For Release Upon Delivery
July 26, 2000

STATEMENT OF

JOHN D. HAWKE, JR.

COMPTROLLER OF THE CURRENCY

Before the

SECURITIES AND EXCHANGE COMMISSION

July 26, 2000

Introduction

Chairman Levitt and Commissioners, I appreciate the opportunity to participate in today's hearings on the Securities and Exchange Commission's proposal to revise the rules relating to auditor independence. I believe the Commission's proposed rule deserves careful consideration by all interested parties and I applaud you for this initiative.

It is indisputable that independent auditors play a critical role in maintaining public trust in our financial markets and in the integrity of corporate financial statements. Accordingly, ensuring not only the independence of external auditors, but also the appearance of independence, is vitally important for investors and other users of financial statements, including bank supervisors.

It is important to recognize, moreover, that the factors that influence independence may be extremely subtle and difficult to identify, and that the consequences of an impairment of independence may be difficult to document. In this sense, independence may really be more of a state of mind than a legal status. Thus, building safeguards for independence can present difficult challenges. In an ideal world, the external auditor should be free from any extraneous influences and motivations that might cause it to express anything less than its frank and forthright opinion.

The Commission's proposed rule would comprehensively modernize and strengthen the standards for determining independence. Most relevant to the OCC's concerns, the proposal would establish the standard that an external auditor would not be deemed independent if it provided internal audit services for an audit client or an affiliate of an audit client, subject to limited exceptions. This part of the proposal is of great importance for bank supervisors and we support its adoption.

My testimony today will focus on the importance of independent external and internal audits for the safety and soundness of the banking system, and on the role each plays in bank supervision. I will also discuss some trends we are seeing in the relationships between external auditors and national banks, and steps the OCC is taking to strengthen both the internal and external audit functions at national banks. I will conclude with some observations on the Commission's proposed rule.

Importance of Audit to Bank Safety and Soundness

An effective audit process has always been an essential component of risk management for the banking industry, and it is becoming more critical as banks expand into new products, services, and technologies. Unfortunately, history offers many examples of serious problems that could have been avoided or mitigated through effective audits. Some of these situations resulted from breakdowns in fundamental operational controls that had gone undetected by the banks' external and internal auditors.

A well-planned and well executed external audit complements the bank's internal audit function, helps to strengthen internal controls, and contributes to safe and sound operations. Such audits provide a bank's board of directors with an independent and objective view of the bank's activities. While external audits are required for all national banks having $500 million or more in total assets¹, the OCC strongly encourages smaller national banks to have external audits performed by independent public accountants. And indeed, the vast majority of these banks have established some type of external audit program.

A bank's board of directors must have unfettered access to an independent assessment of the bank's internal controls, its adherence to established policies and procedures, and its compliance with applicable laws and regulations. Therefore, a key component of any effective audit is the auditor's independence. An internal auditor must have significant standing in the organizational structure of the bank and must be able to carry out assignments with objectivity and impartiality. Similarly, an external auditor must be able to provide reasonable assurances that internal controls related to financial reporting are effective, that transactions are recorded in a timely and accurate manner, and that financial and regulatory reports are complete and fairly stated. While auditors can and should work cooperatively with bank managers, they must remain independent of the activities they audit so that they can carry out their work freely and objectively, without bias or interference. Ideally, both the internal and external auditors will report conclusions directly to the bank's board of directors or an appropriate board committee.

The OCC and other banking agencies require financial institutions' external auditors to adhere to the SEC's and American Institute of Certified Public Accountants (AICPA) rules and standards concerning the role of external accountants and their independence. Hence, the banking industry and we have considerable interest in the SEC's proposal.

Role of Auditors in Bank Supervision

OCC examiners review a bank's internal controls and audit processes during every national bank examination. To provide guidance in this area, we have issued examination procedures for evaluating internal controls, as well as internal and external audit programs. As part of these procedures, examiners are directed to assess and draw specific conclusions about the adequacy of a bank's audit and control programs. A key qualitative factor that examiners consider when assessing a bank's audit programs is the independence of the audit function.

These conclusions have an important influence on the scope of the examination work to be performed by OCC examiners. At banks with strong, independent internal and external audit programs, our examiners will often rely upon work performed by the auditors, rather than engage in direct validation and testing of bank operations. Thus, the relationship between the quality of the audit and the resources we devote to an examination is very significant. A compliance examination, for example, is an important, resource-intensive component of bank supervision. Where we do not have a high degree of confidence in the quality of the bank's internal audit function, we must devote more of our own resources to compliance examinations and our examiners will perform more direct testing and verification than they might otherwise do.

Recent Trends

We have observed a number of trends similar to those highlighted in the Commission's proposal concerning the business relationships between national banks and external auditing firms. These trends affect both the structure used to manage the bank/accounting firm relationship and the range of services the auditing firm provides.

In particular, we have seen a growing number of national banks outsource some or all of their internal audit functions to auditing firms. This practice raises concerns that bank management and examiners must carefully assess. Specifically, the bank's board of directors and senior management must understand that these arrangements do not relieve them of their responsibilities for establishing, maintaining, and operating effective and independent audit programs. Management and the board cannot allow such outsourcing arrangements to compromise the integrity or independence of either the bank's internal or external audit functions.

