When I first started in the internal audit profession a mere 30+ years ago, much of our audit work was taking deep dives into areas. Huge sample selections, weeklong branch audits, and ticking and tying until our red pencils were worn to the nubs were the norm.
Since then, the game has changed, several times, in fact. Our internal audit plans are now based on risk, and our sample selections are based on controls. With ever-smaller internal audit resources, we must focus on the areas of greatest risk and look at the big picture.
Which brings us to corporate governance. Over the past couple of years, we have been having more and more conversations with several clients on examiner expectations of this topic.
The Basel Committee on Banking Supervision defines Corporate Governance as:
- A set of relationships between a company’s management, its board and its shareholders which provide the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance.
Perhaps more importantly, Basel notes the Board of Directors, “…should establish the strategies that will direct the ongoing activities” of a company, and that the Board, “…should take the lead in establishing the tone at the top.”
It’s that “tone at the top” that we have seen more and more examiners looking at, and consequently, we are doing so in our internal audits as well. To some extent we have already been doing this within each “regular” audit we perform: reviewing board-approved policies, large loans which require board approval, or policy exceptions which must be escalated to the board level. All of these show how active the Board’s involvement is.
But, what about an individual audit geared specifically to overall corporate governance? We’ve been doing more of those lately, both at the request of our clients, and sometimes urged a bit by the examiners.
For this audit, we look at the effectiveness of overall board oversight, the Financial Institution’s (FI) Enterprise Risk Management (ERM) system in place, and the adequacy of overall internal controls.
This includes steps to review how the Board performs its duties, and the approval of policies, but that’s only the start. A review of how involved the Board is in governing the FI should be undertaken, and such involvement on their part should be documented.
Documenting Board oversight of senior management is also key. While delegation of responsibilities is fine, “delegation” does not mean “discharge.”
One way to assess this is a review of minutes. Whether they are from Board meetings, or committees of which directors are a member, they can paint a picture of effective governance. While the minutes shouldn’t be dozens of pages, they should contain sufficient detail of what has been discussed at the meetings.
What comprises “sufficient detail” has been the source of several, shall we say, spirited conversations between Internal Audit and management for years. Where our clients strike that balance in the minutes varies widely. That said, the minutes should certainly note discussions in which the directors are asking questions of (or challenging) what management is presenting to them. To that end, it may not be a bad idea for management to encourage such questioning and challenging.
That can even mean dissenting opinions from Board members being recorded. Management typically does its best to avoid such situations, but dissent can be an indication of an involved Board. Including it in the minutes further documents this, and gives us in Internal Audit, and those at the regulatory level, further assurance of healthy board involvement.
I’ve mentioned management a few times so far, and review of them, at the senior or “C” level, is an important part of a Corporate Governance audit. Management should:
- Be accountable to the Board
- Establish proper tone at the top
- Consist of competent personnel
- Have clearly defined roles
Each of these four bullets is important, but so is cooperation and communication amongst management. This brings us to the dreaded Silo Syndrome. If each management team is operating in a vacuum, overall ERM will suffer. Any robust ERM program in place will have ongoing communication between all areas of the FI.
This will include ensuring each area of the FI is included in the ERM. Even if your FI doesn’t have a formal ERM program in place, discussion of the status of any major projects and/or new products should include representation across all management groups. Once again, minutes of such discussion should be properly documented.
Another part of this audit ties together both management and the Board, namely our review of board packets. While this may already be part of audits such as Loan and Deposit Operations, looking at the overall process is not a bad idea. The Board packets should contain sufficient and accurate information.
Again, what is “sufficient” is a subjective matter on the part of the FI, and as such, we’ve had a fair number of audit report comments over the years recommending additional areas which could be added to the packets.
Don’t forget the accuracy element, either. Part of our audit includes agreeing data included in board packet sections such as loans (and corresponding delinquencies), deposits, and asset/liability management back to source system figures to verify its accuracy. It’s not a bad idea for management to do the same on an ongoing basis.
Financial Institutions are only as good as those running the show. A review of Corporate Governance can go a long way in giving management and the Board additional assurance that the show is running just fine.
If you need further guidance or have any questions on this topic, we’re here to help. Please do not hesitate to reach out to our trusted experts to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.