The Federal Reserve Board eagle logo links to home page

Remarks by Governor Susan Schmidt Bies
Before the Conference of State Bank Supervisors, Asheville, North Carolina
May 30, 2003

Restoring Our Confidence in Bank Controls and Financial Statements

This conference is always an important gathering, but not simply because of what we discuss over these few days. It serves as an annual reminder of the remarkable strength of the dual banking system in the United States. The diversity and flexibility of our banking system are unique. Bankers can make charter choices on the basis of their business needs and particular circumstances. Thousands of community banks coexist comfortably--indeed, thrive--alongside a much smaller number of very large regional and global institutions, regardless of charter. Our system provides a rich menu of choices to the marketplace, encouraging financial institutions to innovate and respond dynamically to the changing economic needs of depositors and borrowers. Under the dual banking system states have fostered innovations that likely would not have occurred as rapidly--if at all--had only federal regulation existed. The dual banking system also helps to safeguard against regulatory excesses.

In short, this structure has been critical in producing a banking system that is the most innovative, responsive, and flexible in the world. U.S. banks have developed those characteristics to survive in a market economy that is subject to rapid change and periodic stress. Our banking system is thus better able to finance growth and serve customer needs and has demonstrated its ability to rebound from crises that have, from time to time, devastated more rigid systems.

This conference also reminds us of the long history of close and successful cooperation among state and federal regulators that allows state-chartered banks to flourish in the marketplace while remaining safe and sound. As you know, the Federal Reserve has consistently been a strong supporter of the dual banking system, and that will continue. We understand, as you do, the importance of a safe and sound banking system to the proper functioning of the economy, and the role of effective supervision in ensuring sound banks.

Supervising these state-chartered banks is a very significant responsibility, considering the scope and vitality of these institutions. State-chartered banks continue to represent about half of the commercial banking industry by assets--$3.41 trillion, or 47.6 percent of the industry at year-end 2002. By number of institutions, roughly three-fourths of banks operate under a state charter--6,311 institutions or 75.2 percent of the industry as of December. Perhaps most significant, over the past three years the vast majority of new bank charters--once again, about three-fourths of them--have been granted by states.

We have a long history of working with the states to coordinate our supervisory programs and achieve quality results. We rely on state supervisors as equal partners to ensure consistent, effective, and high-quality supervision. Together with the Federal Deposit Insurance Corporation, we believe we have a strong relationship with the states, bolstered by our common effort to develop the supervisory protocols of the last decade and, more recently, by our work with the states and the FDIC to foster consistent examination processes and procedures.

I believe the flexibility and dynamism of our banking system contributes to the financial soundness and performance of U.S. banks. The banking industry continues to be strong and profitable despite a tepid economy and corporate governance issues. After a record year in 2002, insured commercial banks in the United States earned $24.6 billion in the first quarter of 2003--a quarterly record. Robust growth in core deposits and vibrant activity in mortgage lending have been the key forces behind recent strong earnings, which have been offset in part by weak loan demand from businesses. Aggregate nonaccrual loans and foreclosed assets remain at about 1.2 percent of loans while credit costs have declined, as first-quarter net charge-offs dropped to 0.91 percent of average loans--the lowest level since June 2001. Although all the facts are not yet in, it appears that this credit cycle hasn't tested us nearly as significantly as we have been tested in the past.

Community banks have also remained strongly profitable through this period, although over the past two years they experienced far less of a run-up in problem assets and charge-offs than their larger counterparts. The number of problem banks remains at about 120, but actual failures remain quite low, only ten in all of last year.

Corporate Governance
Based on the current condition of the industry, you might ask what's on the supervisory agenda and where should we focus our attention? Although there are a number of supervisory issues that require our attention, there are two specific areas--corporate governance and quality assurance in the audit process--where I believe we should focus some of our supervisory attention.

Over the past two years, corporate scandals have focused our attention on the deficiencies in corporate governance at major companies. The reforms of the Sarbanes-Oxley Act of 2002 focused on the need to enhance the governance, accounting, and disclosure practices at public companies, and the resulting dialogue has focused attention on the need to improve governance practices at other companies. The Securities and Exchange Commission has launched significant regulatory reforms and initiatives to address these issues, and the banking agencies have been actively involved in a dialogue with the SEC on matters of mutual interest. The focal point of this dialogue is to implement practical steps to move the corporate governance practices of public and nonpublic companies forward, particularly with regard to the adequacy of internal controls and audits. I want to focus the rest of my remarks on steps that we can take to improve the quality assurance process surrounding internal controls and audits.

Internal Controls
The essence of corporate governance is ensuring that the company is operated, at all times, in a manner that manages risk, achieves the company's stated operating objectives, and protects the best interests of the shareholders. The Internal Control-Integrated Framework of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission is the most-often-mentioned standard on internal control at banking organizations. The COSO framework defines internal control as
"a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of…:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations."
Based on this definition, it is clear that boards of directors are responsible for ensuring that their organizations' internal controls are adequate for the nature and scope of their businesses and that line management is responsible for ensuring that internal controls are functioning on a day-to-day basis. Thus, the board of directors and management need to have a quality assurance process in place for internal controls. So, how do we know that the quality assurance process surrounding the internal controls at banking organizations is working?

With respect to this quality assurance process, the Federal Reserve conducted reviews of the documentation and support for management's assessment of internal controls and the auditor's related attestations at a few problem institutions that are subject to section 112 of the Federal Deposit Insurance Corporation Improvement Act. What we found was evidence that notable deficiencies had crept into the quality of the work performed by management over time as the businesses grew and new products were added. Management became less vigilant in the internal control area because of increased performance pressures. This behavior is actually counterintuitive when dealing with internal controls. As the business grows and new products are added, that is precisely the time when management needs to ensure that adequate controls are in place to mitigate risks. We are talking to the other banking agencies about these concerns and are considering the need for more detailed guidance for management that will strengthen banks' internal control practices.

