Berita Audit

October 5, 2011

Making Audits More Audible

Filed under: Article — Teguh @ 1:24 pm

Source : http://tnwinc.com/index.php/news/comments/making_audits_more_audible

by Sarah Johnson, senior editor for risk & compliance, CFO Magazine

New rules would require auditors to speak up about possible problems, and describe in more detail what they do and don’t look at.

The succinctness of an audit opinion belies the many hours of review, reconciliations, and judgments that are required for an auditor to produce it. Despite all that work, the public audit opinion ultimately amounts to little more than a thumbs up or down regarding whether a company’s numbers are presented in accordance with generally accepted accounting principles.

That could change. A movement has been underway for the past several years to push auditors to narrow the gap between what they do and what investors would like them to do, particularly when it comes to detecting fraud. At the least, some experts believe that auditors should expand their opinions to better explain their role and any limitations they face in expanding that role. “We were getting a lot of information from a lot of different sources that the standard form of the auditor report, with its simple pass/fail verdict on the company’s financial reporting, was becoming less useful,” says James Doty, chairman of the Public Company Accounting Oversight Board (PCAOB), which recently issued a concept release exploring the issue.

For the most part, finance executives would be fine with auditors adding more description about their responsibilities, as the PCAOB has proposed. “I can see a case being made that auditors should describe more of what they’re doing,” says Gary Kabureck, chief accounting officer at Xerox.

But how detailed auditors will get, and whether additional verbiage in the audit report will require more actual audit work, is another matter. Auditors’ workloads could significantly increase if some rule changes contemplated by the PCAOB move forward, and that, in turn, would have a direct effect on finance departments in terms of time and costs.

In addition to expanding the way in which auditors approach financial statements, the PCAOB is also contemplating whether auditors’ assurances should extend to new domains, including management’s discussion and analysis (MD&A) and earnings releases. The regulator is also toying with mandatory auditor rotation, which could require companies to switch auditing firms every 10 years.

At the heart of these and other possible changes is a desire on the part of the regulator to bolster the credibility of audits, which has faltered in recent years, and to make them as relevant and independent as possible. According to a board document, some of this new information “would increase the scope of the auditor’s responsibilities [and] require the development of new auditing standards.” Most likely, it would also require the Securities and Exchange Commission to tweak the reporting requirements it imposes on companies.

If some of these proposals survive the inevitable battles that changes to standards entail, as accounting firms and business interests push back, finance departments will feel some of the pain, even though they’re not the target of the PCAOB rules. “Increased responsibility and regulatory requirements on the external auditors are going to require more work, which will result in higher fees,” says Erik Skramstad, a partner and U.S. forensic services practice leader at PricewaterhouseCoopers.

Indeed, finance departments could find themselves spending more time and money on audits, not to mention having to answer more-pressing questions than they do now, especially during the crunch time at the tail end of the financial-reporting cycle. If auditors have to produce more-detailed and customized reports, that could lead to an “administrative nightmare in trying to wrap up the audit,” says Dennis Beresford, a University of Georgia accounting professor and audit-committee chairman of Legg Mason and Fannie Mae.

Repairing the Damage

The PCAOB was created by the Sarbanes-Oxley Act under the belief that a designated watchdog would better keep the accounting industry in check than the self-reviews the accounting firms had been practicing. Likewise, its existence would help repair the credibility problems of the industry following well-publicized audit failures (Enron, WorldCom).

But eight years after the PCAOB was launched, the accounting industry is again in “self-examining mode,” according to chairman Doty, following the most recent financial crisis and investors’ questions about why auditors didn’t — or couldn’t — send up more red flags that something was amiss at some of the institutions they reviewed.

“Where were the auditors?” became a common refrain. At the very least, the argument goes, auditors could have given hints that, perhaps, fraud or serious mismanagement was occurring. Investors have told the PCAOB that auditors seemed to have held back information they collected during their evaluations, and that if that did happen, rules need to be changed so that investors can know more in the future.

Auditors do have an avenue for relaying troubling information, via their talks with companies’ audit committees, but those discussions are not shared publicly. (In fact, the nature of those conversations is the subject of another possible rule that would emphasize auditors are beholden to audit committees and not to management.)

Doty has repeatedly been questioned about the accounting industry’s business model: How can auditors maintain their independence and provide skeptical reviews when they are paid by the clients they are reviewing — and whose business they want to keep?

One possible answer to the coziness that creeps up between these two parties is mandatory rotation. The PCAOB has suggested (in yet another concept release) that accounting firms should switch off clients every few years. (Some companies have kept the same accounting firm for more than 50 years.) But that idea was rejected by Sarbox lawmakers nearly a decade ago. Instead, the 2002 law requires the lead audit partner to move off an account after 5 consecutive years.

The PCAOB will be challenged over the details of the proposed changes. One likely objection from companies is that getting new auditors up to speed on their business is too time-consuming. (For those who want to speak up, the comment period ends in December.) “It’s a huge hurdle for management as well as auditors,” says Gail Hanson, CFO of Aurora Health Care. Moreover, for larger companies that have tended to limit their pool of would-be auditors to the Big Four, mandatory rotation won’t give them many options, particularly since many companies give their audit work to one Big Four firm and related consulting work to another.

