Keith Newton, CPA, is a partner at the Dallas office of Grant Thornton LLP. With more than 20 years' experience as a bank auditor, he serves on the AICPA banks and savings institutions committee. His e-mail address is: firstname.lastname@example.org.
Bank regulators have proposed a new external audit policy for banks and thrifts with less than $500 million in assets. These smaller institutions, known as community banks, have not been subject to the audit requirements imposed on larger institutions by the Federal Deposit Insurance Corporation (FDIC).
The proposed policy encourages all banking institutions to obtain annual audits of their financial statements by independent CPAs. But, as an option, it permits a new alternative, an attestation examination performed by a CPA.
The community bank attestation would be comparable to other attestation engagements CPAs do, such as an attestation on compliance with government regulations or the one bank auditors do assuring that government regulations for student loans have been met. In this case, CPAs would examine a bank's internal controls and issue an opinion on whether or not the bank's management has fully disclosed any deficiencies in those controls. The new attestation is designed to spotlight the risk areas at the regulated institutions by focusing on controls rather than on account balances. It is significant for CPAs because it presents an opportunity to offer a new assurance service.
The attestation examination tests management's statements regarding the strength of internal controls on matters covered by specified call report schedules and their preparation, the ones most relevant to bank risk. An attestation examination provides a CPA's opinion similar to that in an independent audit, but its focus is on internal controls rather than on financial statements. Also, because the scope is restricted to controls over a limited number of the most important schedules rather than all financial reports, the examination usually can be done more quickly and cheaply than an audit.
Attestation examinations will be slightly more expensive than the external reviews they replace, director's examinations. Director's exams consist of agreed-upon procedures, agreed upon by the institution and the person administering the examination. After some initial learning, attestations should not take longer or be more difficult than director's exams and should yield considerably more useful information to all parties. The timing of attestation examinations is flexible. They can be performed conveniently at a quarter-end date that coincides with a required regulatory report.
The Federal Financial Institutions Examination Council (FFIEC) member agencies, the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS) and the National Credit Union Association (NCUA), regulate the nation's banks, thrifts and credit unions. They are working together on this issue, as they have on others such as Y2K and outsourcing, because a strong external audit program enables the institutions themselves to detect and correct problems early and also provides the agencies and the public with assurance that the institutions are following GAAP.
Although some of the FFIEC agencies have provided guidance on external audits to the institutions they supervise, the guidelines, although substantially similar, have not been uniform. For example, the OCC discusses its policies on independent external audits for national banks in the Comptroller's Handbook for National Banks, Section 102, Internal and External Audits, and the Comptroller's Manual for Corporate Activities. The FDIC adopted similar guidance in its Policy Statement Regarding Independent External Auditing Programs of State Nonmember Banks on November 16, 1988, and amended it on June 24, 1996. The OTS's policy on independent external audits is discussed in the Thrift Activities Regulatory Handbook, Section 350, Independent Audits. The FRB sets forth its policy on external audits in the FR-Y-6 Annual Report of Bank Holding Companies and Section 1010, External Audits, of the Commercial Bank Examination Manual. These policies all encourage the regulated institutions to engage independent accountants to audit their financial statements but stop short of mandating audits except in very specific circumstances. For instance, the FDIC requires that newly chartered banks engage CPAs to audit their statements for their first two years of operations.
The NCUA, which is the only FFIEC member that did not adopt the external audit policy at this time, traditionally has insisted that the supervisory boards of its member institutions be allowed to conduct the external audit function in whatever manner they deem most appropriate; CPAs are not necessarily involved. Accordingly, credit unions will not be affected by the FFIEC proposal. However, the recent passage of the Credit Union Membership Access Act of 1998 may prompt the NCUA to embrace this policy at some point in the future because credit unions soon will be subject to many of the same audit and accounting requirements as banks and thrifts.
The FFIEC proposal appeared in the February 17, 1998, Federal Register (vol. 63, no. 31, page 7796) and also can be found at the Web sites of the FFIEC agencies, all of which can be reached through links on the FFIEC's site, www.ffiec.gov. The comment period has expired and a final policy is expected in the first quarter of 1999.
