NR 98-61
June 17, 1998

    Acting Comptroller Cites Slippage in Internal Controls;
       OCC to "Drill Down" to Test Adequacy of Bank Systems

CHICAGO -- Acting Comptroller of the Currency Julie L.
Williams expressed concern today that the "vigor and
thoroughness" of bank internal controls are declining at a
time of challenge in many areas of the business. 

Speaking before the Bank Administration Institute's National
Auditing and Regulatory Compliance Conference, Ms. Williams
noted that banks face increased risk from technological
change, the decline in underwriting standards and a new wave
of industry consolidation. 

"Particularly as banks seek to grow even larger," she said,
"their internal control capacities should be strengthened
not diminished, relative to the size and complexity of the
resulting organization."

Instead, she said, some banks have allowed vacancies in
their auditing departments to go unfilled and have been slow
to upgrade the accounting, information, and communication
systems that are vital to any effective system of internal
controls.  

The Acting Comptroller attributed the slippage to
complacency created by the industry's current prosperity and
to cost-cutting pressures, which most often affect non-income
producing areas of bank operations.   

Nevertheless, she said, responsibility for maintaining a
robust system of internal controls  "falls squarely on
bankers."  OCC examiners, she added, will vigorously monitor
"how well that responsibility is being met."

"We will be drilling down into the bank's operations and
doing more testing and verifying of actual transactions,"
Ms. Williams said.  "Where the bank's risk profile is
higher, we will be doing proportionately more of that kind
of in-depth testing.  And we will bring any deficiencies to
the attention of senior management."

To that end, the Office of the Comptroller of the Currency
will soon issue a new handbook on internal controls.  The
publication will describe sound internal control procedures
and make it clear that the agency's emphasis on internal
controls now permeates its approach to both large bank and
community bank supervision.



                              # # #

The OCC charters, regulates and examines approximately 2,600
national banks and 66 federal branches of foreign banks in
the U.S., accounting for more than 58 percent of  the
nation's banking assets.  Its mission is to ensure a safe
and sound and competitive national banking system that
supports the citizens, communities and economy of the United
States.

                            Remarks by

                        Julie L. Williams
                Acting Comptroller of the Currency

                           before the 

      National Auditing and Regulatory Compliance Conference
                  Bank Administration Institute
                        Chicago, Illinois

                          June 17, 1998

I'd like to begin this morning by sharing an interesting case
that just came to my attention. The facts are these: on his own
account, the CEO of a Washington D.C. national bank made a big
unsecured loan -- amounting to nearly half the bank's total
capital -- to a Baltimore firm in which he was the majority
shareholder. Through after-hours doctoring of the books, he was
able to hide the transaction from OCC examiners and the bank's
own auditors.  Although the bank's bylaws called for weekly board
meetings to consider major loan applications, few meetings were
actually held.  When the board did assemble, the CEO announced
that there was no business requiring its attention, and sent the
members on their way.  Meanwhile, the CEO was furtively extending
new loans to the Baltimore firm as its old loans came due.  In
the end, both the firm and the bank came crashing down. The CEO,
one Leonard Huyck, wound up doing time in federal prison. 

The bank in question was the Merchants National Bank.  If the
name doesn't ring a bell, perhaps it's because Merchants National
failed during a sleepy Washington D.C. summer -- the summer of
1866.  Merchants was, in fact, the second national bank ever to
fail.

The lesson of this story is as relevant for bankers and bank
supervisors today as it was 132 years ago.  A basic foundation of
bank safety and soundness is a vigorously administered and
thorough system of internal controls. And my message to you this
morning is simple: I am concerned that the vigor and thoroughness
of banks' internal controls are slipping. This is a trend that
must be reversed. You have a crucial role to play in
accomplishing that result. 

Today, increasing numbers of the cases that come to the OCC's
special supervision division -- the division that deals with
problem banks -- wind up there as a result of fraud.  Much of it
is garden variety theft and embezzlement and loan and check fraud
that would be instantly recognizable to any 19th century banker. 

