Managing risk in audits of financial institutions; how CPAs can identify high-risk areas in savings and loan audits.
ROBERT S. KEMP, CPA, DBA, is associate professor of commerce at the McIntire School of Commerce, University of Virginia.
The banking industry is facing a crisis. Between 1985 and 1988, 689 banks and 499 savings institutions were either closed or given financial subsidies and help to maintain profitable operations by federal regulators. What does the future hold? The Congressional Budget Office predicts more than 600 banks insured by the Federal Deposit Insurance Corporation will fail in the next three years; help for these ailing institutions won't come cheaply. The cost of the savings and loan bailout recently was projected to reach $500 billion, with some estimates running as high as $1 trillion over the next 30 years.
In the past two years, over 300 people have been convicted of felonies related to S&L wrongdoing. The FDIC has filed 16 lawsuits against eight CPA firms for nearly $1.4 billion in damages in connection with their work on failed thrift institutions. Given these circumstances, it's an understatement to say audits of banks and savings institutions are high-risk engagements. This article identifies the high-risk areas of financial institution audits, describes how such audits should be managed within the framework of generally accepted auditing standards and suggests ways CPAs can effectively manage risk on these engagements.
THE NATURE AND FORCES Of RISK ASSESSMENT
Designing an audit plan for a financial institution requires an understanding of the audit's objectives and of the financial institution itself. These two factors interact to create unique and sometimes troublesome challenges.
Risk assessment. Statement on Auditing Standards no. 47, Audit Risk and Materiality in Conducting an Audit, cites audit risk as the risk that the auditor "may unknowingly fail to appropriately modify his opinion on financial statements that are materially misstated." Financial statements are considered materially misstated "when they contain errors or irregularities whose effect, individually or in the aggregate, is important enough to cause them not to be presented fairly in conformity with generally accepted accounting principles." While this definition applies to material misstatements in a client's financial statements taken as a whole, in planning an engagement auditors must assess audit risk and materiality in relation to individual account balances and transaction classes as well. This entails assessments of inherent risk and control risk so detection risk can be managed at an appropriate level.
In audits of financial institutions, audit risk should be established at a low level, given the needs and expectations of those who rely on the institutions' audited financial statements. Inherent risk can be affected by (1) internal factors, such as management style, an account's susceptibility to theft or other error and whether the account balance is derived from accounting estimates and (2) external factors, such as operations in a declining industry or market forces giving rise to risk associated with changing interest rates or liquidity needs.
As financial institutions grow, the relationship between the assessed level of control risk and audit risk becomes more critical. In smaller financial institutions, it may be practicable to decrease detection risk to a sufficiently low level through tests of details. In larger institutions, control risk is normally assessed at a less-than-maximum level.
The volatility of account balances and classes of transactions must be carefully considered in designing a financial institution audit. Continued regulators' emphasis on financial ratios and peer comparisons provides a useful approach for auditors to evaluate key factors such as liquidity, capital adequacy and interest sensitivity. Comparative statistics are available from regulatory agencies and other sources.
The principal source of comparative statistics is the FDIC Uniform Bank Performance Report, which provides comparisons based on both size and geographic location. The report uses self-reported data financial institutions submit to regulatory agencies. Thus, evaluating an institution's control structure, including controls over preparing reports to regulatory agencies, is an important consideration in determining how much reliance to place on the data.
External influences, such as examination and oversight by regulatory agencies, enhance management's awareness of specific regulatory requirements, usually resulting in the establishment of specific internal control policies and procedures. These regulatory agencies often issue reports to the institution outlining problems discovered during the oversight and examination process; in some cases, agreements are reached on correcting matters in the reports.
AICPA Statement of Position no. 90-5, Inquires of Representatives of Financial Institution Regulatory Agencies, provides guidance to auditors on the use of reports and other communications from regulators in planning and conducting an audit. The SOP also helps auditors evaluate the effect these communications have on the institution's financial statements and the auditor's report. Many of the characteristics of failed financial institutions identified in the report discussed below by the Office of the Comptroller of the Currency (OCC) are similar to the factors discussed in SAS no. 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities, as indicators of higher than normal potential for misstatement.
