Leveraging The Subprime Crisis: Making The Case For Continuous Auditing And Monitoring Of Financial Institutions Michael Alles Miklos Vasarhelyi Department Of Accounting, Business Ethics And Information Systems CONTECSI 2008: I SIMPÓSIO DE AUDITORIA CONTÍNUA Background: An Unprecedented Crisis • Bank write-downs from subprime crisis are $355 billion and growing: by most measures, larger than either S&L or Latin American debt crises of 1980’s. • Estimates are that this crisis will be longer and deeper than any other before and losses at investment banks could amount to 2 ½ years of profits! • House prices in free-fall in much of the developed world as mortgages become difficult to get even for borrowers with good credit. • Some consider banking sector to be facing a crisis of 1930’s proportions as entire basis for modern banking practices brought into question, as well as the governance/regulatory structure that gave rise to it. 2 An Evolving Crisis a Subprimes Are sold to clients that cannot afford them or speculators Subprimes Subprimes Subprimes Subprimes Moral hazard.. The one that sells the mortgage is not who ultimately carries it Many forms of mortgages have been engineered to minimize monthly payments These lower quality loans carry higher interest rates therefore pay higher sales commissions With the passing of time or decrease in real estate values these mortgages become 3 An Evolving Crisis Subprimes Subprimes Subprimes Subprimes Subprimes Subprimes Subprimes Sold by one entity acquired by another that converts them to a SIV (structured Investment Vehicle) Subprimes Subprime B They are sold as paper to banks wanting to improve their returns Subprime B Subprimes C Subprimes C These are broken down into different risk categories called “tranches” 4 An Evolving Crisis Subprimes Subprimes Subprimes Subprimes Sold by one entity acquired by another that converts them to a SIV (structured Investment Vehicle) Subprimes Short- term Financial paper Subprime B Subprime B Short- term Financial paper Subprimes C Subprimes Subprimes Subprimes Banks sell The tranches to clients that finance it issuing short term paper Subprimes C Off balance sheet Entities are created Short- term Financial paper 5 An Evolving Crisis Subprimes Subprimes Subprimes Subprimes Sold by one entity acquired by another that converts them to a SIV (structured Investment Vehicle) Subprimes Subprimes Short- term Financial paper Subprime B Subprime B Short- term Financial paper Subprimes C Subprimes Subprimes Swaps are sold insuring the instruments Banks sell Higher interest yielding insured instruments Subprimes C Off balance sheet Entities are created Short- term Financial paper 6 7 Market Failure • The credit crisis has choked off many of the markets that banks in recent years relied on to take assets off their balance sheets. Issuance of mortgage-backed securities has dropped sharply, while demand for more complex instruments such as C.D.O.s has dried up completely. • Many bankers think it will be months, if not years, before they can start issuing these securities again. If and when they do, investors are bound to demand higher returns than before and are likely to require banks to demonstrate confidence in the securities by keeping a greater proportion themselves. • In short, this means that banks will be forced to fund more of their future loans from their own balance sheet resources. 8 Banks Need To Strengthen Balance Sheets • Several of the world's largest banks--Citigroup, Merrill Lynch, UBS and Morgan Stanley—have sold multibillion-dollar stakes to Asian and Middle Eastern investors and Sovereign Wealth Funds to boost their capital amid heavy losses on mortgage investments. But as banks increasingly take responsibility for assets that had been held in off-balance sheet funds such as SIVs, their capital needs have grown. • Goldman Sachs estimated that $475 billion of “extra” assets had been moved to bank balance sheets since the credit crunch picked up speed earlier this year. • Mortgage insurance entities have been shored up by the same banks that they insure. 9 From Banking Crisis To Governance Crisis • The SPM-crisis brings into focus the fact that financial service practice is running far ahead of governance practices, which include: • External mandatory, periodic audit. • Internal audit. • Ratings agencies. • Government regulators. • Board of directors. • Auditing is only one part of the reformed governance structure that is needed to overcome the current crisis and perhaps reduce frequency of future ones. But the role of audit has to been seen against this wider breakdown in governance. 10 SPM-Crisis Not Unprecedented • Consider lessons from Long Term Capital Management (LTCM) crisis: not hard to find—see Wikipedia! • In 1998, Russian default caused LTCM to fail precipitously forcing $3.65 billion intervention by the Federal Reserve. • LTCM had equity of $4.72 billion and had borrowed over $124.5 billion with assets of around $129 billion. It had offbalance sheet derivative positions with a notional value of approximately $1.25 trillion, most of which were in interest rate derivatives such as interest rate swaps. • The fear was that there would be a chain reaction as the company liquidated its securities to cover its debt, leading to a drop in prices, which would force other companies to liquidate their own debt creating a vicious cycle. 