The recent bankruptcy filing by MF Global Holdings Ltd. exemplifies the enormous risks that financial derivatives pose to institutional investors, broker-dealers, and global financial markets. When used for hedging purposes, derivatives provide a form of insurance to reduce risk to an acceptable level. For example, a portfolio fund manager may purchase U.S. "put" options to limit the risk of open equity positions, because the "strike" price, or price at which the owner of the put can sell the underlying assets until expiration, establishes a floor and limits the loss at the expense of an upfront premium. On the other hand, derivatives used for speculative purposes can be disastrous for a firm's balance sheet and liquidity, as was the case with Long-Term Capital Management (LTCM) LP in 1998, American International Group Inc. in 2008, and MF Global in 2011. Internal auditors must remain diligent and consider a variety of factors when assessing risks and internal controls around derivatives.
A derivative is a financial instrument that derives its value from an underlying asset, index, or event — it has no intrinsic value itself. Investors worldwide are concerned that many derivatives have become so intentionally complex in structure that they can be understood only by a select few who have specialized knowledge or interest, at the expense of transparency. Such esoteric derivatives potentially can be structured to achieve a specific accounting treatment irrespective of the economic substance of the transaction. This has resulted in the use of derivatives as a form of off-balance-sheet financing. For example, the accounting treatment of repurchase agreements — better known as Repo 105 — by Lehman Brothers Holdings Inc. moved approximately US $50 billion off the balance sheet by recording a sale in lieu of a financing liability. Many of the regulatory initiatives enacted worldwide in the wake of the financial crisis contain provisions to regulate derivatives.
Internal auditors should view complex financial instruments as a double-edged sword. Derivatives can be an effective financial risk management tool or a catastrophic failure in judgment that can quickly undermine and threaten a company's existence. Auditors must be mindful of the unique inherent risks associated with the different types and classes of derivatives (see "Two Types of Derivatives" at right).
Over-the-counter (OTC) derivatives are private contracts made between counterparties. They circumvent clearinghouse collateral and margin requirements, although such requirements may be negotiated and incorporated into contract terms. OTC derivatives can be tailored in agreement between both parties so long as the requirements of a binding contract under the Uniform Commercial Code are met, and provide greater flexibility, and risk, than exchange-traded derivatives. Three examples of OTC derivatives are interest rate swaps, forward contracts, and repurchase (repo) agreements.
Internal auditors should perceive counterparty risk as inherent with OTC derivatives. Furthermore, monitoring is essential in managing risk in volatile financial markets where small changes in market indexes can have a material impact on portfolio positions. In assessing the risks of OTC derivatives, internal auditors should consider:
Reviews and Approvals
Who reviews and approves the terms of OTC derivative contracts before execution of the agreement? What is the nature of the analyses used when making such decisions? Are they forward-looking projections or trend analyses based on historical data?
Internal auditors should consider the tone at the top, along with corporate strategy and risk appetite, when assessing the control environment around OTC derivative transactions. Auditors should evaluate key controls around the approval process when assessing the likelihood of derivative purchases that are unauthorized, have excessive risk, or are inconsistent with corporate strategy. They should consider the relevance and reliability of information used in the review and approval. Key controls designed around the review process also can help in assessing compliance with corporate strategy and fostering accountability. The review process should be documented formally and detail the contract terms, including the identification of any embedded derivatives, as specific market variables can trigger material changes in cash flows. This review should be approved formally by designated personnel before entering into the agreement.
A secondary review by independent personnel can be a strong detective control in identifying transactions that exceed risk thresholds or are inconsistent with corporate strategy. In addition, the secondary review should assess contract terms to detect any material components that were not documented previously and identify any inconsistencies between the documentation and contract terms. As part of the monthly closing process, a third independent review can serve as a compensating control.
Who is monitoring the financial health of counterparties and on what information are they basing the assessment? Are periodic credit checks reviewed to ascertain a counterparty's ability to satisfy obligations?
Internal auditors should evaluate the design of monitoring key controls to ascertain whether the frequency (i.e., daily, weekly, monthly, quarterly, semi-annually, or annually) and reliability (e.g., Dun & Bradstreet reports) of source documents used in the monitoring process reduce counterparty risk to an acceptable level. Auditors also should evaluate the clarity and timeliness of communications so that proactive measures can be taken to address counterparty risk. The company should establish policies to monitor and report on counterparty financial health regularly, and creditworthiness should be monitored continually.
How are quantitative and qualitative risk factors monitored? What is the risk that regulatory or environmental changes may impair a counterparty's ability to perform? What is the probability of an event, such as a change in index or natural disaster, that would bind the company to take an unfavorable position?
Internal auditors should evaluate whether the monitoring process includes a review of the analytical assumptions, through sensitivity analysis or other methodologies. This will enable them to ascertain the degree of variability and risk and to accurately quantify the effect of changes in market indexes through "what if" scenarios based on probability and market indicators. This monitoring also should review systematic risk and other unavoidable external risk factors, such as the effect a change in legislation would have on corporate strategy and operations or the impact a natural disaster would have on the valuation of the underlying assets of derivatives (e.g., wheat, rice, and oil).