Given the highly regulated environment financial institutions operate in, the auditor should be aware of major laws and regulations that might give rise to a material misstatement in financial statements. The auditor also should be aware of uncertainties related to the application of laws and regulations that might create a need for a report. Such modifications might include additional paragraphs calling attention to uncertainties about the adequacy of loan loss reserves, maintenance of required capital or even substantial doubt about the entities' continued existence.
Identifying high-risk areas. In June 1988, the OCC published Bank Failure-an Evaluation of the Factors Contributing to the Failure of National Banks, a study that analyzed the performance of 260 banks from 1979 to 1987. Examined were 38 healthy banks, 51 banks rehabilitated with FDIC assistance and 171 failed banks. A failed bank was one declared insolvent, resulting in a purchase and assumption, a deposit transfer or a payoff of insured depositors.
The study's findings should prove useful in managing risk and planning a financial institution audit. The OCC evaluated each bank's performance in eight categories:
* Asset quality.
* Policies, planning and management quality.
* Economic environment.
* Insider abuse.
* Audits, controls and systems.
* Material fraud.
* Liquidity and funds management.
* Nonfunding expenses.
The results indicated the major cause of decline and eventual failure of problem banks was poor asset quality that ultimately eroded a bank's capital. To determine the factors leading to poor asset quality, the OCC assessed internal and external conditions in the sample banks. The findings are presented in exhibit 1, page 62. Poor policies, planning and management were present in 90% of the failed banks and 88% of the rehabilitated banks before recovery. Other internal problems present to a lesser extent were related to insider abuse and audits, controls and systems. The results of these findings are presented in exhibit 2, page 64.
Fully 73% of the banks were faced with a depressed economic environment, while another 15% operated in marginally depressed conditions. As might be expected, these economic conditions led to problems in loan collectibility in oil and gas, real estate and agriculture. Surprisingly, the evidence indicated depressed economic conditions were the primary cause of failure for only 7% of the banks.
The OCC concluded a bank's ability to remain healthy in a depressed economy was a function of its internal policies and procedures.
OVERALL RISK IN FINANCIAL INSTITUTION AUDITS
Today, auditors must pay special attention to the material risks facing financial institutions. Internally, material risk involves management's credit and market decisions. The OCC study indicated the failed and declining banks lacked systems, policies and specific controls to limit their risk.
Conversely, healthy and rehabilitated banks exhibited strengths in
* Controls over key bank officers and departments.
* Management information systems.
* Systems to ensure compliance with policies and laws, lending policy and problem loan identification systems.
Auditors face the highest risk areas in the bank's loan portfolio (the allowance for loan losses) and in evolving environmental forces. Planning and performing an audit of loans involves evaluating management's assertions of valuation or allocation and presentation and disclosure. Other management assertions are important, but in most instances simple control systems minimize the risk associated with existence or occurrence, completeness and rights and obligations.
SAS no. 57, Auditing Accounting Estimates, gives the auditor guidance "on obtaining and evaluating sufficient competent evidential matter to support significant accounting estimates." It discusses management's responsibility for estimates and how the auditor's evaluation relates to the financial statements as a whole.
ALLOWANCE FOR LOAN LOSSES
The audit objective for loans and for the related allowance for loan losses is to evaluate the reasonableness of the allowance recorded by management. The allowance for loan losses represents the quantification of management's assertion the loan portfolio is valued at its net realizable value in accordance with generally accepted accounting principles.
In addition to guidance in the AICPA industry audit guide, Audits of Banks, guidance on evaluating the allowance for loan losses is in the AICPA auditing procedures study, Auditing the Allowance for Credit Losses of Banks.
Financial Accounting Standards Board Statement no. 5, Accounting for Contingencies, provides authoritative guidance on the accounting and reporting of loss contingencies, including addressing uncertainty about the collectibility of receivables. Statement no. 5 discusses the likelihood that when a loss contingency exists, one or more future events will confirm the loss. An estimated loss from a loss contingency should be accrued by a charge to income only if both the following are met:
* Information available before issuance of the financial statements indicates it is probable an asset had been impaired or a liability had been incurred at the date of the statements. Implicit in this condition is the probability that one or more future events will occur confirming the fact of the loss.
