VOLUME SIXTEEN
FURTHER MATTERS ASSOCIATED WITH
THE BANK AND BANK GROUP

 

 

CHAPTER 44
REPORTS FROM THE BANK'S EXTERNAL AUDITORS
TO THE RESERVE BANK OF AUSTRALIA

 

 

TABLE OF CONTENTS

44.1 INTRODUCTION
44.1.1 THE PURPOSE OF THIS CHAPTER
44.1.2 RELEVANCE TO THE INVESTIGATION

44.2 THE RESERVE BANK'S REPORTING REQUIREMENTS

44.3 THE REPORTING BY THE STATE BANK'S EXTERNAL AUDITORS
44.3.1 INTRODUCTION
44.3.2 THE STATE BANK'S DESCRIPTION OF ITS POLICIES AND SYSTEMS
44.3.3 THE EXTERNAL AUDITOR'S FIRST REPORT: 1988
44.3.4 STATE BANK ACTION IN RESPECT OF ITS SYSTEMS
44.3.5 THE EXTERNAL AUDITOR'S REPORTS: 1989 AND 1990
44.3.6 THE ADEQUACY OF THE EXTERNAL AUDITOR'S REPORTS
44.3.7 CAUSATION

44.4 SUMMARY AND CONCLUSIONS

44.5 REPORT IN ACCORDANCE WITH TERMS OF APPOINTMENT

44.6 APPENDICES
A Prudential Statement H1
B Extracts from Auditing Guidance Release No 4
C Extract from Letter from External Auditors Regarding Reserve Bank Reporting

 

 

 

44.1 INTRODUCTION

 

44.1.1 THE PURPOSE OF THIS CHAPTER

This Chapter provides the results of my examination of the reporting by the external auditors of the State Bank to the Reserve Bank of Australia in respect of the adequacy of the State Bank's systems for monitoring and controlling its credit risk exposures.

From 1986, the Reserve Bank required the licensed banks to instruct their external auditors to provide yearly reports on the banks' credit risk management systems. The State Bank's auditors provided such reports in 1989 and 1990.

As I reported in Chapter 5 - "The Management of the Bank Group's Diversifiable Credit Risk" of my First Report, the State Bank's systems were far from adequate. In particular, I concluded that:

(a) among the matters or events which caused the financial position of the Bank and the State Bank Group as reported at February 1991, was the imprudent and excessive exposure of the Bank Group to commercial property construction and development; and

(b) one cause of that imprudent and excessive exposure was the failure of the Bank to implement any system to monitor its total exposure to commercial property.

This Chapter explains why the external auditors failed to tell the Reserve Bank about that deficiency in the State Bank's systems.

The essential background to the role of the external auditors was described in detail in Chapters 5 - "The Management of the Bank Group's Diversifiable Credit Risk" and Chapter 15 - "The Relationship with the Reserve Bank of Australia" of my First Report.

It needs to be emphasised that this Chapter is limited to the role of the external auditors in meeting their obligations under the arrangements for reporting to the Reserve Bank. The results of my examination of other aspects of the performance of the external auditors are reported in my Report, dealing with the adequacy and appropriateness of the external audits of the Bank and of Beneficial Finance.

44.1.2 RELEVANCE TO THE INVESTIGATION

Term of Appointment A(a) directs me to investigate and report on:

"... what matters and events caused the financial position of the Bank and the State Bank Group as reported by the Bank and the Treasurer in public statements on 10 February 1991."

I have examined the adequacy of the external auditors' reporting to the Reserve Bank because a failure of the external auditors to tell the Reserve Bank about the deficiencies in the State Bank's systems might have been one of the matters and events that contributed to the Bank's financial position. I have investigated the possibility that, had the Reserve Bank been made aware of those inadequacies by the external auditors, some positive action may have been taken to address them in time to reduce the losses eventually realised by the State Bank.

Again, it needs to be stressed that this Chapter is limited to the reports prepared by the external auditor for presentation to the Reserve Bank. I have not considered, in this Chapter, whether there are other reports that the external auditors did, or did not, prepare that may have been contributory causes of the Bank and Bank Group's financial position.

 

44.2 THE RESERVE BANK'S REPORTING REQUIREMENTS

 

In January 1985, the Reserve Bank described a new regime for the "Prudential Supervision of Banks", stating that:

"The Reserve Bank's system of supervision is directed towards satisfying itself that individual banks are following management practices which limit risks to prudent levels and that banks' prudential standards are being observed and kept under review to take account of changing circumstances."

The Reserve Bank required each licensed bank to describe, among other things:

(a) its prudential policies for limiting credit risk exposures to particular borrowers and particular industries; and

(b) the systems used by the bank to ensure that those policies were in fact observed in practice. Such systems would include information systems to enable the bank to measure, at any point in time, its total credit exposure to a particular borrower, or to a particular industry such as commercial property construction and development.

Apart from introducing its own inspection arrangements which the Reserve Bank determined that it would not do, the Reserve Bank's only source of information as to whether a bank's systems were being effectively used in practice was to ask the bank's management, which is hardly satisfactory. Management might be very reluctant to admit to deficiencies in the operation of its systems, or might conceivably be unaware of some deficiencies.

Accordingly, in April 1986, the Reserve Bank issued Prudential Statement H1, titled "Relationship Between Banks, their External Auditors and the Reserve Bank". The text of the Prudential Statement is provided as Appendix A to this Chapter. Shortly stated, the Prudential Statement noted that the Reserve Bank was unable to determine whether banks in fact complied with the systems that they had described to the Reserve Bank for monitoring and controlling risk. To remedy that situation, the Prudential Statement stated that the Reserve Bank would:

"... seek the external auditor's opinion as to whether a bank's internal management systems and controls are generally adequate, and specifically ... whether management systems to control exposures and limit risks outlined to the Reserve Bank are effective, and are being observed." [Emphasis added]

The Prudential Statement noted that the Reserve Bank would "consult with each bank and its external auditors about the form of reporting". Each bank was to be asked to "inform its external auditor of the Reserve Bank's requirements", and to "request the auditor to have regard for them in forming his opinions".