What ensures that all derivatives are recorded accurately from an accounting and valuation perspective?
Internal auditors should evaluate the design of key controls to detect compliance with established corporate accounting policies used in the accounting for, and valuation of, financial derivatives. Accounting policies should be consistent with applicable accounting standards and applied appropriately given the unique structure of specific OTC derivatives. For example, two similar transactions may require different accounting treatments and financial statement presentation and disclosure depending on the nature of the transaction and whether the derivative meets the requirements of a perfect hedge as promulgated under Financial Accounting Standards Board (FASB) Accounting Standards Codification (ASC) 815: Derivatives and Hedging, or International Financial Reporting Standards (IFRS) 9: Financial Instruments: Classification and Measurement. Key preventive and detective controls should mitigate the risk that an incorrect accounting treatment or subjective valuation may not be detected timely.
What ensures that key controls are designed to address the risks that are unique to the terms of OTC derivatives?
Internal auditors should evaluate the control environment to ascertain that an appropriate mix of preventive, detective, and compensating controls is in place, given the nature and complexity of the financial derivatives involved. An overall assessment of the control environment should entail a detailed review of narratives, test plans, and risk control matrixes, in conjunction with walk-throughs, to identify any risks that are not otherwise addressed. Key controls should be balanced and designed around financial statement assertions such as valuation, presentation, and disclosure.
Exchange-traded derivatives are standardized contracts executed between counterparties on organized exchanges, such as the New York Mercantile Exchange (NYMEX), that are booked through a clearinghouse that serves as a counterparty to each party (e.g., seller to the buyer and buyer to the seller). Although counterparty risk is reduced, it is not eliminated entirely, as the MF Global bankruptcy proved. In addition, mandatory margin requirements stipulate initial cash outflow, while daily mark-to-market settlements and margin calls can result in a previously favorable position closing unfavorably and requiring additional collateral. Two examples of exchange-traded derivatives are equity options and futures contracts.
In assessing the risks of exchange-traded derivatives, auditors should examine the effect these derivatives have on cash management and consider:
Who is monitoring the purchase of exchange-traded derivatives, and are the underlying assets owned (i.e., covered positions)?
Internal auditors should evaluate the design of key controls around the review process before the purchase of exchange-traded derivatives to evaluate whether the transaction is consistent with corporate strategy. Generally speaking, covered positions have lower inherent risk than naked positions, those in which the underlying asset is not owned. Auditors should evaluate key controls around the approval process when assessing the likelihood of derivative purchases that are unauthorized, have excess risk, or are inconsistent with corporate strategy, as well as consider the relevance and reliability of information used in the review and approval. Moreover, practitioners should compare the corporate risk appetite with approved transactions when assessing the degree to which derivative usage coincides with corporate strategy. For example, naked positions or derivative investments that have a positive correlation with portfolio performance may indicate excessive risk-taking and speculation.
What is the probability that unforeseen margin calls may challenge or exceed liquidity capacity, and who is monitoring this risk? Are the derivatives' terms and usage appropriate given the corporate risk appetite and financial portfolio?
Internal auditors should evaluate the design of key controls around the treasury and cash management function when assessing the effectiveness of monitoring. They also should assess whether liquidity and leverage levels are appropriate given the corporate risk appetite. Senior management should be performing daily reviews — from both a monitoring and accountability perspective — to assess the effectiveness of corporate strategy and anticipate margin calls.
What ensures that exchange-traded derivatives are given the appropriate accounting treatment pursuant to ASC 815 and IFRS 9? What ensures that the appropriate financial statement presentation and footnote disclosures are made in accordance with U.S. Generally Accepted Accounting Principles and IFRS?
Although exchange-traded derivatives are not as inherently complex in nature as OTC derivatives, their appropriate accounting treatment will vary based on the substance of the transaction. Internal auditors should verify the finance department has hedge accounting policies approved by the board and key controls designed to test compliance with policies. Key controls should be designed to prevent or detect misclassification or inappropriate accounting treatment by formalizing a second or third review that is independent from personnel who are responsible for recording the transaction.
Best Practice Controls
In accordance with IIA Standard 2030: Resource Management, the internal audit department should comprise professionals with various skill sets and collectively possess the experience and expertise required to achieve audit plan objectives. Due to the diverse nature and complexity of derivatives, any specific expertise or skill sets deemed necessary should be listed formally in job requirements. An understanding of financial valuation models, along with strong analytical and communication skills, can assist internal auditors in their evaluation of residual risk.
There are several best practice key controls auditors should consider:
- Segregation of duties. Purchasing, recording, and custody of derivatives should be delegated to different personnel to provide effective checks and balances. Segregation of duties can be strengthened by access controls that focus on authentication. Custody of source documents should be maintained in an environmentally safe repository that is monitored in real time. Access should be limited to authorized personnel and preferably contain a biometric component. Any additions or removals should be documented formally and include the date, name, time-in, purpose of action, time-out, and signature of authorized personnel. Consistent with the custodial function, key controls should segregate customer collateral from corporate funds, while restricting the use of customer collateral, to mitigate the risk that customer collateral will be commingled with corporate funds to back trading and financing (rehypothecation). Although legal, the failures of MF Global, Lehman Brothers, and LTCM exemplify the risk rehypothecation poses to investors.