* The loss amount can be reasonably estimated.
Audits of Banks provides additional guidance on Statement no. 5's application to a bank's loan portfolio. The guide says banks should maintain a reasonable allowance for losses for all loan categories through periodic charges to operating expenses. The amount can be considered reasonable when the allowance (the amount carried as the accumulated valuation account in the balance sheet), including the current provision, is adequate to cover estimated losses inherent in the loan portfolio.
The guide also says the propriety of the accounting treatment should be judged by the adequacy of the allowance, not the provision charged against income. Loans should be charged off as soon as they are deemed uncollectible. The allowance should cover specifically identified loans, as well as loans and pools of loans for which losses are probable but not identifiable on a loan-by-loan basis.
The significant objective of the audit of the allowance for loan losses, according to the guide, is to evaluate the recorded allowance's reasonableness. The guide describes the allowance as an amount that, in management's judgment, approximates the current amount of loans in the portfolio that will not be collected at the balance sheet date. All relevant conditions existing at that date should be considered. They should not be limited to previous collection experience but, rather, should incorporate business trends and other such conditions.
Loan evaluation is a matter of ascertaining collectibility. Most often, a loan's soundness is predicated on the borrower's
* Past and projected earnings and cash flow.
* Credit history.
* Net realizable value of loan collateral.
* Financial responsibility of endorsers or guarantors.
The auditor is not responsible for calculating the allowance's amount but for obtaining reasonable assurance management has recorded a reasonable allowance based on available information. Since loans generally are a bank's largest single class of assets and present the highest potential for loss, auditors can expect numerous groups or individuals, in addition to state and federal examiners, to have an interest in the collectibility of the loan portfolio. These include the institution's loan and executive committees, internal auditors and directors' examining committees.
These groups' specific responsibilities in loan review vary, depending on the size of the bank and the directives of the board of directors and management. In planning the evaluation of the adequacy of the allowance, auditors should determine the existence and role of interested parties. Testing the provision for loan losses and related allowance account should maximize the use of data from these sources, and the auditor may consider their efforts when setting the nature, extent and timing of tests.
The main purpose of audit procedures is to identify specific loans or conditions requiring further consideration.
Examples of such conditions and loans follow:
* Current trend of delinquencies.
* Loans classified by supervisory agency examiners.
* Excessive loan renewals and extensions.
* Absence of current financial data on borrowers and guarantors.
* Borrowers with operating losses, marginal working capital, inadequate cash flow or business interruptions such as involuntary conversions due to fire, loss or condemnation.
* Loans secured by collateral not readily marketable or susceptible to deterioration in realizable value.
* Loans in industries experiencing economic instability.
* Inadequately documented loans.
Auditors are not required to ascertain the collectibility of each loan in a bank's portfolio. Rather, audit procedures should be designed to determine the collectibility of the entire portfolio and should be performed primarily on a test basis. In establishing the scope of the work, auditors should consider
* Loan portfolio composition.
* Growth trends in specific loan classifications.
* Previous loss and recovery experience, including timeliness of charge-offs.
* The existence of appropriate lending policies and procedures.
* Management's procedures for loan review and classification.
* Other subjective factors, such as economic and environmental conditions.
Although the auditor's primary responsibility is to evaluate the adequacy of the loan loss allowance, practical considerations may dictate a review of the separate loan categories that constitute the portfolio. Since the risk and other inherent characteristics of primary loan categories vary, the nature and extent of the separate reviews will vary as well. Loan categories including large volumes of relatively small loans with similar characteristics, such as real estate mortgages, installment loans and retail credit loans, typically are evaluated as a pool. Auditors generally are more concerned with the effectiveness of and adherence to sound procedures than with a critical appraisal of each loan.
