The need for Continuous Monitoring and
Assurance for Financial Institutions
Michael Alles
Miklos Vasarhelyi
Department Of Accounting, Business Ethics And Information
Systems
CONTECSI 2008: I SIMPÓSIO DE AUDITORIA CONTÍNUA
Background: A Serious Crisis
• Bank write-downs from subprime crisis are $355 billion and
growing: by most measures, larger than either S&L or Latin
American debt crises of 1980’s.
• Estimates are that this crisis will be longer and deeper than
any other before and losses at investment banks could
amount to 2 ½ years of profits!
• House prices in free-fall in much of the developed world as
mortgages become difficult to get even for borrowers with
good credit.
• Some consider banking sector to be facing a crisis of 1930’s
proportions as entire basis for modern banking practices
brought into question, as well as the governance/regulatory
structure that gave rise to it.
1. Why don’t we learn?
Why don’t we learn?
• In 1997/1998 LTCM failed precipitously, forcing the Fed to
intervene and coordinate 16 banks to contribute close to 4 billion
dollars to shore up a largely deregulated institution that was
operating with leverage of around 30 times capital, ignoring
even their swap and derivative positions
• The total effect on the economy, justifying the Fed’s action,
was estimated to be about 1 trillion dollars
• Among the major players for countertrades and financing for
LTCM were Bear Stearns, Chase, and Merrill Lynch
• The epilogue was that these firms escaped largely unscathed
and recovered their investment and loans with positive returns
in about 18 months after Mr. Greenspan’s interest lowering
Why don’t we learn? (2)
• Greatly contributing to the crisis, net of the different
international currency crises, were
– the total lack of transparency of LTCM positions
– the ignorance by counterparties of LTCM of their intricate web of
relationships and exposures
– the nearly totally unregulated nature of hedge funds
– the immense greed of both LTCM partners and their
counterparties
– the lack of disclosures on derivatives by all parties
Why don’t we learn? (3)
• Since those days (10th Year anniversary celebration of LTCM)
– The FASB issued derivative disclosure rules
– Many other types of financial instruments continue to be non-reported
under the guise of competitive impairment
– As private equity and hedge funds remained largely unregulated and
Sarbanes increased the onus of regulation, a large amount of funds was
routed to these entities
– The financial institutions refined the use of SPE-like entities for their
funds
– The amounts at serious risk are now in the hundreds of billions, not in
the pittance amount that partners were forced to contribute at LTCM
– Write downs at banks are accumulating to the 100 billion mark and
continuing
Background considerations
• The ill defined nature of the boundaries of business entities with special
purpose entities and partnering organizations impacting the firm’s balance
sheets, but which are often outside the scope of existing audit practice.
• The inability to fully assess the value at risk from financial instruments and
contracts whose underlying assumptions are unclear and whose value
depends on market dynamics and market confidence to a degree that only
now is being realized.
• The interlocked nature of financial entities and instruments that are being
measured, assured, and valued separately, and with less control than
many had assumed, with, for example, hedge operations involving
numerous instruments often managed and monitored on nothing more
sophisticated than a spreadsheet.
• As the Societe Generale case has demonstrated, even seemingly
sophisticated real-time controls have weaknesses stemming from their own
lack of security, monitoring and alarm handling features. Firms may be
monitoring the wrong people and the wrong things and not know what to do
with the information that controls are generating.
Audit considerations
• The sufficiency of capital to give a “going concern” opinion
and satisfy banking regulation.
• The “arms length” valuation of the financial assets of the
auditee, the value at risk that they pose.
• A methodology for ensuring that such instruments are
properly recorded when they are created or traded and that
controls are in place to monitor how they are utilized.
