How to get the best out of derivatives--an effective control structure is the key.

Internal Control And Derivatives

By Kenneth K. Marshall

Kenneth Marshall is the director of Internal Audit of Salomon Brothers, a major international investment banking and brokerage firm. A former senior partner at Coopers & Lybrand L.L.P., Marshall joined Salomon as a managing director in 1993 to spearhead the firm's reengineering and reinvigoration of its internal control structure. The CPA Journal spoke with Marshall on the subjects of derivatives, internal control, and his audit approach at Salomon.

Several recent, highly publicized incidents have created the popular perception that derivatives are inherently bad financial instruments that have caused firms and government entities to lose enormous sums of money. However, I think you have to look beyond the headlines to understand the true message of these incidents.

For example, in two of the recent financial disasters, Orange County, California and Barings Investment Bank in Great Britain, derivatives were initially reported as the culprit. However, in both cases, the problems were caused by fundamental weaknesses in internal control rather than anything inherent in derivative instruments. Based on published accounts, the Orange County problems stemmed largely from uncontrolled use of repurchase obligations that were collateralized by U.S. Government securities. The county treasurer leveraged the county's portfolio manyfold by betting on interest rate moves through basic repurchase agreements, a commonly used financing technique that has been around for a long time. This raises questions about Orange County's risk management system and its basic oversight of the treasurer's activities. For instance, did the county have a way to accurately measure its exposure to interest rate changes? Could the county evaluate that exposure relative to its tolerance to withstand market losses? Did the senior, responsible officials of the county have knowledge of and understand the treasurer's investment activities? These are critical questions that any entity engaging in investing should be able to answer.

In the Barings case, the trader responsible for the huge losses was dealing in one of the simpler types of derivatives--exchange-traded options. Not only were his trades in "plain vanilla" derivatives, the trades occurred in a highly regulated, exchange environment. However, the recent report on Barings done for Britain's Chancellor of the Exchequer found a "material failure in the management, financial, and operating controls...that enabled massive, unauthorized positions on exchanges to be established without detection." One specific control breakdown was that this employee appeared to have responsibility for trading and for the operations and recordkeeping areas that supported the trading function. By allowing the trader to have these dual responsibilities, Barings violated the long-established and tested principle that these duties should be segregated. Because of this management control gap, the trader was able to amass a $27 billion "bet" tied to the direction of Japanese stocks and bonds without management knowledge.

Derivatives are not inherently bad, but they are inherently complex. Boards of directors and senior managements need to sufficiently understand the complexities of derivatives, the uses of derivatives in their companies, and the need to monitor the risks associated with derivatives. Similarly, they need to be cognizant that derivatives, because of their many nuances, require a control structure that is in keeping with their complexities and the systems needed to adequately process the transactions.

It may be helpful to present some of the broader concepts of internal control before discussing the specifics of controls in the derivatives area.

Change as a Factor in Designing Controls

Over the last decade, the financial services industry has seen explosive growth and significant changes that are both internally and externally driven. Clearly, some of this change is related to increases in derivatives activities. But the bulk of change is attributable to other factors, such as a) the continued evolution of the "global" marketplace, b) organizational restructurings, c) corporate downsizing, and d) technological developments that permit the streamlining of manual systems and the creation of many new, often complex products. These changes have come rapidly, often without a full understanding or consideration of their effect on systems of internal controls.

Traditionally, controls have been established at a functional, highly centralized level. Reengineering and other changes often result in the dismantling of controls in the hurry to eliminate fat or layers of "unnecessary" middle management. We are in a state of rapid change where company managements have often not taken the time to reexamine their traditional control structures and systems to see if they are still relevant and effective.

A recent example of a major change in the securities industry was the shortening of the equity settlement cycle from five business days to three business days. This change put pressure upon existing systems, procedures, and control structures and, needless to say, has been a major challenge to many firms in the industry. But the early stages of the changeover have gone smoothly, which may suggest that the industry is learning how to adapt to rapidly changing conditions.

At Salomon, I attempt to focus the Internal Audit Department's resources toward the firm's highest risk areas. In doing so, we make a presumption that change and risk are correlated. In other words, when there is a major change, such as a reorganization, implementation of a new system, acquisition of a new business, expansion into a new country, introduction of a new product, or passage of new regulations, there is added risk that controls will be under stress or inadvertently eliminated. Auditors need to understand and analyze how well the change is being managed. Now, let's turn to internal control.

What Is Internal Control?

Internal control is often thought of as the detailed procedures and practices put into place to catch errors and prevent fraud. But, internal control is much more comprehensive than that. Internal control should be understood as a process by which a company's management and employees keep the risks of the business within acceptable bounds.

The foundation of internal control is built with management's own vision of the importance of controls. It's the process and structure used by management, under the guidance and oversight of a board of directors, to manage the risks inherent in the company's business. Risks inherent in the financial services industry include market risk, credit risk, operational risk, legal risk, regulatory risk, compliance risk, reputational risk, and technology risk. Management must understand the risks before it can effectively manage them.