Meanwhile, the agencies have sent a letter to all the community banks they regulate, encouraging them to adopt the proposed policy even though some modifications suggested in the comments still are under consideration. The AICPA banking committee has seen the comments, which include quite a few letters from community banks expressing concerns about increased external audit costs. Most of the banking trade organizations commented, and generally supported the policy, with reservations about higher costs. Some suggested allowing exemptions for the very smallest banks, a suggestion that may be incorporated in the final policy. Some of the banking trade organizations also requested that implementation be delayed until the states have had an opportunity to catch up and modify their regulations along the same lines.
The new proposal is modeled on changes already in place for larger banks regulated by the FDIC. These changes were mandated by Congress in the FDIC Improvement Act (FDICIA) of 1991. FDICIA required larger institutions to engage CPAs to report on management's assertion of the effectiveness of an institution's internal controls and on the accuracy of its financial reporting. Based on the regulators' actions, the FDIC as an agency seems pleased with the FDICIA model, which focuses on controls rather than on account balances.
Similarly, Congress and the banking industry lobby groups also are pressuring the other agencies in the FFIEC to reduce the regulatory burden on community banks and thrifts. To do so without jeopardizing their mission, the FFIEC agencies also are focusing their oversight efforts on the risk areas of institutions, examining controls more than account balances. These agencies' bank examiners are willing to rely more on the work of external auditors, but only if an effective external audit program is in place.
In the past, community banks could offer regulators a director's examination instead of an audit or the new option, an attestation. While director's examinations often are performed by former agency examiners, they are not particularly effective for managing or evaluating risk because the procedures involved are an inadequate basis for an opinion on the controls. Instead, people performing these examinations report procedures and results without judgment. For example, the procedures may involve sending out confirmation letters for the accruals on deposits and loans. That leaves the bank regulators and the bank's management to read the lengthy reports on procedures and results and draw their own inferences.
The attestations will differ from the director's examinations in that CPAs will examine and offer an opinion on the adequacy of the pertinent internal controls, drawing attention to any deficiencies. Accordingly, a banker who wants to strengthen his or her institution's external audit program without bearing the full cost of a financial statement audit may find that an attestation examination suits the purpose well.
The scope of the proposed attestation examination for community banks is limited to internal controls over specific schedules filed each quarter with the banking agencies. The FDICIA-required audit of all internal controls over financial reporting, in contrast, is much more comprehensive. The new FFIEC proposal's narrower scope allows smaller institutions to maximize the quality of the test of their internal controls while minimizing the cost, which smaller institutions can less readily afford.
FDICIA allowed the FDIC to determine which institutions would be considered large, so the FDIC chose to limit its FDICIA-mandated rules to institutions with total assets over $500 million. All other FDIC-regulated financial institutions have remained subject to the FDIC's external audit policy statement issued in 1988 and amended in 1990. The 1988 policy provides for the director's examination as an alternative to an audit. In most cases, the proposed attestation examination will supplant the director's examination, as bankers at smaller institutions and those institutions' boards may not believe their banks' risk profiles warrant audited financial statements.
Banks still will be able to get director's examinations if they want them, but they probably won't, except where required by state regulations. Although it is reasonable to expect that states will harmonize their requirements with those of the federal agencies, banking institutions may, at least for a while, be in the unenviable situation of having to incur two examinations to satisfy two levels of regulatory requirements, federal and state. Because the new policy, like the old, is technically voluntary, many banking institutions may defer attestation engagements until the states change their statutory regulations to accept the new approach. So far, none of the states with conflicting statutes have, and it could be a slow process (see exhibit 1).
THE ATTESTATION EXAMINATION IS AN IMPROVEMENT ON THE
While CPAs may want to do director's examinations for their banking clients, professional standards put them at a competitive disadvantage. For CPAs, SAS no. 75, Engagements to Apply Agreed-Upon Procedures to Specified Elements, Accounts, or Items of a Financial Statement, says the responsibility for the sufficiency of the procedures resides with the users of the results of those procedures.