Commentators will also want to know how the regulator will determine what types of information auditors should scrutinize (forward-looking statements can’t exactly be audited, for example) and how much additional verbiage should be devoted to such matters in financial reports, particularly for information a company has decided to withhold.

“If auditors think they see something that is a problem that the board and management doesn’t, what do you do?” says Xerox’s Kabureck. “Auditors don’t know more about the client than the client knows itself.”

One idea floated by the PCAOB is to give auditors their own discussion-and-analysis section in financial reports. Auditors would use the space to express their thoughts on management’s judgments and estimates, accounting policies and practices, and — most controversial — management’s “close calls,” or debatable estimates.

It’s important to note that, as of now, all of these proposals are in flux. The auditor-rotation idea, for instance, “is a long shot,” predicts Beresford, who as a former chairman of the Financial Accounting Standards Board has seen his share of proposals amount to nothing. Still, the level of activity at the PCAOB suggests that some changes are imminent (see chart, below).

While CFOs certainly would not welcome higher audit bills, they might like what those higher fees will, in theory, buy. If more auditor-verified information improves the confidence of investors, so much the better for the capital markets, says Hanson of Aurora Health Care. “Companies pay a lot to get an audit,” she says. “The hope is that by having those audits go beyond a pass/fail grade, the audit will communicate something to investors that will warrant the higher fees.”

Mum’s the Word

Currently, auditors’ reports do not mention the word fraud, nor do they discuss the auditors’ responsibility to detect it. That’s despite the fact that accounting firms are expected, under the Public Company Accounting Oversight Board’s rules, to decide whether a company’s financial statements are free of material misstatement, “whether [it be] caused by error or fraud.” The PCAOB now wants auditors to spell out this responsibility in their audit opinions.

But even if they do so, that may not provide much confidence that fraud has been vanquished. Because auditors can’t look at every transaction a company makes, they focus on risky areas. Clever fraudsters know that. “It’s very difficult for auditors to uncover fraud if the people committing the fraud really want to hide it,” says Luis Ramos, chief executive officer of The Network, a governance, risk, and compliance consultancy.

Even if audit reports explicitly describe how the external auditor attempts to ferret out fraud, the bulk of responsibility is likely to rest with internal staff and policies. External audits are “one piece of the puzzle to fraud prevention,” says Erik Skramstad, a partner and U.S. forensic services practice leader at PricewaterhouseCoopers. “[But] it’s ultimately the company’s and the board of directors’s responsibility to ensure corporate integrity.” — S.J.

Internal Audit Tips

Filed under: Article — Teguh @ 1:23 pm

Source : http://www.questanalytical.com/Articles/Internal_Audit_Tips.htm

Internal audits help you learn about your company and find areas that are working and areas that are not working as planned. Whether you do internal audits to stay compliant with government regulations or quality standards, whether it is your first audit or your 100th, below are some tips to help the process.

Before an audit

  • Make sure the authority of the audit team is established – this will increase the cooperation from auditees.
  • Decide what areas of the company will be audited and the frequency of the audits. Prepare a yearly audit schedule and distribute.
  • Develop an audit plan. Decide what other audit resources are needed – checklists, other auditors?
  • Determine the purpose of the audit – is it to comply with government regulations, quality standards, internal procedures and systems?
  • Define the scope of the audit – is it an overview of the area being audited or is it to concentrate on a specific system within the area?
  • Hold a meeting with the auditors to discuss the plan, purpose, and scope of the audit.
  • Read the documents you will be auditing against. Know what they say. Develop questions to ask the auditees.
  • Conduct an opening meeting with the auditees.

During an audit

  • Be professional at all times. Avoid being judgmental.
  • Follow safety procedures, clean room procedures, and all other required procedures.
  • Explain the purpose of the audit to the auditees.
  • Answer questions or discuss compliance problems brought to your attention by auditees.
  • Be flexible – if you find a potential problem not within the scope of the audit – evaluate the potential risks of the problem if left unaddressed.
  • Encourage honesty with the auditees.

After the audit

  • Hold an auditors meeting to discuss the closing meeting content.
  • Hold a closing meeting with all auditees involved with the audit. First, point out what was done well. Second, address the nonconformances and ensure the auditees understand the nonconformances and what part of the standard is not met.
  • Issue the audit report in a timely manner.
  • Encourage auditees to decide on the corrective actions. Allowing auditees to have input will give them ownership in implementing changes.
  • Assist those responsible for completing the corrective actions with setting reasonable deadlines. The corrective action deadlines may vary depending on the severity of the noncompliance.
  • Be available and willing to help the auditees.
  • Ask for feedback on how you and your audit team were perceived – adjust your approach if necessary.

One last tip: Involve people!

Use audits as opportunities to train others. Ask for a volunteer (who is not an auditor) to walk through the audit process with you as an assistant. This will provide others with a better understanding of what audits are and why they are necessary.