11 LTMC Gave Warning Of Future Risks • The profits from LTCM's trading strategies were generally not correlated with each other and thus normally LTCM's highly leveraged portfolio benefited from diversification. However, the general flight to liquidity in the late summer of 1998 led to a marketwide repricing of all risk leading these positions to all move in the same direction. • As the correlation of LTCM's positions increased, the diversified aspect of LTCM's portfolio vanished and large losses to its equity value occurred. • Thus the primary lesson of 1998 and the collapse of LTCM for Value at Risk (VaR) users is not a liquidity one, but more fundamentally that the underlying Covariance matrix used in VaR analysis is not static but changes over time. 12 “Black Swans”: Managing For 10-Ω Events • Nassim Taleb compared LTCM's strategies to “picking up pennies in front of a steamroller”. • Problem is that standard risk models, such as value at risk (VaR) tend to underappreciate the risk of low probability/high loss events, such as the market moving in unison and unraveling risk diversification strategies or assumptions about liquidity of assets. • “VaR leads to the illusion that you can quantify all risks and therefore regulate them”. Till Gulidmann, creator of VaR concept. • Ignores changes in markets, assets: “like observing 100 years of weather in Antarctica to forecast the weather in Hawaii”. 13 Underlying Causes Of LTCM Debacle • Greatly contributing to the crisis were: – the total lack of transparency of LTCM positions – the ignorance by counterparties of LTCM of its intricate web of relationships and their consequent exposure – the effectively totally unregulated nature of hedge funds – the immense arrogance and greed of both LTCM partners, counterparties and investors, all of whom were seduced by the Nobel Prizes of the LTCM partners – a refusal to ask hard questions and to insist on usual controls and standards of prudence – the lack of disclosures on derivatives by all parties 14 LTCM Had Little Long Term Impact • 10th Year anniversary of LTCM: – The FASB issued derivative disclosure rules, but disclosures remain opaque. – Many other types of financial instruments continue to be under-reported or non-reported under the excuse of competitive impairment. – As private equity and hedge funds remained largely unregulated and Sarbanes-Oxley increased the regulatory burden on public firms, large amount of funds was routed to these entities. – The financial institutions refined the use of SPE-like entities for taking assets and liabilities off the balance sheet. 15 Governance And Regulatory Environment • In general, very little regulatory impact on SPM-crisis except, importantly, in the negative sense. • Lack of regulation on lenders, despite desperate calls to do so. On the one hand, SPM was a public policy good, ending racist practice of black-lining loans, predatory loans. • Made housing available to a large deserving group previously denied loans, boosting house sales (not house ownership!) to record highs. • Problem was increasing practice of lending without usual standards of ability to pay back, or documentation: “Liar’s loans”. • In one mortgage backed security of 2,393 mortgages, 43% provided no documentation of income! 16 Incentives Unraveled Throughout Industry • Even mortgages for owner-occupied homes proved less reliable than past history indicated? • Why? Because people were buying them as investments, not as “homes” and so had less loyalty to them. • Thus mortgage holders look at homes rationally and not with sentimentality: as soon as they have negative equity, even home-owners with good credit walk away from the loan, raising default rates to unprecedentedly high levels. • Mortgage lenders made loans so that they could sell them to Wall Street to be securitized. Thus they had little incentive to care how good the loans were and though, sometimes mistakenly, that they could pass on the risk completely. 17 Securitization: The Great Driver • Securitization—transforming cash flows from assets into bonds—is the real driver of the SPM-crisis. • Bankers created a new market from slicing, dicing and packaging mortgages into such new derivative instruments as mortgage backed securities, collateralized debt obligations, C.D.O.’s squared, special purpose vehicles etc. • At best these structured finance products allowed risk to be better allocated and diversified and hence expanded the amount of credit that could be offered: a key feature of the Basel II standard. • At worst, they vastly leveraged the amount of gambling that could be done on the financial markets: C.D.O.’s of some $75 billion generated trades with a notional value of $60 trillion. 18 Key Enabler: Ratings Agencies • Ability to sell these derivative products depends on their ratings. Instead of being gate keepers, rating agencies became “gate-openers”. • Analysts look at mathematical models, not details of the underlying mortgages. Moody’s did not even have access to the individual loan files. Certainly did not communicate with the borrowers or try to verify the information they provided in their loan applications. • “We aren't loan officers. Our expertise is as statisticians on an aggregate basis. We want to know, of 1,000 individuals, based on historical performance, what percent will pay their loans?” Claire Robinson, a 20-year veteran for Moody’s. 19 Ratings System Broke Down • Centrality of ratings for process and fact that seller not buyer paid for rating created obvious incentive problem: “Every agency has a model available to bankers that allows them to run the numbers until they get something they like and send it in for a rating” says former Moody’s securitization expert. • Moreover, valuing derivatives more difficult than valuing underlying assets when they are put through securitization process: “Four thousand pieces of a Porsche are more difficult to value than a Porsche itself and the sum of the parts does not equal the whole,” says Bill Michael of KPMG. • In the anything goes climate of 2006, Moody’s had only a single day to value a mortgage backed security. 