During congressional consideration of what ultimately became the Federal Deposit Insurance Corporation Improvement Act of 1991, only an alert few focused serious attention on the section of the bill requiring new reports on internal controls.
This small section requires chief executive officers and chief financial officers to report annually on management's responsibilities for internal controls.
They must also provide their assessment of the effectiveness of these controls. The independent public accountants then attest to and report on management's assertions.
Test of Top Executives
When the proposed regulations were announced, the FDIC characterized them as a "conservative" response to this section of the bill. Today these regulations appear to be a critical test of senior management.
They create one of the first opportunities for management to demonstrate its ability to manage regulatory risk, which is on a par with credit exposure risk, interest rate risk, and technology risk.
Understanding the new regulatory environment and implementing appropriate changes is now a critical senior management responsibility.
Second Nature to Some
Bankers' reactions to the new reporting requirements vary widely. Some have already made a serious commitment to evaluating the effectiveness of their institutions' internal controls and to strengthening controls where they find weaknesses.
Well-managed institutions typically have placed a high priority on controls, and the regulatory changes merely elevate their priority a notch or two. Also, senior managements recognize the downside risk of ignoring the significance of the new requirements.
Perhaps because the final regulations and accompanying guidelines are relatively recent, many well-run institutions have not focused significant attention on the issue. But they plan to focus significant senior management attention now that the final requirements are known.
Some Will Try to Coast
At the other end of the spectrum are bankers who plan to make minimal preparation for the new requirements, or perhaps hope that their current controls will be deemed adequate with little documentation to support the "assessment" in their report.
At the close of this fiscal year, when asked to sign off on these controls, this group's typical reaction might be, "Where do I sign?" Bankers who respond casually do so at significant risk.
If a bank has enjoyed strong ratings under the regulators' Camel system, has had consistently solid Community Reinvestment Act experience, and has no other significant regulatory problems, an isolated internal control weakness (or marginally acceptable documentation supporting management's internal control evaluation) may not result in harsh regulatory treatment.
Not Good Enough
But institutions that successfully manage their regulatory risk and have earned high marks generally do not settle for marginal compliance.
If, however, a weakness in the internal controls and documentation of management's assessment is but one of a number of negatives uncovered in an examination, the result could mean a Camel 3 or 4 instead of a 1 or 2. With the much more specific regulatory treatment mandated by the '91 law, the result to the bank could include the following:
An immediate impact of a reduced Camel rating could be an increased FDIC deposit insurance assessment. Using the formula that went into effect last January, the potential assessment increase could be $60,000 for each $100 million of eligible deposits.
Price of Neglect
An institution with deposits of $500 million could suffer a $300,000 increase in premiums by neglecting its exposure to regulatory risk.
Also, a reduced Camel rating may cause the regulators to effectively downgrade the institution by one capital category.
If the bank is now considered "adequately" capitalized, this could trigger mandatory requirements for submitting a new capital plan, and could result in restrictions on growth, lending, and compensation.
There are several steps that can be taken now to prepare for these new requirements. They include:
* Consider a definition of internal controls. Considerable controversy surrounds the fundamental definition of internal controls.
The General Accounting Office, FDIC, Committee of Sponsoring Organizations of the Treadway Commission, and American Institute of Certified Public Accountants have had considerable discussion about what the definition should be. Yet the final regulations do not specify a definition to be used.
The definition of internal controls is the foundation on which management's evaluation lies, so selecting an appropriate definition early is key. The definition will affect the form of management's final report as well as its assessment of controls.
Management should weigh this decision carefully, and select a definition acceptable to all parties involved, including the audit committee, management, independent auditors, and perhaps most important, the regulators.
* Organize for the evaluation. The manner in which institutions conduct the evaluation will vary. In some cases, a department within the organization may be responsible for conducting and documenting the evaluation.
Another approach we advocate is to assemble a team with representatives from various departments, including controllers, internal audit, information systems, legal, and compliance. Whatever the choice, establishing ground rules - such as responsibilities, documentation approach, and timing - is important to a successful project.
* Develop guidelines to be used in documenting management's assessment of controls. The FDIC guidelines for section 112 of FDICIA indicate management of insured depository institutions ". . . should maintain records of its determinations and assessments [of the institution's internal control structure] until the next federal safety and soundness examination, or such later date as specified by the FDIC or appropriate federal banking agency." The importance the regulatory agencies are likely to place on documentation supporting management's assessment appears clear.
This documentation could be considered a "bridge" between much of banks' existing documentation (such as accounting manuals, codes of conduct, and flow charts) and the report signed by management.
Developing a format and approach to completing management's assessment will allow the assessment to be conducted in a more orderly fashion.
* Identify and resolve any known documentation or internal control concerns early. The final regulations require management's assessment of its controls at the end of the fiscal year, so early identification and resolution of documentation or control concerns is especially important.
In Ernst & Young's comment letter to the FDIC on the proposed regulations on section 112, we observed that "point in time" reporting is more constructive (rather than reporting weaknesses that existed during the year) because it encourages prompt correction of internal control weaknesses, rather than focusing on reporting weaknesses that have already been corrected.
* Consider other opportunities to reduce costs while improving controls. In conducting the evaluation, opportunities may be identified to simplify procedures, reduce costs, and improve already effective controls. For example, some financial institutions may find that automating certain manual controls improves both efficiency and compliance with management's policies.
Others may find that certain procedures are no longer effective or necessary (for example, because of changes in the environment) or may duplicate other procedures. If skillfully planned, the evaluation can also provide an opportunity to improve operations and efficiency.
The lack of an aggressive plan to implement these new requirements may not have immediate negative consequences. However, institutions that best manage regulatory risk will not only achieve better compliance but will also reduce the costs of compliance.
Senior management's attention to this subject could separate the winners from the rest of the pack as the competition intensifies to be recognized by the "market" as one of the best.