Except under unusual circumstances, the test procedures and review of delinquency status reports establish the adequacy of the allowance required for those loan classifications. In evaluating the adequacy of the portion of the allowance attributable to the loan categories, auditors should use historical average annual charge-off experience in light of the average remaining lives of loans, consistency of loan policy and current economic conditions.
An evaluation of commercial loans normally requires a more detailed review, since the amount of each loan generally is large and the types of borrowers and the purposes of the loans may be dissimilar. The auditor may select and review a certain number of loans in excess of a particular amount, paying attention to problem loans identified by the bank's internal review procedures and those commented on by regulatory authorities. Loans selected for review may be further stratified by purpose, such as construction or working capital loans or loans to a specific class of business, the choices depending on the auditor's assessment of each category's relative exposure to loss.
A number of factors contribute to the creation of the environment in which financial institution audits are conducted.
Communication obligations. Auditors have important communication obligations designed to ensure that management, the audit committee and others are properly informed of conditions existing and observed during the audit. Letters covering reportable conditions, particularly any that might be considered a material weakness in internal control, are important to regulators, directors and others with a fiduciary responsibility.
Economic conditions. Financial institutions are susceptible to the risks of general economic conditions, which may lead to decline or failure. A large number have been adversely affected by the decline in specific sectors of the economy in which they operate, including agriculture, energy and real estate. For many institutions, loans to Third World countries also have been a problem.
Laws and regulations. New laws and regulations present another risk for financial institutions. The Financial Institutions Reform, Recovery and Enforcement Act of 1989, combined with the FDIC'S decline in resources, has created a shift in regulators' priorities.
Armed with mandated changes in allowable accounting practices and faced with possible adoption of changes to the U. S. banking system patterned after those in the United Kingdom, regulators are scrutinizing the operations of financial institutions more than ever. Spending restraints and political considerations force regulators to balance the safety and soundness of the U.S. banking system with social issues, such as those embodied in the Community Reinvestment Act, the Environmental Protection Act and industry practices that have evolved over six decades. In addition, a report by the Government Accounting Office has recommended specific accounting and auditing reforms to address the problems of failed banks. For details of the report, see the sidebar on page below.
Communication with regulators has become even more critical to the auditor in evaluating the risks associated with a financial institution audit. SOP no. 90-5 suggests the auditor review reports and correspondence with regulators and if necessary, communicate with them directly.
Changing standards. In the last five years, financial institutions have dealt with fundamental changes in accounting for pensions; a new required statement of cash flows and two subsequent amendments to facilitate its preparation; a three-times-deferred change in accounting for income taxes; new requirements for disclosure of off-balance-sheet risks and concentration of credit risk; and the specter of accounting for certain post-employment benefits. Uncertainty has been created by the call for mark-to-market accounting for investment securities and standardization of valuation methods to calculate and record foreclosed assets and loss reserves.
What do these changes mean? In a period of changing standards, auditors are exposed to a previously undefined risk: applying the most current standards to the audit while the financial institution is not applying the most recent accounting standards. Recent FASB decisions indicate a new responsiveness to "standards risk."
The FDIC has adopted an aggressive stance in charging auditors with negligence in working with insured banks and thrifts assisted or closed. Allegations of damages running into the hundreds of millions of dollars have been made against several U.S. CPA firms. The profession undoubtedly will need to address issues similar to those that led to the issuance of the expectation gap SASS in response to the report of the National Commission on Fraudulent Financial Reporting.
In 1986, the AICPA auditing standards board issued standards for attestation services. As a means of adding reliability to third-party assertions, the availability of attestation services can answer several of the concerns of financial institution regulators. Auditors' reports on financial institutions in future years will likely be a combination of attestations of management representations. Such representations on compliance and related systems and controls to ensure compliance with specific laws and regulations can provide a means for direct reporting to regulators by auditors while preserving client confidentiality.
The AICPA banking committee recently issued SOP no. 90-6, Director's Examinations of Banks. In the future, it might be reasonable to assume auditors of financial institutions will combine the traditional director's examination with the responsibilities of the "reporting accountant," as defined in the U. K. Banking Act of 1987. Such an engagement would provide needed services to both the financial institution and regulatory authorities, while returning the risk an auditor can accept to a level consistent with the concept of "reasonable, but not absolute, assurance."