Invite all the auditees to the closing meeting. Having been an auditee, I know it helps to hear audit findings firsthand, the positive as well as the negative.

Involving people creates a feeling that everyone is a vital contributor to the goal of the company – compliance.

Best Practices in Internal Audit

Filed under: Article — Teguh @ 1:22 pm

Source : http://www.metricstream.com/insights/bestpractices_intaudit.htm

Internal auditing is a mechanism by which an organization examines a business process to evaluate its ability to comply with internal and external requirements. It is also a very effective tool to implement a discipline of continuous improvement. Internal audits enable management to:

  • Discover what’s really going on within the organization, which enables objective decision making and enables managers to direct the resources towards the right issues
  • Learn about potential problems before they become burning issues
  • Identify failure points within a process, so relevant stakeholders can implement corrective actions in a timely manner
  • Determine the effectiveness of controls within a process

Attributes of a successful internal audit program

To be effective, the internal audit and the corrective and preventive action (CAPA) processes must be fully integrated in a closed-loop manner. Internal audit of a process/organization takes a snapshot of the current environment, maps it to defined requirements or specifications and then identifies nonconformities or opportunities for improvement. These nonconformities are then fed into a corrective action process, which recommends specific actions and solutions. The lead auditor should then verify that the corrective action has been implemented and the root cause of the original nonconformity has been eliminated.

An internal-audit program within an organization is less likely to be successful when it does not have the right management support and commitment. In organizations where the audit program consistently delivers good results, the closed loop audit/corrective action process is likely to be institutionalized as a result of the management support. A key attribute of such an organization is any process-owner’s ability to answer the following questions very clearly:

  • Are the processes and metrics clearly defined, so internal audit process can discover unambiguous non-conformance?
  • How does the audit process incorporate the results of previous audits to track progress against previously discovered nonconformities?
  • What is the process to identify potential root causes in a timely manner for the non-conformities that are discovered by the audit process? Are corrective actions always taken to eliminate such root causes or potential root causes?
  • How is the data on corrective and preventive actions reported and analyzed?
  • How do employees receive feedback on their respective non-conformities?

Five key activities in an internal audit

An internal audit is almost always successful when an internal auditor is able to carry out the following five linked activities:

  • Audit schedule: The purpose of the audit schedule is to communicate when the organization can expect to be audited, who will lead the effort, which high level processes will be included in the audit and what type of resources may be needed from the process owner. Audits scheduled far in advance always produce better results.
  • Audit plan: An audit plan should detail a single audit’s scope, objectives and agenda. The plan provides a chronology of the audit from start to finish: which specific processes and sub-processes will be audited, exactly when they’ll be audited, who will do it and which requirements will be audited in each segment.
  • Audit management: The lead auditor manages the overall process, including managing and communicating any changes to the audit plan, communicating the audit progress to the stakeholders, ensuring that the audit process stays on track, reviewing all nonconformities to ensure that they’re logical, valid and clear, resolving all conflicts constructively and ensuring that the entire audit is conducted professionally and positively.
  • Audit reporting: Stakeholders are presented with the written audit observations and a list of non-conformities, and these form the basis for discussion of the audit results.
  • Audit Verification: The manager of the process being audited is usually asked to respond to audit nonconformities by an agreed-upon date. The response should include investigation into the root cause, proposed corrective action and a date when the action should be completed. The lead auditor reviews the responses to determine whether the investigation and proposed corrective actions are adequate. If a response doesn’t identify a plausible root cause or propose a corrective action related to it, the lead auditor can reject the response and explain to the manager-of-the-process why it’s inadequate. The second stage of verification occurs when the manager-of-the-process notifies the lead auditor that corrective action has been implemented. At this stage, the lead auditor or a team member will verify that the corrective action has been fully implemented and the root cause of the original nonconformity has been eliminated.

System Requirements for a Successful Internal Audit Program

A specific audit is likely to be more successful if the detailed steps listed above are automated using software to make them repeatable. Leading industry analysts have identified the following core requirements of a software solution for a closed-loop internal audit program – an end-to-end process from audit management through corrective actions to change control.

  • Audit Management: The software should allow definition and management of various elements of the audit process including creation of different checklists by audit type, tracking audit schedule details, managing role differentiation between lead auditors, approvers and managers for all audit components and enabling workload distribution by sharing components of the audit. The software should also allow auditors to track progress, attach various documents as supporting evidence of the non-conformities, review non-conformities identified by audit team members, ensure all exit criteria in the checklist have been met before the step is completed and report audit results (pass/fail).
  • Non-conformance tracking and management: The software should track and manage all non-conformances arising out of the audit process and provide an ability to either close out the non-conformance (based on severity level and authorization) or trigger a corrective action process. In some regulated industries such as medical devices, closing out certain non-conformities may not be an option and a corrective action is automatically triggered.
  • Corrective Action: The software should provide a collaborative mechanism for automatically routing a corrective action request to a hierarchy of users with built-in notification and escalation procedures, enabling them to review all relevant non-conformance records to analyze the root cause and document corrective actions to correct or prevent the recurrence of the problem. The system should support configurable industry-specific report formats such as 8-D, 5-Phase and PIAR.
  • Change Control: The software should support multiple change control mechanisms identified in corrective action such as document change (change to a standard operating procedure or process instructions etc.) or employee training or equipment recalibration.
  • The system should be developed from the ground up using web architecture, so it can be easily accessed by any user within the company or by key suppliers or customers outside the organization and it can easily integrate with other systems or corporate portals.
  • The system should allow Enterprise-wide reporting on any non-conformance and corrective action at a department/plant/division/company hierarchy and provide an Executive Dashboard to report on key process indicators.