Conversely, access to any reports on the procedures and results must be restricted to those who have agreed on their sufficiency. However, the regulators will not participate in the agreement over the procedures for the director's exam; the regulators' position is that responsibility for designing adequate procedures lies entirely with the bank's management and board. Yet CPAs know that the regulators must receive a copy of the director's exam report. That puts CPAs in an uncomfortable professional bind.
SAS no. 75 also provides that agreed-upon procedures for director's examinations cannot be overly subjective and open to varying interpretations; that creates yet another bind for CPAs. Some states' regulations require both procedures and judgments on the part of the person performing the procedures. The FDIC's 1988 policy statement also requires the examiner to make subjective judgments on, for example, the adequacy of internal controls and on whether specified transactions comply with policies. Although a CPA can recast such policies, either federal or state regulators might consequently determine that an engagement does not meet their minimum requirements.
This dilemma often has left the administration of director's examinations to former bank regulators or former bank employees, who can offer a bare-bones service that meets the letter of state regulatory requirements at a low cost. Although regulatory examiners don't get training in controls as CPAs do, they know operations extensively, often better than CPAs do. While the agreed-upon procedures that constitute a director's examination provide bankers and regulators some comfort that the accounting records are accurate, they provide little assurance that the institution is managing risks appropriately. Neither state nor federal regulators assume responsibility for assessing the sufficiency of a financial institution's internal controls. In fact, under the FDIC's 1988 policy statement, the financial institution's management and board are responsible for establishing and maintaining effective internal controls. If the management and board don't know enough about internal controls and the controls have not been documented, those controls may in fact be inadequate and no one would be the wiser because no one outside the bank has scrutinized them. This is a big problem for the regulators charged with protecting the public.
While these arguments may be convincing from some points of view, community banks and thrifts are not unhappy with the director's exams. To the community banker, the director's examination is quick, easy and cheap and can be conducted at any convenient time during the year. The procedures usually involve only operations and can be dealt with well down in the organization, taking up little management time.
Since few community banks welcome the expense imposed by detailed federal regulations, and their risk profile doesn't always justify the expense of an independent audit, the newly proposed policy, while strongly encouraging audits by CPAs, permits banks to substitute an attestation examination.
WHAT IS AN ATTESTATION ENGAGEMENT?
The attestation examination must be performed by a CPA. If the FFIEC proposal becomes effective by year-end, as expected, this alternative will eventually succeed the director's exam. Institutions that still want to engage third parties to perform agreed-upon procedures can do so, although there would be little value added in doing so except to meet state regulatory requirements.
For the CPA, the objective of an attestation engagement is to probe management's assertion that internal controls over matters reported on specific schedules, and on the preparation of these schedules themselves, are effective. The proposal explicitly covers the regulatory reporting schedules for loans and lease financing receivables; past-due and nonaccrual loans; leases and other assets; allowances for credit losses; and securities. These schedules are included in the regulatory report that banking institutions file quarterly with the relevant banking agencies. The proposal also holds management and the board of directors responsible for identifying other areas of risk particular to their financial institution. The attestation examination should involve these as well. One example of the kinds of things management should point out: off-balance-sheet items.
Of course, not every bank has formally asserted that it has effective internal controls on the matters covered by the specified call schedules, but it implicitly does so to the regulatory agencies each time it files its quarterly reports. At least for now, the proposal will require financial institutions opting for the attestation examination to prepare such a document formally. However, the Auditing Standards Board
In the attestation document, management should identify known internal control deficiencies. If the examination supports an assertion that notes any deficiencies, the attestation report would include the identified deficiency as an explanatory paragraph but would not be qualified otherwise, although that will change after June 30. After that date, CPAs will have to qualify their opinion whenever the controls are deficient, whether or not management has acknowledged the deficiency. Discovery of any deficiency not identified in management's assertion would mandate a qualified opinion.
