The need for Continuous Monitoring and Assurance for Financial Institutions
Michael Alles
Miklos Vasarhelyi
Department Of Accounting, Business Ethics And Information Systems
CONTECSI 2008: I SIMPÓSIO DE AUDITORIA CONTÍNUA

Background: A Serious Crisis
• Bank write-downs from subprime crisis are $355 billion and growing: by most measures, larger than either S&L or Latin American debt crises of 1980’s.
• Estimates are that this crisis will be longer and deeper than any other before and losses at investment banks could amount to 2 ½ years of profits!
• House prices in free-fall in much of the developed world as mortgages become difficult to get even for borrowers with good credit.
• Some consider banking sector to be facing a crisis of 1930’s proportions as entire basis for modern banking practices brought into question, as well as the governance/regulatory structure that gave rise to it.

1. Why don’t we learn?

Why don’t we learn?
• In 1997/1998 LTCM failed precipitously, forcing a Fed intervention to coordinate 16 banks to contribute close to 4 billion dollars to shore up a largely deregulated institution that was operating with leverage of around 30 times capital, ignoring even their swap and derivative positions
• The total effect on the economy, justifying the Fed’s action, was estimated to be about 1 trillion dollars
• Among the major players for countertrades and financing for LTCM were Bear Stearns, Chase, and Merrill Lynch
• The epilogue was that these firms escaped largely unscathed and recovered their investment and loans with positive returns in about 18 months after Mr. Greenspan’s interest lowering

Why don’t we learn? (2)
• Greatly contributing to the crisis, net of the different international currency crises, were
– the total lack of transparency of LTCM positions
– the ignorance by counterparties of LTCM of their intricate web of relationships and exposures
– the nearly totally unregulated nature of hedge funds
– the immense greed of both LTCM partners and their counterparties
– the lack of disclosures on derivatives by all parties

Why don’t we learn? (3)
• Since those days (10th year anniversary celebration of LTCM)
– The FASB issued derivative disclosure rules
– Many other types of financial instruments continue to be non-reported under the guise of competitive impairment
– As private equity and hedge funds remained largely unregulated and Sarbanes increased the onus of regulation, a large amount of funds was routed to these entities
– The financial institutions refined the use of SPE-like entities for their funds
– The amounts at serious risk are now in the hundreds of billions, not in the pittance amount that partners were forced to contribute at LTCM
– Write-downs at banks are accumulating to the 100 billion mark and continuing

Background considerations
• The ill-defined nature of the boundaries of business entities with special purpose entities and partnering organizations impacting the firm’s balance sheets, but which are often outside the scope of existing audit practice.
• The inability to fully assess the value at risk from financial instruments and contracts whose underlying assumptions are unclear and whose value depends on market dynamics and market confidence to a degree that only now is being realized.
• The interlocked nature of financial entities and instruments that are being measured, assured, and valued separately, and with less control than many had assumed, with, for example, hedge operations involving numerous instruments often managed and monitored on nothing more sophisticated than a spreadsheet.
• As the Societe Generale case has demonstrated, even seemingly sophisticated real-time controls have weaknesses stemming from their own lack of security, monitoring and alarm handling features. Firms may be monitoring the wrong people and the wrong things and not know what to do with the information that controls are generating.

Audit considerations
• The sufficiency of capital to give a “going concern” opinion and satisfy banking regulation.
• The “arm's length” valuation of the financial assets of the auditee, the value at risk that they pose.
• A methodology for ensuring that such instruments are properly recorded when they are created or traded and that controls are in place to monitor how they are utilized.

An Evolving Crisis
[Diagram: a pool of subprime mortgages, with these annotations]
Subprimes are sold to clients that cannot afford them or speculators
Moral hazard: the one that sells the mortgage is not who ultimately carries it
Many forms of mortgages have been engineered to minimize monthly payments
These lower quality loans carry higher interest rates, therefore pay higher sales commissions
With the passing of time or decrease in real estate values these mortgages become

Perverse incentives
• Loan originators and loan carriers
– Preying on uneducated consumers
– Too complex titles
• Rating agencies
– Being paid by the rated entities
• Accounting rules
– Allowing again “off balance sheet entities”
– Fair value valuations precipitating unintended consequences … a cooling period with double reporting would help
– Clueless in non regulated markets
– Clueless in dealing with regulated interfacing with unregulated parties
– Clueless in general

