Internal auditors can play a role in reining in the complex risks associated with financial instruments.
Professor of Accounting
Loyola University Chicago
It is acknowledged that much of the blame for the recent global financial crisis lies with the blatant misuse of financial instruments, primarily derivatives. A basic question was and still is: Where were the auditors? Not just the public firms, but the internal auditors of these organizations as well. Internal auditors are responsible for evaluating and assisting with the improvement of their firm’s risk management process and maintaining effective controls that, in part, help safeguard assets and comply with laws, regulations, policies, procedures, and contracts. Internal auditors are familiar with the U.S. Sarbanes-Oxley Act of 2002 Section 404, Assessment of Internal Control, which, in part, requires management to affirm its responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting and, additionally, to assess the effectiveness of the internal control structure and procedures of the firm. Yet much of this was ignored by both external and internal auditors to the detriment of the global market and economy.
Internal auditors can audit the use of derivatives and the related processes and provide their firm and the firm’s shareholders some assurance that there are effective controls in place to mitigate the risk that these financial instruments could lead to massive financial destruction.
RISK ASSESSMENT OF DERIVATIVES
Derivatives are financial instruments that derive their value from other financial instruments, underlying assets, or indexes. For example, a simple derivative would involve a commitment by a company to purchase a commodity at a certain price at some point in the future. This is referred to as a futures or a forward contract, depending on how it is traded. Stock options and interest rate swaps are additional examples of common types of derivatives. Other derivatives are much more complex, involving, for example, the credit default swaps that made AIG infamous, and mortgage-backed securities, which caused havoc in the mortgage and banking industries.
Sarbanes-Oxley Section 404 generally requires firms to adopt an internal control framework such as that described by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). According to COSO, internal auditors play an important role in evaluating the effectiveness of control systems. As an independent function reporting to top management, the internal audit function is able to assess the internal control systems implemented by the firm and contribute to their ongoing effectiveness, especially as this applies to a firm’s risk management procedures. The complexity of derivatives leads to inherent risks that the internal auditor must be aware of, and the auditor must have a good understanding of the control mechanisms that should be in place for these financial instruments. One of the five components of COSO’s Internal Control-Integrated Framework is risk assessment. It states that every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of objectives. Thus the goal of risk assessment is to identify and analyze potential risks as to how they may impact business objectives and strategy.
Due to the inherent risks of derivatives (see “Inherent Derivatives Risks,” at right), perhaps nowhere in the internal
Inherent Derivative Risks
External risks consist primarily of:
- Identifying controls at service organizations that provide financial services and are part of the client’s information system (e.g., banks and other financial institutions).
- Obtaining an understanding of information systems for securities and derivatives that are highly dependent on computer technology.
- Applying complex accounting principles such as hedging requirements to various types of financial investments.
- Understanding the methods used to determine the fair values of financial investments, especially those that must be valued using complex valuation models.
The complexity and high potential risk associated with derivatives make risk assessment procedures and strong technical knowledge a priority for CAEs. According to Standard 1210: Proficiency, if knowledge, skills, or other competencies are lacking within the internal audit department, it is the responsibility of the CAE to obtain competent advice and assistance.
CONTROL AND TESTING OF DERIVATIVE INSTRUMENTS
Internal auditors can use internal control and substantive testing procedures specific to derivative instruments on an ongoing basis to help reduce derivative risk. A detailed, though not comprehensive, list of the procedures, adapted from Statement on Auditing Standards (SAS) 92: Auditing Derivative Instruments, Hedging Activities, and Investments in Securities, is presented below.
Develop expectations and limitations. Formal investment policies that limit the nature of derivatives must be developed, communicated, and followed. Examples abound of investors who go “off the grid” and make large gambles that go sour and require investors to escalate their behavior to cover incurred losses. An investment committee of the board of directors should be established that authorizes and reviews financial investment activities for compliance with investment policies. Any investment that potentially exceeds established limits should be formally approved in writing by designated senior managers. Top managers and the board of directors should set formal limits on investment risk, which is critical in setting the tone at the top.
Separation of duties. There must be a separation of responsibilities between the executive authorizing purchases and sales of derivative instruments, the custodian of the securities, and the person maintaining the records of investments. In many instances, segregation of the functions of custody and recordkeeping is achieved by the use of an independent safekeeping agent, such as a stockbroker, bank, or trust company. Because the independent agent has no direct contact with the employee responsible for maintaining accounting records of the investments in derivatives, the possibilities of concealing fraud through falsification of the accounts are greatly reduced. If securities are not placed in the custody of an independent agent, they should be kept in a bank safe deposit box under the joint control of two or more of the company’s officials. Joint control means that neither of the two custodians may have access to the securities except in the presence of the other. A list of securities in the box should be maintained within the box, and the deposit or withdrawal of securities should be recorded on this list along with the date and signatures of all persons present. The safe deposit box rental should be in the name of the company, not in the name of an officer having custody of securities.
Recordkeeping. There must be complete detailed records of all derivative instruments owned and the related provisions and terms. Registration of the derivatives should be in the name of the company. An internal auditor or an official having no responsibility for the authorization, custody, or recordkeeping of investments should conduct periodic physical inspection of securities on hand by comparing the serial numbers and other identifying data of the securities examined with the accounting records and reconciling the subsidiary record for securities with the control account. If the entity engages in derivative transactions, the auditor or official also should review the terms of derivative instruments for compliance with investment policies and appropriate financial accounting and disclosure.
