Outside
accountants and banking regulators say some bank holding
companies have chosen to follow the requirements of Section
36 in all their subsidiaries, while many others haven't.
It also appears that the federal banking
regulators took only a perfunctory interest in Section
36. "No one ever really focused on it during their
examinations," says the chief auditor at one large
commercial bank who asked that his name not be used. "It
wasn't something that examiners ever picked up and challenged."
Ed Wydock, the chief auditor at Susquehanna Bancshares
Inc. in Lititz, Pa., says he "never had one regulator
ask to see an assertion report. Section 36 turned into
a paper exercise rather than something that might add
value to an institution."
To be fair, regulators disagree with
this assessment. Examiners at the Federal Deposit Insurance
Corp., which supervises approximately 8,500 banks, are
supposed to review management's assessment of internal
controls and accompanying documentation, says George French,
the agency's deputy director for policy in the division
of supervision and consumer protection. "We do have
the expectation that the work should be done." Adds
Zane Blackburn, the OCC's chief accountant: "The
idea that we're not paying attention to it, I don't
think that's true at all."
Regardless of how seriously the regulators
took FDICIA's Section 36, they are clearly paying a lot
more attention to Sarbanes-Oxley. And that's not all bankers
have to worry about. In January, the Federal Financial
Institutions Examination Council, which comprises
all the financial regulatory agencies, issued revised
guidance to its Information Technology Examination Handbook
that calls on banks and their service providers to identify
information security risks and to evaluate the adequacy
of controls and risk management practices.
Other recent developments include new
guidelines on operational risk that were issued in February
by the Basel Committee on Banking Supervision. These require
both the independent evaluation and public disclosure
of an institution's policies, procedures and practices
related to operational risks. Furthermore, an interagency
paper issued in April by the Federal Reserve Board, SEC
and OCC strongly recommends that all banks have detailed
business continuity plans in place.
All of these additional initiatives
have attendant control-and-auditing requirements and fit
very comfortably within the structure of Sarbanes-Oxley.
"You have to think of this as part of your Section
404 compliance program," says Brian W. Smith, a former
OCC general counsel and now partner at the Washington,
D.C.-based law firm Mayer, Brown, Rowe & Maw.
Control Testing
As financial institutions contemplate
how to comply with Section 404 of Sarbanes-Oxley, they
should probably begin with a complete review of their
control-and-review practices under FDICIA's Section 36.
"Banks have an advantage here that other industries
don't have," says Susquehanna Bancshares' Wydock.
"Both the documentation of the control environment
and the assertions under FDICIA, if they were done properly,
can be used to build Sarbanes compliance. But a lot of
that documentation is stale and institutions will have
to go back and refresh their FDICIA compliance."
As a general rule, banks and thrifts
should adopt a conservative posture and assume their financial
controls will receive greater scrutiny under Sarbanes-Oxley
than has been the case with FDICIA. This is almost certainly
a safe bet given the recent regulatory investigations
of Fifth Third, PNC and Huntington over accounting issues.
It's also the case that Sarbanes-Oxley lays out some harsher
penalties for fraudulent financial statements than was
the case with FDICIA. Bank chief executive officers or
chief financial officers who knowingly file a false financial
statement with the SEC are subject to a fine of up to
$1 million and 10 years' imprisonment, and those
penalties jump to $5 million and 20 years, respectively,
if the false statements are made "willfully."
The role of internal audit then comes
to the fore by testing these new financial controls to
make sure they're doing what they're intended to do. "Control
testing," as it's called, is a time consuming process
in which internal auditors examine important processes
and their attendant controls to verify that they can't
be circumvented.
Justin Hendrickson, a Los Angeles-based
manager in the business risk services practice at the
accounting firm Grant Thornton, provides a simple example
of a payroll department "where someone has the ability
to punch a button and cut checks. The risk lies with the
employee's ability to embezzle. And if that's the risk,
what's the control?" In this example, one control
might be limitations on individual signing authority.
Internal auditors would need to see whether someone could
still manage to cut a check that exceeded their authorized
authority. Similar types of scrutiny would have to be
applied to all the institution's financial controls.
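To make the payroll example concrete, here is an added illustration (not code from the article, Grant Thornton or any bank) of what a control test looks like when it goes beyond the single obvious case. The signer names, dollar limits, payees and the 30-day window are all assumed for the example. The "weak" system only compares each individual check with the signer's limit, so a signer can exceed their authority by splitting one payment into several smaller checks; the "hardened" system also counts the signer's recent checks to the same payee and demands an independent second signature above the limit. The test function plays the embezzler and reports how much money each version actually lets through.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical signing-authority limits in whole dollars (assumed for this example).
SIGNING_LIMITS: Dict[str, int] = {"alice": 5_000, "bob": 25_000}


@dataclass
class Check:
    signer: str
    payee: str
    amount: int            # whole dollars
    issued: date
    approver: Optional[str] = None   # second signature, if any


class WeakPayroll:
    """Naive control: each check is compared with the signer's limit in isolation."""

    def __init__(self) -> None:
        self.issued: List[Check] = []

    def cut_check(self, check: Check) -> bool:
        # Unknown signers get a limit of 0, i.e. the control fails closed.
        if check.amount > SIGNING_LIMITS.get(check.signer, 0):
            return False
        self.issued.append(check)
        return True


class HardenedPayroll:
    """Aggregating control: the signer's cumulative amount to the same payee within a
    rolling window counts against the limit, and anything above it needs an approver
    who is a different person and whose own authority covers the cumulative total."""

    def __init__(self, window_days: int = 30) -> None:
        self.issued: List[Check] = []
        self.window = timedelta(days=window_days)

    def exposure(self, signer: str, payee: str, as_of: date) -> int:
        """Dollars this signer has already sent to this payee inside the window."""
        return sum(c.amount for c in self.issued
                   if c.signer == signer and c.payee == payee
                   and as_of - c.issued <= self.window)

    def cut_check(self, check: Check) -> bool:
        limit = SIGNING_LIMITS.get(check.signer, 0)
        total = self.exposure(check.signer, check.payee, check.issued) + check.amount
        if total > limit:
            approver_limit = SIGNING_LIMITS.get(check.approver or "", 0)
            # Segregation of duties: the approver may not be the signer, and must
            # have enough authority to cover the whole aggregated amount.
            if check.approver is None or check.approver == check.signer \
                    or approver_limit < total:
                return False
        self.issued.append(check)
        return True


def split_check_test(system, signer: str = "alice", payee: str = "shell co",
                     total: int = 12_000, pieces: int = 4) -> int:
    """Control test: try to move `total` past the signer's authority by splitting it
    into `pieces` checks on consecutive days. Returns the dollars that got through."""
    each = total // pieces
    got = 0
    for day in range(pieces):
        when = date(2003, 6, 1) + timedelta(days=day)     # constructed dates
        if system.cut_check(Check(signer, payee, each, when)):
            got += each
    return got


def run_tests() -> Dict[str, int]:
    """Run the same circumvention attempt against both control designs."""
    return {"weak": split_check_test(WeakPayroll()),
            "hardened": split_check_test(HardenedPayroll())}


if __name__ == "__main__":
    for name, leaked in run_tests().items():
        print(f"{name:9s} control let ${leaked:,} through")
```

The point of the test is not the arithmetic but the question it asks: the limit itself exists in both versions, yet only the second one holds up when the auditor tries the obvious workaround. A real control test would also try the other direction, for instance confirming that a legitimate check above the limit goes through when a different, sufficiently senior approver signs it, and is refused when the signer "approves" their own check.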
At Susquehanna Bancshares, Wydock was
already well into the process of creating a testing methodology
for his bank's financial control structure under Section
404 when the SEC delayed its effective date. "There
are transactions all over the institution that end up
creating financial data and affect the financial statement,"
Wydock says. He and his team spent months identifying
all of these "touch points" throughout the organization
and understanding the corresponding controls. Wydock then
developed a testing methodology that involves probing
key controls on a quarterly basis and all others annually.
Wydock asserts that Susquehanna Bancshares
is in compliance with Section 404 today, although he will
use the extra time before implementation to "make
sure our processes are as thorough as they can be."
Star Power
One important ramification of Sarbanes-Oxley
could well be a greater degree of independence between
executive management, internal audit and the external
accounting firm. For example, attorney Oliver says it
remains unclear whether an internal auditor could go to
his or her public accounting firm for advice when designing
a testing methodology, since that same firm also has the
responsibility under Sarbanes-Oxley of reviewing the company's
financial control structure and attesting to its effectiveness.
"If you need help, do you need a different external
auditing firm?" she wonders.
Under Section 404 of Sarbanes-Oxley,
it is management's responsibility to establish and maintain
a set of financial controls, an undertaking that
neither the internal auditor nor the external accounting
firm can do for them, since they are required to gauge
the controls' effectiveness. Or as Wydock puts it, "management
owns the controls."
Mary Lou Scalese, the chief auditor
at Sovereign Bancorp, a Wyomissing, Pa.-based thrift,
says external accounting firms will probably have to conduct
more independent testing of financial controls under Section
404, and they will not be able to rely as much on internal
audit's testing. That will no doubt drive up the fees
that banks and thrifts pay to their outside accountants.
And it will probably result in less sharing of work between
executive management and internal and external auditors.
"It's like we're all going to be looking over each
other's shoulders now," says Scalese.
On the other hand, the advent of Sarbanes-Oxley
will give internal auditors an opportunity to play a more
visible and more consultative role within
their own organizations. The new law elevates the importance
of financial controls, and in so doing, elevates the importance
of the internal auditor. Over the next year, bank auditors
will be required to work closely with executive management
and outside accountants to create the stronger control
environment that is at the very heart of the law.
"Sometimes internal auditing is
seen as a necessary evil, in part because it's viewed
as reactive rather than proactive," says Jennifer
Burke, a partner in charge of the internal auditing practice
at Crowe, Chizek. But in an era where the integrity of
a company's financial statements has become a primary
concern of both investors and the SEC, internal auditors
will play a crucial role in helping their companies survive
in this tough new environment. Burke says that outside
of the CEO, few people have a broader picture of their
companies than the internal auditor.
To illustrate the rising role of internal
auditors, Burke points to the Dec. 22, 2002 cover of Time
magazine, where Cynthia Cooper, WorldCom's former vice
president of internal audit, appeared as one of three
"Persons of the Year." Cooper earned that distinction
when she went to WorldCom's audit committee and blew the
whistle on fraudulent accounting practices at the telecommunications
giant.
Cooper's celebrity exemplifies the new-found
interest of the public and the government in all things
pertaining to sound financial management and reporting
accuracy in publicly-traded companies. It's not only the
new requirements of Sarbanes-Oxley that banks have to
worry about, but the public and regulatory scrutiny that
goes with them, and that is why depository institutions
will have to break out of their comfort level with FDICIA
compliance and get with the new program.
Mr. Milligan is a freelance writer based in Charlottesville, Va.
Copyright © 2003 by Banking Strategies, published by BAI.