Listen on Apple Podcasts, Spotify and YouTube
Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Dr. Damion McIntosh, Professor of Practice Finance in the Harbert College of Business at Auburn University. Dr. McIntosh is also a banking supervision advisor with the International Monetary Fund (IMF).
Dr. McIntosh formerly worked at the Central Bank of Jamaica and brings an international perspective to his work. His experience in different areas of the financial system both in the US and abroad gives him unique insights on regulation. We discuss how best to uphold audit and assurance standards in a constantly changing economic environment, the relationship between internal auditors and their clients and what being a marathon runner taught him about managing risk.
NOTE: Next week we will share Part II of the AccelPro Audit conversation with Dr. Damion McIntosh.
Listen on Apple Podcasts, Spotify and YouTube
Interview References:
Damion McIntosh’s Auburn University profile.
13:42 | Financial Stability Oversight Council. U.S. Department of the Treasury.
13:45 | Dodd-Frank Wall Street Reform and Consumer Protection Act, H.R. 4173 Public Law No. 111-203, (2010).
TRANSCRIPT
I. ASSURANCE STANDARDS AND INTERNAL AUDIT FRAMEWORK
Alizah Salario, Host: I want to start by talking about significant regulations in the financial industry. Is it fair to say that historically, auditors have assigned lower control risks for financial institutions than non-financial institutions?
Damion McIntosh: “Fair” is just such an explosive word to use in that context. That's fine. But in my experience with auditors, they have their own internal standards that they do need to meet. Oftentimes, especially within the audit framework, these standards are global standards, sometimes specifically established by the IASB. So I don't necessarily believe that to be the case. There are different degrees of regulation. For that reason, I recognize that there may be instances where the auditors will rely on some of the work that regulators have done, but it doesn't necessarily influence or affect the degree of control that they actually do have.
AS: Backing up, I think it would be helpful if you distinguish between the different motivations between regulators and auditors, specifically when we're talking about financial institutions.
DM: Absolutely. The work that auditors do almost appears within a box. And I mean that in the most positive way. That box is the set of audit standards that auditors are required to comply with in doing their work. And so they operate within that framework, and that box is also strengthened by the scope of the audit that they intend to engage in. And of course, that scope oftentimes is pre-agreed upon with a client — what they specifically intend to cover, what the likely audit output is. Again, that operates within a specific set of boundaries, so to speak. Regulation and supervision does not find itself in those particular confines.
Previously, it did, because regulation operated more on a compliance-based set of activities, where bank examiners review the operations of financial institutions to test whether or not they complied with relevant laws, rules, or whatever regulation is in place. And what we realized is that there were significant weaknesses within that because then again, we were placed in this boundary or this box.
There are weaknesses that financial institutions may exhibit that were not previously captured in law. When we review their framework, we wouldn't necessarily review those specific activities or those specific motivations. And so we've moved beyond this compliance-based perspective of regulation and supervision to more in the scope of, what are the risks that financial institutions exhibit? Do they have an effective risk management framework in place to manage those particular risks, and minimize the detriment it will likely have to depositors and on social systems and on economic systems? So our motivations are a little bit different in that respect.
AS: You touched on my next question, which is about risk management. I want to specifically focus on the past year of bank turmoil, and the questions that arose as to whether financial statements were sufficient when it comes to audits.
DM: One of the things that's very interesting when we consider risk management is a focus on the future. When you think of the perspective of auditors and what it is that they do, especially when they audit financial statements, they're reviewing historical information, and what the likelihood is that the historical events will question the accuracy of reporting, so to speak, of financial information.
Again, confined within what the accounting or financial reporting standards require, and they perform their work in accordance with audit and assurance standards. So their business, in performing those tasks, if they do see weaknesses in the risk management framework, that will question the accuracy or the likelihood of misstatements in the financial statements. Then they do have, again, an audit obligation to report that, either in the management letter or through discussions with the management of financial institutions. But their role is so different that their reporting or their audit is not necessarily to identify these weaknesses, to determine, ‘Well, how could it have a contagion or an adverse effect on the financial system or, an economic system, or on social conditions.’
Their motivation and scope is principally to their clients, and not necessarily to the wider audience, to which regulators are more accountable.
—
II. ACCOUNTABILITY AND AUDITOR INDEPENDENCE
AS: On that note, let’s dig into auditor independence. Auditors are required to challenge their management's assumptions, and they're supposed to avoid downplaying risks or red flags that should be included in the company's disclosures. What are some of the ways to foster auditor independence, especially in light of the events of the past year?
DM: That’s a twofold answer. First of all, strengthening the necessary audit and assurance standards that are in place that govern how auditors engage in their audit responsibilities and audit tasks, and being held accountable to that. One of the great things about the professional opportunities such as peer review (outside of the relationship of an auditor with a client) is that you have an independent set of individuals that review whether or not the work that auditors do is compliant with ethical standards, and the level of expertise and technical capacity that is required of audit and assurance standards.
That’s one aspect, but that is general to the audit profession. Let's speak specifically to financial institutions. I know that several countries have embedded within their framework that their regulators have the legal responsibility, or mandate, to approve auditors who audit financial institutions. It gives certain powers to regulators, who are independent of the relationship between the auditor and the client.
In the event that the regulators believe that either the competence or impairment of independence between the auditor and client — if either those things become questionable — then the regulators have legal authority to remove the external auditor from providing that audit of the financial institution client. Or even worse, de-list the auditor, so to speak, so that the auditor can never audit any financial institution client because of the degree of incompetence, or lack of expertise, or just plain unethical behavior. So that also adds another level of defense, or accountability, for the audit profession of financial institutions.
AS: Do you think that we'd ever see that level of accountability here in the U.S.?
