56 Why Internal Control Systems Must be Audited
involved we should start from fundamentals. The classical types of internal controls have been authorization for transactions, safeguards over assets and records, segregation of duties, and documentation standards. Added to these are verification duties, which over the years have tended to integrate internal control responsibilities with auditing.
Traditionally, internal accounting control for banks and other companies included books and records of the firm's assets and liabilities, as well as segregated entries of customer property. From this perspective, the duty of a day-to-day manager or chief operating executive 'was not to sign every check' as one analyst put it, but to be on the feedback line of internal control intelligence focusing on:
• Capital protection and
• Sound risk management.
This more classical type of activity, and of associated responsibility, has been extended in recent years to cover accountability for making judgements on the degree of independence of different organizational functions, including their relationships with corporate governance and with compliance activities; observance of rules and regulations; and all the other subjects we studied in Chapter 2. Among tier-1 companies, these enlarged responsibilities are supported by sophisticated technology.
However, while the existence of state-of-the-art technology is definitely a major 'plus', it is not an assurance that there exists an adequate internal control environment. The lack of it is an indication of insufficient management attention paid to globally expanding operations - and what this means in terms of preservation of assets and reputation of the firm.
Therefore, the board and senior management must ask for mechanisms able to verify that internal controls, once established, are being followed and deviations immediately corrected.
This is not a one-off task but a permanent one, and it cannot be performed manually in the long run. Let me take a globally operating credit institution as an example, to explain the meaning of this statement. While in its home country this institution may have retail banking operations, one can bet that abroad it concentrates on trading and asset management.
Therefore, global internal control should focus on the frame of reference shown in Figure 3.1. Factors behind this real-time framework are:
• Intraday valuation required in all dynamic markets
• Performance premiums which create risk incentives and
• A clear distinction to be made in accounting by axis of reference.
The Globalization of Financial Markets
[Figure 3.1 axis labels: Trading activities; Client asset management; Preservation of own assets]
Figure 3.1 A real-time framework for focusing internal control by country and in a global setting
Institutions with first-class internal control have paid full attention to real-time reporting. The Boston-based State Street Bank, for example, is able to produce a virtual balance sheet within less than 30 minutes, and the next goal is 5 minutes. This is doable with advanced technology provided senior management has the will to get commendable results. (A virtual balance sheet permits us to map assets and liabilities with 96 per cent or better accuracy, which is plenty for a real-time management information system.) Particularly in connection with global operations, the integrative frame of reference presented by a virtual balance sheet can be a major competitive advantage.
Another reason real-time feedback is so important is that very few of the global credit institutions work as a network. The large majority lack the necessary integration of internal knowledge across borders. Yet, with today's dispersed markets, with their:
• Financial hot spots,
• Choosy clients and
• Dynamic market players
a thorough integration of internal control intelligence is necessary if the board and the CEO are to be in charge. Transborder collaboration among all of the bank's branches is vital to managing the institution's competitive position, its credit risk, market risk, and operational risk exposure as well as its global profitability.
Because many of the most important clients of the bank are themselves global, successful risk management requires multi-point reporting capabilities which include accurate knowledge of how much each branch is leveraging the bank's equity and assets. Such results don't come free of cost or effort. The globalization of internal control calls for studies of organizational learning, both:
• About our bank, its affiliates and its activities and
• About all our important client firms.
One of the key issues in globalization is how independent business units can co-operate effectively when developing innovative products as well as when evaluating exposure to clients, instruments, and markets. Headquarters should play a critical role in supporting risk-oriented co-operation.
Because a great deal of credit and market information is developed in subsidiaries, companies must, through special task forces, specialize in facilitating shared developments and making knowledge transfers possible - eliminating complacency and bringing full management attention to troubled spots.
REGULATORS LOOK AT INTERNAL CONTROL AS A FOUNDATION OF SOUND MANAGEMENT
Regulatory authorities are keen to provide internal and external auditors with guidance on how to assess an entity's internal control structure during an audit of financial statements. This must in principle be done in accordance with Generally Accepted Auditing Standards (GAAS), which are not to be confused with the Generally Accepted Accounting Principles (GAAP) discussed below. An assessment of a company's internal control system helps the auditor to better evaluate assertions set forth in financial statements. It also helps to determine the extent of testing to be done.
The Office of Thrift Supervision (OTS) underlined that institutions should not only have in place an adequate system of internal controls but also that internal control should be an integral part of the bank's risk management system. Superficially, a reference to the OTS might look out of place in a discussion on globalization, but in reality this is a pretty good example if we make the assumption that OTS is comparable to the headquarters of a large global entity with about 1100 independent business units, of which 70 are of a reasonably large size. (That is the number of thrifts supervised by OTS.)
Working on this hypothesis of a well managed global headquarters function which exercises prudential supervision of the entities over which it has authority, let me bring into our perspective some of the OTS directives for retail banks (savings and loans, S&L, thrifts). These directives explicitly state that internal control should promote:
• Efficient operations within established risk limits
• Reliable financial and regulatory reporting procedures and
• Compliance with relevant laws, regulations, and institutional policies.
Exporting this paradigm to a global scale, the headquarters should expect that local management policies will pay adequate attention to prudential limits; assure a timely and accurate process for measuring, evaluating, and reporting exposure; put a premium on a strong control environment; and make certain that each independent business unit, as well as the institution as a whole, abides by ethical values. This framework engages the accountability of board directors, the CEO, and all senior managers in the affiliates.
Along with the emulation of a well tuned headquarters function, the OTS also provides a practical example of the focused, technology-based approach which it has adopted. As Timothy Stier, its chief accountant, has shown, OTS pays a great amount of attention to interest rate risk taken on by the regulated 1100 S&Ls. The larger of these institutions file a report with interest rate risk information using a model of compliance developed by OTS.
I have been favourably impressed by this model. Even the big banks, at least their majority, do not possess such a sophisticated approach. The model integrates 'What if' hypotheses on the movement of interest rates with the effect of changes in maturity. OTS runs simulations based on real-life statistics submitted by the S&Ls through the Monte Carlo model (Chorafas, 1994a). The internal control fact to remember is that the relatively small US thrifts have learned how to do:
• Sensitivity measurements
• Worst-case scenarios
• Capital before-shock calculations and
• Capital after-shock reporting.
This thorough experimental approach to internal control takes current commitments and market interest rates and computes possible exposure by changing the interest rates 100, 200, 300, and 400 basis points up and down. The benchmark adverse condition is the 200 basis points shock level. This is one of the best examples I have found on using technology to strengthen an institution's internal control. Timothy Stier explained that the OTS has also developed a lot of other models which assist the S&Ls' senior management in handling interest rate risk and other risks.
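A simplified sketch of the shock procedure described above, added here as an illustration; it is not the OTS model and not code from the book. The balance sheet, the 6 per cent base rate, and all function names are constructed assumptions, and capital is approximated as the present value of assets minus the present value of liabilities.

```python
# Parallel interest-rate shocks applied to a toy balance sheet (added example).
SHOCKS_BP = [-400, -300, -200, -100, 0, 100, 200, 300, 400]
BENCHMARK_BP = 200  # benchmark adverse shock level named in the text

# Constructed sample data: (years until payment, amount).
ASSETS = [(1, 6.0), (2, 6.0), (3, 6.0), (4, 6.0), (5, 106.0)]  # 5-year fixed-rate loans
LIABILITIES = [(1, 93.0)]                                      # deposits due in one year


def present_value(cash_flows, rate):
    """Discount each cash flow at a single flat rate."""
    return sum(amount / (1 + rate) ** years for years, amount in cash_flows)


def capital(base_rate, shock_bp):
    """Assets minus liabilities, both revalued at the shocked rate."""
    rate = base_rate + shock_bp / 10_000
    return present_value(ASSETS, rate) - present_value(LIABILITIES, rate)


def shock_report(base_rate):
    """Return capital before shock and one row per shock level."""
    before = capital(base_rate, 0)
    rows = []
    for bp in SHOCKS_BP:
        after = capital(base_rate, bp)
        rows.append({
            "shock_bp": bp,
            "capital_after": after,
            "change_pct": 100 * (after - before) / before,
        })
    return before, rows


def worst_case(rows):
    """Shock level that leaves the least capital."""
    return min(rows, key=lambda r: r["capital_after"])


def benchmark_exposure(rows):
    """The more damaging of the +/-200 bp benchmark shocks."""
    adverse = [r for r in rows if abs(r["shock_bp"]) == BENCHMARK_BP]
    return min(adverse, key=lambda r: r["capital_after"])


if __name__ == "__main__":
    before, rows = shock_report(base_rate=0.06)
    print(f"capital before shock: {before:.2f}")
    for r in rows:
        print(f"{r['shock_bp']:+5d} bp  capital after: {r['capital_after']:6.2f}"
              f"  change: {r['change_pct']:+6.1f}%")
    print("benchmark shock:", benchmark_exposure(rows)["shock_bp"], "bp")
```

Because the constructed assets have longer maturities than the liabilities, rising rates erode capital here; a balance sheet with the opposite mismatch would show its worst case on the downward shocks.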
The choice of the OTS advanced applications is intentional because today accountability for internal control is at board level, a statement equally true in several European countries. 'Pursuant to the first sentence of Paragraph 1 of Article 39 of the Austrian Banking Act [Bankwesengesetz, BWG] it is the executive board's responsibility to establish, keep up and revise the internal control. This responsibility is seen as part of their duty of diligence', wrote Dr Martin Ohms of the Austrian National Bank.
'The internal control system covers market risk, credit risk, settlement risk, operations risk and legal risk', said Heinz Frauchiger of Bank J. Vontobel who, as chief auditor, reports directly to the bank's CEO. Typically well managed institutions have underlined the fact that internal control functions are driven from the governing body down to operational levels which identify, quantify, report, and manage the risks of the business.
The solution that both supervisory authorities and some of the credit institutions themselves have suggested is that of a risk management group independent of risk generating functions, such as trading activities, reporting to the executive committee but audited by internal auditing.
This risk management function, which some institutions see as the alter ego of internal control, is charged with day-to-day responsibility for:
• Risk monitoring
• Measurement and
• Analytical evaluation.
Evidently, its efficiency depends on the development and use of risk and performance measures able to ensure that all business activities are being run in accordance with defined top management strategies; that operational controls exist over front desk and back office regarding authorization for and reporting of transactions, and a real-time information system is on hand to process and visualize the results of risk analysis.
There has, however, been some divergence of opinion on how the implementation of what I have just stated should take place, though there was no visible discord on the need for a clear concept underlying internal control activities. Such divergence was particularly present in terms of organization. Figure 3.2 presents the four different organizational solutions which I have most frequently encountered in my research. I don't see it necessary to comment on which one of these is 'better', because:
• All of them have strengths and weaknesses both in an absolute and a relative sense.
• Most often the organizational solution chosen by an entity is situational, fitting its culture, structure, and business environment.
In a general sense, both for global and for national activities institutions assign internal control duties sometimes to auditing, sometimes to risk management, and in other, more rare cases, to accounting, operations or the legal counsel. This is not surprising because, as we saw in Chapter 2, the areas covered by accounting, auditing, risk management, and internal control overlap, while each also has its own sphere of interest.
[Figure 3.2 panel labels: Internal control; Risk management]
Figure 3.2 Four different organizational approaches followed by credit institutions with regard to internal control and risk management
Because organizational responsibilities are not so well settled in an industry-wide sense, and each institution has adopted more or less its own solution, it is appropriate to have a written definition of duties for internal control. In connection with both local and global operations, this should describe the needs of auditors, risk managers, and other professionals in performing duties which assist the internal control system.
Prior to closing this subject on organization challenges associated with internal control for global operations, as an introduction to the theme of the next section on important differences in accounting principles existing in a globalized economy, let me briefly bring to the reader's attention some issues concerning the supervision of financial conglomerates. Published in July 1995, by the Tripartite Group of Bank, Securities and Insurance Regulators, 'The Supervision of Financial Conglomerates' was a seminal paper addressing particular problems in any group of companies under common control whose exclusive or predominant activities consist of providing significant services in at least two out of three financial sectors:
• Banking
• Securities and
• Insurance.
This report suggested that the five main areas of interest to supervisors involve capital adequacy, co-operation and exchange of information between institutions and regulatory agencies, the impact of individual entities within the conglomerate on financial stability of the Group and of markets, intragroup transactions, and counterparty concentrations on a consolidated basis. There is plenty a well designed and properly tuned internal control system can do. The problem arises when the accounting languages institutions and their subsidiaries speak among themselves and with their supervisors are so different from country to country that they become incomprehensible to one another. We will see what this means through a practical example.
IMPORTANT DIFFERENCES BETWEEN ACCOUNTING SYSTEMS HANDICAP GLOBAL INTERNAL CONTROL AND AUDITING
One of the difficulties in global risk management is using information and knowledge out of context. Something that is understood in one business environment may not be easily appreciated in another, or may even be distorted. Knowledge exchange is too often simplistically equated with codifying information, writing it in a spreadsheet, inputting it into computers, and shifting it around. In contrast to this near-sighted approach, true knowledge integration is the outgrowth of:
• Financial
• Technical and
• Social processes.
Global risk management is not possible by applying easy labels, because control activities usually require a significant paradigm shift. Few companies have established a track record of mastering the diverse cultural approaches and incompatible accounting rules prevailing in different countries. The result of using incompatible accounting systems is a significant operational risk exposure.
In my postgraduate studies at the University of California, in the early 1950s, I had a professor of accounting who taught his students that if one is free to choose the system in which one makes one's accounts one can prove practically anything. A very profitable enterprise could show deficits, while one which is in the red could parade itself as star performer.
These minor miracles in financial reporting are usually done through creative accounting (see the next section), but big differences in national accounting systems can be just as confusing. A truly International Accounting System (IAS) does not seem to be around the corner. It has been years in development, but universal rules are not yet hammered out because of basic disagreements (Chorafas, 2000a).
Not only does internal control currently operate at reduced speed because of diversity in accounting rules, and because auditors require training in different incompatible systems, but also investors unaware of major differences fall into the crevasses existing between one financial reporting scheme and another, learning about the existence of these crevasses in a very painful way. Failure to know the fine print of the law is not excusable, neither is it excusable not to master the financial instruments in which our company trades, and the counterparty with which it enters into contracts.
Financial plans and control procedures which do not pay full attention to the fact that accounting rules and reporting systems are incompatible from one country to the other, mislead senior management into believing the situation is in control. Diversity in accounting rules and principles makes it impossible to do a first-class job in leveraging analytical knowledge across a variety of environments.
Therefore, well managed companies try to unify their accounting procedures. This is what Credit Suisse has done by adopting on a global basis the US Generally Accepted Accounting Principles (GAAP). In the spring of 1998 Credit Suisse Group embarked on a project to reconcile its financial statements to US GAAP in a phased process lasting until 2001.
Reconciliation to US GAAP is expected to bring the Group a number of benefits, including:
• Easier access to the international capital markets
• Better benchmarking with competitors and
• An improved ability to make acquisitions in the United States.
Don't be misled by easy labels. US GAAP, British GAAP, Canadian GAAP, and others using the same acronym are not the same thing. To better appreciate the important differences between US GAAP and accounting rules prevailing in Italy, an accounting system known as 'Italian GAAP', let us keep in mind that while the laws of physics are the same in all countries, accounting rules and laws of financial reporting vary.
Indeed, in the majority of cases prevailing differences between countries are quite important - and they are also misleading.
Take as an example the differences, and even contradictions, between Italian and American laws regulating financial reporting. A case in point is the determination of shareholders' equity as well as net income. Even the label 'Italian GAAP' is tricky because its rules have no relation to those of US GAAP - what the label actually means is that a financial statement has been prepared and presented in conformity with accounting principles generally accepted in Italy, including:
• Legislative Decree 87 of 27 January 1992, which implemented European Commission Directive 56/635 and Bank of Italy regulations of 16 January 1995 and
• A supplement on accounting principles issued by the Italian Accounting Profession (Consiglio Nazionale dei Dottori Commercialisti e dei Ragionieri), or in the absence thereof, those issued by the International Accounting Standards Committee (IASC).
In other words, what is collectively called 'Italian GAAP' is a set of rules which, though valid in Italy, give no assurance that net income and shareholders' equity as determined in accordance with its rules would not be higher or lower than financial reporting through another system - for example US GAAP. There is absolutely no assurance that financial statements would not differ from what they would have been if determined in accordance with other financial reporting frameworks.
Table 3.1 explains the most important outstanding differences between US GAAP and 'Italian GAAP'. As the reader will appreciate from this description, financial results reported by an entity in Italian GAAP would be misleading to the American financial analyst or auditor who is not aware of differences existing in the letter of the law. Such differences have nothing to do with creative accounting (see the next section) but rather with the fact that even in a globalized economy different jurisdictions have incompatible rules governing financial statements.