A Methodology for Auditing
Even when the risks and weaknesses associated with internal control are considered by the auditor as likely to require management action, the auditor may need to perform substantive tests for efficiency reasons and for documentation. An example is an assertion concerning account balances.
Verification provides a degree of confidence and it is also a good way of limiting the tests performed post mortem when the author's findings are contested by interested parties. Verification also permits concentrating full attention on the weak links in the chain. Verification means testing:
• Through testing, the auditor obtains additional knowledge about the effectiveness of internal controls, or their lack of focus.
• Substantive testing is quite important even if its details might be confusing to third parties.
Some of the senior executives who participated in this research suggested that communicating to third parties the complexity found in the examination of an internal control system might lead to certain issues being misunderstood. But others said that, on the contrary, this process demonstrates how sophisticated the auditing of an internal control system needs to be - and provides evidence that the job has been well done.
Many of the experts whom I met said that in their opinion the best methodology in getting ready for auditing internal controls is similar to that followed by lawyers in their pre-trial preparation. F. Lee Bailey, an American criminal lawyer, puts the benefits derived from doing one's homework this way:
My experience has taught me the importance of - in fact, the absolute necessity of - thorough pre-trial preparation ... Cases are seldom if ever won in court. They are won by the side that comes into court fully prepared because it has slaved to find the facts of the case before the trial begins. (F. Lee Bailey, 1975)
Quite similarly, defects and weaknesses in the internal control system of a financial institution, and of any other organization, are seldom found while its formal auditing is in process. They are flushed out during discovery, the nearest thing to pre-trial preparation, which permits us to identify weak spots, dubious records, conflicts of interest, and other problems - and focus on them when the auditing takes place.
Discovery should not be confused with the conclusions. Indeed, there is a significant difference between the two. As shown in Figure 5.1, discovery is analytical, and, up to a point, more rigorous than conclusions. Discovery is an unrelenting research into historical evidence. Turning over stones invariably lets sunlight onto some creatures of the shadows.
Why Internal Control Systems Must be Audited
Figure 5.1 Discovery is an analytical process, while legal conclusions are synthetic and practical (figure labels: Analytical, Theoretical, Discovery, Conclusions, Practical, Synthetic)
Borrowing a lead from the book of criminal lawyers, discovery provides the ability to unearth every element which helps, or even might help, to prove that the counterparty in a litigation:
• Is of bad faith
• Has given false references or
• Has tried to hide its weaknesses through lies.
By contrast, the core matter of conclusions is practical and constructive.
The contents of conclusions should be synthetic, building upon the results of discovery. The goal is not only to bring into perspective in a comprehensive way the weaknesses of the counterparty and the soft underbelly of its defences but also to document these weaknesses in a convincing way. It follows, logically, from this explanation that discovery should take place well before entering into conclusions.
Discovery makes it feasible to travel back in time and find out the origin of a decision, of a transaction, or of any other activity. When did that activity take place? Who authorized it? Who made it? And for what reasons? The answers to these questions must be precise. Whether the 'who' is a single person or a committee, these are crucial queries which should receive factual answers. A good example of a methodology is provided by Cicero's six evidentiary questions (Marcus Tullius Cicero, Roman senator and orator, 106-43 BC):
• Who, apart from the person who signed, contributed, or was witness to this action?
• How did the person(s) involved, alone or by committee, come to this action?
• Where was the evidence which led to the commitment being made?
• When was this decision, transaction, or action originally made, and under which conditions?
• What exactly did the action in question involve? Was the original decision subsequently changed or manipulated?
• Why was the decision made? At which precise goal was it targeted, or what was it intended to avoid? Was there a conflict of interest?
I am indeed surprised how often companies I work with or meet in my research have not thought about asking these queries in relation to important matters, let alone providing factual and documented answers.
