The Changing Role of the Audit Committee
Times Require a Harder Look at the Greatest Areas of Risk
"Who's watching the road?"
That's the question many observers ask amidst the global economic crisis, with its wild market fluctuations and historic failures of well-known banking institutions such as Washington Mutual and IndyMac.
But don't blame these failures solely on institutions' audit committees for being asleep at the wheel, says one banking leader.
"Most bank failures are not because of lack of audit committee involvement; some of it is systemic, and others are the result of diverse issues," says Paul V. Stahlin, Regional President of Skylands Community Bank, a NJ-based institution with $1.2 billion in assets under management. Stahlin recently served on the Board of Directors of the American Institute of Certified Public Accountants (AICPA) and is immediate past Chairman of its Audit Committee. "The number of bank failures is miniscule compared to the total number of banks which are in business in United States -- a clear indication of the fact that the system does work, and these committees are active and very much doing their job."
That said, Stahlin offers, there are still some new tasks audit committees can take on in tough times to further ensure safety and soundness.
The Role of the Audit Committee
Since their outset, audit committees have always been critical to an institution's integrity. They are responsible to provide board oversight and ensure legal and regulatory compliance. Among the issues they deal with regularly:
Risk management program: How effective is the program in place? Is management working actively to underline major risks, and are internal controls in place over major risk areas? Is the risk assessment looking into strategic, operations, technology, financial and regulatory compliance areas?
Development of the internal audit plan: How are these plans developed? How are internal and external audit exceptions reported? What is the follow-up mechanism? Are there any issues between the internal and external auditors that need resolution or immediate attention? Is the audit plan addressing regulatory compliance, and has it any provision for anticipating changes?
Management support and insight: How is management responding to internal and external audit findings? Are they following best practices to address risk and implement an effective risk and security management program? What is the management's process in assessing risks faced by institutions and businesses? Do they have a fraud and incident response plan and program in place?
Of course, hard times require banking leaders to take a hard look at their internal operations. And Stahlin says progressive audit committees are evolving their roles in response to the global economic crisis.
"The guidelines, controls and framework for an audit committee at any financial institution are well-defined and appropriate," Stahlin says. However, given the developments of the market place, audit committees need to move dynamically with the changing times by:
Committing to an evolving role -- where communication is the most critical piece, including open dialogue with stakeholders such as internal auditors, external auditors, management and shareholders.
Intensifying focus primarily on the 5 areas of risk -- Capital, Liquidity, Reputation, Credit and Control (both financial and information security). Where are the risks? How is management adjusting business process to address the ongoing risks and changing risk profile? And then focus in pursuing each of those areas in an organized manner.
Anticipating the changes in economy -- and asking deeper and intelligent questions that directly reflect on the degree of involvement of audit committees, indicating how far they will go to get the answers.
Educating and training the members of the audit committee -- in areas of risk management, including financial, legal and information security risk, regulatory compliance initiatives, information and internal controls, overall business best practices and the dynamics of the community that is being served.
Drawing a fine balance -- between rigorous audit controls and the business being conducted. The control system is built to allow businesses to act responsibly, but audit committees need to understand that putting increasing controls may obstruct the institution's day-to-day operations. Therefore, Stahlin says, emphasis needs to be given to ensure that the cost of controls does not ruin the value of the system.
See also: What's it Take to be an Internal Auditor?