Each of these risks can be broken down into subsets. For example, market risk has several components that relate to movements of prices and interest rates. Market risk also includes liquidity risk (the risk of not being able to unwind a position quickly), basis risk (the risk when different products are used to hedge each other that they may not be sufficiently correlated), and gamma risk (the risk that an investment will move in a nonlinear fashion relative to an underlying hedge). Basis and gamma risk factors may have caused holders of certain derivatives to get burned even though they thought they were fully hedged.

Operational risk consists of traditional concepts, such as authorization to commit a firm's money, safeguarding of assets, complete and accurate recording of transactions, orderly and timely processing and clearance of transactions, and reconciliation of individual trade details to a firm's aggregate records.

Compliance and regulatory risk are diverse. Since these risks vary from locale to locale, we think of them in terms of broad categories of concerns that regulators or lawmakers may have. Some common regulatory or compliance concerns involve market manipulation, conflicts of interest, suitability, and maintaining confidentiality of nonpublic information.

Technology risk relates to the potential loss of a firm's competitiveness in the marketplace due to inadequate technology, both for maintaining the business and servicing customers. In addition, technological risk is often associated with the need to protect systems, and the data contained on them, from unauthorized access and tampering.

All organizations have an acceptable risk tolerance level and it is imperative that management understand its "risk appetite." For example, a bank may be willing to accept more credit risk than market risk. In general, companies in the financial services industry have the least tolerance for compliance and regulatory risk.

Internal Control Structure

Once a firm understands its risk appetite, it can build an effective control structure. I like to think of the control structure in terms of a five-level pyramid, which is very similar to the approach in the Committee of Sponsoring Organizations (COSO) report, Internal Control--Integrated Framework. At the top of the pyramid is the "tone" of control and compliance philosophy.

Tone at the Top. Without a proper tone from senior management and the board of directors, it would be difficult, perhaps impossible, to set up a good control structure. Their view, and the messages they send to the firm as a whole, will virtually dictate the nature of control and the ethical standards in the organization. Once articulated, management's message must be clearly and frequently repeated and disseminated throughout an organization.

Tone at the top is established in several ways--written policies, training programs, and management actions--all of which are necessary to send an accurate message to staff. Consider, for example, how senior management reacts to an unpleasant surprise--does it "circle the wagons" or "shoot the messenger"? Or does it respond openly and promptly to correct the problem?

Tone at the top does not end with the highest levels of management. Each department or function within an organization must convey a control philosophy that is consistent with overall firm management. Whether it wants to or not, each department sends its own control message, and each department head must establish a mini-pyramid. If the manager of a business or support unit does not convey a proper concern for control, neither will his or her staff.

One way for management to clearly communicate its tone is to include performance related to control matters as part of employee evaluations. If staff promotions and compensation are based in part on controls management, then internal controls should improve.

Risk Assessment. The second level in the pyramid is "risk assessment"--understanding a firm's inherent risks and addressing them in relation to the firm's risk tolerance. But, beyond that, each operating department within a firm must "buy in" to the importance of identifying, evaluating, and managing the risks in its area. This, of course, follows from the tone set at the top--both firm-wide and within each department.

Management Information. The third level of the pyramid is management information. Without complete and accurate information about what is going on, it is impossible to be "in control." For large, multinational companies, particularly those in the financial services industry, management information is usually one of the most difficult and challenging undertakings because the products, technology, and activity continually change at high velocity. Keeping systems up-to-date--able to handle increased volumes of complex transactions--and properly integrated from a global perspective is like "running on a treadmill."

Control Activities. The fourth level of the pyramid concerns "control activities." These are the many control procedures and activities that are established to ensure that all business activities are properly authorized, that data is completely and accurately recorded and summarized in the books and records of the company, and that data is properly analyzed, periodically reconciled to independent sources, and regularly correlated to expected outcomes. These control procedures and activities comprise the sum total of daily and monthly duties of virtually all employees. They are not limited to financial accounting controls.

Monitoring Activities. Finally, management needs to establish proper "monitoring activities" to ensure that their systems of internal control are operating as intended. Monitoring activities need to permeate the organization, in a nonthreatening way, and be the eyes and ears of management looking for anything that might go wrong.

Monitoring and surveillance activities need to be designed to fit the nature of the business and its supporting activities. For example, if a company trades securities for its own account, it must be able to monitor for possible illegal activities, such as market manipulation or parking securities. If that same operation expands to include trading the same products on behalf of customers, management has to consider the potential for other unwanted activities to occur and enhance its monitoring and surveillance activities accordingly. Such a firm would then need systems to monitor potential conflicts of interest, such as whether the customer received the best execution or price on a trade.

The overall message is that the monitoring activities must be dynamic enough to adjust to changing environments, yet structured enough to accomplish their objectives.

Monitoring and surveillance activities can operate on a centralized or decentralized basis. No one way is necessarily right; what works best and in synergy with the business side is usually what companies choose. At Salomon, we have both types. For example, we have compliance staff in place in the business unit to be there where the action is taking place. But, we also have a centralized compliance unit keeping a watchful eye on patterns or developments that could indicate a problem. We also have centralized risk management and credit functions and other centralized control activities, including internal audit.

