An implementation plan addressed to internal control, as well as the method chosen for its upkeep, should be tailored to a company's conditions without violating the basic principles I have outlined and the definitions given in the Appendix. One of these principles is that responsibility and accountability for internal control start at the level of the board of directors, the CEO, and senior managers. This is necessary because, as a rule, successful execution of internal control depends on leadership, not only on the collaboration of lower levels of supervision.
A question I am often asked in my seminars concerns the relation between general management duties, internal control and the functions of bank supervision. Figure 2.4 provides the answer in a nutshell. This response is specific to a banking environment, using limits and compliance as an example. A meaningful discussion of the current status and future perspectives of internal control can be made only with reference to specifics. Therefore, in this section and the next I take credit institutions as a reference, even if the evidence accumulating in new forms of risk suggests that most banks are behind what is required by a prudent internal control policy.
For instance, if its system of internal controls had been in good shape, the Bayerische Landesbank would not have had DM400 million in unwarranted losses. Bayerische Landesbank is a big institution, but it is not alone in this plight. In a large number of cases, even major banks do not have in place the system of checks and balances which would permit them to immediately control the type of exposure that took place at Barings and Daiwa Bank in 1995, or National Westminster Bank and Union Bank of Switzerland in 1997.
What is Meant by 'Internal Control'? 41

Figure 2.4 Roles and responsibilities of different agents concerned by the control of risk

General management: determines goals; sets limits; takes control action
Internal control: follows up on limits; records and reports deviations; informs on status in real-time
Bank supervision: assures compliance; keeps financial system dynamic; avoids systemic risk

The concept underlying internal control functions must promote in the most explicit manner the supervision and compliance requirements set by the board for conducting business activities. These must be observed at all times in order to safeguard the bank's future. Controlling the observance of clearly stated guidelines is the job of internal auditing, and as we saw in Chapter 1 internal audit should be assisted by intelligent knowledge artefacts:
• These agents must be designed by the institution, not bought as a commodity, and
• They should be implemented in collaboration between internal auditing and the technologists.
42 Why Internal Control Systems Must be Audited