The State Bank sent a copy of Prudential Statement H1 to its external auditors, and on 30 April 1986 there was a meeting between representatives of the Reserve Bank, the State Bank, and the State Bank's external auditors, at which the Reserve Bank representatives explained the requirements of Prudential Statement H1. A Reserve Bank diary note of the proceedings of the meeting records that the State Bank and its external auditors were advised that:

"The Reserve Bank is looking for an opinion about Systems and Controls generally, and an explicit opinion required on the systems for limiting risk exposure in the areas of credit business, liquidity management and foreign exchange.

We will make our requirements clear in a letter to banks with a description intended to assist the external auditors - these requirements will also be included in a manual to supplement Prudential Statement H1.

State Bank representatives and external auditors agreed that the arrangements would be of primary comfort for the bank's management, and secondary comfort for the Reserve Bank." [Emphasis added]

On 6 May 1986, the Reserve Bank wrote to the State Bank to expand on their explanation of the requirements regarding the external auditor's reports.

In respect of the specific opinion required in respect of particular management systems, the letter advised:

"We look for a positive review of, and opinion about, particular systems which your bank employs to control exposures and limit risks.

For the time being, this request relates to systems in respect of credit (on and off-balance sheet), liquidity and foreign currency operations. We have written separately to you seeking written descriptions of each of these systems. Subject to our review of them, we see such descriptions as providing the basis upon which the auditors would report.

As well as seeking confirmation that the systems described to us are being observed, we would look for the auditor's opinion that they are adequately providing a means to control exposures and limit risks to the prudent levels set by management." [Emphasis added]

In respect of the general opinion required by the Reserve Bank in respect of the State Bank's internal controls, the letter stated that the Reserve Bank was seeking an "opinion whether a bank's internal management systems and controls were generally adequate". The letter continued:

"We are not seeking a thorough-going review of each of your bank's systems and controls. We would, however, like to have an expression of opinion, based on professional observation and experience, of their general adequacy. We appreciate that, in general, an auditor's review of internal controls may be limited to obtaining audit evidence and might therefore be insufficient to enable him to determine the adequacy of internal controls for management purposes. In seeking their opinion, however, we assume that your external auditors would already be generally familiar with those management systems and controls that are directed to the security of the bank's assets and operations."

In summary, the key steps involved in the arrangements for the reporting by the external auditors on the operation of a bank's risk management systems were:

(a) First, the bank would tell the Reserve Bank what its prudential policies for limiting its credit risk exposures were. The Reserve Bank would review those policies, and decide whether or not they were adequate.

(b) Second, but ideally at the same time, the bank would tell the Reserve Bank what systems it had in place to monitor and control those risks. Again, the Reserve Bank would review those systems, and decide whether or not they were adequate.

(c) Third, upon receiving instructions from the bank to do so, the external auditors would review the actual operation of those systems, and express an opinion as to whether the systems were being observed, and were adequately providing a means of monitoring and controlling exposures to within the limits set by the prudential policies.

The Reserve Bank made it clear in Prudential Statement H1 that its prudential supervision requirements would extend the scope of a bank auditor's usual statutory audit role. The auditing profession were concerned to understand, and to agree with the Reserve Bank, what that meant in practice. Accordingly, discussions were held between the auditing profession and the Reserve Bank, and in December 1987, the Australian Accounting Research Foundation released Auditing Guidance Release No 4, titled 'Audit Implications of Reserve Bank Prudential Reporting Requirements'. Relevant parts of the text of the Auditing Guidance Release are provided as Appendix B. For present purposes however, the important clause in the Auditing Guidance Release was Paragraph 41, which said:

"Auditors will ... have the written description of each system which client banks are to prepare and agree with the Reserve Bank. These descriptions will detail the major controls in the respective areas, set by management to control exposures and limit risks to the level determined by management." [Emphasis added]

 

44.3 THE REPORTING BY THE STATE BANK'S EXTERNAL AUDITORS

 

44.3.1 INTRODUCTION

To cut a long story short, the State Bank did not give the Reserve Bank a description of its system of monitoring the Bank's total exposure to particular clients or industries, for the simple reason that it did not have one to describe. As I reported in detail in Chapter 5 - "The Management of the Bank Group's Diversifiable Credit Risk" of my First Report, the Bank was unable to measure those exposures until December 1989, and then only by manually collating information from its various divisions.

The absence of any description of the system was regarded by the external auditors, consistent with the Reserve Bank's Prudential Statement H1 and Auditing Guidance Release No 4, as precluding them from expressing any opinion to the Reserve Bank in respect of the system, or lack of it. An essential first step was that the system both be described by the State Bank, and be evaluated as being adequate or inadequate by the Reserve Bank. Indeed, the State Bank's external auditors went one step further. Their view was that not only must the system be described and approved, but it must also be included in the Audit Manual prepared by the Reserve Bank to assist the external auditors in undertaking their review and report.

44.3.2 THE STATE BANK'S DESCRIPTION OF ITS POLICIES AND SYSTEMS

On 27 May 1986, the State Bank sent to the Reserve Bank what it described as being "details of our systems for controlling exposures and limiting risks in respect of our credit, liquidity and foreign exchange operations". In fact, the document contained no details whatsoever of any system, but simply described the Bank's prudential policies regarding client and industry exposures, and outlined the loan approval, review and reporting procedures of the Corporate Banking and International Banking divisions. The document stated that the Bank's policy was that its exposure to any one industry, with the exception of the public sector, housing, and broadacre farming, was not to exceed 20 per cent of the Bank's total loan portfolio.

Correspondence between the Reserve Bank and the State Bank regarding the policies and related systems continued during 1986 and 1987 until, on 5 May 1988, the State Bank sent a further, more detailed description of its prudential policies. Again, however, there was no description of the systems used to manage those risks on a Bank-wide basis. The letter stated only that the Bank's exposures were monitored using "regular industry exposure monitoring procedures".

44.3.3 THE EXTERNAL AUDITOR'S FIRST REPORT: 1988

In early 1988, the State Bank instructed its auditors, for the first time, to prepare a report for the Reserve Bank in accordance with Prudential Statement H1. In March 1988, the external auditors sent an engagement letter in respect of its proposed review of the State Bank's systems to Mr K S Matthews. An extended extract of that letter, dated 21 March 1988, is provided as Appendix C. The engagement letter said that the external auditor's first report to the Reserve Bank would cover the period 1 April 1988 to 30 June 1988, and listed the matters to be covered by the report, including the effectiveness of the Bank's systems as "outlined to the Reserve Bank" for controlling risk exposures. The letter stated, however, that the extent to which the opinion would specifically cover each Reserve Bank requirement would "be determined at a later stage when we are in a better position to appreciate all aspects of this new procedure."