To summarize, in order to have an effective control structure, managers, from the most senior down to department heads, must have an understanding of the nature of controls and the risks they are designed to keep within defined "acceptable bounds." This cannot be done merely by issuing a memo from the president with that being the end of it. Internal control is an ongoing "process" with feed-back and corrective action, all done as the business continues to change. Consequently, there has to be a robust, flexible, and continuous improvement process in place.

Internal Audit at Salomon Brothers

In an organization the size of Salomon, an internal audit department plays many roles in seeking to strengthen controls. Perhaps the biggest difference between our approach and the traditional internal audit approach is that we strongly emphasize proactive auditing in addition to traditional auditing. We use our skills to help the business units establish or enhance their control structures, which we believe gives us the most bang for the buck. Let me elaborate on a few of our internal audit "concepts."

Promote a Learning Environment. We sometimes work directly with departments to help them better understand the nature of risks they face and how to control them in the most effective way. I have found that managers are receptive to this approach, especially since they are held accountable for controlling all the risks inherent in the business activities they supervise. By helping the business units establish a good control structure, our contribution to the firm has a multiplier effect.

Analyze Incidents of Control Breakdowns. We conduct forensic analyses of problem situations. We search for the cause of the problem and then craft recommendations that will address the cause and correct the problem. In addition, we identify how the control system in place missed detecting the problem. We also analyze incidents that occur outside the firm to learn from the experiences of others.

Deploy Internal Auditors from Varied Disciplines. An internal audit department needs a varied skill set among its staff. A common misconception about internal auditors is that they must be fully knowledgeable in all the nuances and intricacies of the business units. I don't think this is the case. While it is necessary for an auditor to be able to discuss the various aspects of a particular business unit intelligently, the auditor does not need to be a practitioner to make useful recommendations. Often, an auditor who has some distance from the daily operations of a business unit adds value by providing a fresh perspective.

Control Is a Firm-Wide Responsibility. Some might conclude that the head of an internal audit function in an organization is the chief control officer. That is not the case and it is dangerous to view the audit role in this fashion. In the pyramid concept discussed earlier, each head of an operating function has been deputized as the chief control officer of that function. By viewing control in this fashion, a company is more likely to have a strong control fabric running through the organization.

Illustrating Controls in the Derivatives Area

A firm can apply the internal control techniques that I have explained to its derivatives activities just as it can to other business areas.

Look, for example, at the issue of supervision, one of the fundamental control activities of our pyramid. Allegations of lax supervision have been made in the Barings collapse, including suggestions that the trader's supervisors did not understand the products he was trading. An effective review of trading supervision would need to answer a) who manages the trading desk, b) who monitors or supervises the traders, c) whether the supervisor understands the transactions being conducted, d) whether the supervisor has been properly instructed and indoctrinated into the firm's culture and the importance it places on controls and risk management, e) who the supervisor reports to, f) whether risk reports are prepared, g) whether there are adequate controls to ensure the risk reports are accurate, h) whether the firm has a chief risk manager, or risk management committee, or both, and i) whether those people assume an oversight function. As you can see, these are the same questions that surface whether you are dealing in derivatives or any other product.

A second example, this time from the management information part of the pyramid, is trade processing. Information about each trade should be automatically forwarded to an operating part of a firm. With derivatives, this becomes extremely important because the actual economic event affecting the trade may be another security or may not take place for an extended period of time.

Derivatives pose special control problems because they are relatively new, possess unique characteristics, and can behave in a very volatile fashion. They require constant attention to make sure that those who deal with them fully understand their complexities.

The Industry Responds

The recent Derivatives Policy Group (DPG) initiative, developed by six large derivatives dealers in the U.S., working with the SEC and the CFTC, outlines a framework for voluntary oversight for each firm's unregulated, over-the-counter derivatives business. This framework requires each such firm to establish and maintain rigorous management controls over OTC derivatives and provides for expanded risk disclosures to SEC and CFTC. In addition, each firm must subject its management control standards to an independent auditor's review, which will be provided to the regulators.

The DPG initiative is a major step in the right direction toward measuring and dealing with a whole host of related control, risk management, and legal issues. As a member of the DPG, Salomon took an active role in shaping the initiative and is committed to a worldwide effort to incorporate the control objectives contained in the DPG framework. In Internal Audit, we are playing a major role in designing the control framework and in assisting the business and risk management units in incorporating the DPG guidelines.

The Cost of Control

There can be a competitive cost of control, but if control is handled properly, cost should not be a major factor in the equation. Effective control does not mean adding a major separate infrastructure. The key is creating a culture throughout the company that instills an awareness and sensitivity at the front end of the business, where the action is actually taking place. Then, there will be less need to double-check and audit the transactions. Obviously, you can never completely eradicate the need to audit and provide assurance. But, if you invest in an effective control structure, there will be fewer controversies with customers, other firms, and regulators. And controversies attract sizable costs.

OCTOBER 1995 / THE CPA JOURNAL