Now as then, most of these schemes to defraud are simple in
concept. How simple they are to execute depends upon the bank's
internal control mechanisms and procedures. Where controls are
effective, fraud can be prevented or uprooted before it affects
the bank's solvency. Where internal controls go awry,  fraud can
fester undetected  -- with possibly disastrous -- and certainly
expensive -- consequences for the bank.     

For example, a bank that violated the fixed principle of internal
controls that "no single person shall both authorize loans and
control their disbursement"  recently suffered a big loss when
its president made "nominal" loans to nonexistent borrowers -- 
and used the cash in a bid to corner the bank's stock.

Or consider the bank that violated the fixed principle that "the
board of directors shall exercise special vigilance in cases
involving loans to insiders and affiliates."  This bank recently
suffered big losses when an unscrupulous officer originated an
unsecured loan to an out-of-town jewelry store and used the
proceeds to buy his wife lavish gifts. 

A bank that violated the basic principle that "independent
verification of all loan documentation shall be performed before
a loan is issued" recently failed when an ambitious loan officer
falsified borrowers' financial statements and collateral
inspections.  In this case, the fraud came to light as the result
of the bank's adherence to another basic precept of internal
controls:  officers and employees in sensitive positions shall be
away from their desks for at least two consecutive weeks each
year. 

In each of these cases, the failure to follow fundamental
techniques for sound internal controls led to expensive mistakes
that diminished bank capital and tarnished banking reputations
even when the bank itself survived.  In each of these cases,
personal suffering and financial loss could have been avoided if
only these simple, common sense procedures had been in place. 

Evidence of weakening internal controls is not merely anecdotal.
Late last year, in a study similar to BAI's own Audit
Benchmarking Survey, the OCC's Central District here in Chicago
found that the growth in audit capabilities in the banks they
looked at was not keeping pace with the growth of the banks
themselves.  We found that turnover in the banks' auditing
departments was increasing; so was the employee-to-auditor ratio.
While these findings represented preliminary results based on a
small sample and are open to various interpretations, they do
give us additional reason to be concerned. Particularly as banks
seek to grow even larger, their internal control capacities
should be strengthened, not diminished, relative to the size and
complexity of the resulting organizations.   

To some degree, the slippage in internal controls might be
attributed to the current health of the economy and the
profitability of most banks.  Some bankers in tight labor markets
are reportedly finding it hard to recruit enough competent
internal auditors to fill vacancies.  Given the difficulty in
hiring staff to guard against fraud,  some bankers may have come
to accept an understaffed, less robust internal control function
and the fraud that attends it as just another incidental cost of
doing what is these days a most profitable business.  In good
times, losses can be more readily absorbed, and in-house auditors
often have a harder time getting the ear of senior management.

The decline in internal controls is also undoubtedly related to
the competitive lending environment in which banks currently
operate. As loan margins grow thinner, banks feel an  increasing
urgency to cut costs, and are most likely to economize in areas
they perceive as having minimum impact on income.  When this
approach is directed to a bank's internal controls, it 
misguidedly sacrifices long-term strength and stability to short-
term profits. 

The apparent degradation of internal controls systems come at a
particularly critical time for the banking business  -- a time of
rising risk in many phases of the industry.  Many banks face
intensified competition from domestic and foreign-based providers
for what was once their core lending business, competition that
has taken a toll in underwriting standards and loan terms. 
Technological challenges -- such as those associated with the
millennium change and electronic commerce -- pose risks all their
own.  The information that banks have accumulated about their
customers has great value -- not only for the banks but for
others as well.  There is an increasing risk that unauthorized
persons will look for ways -- legal and illegal -- to access bank
customers' private account information.  And, of course, the wave
of announced massive bank consolidations in recent weeks alone
has created a new element of uncertainty -- and new challenges --
for the affected banks.

In the face of such industry change, it stands to reason that
banks would be strengthening their internal controls instead of
cutting them back.  It stands to reason that banks would be
adding experts in this area -- in-house or contract -- to their
staffs.  It stands to reason that banks would be upgrading their
monitoring systems to make them more effective and more resistant
to tampering and intrusion.  A few banks are doing all of those
things. But not enough.  This failure reflects structural and
management weaknesses that could have serious safety and
soundness implications for some banks.   