The report, which was dated 28 October 1988, expressly stated that it did not address the State Bank's systems to control risk exposures to within the limits of the Bank's prudential policies, because:

"... we have been advised by the (State) Bank that the management systems to control exposures and limit risks on the Bank's credit, liquidity and foreign exchange operations have been documented by the Bank, and are currently awaiting acceptance by the Reserve Bank for inclusion in the Reference Manual."

In short, the 1988 report was no report at all. It expressly disavowed expressing any opinion in respect of the performance of the State Bank's systems, on the basis that the systems had not yet been approved by the Reserve Bank and added to the Reserve Bank's Audit Manual.

Both the Reserve Bank, and the State Bank managers, were aware that no relevant opinion had been expressed in the report. A meeting on 1 November 1988 between officers of the Reserve Bank and the State Bank discussed the report provided by the external auditors. A Reserve Bank file note of the meeting records that the Reserve Bank was:

"... somewhat surprised to see that the auditors had indicated they were unable to report on the adequacy of the bank's management systems because they were currently awaiting acceptance by the Reserve Bank for inclusion in the Auditor's Manual.

In response, Mr Copley (of the State Bank) said he understood the auditors had refrained from expressing the opinion sought on systems simply because the descriptions had not yet been included in the Manual. Mr Pearson (of the Reserve Bank) stated that such a view was both unreasonable and irrelevant - that the Manual was not designed to replace source documents but to bring relevant material together into one binder to help auditors." [Emphasis added]

The external auditors (Mr B H Edwards, Mr T J Whimpress, Mr T G Hallion and Mr M H Penniment) attended the State Bank's prudential consultation with the Reserve Bank held two weeks later, on 15 November 1988. Mr Penniment's file note of the meeting records, in relation to this issue, that:

"Our report did not comment on key systems to control exposures and limit risks, however the Bank had submitted (a description of the system) to the Reserve Bank, and the Reserve had accepted it. K Matthews had been advised of that acceptance, but this was not communicated to us.

The point was made that all correspondence to the State Bank from the Reserve bank is to supplement the Reserve Bank Manual." [Emphasis added]

44.3.4 STATE BANK ACTION IN RESPECT OF ITS SYSTEMS

It was about this time that the State Bank took the first steps toward establishing a system to monitor its risk exposures. On 19 August 1988, Mr Matthews presented a report to the State Bank's Executive Committee which stated that:

"At this time we do not have any mechanisms to accurately assess our total exposure as a Bank or a Group to any one individual, business entity, industry, region or country."

The minutes of the Executive Committee meeting held on that date record that the Committee agreed that Mr Matthews would take responsibility for the Bank's management of its risk exposures.

In October 1988, Mr Matthews reported that a Global Risk Working Group had been formed to determine the best systems approach, and that user divisions were being assisted in writing specifications for their operational and information requirements. By February 1989, development had proceeded to the stage where the broad structure of the data collection and reporting system required had been identified, and the general specifications for input requirements had been completed. A paper from Mr Matthews to the Executive Committee in February 1989 pointed out, however, that much of the information available from the Bank's various divisions and subsidiaries was either not in sufficient detail, or was not in a form that was readily available for computer processing, or both. The paper also highlighted the need to implement common classification standards throughout the Group, particularly for industry exposures, in order to produce timely and accurate reporting.

A progress report in May 1989 commented that a draft paper on common terminology, and a list of items for inclusion in an exposures database, had been circulated. The progress report also summarised the steps still to be taken:

"The task ahead is to standardize the data and provide for meaningful risk management reports. When the data standardisation exercise is completed, the next step is to review management practices and policies to ensure that not only are risks monitored comprehensively, but that early warning systems are in place to anticipate the development of unacceptable risk levels."

The report also noted current investigations into methods of recording client groups.

On 1 July 1989, the State Bank established a Group Risk Management division, headed by Mr Matthews, to develop a system to measure risk exposures on both a Bank-wide and Group-wide basis. It was not until December 1989 that the State Bank produced, for the first time, a report of its total industry exposures. The report was compiled manually. A Reserve Bank Diary Note dated January 1990 records that Mr Matthews finally advised the Reserve Bank that the State Bank's "system for measuring exposures by industry group, including property, was not yet completed but could be ready by mid-year."

44.3.5 THE EXTERNAL AUDITOR'S REPORTS: 1989 AND 1990

The external auditor's report for year ended June 1989 in respect of the Reserve Bank arrangements was sent to Mr Matthews on 13 November 1989, and Mr Matthews sent a copy to the Reserve Bank. The Report expressed favourable opinions on all matters dealt with. In relation to the State Bank's management systems to control exposures and limit risks, the report said:

"We have examined the management systems to control exposures and limit risks on the bank's credit, liquidity and foreign exchange operations as outlined by the Bank to the Reserve Bank by correspondence dated 5 May, 1988. During the year under review we carried out such tests and reviewed such procedures as we considered necessary to determine whether those systems generally were being observed and adequately provide a means to control exposures and limit risks to the prudent levels set by management. Inherent limitations in any management system and systems of internal control may mean that errors or irregularities might occur and not be detected.

Subject to these limitations, in our opinion the credit, liquidity and foreign exchange management systems were generally being observed during the year under review, and adequately provide a means to control exposures and limit risks to the prudent levels set by management." [Emphasis added]

In relation to the general statement of opinion as to the State Bank's internal management systems and controls, the Report was in precisely the same terms as the first report of a year earlier:

"Internal Control Systems

We have examined the financial statements of State Bank of South Australia ("the Bank") for the year ended 30th June, 1989 and have issued to the Bank our report thereon dated 24th August 1989. The performance of our statutory audit included a review of the Bank's system of internal control for the purpose of determining the appropriate audit procedures to enable an opinion to be expressed on the financial statements. This review is not a comprehensive review of all those systems or of the system taken as a whole and is not designed to uncover all weaknesses in those systems. We have formed the following opinion, based on our audit procedures, supplemented by our familiarity with the Bank's systems of internal control.