Not long ago, a major British bank asked its lawyers to comment about legal issues associated with the following critical query: 'Is our risk exposure managed by 50 per cent or 90 per cent?' The lawyers said, 'We don't know' - and this is the most consistent response one gets, in three short words, from every financial institution in connection with this particular query. 'We don't know' is not an acceptable answer by legal counsels:
• Top management has the right to know and to be presented with evidence, not just words.
• The institution's legal department must respond in a factual and documented manner to the demands being posed.
A similar statement is valid about the auditing department and the results of its examination of the company's internal control system. In a credit institution, for example, much can be learned through focused queries such as the following: Are our credits diversified or concentrated in a few names? How are our credits distributed by our counterparty - By interest rate? By currency? By maturity? What is the pattern of our credits - By credit officer? By branch? By foreign subsidiary?
Other critical queries following the lines of Cicero's seminal work are: Is there any abnormal number of 'weak' credits? Is the same credit officer always dealing with the same counterparty? Is the same derivatives dealer following a repetitive pattern with the same instrument? With the same counterparty? Why is this counterparty dealing in billions of dollars in swaps? Is the counterparty a steady user of over-the-counter (OTC) trades or balances with exchange-traded products? What is the net and gross exposure with this counterparty? Is the account executive aware of such exposure? What has he done about it?
When factual and documented answers are obtained to these and similar queries, the auditors can effectively document if there are weaknesses in the company's internal control system and the way it works. Historical evidence is of prime importance in this type of analysis, because there is often the excuse that a certain misadventure is a one-off affair which 'never occurred in the past' and 'is not going to happen again'.
Discovery does away with these silly arguments, because it helps to unearth a pattern of backpedalling and evasion - if there is one. Another value of discovery is that it brings to the fore elements of which we might not have thought earlier in support of our position. It also speaks volumes about weakness in the arguments presented by the opposite party, which eventually lead to the identification of conflicts of interest of which senior management might not have been aware.
AUDITING STRENGTHS AND WEAKNESSES OF AN INTERNAL CONTROL SYSTEM: AN EXAMPLE FROM A MONEY CENTRE BANK
This is a case study based on a real-life audit, made by independent auditors in one of the better-known money centre banks. Let's call this institution UNIVERSAL. At headquarters, its board was concerned about the likelihood of potential negative changes in the bank's financial position as a consequence of unexpected or uncontrollable events. Therefore, the board asked for a new risk management concept to be developed by central operations, in collaboration with senior executives in charge of key divisions, and required that this new system be thoroughly audited. The board's directive has been that:
• Existing internal control principles and systems should be integrated into the new risk management concept and
• Prior to its implementation the new solution should be audited by an external independent agent.
The board's wish has also been that from the start and during the development of the new control concept, the independent auditor must be involved in periodically reviewing specifications and tolerances, in order to input additional experience and expertise. Another goal of involving an independent auditor was to provide a third-party assessment of the coherence and practicability of the new management control system under study, step by step.
The project started smoothly but, before too long, it hit resistance because of conflicts of interest. Several divisions of UNIVERSAL wanted to derive concrete benefits from the new system but without giving up information they had traditionally kept close to their chest. Because of this, each new feature became the subject of a trade-off. The independent auditor therefore commented that it was not feasible to try and assess the new risk control concept in absolute terms but, rather, in relative terms - particularly in regard to its effectiveness in supporting:
• The business objectives of UNIVERSAL division by division and
• Its global financial operations as a system, provided this proved feasible.
Centralization and decentralization of internal control activities has been one of the early points of contention. Centralization won and, in terms of an overall architecture, the internal control system under study was more centralized than the one it intended to replace. Responsibility for overall control and monitoring of risk rested with the centre, but at the same time a new notion of 'distributed responsibility' was advanced aimed at maximizing flexibility in controlling risk. This was delegated to the business units.
Even if the concept of centralization prevailed, some of the senior executives at UNIVERSAL objected to this definition, which they interpreted as a dilution of internal control. They were also unhappy about soft-pedalling on internal control information by other divisions than their own. In a curious twist of modern principles, the new concept projected that internal control reports would be submitted in the future monthly rather than weekly, as per current practice.