An Evolving Crisis
[Diagram: pools of subprime mortgages labelled Subprimes, Subprime B and Subprimes C, with these annotations]
Sold by one entity, acquired by another that converts them to a SIV (Structured Investment Vehicle)
They are sold as paper to banks wanting to improve their returns
These are broken down into different risk categories called “tranches”

An Evolving Crisis
[Diagram: the same pools, now linked to short-term financial paper, with these annotations]
Sold by one entity, acquired by another that converts them to a SIV (Structured Investment Vehicle)
Banks sell the tranches to clients that finance it issuing short-term paper
Off balance sheet entities are created

An Evolving Crisis
[Diagram: the same pools and short-term financial paper, with these annotations]
Sold by one entity, acquired by another that converts them to a SIV (Structured Investment Vehicle)
Swaps are sold insuring the instruments
Banks sell higher interest yielding insured instruments
Off balance sheet entities are created

Market Failure
• The credit crisis has choked off many of the markets that banks in recent years relied on to take assets off their balance sheets. Issuance of mortgage-backed securities has dropped sharply, while demand for more complex instruments such as C.D.O.s has dried up completely.
• Many bankers think it will be months, if not years, before they can start issuing these securities again. If and when they do, investors are bound to demand higher returns than before and are likely to require banks to demonstrate confidence in the securities by keeping a greater proportion themselves.
• In short, this means that banks will be forced to fund more of their future loans from their own balance sheet resources.

Banks Need To Strengthen Balance Sheets
• Several of the world's largest banks (Citigroup, Merrill Lynch, UBS and Morgan Stanley) have sold multibillion-dollar stakes to Asian and Middle Eastern investors and Sovereign Wealth Funds to boost their capital amid heavy losses on mortgage investments.
But as banks increasingly take responsibility for assets that had been held in off-balance sheet funds such as SIVs, their capital needs have grown.
• Goldman Sachs estimated that $475 billion of “extra” assets had been moved to bank balance sheets since the credit crunch picked up speed earlier this year.
• Mortgage insurance entities have been shored up by the same banks that they insure.

3. Monitoring financial institutions

Are the raters reliable monitors?
• Plans by Standard & Poor’s to revamp its governance procedures, analytics and ratings transparency mark the latest in a series of mea culpas from the leading credit rating agencies as they attempt to restore their credibility with investors.
• Moody’s, Fitch and S&P have in recent months come under intense fire from investors and regulators in the US and Europe after complex structured finance instruments they rated have suffered losses far in excess of the rating agencies’ initial expectations.

Is the government a reliable monitor?
• The government has stayed largely on the sidelines watching the financial bubble grow
• The regulatory umbrella is cumbersome, prone to political intervention, and lacks effective weapons to deal with the powerful banking establishment
• Since the deconstruction of the Glass-Steagall Act, banks have become investment banks and vice-versa. Hedge funds and private equity have taken secondary and tertiary roles in this process.

Are auditors reliable monitors?
• External audit methodology is anachronistic
– The point-in-time audit is not designed to
– Monitor fast moving financial operations
– Detect going concern weaknesses in short periods of time
– Measure integrated risk faced by financial institutions
– Deal with the fuzzy boundary issues of interlinked financial agents
• Internal audit groups
– Are better positioned to deal with these issues
– Do not have the monitoring and control charter
– Need to develop a comfort zone for monitoring and assurance functions to be negotiated among the Basel II, compliance, fraud, Sarbanes, and operating groups

Underlying Causes Of LTCM Debacle
• Greatly contributing to the crisis were:
– the total lack of transparency of LTCM positions
– the ignorance by counterparties of LTCM of its intricate web of relationships and their consequent exposure
– the effectively totally unregulated nature of hedge funds
– the immense arrogance and greed of both LTCM partners, counterparties and investors, all of whom were seduced by the Nobel Prizes of the LTCM partners
– a refusal to ask hard questions and to insist on usual controls and standards of prudence
– the lack of disclosures on derivatives by all parties

LTCM Had Little Long Term Impact
• 10th year anniversary of LTCM:
– The FASB issued derivative disclosure rules, but disclosures remain opaque.
– Many other types of financial instruments continue to be under-reported or non-reported under the excuse of competitive impairment.
– As private equity and hedge funds remained largely unregulated and Sarbanes-Oxley increased the regulatory burden on public firms, a large amount of funds was routed to these entities.
– The financial institutions refined the use of SPE-like entities for taking assets and liabilities off the balance sheet.