In our opinion, subject to the limitations expressed in the preceding paragraph, those major management systems and controls which are directed to the security of the Bank's assets and operations, are generally adequate and our examination has not disclosed any condition which we believe to be a material weakness."

The opinion expressed in the report to the Reserve Bank can be contrasted with the content of Management Letters sent by the external auditors to Mr Matthews during 1989. In a letter dated 3 May 1989, the auditors wrote, in respect of the Corporate Banking commitment register, that:

"As previously reported and now reiterated, we are concerned that there is still no reconciliation between the Corporate Banking commitment register and the Bank's F.I.S. general ledger.

As a result, it is not possible to know whether or not all commitments and direct liabilities have been recorded on the register and are therefore being effectively administered.

As was highlighted during the recent Equiticorp issue, total exposure to any one debtor was not easily and efficiently obtainable.

We believe it is imperative that the Corporate Banking Department develop and upgrade an overall report or commitment register that details total direct exposure and commitment to all debtors and that this report is reconciled and agreed to the Bank's F.I.S. general ledger on a regular basis." [Emphasis added]

Similarly, on 13 December 1989 the external auditors wrote in respect of the audit for the year ended 30 June 1989, that:

"As previously reported, there was still no reconciliation between the Corporate Banking Commitment Register and the Bank's F.I.S. general ledger as at 30 June, 1989.

We believe it is imperative that the Corporate Banking Department develop or upgrade an overall report or commitment register that details total direct exposure and commitment to all debtors and that this report is reconciled and agreed to the Bank's F.I.S. general ledger on a regular basis.

We understand that this matter is now being addressed and the commitment register upgraded to integrate with the Hogan system. We fully support this development and encourage the Bank to implement this new system at the earliest opportunity." [Emphasis added]

The external auditor's report for the year ended June 1990 was submitted to Mr K L Copley in his capacity as General Manager-Group Accounting on 28 November 1990, and forwarded to the Reserve Bank on 7 December 1990. The Report again reported favourably in all relevant areas. As to the specific management systems to control exposure and limit risks, and the general internal controls, the report was expressed in exactly the same terms as that of November 1989.

The contents of the 1990 report to the Reserve Bank can be contrasted with the contents of the Management Letter from the external auditors to Mr Copley in respect of the six month period ending December 1990. The letter, dated 18 April 1991, stated that:

"A number of matters were noted by Internal Audit during their various audits within Corporate Banking for the half year to 31st December, 1990 and we now re-iterate one point we see as being of particular significance.

It was noted by Internal Audit "that no co-ordination or adequate communication is taking place between the various sections of the Group regarding the Bank's overall security and limit of exposure in relation to customers obtaining loans from various sections of the Bank/Group.

Circumstances noted where SBSA Corporate, Retail Banking, Commercial and Private Banking Sections and Beneficial Finance are independently financing the same customers or groups with no Bank-wide/Group limit of exposure.

It was noted that various sections in the Bank are independently assessing the customers' financial position and loan repayment capabilities without taking into account his commitment on other exposures within the Bank/Group.

Due to the lack of policy in setting a limit on Bank/Group-wide exposures, no adequate control exists over the Bank's total exposure to customers. As a result the evaluation of customers' loan repayment capabilities and the Bank's security could be inaccurate." [Emphasis added]

44.3.6 THE ADEQUACY OF THE EXTERNAL AUDITOR'S REPORTS

In short, neither the 1989 or 1990 Reserve Bank reports suggested that there was any cause for concern about the State Bank's management systems to control exposures and limit risks on the Bank's credit operation, and in particular, in respect of the State Bank's industry exposure policy. The external auditors reported that the Bank was monitoring its Bank-wide industry exposures, and that the Bank was complying with its 20 per cent industry exposure policy.

On the material before the Investigation, however, the external auditors should have reported that:

(a) the Bank was not capable of monitoring Bank-wide industry exposures in an effective or efficient manner;

(b) even in the Corporate Banking division, it was not possible to know whether all corporate loans had been properly recorded in the appropriate register, known as the commitment register, and, therefore, whether all loans were being effectively administered; and

(c) there were significant doubts about whether the State Bank could measure its total exposure to any one debtor in a timely, accurate and efficient manner.

Instead, the external auditors reported to the Reserve Bank, in effect, that:

(a) they knew of, and understood, the Reserve Bank objectives;

(b) with those objectives in mind, they had examined the State Bank's credit management systems, as outlined to the Reserve Bank by letter of 5 May 1988 (in which letter the State Bank asserted that it monitors industry exposures under "regular industry exposure reporting procedures");

(c) they had tested those systems to the necessary extent;

(d) as a result of all of that, the credit management systems were, generally, being observed; and

(e) the credit management systems adequately provided a means to monitor the Bank's 20 per cent industry exposure policy.

In my opinion, the work done by the auditors was not such as to properly enable them to be satisfied that the Bank was able to effectively monitor its industry exposure policy. The only work that the external auditors point to is a review they did in August 1990 of the industry exposure of the Corporate Banking division. That review expressly did not include the property exposures of the Bank's International division, or the Retail or Commercial divisions. The exposure to property and construction of those divisions in December 1989 was in the order of $850.0M, according to the first Global Risk Management Report presented to the Board in February 1990.

On the evidence available to me, I conclude that, although the external auditors and the internal audit department did review Bank practices at a corporate customer file level, such work was not calculated to, and did not, assess whether the State Bank was complying with its industry exposure policy. Internal audit did test a number of corporate accounts. External auditors reviewed that work, did some performance testing, and did a limited amount of compliance testing of individual transactions. In summary, the external auditors and internal auditors did look at certain individual transactions in the course of their audit functions. Their review of those transactions, looked at in isolation, did not, however, warrant the drawing of the inference, by the external auditors, that the State Bank policy on industry exposure was being complied with. In other words, the scope of the work done did not include work to substantiate the opinions sought by the Reserve Bank on the adequacy and observance of the State Bank's credit management systems to monitor and control industry exposure.

