Audit Regulation
Introduction
Good afternoon. It is a great honor for me to have the opportunity to address the 2023 PCAOB International Institute on Audit Regulation. I’d like to thank Chair Williams for the invitation, as well as my former FDIC colleague, Saba Qamar, who now serves as the PCAOB’s Investor Advocate.
As was mentioned in the introduction, I spent a good part of my career working for Senator Sarbanes on the staff of the Senate Banking Committee. Most of what I know about public service I learned from working for Senator Sarbanes. In many ways, the Sarbanes–Oxley Act epitomized Senator Sarbanes’ approach to public policy.
In response to the financial market disruption caused by the collapse of Enron Corporation in 2001, Senator Sarbanes, who chaired the Senate Banking Committee at the time, held an unprecedented series of 10 hearings to examine every aspect of the failure and the implications for audit regulation. He then carefully developed draft legislation drawing from the hearing record and the leading experts in the field. He also worked collaboratively with his Senate colleagues to build bipartisan support for the legislation, which was reported out of the Senate Banking Committee on a 17–4 vote, with a majority of Democrats and Republicans supporting the bill. The House and the Senate unanimously approved the ultimate conference report on the bill.
The centerpiece of that legislation, of course, was the Public Company Accounting Oversight Board. The PCAOB was intended to be an independent supervisor and standard setter for the auditing industry in the United States, putting an end to the self–regulatory system that had failed public companies so badly. In its over twenty years of operation, the PCAOB has fulfilled that vision. It remains vitally important to maintaining public confidence in the integrity of financial reporting for public companies in the United States, with large implications for financial stability as well.
The Sarbanes–Oxley Act also had significant influence internationally in setting auditing standards, something I know gave Senator Sarbanes great satisfaction. It is therefore a particular honor for me to address this International Institute, established in 2007, which Senator Sarbanes also had the opportunity to address.
The timing here is opportune. As you all know, earlier this year three large regional banks failed in the United States, with large implications for the U.S. banking system. There were a number of reasons for those failures, which I would like to discuss with you this afternoon. Those failures also highlighted the role of the external auditor and in particular the going concern determination that an external auditor has to make when auditing a financial institution.
So, if I may, I would like to walk you through the causes of those three bank failures, their implications for banking regulation in the United States, and in particular the going concern auditing standard, which is currently a subject of review by the PCAOB.
The Failures of Silicon Valley Bank, Signature Bank, and First Republic Bank
On Friday, March 10, Silicon Valley Bank (SVB), with $209 billion in assets at year–end 2022, was closed by the California state banking authority, which appointed the FDIC as receiver. The events that led to its failure began on March 8, when SVB announced a $1.8 billion loss on sale of securities, and a concurrent plan to raise $2 billion in capital to shore up its balance sheet. Then on Thursday March 9, shares of SVB fell 60 percent and it experienced a run by uninsured depositors. By that evening, $42 billion in deposits had left the bank with an additional $100 billion staged to be withdrawn the next day. To put this in perspective, nearly 30 percent of deposits left the bank in a matter of hours, with another 50 percent set to leave. Of great relevance, over 90 percent of SVB’s deposits were uninsured.
When SVB failed on Friday, March 10, the FDIC initially established a Deposit Insurance National Bank (DINB), which is a self–liquidating vehicle under FDIC control.
We announced that insured depositors would have full access to their funds on the Monday after failure and that uninsured depositors would have access to a substantial portion of their funds shortly thereafter through the payment of an advance dividend. A portion of the uninsured deposits would be held back in the receivership and would experience losses depending on the losses to the Deposit Insurance Fund.1
The prospect that uninsured depositors at SVB would experience losses alarmed uninsured depositors at several other regional banks, and depositors began to withdraw funds. Signature Bank of New York in particular experienced heavy withdrawals. A contagion effect became apparent and there was clear evidence that the failure of a regional bank in which uninsured depositors faced losses could cause systemic disruption. On Sunday March 12, just two days after the failure of SVB, the New York State bank regulator closed Signature Bank and appointed the FDIC as receiver. Like SVB, Signature had experienced a run on uninsured deposits and was ultimately unable to meet its obligations, and like SVB, over 90 percent of its deposits were uninsured.
Faced with growing contagion in the system, the boards of the FDIC and Federal Reserve voted unanimously to recommend that the Secretary of the Treasury, in consultation with the President, make a systemic risk determination under the Federal Deposit Insurance Act with regard to the resolutions of SVB and Signature Bank.