Securitization: The Great Driver
• Securitization—transforming cash flows from assets into bonds—is the real driver of the SPM-crisis.
• Bankers created a new market from slicing, dicing and packaging mortgages into such new derivative instruments as mortgage backed securities, collateralized debt obligations, C.D.O.’s squared, special purpose vehicles etc.
• At best these structured finance products allowed risk to be better allocated and diversified and hence expanded the amount of credit that could be offered: a key feature of the Basel II standard.
• At worst, they vastly leveraged the amount of gambling that could be done on the financial markets: C.D.O.’s of some $75 billion generated trades with a notional value of $60 trillion.

Key Enabler: Ratings Agencies
• Ability to sell these derivative products depends on their ratings. Instead of being gate keepers, rating agencies became “gate-openers”.
• Analysts look at mathematical models, not details of the underlying mortgages. Moody’s did not even have access to the individual loan files. Certainly did not communicate with the borrowers or try to verify the information they provided in their loan applications.
• “We aren't loan officers. Our expertise is as statisticians on an aggregate basis. We want to know, of 1,000 individuals, based on historical performance, what percent will pay their loans?” Claire Robinson, a 20-year veteran for Moody’s.

Ratings System Broke Down
• Centrality of ratings for process and fact that seller not buyer paid for rating created obvious incentive problem: “Every agency has a model available to bankers that allows them to run the numbers until they get something they like and send it in for a rating” says former Moody’s securitization expert.
• Moreover, valuing derivatives more difficult than valuing underlying assets when they are put through securitization process: “Four thousand pieces of a Porsche are more difficult to value than a Porsche itself and the sum of the parts does not equal the whole,” says Bill Michael of KPMG.
• In the anything-goes climate of 2006, Moody’s had only a single day to value a mortgage backed security.

Implied Versus Actual Ratings
• Moody's Analytics, which operates separately from Moody's ratings division, uses credit-default swap prices as an alternative system of grading debt.
• These so-called implied ratings often differ significantly from Moody's official grades, suggesting higher default risk than Moody’s official ratings.
• And the data shows that the implied ratings are more accurate predictors of default risk.
• “The only thing holding [securities] at AAA is simply the model that the rating agencies claim they use to judge that capital and the fact they know that if they downgrade the companies, it'll push them into default”. Tim Backshall, CDR LLC.

Lessons For Auditing From Recent Crises
• Point of recounting this story is to understand the challenges facing governance and control of financial service firms today. Many lessons available from recent crises, but one lesson is that such lessons have to be continuously re-learnt.
• Societe Generale is tightening computer security, significantly investing in information technology, reinforcing controls and taking more account of the possibility of fraud.
• Clearly technology has a major role to play, but it is not a magic bullet. Need to take behavioral issues into account.
• Technology can indicate that something is wrong, but it cannot stop risky behavior.
• None are as foolish as those willing to be fooled.

Tasks Auditors Will Have To Perform
• Assess the sufficiency of capital to give a “going concern” opinion and satisfy banking regulation.
• Conduct “arm's length” valuation of the financial assets of the client and assess the value at risk that they pose.
• Develop a methodology for ensuring that complex derivative instruments that pose particular risks are properly recorded when they are created or traded and that controls are in place to monitor how they are utilized.

Challenging Audit Environment
• Boundaries of business entities are increasingly ill defined with special purpose entities and counterparties impacting the firm’s balance sheets, but which are often outside the scope of existing audit practice.
• Difficult to assess VaR from financial instruments and contracts whose underlying assumptions are unclear and whose value depends on market dynamics and market confidence to a degree that only now is being realized.
• The interlocked nature of financial entities and instruments that are being measured, assured, and valued separately, and with less control than many had assumed.