In 1990 at least, the external auditors appear to have checked that the industry exposures of the Corporate Banking division were within policy limits. There is nothing before me, however, to indicate that the auditors sought to confirm that the Bank's total industry exposure complied with that policy. For the financial year ended June 1989, not even the Corporate Banking division's aggregate industry exposure appears to have been reviewed by the external auditors for Reserve Bank reporting purposes.

Indeed, on 19 February 1991, KPMG Peat Marwick reported the following "Systems Difficulties" with the Bank's "Credit Review Systems":

"The Bank's credit monitoring systems have not been highly developed and indicate the degree of fragmentation that has existed in development of systems, although progress is being made to remedy this situation. It has been possible for the commitments register to be reconciled to the general ledger since May 1990. However, much of the information included in that register is not accounting transaction based. Update of the information included in the commitments register is reliant on manual intervention by lending officers, a situation which limits the integrity of the risk information that is included in that register.

To the extent that the Bank and Group have not yet fully developed systems to grade credit risk and assess the concentration of risk in customers and/or industries, management's ability to identify the major problems that have now become apparent was hampered. An astute reader of the management information that is included in the operating review may have identified the emerging problems sooner. However, in the absence of any specific risk management strategy against which risk concentration could be monitored, the accounting systems by themselves would not have identified the major weaknesses in the Banks lending portfolio, nor identified the degree to which that portfolio was likely to be affected by a sustained down turn in economic activity." [Emphasis added].

44.3.7 CAUSATION

The final matter to be considered is whether the failure by the external auditors to describe the deficiencies in the Bank's systems in their reports in November 1989 and December 1990 was a contributing cause of the Bank's financial position as described in February 1991.

The issue of causation does not arise in respect of earlier years, simply because the external auditors did not prepare relevant reports in those years. They were not instructed by the State Bank to do so in 1986 and 1987, and in the absence of such instructions, they were under no obligation to prepare a report for use by the Reserve Bank. The external auditors were engaged to prepare such a report in 1988, but in that report they clearly stated that they expressed no opinion in respect of the critical issue of the State Bank's systems for monitoring its risk exposures. In my view they should have been asked to express an opinion, but the fact is that they were not. None of this is to say that the external auditors should not have identified the deficiencies in the State Bank's risk management systems in 1986, 1987 and 1988, and reported those deficiencies to the State Bank's Management, and, in the absence of action by Management, to its Board of Directors. This Chapter is limited to the external auditor's reporting for the purposes of the Reserve Bank's Prudential Statement H1 only.

In respect of the reports prepared for presentation to the Reserve Bank in November 1989 and December 1990, which I have concluded were manifestly incorrect, in my opinion they were not matters or events that contributed to the State Bank's financial position in February 1991, for the simple reason that, by then, the damage had already been done.

Those reports did fail to alert the Reserve Bank to the deficiencies in the State Bank's systems, and so foreclosed the possibility of the of the Reserve Bank taking action. Even if the Reserve Bank had been alerted at that late stage, however, it would have found, upon make enquiries of the State Bank's Management, that the State Bank, was aware of the deficiencies in its systems, and was actively working on remedying the situation. It had established a separate Group Risk Management division on 1 July 1989, and by December 1989 had produced, albeit manually, a reasonably accurate picture of its industry exposures. In other words, if the Reserve Bank had been alerted to the problem, its enquiries would have met with the response that adequate remedial action was under way.

I note too that the Reserve Bank was in fact told by Mr Matthews, in January 1990, that the deficiency existed, and that an adequate system might be established by mid-1990.

Finally, and perhaps most importantly, by late 1989 the excessive exposure to commercial property, in excess of the Bank's own prudential policy limit, already existed. There was little new lending for commercial property development after the end of 1989, when property values began to collapse. Any action to redress the portfolio imbalance at that stage would have had little impact on the losses eventually realised.

 

44.4 SUMMARY AND CONCLUSIONS

 

In 1986, the Reserve Bank issued Prudential Statement H1, which required banks to engage their external auditors to provide independent reports on, among other things, the effectiveness and observance of management systems to monitor and control risk.

The Reserve Bank approved the State Bank's industry exposure policy that the exposure to one industry sector would be no more than 20 per cent of the total loan portfolio. The State Bank was much less forthcoming, however, about describing its systems to monitor and control exposures to within that policy limit. It was not until 5 May 1988 that some description was provided, and even then it was hopelessly vague, the State Bank saying only that it used "regular industry exposure monitoring procedures".

Because of the general recalcitrance of the State Bank's management to comply with the Reserve Bank's prudential supervision regime, it was not until 1988 that the auditors were given instructions by the State Bank to prepare a report in accordance with Prudential Statement H1.

Even then, the report prepared in 1988 amounted to no report at all in respect of the risk exposure systems. The auditors expressly disavowed providing an opinion, because they were waiting for the Reserve Bank to give its approval to the State Bank's description of the system. As unsatisfactory as that situation was, in my opinion the blame cannot be laid at the feet of the external auditors. Both Prudential Statement H1, and Auditing Guidance Release No 4, said that the auditor's report would be based on a written description of the system that had been provided to, and approved by, the Reserve Bank.

The reports provided in 1989 and 1990 are another matter. Those reports expressed opinions regarding the adequacy of the Bank's systems that were, bluntly stated, wrong.

For example, in respect of the year ended 30 June 1989, the report stated that the State Bank's credit management systems were generally observed during the year under review, and adequately provided a means to control exposure and limit risk to the prudent levels determined by management.

That opinion was incorrect. It did not identify that one of the Bank's most important credit policies, its industry exposure policy, could not be effectively monitored, and that it was, therefore, not possible for the Bank to measure its aggregate industry exposure.

The Reserve Bank knew that the State Bank's policy was not to have credit exposures to any given industry of more than 20 per cent of its total loan portfolio. The external auditors reported, in effect, that policy was being complied with because of the adequacy of, and the observance of, effective credit management systems and controls.

The fact is that it was not possible to determine whether the Bank's exposure to commercial property was within its prudential limit. When the exposure was calculated manually in December 1989, it was found to exceed the prudential limit.

It seems to me that the external auditor's based their opinion primarily on the significant amount of experience and familiarity with the Bank's internal controls which they had amassed in the course of their statutory audit work, and not on the outcome of separate additional work done by the external auditors to satisfy themselves that the Bank's credit management systems were such as to enable managers to monitor the Bank's exposures. This was despite the fact that the Reserve Bank's publications, its verbal advice, and its correspondence, all made it plain that the Reserve Bank was looking, not for a general response, but for a specific review of, and a specific opinion about, particular Bank management systems.