DM: I'm going to say no for a couple of reasons. I'm not quite sure that the audit profession in the United States is ready for that, nor am I sure that the regulators want to take on this additional burdensome responsibility. Because what that also would mean is that they’d have to have the expertise to evaluate the quality of work of external auditors, and be able to justify any disapproval of certain auditors from financial institutions. They would need to take on that responsibility, and I'm not quite sure the market is ready for that degree of intense accountability just yet.
AS: Is there anything else in terms of accountability that we might see here in the U.S.? For example, operations or enforcement, penalties or specific controls that could be adjusted. For people who are working in the field and want to improve their practice, what would greater independence look like?
DM: The best opportunity to ensure independence within the framework is going to be self-regulation and self-control within the audit profession, monitoring themselves and holding themselves accountable. I mentioned previously the peer review process, amd I am also familiar with partner rotations that can occur from time to time. So it would have to be more internal standards within the profession, not necessarily within the audit firm, but within the profession, to standardize the application of independence between auditor and client, and that central body or that self-regulatory body would also need to have the opportunity to enforce those specific set standards, whether it requires de-listing, de-licensing, or whatever sort of enforcement that can be applied against some of these auditors.
You're going to realize that in some instances, monetary penalties are not enough. There has to be more severe consequences on the audit profession, because they represent a significant line of defense in the corporate governance of financial institutions. They play a critical role in terms of the financial reporting to users of financial statements, and what their assurance gives to the market about the future prospects of the financial institution, be it financially or operationally.
AS: So there's really a macroeconomic impact.
DM: Yes, absolutely. I'm glad you mentioned that because that further supports the motivation of regulators that are separate from the auditors themselves. In the majority of countries, and also in the United States, regulators have the awesome responsibility of [helping to ensure] financial stability. When you think of the Financial Stability Oversight Council (FSOC) that was created by the Dodd-Frank Act in 2010, that was one of the main reasons why it was created. There was no specific central body pulling this macro financial stability element together, to have that bird's eye view of what the entire financial system is doing. And so what that body does is almost like self-regulation within regulation. The FSOC is headed by the U.S. Treasury Secretary. So within that forum, you have bank regulators, credit union regulators, insurance regulators — all are held accountable for the financial stability of the entire financial system.
So if we pivot to the audit profession, that accountability is necessary to ensure that auditors dispense their responsibilities, but not just within the confines, as I mentioned earlier, of specific sets of audit standards or the audit scope. If I were to suggest anything else, maybe it moves beyond the careers of what auditors are supposed to do. Maybe we're asking them to move beyond the set of audit and assurance standards and the scope that they have been contracted to do. Then again, in their relationship, their responsibility is oftentimes to the client in a bigger scenario. Regulators’ accountability is to the entire country’s financial system, economic systems, etcetera.
AS: What I hear you saying is that there's tension between these various stakeholders that the auditor is accountable to.
DM: Oh, absolutely. And in fact, in my relationship with various regulatory stakeholders, sometimes there is overlap. I will ask, ‘Do you rely on the work that external auditors do, or even internal auditors?’ And 100% of the response is they will review it, but they will still do their own work. When you think about it, the external audit profession may not necessarily have access to the work papers or the examination reports that are produced by regulators themselves. For that reason, they will do their own work. That's one of the main reasons why they won't necessarily adjust their control risk simply because the client is a regulated entity. Certainly, it gives them a degree of comfort that there's another line of defense, so to speak. But the motivations are just so different.
In fact, it's quite interesting that I was in a conversation with a couple of individuals, and someone who doesn't work in regulation refers to bank examiners as bank auditors. And our respondent was so quick that the two terms mean absolutely two different things. And the distinction is important — again, because of the motivation. Bank examiners who work with central banks or regulators around the world, as I mentioned, the work that they do is so different from the work that auditors and financial institutions do that we refer to as bank auditors.
So there are things that are hugely different because of the environment, but there are just some things that are common because the motivation of regulators around the world is the same: protect the financial system. Allow financial institutions to engage in risk, but ensure that financial institutions have a sound and effective risk management framework in place. Ensure that there are effective systems in place that protect depositors funds, and ensure that there is information and disclosure transparency to the marketplace as well.
—
III. RISK MANAGEMENT FROM A MARATHONER’S PERSPECTIVE
AS: I want to briefly pivot to your experience as a runner and the president of a track club. Do you see any parallels between running and financial regulation?
DM: Yes, and we can refer to what we talked about: risk management. That is what it really is about. When you think of the phases of an effective risk management system, the more substantial ones include being able to identify, measure, monitor, control, and report your risk exposures. It's the same thing for running.
I'm a marathon runner, and so I'm running 26.2 miles — and not even just 26.2 miles on race day. But to train the distances up to that race day involves taking risks. Monitoring myself throughout training and on race day — when should I speed up? When should I slow down? Implementing those controls as is necessary. So talk about my pace. Am I going too fast? Am I going to slow, my cadence, and ensure I have all the resources that are necessary to execute an effective race day — my hydration, my fueling, what do I eat for breakfast in the morning, what I should eat for breakfast afterwards, keeping myself healthy, the vitamins — all of that is all part of risk management, and that's where financial institutions are at right now.
So if we were to take away anything from this discussion, it is that the business model of financial institutions right now, irrespective of the activities, products, consumers, and the markets that they engage in, are centered around risk management. And when you look at the role of the regulator, it is to ensure that financial institutions have effective risk management systems. When you think of the role of the auditor within that, the role of the auditor is simply one of multiple layers of defense that financial institutions must have in place for an effective risk management system.
It's all about risk, and risk management.
NOTE: Next week we will share Part II of the AccelPro Audit conversation with Dr. Damion McIntosh.
This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on August 21, 2023.
Listen on Apple Podcasts, Spotify and YouTube
AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.
Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.
If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.