The possibility for inherent conflicts and impairment of auditor independence and audit integrity is greatest when a bank outsources its internal audit function to the same firm that performs the bank's external financial audit. Such arrangements introduce a number of risks, including, as the Commission has noted, questions about the independence of the external auditor, both in fact and appearance. These arrangements eliminate the normal checks and balances that can be expected to operate where the internal and external audit functions are performed independently. In addition, the combination of these functions deprives bank management and the board of having an independent review and assessment of the internal audit function performed by the entity that is likely to be best situated to do so -- the bank's external auditor.

The Commission's rulemaking proposal summarizes in a succinct and compelling way the fundamental problem presented by such outsourcing:

Since the external auditor generally will rely, at least to some extent, on the internal control system when conducting the audit of the financial statements, the auditor would be relying on its own work performed as part of the internal controls and internal audit function. In essence, by outsourcing the internal audit function, the auditor assumes a responsibility of the company and becomes part of the company's control system, as opposed to providing consulting advice. Also, there may well be a mutuality of interest where management and the external auditor become partners in creating an internal control system and share the risk of loss if that system proves to be deficient.²

OCC Responses

Currently, the OCC and the other banking agencies do not impose a blanket prohibition on a bank's outsourcing internal audit work to the same external firm that audits its financial statements, because we follow the SEC's and AICPA's current rules and standards on auditor independence. However, we discourage this practice and have imposed a number of safeguards and quality controls to address our supervisory concerns. Guidance is set forth in a 1998 Interagency Policy Statement on the Internal Audit Function and its Outsourcing³ (issued jointly by the Federal Reserve Board, Federal Deposit Insurance Corporation, Office of Thrift Supervision, and the OCC) and our handbook on Internal and External Audits.

The Interagency Policy Statement points out how the use of outside vendors for internal audit activities may affect an examiner's assessment of internal controls, and the effect such relationships may have on the independence of the external auditor. The statement references the AICPA's guidance on these issues⁴ and further states that the "federal banking agencies are concerned that outsourcing arrangements may involve activities that compromise, in fact or appearance, the independence of an external auditor." It also notes that other actions may compromise independence in addition to those in AICPA Interpretation 101-13, including:

• contributing in a decision-making capacity or otherwise actively participating (e.g., advocating positions or actions rather than merely advising) in committees, task forces, and meetings that determine the institution's strategic direction; and

• contributing in a decision-making capacity to the design, implementation, and evaluation of new products, services, internal controls or software that are significant to the institution's business activities.

The Policy Statement establishes a number of safeguards that banks should have in place for any internal audit outsourcing arrangements. These include:

• ensuring that the board of directors and senior management retain overall responsibility for having an effective system of internal controls and audit;

• assigning responsibility for the internal audit function to a member of management who is independent of business operating units, who reports directly to the bank's board of directors, and who oversees the external auditor's work and establishes the scope and frequency of the work to be performed;

• maintaining strong and open communications between the internal audit function, outsourcing vendor, and directors and senior management;

• conducting sufficient due diligence to ensure that the outsourcing vendor or external auditor has sufficient expertise to perform the contracted work; and

• having a contingency plan in place should an outsourcing arrangement be suddenly terminated in order to mitigate any significant discontinuity in audit coverage.

The OCC's Handbook on Internal and External Audit stipulates that any outsourcing arrangement should meet the following additional guidelines:

• the arrangement must maintain or enhance the quality of a bank's internal audit function and internal controls;

• key bank employees and the vendor must clearly understand the lines of communication and how the bank will address internal control or other problems noted by the external auditor or vendor;

• the board and management should perform sufficient due diligence to verify the auditor's or vendor's competence and objectivity before entering the outsourcing arrangement; and

• the arrangement must not compromise the role or independence of a vendor who also serves as the bank's external auditor.

When evaluating a national bank's external audit or any internal audit outsourcing program, OCC examiners are directed to evaluate the independence, objectivity, and competence of the external auditor. Recognizing the SEC's and AICPA's primary jurisdiction in this area, our handbook references their auditor independence rules and standards for determining whether an external auditor's independence has been impaired. Under appropriate circumstances, the OCC could refer an external auditor's possible ethics violations to the auditors' state board of accountancy, or to the SEC if involving an SEC registrant. While we have not done so to date, we also have the authority to bar an external auditor from engagements with OCC-supervised institutions.

The approach that the US banking agencies have adopted on outsourcing is fully consistent with the general principles that have been endorsed by the Accounting Task Force of the Basel Committee on Banking Supervision, on which the OCC sits.⁵ The Task Force has recognized that while outsourcing can bring significant benefits to banks, it also introduces the risk of the bank losing or having reduced control over the outsourced activity. The Task Force has cautioned that outsourcing to the same firm that provides a bank's external audit may compromise, in fact or appearance, the independence of the external auditor and it has noted that some countries prohibit such arrangements. In cases where home country rules permit the external auditor to provide this service, the Task Force has established prudential safeguards similar to those found in the Interagency Policy Statement and the OCC Handbook.