An Evolving Crisis
[Diagram: subprime mortgages and how they are sold. Text boxes:]
• Subprimes are sold to clients that cannot afford them or speculators
• Moral hazard: the one that sells the mortgage is not who ultimately carries it
• Many forms of mortgages have been engineered to minimize monthly payments
• These lower quality loans carry higher interest rates, therefore pay higher sales commissions
• With the passing of time or decrease in real estate values these mortgages become
Perverse incentives
• Loan originators and loan carriers
– Preying on uneducated consumers
– Too complex titles
• Rating agencies
– Being paid by the rated entities
• Accounting rules
– Allowing again “off balance sheet entities”
– Fair value valuations precipitating unintended consequences … a
cooling period with double reporting would help
– Clueless in non regulated markets
– Clueless in dealing with regulated interfacing with unregulated parties
– Clueless in general    
An Evolving Crisis
[Diagram: pools of subprime mortgages (Subprimes, Subprime B, Subprimes C) moving through securitization. Text boxes:]
• Sold by one entity, acquired by another that converts them to a SIV (Structured Investment Vehicle)
• They are sold as paper to banks wanting to improve their returns
• These are broken down into different risk categories called “tranches”
An Evolving Crisis
[Diagram, continued: the subprime pools (Subprimes, Subprime B, Subprimes C) now funded by short-term financial paper. Text boxes:]
• Sold by one entity, acquired by another that converts them to a SIV (Structured Investment Vehicle)
• Banks sell the tranches to clients that finance it issuing short term paper
• Off balance sheet entities are created
An Evolving Crisis
[Diagram, continued: the subprime pools (Subprimes, Subprime B, Subprimes C) funded by short-term financial paper and insured by swaps. Text boxes:]
• Sold by one entity, acquired by another that converts them to a SIV (Structured Investment Vehicle)
• Swaps are sold insuring the instruments
• Banks sell higher interest yielding insured instruments
• Off balance sheet entities are created
Market Failure
• The credit crisis has choked off many of the markets that
banks in recent years relied on to take assets off their balance
sheets. Issuance of mortgage-backed securities has dropped
sharply, while demand for more complex instruments such as
C.D.O.s has dried up completely.
• Many bankers think it will be months, if not years, before they
can start issuing these securities again. If and when they do,
investors are bound to demand higher returns than before and
are likely to require banks to demonstrate confidence in the
securities by keeping a greater proportion themselves.
• In short, this means that banks will be forced to fund more of
their future loans from their own balance sheet resources.
Banks Need To Strengthen Balance Sheets
• Several of the world's largest banks--Citigroup, Merrill Lynch,
UBS and Morgan Stanley—have sold multibillion-dollar stakes
to Asian and Middle Eastern investors and Sovereign Wealth
Funds to boost their capital amid heavy losses on mortgage
investments. But as banks increasingly take responsibility for
assets that had been held in off-balance sheet funds such as
SIVs, their capital needs have grown.
• Goldman Sachs estimated that $475 billion of “extra” assets
had been moved to bank balance sheets since the credit
crunch picked up speed earlier this year.
• Mortgage insurance entities have been shored up by the
same banks that they insure.
3. Monitoring financial institutions
Are the raters reliable monitors?
• Standard & Poor’s plans to revamp its governance procedures,
analytics and ratings transparency mark the latest in a series
of mea culpas from the leading credit rating agencies as they
attempt to restore their credibility with investors.
• Moody’s, Fitch and S&P have in recent months come under
intense fire from investors and regulators in the US and
Europe after complex structured finance instruments they
rated have suffered losses far in excess of the rating
agencies’ initial expectations.
Is the government a reliable monitor?
• The government has stayed largely on the sidelines watching
the financial bubble grow
• The regulatory umbrella is cumbersome, prone to political
intervention, and lacks effective weapons to deal with the
powerful banking establishment
• Since the deconstruction of the Glass-Steagall Act, banks have
become investment banks and vice-versa. Hedge funds and
private equity have taken secondary and tertiary roles in this
process.
Are auditors reliable monitors?
• External audit methodology is anachronistic
– The point-in-time audit is not designed to:
– Monitor fast moving financial operations
– Detect going concern weaknesses in short periods of time
– Measure integrated risk faced by financial institutions
– Deal with the fuzzy boundary issues of interlinked financial agents
• Internal audit groups
– Are better positioned to deal with these issues
– Do not have the monitoring and control charter
– Need to develop a comfort zone for monitoring and assurance functions
to be negotiated among the Basel II, compliance, fraud, Sarbanes, and
operating groups
Underlying Causes Of LTCM Debacle
• Greatly contributing to the crisis were:
– the total lack of transparency of LTCM positions
– the ignorance by counterparties of LTCM of its intricate web
of relationships and their consequent exposure
– the effectively totally unregulated nature of hedge funds
– the immense arrogance and greed of both LTCM partners,
counterparties and investors, all of whom were seduced by
the Nobel Prizes of the LTCM partners
– a refusal to ask hard questions and to insist on usual
controls and standards of prudence
– the lack of disclosures on derivatives by all parties
LTCM Had Little Long Term Impact
• 10th Year anniversary of LTCM:
– The FASB issued derivative disclosure rules, but
disclosures remain opaque.
