2. Provide banking industry training and resources
Regulatory agency expectations of corporate governance and risk management continue to increase, as reflected in the October 2023 Federal Deposit Insurance Corp. (FDIC) proposal to heighten its standards for supervision of state nonmember banks with $10 billion or more in assets.
With evolving accounting standards, regulatory compliance requirements, and emerging risk factors, boards need to commit time and money to get the chairperson and the audit committee up to speed. In particular, the audit committee should stay up to date on the following areas:
- Economics. Rapid movements in interest rates and the economic landscape have an impact on borrower credit capacity, bank liquidity, and asset valuation. Audit committees need to understand the risks and consequences and monitor how management is mitigating such risks to the bank.
- Accounting standards. Changes in accounting standards have revisited some long-standing techniques to establish a more transparent level of reporting.
- Regulatory compliance. Banks should evaluate their corporate governance and risk management framework against regulatory expectations – both current and anticipated – such as those outlined within the FDIC’s October 2023 proposal. In addition, the Consumer Financial Protection Bureau continues its focus on regulatory compliance, and a bank that runs afoul of the rules could suffer substantial harm to its reputation.
- Digital transformation. Technology and customer demand for nontraditional channels pose additional risks. Understanding digital transformation trends and their impact is a priority for audit committees.
To help the audit committee stay current, the board should provide access to outside training on these and other relevant areas. Boards also can obtain valuable guidance by monitoring activities at other banks. Those banks’ experiences (publicized, for example, in alerts from the Office of the Comptroller of the Currency) can serve as a road map of areas that require regular audit committee attention. Audit committee members should be familiar not just with their own bank but also with the banking industry as a whole.
3. Deepen involvement in the internal audit process
Although it is management’s responsibility to establish processes and controls to mitigate risk, it is the audit committee’s responsibility to confirm that such processes and controls are established and monitored.
The internal audit group, already charged with risk assessment and monitoring, can play an important role in satisfying this responsibility. For this reason, one of the critical traits of an effective audit committee is involvement in internal audit, particularly the following elements:
- Training. As with the audit committee, the success of the internal audit team hinges on the training and experience of the team members and on the provision of necessary resources.
- Personnel. Even the most capable audit committee can prove ineffective without a sufficient number of skilled members on its internal audit team.
- Follow-up. The attitude and responsiveness of the board and management toward internal audit findings frequently contribute to the internal audit team’s success (or lack thereof).
The importance of internal audit team training and experience increases significantly when the bank’s management is responsible for reporting on the design and effectiveness of the internal controls over financial reporting, as is required for publicly traded companies. Management has to attest that controls are well-designed and operating effectively and is held responsible if its attestation proves false.
When the board looks strategically at the bank, it must align the expansion of the business with the risk mitigation process – including its internal audit team. However, a bank’s growth often is not mirrored by changes in internal audit. As a result, issues can go unidentified. Even if new issues are appropriately identified, the review cycles can be prolonged if internal audit has insufficient personnel.
If management is not sufficiently involved in the internal audit process or is dismissive of internal audit findings, and if the audit committee or board is uninterested in follow-up, the value of the internal audit role could erode quickly. Leadership should address findings on a timely basis, and the board and audit committee should monitor the responsiveness of corrective action, especially for those issues flagged as higher risk.
Adapted with permission. A version of this article was published by Bank Director in November 2015.