With management's assertion about the effectiveness of controls in hand, the CPA firm then sets out to test its fairness. The following procedures were developed in the course of the pilot project mentioned in the case study. To maximize effectiveness and efficiency, practitioners performing attestation examinations should consider adopting them.
A FIVE-STEP PRESCRIPTION FOR TESTING INTERNAL CONTROLS
1. Identify and document the accounting processes. Accounting processes are the intermediate procedures that change the form of accounting information as it moves from source records through the general ledger to, ultimately, the financial statements and call report schedules.
The call report schedules specified in the proposed policy statement concern two transaction cycles: loans and investments. Therefore, the accounting processes for the loan cycle and the investment cycle should be understood and documented.
There are several ways to document these processes: flowcharts, descriptive narratives and questionnaires. Flowcharts and narratives are more effective than questionnaires because they offer more flexibility and can be tailored to each engagement.
The critical points in an accounting system are where financial information changes form, such as when a transaction is entered into a computer. Attestation examiners should follow the information pathway, noting where transaction information is captured, processed and assembled. Controls are needed at each of the critical points to ensure that all the relevant economic events are captured and that processes modifying financial information do not introduce errors.
CPAs should differentiate control procedures from transaction processing procedures. The latter are the transactions that flow through the accounting system to the financial statements, whereas control procedures help managers prevent, detect and correct errors that might occur during the processing and recording of transactions. Information processing can generate errors; controls cannot. For example, the recording of a loan is not a control. However, a procedure that prevents a loan disbursement before the loan is approved is a control.
Identifying and documenting the accounting processes is the most time-consuming step in the attestation examination. CPAs shouldn't take shortcuts here. Senior CPAs should be thoroughly involved at this stage; experience is the essential guide to choosing which internal controls to test and how to test them.
Exhibit 4: Codes for Regulatory Report Schedules Covered by Attestation Examinations
The extent of testing will depend on whether the controls are documented; auditors can't do much testing of undocumented controls. In fact, the attestation engagements may help some banks improve their controls simply by requiring them to document at least some of their control procedures. In most cases, there will be more controls in the lending and investing cycles than it is necessary to document. For efficiency, CPAs shouldn't bother to document any controls that won't be tested. These decisions require considerable judgment, which is why experience is especially important at this stage of the examination.
2. Design a testing strategy. The extent and types of tests depend on the characteristics of the controls to be tested. Again, this requires the examiner to exercise discrimination based on expertise.
Controls can be documented or undocumented, manual or electronic, preventive or detective. Documented controls can be tested by sampling, reperformance or inquiry and observation. Reperforming a control procedure involves proving the same control by an alternate means; for example, does a hands-on test produce the same result as an electronic test?
When controls are undocumented, most possible tests consist of inquiry and observation, although occasionally reperformance can shed some light on whether the control is effective. Electronic controls, which are inherently consistent, can be tested quite effectively by inquiry and observation. Finally, since controls that prevent errors are stronger than those that detect errors after they have been introduced, the testing strategy should give priority to preventive controls.
3. Perform the tests. The actual testing takes surprisingly little time, even when a large number of controls are selected for testing. Even tests that involve a lot of sampling go very quickly.
Before deciding which and how many tests to perform, CPAs should assess the potential for errors in the general control environment. This assessment is no different from one made in connection with a financial statement audit and involves, among other factors, evaluating the attitude of management toward effective internal control. Do the officers welcome it? Are they wary of it? Are they cavalier about it? CPAs should perform more tests whenever the general control environment is more risky. The examiner should bear in mind that, when general controls are very weak, the entire accounting system may fail to be effective, no matter how many specific controls may be in place.
4. Evaluate deviations. Control test failures or errors are referred to as deviations. Any deviations should be evaluated and the examiner should determine whether the control is completely ineffective or whether additional tests might prove the control to be effective. However, it may not make sense to continue to take more samples for a given test. After a few deviations have occurred, the auditor probably will find, ultimately, that the control is ineffective.