A successful internal audit program is critical to implementing an organizational discipline of continuous improvement. By ensuring that the best practices are implemented and by using software to automate the closed-loop process, an organization will be well on its way towards realizing impressive results from its internal audit program.

October 4, 2011

Audit committee should be allowed to select internal audit head, determine pay

Filed under: Article — Teguh @ 1:19 pm

Source : http://biz.thestar.com.my/news/story.asp?file=/2011/8/15/business/9274559&sec=business&sf1994764=1

KUALA LUMPUR: A listed company’s audit committee should have a say in the selection of the company’s head of internal audit and in determining his pay, says the Institute of Internal Auditors (IIA). The Florida-based professional body adds that this will help ensure the internal audit function, although a part of management, has a degree of independence that will allow it to fulfil its responsibilities.

IIA president and CEO Richard F. Chambers said internal auditors in most parts of the world had dual reporting relationships. They came under the CEOs or CFOs (chief financial officers), but they also reported to the boards of directors, via the audit committees. Bursa Malaysia, for example, requires a listed company’s internal audit function to report directly to the audit committee.

“If I’m a chief audit executive, I should have access to the audit committee. I should have regular private meetings with the committee so that they can ask me, without management present, if there are any matters that they should be aware of,” said Chambers, who was here recently to attend the IIA’s annual international conference, which was held in Asia for the first time.

“When internal audit doesn’t have the strong support of the board to ensure its independence, there will always be the perception, or the risk of the perception, that it’s not independent, because its entire world revolves around management. Today we see 80% to 90% of chief audit executives having reporting relationships with the chairmen of audit committees. That’s up from only about 50% 10 years ago. That’s why I feel so much better today about internal audit’s independence than I did 10 years ago.”

He described the reporting relationship to the audit committee as the final line of defence for the internal audit function. That relationship, he pointed out, gave some comfort that fraud or mismanagement detected by the internal auditor would not be easily swept under the carpet, even if the management was reluctant to take action.

He suggested an additional measure to reinforce the independence of internal audit: “We advocate that the audit committee not only have the reporting relationship, but be involved in hiring and firing of the internal audit chief, and in setting his compensation.”

According to the IIA, internal audit helps an organisation to achieve its objectives through the enhancement of internal controls, risk management and corporate governance.

Chambers pointed out that shareholders expected the board of directors to figure out the risk appetite of the company, communicate that risk appetite to management and then hold management accountable if it took on risks that the company could not sustain. The many corporate failures that led to the global financial crisis, he argued, were partly caused by very weak risk management, particularly in the financial services sector.

“A strong internal audit function can provide assurance to the board that the management has a solid risk management system and that effective internal controls are in place to help mitigate the risks,” he added.

On the role of internal audit in corporate governance, he said: “I don’t think in this day and age that a board can be truly effective if it doesn’t have the eyes and ears that an internal audit function provides. Boards cannot be present in a company every day. They have to rely on someone in the company besides the management to tell them what kind of job the management does.”

But how do you tell if a company’s internal audit is working well? Chambers said most company directors had told him that a strong and effective internal audit function yielded fewer surprises. “This is because the internal auditors will be out there looking at, identifying and talking about the risks the company faces, making sure the right controls are in place to mitigate the risks, and that you don’t end up with something blowing up,” he explained.

He added that internal audit had deterrent value too, because the management would be wary of having a bad audit result.

Internal audit gained larger prominence in corporate Malaysia when Bursa Malaysia mandated that beginning Jan 31, 2009, a listed company must have an internal audit function that is “independent of the activities it audits”.

The exchange also requires the company’s annual report to include a statement relating to the internal audit function, informing whether the function is performed in-house or is outsourced, and the costs incurred for the function in respect of the financial year.

“What has impressed me about the regulations here is that they have put some teeth into the requirement (for a listed company to have an internal audit function) by requiring transparency about whether there’s a real internal audit function there or just one in name,” says Chambers.

The IIA has 170,000 members from 165 countries. Local affiliate The Institute of Internal Auditors Malaysia was set up in 1977 and has more than 3,000 members.

Time Frames: Are You Establishing Them for the Issuance of Audit Reports?

Filed under: Article — Teguh @ 1:13 pm

Source : http://www.theiia.org/blogs/soapbox/index.cfm/post/Time%20Frames:%20Are%20You%20Establishing%20Them%20for%20the%20Issuance%20of%20Audit%20Reports?utm_content=sf1994801&utm_medium=spredfast&utm_campaign=IIA+Brand&cid=[channel]text&sf1994801=1

Pamela Edwards-Faulk, CFE
Internal Review Evaluator
U.S. Department of the Army
Fayetteville, N.C.

