Government regulators often rely on third-party monitors in their oversight of corporate accounting practices. Monitors impose costs, which are borne by the regulated, and create benefits, which accrue to society more generally. The scope of monitors’ activities within this trade-off has been vigorously debated as regulatory environments have evolved over time.
This article examines monitoring by external auditors in the banking industry. The key issue—what auditors accomplish in this heavily regulated environment that justifies their costs—is investigated using information from bank examination files and interviews with bank examiners.This article is based on a study conducted by the author that is accessible at the Federal Reserve Bank of St. Louis. See Dahl. Evidence provided from these sources serves to narrow the scope of what third-party monitors have been thought to accomplish in financial reporting quality.This analysis is not statistical in nature. It is partly descriptive, based on a small sample of disciplinary actions, and partly anecdotal, based on interviews with a handful of examiners from a single Federal Reserve district. Findings must be qualified accordingly.
First, I identified banks that became subject to greater oversight by auditors and supervisors. This allowed for a look at interactions between them in a dynamic context that is common in regulated industries such as banking.
External auditing requirements for banks were first mandated under the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). They were meant to address bank failures in the 1980s that were attributed, in part, to inadequate oversight of internal controls and financial accounting practices. Under FDICIA, insured depository institutions with more than $500 million in assets must prepare annual financial statements that are audited by an independent public accountant.
For banks with more than $1 billion in assets, external auditors must additionally “examine, attest to and report separately on the assertion of management concerning the effectiveness of the institution’s internal control structure and procedures for financial reporting.” Internal control is a process, established by a bank’s board of directors and management, to ensure information flows are reliable, accurate and timely.
Following this size-based distinction, audit intensity is assumed to increase when banks with assets exceeding $500 million but less than $1 billion choose to upgrade their audits to include internal controls. Audits become mandatory above the $500 million mark, but internal controls are optional; internal controls become mandatory when assets exceed $1 billion. Supervisory intensity is assumed to increase when banks are cited for violations of laws or regulations or matters requiring attention and matters requiring immediate attention in which banks must take corrective action.
Next, I developed a sample based on disciplinary actions imposed in 2017 and 2018 on 100 banks with assets between $500 million and $1 billion that changed audit status in those years—that is, from audit under internal controls to audit without internal controls or from audit without internal controls to audit with internal controls. The banks represented about 5%, per year, of all banks with assets between $500 million and $1 billion.
Of these 100 banks, I had access to 76 reviewable files. Of these, 44 added internal controls and 32 eliminated them in the year in which disciplinary actions were either imposed on the bank or removed.Actions were imposed and removed in the same year at three banks, of which two added, and one eliminated, consideration of internal controls. (See the table below.) Among the 44 banks that expanded audits to include internal controls, 36, or 82%, had disciplinary actions imposed in the same year. Of the 32 banks that dropped internal controls, 14, or 44%, had disciplinary actions removed.These percentages are understated to the extent that actions at some banks were imposed or removed late in a calendar year, thereby missing changes in audit status that may have been reported in the following year.
|Added Internal Controls||Eliminated Internal Controls|
|Added internal controls||44||Dropped internal controls||32|
|Disciplinary action imposed||36||Disciplinary action removed||14|
|- Actions involved financial reporting||3||- Actions involved financial reporting||1|
|- Actions did not involve financial reporting||33||- Actions did not involve financial reporting||13|
|Not subject to imposed disciplinary action||8||Not subject to removal of disciplinary action||18|
|SOURCE: Confidential bank examination files.|
|NOTES: Of the eight banks adding internal controls that were not subject to disciplinary action, two had an action removed. Of the 18 banks dropping internal controls that were not subject to removal of disciplinary action, one had an action imposed. Changes occurred in 2017 and 2018 at select banks with assets between $500 million and $1 billion.|
I concluded that audit intensity is linked with supervisory intensity. This is important because supervisory intensity improves financial reporting quality. It suggests that purported benefits of using external auditors are attributable, at least in part, to coincident scrutiny of supervisors exerted elsewhere. In this case, only three of the 50 disciplinary actions at banks changing audit status—the 36 banks that added and the 14 banks that eliminated consideration of internal controls—addressed financial reporting.
The Federal Reserve, in commenting on FDICIA prior to its enactment, said at least some of its required auditing procedures duplicated practices already required by regulators. The Fed was, therefore, “reluctant” to impose a costly requirement for outside audits of banks.The Federal Reserve and the Office of the Comptroller of the Currency supervise different categories of banks.
Later, in exempting smaller banks from FDICIA’s internal control requirements, the FDIC similarly noted that those requirements had “become more burdensome and costly.” Both comments are consistent with a recent survey of bankers by the Conference of State Bank Supervisors showing that more than 40% of all accounting and auditing expenses went toward regulatory compliance.
Structured interviews I conducted with a dozen bank examiners provided some support, albeit qualified, for external auditors’ influence on the quality of financial reporting. But most reported they felt otherwise. One of them said he has “not found issues with financial statement reliability for non-externally audited institutions.” Another “accepts financial [statements] as readily from a bank that’s not audited as one that is.” Another “has not found any differences in the reliability of financial statements across banks regardless of the type of audit.”
These doubts offer insight into improvements in financial reporting quality during the overlap of heightened monitoring activities by examiners and auditors. They also underscore a sensitivity of bankers to earnings management practices that examiners may perceive to be a minor concern in most circumstances but not when they occur in the context of disciplinary action.Hirtle et al. and Ghosh et al.
“When problems come up, boards of directors don’t tell management to fix things up so that auditors are happy,” one examiner said. “They tell them to fix things up so that examiners are happy.”
Examination files show that banks choosing to be audited more intensively are more likely to operate under an enhanced level of supervisory attention that seldom involves accounting practices. This raises doubts about the underlying cause of observed improvement in financial reporting quality when auditors are more intensively employed. Interviews with examiners further corroborated that auditors’ influence on financial statements is limited.
Although these findings were generated in the banking industry, they are relevant to understanding the role of third-party monitors in other regulated industries. For the biggest firms, these auditing costs can amount to millions of dollars annually; for the smallest firms, they can account for substantial portions of annual operating expenses.
This analysis is incapable of determining whether the benefits of external auditors exceed the costs involved. But it does raise questions about the value these auditors provide in ensuring the integrity of financial statements in a regulatory context. It suggests a continuing need to evaluate the extent to which requirements for third-party monitoring comply with their original objectives.