OCC Experience To Date

As I previously noted, the OCC has seen a number of cases in which national banks have outsourced internal audit to the same firm that provides their external audit. Several of these arrangements have involved larger institutions and have involved extensive planning, coordination and consultation between the bank's senior management and the auditing firms' senior partners.

While these arrangements incorporate the various safeguards outlined in the agencies' Interagency Policy Statement, and have served to improve the quality of internal audits, I have strong reservations whether even these safeguards can sufficiently address the fundamental issue of external auditor independence. The pressures and influences that may come to bear on external auditors who also are seeking to perform the internal audit function may be exceedingly subtle and may not be effectively addressed by objective safeguards. Moreover, if such pressures and influences were to lead to a less rigorous external audit, the performance of the internal audit would also undoubtedly suffer. By contrast, if the external and internal audit functions are performed independently, bank management and the board have the benefits of the checks and balances that naturally flow from two separate reviews.

Even more problematic are the outsourcing arrangements that we are seeing among smaller community banks. In many of these cases, neither the bank nor the outside auditors have the staff or resources to institute the safeguards outlined in the Interagency Policy Statement. For example, if a bank officer who is nominally in charge of the internal audit function lacks the expertise or stature within the bank to oversee the audit function effectively, or to ensure that appropriate follow-up actions are taken, internal controls may get less rigorous attention. In a few cases, we have seen a breakdown in fundamental operational controls in such situations. While we recognize that banks in some smaller communities may have a limited range of external firms to choose from, the maintenance of independence can be even more important in banks that lack the resources to manage their internal audit function effectively.

As I indicated earlier, however, banks under $500 million in size are not required to have independent external opinion audits, although a substantial number in fact do so. I would be concerned if a rigid application of a rule against outsourcing internal audit caused some smaller institutions to elect to forego independent opinion audits, in order to be able to continue outsourcing internal audit functions to the same firm they had been using for external opinion audits. This is an issue we would like to discuss further with you as your work with the proposal progresses.

These situations are indicative of a more general concern that the OCC has been voicing for some time about the adequacy of banks' control and audit programs. In 1998, in a speech before the Bank Administration Institute's National Auditing and Compliance Conference, Acting Comptroller Julie Williams cautioned banks not to compromise their internal controls in their zeal to cut costs and overhead. In that speech she noted that, similar to the BAI's own Audit Benchmarking Survey, the OCC had found that the growth in audit capabilities at banks was not keeping pace with the growth of the banks themselves. She further noted that bank managers and directors should insist that their auditors constantly probe and test the effectiveness of the bank's internal controls.

In March of this year, at the Independent Community Bankers of America's annual conference, I stressed that a vigorous independent control and audit program is essential to a bank's safety and soundness. I noted that at our examinations of community banks, examiners will be evaluating the quality of board oversight of the bank's audit programs; the adequacy of audit policies, procedures and programs; the competence and independence of the internal audit staff; and the effectiveness of outsourced internal audit arrangements, if applicable.

Despite these and other warnings, we have noted with dismay cutbacks in the size, status, independence, and proficiency of many banks' internal audit departments. As a result, I have made it one of the OCC's top priorities for this year to ensure that national banks have effective audit and internal control programs.

Concurrently with our handbook issuance, we have just sent an advisory letter to all national bank directors to underscore the importance of strong audit and internal control programs. Evaluating these programs - particularly those that involve internal audit outsourcing arrangements - will be a special emphasis in all OCC safety and soundness exams. We have also sent a letter to the chairman of the AICPA's Financial Services Expert Panel regarding the OCC's concerns about the quality of audit and internal control programs at many banks and have invited the AICPA to work cooperatively with us to address this issue. Finally, we are conducting examiner training on evaluating the audit function, including various outsourcing arrangements.

OCC Views on SEC Proposal

Given the important and evolving role that external audits and auditors play in national banks' risk management programs, I believe the SEC's review of its auditor independence rule is timely and warranted. This review is consistent with many of the discussions taking place among bank supervisors, and I applaud the Commission's efforts to address this important issue in a balanced and careful manner.

Although I am very interested in the perspectives that other participants in these hearings and commenters will bring to this discussion, I believe that the SEC's proposal attempts to strike a reasonable balance in this area. In particular, I agree with the SEC's initial views that a blanket prohibition on providing any consulting or non-audit services to financial statement audit clients may be unduly broad, given the considerable expertise that audit firms can provide their clients.

With regard to arrangements involving the outsourcing of internal audit to the external auditor, however, I believe there are serious risks both that the auditor's independence may be compromised and that banks will be deprived of the benefits that can flow from having internal and external audit functions performed independently. In light of the importance that we place on the audit functions in the conduct of our supervisory responsibilities, and given the subtlety of the pressures and influences that can come to bear in this area, I believe the Commission's proposal on outsourcing the internal audit to the external auditor is right on the mark and should be supported. We look forward to consulting with you and the other banking agencies on this subject as the Commission moves forward with this proposal.