The systemic risk determination enabled the FDIC to extend deposit insurance protection to all of the depositors of SVB and Signature Bank, including uninsured depositors. The FDIC as receiver chartered two bridge banks to carry this out and then started the process of finding potential buyers for the bridge banks. This process allowed for the possible sale of the entire bank to an acquirer or major pieces of it to separate buyers. A regional bank with a similar business model, New York Community Bancorp’s subsidiary, Flagstar Bank, purchased Signature a week after it was placed in receivership. Another regional bank, First Citizens Bank of North Carolina, purchased SVB after two weeks.
Although the FDIC was authorized to proceed under the systemic risk exception in these cases, it is important to recognize that both institutions were allowed to fail. Shareholders lost their investment. Unsecured creditors took losses. The boards and the most senior executives were removed. The FDIC is conducting investigations, as it is legally required to do, to hold directors, officers, and executives accountable for losses and misconduct.
Less than two months later, on May 1, 2023, First Republic Bank of California, was closed by the state regulator, and the FDIC was appointed receiver. At year–end 2022, First Republic Bank held $213 billion dollars in assets. First Republic had a nearly 70 percent reliance on uninsured deposits and was clearly impacted by the contagion effect of the previous two failures. First Republic was resolved via a purchase and assumption agreement with JPMorgan Chase Bank, which assumed all of the failed bank’s deposits and substantially all of the assets. This was done under the least–cost test and without a systemic risk exception.
Implications for Deposit Insurance and Financial Stability
The three regional bank failures earlier this year illustrated a point I have made previously2: while regional banks may not be as large, complex, and internationally active as the Global Systemically Important Banks – or G–SIBS as they are called – they pose distinct and significant challenges in resolution that can raise serious financial stability risks.
In particular, the heavy reliance of regional banks on uninsured deposits for funding has the potential to create a destabilizing contagion effect on other banks if one regional bank were to fail and uninsured depositors took losses. Contagion can, and did, spread very quickly and well beyond its original source.
The events of the spring raised questions about the role of deposit insurance in the U.S. banking system. As a step toward addressing these questions, on May 1, the FDIC released a report on “Options for Deposit Insurance Reform.” The report is a comprehensive overview of the deposit insurance system, its history and objectives, an assessment of the risks facing the system, and reform options for consideration to address those risks.
First, the report analyzes relevant trends in deposits in the U.S. In particular, uninsured deposits have trended up over time and have increased the risk of bank runs. At their peak in 2021, the proportion of uninsured deposits in the banking system was almost 47 percent, higher than at any time since 1949. Large concentrations of uninsured deposits increase the potential for bank runs and can threaten financial stability.
The report presents a fairly straightforward discussion of deposit insurance issues. Deposit insurance has two main objectives. One is to promote financial stability by making damaging bank runs less likely.
Another objective is to protect small depositors. As of year–end 2022, more than 99 percent of deposit accounts in the U.S. were under the $250,000 deposit insurance limit.
While providing these benefits, deposit insurance can also lead to moral hazard and excessive risk–taking by making depositors and bankers less likely to care about the risks that banks are taking. Concerns about moral hazard can be addressed to some extent by certain design features of the system, such as limited coverage and risk–based premiums.
However, the report highlights that the effectiveness of deposit insurance depends on how it interacts with other aspects of the banking regulatory system. Regulation and supervision play an important role in supporting the financial stability objective of deposit insurance and limiting risk–taking that may result from moral hazard.
Capital and liquidity requirements, as well as supervision of interest rate risk management, rapid growth of assets and liabilities, and uninsured deposit concentrations are important examples. The report also discusses new tools that might be considered to complement deposit insurance system reforms such as a requirement that banks maintain an amount of long–term debt to absorb losses ahead of uninsured deposits. These are all matters under review in the U.S., and in some cases action has already been taken.
It is against the backdrop of these bank failures, and the consideration of regulatory and supervisory responses, that a discussion of the role of the external auditor, activities of the audit standard setters, the responsibilities of bank management, including the going concern audit standard specifically, seems warranted.
Importance of the Independent External Audit Function
Let me begin with the external audit function. The independent external auditor plays a vital role in maintaining market confidence by imparting credence to audited financial statements. Reliable and credible financial information is foundational to the decisions of a broad range of stakeholders and contributes to stability in financial markets and the economy as a whole. Investors rely on financial statements to determine capital allocations, while creditors assess the likelihood of repayment. Counterparties frequently require assurance about financial health before entering into agreements. Reliable financial statements remain crucial to the prudential supervisory process.
The FDIC shares the PCAOB’s mission to promote a high level of audit quality.3 As mandated in Section 36 of the Federal Deposit Insurance Act and implemented through Part 363 of the FDIC Rules and Regulations, each insured depository institution in the United States with consolidated total assets of $500 million or more must have annual financial statements prepared in accordance with U.S. generally accepted accounting principles or GAAP. An independent public accountant must also audit these financial statements. As not all insured depository institutions are public companies, each audit must be performed in accordance with the American Institute of Certified Public Accountants, that is, the AICPA’s generally accepted auditing standards or the PCAOB’s auditing standards, if applicable.
