The world witnessed the devastating
effect of the global financial crisis which began in 2007-2008. This
evolved into a Sovereign Debt Crisis by 2010, and caused the loss of
millions of jobs worldwide. The effect is still being felt today.
So what was learned about the causes of
the financial crisis, and what are the emerging trends in the banking
industry and the audit profession? The sensational headlines post-crisis
routinely discussed “Corporate Greed”, “Market Abuse”, Banks “Too Big
to Fail”, and bankers “Too Big to Jail”. Public
outrage led to the birth
of the “Occupy Wall Street” protest movement in 2011. The main issues
were social and economic inequality, greed, corruption and the perceived
undue influence of corporations on government, particularly from the
financial services sector.
A report by the U.S. Financial Crisis
Inquiry Commission concluded that the crisis was avoidable and was
caused by widespread failures in financial regulation and supervision;
dramatic failures of corporate governance and risk management at
systemically important financial institutions; a combination of
excessive borrowing, risky investments, and lack of transparency by
financial institutions; a systemic breakdown in accountability and
ethics; collapsing mortgage-lending standards; deregulation of
over-the-counter derivatives, especially credit default swaps; and
failure of credit rating agencies to correctly price risk. Subsequently
there have been ongoing investigations, prosecutions, and billions of
dollars of fines and enforcement actions.
Such increasingly aggressive pursuit of
banks and bankers has led to a restructuring of the regulatory agencies
in many jurisdictions, with new legislation being introduced,
such as the Dodd-Frank Wall Street Reform and Consumer Protection Act.
A comprehensive set of reform measures was developed by the Basel
Committee on Banking Supervision to strengthen the regulation,
supervision, capital adequacy and risk management of the banking sector.
These measures aim to improve the banking sector’s ability to absorb
shocks arising from financial and economic stress, improve risk
management and governance, and strengthen bank transparency and
disclosures.
In light of these
developments, a list of Auditing Trends was compiled. The research to
produce the list not only analyzed the financial crisis and the measures
to reform the regulatory framework, it also took into account studies
conducted by major auditing and consulting firms, and new guidance for
banking governance. These documents are: PwC’s “Key Considerations for
Board and Audit Committee Members” 2014–2015 edition; KPMG’s Audit
Committee Institute “2015 Global Audit Committee Survey”; Deloitte’s
“2015 Planning Priorities for Internal Audit in Financial Services” and
“Directors’ Alert – Through the Eyes of the Board: Key Governance Issues
for 2015”; the 2014 Basel Committee on Banking Supervision revised
“Corporate Governance Principles for Banks”, and Protiviti’s “Setting
the 2015 Audit Committee Agenda”.
Business Strategy
Revised guidance from the Institute of
Internal Auditors regarding the Financial Services sector requires the
audit scope to include information presented to the Board and Executive
Management, together with the associated processes and controls,
supporting the strategic and operational decision making. Internal Audit
should assess whether the information presented to the Board and
Executive Management fairly represents the benefits, risks and
assumptions associated with the strategy and corresponding business
model.
Regulatory Compliance, Fines, Sanctions
In 2014, BNP Paribas was criminally
charged by the SEC, and paid US$ 8.97 billion in fines, a record for a
global sanctions case. Credit Suisse pleaded guilty to a criminal charge
for its role in helping Americans avoid taxes, and paid more than $2.5
billion as part of an agreement with U.S. authorities. The massive scale
of regulatory breaches, criminal activities, greed and unethical
behavior have led the regulators to introduce the concept of
accountability for senior bankers. This is a shock wake-up call for
Directors and Executives. In the UK, the Prudential Regulation Authority
and the Financial Conduct Authority are introducing a new conduct rules
regime. Bankers may be held criminally responsible and prosecuted for
taking a decision that causes an institution to fail. The rules include a
concept of “presumption of responsibility” following the establishment
of a regulatory breach. This will significantly increase the personal
regulatory exposure of senior managers. Auditors will need to focus on
assessing whether standards of conduct are being raised to meet the higher
regulatory rules, and on considering what records they should themselves
maintain to evidence their own actions.
Clients – TCF, MiFID, KYC, AML, Tax Transparency, Risk Appetite Profiling
The primary role of internal audit is
to help protect the assets, reputation and sustainability of the
organization. Clients are the key asset of the bank: the wrong clients
can damage the reputation of the bank, and the business is not
sustainable without the client base. The increase in regulatory
standards is primarily driven by the bank-client relationship. In the UK,
“Treating Customers Fairly” (TCF) remains central to the FSA’s
expectations of firms’ conduct. Banks must put the well-being of
customers at the heart of their business.