Challenging Audit Environment Continued
• Hedge operations involving numerous instruments are often managed and monitored on nothing more sophisticated than a spreadsheet. Pervasive problem in finance and insurance.
• As the Societe Generale case has demonstrated, even seemingly sophisticated real-time controls have weaknesses stemming from their own lack of security, monitoring and alarm handling features. Firms may be monitoring the wrong people and the wrong things and not know what to do with the information that controls are generating.
• Application of accounting rules, especially Fair Value, may cause unforeseeable problems, impacting markets, not just providing a neutral measurement.

Audit Methodology Behind The Times
• External audit methodology is an anachronism.
– The periodic, backward looking audit is not designed to monitor fast moving financial operations or detect going concern weaknesses in short periods of time.
– Fails to measure integrated risk faced by financial institutions.
– Or deal with the fuzzy boundary issues of interlinked financial agents.
• Internal audit groups.
– Are better positioned to deal with these issues.
– But they often do not have the monitoring and control charter.
– Need to develop a comfort zone for monitoring and assurance functions to be negotiated among the Basel II, compliance, fraud, Sarbanes-Oxley, and operating groups.

Applying Technology To Auditing
• Continuous auditing and monitoring: applying technology to reengineer the audit process in order to enable on-demand auditing with reduced latency between the transaction event and the provision of assurance.
• CA = continuous control monitoring + continuous data level assurance.
• Continuous auditing and monitoring cannot by themselves prevent crises such as SPM or Societe Generale.
• Scope of CA/CM today is too limited, focused on operational control, automation of existing audit processes and fraud detection.
• Need to take it to the next level. But note that trading is already subject to CA, which indicates need for caution.

CA/CM In The Governance Process
• Would CA/CM as currently envisaged have prevented the SPM-crisis? Realistically, no.
• When there is a systematic failure across the entire governance process, no one part of that process can compensate sufficiently.
• Part of the problem is the failure to understand the flawed incentives throughout the governance process, which can lead even technological alarms to be ignored, as in the case of Societe Generale.
• On the other hand, advantage of technology is that it is not swayed by status, income or position.
• The point of this conference is to begin the process of taking CA/CM to the level necessary where it will have a real impact.

Some Possible Solutions To Explore
• A valuation platform that will provide third party valuation of complex financial instruments and a systemic assessment of their critical risks, types and their inter-linkages, and an automated confirmation mechanism (a more sophisticated and broader form of the SWIFT system, using confirmatory extranets) to verify and affirm the existence of the instruments in question.
• A library and taxonomy of derivative valuation programs drawn from various sources, both external and internally developed.
• A template for a linkage methodology where related derivative instruments that are part of a coordinated hedge will be linked.
• A high level set of risk KPIs and monitoring and alarming features.

Thinking Out Of The Box Continued
• A set of analytic continuity equations linking: varied outside market conditions; clearance agents; derivative instrument and security positions, and different views of risk exposures.
• A representation of clearance agents, clients, paper issuers, SPEs, and other relevant entities.
• An alarming/management methodology to mitigate the danger of rogue trading and unbalanced derivative positions.
• Simulation of several alternate conditions/contingencies based on published reports of major frauds at Societe Generale, Citigroup, Barings and so on to test the validity of the proposed approach as a preventive and detective control.

[Diagram: an FI that enters into thousands of derivative transactions with Counterparty 1 through Counterparty n, annotated with the numbered components below]
1. Database to database confirmations
2. A reporting level control panel
3. Library of derivative valuation programs
4. High level set of risk KPI and monitoring alarming
5. Analytic continuity equations
6. Alarming/management methodology
• Many transactions are multiparty
• Similar instruments are actually different
• There are tight and loose hedges
• Catastrophic changes in markets undermine hedges

Discussion Questions
• Can a technologically based solution and new audit methodologies be derived to deal with or mitigate these problems?
• How good are the current risk management platforms at the financial institutions?
• Can a platform just involving one institution without spanning its counterparties be relied upon?
• How do we make allowance for incentive issues, especially in the face of enormous temptations to subvert governance?
• With XBRL now effectively mandated the question that looms is if version 2.1 is adequate to represent fast moving instruments or will new XML extension languages have to be created to deal with the “live financial report.”