– Many other types of financial instruments continue to be
under-reported or non-reported under the excuse of
competitive impairment.
– As private equity and hedge funds remained largely
unregulated and Sarbanes-Oxley increased the regulatory
burden on public firms, a large amount of funds was routed
to these entities.
– The financial institutions refined the use of SPE-like
entities for taking assets and liabilities off the balance
sheet.
Securitization: The Great Driver
• Securitization—transforming cash flows from assets into
bonds—is the real driver of the SPM-crisis.
• Bankers created a new market from slicing, dicing and
packaging mortgages into such new derivative instruments as
mortgage backed securities, collateralized debt obligations,
C.D.O.’s squared, special purpose vehicles etc.
• At best these structured finance products allowed risk to be
better allocated and diversified and hence expanded the
amount of credit that could be offered: a key feature of the
Basel II standard.
• At worst, they vastly leveraged the amount of gambling that
could be done on the financial markets: C.D.O.’s of some $75
billion generated trades with a notional value of $60 trillion.
Key Enabler: Ratings Agencies
• Ability to sell these derivative products depends on their
ratings. Instead of being gate keepers, rating agencies
became “gate-openers”.
• Analysts look at mathematical models, not details of the
underlying mortgages. Moody’s did not even have access to
the individual loan files. Certainly did not communicate with
the borrowers or try to verify the information they provided in
their loan applications.
• “We aren't loan officers. Our expertise is as statisticians on an
aggregate basis. We want to know, of 1,000 individuals,
based on historical performance, what percent will pay their
loans?” Claire Robinson, a 20-year veteran for Moody’s.
Ratings System Broke Down
• Centrality of ratings for process and fact that seller not buyer
paid for rating created obvious incentive problem: “Every
agency has a model available to bankers that allows them to
run the numbers until they get something they like and send it
in for a rating” says former Moody’s securitization expert.
• Moreover, valuing derivatives more difficult than valuing
underlying assets when they are put through securitization
process: “Four thousand pieces of a Porsche are more
difficult to value than a Porsche itself and the sum of the parts
does not equal the whole,” says Bill Michael of KPMG.
• In the anything goes climate of 2006, Moody’s had only a
single day to value a mortgage backed security.
Implied Versus Actual Ratings
• Moody's Analytics, which operates separately from Moody's
ratings division, uses credit-default swap prices as an
alternative system of grading debt.
• These so-called implied ratings often differ significantly from
Moody's official grades, suggesting higher default risk than
Moody’s official ratings.
• And the data shows that the implied ratings are more
accurate predictors of default risk.
• “The only thing holding [securities] at AAA is simply the model
that the rating agencies claim they use to judge that capital
and the fact they know that if they downgrade the companies,
it'll push them into default”. Tim Backshall, CDR LLC.
Lessons For Auditing From Recent Crises
• Point of recounting this story is to understand the challenges
facing governance and control of financial service firms today.
Many lessons available from recent crises, but one lesson is
that such lessons have to be continuously re-learnt.
• Societe Generale is tightening computer security, significantly
investing in information technology, reinforcing controls and
taking more account of the possibility of fraud.
• Clearly technology has a major role to play, but it is not a
magic bullet. Need to take behavioral issues into account.
• Technology can indicate that something is wrong, but it cannot
stop risky behavior.
• None are as foolish as those willing to be fooled.
Tasks Auditors Will Have To Perform
• Assess the sufficiency of capital to give a “going concern”
opinion and satisfy banking regulation.
• Conduct “arms length” valuation of the financial assets of the
client and assess the value at risk that they pose.
• Develop a methodology for ensuring that complex derivative
instruments that pose particular risks are properly recorded
when they are created or traded and that controls are in
place to monitor how they are utilized.
Challenging Audit Environment
• Boundaries of business entities are increasingly ill defined
with special purpose entities and counterparties impacting the
firm’s balance sheets, but which are often outside the scope
of existing audit practice.
• Difficult to assess VaR from financial instruments and contracts
whose underlying assumptions are unclear and whose value
depends on market dynamics and market confidence to a
degree that only now is being realized.
• The interlocked nature of financial entities and instruments
that are being measured, assured, and valued separately, and
with less control than many had assumed.