The Markets in Financial Instruments
Directive (MiFID) provides harmonized regulation for investment services
with the objective of increasing competition and consumer protection.
MiFID requires firms to categorize clients as “eligible counterparties”,
professional clients or retail clients, each category receiving an
increasing level of protection. The Directive requires Client Investment
Risk Profiles to ensure the suitability of investments.
Anti-Money Laundering and Know Your
Customer (AML-KYC) standards have been raised, in particular when banks
deal with Higher Risk and Politically Exposed clients. Evidence of
source of wealth is mandatory. Tax transparency is firmly on the radar,
and “Tax optimization schemes” are now under scrutiny. Auditors should
consider taking a holistic view of clients, client services, client
related regulations, and client-asset transparency in assessing the
business model and culture.
Corporate Governance & Key Corporate Events
Post-crisis analysis by the World Bank
and the IFC identified Corporate Governance failures as one of the main
contributing factors. The failures identified are in 4 areas: “Risk
Governance”, “Remuneration and alignment of incentive structures”,
“Board independence, qualifications and composition”, and “Shareholder
engagement”. These are all areas on which auditors need to focus.
Remuneration Governance is one of the key challenges: ensuring the
correct balance between risk and reward, and ensuring that compensation is
equitable to all parties and stakeholders. The trend is to enhance
Remuneration Governance. Many countries now have regulations for Banks
to include the remuneration for top executives and directors in their
annual financial report, along with shareholder votes on boardroom
remuneration.
There is a trend for audit involvement
in “Key Corporate Events”, a concept introduced by the UK CIIA in their
revised guidance “Effective Internal Audit in the Financial
Services Sector”. Key corporate events could include significant
business process changes, introduction of new products and services,
outsourcing decisions and acquisitions or divestments. Internal Audit
should evaluate whether the key risks are being adequately addressed and
reported, and also whether the information being used in key decision
making is fair, balanced and reasonable, and whether the related
procedures and controls have been followed.
Risk Management Framework
Risk oversight continues to be a top
priority for directors. Boards typically focus on overseeing the Bank’s
most critical risks and agreeing on the overall risk appetite. Recent
surveys of Boards and Audit Committees indicate they are increasingly
challenged by the amount of time and technical competence required to
provide effective risk oversight. More time needs to be spent on
operational risk, cyber security, the pace of technology change, and
third-party risks. Companies need to have appropriate risk management
practices that address third-party risk, and directors will want to ask
about them. One way to help manage such risks is to conduct independent
audit or verification procedures. Regulatory compliance risk continues
to occupy Board attention.
Cyber Security, Emerging Technology, Data Theft
A major incident at JP Morgan bank
affected 76 million households. In the wake of such data breaches the NY
Department of Financial Services announced a new cybersecurity
examination process for banks under its jurisdiction. This may lead to
enforcement actions against regulated entities failing to implement
adequate cybersecurity programs. Auditors should evaluate the banks’
cybersecurity framework, preferably using the 5 Core Functions approach
developed by the US National Institute of Standards and Technology in
their “Framework for Improving Critical Infrastructure Cybersecurity”.
Emerging technologies require more attention in the Boardroom. The U.S.
Securities and Exchange Commission uses “Big Data” tools to analyze
massive amounts of trading data to understand market behavior and detect
potential illegal trading and other misconduct. Auditors should follow
this trend by expanding their IT Audit resources and technology
capabilities. Audit considerations include: discussing with management
how the bank keeps up with technological change; understanding how the
company uses emerging technologies to drive growth and how the risks are
managed; and assessing board oversight of emerging technologies.
Data Theft is of concern to private
banks, and here the threat can be internal. Client data theft by
employees of HSBC Private Bank and Julius Baer caused immense damage to
the reputation of Switzerland and private bankers. Therefore auditors
will continue to assess the internal risk of client data theft, and the
quality of the client data protection framework.