Obtain or prepare an analysis of the investment accounts and related revenue, gain, and loss accounts, and reconcile them to the general ledger. The analysis of financial investments will show the beginning and ending balance for the year, purchases and sales of investments during the year, interest and dividends earned, and realized and unrealized gains and losses. If numerous purchases and sales of investments have occurred during the year, separate schedules of those transactions may support an overall summary schedule of investments. The auditors should make certain that totals on the schedules agree with totals recorded in the general ledger.
Inspect and review underlying derivative agreements. The internal auditors should count derivative contracts held by the firm at year-end, and verify that the derivatives are registered in the company’s name, including the serial numbers. The auditors also should review and analyze the derivative instruments and other agreements that may contain embedded derivatives. For example, a loan agreement might contain a provision to swap a fixed interest rate for a variable interest rate under certain circumstances. This analysis is designed to determine that all derivatives are appropriately recorded and valued in the financial statements.
Confirm derivative instruments with holders and counterparties. Derivative contracts often will be in the hands of brokers or banks for safekeeping. In such cases the auditors should send a confirmation request to the holders of the investments to determine existence and ownership. The auditors also should confirm the terms of derivative instruments with the counterparties — the other parties obligated under the agreements.
Verify purchases, sales, and cutoffs. To determine that investments purchased and sold during the period are recorded correctly, the internal auditors should vouch a sample of transactions by reference to brokers’ statements. In addition, they should review transactions for one or two weeks after the balance sheet date to ensure a correct cutoff of transactions. Sometimes sales occur shortly before the balance sheet date but go unrecorded until the derivatives are delivered to the broker early in the next period. Also, inspection and confirmation procedures will help ensure appropriate cutoff of derivative transactions.
Review investment committee minutes and reports. Review of these reports may disclose unrecorded purchases and sales of derivative securities. This procedure is especially important for derivatives because transactions may not involve the payment or receipt of cash. For example, if the firm engages in a foreign exchange forward contract, there may be no exchange of cash at the time the contract is executed. In addition, derivatives may be embedded in other financial instruments such as a loan agreement.
Inspect documentation of hedging intention. To account for a derivative instrument as a hedge of an asset, liability, or future transaction, management must establish at inception the intent to hedge, the method to be used to assess its effectiveness as a hedge, and the measurement approach for determining the effective portion of the hedge. Therefore, review of the documentation of management’s intent in hedging assessment procedures is essential to the audit of derivative instruments.
Evaluate the income measurement method. Internal auditors are an integral part of evaluating the reliability and integrity of financial and operational information. With respect to this, internal auditors should possess at a minimum general knowledge of the measurement and reporting requirements of derivative instruments. Accounting for derivative instruments is guided primarily by Accounting Standards Codification (ASC) 815: Derivatives and Hedging, and ASC 820: Fair Value Measurements and Disclosures. All derivative instruments are valued at their fair values, but the unrealized gains or losses are accounted for differently depending on whether or not the instruments are classified as hedges. Unrealized gains or losses on the effective portions of hedges of recorded assets or liabilities are offset by related increases and decreases in the hedged assets or liabilities. Unrealized gains or losses on the effective portions of hedges of future transactions are recorded as part of other comprehensive income in the client’s financial statements. Such gains or losses become adjustments to the recording of the hedged transactions when they occur. Finally, unrealized gains or losses on the ineffective portions of hedge derivatives and nonhedged derivatives are recorded as a part of net earnings in the client’s financial statements.
Evaluate fair value (mark-to-market) measurement calculations. To audit the fair value of derivatives, current market prices can be obtained by reference to quotes in financial publications, such as The Wall Street Journal, various sources on the Internet, or by obtaining representations from securities brokers. If a derivative has no active market, management may obtain an appraisal of fair value from a securities appraiser. When a valuation model, such as an option-pricing model, is used, the internal auditor should assess the reasonableness and appropriateness of the model and evaluate the reasonableness of the underlying assumptions. The auditors should determine that the model considers all aspects of risk, such as counterparty credit risk, risk of adverse changes in market factors, and risk of losses from legal or regulatory action.
Evaluate hedging effectiveness. For derivatives classified as hedges, internal auditors should evaluate the continued effectiveness of the derivative as a hedge and determine that the gains and losses from the effective and ineffective portions of the hedge are appropriately classified. If the auditors find evidence of impairment of the value of any investment, it should be written down to its net realizable value.
Evaluate financial statement disclosure and presentation of derivatives. The auditors must determine that investments are separated into short-term and long-term portfolios. In addition, generally accepted accounting principles require the disclosure of the method of accounting for the derivatives and aggregate market values of the various portfolios. There also should be disclosure about the amount of realized and unrealized gains and losses, as well as the allowance for market decline of both the current and long-term portfolios. Moreover, the financial statements should disclose the details about debt and equity securities and derivative instruments held at year-end.
The implementation of these policies and procedures will help the firm maintain strong control over its derivative instruments and reduce, but not eliminate, the inherent risks associated with these valuable, but potentially dangerous, financial assets.
DERIVATIVES AS A TOOL
There can be no doubt that the abuse, whether intentional or unintentional, of derivatives by various entities over the past several years has had a profoundly adverse effect on both a regional and global level. Yet derivatives, like fire, are not inherently bad. They were initially developed to help mitigate firm risk, not expand it. Assisted by internal auditors, derivatives that are appropriately developed, controlled, and monitored can provide firms with a powerful tool to manage risk and bring a measure of stability to a firm working in today’s complex, risky, and ever-changing global environment.
To comment on this article, email the FSA Times editor at firstname.lastname@example.org .