The inadequacies of the systems were recognised in the bank from late in 1988. A paper presented by Mr Matthews to the Executive Committee in February 1989 reported that the timely and accurate reporting of aggregate risk exposure in the Bank was effectively impossible, because of the different classification systems in place even within the Bank.

For the reasons set out in Chapter 15 - "The Relationship with the Reserve Bank of Australia" of my First Report, the relevant State Bank officers, particularly Mr Matthews, saw fit not to volunteer the true position to the Reserve Bank. Even when the Reserve Bank raised the matter specifically, Mr Matthews responded in a way which had the effect of suppressing the extent of the inadequacies in the State Bank's credit management systems.

If the external auditors had reported in 1988, or earlier, that the State Bank did not have management systems to enable it to comply with its policies on industry exposure, the Reserve Bank would clearly have been put on notice that there was a significant management inadequacy at the State Bank. It is the fault of the Bank's management, not the auditors, that this did not happen.

As it was, the absence of any report in 1987 or 1988, followed in 1989 and 1990 by the auditor's incorrect opinion on the Banks credit management systems, seriously impeded the Reserve Bank's ability to appreciate the true extent of management shortcomings at the State Bank. By the time of the 1989 report, however, no action by the Reserve Bank could have reduced the losses that the State Bank was to realise.

 

44.5 REPORT IN ACCORDANCE WITH TERMS OF APPOINTMENT

 

I have investigated and inquired into matters relating to the involvement of the Bank's external auditors in the Bank's relationship with the Reserve Bank, as required by Term of Appointment A(a).

Having regard to the evidence to which I have referred in this Chapter and in my First Report, and for the reasons set out in this Chapter, I report that, in my opinion, the failure of the external auditors to report the deficiencies in the Bank's risk monitoring systems in 1989 and 1990 was not a matter or event which caused the financial position of the Bank and Bank Group, as reported in February 1991.

 

44.6 APPENDICES PRUDENTIAL STATEMENT H1

APPENDIX A

 

"1. The Reserve Bank has responsibilities for the protection of depositors of banks subject to the Banking Act. It also has an interest in the stability of the financial system generally.

2. Against that background, the Reserve Bank has developed a system of prudential supervision of banks. This is directed towards the Bank satisfying itself by enquiry and report that individual banks are following management practices which limit risks to prudent levels and which are kept under review and adapted to changing circumstances.

3. The information on which bank supervision in Australia operates includes:

(a) statutory returns submitted by banks;

(b) other data provided to the Reserve Bank by banks;

(c) published financial statements of banks together with reports by their external auditors;

(d) information provided by banks about their management systems to control exposures and limit risks;

(e) requirements for prudential operation of banks, as set out in various statements sent to them by the Reserve Bank.

4. At present, the Reserve Bank cannot say from its own enquiries or independent enquiries on its behalf that the data in 3(b) are reliable, that the systems in 3(d) are being followed or that the requirements in 3(e) are being observed.

5. Rather than add an extra layer of external examination in order to cover these matters, the Bank considers that it would be more efficient, and less intrusive, to build on existing arrangements and seek independent review by each bank's external auditor.

6. In proposing this there is no intention on the part of the Reserve Bank to vary or interfere with customary relationships between a bank and its external auditor. The Bank envisages that banks would commission their auditors to provide the necessary reports; that all communications between the Reserve Bank and auditors would pass through the bank concerned; and that any discussion would involve the management of the banks, the auditor and the Reserve Bank.

The Arrangements

7. In furtherance of its responsibilities for the protection of depositors, the Reserve Bank will seek the external auditor's opinion whether a bank's internal management systems and controls are generally adequate and specifically:

(a) whether the prudential standards which the Reserve Bank has set for banks are being observed. Currently these standards relate to the prime assets ratio, minimum capital ratio and open foreign exchange position;

(b) whether management systems to control exposures and limit risks outlined to the Reserve Bank by the bank are effective, and are being observed. Controls of relevance here are those which serve, inter alia, to satisfy prudential principles and requirements outlined in various statements issued to banks. Policies in relation to provisions and the valuation of assets would be of particular importance;

(c) whether statistical data (both statutory and voluntary) provided to the Reserve Bank by the bank are reliable;

(d) whether any statutory or regulatory banking requirements and conditions on the banking authority have been complied with.

8. Each bank will be asked to inform its external auditor of the Reserve Bank's requirements as outlined in various prudential statements and to request the auditor to have regard for them in forming his opinions.

9. The Reserve Bank will consult with each bank and its external auditor about the form of reporting. Banks might find it convenient to have the reporting to the Reserve Bank based on the auditor's normal report to management, supplemented as necessary to cover specific needs of the Reserve Bank.

10. The auditor will be asked to bring to the attention of the Reserve Bank, through and after discussion with the bank's management, any matters which, in the auditor's opinion, may have potential to prejudice materially the interests of depositors.

11. Three-way discussion is envisaged, ie between the bank, its external auditor and the Reserve Bank. Normally, there will be an annual meeting following completion of the statutory audit. Any party may propose a discussion at any other time.

12. The above paragraphs outline the intended arrangements as the Reserve Bank currently sees them. The Bank recognises that, to the extent that its request runs beyond the scope of the current investigations of external auditors, there could be additional costs for a bank. The Bank is, therefore, seeking to meet its needs with minimal extra costs to banks."

EXTRACTS FROM AUDITING GUIDANCE APPENDIX B

RELEASE NO 4

"AUDIT IMPLICATIONS OF RESERVE BANK PRUDENTIAL REPORTING"

"This Auditing Guidance Release has been prepared by an ad hoc Reserve Bank liaison committee on behalf of the Auditing Standards Board of the Australian Accounting Research Foundation, with the co-operation of the Reserve Bank of Australia, to assist the external auditor in reporting to their client Bank on certain matters sought by the Reserve Bank.

Proper use of this guidance release requires a thorough knowledge of Statement of Auditing Standards issued by the Australian Accounting Bodies and Statements of Auditing Practice issued by the Auditing Standards Board on behalf of the Accounting Bodies.