In fact, the first weaknesses the independent auditor identified concerned the proposed monthly frequency of reporting which, for any practical purpose, limited the scope and extent of internal control information provided by the periphery to the centre. The bank's executives who promoted the slowdown in reporting said that there were major benefits in this approach, but their arguments were not convincing. These arguments were that:
• It observes the decentralized management style of the bank
• It is relatively simple to implement in terms of information technology requirements and
• It poses no need for investment in real-time systems.
This reference to a 'real-time system' has been a curious argument contested by the independent auditor. The fact, however, was that information technology at UNIVERSAL was still (in the mid-1990s) mainframe-based with some 30 million lines of code in COBOL programs.
Some of this in-house software was maintained by young programmers who were born after the application programs in reference were written, but the managers of data processing resisted change. To them, even the word 'real-time' was anathema.
The independent auditor was most critical of the fact that the technology necessary for real-time control has been put on the back burner. He demonstrated that UNIVERSAL's information systems were still, to a very large extent, characterized by Palaeolithic concepts from batch processing to personal computers used as non-intelligent terminals. The bank's current systems 'solution' was way behind the state of the art, and incompatible with what the board wished to obtain in terms of a well functioning internal control system.
The independent auditor pointed out that all three premises in the above bullet points were wrong. The reason why the board wanted a new internal control solution was to tighten the reins on risk-taking by the subsidiaries at home and abroad, by means of exercising more timely control. No internal control system which is worth its salt is 'simple', and while simplicity is welcome, the level of simplicity or complexity of the solution to be chosen must be commensurate with the level of risk being taken.
As a result of these considerations, the independent auditor advised that the proposed approach will neither allow a first-class internal control structure, nor will it permit the short-term dynamic utilization of capital at risk, as some of the divisional executives wanted. Particularly ineffectual would be any attempt to have a frequent and close monitoring of risk positions. When done on a monthly basis this monitoring is an aberration similar to the allocation of risk capital on an annual basis. Yearly allocation of capital at risk and monthly internal control reports are incompatible with the concepts of:
• Dynamic assignment of capital at risk, according to the pulse of the market and
• Tick-by-tick risk control so that top management is ahead of the curve in identification of exposure and corrective action.
The independent auditor particularly underlined the need for a methodology which could truly serve the board's objectives, rather than one which bent over backwards to please those people with a vested interest in the status quo. The auditor also suggested that it should be possible to overcome current weaknesses within acceptable time and investment limits, by implementing a solution which allowed the flexible use of new technology rather than depending on old connections.
High technology aside, the audit paid attention to the requirements imposed by a concept of dynamic capital allocation, in line with the board's wishes. The challenge has been one of experimentally defining an amount of risk capital by country, division, and desk as a subset of total available capital at risk at Group level, then allocating such funds to risk types. This approach, the independent auditor suggested, was consistent with the trend currently prevailing at leading institutions.
As a part of the audit of the project's basic concept, the independent auditor proposed that the institution tooled itself up with what it took to do real-time simulation and experimentation, in an effort to provide an adaptable and flexible decision-making process. The audit also underlined that the solution to be chosen should neither encourage overleveraging nor create a risk-averse approach.
Most importantly, the independent auditor said, such a solution should be consistent with the culture of the bank and its risk-taking policies. In terms of methodology for risk assessment the auditor brought to the board's attention that the currently prevailing practices limited the level of accuracy in risk assessment. But the way it was projected, the new method would not improve upon this situation. By keeping to batch processing it was heralding 'simplicity of implementation', but the benefits to be derived were practically nil.
Between the lines of this case study the careful reader will appreciate the existence of a methodology for auditing strengths and weaknesses of an internal control system, whether this is already in place or constitutes a new development. The first and foremost factor in getting results is top management support. This was practically the only requirement being fulfilled given that the board asked for the audit. The board was, however, misled in regard to the methodology and the mechanics of the implementation as explained in the next section.