When Silicon Valley Bank (SVB) closed its doors in early March, I joined many in wondering what kind of risk and control environment the bank had. I specifically wanted to know about its internal audit function. How strong was it? Did it share in any culpability?
Normally, questions like those linger unless/until they are answered in subsequent litigation proceedings or regulatory sanctions. It turns out we didn’t have to wait that long for some perspective on SVB’s internal audit.
Late last month, the Federal Reserve released a treasure trove of documents related to its supervision and regulation of SVB and SVB Financial Group (SVBFG). In releasing the documents, the Fed noted:
“These documents include supervisory material that is confidential under the Board’s regulations. Due to the exceptional nature of these events, including the failure of SVB and the extraordinary response required by the Federal Reserve, the Board has determined that release of this information is appropriate, as the substantial public interest outweighs the need to maintain the information’s confidentiality.”
On the one hand, maybe the Fed released the documents to be transparent and demonstrate due diligence in its supervision of SVB. But I can’t help but wonder if the timing and extent of the document release wasn’t a bit self-serving. I will leave it to readers to peruse the full inventory of the disclosure and to draw your own conclusion. However, thanks to the eagle eye of my friend Hal Garyn, one document in particular is worthy of review by those of us in the internal audit profession.
Included in the Fed’s release was a letter to the SVB board of directors in December 2022. The letter detailed findings of a joint target examination of SVB’s Internal Audit Program by the Federal Reserve Bank of San Francisco and the California Department of Financial Protection and Innovation (CDPFI). That letter concluded that the “SVBFG/SVB’s Internal Audit (IA) is not fully effective.” It noted that “the overall assessment was driven by material weaknesses in the risk assessment process, the process to define the IA audit universe, IA’s continuous monitoring, and audit execution.” Overall, it’s a very critical report that ranked each of those areas as “below supervisory expectations.”
As Hal and others have noted, there are important lessons from the Fed/CDPFI letter for internal audit functions in all sectors and industries. Regulator observations that stood out to me included:
Based on my experience leading external quality assessments of internal audit functions in financial services and other industries, I am guessing that a great many internal audit functions would receive feedback similar to that received by SVB’s IA function. That’s not an excuse – just an observation. And I think we all need the kind of feedback that SVB’s IA received.
The documents released by the Fed didn’t just target SVB’s internal audit function. There is ample documentation that other challenges existed within the bank. While I don’t believe the Fed unfairly targeted internal audit, I do have a few rhetorical questions:
Over the years, I have observed an interesting relationship between U.S. banks’ internal audit functions and their regulators. Bank CAEs often complain about overbearing or heavy-handed regulators and their examinations of internal audit. Bank CAEs also privately acknowledge that, without the regulators’ support, internal audit would not enjoy the same level of resources or stature within the bank.
A few years ago, a staff member of a bank regulator candidly shared with me that the regulator considered bank internal auditors to be their “boots on the ground.” I was taken aback by that strongly worded analogy and cautioned about the risks I thought it created if bank management and boards perceived internal audit merely as an extension of the regulator. After reading the Fed’s report on SVB’s IA, I smiled and thought, “I guess that, if your boots have mud on them, under the bus they go!”
I am sure my views in this blog will generate some strong reactions. I welcome your thoughts in the comments or by email at: email@example.com.