This publication is only a guide to assist auditors in discharging their reporting obligations in relation to the specific matters requested by the Reserve Bank of Australia. It is not intended to limit or supplant individual judgement, initiative and imagination. Programmes for each audit engagement should be designed to meet the requirements of the particular situation, giving careful consideration to the size and type of Bank and the adequacy of internal control.

1. Deregulation and the increase in international banking activity bring with them significant changes in the supervisory environment, as both regulators and financial institutions strive to maintain investor and depositor confidence. The new financing techniques and instruments spurred by deregulation - particularly off-balance sheet activities - are presenting new problems for supervisors. Those problems will become more complex as distinctions blur between financial institutions traditionally supervised by the Reserve Bank and those supervised by other regulatory agencies.

2. Increased supervision will inevitably accompany deregulation, and any changes in the legal, regulatory, and tax environments will demand more responsibility and accountability from directors and senior managers for compliance with new regulations and requirements.

3. Over the years, the accounting profession has often acted as a bridge between regulatory agencies and financial institutions, particularly when the agencies are considering a new supervisory approach to the financial community. To facilitate the introduction of these changes the accounting profession, through the Auditing Standards Board, set up an ad hoc Reserve Bank Liaison Committee. This committee helped both sides to see each other's viewpoint and to find reasonable solutions to regulatory problems.

4. Over the past year or so the Reserve Bank has been holding discussions with banks and their auditors with a view to assisting the Reserve Bank enhance prudential supervision.

5. The Reserve Bank has arranged for each bank to commission their auditors to report to the client bank on each of the items covered in their memorandum of 13 March 1986, and further explained in their letters sent to banks following the initial discussions.

6. The purpose of this Release is to offer some guidance about the issues which are likely to emerge in dealing with the Reserve Bank's (PSH1). These requests are listed in paragraph 10.

7. The Release acknowledges that auditors will have an increasing role to play in the supervisory process and identifies the work auditors may have to perform to satisfy the needs of the Reserve Bank.

8. Accordingly the liaison committee raised a number of issues with the Reserve Bank to both assist the Reserve Bank to achieve its objectives in an efficient and cost effective manner and to assist the auditor and their client bank in effectively dealing with the Reserve Bank's requirements and guidelines.

9. The Reserve Bank has requested banks to ask their auditors to express an opinion and report to the client bank on the matters raised in the Reserve Bank's (PSH1). The client bank will forward a copy of the auditor's report to the Reserve Bank.

10. The Reserve Bank has made clear, both in correspondence with banks and in discussion with the committee that they do not require either "a thorough-going review of each bank's systems and controls" or "exhaustive checking of the accuracy of the statistical data". However, they do ask the auditor to express the following opinions:

REQUEST 1

Whether, based on professional observation and experience, the bank's internal management systems and controls are generally adequate.

...

REQUEST 3

Whether the management systems to control exposures and limit risks outlined by the bank to the Reserve Bank, presently limited to:

(a) Credit operations (on- and off-balance sheet);

(b) Liquidity management; and

(c) Foreign currency operations; are:

(i) being observed by the bank; and

(ii) adequate to provide a means to control exposures and limit risks to the prudent levels set by management.

...

11. The Reserve Bank, in asking for the above opinions, is seeking an extension of the audit scope in that they are looking to the auditor to add credibility to the information supplied by a bank and in certain respects to form a view as to the conduct of a bank's operations.

12. There appears to be a need to avoid misunderstanding and to clarify what is required or can be achieved in providing the opinions requested, as outlined in paragraph 10. There is also a mutually agreed need to avoid what might result in an excessive or unwarranted amount of work which would be costly to banks.

13. The wording of the requests and the criteria under which auditors should operate also requires consideration. The requests are stated in broad terms and it will be necessary for the respective parties to understand and appreciate the practicalities and the application of professional judgement which will be involved in forming a view on the reliability and the adequacy of information during the period under review.

...

DISCUSSION OF REPORTING REQUIREMENTS

REQUEST 1 - Internal control systems

26. The Reserve Bank has asked that auditors report as to whether, based on professional observation and experience, the bank's internal management systems and controls are generally adequate.

27. The scope of an audit could be extended or varied as outlined in paragraph 22. Whilst each bank will be different, the extension of audit scope required to comply with this Request will result in cost increases.

28. We suggest that the auditor's report on the bank's system of internal control is restricted for the use of management and the Reserve Bank. This report should be based on such study and evaluation of internal controls as is made as part of the audit of the bank's financial statements required under the Companies Act/Codes, recognising that such work is not sufficient for expressing an opinion on the total system, and upon their review of those controls required for Reserve Bank reporting purposes.

29. The management of the bank is responsible for establishing and maintaining a system of internal control. In fulfilling this responsibility, estimates and judgements by management are required to assess the expected benefits and related costs of control procedures. The objectives of a system are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorised use or disposition, and that transactions are executed in accordance with management's authorisation and recorded properly to permit the preparation of financial statements in accordance with Australian Accounting Standards.

30. Because of inherent limitations in any system of internal control, including management override and collusion, errors or irregularities may nevertheless occur and not be detected. In addition, procedures may become inadequate because of changes in conditions and the degree of compliance with the procedures may deteriorate. It is a matter of judgement by the auditor as to whether control deficiencies or breakdowns are sufficiently material to warrant reporting.

...

REQUEST 3 - Key systems to control exposures and limit risks

39. The Reserve Bank's third request was for auditors to report as to whether the management systems to control exposures and limit risks outlined by the bank to the Reserve Bank, presently limited to:

(a) Credit operations (on- and off-balance sheet);

(b) Liquidity management; and

(c) Foreign currency operations; are:

(i) being observed by the bank; and

(ii) adequate to provide a means to control exposures and limit risks to the prudent levels set by management.

40. The management of a bank is responsible for establishing and maintaining the management systems and controls to control exposures and limit risks.

41. Auditors will, in the three specified areas (credit, liquidity and foreign currency) have the written description of each system which client banks are to prepare and to agree with the Reserve Bank. These descriptions will detail the major controls in the respective areas set by management to control exposures and limit risks to the level determined by management.