Chapter 1 also brought to the reader's attention the fact that a bank's system of internal controls, and the technology supporting it, must cover all transactions by channel of activity and by desk: money market, capital market (securities and debt instruments), foreign exchange, loans and other interest rate exposure, traded commodities, and, most evidently, derivatives.
One of the tests which I make to ascertain the dependability of internal controls is whether transactions which are concluded in the bank's name, either for proprietary trading or for the account of third parties, are always carefully controlled and any deviations from rules immediately reported for corrective action. It is a good policy that not only transactions but also the portfolio of positions is evaluated both regularly and ad hoc for gains and losses which are recognized but not yet realized.
Internal control has a great deal to do with exposure, yet some institutions fail to appreciate that part of the overall system of controls is not only the information on creditworthiness to be obtained about counterparties by independent rating agencies, but also the internal analysis to be made in regard to each major counterparty. Another area of attention should be the market risks involved in transactions and those existing in the portfolio; still another is operational risk (see below).
Internal control, said one of the executives who contributed to this research project, is both a practical problem and a cultural problem embedded deep in our way of doing business. Another senior banker commented that to find a valid solution to internal control problems one has to distinguish three distinct phases:
• Identification that there is a problem
• Measurement to assure that we know the size of the problem
• The Solution, or alternative solutions, needed to end that problem, at least in its current form.
Identification, measurement and solution(s) are three giant steps in both personal life and business life that pervade our thinking, decisions, and actions. There is an important link here with the world of military intelligence: the tangible is given greater value than the intangible. Intangibles are harder to identify and measure; yet, sometimes, dealing with them is unavoidable.
Both for tangibles and for intangibles senior management must rely on analytical information. A great deal will be obtained by mining the bank's own database(s). Quite often, internal control is deficient because it is not formally established as both a concept and a practice, and financial institutions do not monitor every transaction in a rigorous manner. Also managers make judgements, implicitly or explicitly, which ignore some types of risk or lack detail. The discussion above also pressed home the point that the internal control solution which is good for one institution can serve another in only an average way:
• A sound internal control system must be designed in accordance with the scale, complexity, and risk content of the lending, trading, investing, and other activities conducted or projected.
What this bullet point essentially states is the principle of materiality, so dear to the accounting profession. We do not wish to either overshoot or undershoot the right level of internal control:
• A company's business strategy, its clients, its suppliers, its practices, and the market(s) in which it operates should be taken into account in designing the internal control system.
At the foundation of the control environment lies the fact that an effective organizational structure can provide an overall framework for forecasting, planning, staffing, organizing, directing, and controlling operations.
Reliable solutions consider such matters as the reporting relationships of organizational units; the assignment of authority and responsibility; and the constraints established over day-to-day and longer-term funding as well as functioning.
Efficient methods of communicating and enforcing the assignment of authority, and of watching over accepted responsibility, are those which clarify the understanding of, and improve compliance with, the organization's policies and objectives, for instance the policies regarding acceptable business practices and conflicts of interest. Job descriptions are necessary, and they should delineate specific duties and associated accountability.
Technology plays a key role in connection with communications methods. But while technology should be used to assist internal control, it does not substitute for management's responsibility for establishing and maintaining an interactive supervisory system designed to provide reasonable assurance regarding the integrity and reliability of financial statements - including prevention and detection of fraudulent financial reporting as well as protection of assets and their value.
WHAT IS MEANT BY A 'RIGOROUS INTERNAL CONTROL SOLUTION'?
A rigorous internal control solution is an integral part of overall risk monitoring, and it is embedded in the management structure covering all of a company's areas of business. But what is meant by rigorous? Webster's Dictionary says the term means: 'Severe, exact, strict, scrupulous, accurate, allowing no abatement or mitigation':
• All these definitions apply to an internal control solution, and the way it should be executed
• The mechanics of this solution should facilitate the identification and analysis of risks, from both trading and non-trading activities.
Here is how three different institutions look at this issue. At Bank J. Vontobel, internal controls focus on limits (private and institutional); all types of derivatives trades; credit lines; risk policies (clients and correspondent banks); brokerage operations; and assets/liabilities management. A quantitative and qualitative risk analysis done by internal auditing involves 11 weighted queries, the highest weight being given to internal control.
In the case of Bank Leu, the most important mission given to internal control is compliance. Bank Leu gave a good reason why internal control should be self-standing and should not be a part of auditing. According to its policy, auditing is a supervisory metalayer (see also Chapter 1). By contrast, internal control, risk management, treasury, lending, accounting, and other departments are concerned with day-to-day activities.
Lars O. Gronstedt, of Handelsbanken, suggested that at his institution credit risk and market risk are two distinct disciplines, and for practical reasons monitoring of these two risk classes is more efficient if they are kept in different organizations rather than integrated in the same one. However, Gronstedt added, internal control extends over all business activities, and the credit risk department is involved in setting market risk relevant limits, in so far as they concern market risk parameters used in establishing counterparty limits.
A few of the technologically most advanced banks pressed the point that internal control can also be seen as a system supported through networks, computers, and sophisticated software, which is at the service of all authorized managers and professionals in the bank - from board members to the lower level of supervision. And as we have seen in Chapter 1, high technology can also help in increasing the efficiency of auditing internal control.
Whether or not sophisticated software is used to make internal control functions more efficient, a well designed system will be flexible enough to enable the company to respond at short notice to changes in the market and in operational conditions. But flexibility does not mean lack of standards. On the contrary, the internal control and its individual components, methods, parameters, and computational procedures have to be documented in detail and reviewed regularly (at least annually). Also, they must be continuously developed to become more focused than they have been.
This task is doable, provided the bank not only uses high technology rather than classical and obsolete data processing software and hardware, but also invests its information technology where it counts: at the top of the hierarchical pyramid rather than at the bottom. As Figure 2.5 suggests:
• The information environment at the top of the organizational pyramid is unstructured. That is also where the intangibles exist.
• By contrast, at the bottom of the organizational pyramid the information environment is structured, and therefore it is easier to control.
We will be talking in more detail about information technology issues and investments in Chapter 13, but in a world of interdisciplinary activities a preview of issues which are further out in a discussion always helps in better appreciating the subject on hand. The point is that because organization-wise internal control belongs to the top of the pyramid, it should benefit from the most advanced technological solutions.
A rigorous internal control approach would pay full attention to the information technology being used, from networks and databases, to data mining, models, and interactive reporting through visualization (turning tables into graphs). Not only must the channels of communication operate in real time and all types of exposure be modelled effectively, but market-related parameters must also be adjusted immediately to changes in financial conditions and/or board decisions with an impact on the management of risk:
• Risk figures derived from risk-based audits (see Chapter 4) must be continuously compared with actual market data, as well as trends indicating a change in direction.
• In the event of major discrepancies between model-based projections and actual figures, senior management must be immediately informed.
Figure 2.5 Technological solutions addressed to high-grade professionals must be positioned in an unstructured information environment

Top management: unstructured information environment (areas where the majority of the IT money should be invested)
Middle management: semi-structured information environment
Clerical work: structured information environment (area where most banks spend the majority of their IT money)

A reference valid for all transactions, as well as for marking to market the bank's assets and liabilities, is that significant attention should be paid to the level of detail which can be reached through internal control. For instance, it is a relatively common practice that what are considered to be related securities are aggregated together in the same bucket. Yet not only does each of these instruments have its own risks, but exposure also varies in connection with the counterparty and its leverage. As a senior British banker was to suggest:
• A bank's internal controls have failed if it suffers a substantial loss from an event which was anticipated but not monitored
• Or, an event which was not anticipated by our bank while there is evidence in the financial industry about its occurrence and its perils.
An even greater peril is that people who have assumed risky positions in the hope of making some good profits for the bank (and commissions for themselves) may deliberately suppress or falsify records. This happens when they feel that their own career or that of their friends and supporters is in danger as red ink flows left and right.
Internal controls must also reflect the prevailing regulatory requirements by type of financial institution, country of operations, nature of instruments being handled, and other criteria. They must ensure that there is compliance with the rules set by regulators, for any transaction, anywhere in the world - and they should evolve to match the change, or anticipated change, in regulations.
For instance, an interesting part of German regulations regarding internal control is that traders should not permit brokers to run their own positions, and should not accept deals of the 'name-to-follow' type. They must insist that brokers name the counterparty immediately, the only exception being when brokers are allowed to enter into such a deal within the scope of exchange regulations. This is also a case which has to do with operational risk.