20 Implied Versus Actual Ratings • Moody's Analytics, which operates separately from Moody's ratings division, uses credit-default swap prices as an alternative system of grading debt. • These so-called implied ratings often differ significantly from Moody's official grades, suggesting higher default risk than Moody’s official ratings. • And the data shows that the implied ratings are more accurate predictors of default risk. • “The only thing holding [securities] at AAA is simply the model that the rating agencies claim they use to judge that capital and the fact they know that if they downgrade the companies, it'll push them into default”. Tim Backshall, CDR LLC. 21 “If You Are So Smart, How Come I Am President?” • Reputation for intellectual horsepower and amount of money earned by those doing securitization intimidated those who would ask questions. In hindsight, both sellers and buyers failed to understand the true risks of derivative products. • “Investment bankers who talk about 'exploding short-term gamma risk' earn $2m; someone in our debt-recovery team earns $50,000. The only difference between them is that the person who earns $50,000 knows what he is doing.” • Same old story: Nobel prize winners at LTCM; Andersen auditors working for free in their part time for Enron because of prestige of working for “America’s most innovative company”. • Such behavioral issues pervasive, significant. 22 Societe Generale: The Icing On The Cake • Jérôme Kerviel, a junior trader at Societe Generale accused of exceeding his authority to engage in unauthorized trades totaling as much as €49.9 billion, a figure far higher than the bank’s total market capitalization. • Investigators say Kerviel's bosses missed more than 1,000 faked trades; a huge jump in his earnings in 2007; questions about his trades from the Eurex exchange; unusually high levels of cash flow, accounting anomalies, and high brokerage expenses; Kerviel's failure to take vacation; and his breach of the desk's market risk limit on one position. • One problem was that it was only net positions that were monitored, not total. 23 Anatomy Of A Bank Failure • Controversy about whether his superiors knew what was going on—alerted by Eurex exchange, did not object when net position was showing profits for the bank. • “My feeling is that — we are now on the second report — by the third report it's going to be the fault of the cleaning ladies. Each time it goes down (the corporate hierarchy), instead of up.” Kerviel’s lawyer. • A central issue was that the trader had worked in the controls area and knew how to circumvent them. “Several key controls that could have identified fraudulent mechanisms were lacking. There was a lack of an appropriate awareness of the risk of fraud”. PwC report. 24 Societe Generale: What Lessons? • At Goldman Sachs people are routinely rotated between control functions and business functions so that each has an equal cachet, and problems are discussed by a broad range of insiders. Aim is avoid risk management being seen as second-rate naysayers holding back sexy trading strategies. • But is this a good thing, or does is it give people like Kerviel the means to circumvent controls? • “The number of firms that will investigate an unusual profit is smaller than the number of firms that will investigate an unusual loss”. Andrew Gray, PwC. • Bottom line is that banks, especially investment banks, are inherently susceptible to failures of control and governance since their culture today is to push risk/reward boundaries. 25 Lessons For Auditing From Recent Crises • Point of recounting this story is to understand the challenges facing governance and control of financial service firms today. Many lessons available from recent crises, but one lesson is that such lessons have to be continuously re-learnt. • Societe Generale is tightening computer security, significantly investing in information technology, reinforcing controls and taking more account of the possibility of fraud. • Clearly technology has a major role to play, but it is not a magic bullet. Need to take behavioral issues into account. • Technology can indicate that something is wrong, but it cannot stop risky behavior. • None are as foolish as those willing to be fooled. 26 Tasks Auditors Will Have To Perform • • • Assess the sufficiency of capital to give a “going concern” opinion and satisfy banking regulation. Conduct “arms length” valuation of the financial assets of the client and assess the value at risk that they pose. Develop a methodology for ensuring that complex derivative instruments that pose particular risks are properly recorded when they are created or traded and that controls are in place to monitor how they are utilized. 27 Challenging Audit Environment • Boundaries of business entities are increasingly ill defined with special purpose entities and counterparties impacting the firm’s balance sheets, but which are often outside the scope of existing audit practice. • Difficult to assess VaR from financial instrument and contracts whose underlying assumptions are unclear and whose value depends on market dynamics and market confidence to a degree that only now is being realized. • The interlocked nature of financial entities and instruments that are being measured, assured, and valued separately, and with less control than many had assumed. 