Challenging Audit Environment Continued
• Hedge operations involving numerous instruments are often
managed and monitored on nothing more sophisticated than a
spreadsheet. Pervasive problem in finance and insurance.
• As the Societe Generale case has demonstrated, even
seemingly sophisticated real-time controls have weaknesses
stemming from their own lack of security, monitoring and
alarm handling features. Firms may be monitoring the wrong
people and the wrong things and not know what to do with the
information that controls are generating.
• Application of accounting rules, especially Fair Value, may
cause unforeseeable problems, impacting markets, not just
providing a neutral measurement.
Audit Methodology Behind The Times
• External audit methodology is an anachronism.
– The periodic, backward looking audit is not designed to
monitor fast moving financial operations or detect going
concern weaknesses in short periods of time.
– Fails to measure integrated risk faced by financial
institutions.
– Or deal with the fuzzy boundary issues of interlinked
financial agents.
• Internal audit groups.
– Are better positioned to deal with these issues.
– But they often do not have the monitoring and control
charter.
– Need to develop a comfort zone for monitoring and
assurance functions to be negotiated among the Basel II,
compliance, fraud, Sarbanes-Oxley, and operating groups.
Applying Technology To Auditing
• Continuous auditing and monitoring: applying technology to
reengineer the audit process in order to enable on-demand
auditing with reduced latency between the
transaction event and the provision of assurance.
• CA = continuous control monitoring + continuous data
level assurance.
• Continuous auditing and monitoring cannot by themselves
prevent crises such as SPM or Societe Generale.
• Scope of CA/CM today is too limited, focused on operational
control, automation of existing audit processes and fraud
detection.
• Need to take it to the next level. But note that trading already
subject to CA, which indicates need for caution.
CA/CM In The Governance Process
• Would CA/CM as currently envisaged have prevented the
SPM-crisis? Realistically, no.
• When there is a systematic failure across the entire
governance process, no one part of that process can
compensate sufficiently.
• Part of the problem is the failure to understand the flawed
incentives throughout the governance process, which can
lead to even technological alarms being ignored, as in the
case of Societe Generale.
• On the other hand, advantage of technology is that it is not
swayed by status, income or position.
• The point of this conference is to begin the process of taking
CA/CM to the level necessary where it will have a real impact.
Some Possible Solutions To Explore
• A valuation platform that will provide third party valuation of
complex financial instruments and a systemic assessment of
their critical risks, types and their inter-linkages, and an
automated confirmation mechanism (a more sophisticated
and broader form of the SWIFT system, using confirmatory
extranets) to verify and affirm the existence of the instruments
in question.
• A library and taxonomy of derivative valuation programs
drawn from various sources, both external and internally
developed.
• A template for a linkage methodology where related derivative
instruments that are part of a coordinated hedge will be linked.
• A high level set of risk KPIs and monitoring/alarming features.
Thinking Out Of The Box Continued
• A set of analytic continuity equations linking: varied outside
market conditions; clearance agents; derivative instrument
and security positions, and different views of risk exposures.
• A representation of clearance agents, clients, paper issuers,
SPEs, and other relevant entities.
• An alarming/management methodology to mitigate the danger
of rogue trading and unbalanced derivative positions.
• Simulation of several alternate conditions/contingencies
based on published reports of major frauds at Societe
Generale, Citigroup, Barings and so on to test the validity of
the proposed approach as a preventive and detective control.
[Diagram: a financial institution (FI) enters in thousands of derivative transactions with Counterparty 1 through Counterparty n, annotated with the proposed components:]
1. Database to database confirmations
2. A reporting level control panel
3. Library of derivative valuation programs
4. High level set of risk KPI and monitoring alarming
5. Analytic continuity equations
6. Alarming/management methodology
• Many transactions are multiparty
• Similar instruments are actually different
• There are tight and loose hedges
• Catastrophic changes in markets undermine hedges
Discussion Questions
• Can a technologically based solution and new audit
methodologies be derived to deal with or mitigate these
problems?
• How good are the current risk management platforms at the
financial institutions?
• Can a platform just involving one institution without spanning its
counterparties be relied upon?
• How do we make allowance for incentive issues, especially in
the face of enormous temptations to subvert governance?
• With XBRL now effectively mandated the question that looms is
if version 2.1 is adequate to represent fast moving instruments
or will new XML extension languages have to be created to
deal with the “live financial report.”