When Silicon Valley Bank (SVB) closed its doors in early March, I joined many in wondering what kind of risk and control environment the bank had. I specifically wanted to know about its internal audit function. How strong was it? Did it share in any culpability?
Normally, questions like those linger unless/until they are answered in subsequent litigation proceedings or regulatory sanctions. It turns out we didn’t have to wait that long for some perspective on SVB’s internal audit.
Late last month, the Federal Reserve released a treasure trove of documents related to its supervision and regulation of SVB and SVB Financial Group (SVBFG). In releasing the documents, the Fed noted:
“These documents include supervisory material that is confidential under the Board’s regulations. Due to the exceptional nature of these events, including the failure of SVB and the extraordinary response required by the Federal Reserve, the Board has determined that release of this information is appropriate, as the substantial public interest outweighs the need to maintain the information’s confidentiality.”
On the one hand, maybe the Fed released the documents to be transparent and demonstrate due diligence in its supervision of SVB. But I can’t help but wonder if the timing and extent of the document release wasn’t a bit self-serving. I will leave it to readers to peruse the full inventory of the disclosure and to draw your own conclusion. However, thanks to the eagle eye of my friend Hal Garyn, one document in particular is worthy of review by those of us in the internal audit profession.
Included in the Fed’s release was a letter to the SVB board of directors in December 2022. The letter detailed findings of a joint target examination of SVB’s Internal Audit Program by the Federal Reserve Bank of San Francisco and the California Department of Financial Protection and Innovation (CDPFI). That letter concluded that the “SVBFG/SVB’s Internal Audit (IA) is not fully effective.” It noted that “the overall assessment was driven by material weaknesses in the risk assessment process, the process to define the IA audit universe, IA’s continuous monitoring, and audit execution.” Overall, it’s a very critical report that ranked each of those areas as “below supervisory expectations.”
As Hal and others have noted, there are important lessons from the Fed/CDPFI letter for internal audit functions in all sectors and industries. Regulator observations that stood out to me included:
- “While there is quantitative methodology that drives the risk assessment, the analysis supporting the numerical scores is limited, lacks transparency, and is often informal.”
- “IA does not effectively identify all auditable entities within the audit universe. . . . IA also has not developed a formal methodology to check the completeness of the Firm’s Audit Universe.”
- “IA’s continuous monitoring processes are ineffective. IA has not established processes for updating the Audit Plan or Staffing as emerging risks or significant organizational changes are occurring.”
- “IA’s planning and scoping processes do not provide sufficient oversight. Based on the sample of workpapers reviewed, the FR and CDPFI noted examples where the Risk and Control Matrices were not approved by an IA Director or Manager; end-to-end walkthroughs of the auditable entity were not performed; internal controls maps or process narratives were not developed; and ineffective mechanisms to check the completeness of the audit scope prior to fieldwork.”
- “IA’s testing practices are inconsistent and lacks clarity when relying on other control functions. While the IA Policy allows leveraging off first and second line control testing, there are no defined criteria to determine when to leverage versus when to re-test. Also, the examination noted examples where the testing sample sizes were not aligned with industry standards.”
Based on my experience leading external quality assessments of internal audit functions in financial services and other industries, I am guessing that a great many internal audit functions would receive feedback similar to that received by SVB’s IA function. That’s not an excuse – just an observation. And I think we all need the kind of feedback that SVB’s IA received.
The documents released by the Fed didn’t just target SVB’s internal audit function. There is ample documentation that other challenges existed within the bank. While I don’t believe the Fed unfairly targeted internal audit, I do have a few rhetorical questions:
- Would the Fed have released the report if it had concluded that IA had performed all of its work in a manner “generally consistent” with supervisory expectations?
- How could SVB IA’s quality assurance function be rated “generally consistent with supervisory expectations,” yet so many quality issues resulted in a majority of areas being rated “partially consistent” or “below supervisory expectations?”
- Why did the Fed redact the names of all its staff from the report, but not the names of SVB’s CEO and CAE?
Over the years, I have observed an interesting relationship between U.S. banks’ internal audit functions and their regulators. Bank CAEs often complain about overbearing or heavy-handed regulators and their examinations of internal audit. Bank CAEs also privately acknowledge that, without the regulators’ support, internal audit would not enjoy the same level of resources or stature within the bank.
A few years ago, a staff member of a bank regulator candidly shared with me that the regulator considered bank internal auditors to be their “boots on the ground.” I was taken aback by that strongly worded analogy and cautioned about the risks I thought it created if bank management and boards perceived internal audit merely as an extension of the regulator. After reading the Fed’s report on SVB’s IA, I smiled and thought, “I guess that, if your boots have mud on them, under the bus they go!”
I am sure my views in this blog will generate some strong reactions. I welcome your thoughts in the comments or by email at: blogs@richardchambers.com.
I welcome your comments via LinkedIn or Twitter (@rfchambers).