CPAs should consider the cost of excessive sampling when deciding whether to test a control repeatedly. However, CPAs should also resist the temptation to label deviations as isolated without backing that up with further testing. A CPA who jumps to such a conclusion with inadequate support could give an inappropriate opinion, at considerable cost to his or her firm's reputation. Accordingly, CPAs should consider a deviation an indication that an internal control is not effective, unless additional evidence proves otherwise.
Instead of retesting deviations endlessly, the examiner can look for compensating controls that accomplish the same control objective. If the compensating controls test effective, they may provide sufficient support for the auditor's opinion.
CPAs should discuss deviations with management. Sometimes a banker has a good explanation for a specific problem and can assure the examiners that it was detected and corrected well before the examiners arrived on the scene. If that is true, the self-correcting mechanisms may be adequate controls. However, CPAs should take pains to corroborate any management claims to this effect.
5. Report results. After the tests of controls are complete and all deviations evaluated satisfactorily, the examiner can render an opinion. At least until the SSAE amendments become effective, that opinion should concern only whether or not management's assertion is materially correct. The opinion should be qualified if the auditor has seen significant deviations indicating that internal controls are ineffective. Any weaknesses that management has disclosed in its assertion should be highlighted by an explanatory paragraph. In addition, the examiner should offer to prepare an advisory letter outlining areas where controls could be strengthened and suggesting how this might be accomplished. An advisory letter should maximize the report's value to management and the board.
ALMOST EVERYONE BENEFITS FROM THE PROPOSED CHANGE
Of course, a lot of retired bankers and former bank examiners may lose their director's examination work if and when this proposal becomes effective. However, almost everyone else will benefit if attestation examinations replace director's examinations.
Attestation examinations are good for regulatory agencies because they help regulators protect the public. How? They should motivate management to improve internal controls and, consequently, the safety and soundness of the institutions examined. Also, the regulatory agencies may be able to zero in on potential problems more quickly with the aid of attestations.
The management and boards of banks and thrifts will be able to use their independent CPAs' feedback on the strength and effectiveness of the institution's internal controls as a management tool. Directors, especially, will sleep better knowing something about the effectiveness of internal control in the riskiest areas of the bank. Furthermore, CPAs executing attestation examinations are not at all disruptive to bank operations. The CPAs' work should be invisible to most of an institution's employees, except for the few implementing the actual controls being tested.
Finally, CPAs will be able to offer a new assurance service, the attestation examination. This should be fun and profitable. Most practitioners will find attestation engagements more fulfilling than performing agreed-upon procedures that do not make much use of their skills and experience. Certainly, the attestation examination is better aligned with the CPA's professional obligations. Also, CPAs should gain a much deeper understanding of their clients' operations, which will increase their value as consultants and business advisers.
Before circulating the proposed policy statement for comment, the FFIEC agencies asked the AICPA to conduct at least one pilot attestation examination on a community bank. The AICPA banking and savings institutions committee asked its members whether their firms would be interested in such a test. Since I am a member of that committee, and my firm, Grant Thornton, performs a significant number of director's examinations, we volunteered to conduct the pilot examination. We wanted both to assist the industry and the profession and to understand these examinations thoroughly so we could be in a position to help our clients as they adopt the new policy.
We selected a state chartered bank in Nebraska with approximately $110 million in assets and $13 million in equity. We wanted a bank that was typical of those interested in attestation examinations, a bank in good standing with regulators and with accounting systems that reliably capture and record transactions accurately.
The pilot bank is subject to state regulations but also is regulated by the FDIC. The bank's management does its best to comply with all the FDIC's external audit policies, even when compliance is voluntary. The bank is well capitalized. Its external audit program has consisted of a director's examination conducted annually by my firm. We have used the agreed-upon procedures established by the state of Nebraska, including such standard procedures as sending out confirmation letters for accruals on loans and deposits. Our director's exams haven't turned up any serious or systematic problems at the bank. However, there were a few minor problems, which required follow-up on confirmation replies and adjustments to prepaid expenses. My firm also prepared an advisory letter to management and the board with a critique based on its team's observations.