For each insured depository institution with total consolidated assets of $1 billion or more, the independent public accountant must also audit and report on the effectiveness of internal controls over financial reporting. To help ensure a high level of audit quality, the FDIC’s regulation also requires the independent public accountant to have peer reviews performed in accordance with the AICPA’s Peer Review Standards and, when applicable, inspections conducted by the PCAOB.
Importance of Audit Standard Setting Authorities
Auditing standards promote the preparation of informative, accurate, and independent audit reports, which is central to the mission of the PCAOB. We also recognize the commitment of the International Auditing and Assurance Standards Board or IAASB in promoting a high level of audit quality.
Audit standard setters establish and uphold the audit framework to help ensure accurate, consistent, and reliable financial statements and auditor reports across entities and industries. They are central to maintaining high audit quality by guiding the audit profession in matters of audit planning and execution, independence and objectivity, ethics, competence, documentation, reporting, confidentiality, and quality control.
Audit standard setters also understand the need to respond to events and circumstances that necessitate the updating and expansion of standards and guidance. For example, the PCAOB has proposed changes to an auditor’s consideration of possible noncompliance with laws and regulations to take into account recent developments in corporate governance and internal control practices.4
Additionally, both the PCAOB and the IAASB have projects underway to reassess going concern audit standards.5 That is the topic I want to focus on in light of the recent bank failures.
The Going Concern Presumption
The decisions of the PCAOB and IAASB to revisit going concern standards are well–timed. The going concern presumption continues to cause frustration and confusion in the audit profession and the public more broadly.
It has also garnered much attention since the spring of this year following the widely publicized bank failures. All three of these failed banks had publicly available financial statements. Observers noted that those banks had received, only days prior, clean audit opinions with no mention of substantial doubt about the banks’ ability to continue as a going concern. This raises questions about the responsibilities of both bank management and the independent external auditor.
Management Role
Under U.S. GAAP, the continuation of an institution as a going concern is presumed as the basis for financial reporting unless and until the institution’s liquidation becomes imminent. Preparation of financial statements under this presumption is commonly referred to as the going concern basis of accounting.6
Even when liquidation is not imminent, an institution’s management must evaluate whether there are conditions that raise substantial doubt about the institution’s ability to continue as a going concern.7 Management’s evaluation considers an institution’s ability to meet its obligations as they become due within one year after the date that the financial statements are issued.8 This presumption may be called into question if conditions exist that raise substantial doubt about the institution’s ability to continue as a going concern during this period.9 Examples of such conditions or events may include negative financial trends, difficulties with financing, work stoppages, and legal proceedings.10
When conditions indicate that it is probable that an institution will be unable to meet its obligations as they become due within one year, management must evaluate whether its mitigation plans, when implemented, will alleviate substantial doubt about the institution’s ability to continue as a going concern.11 In these situations, the financial statements continue to be prepared under the going concern basis of accounting.12 However, expanded disclosures are required in the notes to the financial statements and include the conditions that gave rise to the substantial doubt, management’s evaluation of the significance of those conditions, and management’s plans to mitigate the conditions that raise substantial doubt.13
Auditor Role
The second key role in the going concern presumption is that of the external auditor, who provides reasonable assurance that the financial statements are free of material misstatement.
Under Section 10a of the Securities Exchange Act of 1934 and PCAOB audit standards,14 the auditor also has the responsibility to evaluate independently whether substantial doubt exists in the institution’s ability to continue as a going concern, for a period not to exceed one year beyond the date of the financial statements being audited . In accordance with the PCAOB’s auditing standard, the auditor’s evaluation is based on the knowledge of relevant conditions that exist at or have occurred prior to the date of the auditor’s report.
If the auditor believes substantial doubt exists, the auditor should obtain and assess management’s mitigation plans and assess the likelihood that such plans can be effectively implemented. If the auditor concludes that management’s mitigation plans adequately alleviate substantial doubt, then the auditor should consider the need for disclosure of the principal conditions initially resulting in the belief there was substantial doubt. Conversely, if the auditor concludes that substantial doubt remains, a separate explanatory paragraph is included in the audit report to reflect this conclusion. Further, if the auditor concludes that the entity’s disclosures inadequately address the substantial doubt and proposed mitigation plans, a departure from U.S. GAAP exists. This could result in a qualified or an adverse opinion.
The auditor’s role here is significant in the banking industry because the auditor could have the ability to precipitate the failure of a financial institution. To this end, open communication among the external auditor, bank management, and the banking regulators is crucial when evaluating whether substantial doubt exists in an institution’s ability to continue as a going concern.