Internal auditors are viewed by many as an extension of top management. Therefore, it is a good practice to issue timely audit reports to management who are vested in the audit results. Timely audit results show management that not only are auditors committed to improving the deficiencies identified in the audit, but also that they are committed to helping management improve the overall effectiveness and efficiencies of the organization’s operations.

Significant delays and long cycle times often result in management dissatisfaction because memories of the audit can become stale. Internal auditors who don’t ensure that audit results are communicated to management risk developing a negative reputation within their organization. Also, management may develop process action teams to assist with future issues and problems instead of seeking the assistance of internal auditors. Therefore, it is essential that an audit entity plan to issue the audit report or the audit results promptly, or the subsequent report will be of little value to management.

Communicating audit results, whether positive or negative, can be a challenge. The delay of negative results is even more stressful when the information is not conveyed timely. That is why it is imperative that all auditors make it a goal to communicate audit results timely. In accordance with the International Standards for the Professional Practice of Internal Auditing, for managers to take corrective action, audit results need to be current and relevant.

There are alternatives to issuing a formal audit report. Memorandum reports or summary reports can still outline the condition, cause, criteria, effect, and recommendations. This will allow management to issue the report within a number of days as opposed to a number of weeks or months. A memorandum report or summary report is by no means a substitute for the final report; however, it allows management the opportunity to correct the deficiencies identified during the audit prior to receiving the final report. Of course, this is on a case-by-case basis. There are times when a detailed report is required due to the significance of the audit findings.

The establishment of time frames and milestones is twofold; not only is it an effective way to ensure audit reports are conveyed to the organization’s leadership timely, it also will allow audit management to measure the progress of the internal audit department. For example, audit managers and supervisors can make it a standard that all reports will be published within 10 days of completing fieldwork. This is, of course, at the audit manager’s discretion because each audit has its own issues that may prevent an auditor from meeting this goal. Different audit approaches can and should be applied depending on the circumstances. However, it is better to have a standard goal as opposed to issuing reports at random.

Establishing a time frame with specific milestones will ensure audit reports are issued within a reasonable amount of time and will hold auditors accountable to a schedule. Additionally, managers and supervisors can modify the audit report format to help ensure that reports are issued timely. After all, establishing measurable goals within the audit department can provide a standard for measuring its progress.

Unfortunately, auditors are faced with the same challenges of balancing workloads and expectations with limited resources. However, finding opportunities to issue reports with limited resources — particularly for smaller audit entities — is achievable. By performing timely, value-added audits, internal auditors will show their value within their organization. Also, issuing timely audit reports will not only enhance the auditors’ credibility, it also will show management that it can depend upon internal auditors to provide meaningful recommendations.

Just Have a Conversation

Filed under: Uncategorized — Teguh @ 1:09 pm

Source : http://www.theiia.org/BLOGS/jacka/index.cfm/post/Just%20Have%20a%20Conversation?sf2067574=1

I have a tip for everyone regarding interviewing. In my experience, I have seen that there are some people who recognize they are not as skillful at interviewing as they would like to be. But it is interesting to me how many (and this is a large number) think they are very good at interviewing, but they really aren’t. It’s kind of like driving. I have met next to nobody who doesn’t think they are an expert driver – yet, few of them are. And so it is with interviewing – far too many people think they are experts, and a good proportion of them are wrong.

I just finished Neil Strauss’s Everyone Loves You When You’re Dead. Neil has been a journalist for twenty years and, in that time, has interviewed people representing all aspects of the music scene. He has talked to people from Bo Diddley to Loretta Lynne to Lady Gaga to The Funerals to Lucia Pamela to Henry Grimes to Rick James to Katey Red to Leonard Cohen to Hanson to ? and the Mysterians to Jordy to Slipknot to Chuck Berry to … sorry, I got carried away with myself.
The book is not a collection of his articles. Rather, what he has done is transcribe small sections of his interviews providing a different insight into the interviewees. In putting the book together this way, he also shows a little something about his technique.
You can see from the way the interviews go that Strauss is not necessarily following a formula, not following a list of questions. Rather, he is engaging people in conversation. And, from that conversation he is getting to the truth he is trying to find.
Which leads to the tip.
Don’t follow a formula. Don’t follow a set of questions. Don’t read to the interviewee. Rather, engage the person in a conversation. You are still in charge of the interview, so you must know what you want to ask and ensure the discussion goes that way. But by having a conversation rather than an interview, you will usually learn more than you knew was out there.
(And one other tip – don’t forget to take notes. But that’s part of another story.)

Understanding Reputational Risk: Identify, Measure, and Mitigate the Risk

Filed under: Article — Teguh @ 5:46 am

Source : http://www.philadelphiafed.org/bank-resources/publications/src-insights/2007/fourth-quarter/q4si1_07.cfm

by William J. Brown, Enforcement Specialist

While building and maintaining a solid reputation is important for all types of organizations, it is especially important for financial institutions. It could be argued that protecting a financial institution’s reputation is the most significant risk management challenge that boards of directors face today.

