Overseeing the Audit Amid a Winter of Turmoil
As Wall Street crashes around our ears this week—down 1.5 percent just today, and off to its worst yearly start ever—audit committees at financial firms should strap yourselves in. This year’s audit could be the most tumultuous you’ve overseen in a long while.
At least, that’s the conclusion I reach as I re-read the guidance issued by banking regulators last week, specifying how they would like external audits of large banks to proceed this year. Clearly these regulators—the Federal Reserve, Federal Deposit Insurance Corp., and Office of the Comptroller of the Currency—are concerned about systemic risks to the financial system, and how to identify those risks before they cause another financial crisis. Given what’s happening on Wall Street every day now, they have a point.
The immediate question for external auditors, internal auditors, and audit committees is whether the external auditor will adjust its definition of what’s material to the audit, given all the turmoil in financial markets. I hear anecdotal evidence that this is happening, although I don’t know to what extent. But remember that audit firms are under pressure from the Public Company Accounting Oversight Board to do better at assessing risk, and the PCAOB has already addressed this point.
The audit firms will take their cues from PCAOB Staff Practice Alert 9, Assessing Risk in the Current Economic Environment. That alert was issued in 2011, and few would argue that the economic environment has improved or stabilized much since then. It warned auditors to keep a sharp eye on changing macro-economic conditions, and if necessary to change audit planning and materiality depending on how those conditions might affect the client company.
Specifically, the alert said, would the changing conditions cause so many small adjustments, each not material in its own right, that taken as a whole, the adjustments might give a reasonable investor pause? “For example, this might be appropriate if certain financial statement line-items are particularly important to a regulatory requirement or a debt covenant.”
Line items like, say, loan-loss provisions for bad debt issued to Chinese companies? Or maybe derivative contracts based on oil prices set in September, before they dropped 75 percent? Because those transactions on large banks’ books are what Practice Alert 9 describes: so numerous that while deviations in any single one might be immaterial, in total they could add up to substantial risk loitering on the balance sheet. Especially if the underlying economics of those transactions is deteriorating rapidly. Which is exactly what’s happening now.
Audit committees themselves have responsibility here too. Various standards from the PCAOB and Securities and Exchange Commission are meant to ensure the audit committee has a clear and productive dialogue with the audit firm about concerns the firm has. But beyond that, SEC and PCAOB standards push the audit committee to ensure that the auditor actually conducts an effective audit. That means the auditor needs a nuanced view of materiality for the audit, particularly in volatile times like now. So the audit committee should be asking the audit firm how it is anticipating those pressures as this year’s audit moves forward.
Last week’s guidance from the banking regulators specifically mentions regulatory capital ratios as important to a successful external audit of a large bank. The Fed, FDIC, and OCC have no authority to compel audit firms to consider capital reserves and other liquidity ratios—but they do have the power to make audit committees uncomfortable until the committees do that dirty work for them. Their guidance even says: “The agencies expect audit committees will ensure that their external auditors consider regulatory capital ratios in planning and performing the audit.” That does not sound like a whimsical and benign request to me.
The next question I have is whether the increased pressure this year will lead the external auditor to talk more frankly with the audit committee about the internal audit team and the quality of that team’s work. No standard anywhere requires the auditor to tell the audit committee what it thinks of the internal audit function. PCAOB standards do require the audit firm to tell the audit committee how much of internal audit’s work it plans to use (if any, and many times the answer is “none”), and the audit firm has to assess the competence of the internal audit function as part of that decision. But that’s as far as the obligation goes.
The banking regulators point to the Basel Committee on Banking Supervision’s recommended standards, that encourage the external auditor to go ahead and spill the beans to the audit committee—but again, no talk of requiring the audit firm to state what it thinks of internal audit’s competency. The banking regulators again, however, “encourage audit committees to consider requesting their external auditor to provide written feedback about the audit engagement team’s relations with internal audit, including its observations on the adequacy of the work of internal audit.”
I suspect that ultimately, what the Fed, FDIC, and OCC want to avoid now is a repeat of the London Whale scandal in 2012—where J.P. Morgan’s trading grew so convoluted that the bank had a $6 billion loss on its hands, and like all good whales, nobody saw it coming until it was already there swamping the balance sheet. Our current turmoil with oil prices, Chinese debt, and slow growth all over the world might lead to an ocean of whales overwhelming the world’s financial system. Best, then, to tell banks’ audit firms and audit committees to stay on top of those risks during this audit season.
So like I said, strap yourselves in.
3 Comments
Leave a Comment
You must be logged in to post a comment.
I’m not sure why external audit should be forced to comment on internal audit. The two are two different things. Would they comment on HR, IT, marketing? So why internal audit?
I suspect regulators would like some outside party–like the auditors– to give thoughts about internal audit because internal audit is much closer to the action than external, which only swoops in once per year. But if the IA function is awful, that’s something the audit committee should know about, and therefore why not have external audit be the messenger? (Not saying I agree with it, just that that’s the logic.)
[…] guidance.” Steven notes that Matt Kelly has written two blogs about the advisory, including this one about the practical implications of […]