42. The necessity to report adverse findings will be a matter of judgement by the auditor.

43. There could be conflict and difference of opinion between management and the auditor if the auditor were asked to comment on whether management is prudent. However the Reserve Bank has recently affirmed it is not asking auditors to audit the efficiency of banks' management.

44. It is particularly relevant in this context that the Reserve Bank has emphasised there is no intention to vary or interfere with the customary relationship between a bank and its auditor.

PROPOSED REPORT - Key Systems to Control Exposures and Limit Risks

45. "We have examined the management systems to control exposures and limit risks on the bank's credit, liquidity and foreign currency operations as outlined by the bank to the Reserve Bank by correspondence dated ....................... and accepted by the Reserve Bank by letter dated .................... During the year under review we carried out such tests and reviewed such procedures as we considered necessary to determine whether those systems generally were being observed and adequately provide a means to control exposures and limit risks to the prudent levels set by management. Inherent limitations in any management system and system of internal control may mean that errors or irregularities might occur and not be detected.

In our opinion, subject to these limitations, the credit, liquidity and foreign exchange management systems were generally being observed during the year under review and adequately provide a means to control exposures and limit risks to the prudent levels set by management."

EXTRACT FROM LETTER APPENDIX C

FROM EXTERNAL AUDITORS, 21 MARCH 1988

REGARDING RESERVE BANK REPORTING

"RESERVE BANK REPORTING

The Reserve Bank some time ago announced that it wished to expand the relationship between banks, their external auditors and the supervisory authorities. The intentions of the Reserve Bank are set out in Prudential Statement H1 on "Prudential supervision of banks, relationships between banks, their external auditors and the Reserve Bank" and have been supplemented by further discussions and correspondence between the Reserve Bank, the State Bank of South Australia and ourselves as auditors.

Overall Responsibilities

So that your Board and senior management may appreciate our additional responsibilities arising from the Reserve Bank's requirements, we set out below in general terms the scope of work we will have to perform and other related matters. These must be seen as involving a separate engagement from our statutory audit appointment.

As statutory auditors of the Bank appointed under Section 24 of the State Bank of South Australia Act 1983, we are required to report on the accounts to be laid before Parliament as to their truth and fairness and on the accounting records maintained by the Bank.

The Reserve Bank, in furtherance of its responsibilities for the protection of depositors under the Banking Act 1959, has now sought to establish, in consultation with the State Bank of South Australia ("the Bank"), arrangements that will involve Touche Ross & Co., and Peat Marwick Hungerfords, as the Bank's statutory auditors, providing opinions on the following insofar as they relate to the Bank:-

(a) whether the Bank's internal management systems and controls directed to the security of its assets and operations are generally adequate;

(b) whether the Bank is observing the prudential standards set by the Reserve Bank;

(c) whether the Bank's management systems to control exposures and limit risks outlined to the Reserve Bank by the Bank are being observed and adequately provide a means to control exposures and limit risks to the prudent levels set by management;

(d) whether certain statistical data provided by the Bank to the Reserve bank are reliable;

(e) whether any relevant statutory or regulatory banking requirements and conditions on the banking authority have been met; and

(f) whether any matters which came to our attention during the course of our audit or as a result of additional work carried out to meet the Reserve Bank's requirements may have potential to prejudice materially the interests of depositors."

Our report will cover the same period as the financial statements and should be issued within four months of balance date. As stated later in this letter, the first report will only cover the period from 1st April, 1988 to 30th June, 1988.

The extent to which our opinion will specifically cover each Reserve Bank requirement and the precise wording of our report will be determined at a later stage when we are in a better position to appreciate all aspects of this new procedure."

...

"Scope of Work

As auditors of the Bank we currently carry out sufficient work to enable us to form a professional opinion about the state of the bank's affairs and its results and to report thereon in the terms required by the State Bank of South Australia Act, 1983. Although this work will include such reviews of the Bank's systems of accounting and internal control and the makings of such tests and enquiries as we consider necessary, our work is not designed to express an opinion on the systems of internal control taken as a whole.

Our statutory audit work is also not designed to express an opinion as to the adequacy of systems and procedures operating within the Bank to generate statistical returns and to ensure compliance with the prudential standards of the Reserve Bank relating to prime assets ratio, capital ratio, and open foreign exchange position; nor is it designed to enable us to express an opinion as to the adequacy of systems and procedures operating within the Bank to general financial information to ensure compliance with statutory or regulatory requirements; nor is it designed to enable us to express an opinion as to whether the Bank's credit, liquidity and foreign exchange management systems are being observed.

To satisfy the requirements of the Reserve Bank, therefore, we will have to carry out additional work over and above that which is performed in our capacity as auditors under the State Bank of South Australia Act 1983.

This additional work will include such reviews of the Bank's management systems and the making of such tests and enquiries as we consider necessary in the circumstances.

We recognise that there may be some overlaps between our audit work and work which is necessary to fulfil the Reserve Bank's requirements. In order to help ensure the most efficient use of resources, reliance will be placed on work which is carried out for statutory audit purposes wherever possible.

Internal Audit Department

The Bank's Internal Audit department is considered well placed to review and test properly documented systems and procedures operating within the Bank. In view of this it is our intention to liaise closely with the Internal Audit department throughout the year and to agree certain areas where assistance might be provided.

Where work is carried out by the Internal Audit department on our behalf, we will review the work performed and carry out such reperformance tests and other procedures as we consider necessary. Where we are satisfied with the work carried out by the Internal Audit department it is our intention to place reliance on such work and accordingly to limit the extent of our own work.

Management's Responsibility

Despite our increased involvement in reviewing the Bank's systems of control, it must be appreciated that it is management's responsibility to establish and maintain all of the Bank's internal control systems. Such systems all have their limitations and this being so, errors or irregularities may occur and not be detected.

Our work should not be relied upon for the purpose of discovering defalcations and irregularities, although we shall report to the appropriate level of management any defalcations or irregularities that may be disclosed as a result of our work.

...

Fees

The Reserve Bank's requirements will result in additional work being carried out. Fees relating to this work will be based on the degree of responsibility and skill involved and the time necessarily occupied by the work undertaken.

As the fees will not relate to work carried out in our capacity as statutory auditors our bills will be rendered separately so as to clearly identify the additional costs of the Reserve Bank's requirements."