Last month, in the midst of the global credit crisis partly caused by the U.S. subprime mortgage meltdown, Northern Rock, Britain’s fifth largest mortgage lender, had to be bailed out by the British central bank, the Bank of England. The institution began as a small local lender in early 2001, but grew excessively in 2005 and through early 2007, primarily by relying on wholesale markets rather than retail deposits. Northern Rock bundled its loans together and packaged them into bonds that it sold to investors around the world; however, as liquidity dried up this past summer in the U.S. and across the globe, it spelled disaster for Northern Rock. When news leaked out that Northern Rock had approached the Bank of England to obtain emergency funding, customers reportedly withdrew £2 billion in one day. Britain’s first bank run in 140 years occurred despite the bank’s solvency, the nation’s strong economy, low interest rates, and low inflation. Northern Rock became a victim of reputational risk.

Reputational risk is regarded as the greatest threat to a company’s market value, according to a study by PricewaterhouseCoopers and the Economist Intelligence Unit.1 Reputational risk also overtook credit risk last year as the most pressing issue facing bank audit committees, according to an annual survey released on February 27, 2007, by Ernst & Young, one of the Big Four accounting firms.2 This article will discuss reputational risk, its implications for financial institutions, and how bank supervisors assess management’s ability to measure and monitor the risk.

What is Reputational Risk?
The Federal Reserve System’s Commercial Bank Examination Manual defines reputational risk as “the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions.”3 Reputational risk is one of the Federal Reserve System’s categories of safety and soundness and fiduciary risk (credit, market, liquidity, operational, legal, and reputational) and one of three categories of compliance risk (operational, legal, and reputational). While it is a defined risk, reputational risk is often difficult to identify and quantify.

Interpreting Reputational Risk
Assessing reputational risk is not an objective process, but rather it is a subjective assessment that could reflect a number of different factors. “Reputational risk is the starting point of all risks…if you have no reputation, you have no business.”4 Reputation can be interpreted as a market or public perception of management and the financial stability of an institution by its major stakeholders. Stakeholders can include its customers, shareholders, and the board of directors. The media could also have a perception, either good or bad, of an organization.

Reputation is, and could be perceived as, an intangible asset, synonymous with goodwill, but it is more difficult to measure and quantify. Consistently strong earnings, a trustworthy board of directors and senior management, loyal and content branch employees, and a strong customer base are just a few examples of positive factors that contribute to a bank’s good reputation.

The rewards can be great for an institution that has an excellent reputation. Establishing a strong reputation provides a competitive advantage over an organization’s counterparts. A good reputation strengthens a company’s market position and increases shareholder value. It can even help attract top talent and assist in employee retention. In short, reputation is a prized asset, but it is one of the most difficult to protect.

How Can Reputation Be Tarnished?
Just as reputation can be built and preserved over time, it can also be destroyed quickly. We are all too familiar with the scandals that affected financial institutions such as Riggs, Bank of New York, and PNC. These organizations maintained a strong corporate and public image, but their brand values were eroded due to well-publicized missteps. And, as mentioned earlier, Northern Rock’s franchise value tumbled as its share price plummeted by 50 percent over a few days in the midst of a global credit crisis.

In the banking industry, a reputable financial institution may encounter various issues that could significantly harm or even destroy its brand name in a short period of time. For example, noncompliance with and violations of laws could lead to issuance of civil money penalties and/or formal enforcement actions, which would be published in the local or national media and could ultimately tarnish the institution’s image.

The public can also mistakenly interpret certain data, affecting its view of an institution. For example, in the compliance area, an institution’s HMDA (Home Mortgage Disclosure Act) data and CRA (Community Reinvestment Act) ratings are publicly available on the Internet. Also, interpretation of an institution’s lending practices can be gleaned from its HMDA data, while an institution’s CRA rating (outstanding, satisfactory, needs to improve, and substantial noncompliance) can be easily obtained online.

Data security breaches in the bank’s computer system, which houses sensitive financial data of hundreds of thousands of customers, or an unethical board member who leaks confidential information to a family member just days prior to a major announcement of a company acquisition are examples of events that could have an adverse effect on a bank’s reputation.

BSA-related reputational risks remain high: How would the public and the markets react to a financial institution that is found to be a haven for terrorist financing or is laundering millions of dollars from illegal activities?

Other factors like bad customer service or costly lawsuits and litigation could all bring an organization’s reputation spiraling downward. So, how can a financial institution prevent its reputation from being damaged or tainted?

Mitigating and Managing Reputational Risk 
Preserving a strong reputation revolves around effectively communicating and building solid relationships. Communication between a bank and its stakeholders can be the foundation for a strong reputation. Timely and accurate financial reports, informative newsletters, and excellent customer service are important tools for reinforcing a bank’s credibility and obtaining the trust of its stakeholders.

Reputational risk is managed through strong corporate governance. Setting a tone of strong corporate governance starts at the top; an institution’s board of directors and senior management should actively support reputational risk awareness by demanding accurate and timely management information.