Accounting/Auditing Differences
Complicating matters, situations exist where auditors identify and disclose substantial doubt in the audit report, while management concludes that no such doubt exists.15 Contributing to this situation is the inconsistency regarding definitions for substantial doubt in the accounting and auditing standards.
Under U.S. GAAP, substantial doubt is defined using a threshold of “probable.”16 In contrast, the PCAOB auditing standard does not define substantial doubt, resulting in an auditor applying a subjective threshold that may not align with the “probable” threshold applied by management.
Another inconsistency is the time period for the evaluation of substantial doubt. As mentioned earlier, management’s evaluation in accordance with U.S. GAAP covers one year after the date that the financial statements are issued,17 while the auditor’s evaluation in accordance with the PCAOB auditing standard covers one year beyond the date of the financial statements being audited.18
There may be an opportunity here to better align the accounting and auditing standards. Given the inconsistencies in current accounting and auditing standards, revisiting existing standards on going concern is well–timed, and the FDIC strongly supports the PCAOB review that is underway. Collaboration with federal banking regulators during this review, as the PCAOB is doing, has great value in order to be mindful of the potential consequences for bank supervision and financial stability.
Conclusion
In conclusion, the three failures of large regional banks earlier this year raise important questions for bank supervision and regulation. They also raise important questions for the role of the external auditor, bank management, and the audit standard setter.
As I indicated, the FDIC is strongly supportive of the PCAOB’s current review of the going concern audit standard. We encourage collaboration with banking regulators and attention to the inconsistencies in current accounting and auditing standards as well as the potential consequences for bank supervision.
Further, we recognize that the PCAOB is not alone in revisiting the going concern issue. The PCAOB’s project parallels the IAASB’s Exposure Draft on going concern.19 Through its participation on the Basel Committee on Banking Supervision, the FDIC has supported the IAASB’s standard setting and contributed to comments on its exposure draft. In this regard, the FDIC encourages auditors to engage with regulators internationally with regard to going concern matters.
Finally, let me once again thank the PCAOB for the opportunity to speak to you all today. The PCAOB’s role as the independent supervisor and standard setter for the audit profession is of crucial importance to the integrity of our financial markets and ultimately to their stability as well.
Thank you.
- 1
FDIC: PR-16-2023 3/10/2023. See 12 U.S.C. 1821(m). Under a Deposit Insurance National Bank structure, all insured depositors will typically have full access to their insured deposits no later than the next business day. The FDIC will pay uninsured depositors an advance dividend based on a valuation of the assets of the failed institution, and they will receive a receivership certificate for the remaining amount of their uninsured funds. As the FDIC sells the assets of the failed bank, future dividend payments may be made to uninsured depositors.
- 2
Remarks by Martin J. Gruenberg, Member, Board of Directors of the Federal Deposit Insurance Corporation on An Underappreciated Risk: The Resolution of Large Regional Banks in the United States to The Brookings Institution Center on Regulation and Markets; Washington, D.C., October 16, 2019, available at FDIC: Speeches & Testimony - 10/16/2019 and https://www.fdic.gov/news/speeches/2023/spaug1423.html#_ftn1
- 3
See PCAOB Visions and Values at https://pcaobus.org/about/mission-vision-values.
- 4
PCAOB Rulemaking Docket Matter No. 051, PCAOB Release No. 2023-003.
- 5
The IAASB released its exposure draft of International Standard on Auditing 570 in April 2023 and the comment period closed August 24, 2023.
- 6
ASC 205-40-05-01.
- 7
ASC 205-40-50-1.
- 8
ASC 205-40-50-2.
- 9
ASC-205-40-50-6.
- 10
ASC 205-40-55-2.
- 11
ASC 205-40-50-6.
- 12
ASC 205-40-05-2.
- 13
ASC 205-40-50-12 and ASC 205-40-50-13.
- 14
Section 10(a)(3) of Securities Exchange Act – P. 91-92 of https://www.govinfo.gov/content/pkg/COMPS-1885/pdf/COMPS-1885.pdf. PCAOB AS 2415 – https://pcaobus.org/oversight/standards/auditing-standards/details/AS2415.
- 15
Martin F. Baumann, PCAOB Chief Auditor and Director of Professional Standards from 2009 – 2018 https://www.youtube.com/watch?v=wci2ISd1sds at 1:29:00 – 1:31:00
- 16
While U.S. GAAP does not quantify "probable", most accounting/auditing firms seem to interpret this as a 75 percent probability.
- 17
ASC 205-40-50-2.
- 18
PCAOB Auditing Standard AS 2415.02.
- 19
Exposure Draft of proposed International Standard on Auditing (ISA) 570 (Revised 202X), Going Concern (ED-570).