When we initially approached the bank's management about participating in the pilot test, they were somewhat apprehensive. For one thing, at the time the bank did not have much documentation for its internal controls. Since the bank was relatively small, management didn't think it could spare the personnel qualified to prepare the documentation from their routine tasks in time for the test run.
Management also was worried that it might get a report that would trigger undue interest from the FDIC. Management's particular concern was that, in the investment area, duties were not as segregated as they might have been at a larger institution. The same person performed both the accounting processes and the controls. If that weakness were to cause my firm to issue a modified report, the examination could raise a red flag inviting a lot of regulatory scrutiny, and possibly even action against the bank.
The bank and my firm have a long relationship, and despite these reservations the officers trusted the firm not to get them involved in a project against their bank's best interests. Also, the bank wanted to help the agency evaluate whether these new engagements would fulfill the FDIC's expectations. Accordingly, management agreed to proceed with the pilot. After all, the bank's board should know of any weaknesses that might increase the risk of bank failure and has a fiduciary duty to the shareholders to insist that management take corrective action.
The initial step was for management to assert that the bank has effective internal controls in place for the relevant call report schedules. The suggested format for management assertion letters is contained in the attestation standards. In this case, management used the standard format and initially provided a letter to the auditors asserting that it had effective internal controls over all the relevant call report schedules.
The first task for my firm's attestation engagement team was to help management identify and document the internal controls for the areas to be examined. As this process was under way, it became clear that the initial assertion of fully effective controls needed modification, a predictable problem when an institution documents its controls for the first time. Accordingly, management sent a new letter to the auditors outlining control weaknesses in the investment area. The relevant passage read as follows:
We have maintained effective internal control over financial reporting, except as follows:
Certain personnel responsible for initiating and managing the loan and securities portfolios also have access to such assets through the ability to generate accounting entries, including changes to master files. In addition, the general EDP control environment is deficient in that management reports available are either not generated or are not timely reviewed by appropriate personnel.
As the first of its kind, the pilot attestation examination of the bank caused my firm to expend a lot of energy in the planning stages. The planning took several days, primarily because the team was not familiar with audits of internal controls. The engagement team wanted to approach and conduct the examination in the most efficient manner possible while minimizing the risk of forming improper conclusions. Some of the considerations were how to identify and document controls, how to determine the relevant controls and how to test them. Further down the learning curve, attestation engagements may still require a lot of planning, but considerably less than the pilot did.
With the exception of the time incurred to document the internal controls initially, the attestation examination took about the same time as the director's exam had. However, the attestation examination used higher-level staff at both my firm and the bank, making it somewhat more expensive, but also more useful.
In the end, Grant Thornton delivered an attestation report to management and the board, with an explanatory paragraph pointing out the internal control weakness acknowledged in the second assertion letter but no other qualifications (see the exhibit).
The firm also sent an advisory letter suggesting how the bank's controls could be further strengthened and identifying other, less significant areas where there were no controls or the existing controls could be improved. For instance, the attestation team suggested a compensating control in the investment cycle. If the bank implements that control satisfactorily, that qualification no longer would be necessary.
Ultimately, the bank's management told my audit team that they were both relieved and satisfied. The bankers especially liked the immediate feedback we gave them. The bankers had been accustomed to waiting for weeks or more before getting any feedback on director's examination results.
The attestation examination process resulted in meaningful suggestions for improving and strengthening controls. The examination of the institution's controls was much more comprehensive than the procedures that made up the same bank's director's examination and much more focused on the areas posing the greatest risk, the loan and investment portfolios. Now management can be confident that the outcome of annual attestation examinations will be continuous improvement, with stronger controls resulting in unqualified reports over time.
In this case, everyone came out ahead. Members of the audit team came away with a much deeper knowledge of the bank and its operations. Regulators were satisfied that the important weaknesses had been fully disclosed and the public interest served. The bank's board fulfilled its fiduciary duties well. Management learned something about potential problem areas.