How should a bank’s reputational risk be managed internally? The following are just a few examples of key elements for managing reputational risk:

  • Maintaining timely and efficient communications among shareholders, customers, boards of directors, and employees
  • Establishing strong enterprise risk management policies and procedures throughout the organization, including an effective anti-fraud program
  • Reinforcing a risk management culture by creating awareness at all staff levels
  • Instilling ethics throughout the organization by enforcing a code of conduct for the board, management, and staff
  • Developing a comprehensive system of internal controls and practices, including those related to computer systems and transactional websites
  • Complying with current laws and regulations and enforcing existing policies and procedures
  • Implementing independent testing and transactional testing on a regular basis
  • Responding promptly and accurately to bank regulators, oversight professionals (such as internal and external auditors), and law enforcement
  • Establishing a crisis management team in the event there is a significant action that may trigger a negative impact on the organization

Assessing and Evaluating Reputational Risk 
One of the more difficult tasks for examiners is to determine how to assess a financial institution’s reputational risk. Examiners complete a risk matrix when conducting full-scope examinations for community and noncomplex institutions. To arrive at a composite risk rating for one of the risk areas, the following criteria are used when assessing risk:5

  • Level of inherent risk: high, moderate, or low
  • Adequacy of risk management: strong, acceptable, or weak
  • Trend or direction of risk: decreasing, stable, or increasing

Many items and areas are considered when assessing the risk rating criteria. For reputational risk, prior to conducting an examination, examiners may review corporate press releases, letters to shareholders, stock message boards, and stock analyst comments to gain an initial indication of reputational risk. Examiners may also consider whether an institution responds to the customer concerns; whether the stock analyst recommends buying or selling and why; and what the shareholders, employees, or general public are saying about the institution.

Examiners analyze the financial statements, review marketing plans and advertising campaigns, and consider whether the institution is growing excessively and what types of risky products and services it is providing, if any. They also consider whether the institution is expanding outside its normal geographical area and is supportive of the community.

While on-site, examiners will talk to both bank employees and management to get a sense for items like corporate ethics, will talk to Human Resources to determine whether a consistent message on the importance of ethics is being conveyed throughout the organization, and will consider whether the institution’s risk management practices are strong and commensurate with the size and complexity of the institution. Examiners will assess whether an institution’s expertise is adequate and controls are in place to oversee growth if the institution should engage in riskier products or enter into new business lines.

In addition, examiners will determine whether there are violations of consumer law. For example, is the institution involved in unfair or deceptive practices, such as charging excessive interest rates on credit cards, or are there situations where the institution is overcharging its customers for accrued interest on loans? Reimbursing consumers for these charges could be embarrassing and tarnish an institution’s reputation. Excessive violations could result in class action suits, civil money penalties, or other regulatory actions. There is also a stigma attached to institutions involved with payday lending, even though that type of lending is not illegal.

In the information technology area, where reputational risk and operational risk go hand in hand, examiners measure board and management oversight from the top down. Is oversight adequate? Are policies and procedures tailored to the institution, rather than boiler-plate? Are there adequate internal controls? Lax oversight and controls leave an institution open to security breaches and employee theft, which again could result in unfavorable media attention and may damage the institution’s brand name and reduce the public’s confidence in the institution.

Conclusion
Building a financial institution’s reputation may take years, but it certainly can be damaged or even destroyed very quickly. Reputational risk exists in a combination of factors that financial institutions face every day. Boards of directors and senior management are responsible for measuring and monitoring reputational risk and therefore must remain vigilant and active in providing the safeguards to prevent loss of reputation. Assessing and managing the risk effectively and properly is one of the keys to a financial institution’s continued viability and success.

Case Study: SunTrust Banks
In 2004, SunTrust Banks, a $180 billion financial institution headquartered in Atlanta, disclosed that due to an accounting oversight, it had to restate its corporate earnings. Because of accounting errors, the bank had overbooked the allowance for loan and lease losses, and therefore underreported earnings, for the first two quarters of 2004 by approximately $22 million. This led to a delay in the release of its third-quarter earnings statement.

Within hours, SunTrust issued a press release announcing the accounting irregularities. The release stated that its audit committee, with the assistance of an independent law firm, would begin a review and initiate lines of communication with independent auditors about the errors. In short, the institution addressed the issue immediately, communicating openly with the public and its customers.

Shortly thereafter, market analysts issued their comments concerning SunTrust’s press release. One analyst stated that, “It creates a black eye regarding SunTrust’s reputation, especially since the firm had a similar problem in late 1998.”6

Within a month of the press release, the audit committee panel determined that the errors in the loan-loss data related to the auto loan portfolio were higher by approximately $25 million. Loan loss calculation errors and false draft meeting minutes were also uncovered. As a result, three credit administration division members, including the top credit officer, were fired, and a controller was assigned to another division.

Less than two months later, the SEC launched a formal probe of SunTrust’s accounting deficiencies and issued subpoenas seeking documents related to the bank’s accounting procedures. By the summer of 2006, however, SunTrust was notified by the SEC that its inquiry ended with no enforcement action recommended.