28 Challenging Audit Environment Continued • Hedge operations involving numerous instruments are often managed and monitored on nothing more sophisticated than a spreadsheet. Pervasive problem in finance and insurance. • As the Societe Generale case has demonstrated, even seemingly sophisticated real-time controls have weaknesses stemming from their own lack of security, monitoring and alarm handling features. Firms may be monitoring the wrong people and the wrong things and not know what to do with the information that controls are generating. • Application of accounting rules, especially Fair Value, may cause unforeseeable problems, impacting markets, not just providing a neutral measurement. 29 Audit Methodology Behind The Times • External audit methodology is an anachronism. – The periodic, backward looking audit is not designed to monitor fast moving financial operations or detect going concern weaknesses in short periods of times. – Fails to measure integrated risk faced by financial institutions. – Or deal with the fuzzy boundary issues of interlinked financial agents. • Internal audit groups. – Are better positioned to deal with these issues. – But they often do not have the monitoring and control charter. – Need to develop a comfort zone for monitoring and assurance functions to be negotiated among the Basel II, compliance, fraud, Sarbanes-Oxley, and operating groups. 30 Applying Technology To Auditing • Continuous auditing and monitoring: applying technology to the reengineer the audit process in order to enable ondemand auditing with reduced latency between the transaction event and the provision of assurance. • CA = continuous control monitoring + continuous data level assurance. • Continuous auditing and monitoring cannot by themselves prevent crises such as SPM or Societe Generale. • Scope of CA/CM today is too limited, focused on operational control, automation of existing audit processes and fraud detection. • Need to take it to the next level. But note that trading already subject to CA, which indicates need for caution. 31 CA/CM In The Governance Process • Would CA/CM as currently envisaged have prevented the SPM-crisis? Realistically, no. • When there is a systematic failure across the entire governance process, no one part of that process can compensate sufficiently. • Part of the problem is the failure to understand the flawed incentives throughout the governance process, which can lead to even technological alarms to be ignored, as in the case of Societe Generale. • On the other hand, advantage of technology is that it is not swayed by status, income or position. • The point of this conference is to begin the process of taking CA/CM to the level necessary where it will have a real impact. 32 Some Possible Solutions To Explore • A valuation platform that will provide third party valuation of complex financial instruments and a systemic assessment of their critical risks, types and their inter-linkages, and an automated confirmation mechanism (a more sophisticated and broader form of the SWIFT system, using confirmatory extranets) to verify and affirm the existence of the instruments in question. • A library and taxonomy of derivative valuation programs drawn from various sources, both external and internally developed. • A template for a linkage methodology where related derivative instruments part of a coordinated hedge will be linked. • A high level set of risk KPI and monitoring alarming features. 33 Thinking Out Of The Box Continued • A set of analytic continuity equations linking: varied outside market conditions; clearance agents; derivative instrument and security positions, and different views of risk exposures. • A representation of clearance agents, clients, paper issuers, SPEs, and other relevant entities. • An alarming/management methodology to mitigate the danger of rogue trading and unbalanced derivative positions. • Simulation of several alternate conditions/contingencies based on published reports of major frauds at Societe Generale, Citigroup, Barings and so on to test the validity of the proposed approach as a preventive and detective control. 34 1. Database to database confirmations 3. library of derivative valuation programs 4. high level set of risk KPI and monitoring alarming Counterparty 1 5. Analytic 2. A reporting level control panel continuity equations FI enters in thousands of Derivative transactions 6. alarming/management methodology •Many transactions are multiparty •Similar instruments are actual different •There are tight and loose hedges •Catastrophic changes in markets undermine hedges Counterparty n 35 Discussion Questions • Can a technologically based solution and new audit methodologies be derived to deal with or mitigate these problems? • How good are the current risk management platforms at the financial institutions? • Can a platform just involving one institution without spanning its counterparties be relied upon? • How do we make allowance for incentive issues, especially in the face of enormous temptations to subvert governance. • With XBRL now effectively mandated the question that looms is if version 2.1 is adequate to represent fast moving instruments or will new XML extension languages have to be created to deal with the “live financial report.” 36