* THE CRISIS FACING THE banking industry has increased the risk CPAs face in auditing financial institutions within the framework of generally accepted auditing standards.
* FINANCIAL INSTITUTIONS OPERATE in a highly regulated environment. Auditors need to be aware of the laws and regulations that could result in a major misstatement in an institution's financial statements.
* A RECENT STUDY indicates a major cause of the decline, and eventual failure, of problem banks is poor asset quality, which eroded bank capital. A bank's ability to remain healthy in a depressed economy is a function of how well internal policies and procedures operate.
* BANKS SHOULD MAINTAIN a reasonable allowance for loan losses. In auditing financial institutions, auditors should evaluate the adequacy of the allowance management has recorded. But the auditor is not responsible for calculating the allowance amount.
* AUDITORS HAVE RESPONSIBILITIES to ensure appropriate parties are informed of the conditions observed during an audit.
* GIVEN THE AGGRESSIVE STANCE of the FDIC in charging auditors with negligence in their work with the insured banks and thrifts that have been assisted or closed, the accounting profession may need to adopt new auditing standards to address the problem.
Significant internal problem areas in failed banks
* Uninformed or inattentive board of directors or management.
* Inadequate systems to ensure compliance with internal policies or banking laws.
* Inadequate controls or supervision of key bank officers or departments.
* Inadequate problem loan identification systems.
* Decisions made by one dominant individual.
* Nonexistent or poorly followed asset and liability management policies.
* Overly aggressive activity by board or management.
* Nonexistent or inappropriate lending policies (liberal repayment terms, collection practices, or credit standards).
* Excessive loan growth in relation to the abilities of management staff, control systems or funding sources.
* Undue reliance on volatile liabilities.
* Inadequate liquid assets as a second source of liquidity.
* Problems involving the chief executive officer (lack of capability, experience or integrity).
* Other problems related to oversight or management deficiencies.
* Excessive credit exceptions (missing financial statements or poor collateral documentation).
* Collateral-based lending and insufficient cash flow analysis.
* Unwarranted concentrations of credit in one industry.
* insider abuse and fraud.
* Self-dealing, undue dependence on the bank for income or services by a board member or shareholder, inappropriate transactions with affiliates, or unauthorized transactions by management.
* Material fraud.
Source: Bank Failure--An Evaluation of the Factors Contributing to the Failure of National Banks, the Office of the Comptroller of the Currency.
GAO REPORT CITES URGENT NEED FOR REFORMS
According to Failed Banks: Accounting and Auditing Reforms Urgently Needed, a U.S. General Accounting Office report to Congress, "internal control weaknesses continue to be a significant cause of bank failures and ... the regulatory early warning system is seriously flawed." The report was based on an analysis of financial and regulators' examination reports for 39 financial institutions that failed between 1980 and 1990.
The report said none of the 39 banks' call reports provided regulators with advance warning of the magnitude of the deterioration of their financial conditions. The GAO cited, among other factors, deficiencies in generally accepted accounting principles, particularly in asset valuation and loss recognition, as a major culprit. These deficiencies, in the GAO'S opinion, permit banks to overstate assets and defer loss recognition while still complying with GAAP.
The GAO study found 22 of the 39 banks filed call reports containing significant errors and irregularities. Thirty-five banks were cited for loan portfolio weaknesses (lack of lending policies, liberal lending practices and missing loan documentation); 30 banks for lack of competent management and staff, and 13 banks for regulatory violations, such as kiting schemes and money laundering.
The GAO also said 23 of the failed banks did not have independent audits in the year before failing. Of these, 6 banks had not been audited in the second year preceding failure, and 4 had never been audited.
The GAO'S recommendations for bank accounting and auditing reforms are pervasive and would result in a significant increase in the overall responsibilities of bank auditors. These recommendations, grouped as bank accounting and reporting issues and internal control and related issues, are summarized below.
