Four Lessons Internal Auditors Can Learn From Bank Failures
In the first quarter of 2023, a few banks were in the news for the wrong reasons - bank failures. These include the 167-year-old Credit Suisse, which is Switzerland’s second largest bank. Other banks, such as Silicon Valley Bank (SVB), have also failed.
By analysing the reasons that led to the collapse of these banks, internal auditors can learn at least four valuable lessons to enhance the effectiveness of their audits.
(1) Banking is about confidence and trust.
In The Business Times published on 22 April 2023, the chief risk officer of UOB stressed that “ultimately, it is the level of trust and confidence in the bank that will ensure its long-term survival.”
As banks take deposits from customers, they must pay interest to the depositors. These are costs to the banks. Therefore, banks need to invest the money out to earn higher yields, which are the revenue. However, if depositors lack trust and confidence in the banks, they may withdraw their money. This could lead to difficulties for the banks to meet their obligations since most of the money is usually invested in loans or other revenue-earning instruments.
To illustrate, consider a bank that has collected $1,000 in fixed deposits for one year. It would then place $900 as a loan for 5 to 20 years and keep $100 as a buffer for other payments. Under normal circumstances, the bank would encourage its customers to renew their deposits after one year later to continue funding the loan. However, if a customer does not like the bank, he or she may withdraw the deposit. The bank must then entice another customer, for example by offering higher interest rates, to place a deposit with the bank. It will be challenging to find depositors if there is a widespread lack of trust and confidence in the bank. This was the key reason that caused SVB to fail.
Lesson (1): Like banks, the internal audit profession cannot survive without trust and confidence. Therefore, internal auditors cannot take them for granted.
(2) Never put majority of the eggs in one basket.
Banks need to diversify their risks in all areas. This means they should not rely too heavily on depositors with similar behaviours or grant the majority of loans to a single industry.
SVB’s depositors were mostly technology start-ups, and when the technology industry experienced a downturn, many of these start-ups were adversely affected and needed cash to continue operating. Consequently, they began withdrawing their deposits from SVB, causing a liquidity crunch as the bank lacked the funds to finance its loans.
Lesson (2): During the IIA Singapore Public Sector Internal Audit Conference 2023, it was highlighted that internal auditors should evolve from being mere “watchdogs” to “change agents”. By examining the business model and objectively assessing risk diversification, internal auditors can provide value-added advice to management.
(3) Low risk investments can lose money.
In addition to issuing loans, SVB invested mainly in low-risk treasury bills and bonds to manage their liquidity risks. These assets can generate income and can be sold in the market to fulfil depositors’ requests for withdrawals. If held to maturity, they can be redeemed at face values. As they are guaranteed by the Treasury, the credit risks are considered extremely low.
However, as many depositors withdrew their money, SVB was forced to sell their treasury bills and bonds before maturity. As interest rates increased, bond prices fell, leading to losses for SVB when they sold their low-risk assets. These losses further eroded SVB’s capital adequacy and confidence, resulting in more withdrawals and perpetuating a vicious cycle.
Lesson (3): To enhance the value of their audits, internal auditors can challenge conventional norms by asking “what if” questions to test whether their organisations are prepared to handle worst-case scenarios. This requires a thorough understanding of business risks and identification of the combinations of factors that drive these risks.
(4) Adhering to rules is essential but it may not be enough.
Regulators stipulate strict rules such as maintaining common equity tier 1 ratio and liquidity coverage ratio above certain levels. Credit Suisse maintained these ratios at levels well above those stipulated by the regulators. However, compliance with the regulations did not prevent Credit Suisse’s failure in March 2023, and they were taken over by their rival, UBS.
The Credit Suisse saga demonstrated that adhering solely to the rules and regulations is not enough to survive in the long-term. The UOB chief risk officer highlighted that risk culture and business model matter. I would add that the risk culture and business model must also instil trust and confidence in the public, market, and customers for companies to survive.
Lesson (4): Audit clients often argue that internal auditors should not raise findings against practices that are not required by policies. However, internal auditors should stand firm that they are auditing against risks, not just policies, rules and regulations. They should raise issues if the practices, or lack thereof, expose the organisations to material risks even if they are not required by policies or regulations.
As the Chinese say, crises provide opportunities for growth. By examining bank failures, internal auditors can uncover blind spots to enhance audit value.
Dr Sia Nam Chie started his career as an auditor before he moved to work in risk management, legal, compliance, and operations. He served as a Board of Governor for The Institute of Internal Auditors Singapore from 2013 to 2019, and as a member of the IIA International Internal Audit Standards Board from 2016 to 2018.
The Institute of Internal Auditors Singapore blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors Singapore and its committees and from opinions endorsed by the bloggers’ employers.