Internal Audit
Recent corporate governance events clearly demonstrate the importance of the internal audit function. While Sarbanes-Oxley does not focus on the role of the internal auditor, bank supervisors have long recognized the importance of an effective internal audit function to the control environment. With respect to the quality of internal audit, the audit committee must pave the way for quality assurance. As we indicated in a recently amended interagency policy statement on the internal audit function, the committee should provide for the utmost independence, objectivity, and professionalism of the internal audit process. The audit committee sets the tone, and our role as supervisors is to reinforce it. The goal for internal audit should be to have no internal control surprises.

To support this goal, internal audit should have an effective quality assurance process. Risk-focused audit programs should be reviewed regularly to ensure audit resources are focused on the higher-risk areas as the company grows and produces and processes change. As lower-risk areas come up for review, auditors should do enough transaction testing to be confident in their risk rating. Audit committees should receive reports on all breaks in internal controls to determine where the auditing process can be strengthened.

Before a company moves into new or higher-risk areas, the board of directors and management should receive assurances from internal audit that the tools are in place to ensure that the basics of sound governance will be adhered to. The audit committee should actively engage the internal auditor to ensure that the bank's risk assessment and control process over financial reporting are vigorous.

Many of the organizations that have seen their reputations tarnished in the past two years have simply neglected to consider emerging conflicts of interest when adding new products and lines of business. It is important to make sure that appropriate firewalls are in place before the product or activity begins. As supervisors, we can focus attention on this area and watch for signs of any internal audit deficiencies at our institutions.

The audit committee should also require the highest possible level of independence for the internal audit process and eliminate any threats to this independence, such as the tendency for some internal auditors to act as management consultants within the organization. Many of the proposed revisions to the Institute of Internal Auditors' professional standards focus on adding value by meeting the needs of management and the board. Internal auditors add value by being effective independent assessors of the quality of the internal control framework and processes. Auditors lose their independence when they perform management consulting roles for which they later will have to render an opinion. Internal audit is one of the few corporate functions that has both the ability and the responsibility to look across all of the management silos within the corporation and make sure that the system of internal controls has no gaps and that the control framework is continually reviewed to keep up with corporate strategic initiatives, reorganizations, and process changes. When an auditor becomes part of management, the independent view is lost.

External Audit
Let's turn to the topic of quality assurance in the external audit process. As supervisors, we must take steps to encourage a high standard of professionalism among auditors. In some cases, this may mean undertaking an enforcement action against an accountant. The agencies are finalizing the accountant debarment rule, which will be one more tool we can use to correct errant behavior. However, before we do that, we should look at the lessons learned from some recent audit failures.

The typical fact pattern in these failures indicates that some auditors are focusing on the form rather than the substance of transactions when making critical audit judgments. Moreover, when looking at assurance services, such as the FDICIA 112 auditor attestations, some auditors have a tendency to gloss over internal control deficiencies or simply ignore significant control deficiencies because they are "immaterial." It is not meaningful for auditors to apply a financial statement concept of materiality to an attestation engagement on internal controls. From a supervisory perspective, we would consider the existence of a series of such immaterial deficiencies to be useful information in assessing the quality of the internal and external audit process. We need to change this mindset in the auditing community.

Some of this can be done through dialogue with the American Institute of Certified Public Accountants and the Public Company Accounting Oversight Board, which we are doing. Once auditors start to routinely report known deficiencies in internal controls, we should begin to eliminate the gap between what we expect an audit or attestation engagement to include and actual services provided by auditors. However, if we continue to find significant internal control deficiencies in safety and soundness examinations that the auditor knows about but fails to disclose, because they are judged to be immaterial, then we should discuss the auditor's lack of action with the banking organization's audit committee. Furthermore, in appropriate circumstances, we may need to refer the auditor to the PCAOB or subject the auditor to sanctions under the agencies' debarment regulations if the bank is subject to FDICIA 112.

A secondary cause of the audit failures was lax professional standards. Examples in the banking area are the professional standards for attestation engagements. Currently, the standards don't require auditors to perform any independent testing of controls. Under the current standards, auditors can simply rely on the work of internal audit as the basis for issuing an attestation report on management's report on the effectiveness of internal controls. There is virtually no guidance on the criteria auditors should use to issue a qualified opinion. We have long argued that the professional standards in this area need to be more robust. In response to our criticisms and those of others, the AICPA recently proposed revisions to their professional standards to address some of these issues. However, the AICPA no longer has the authority to issue standards or to administer the quality assurance (peer review) function for audit or attestation engagements of public companies. The newly created Pubic Company Accounting Oversight Board has this authority and is just beginning to develop a framework for quality assurance. So, this may take a little time to correct. However, as supervisors, we will continue to work with the AICPA and the PCAOB to ensure that high-quality professional standards are created for public and nonpublic companies and that a robust process for ensuring audit quality is implemented.

In closing, I would like to simply encourage all of us to be vigilant about sound corporate governance and internal control processes at banking organizations. To accomplish this, we need to insist on effective attestations on internal controls by external auditors and encourage bankers to improve the quality assurance process and independence of the internal audit function. Finally, supervisors from all regulatory agencies need to continually work together to ensure a consistent, high-quality examination process throughout our banking system.

Return to topReturn to top

2003 Speeches