Though this newsworthy event cast a negative light on SunTrust’s reputation, overall it did not hurt the organization’s franchise value. Initially, the market and public perception were critical of the accounting issue, and SunTrust’s shares fell 1.12% (less than $1, to $69 per share); however, because the organization’s board and senior management were proactive in addressing the issue quickly, the stock price loss (and financial statement gain, in this case) was manageable, and reputational risk was controlled.

IA Frequently Asked Questions

Filed under: Uncategorized — Teguh @ 5:41 am

Source : http://internalaudit.buffalo.edu/faq.cfm

HOW DO I KNOW IF I WILL BE AUDITED?

Our annual audit plan is distributed to the Vice Presidents and the Provost. With the exception of audits that require no prior notification to be effective, such as cash counts or payroll distributions, the units responsible for the audits listed in this plan are contacted prior to the start of the audit. An entrance conference is held to discuss the audit and address any concerns management may have.

However, it is not unusual for the plan to be revised during the year to accommodate special requests that need immediate attention. When this happens, audits may be delayed until the next fiscal year and would appear in the subsequent year’s audit plan.


HOW LONG WILL THE AUDIT TAKE?

Audits may last from several days to several months and will vary in length depending on an area’s size, complexity, and the specific audit objectives. Not all the time devoted to the audit will be evident to you because of the amount of preparation, analysis, and related work needed to document the effort. The auditor assigned to your unit will give you an estimate of the time needed to complete the audit at the entrance conference.


CAN I ASK INTERNAL AUDIT FOR ASSISTANCE WHEN I’M NOT BEING AUDITED?

Yes, while our department’s mission is principally accomplished through formal audits, there is no need for you to rely solely on audits to utilize the resources of our department. Internal Audit acts as an in-house consultant on internal control matters, and will be happy to provide you with information and suggestions on controls in specific areas.


ARE AUDITORS LOOKING FOR FRAUD WHEN PERFORMING AUDITS?

Auditors are not specifically searching for the existence of fraud when performing audits. We are more concerned with ensuring that adequate systems of internal control exist to reduce the risk of fraud. In situations where internal controls are weak, our testing is designed to determine if indications of fraud exist.


WHAT SHOULD I DO IF I SUSPECT SOMEONE IS INVOLVED IN SOMETHING ILLEGAL?

If you suspect fraud or other questionable acts in your department, contact your supervisor, the Controller, or the Director of Internal Audit immediately. Do not try to question anyone or otherwise investigate the matter yourself.


WHAT ARE INTERNAL CONTROLS?

Internal controls encompass a unit’s entire set of methods and procedures that are used in the day-to-day activities of the unit. These methods and procedures safeguard the unit’s assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed policies. Effective internal control systems are designed to ensure that resource use is consistent with laws, regulations, and policies and that resources are safeguarded against waste, loss, and misuse.


ARE INTERNAL AUDITORS RESPONSIBLE FOR MAINTAINING THE UNIVERSITY’S SYSTEMS OF INTERNAL CONTROLS?

No. University management is responsible for maintaining an adequate system of internal control. Internal Audit independently evaluates the adequacy of existing internal control systems by analyzing and testing controls, and makes recommendations to improve controls based on this analysis.


WHO AUDITS THE AUDITORS?

The Institute of Internal Auditors suggests that an external review be performed of Internal Audit Department operations at least once every five years. These reviews must be performed by qualified individuals who are independent of the University, usually an independent public accounting firm. The Office of the New York State Comptroller will also periodically audit the operations of the State’s Internal Audit units. These audits cover compliance with professional standards, independence and objectivity, audit coverage and documentation, and staff training.

In addition to this external review, the University’s Internal Audit Department periodically completes a formal self-evaluation of its operations using a program developed by the Institute of Internal Auditors. As part of this self-evaluation program, we may ask individuals who have recently been audited to comment on Internal Audit’s performance during the process. This feedback has been very beneficial to us, and has led to changes in our procedures.


WHAT IS THE RELATIONSHIP BETWEEN THE INTERNAL AUDITORS AND EXTERNAL AUDITORS WHO AUDIT THE UNIVERSITY?

The University is visited by several external auditors during any given year, including independent certified public accounting firms, the Office of the New York State Comptroller, and SUNY System Administration auditors. The University’s Internal Audit Department may work with these auditors by arranging interviews with University staff, coordinating access to the records the external auditors may require, and allowing them to review relevant work of our Department. The primary purpose of this is to expedite the external auditors’ stay at the University.

We also consider one of our primary objectives to be protecting the University from criticism by external auditors. Our audit plans try to anticipate areas that external auditors will review so that we can look at them first and resolve any problems internally. We think it is preferable for auditors from our staff to work with you to improve University operations rather than external auditors issuing reports of our operations that go to newspapers, politicians, and other State and Federal agencies.


WHAT IF I HAVE MORE QUESTIONS?

Please feel free to call or write the Director, or any staff member at any time. We are located on the South Campus, room 148 Parker Hall.