BANK ACCOUNTING AND REPORTING ISSUES
To improve the early warning system provided by call reports, the GAO recommends the American Institute of CPAs and the Financial Accounting Standards Board implement immediate changes in GAAP. They also recommend the Federal Deposit Insurance Corporation, Office of the Controller of the Currency and the Federal Reserve Bank adopt revised guidance as follows:
* Treat losses for problem loans as likely rather than probable, accounting for problem loans as in-substance foreclosures.
* Change the definition of fair market value used in current accounting practice from a value assuming an orderly liquidation to one assuming a distressed disposal.
* Enhance the accounting rules and audit procedures for related party transactions to clarify the need to account for and report such transactions based on their economic substance. More extensive, improved guidance on determining economic substance should be provided.
INTERNAL CONTROL AND RELATED ISSUES
To ensure proper application of GAAP, including the changes summarized here, the GAO report recommends Congress enact legislation mandating changes in banks' internal control systems. These recommendations are based on the GAO's view that a strong internal control system is an effective deterrent to unsafe and unsound banking practices and other abuses. Compliance with these proposed legislative changes would be a condition for the banks' obtaining federal depository insurance.
* Preparation of annual financial statements in accordance with GAAP and mandatory audits by independent CPAs.
* Maintenance of a system of internal accounting controls that meets requirements such as those established by the Foreign Corrupt Practices Act of 1977.
* Maintenance of controls designed to ensure compliance with laws and regulations and with specific regulatory directives.
* Evaluation of internal controls in accordance with guidelines prepared by regulators and preparation of an annual management report to be published with the bank's audited financial statements.
* Establishment of an independent audit committee composed solely of outside directors. The committee should include members with banking or related experience and have a member who is an attorney or have outside counsel. Large customers of the institution should not be members of the audit committee.
The report also proposed legislation to enhance the role of banking regulators, including
* Mandatory annual on-site, full-scope examinations of all depository institutions.
* Sharing with the bank's independent auditor knowledge of its potential illegal acts.
* Authority to remove the bank's independent auditor for cause with appropriate due process.
* Periodic review of large institution's independent auditor's procedures and working papers as a basis for regulatory reliance on them.
* Authority to require the independent auditor to review specific operations of large banks as deemed necessary to ensure regulatory objectives are met.
* Report biennially to Congress on the effectiveness of auditing and management reforms at large banks, to be reviewed by the GAO.
Finally, the GAO report proposes legislation to expand the duties and responsibilities of independent auditors. These recommendations would require the bank's auditor to
* Review and report on quarterly financial reports, examine a one-year financial forecast prepared by the bank and meet at least annually with regulators and the audit committee to review the annual financial forecast and internal control assessment.
* Include in the annual report an assessment of management's assertions described in its report on internal controls, based on a study and evaluation of the bank's system of internal controls.
* Report to the bank and to regulators important internal control weaknesses not defined as material.
* Report to the bank itself and to regulators on its compliance with safety-and-soundness laws and regulations and special regulatory directives.
* Immediately pursue suspected illegal acts and inform in a timely manner the audit committee, the board of directors and an officer authorized to sign the bank's internal control report.
* Resign from an audit engagement and inform regulators of illegal acts if those acts are substantial and the bank does not take corrective action.
* Notify regulators of the timing and reasons for changes in the auditor's status as the bank's independent auditor.
* Undergo periodic peer review, such as the self-regulatory program prescribed by the AICPA.
Copies of the GAO report can by obtained by writing to the U.S. General Accounting Office, P.O. Box 6015, Gaithersburg, Maryland 20877, and requesting government document GAO/ AFMD-91-43.
|Printer friendly Cite/link Email Feedback|
|Author:||Kemp, Robert S.|
|Publication:||Journal of Accountancy|
|Date:||Sep 1, 1991|
|Previous Article:||Financial planning for the risk of long life; how to cope with the rising cost of getting old.|
|Next Article:||Software makes it easier to handle insurance programs; computers are a valuable tool for handling casualty coverage and workers' compensation.|