This is obviously an important concern for us. To further our
supervisory efforts and attention to internal controls, we will
release the new "Comptroller's Handbook for Internal Control"
next month.  This publication caps the OCC's emphasis on internal
controls -- an emphasis that now permeates our whole approach to
bank supervision for large banks and community banks alike. 
Indeed, our newly-revised Large and Community Bank Examination
procedures integrate the review and testing of internal controls
into all OCC examinations.

The OCC's regimen calls for examiners to review each bank's
internal controls during every 12 or 18 month supervisory cycle.
What will they be looking for? We recognize that no one form of
control system is right for all banks. Community banks can
implement controls in a less formal, less structured manner than
larger banks and still have an effective control mechanism.  Many
of these smaller banks necessarily rely on outside consultants to
perform "internal" audit functions and still are able to get the
job done properly.  

But we do believe that there are common critical components in
internal control systems for all banks, and we embrace the five
identified by COSO, the Committee of Sponsoring Organizations of
the Treadway Commission.  The list includes: Control Environment; 
Risk Assessment;  Control Activities;  Accounting, Information,
and Communication Systems; and Self-Assessment.

Each of these elements is important, but the first -- control
environment -- really represents the foundation for all the
others. It provides the basic discipline and structure vital to
an effective control system. It reflects the level of
management's commitment and awareness of the importance of
internal controls, and sets the tone for the control activities
that are undertaken to carry out management directives.  Included
among these control activities are the bank's procedures for
approving and authorizing transactions and reviewing operating
performance;  the checks and balances that limit employees'
access to assets and records, and the design and use of
documents. 

Risk assessment is the identification and analysis of relevant
risk, both internal and external, that can prevent the bank from
reaching its objectives or can jeopardize its operations. The
assessment helps determine which risks exist, how they should be
managed, and what types of controls are needed. 

The fourth element in an effective internal control program deals
with  accounting, 
information, and communication systems.  These systems must not
only capture information and generate necessary reports, but also
enable all bank personnel to understand their roles in the
overall control system, how their activities relate to others,
and their accountability for the activities they conduct. And,
finally, the self-assessment function consists of periodically
measuring -- and testing -- the effectiveness of controls. 

In assessing the bank's overall arrangements for internal
controls, OCC examiners will look first at its written
procedures. Written procedures are required for controls relating
to insider transactions, Bank Secrecy Act, real estate lending,
asset management, financial derivatives, interbank liabilities,
and retail nondeposit investments. 

But good processes are not enough. Impressive though they might
appear on paper, internal controls are of little value unless
they are thoroughly understood and strictly adhered to.  That
responsibility falls squarely on bankers.  Our examiners will
determine how well that responsibility has been met.  To make
that determination, we will be drilling down and doing more
testing and verifying of actual transactions.  Where the bank's
risk profile is higher, we will be doing proportionately more of
that kind of in-depth testing. Where warranted, we will be
reviewing reconciliations and transaction orginations, internal
audit working papers, and external audit reports. And we will
bring any deficiencies to the attention of senior management.

But as much as we can do as regulators to help build a banking
system that is truly safe and sound, responsibility for the
development, implementation, and testing of internal controls
rests first and foremost with managers and bank board members. 
This responsibility, as we say in the internal controls handbook,
is "not diminished through delegation, outsourcing, or similar
arrangements."  This is crucial.  Senior bank managers and board
members -- not their subordinates or their contractors -- are
responsible for ensuring that the internal control system is
operating as intended and that it is modified, as appropriate, to
adapt to changing conditions. 

Bank managers and directors should be insisting that their own
auditors constantly probe and test the effectiveness of the
bank's internal controls.  And they should welcome a vigorous
internal control function that will prevent problems before they
hatch  -- or catch them before they undermine the bank's assets
and earnings and its good name.  

As long as all parties -- bank managers, board members, bank
supervisors, and internal and external auditors -- play their
respective roles in a vigorous and thorough fashion, the banking
industry will have the foundation it needs to successfully
transit a time of change and
challenge -- and to prepare it for the new challenges that lie
ahead.