Fraud, Bribery & Corruption
Fraud is a key risk in banking, and
fraud schemes continually evolve. Recent UK reports suggest that on-line
banking fraud increased by 70% in 2014. Updated guidance on fraud risk
was provided by the Committee of Sponsoring Organizations (COSO) in
their updated “Internal Control – Integrated Framework”. Auditors
routinely perform sample transaction testing to gain assurance of the
robustness of the internal control system to prevent and detect errors
and fraud. The trend will be to re-examine the nature and causes of
fraud, design new audit sampling techniques, and embed audit software in
on-line systems.
Bribery and Corruption is firmly on the
agenda. The SEC is investigating Goldman Sachs, Credit Suisse, Morgan
Stanley, Citigroup, Bank of New York Mellon and UBS AG for possible
violations of the Foreign Corrupt Practices Act (FCPA). Compliance costs
for banks continue to increase as more nations enact their own
anti-bribery laws. In the UK, the 2010 Bribery Act can impose penalties
of 10 years’ imprisonment, an unlimited fine, and disqualification of
directors. Auditors need to review the framework for implementing
anti-bribery and corruption processes.
Auditor Rotation, Training, Automation, QA, IA / EA Cooperation
New rules require European-listed banks
to rotate the audit firm every 10 years (this can be extended under
certain circumstances). Previously, as in the US, Europe followed the
rule of audit partner rotation. The Public Company Accounting Oversight
Board (PCAOB) has found that mandatory audit firm rotation leads to lower
audit fees in Europe, but it has also sparked audit quality concerns. The
PCAOB has raised doubts about the adequacy of External Auditor quality
control systems to provide assurance that audit work meets applicable
standards. Audit Committees should develop a strategy to handle the
audit rotation rule, manage the handover transition, and seek
assurance on the quality of work. Internal Audit / External Audit
cooperation is another topic to be considered. In the past, there was an
expectation of interaction and cooperation, with each party sharing
views on risk and placing some reliance on work performed by the
other party. The trend now seems to be moving in the other direction.
Financial Products, Approval Process, Mis-selling, Transparency
Learned papers discuss the question:
“Did a Mathematical Formula Blow up Wall Street?” Dr. David Li invented
the Gaussian Copula formula used to rate Collateralized Debt Obligations
by measuring the risk of default. The formula was used to price
hundreds of billions of dollars of CDOs filled with mortgage backed
securities, many of them sub-prime. It was used by credit rating
agencies and the derivatives departments of investment banks. Banks rely
heavily on quantitative analysis and models. The risks involved in
decisions based on models that are incorrect, misused, or modified
should be addressed. According to the “Supervisory Guidance on Model
Risk Management” (Federal Reserve System/OCC), model risk governance is
provided at the highest level by the board of directors and senior
management when they establish a bank-wide approach to model risk
management. Auditors are responsible for ensuring that an appropriate
model risk governance framework is in place.
Banks have been fined for mis-selling
complex financial products to unsophisticated clients. Processes
concerned with financial product structuring, approval, marketing,
valuation and suitability require auditor review.
Outsourced Services
Regulators are getting tougher on banks
that fail to adequately oversee outsourced services. The FDIC imposed a
$15 million penalty on the First Bank of Delaware for AML violations
due to failures in monitoring third-party payment processors. Discover
Bank, Capital One and American Express were fined for failing to
supervise outsourced services to telemarketers, debt collection agencies
and call centers. Outsourcing does not relieve a bank from
responsibility and legal liability. It does reduce direct control over
those activities, which increases the risks, endangers the bank’s
operations and reputation, and exposes it to liability for compliance
failures. Auditors should seek assurance that the bank has rigorous
oversight over critical outsourcing activities.
In conclusion
By assessing key risks it is evident
that there are challenges on all sides. Banks are under attack, being
subject to enforcement actions, fines, penalties and expensive
remediation action. Regulators and politicians are under pressure from
the public, and sometimes each other, to deal more firmly with the
banking sector, the banks, and bankers involved in breaches of
regulations, criminal law, public trust and confidence. Auditors have
perhaps been too accommodating in allowing bank management and directors
to somehow “manage” the audit relationship to their advantage, in
order to mitigate their own reputational and regulatory risk. Throughout
history, in moments of crisis and challenge, there are great
opportunities. As stated in the new Basel Committee “Corporate
Governance Principles for Banks”, internal audit provides independent
assurance … in promoting an effective governance process and the long-term soundness of the bank.
The audit profession must rise to the challenge, embrace the key audit
trends for 2015, and raise the standard of auditing to meet the higher
level of Banking Governance now required.