- Formal approval of reconciliations. Control owners should review and formally approve reconciliations. The frequency of reconciliations should coincide with the nature of the derivatives involved. For example, a company that enters into forward contracts with the same delivery date may not require daily reconciliations, while a company that enters into swaps and repos may require daily reconciliations. Management should investigate, identify, resolve, and document any discrepancies between the general ledger and reconciliations timely. Material differences should be communicated formally to senior management to foster accountability.
- Recalculation and confirmation. The design and frequency of recalculation of outstanding positions should be consistent with the nature of the derivatives. The valuation of level 1 assets, such as exchange-traded derivatives, can be recalculated using market quotes and confirmed with clearinghouses, while the valuation of level 2 assets, such as OTC derivatives, can be recalculated using pricing models and should be confirmed with counterparties. Internal auditors should evaluate whether a change in derivative portfolio necessitates a modification in control design to mitigate risk effectively. Formal review and approval by control owners should occur timely.
- Formal review of board minutes and relevant source documents. By reviewing board minutes and relevant source documents, auditors can assess the appropriate classification, valuation, and accounting treatment of derivatives pursuant to ASC 815 and IFRS 9. Key controls should be designed to ascertain the degree of corporate governance and its effectiveness in addressing relevant issues and communicating findings to appropriate personnel. Any modification in accounting treatment or established parameters should be justified with factual information that can be substantiated. Any proposed change in accounting treatment should entail a detailed rationale, be supported by reference to authoritative accounting standards, clearly identify the applicability to specific derivatives, be voted on by the board and documented in board minutes, and be communicated to the appropriate personnel.
- Management's presentation of net exposure to the board and risk committee. This presentation can increase risk awareness while enhancing the board's monitoring function. The presentation should provide sufficient detail (e.g., by derivative type and respective value) and facilitate a productive dialogue between board members and management. The frequency should be based on organizational needs and the nature of the derivatives involved. Evidence of management's presentation, as well as any relative dialogue and actions taken as a result, should be documented in board minutes.
- Performance analysis. Management's analysis of realized and unrealized gains and losses provides an effective monitoring and assessment mechanism that should be evaluated in conjunction with corporate strategy and market events. Senior management should review and approve the analysis and give formal presentations to the board and risk committee.
A Daunting Prospect
Evaluating the design, effectiveness, and efficiency of internal controls as they relate to financial derivatives may appear daunting to internal auditors. However, a sound understanding of derivatives along with a risk-based approach to assessing the internal control environment can be helpful.
Financial derivatives are an integral part of the global economy that must be handled responsibly by all parties involved. Internal auditors should evaluate the effectiveness of financial derivatives in managing risk while assessing whether the manner in which they are used exacerbates existing risk unacceptably. They should follow domestic and international regulatory developments, be mindful of the effect change may have on liquidity and risk-taking activities, and consider the risk that some derivatives may be structured intentionally to circumvent new regulations. Finally, auditors should approach financial derivatives with the perspective that the benefits derived should not be exceeded by the risks they create and should be consistent with risk appetite and corporate strategy.
A significant outcome of the 2009 G20 summit in Pittsburgh was the commitment of world leaders to strengthen the international financial regulatory system in light of the global financial crisis. Title VII of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act has numerous provisions to regulate derivatives — specifically over-the-counter (OTC) derivatives. One provision requires derivatives to be registered at clearinghouses with electronic trading platforms. The rationale is that greater transparency will improve investor confidence while facilitating effective compliance programs and enforcements.
Other nations have attempted to align their respective regulations with Dodd-Frank and Basel III capital requirements to address counterparty risk while preventing the possibility of regulatory arbitrage. The European Parliament has approved new regulations that will require all OTC derivatives traded in the European Union to be cleared through central counterparties. Additionally, the regulations mandate the reporting of derivative transactions to trade repositories monitored by the European Securities and Markets Authority. The Monetary Authority of Singapore has proposed expanding the scope of that nation’s Securities and Futures Act to regulate OTC derivatives. While most of the regulations proposed worldwide are consistent with the G20 recommendations, one notable departure is that electronic trading platforms will not be required at clearinghouses.
The International Monetary Fund (IMF) has questioned the effectiveness of the G20 recommendations, specifically citing the threat of creating clearinghouses that could become “too big to fail” themselves. Furthermore, the IMF is concerned that regulations mandating higher collateral for OTC derivatives, along with Basel III capital requirements that exclude goodwill and deferred tax assets, may increase demand for safe assets while reducing market liquidity. Although the risk of financial derivatives has been identified, a consensus on the appropriate degree of regulations has yet to be reached.
Brazil, Russia, India, China, and South Africa (the BRICS nations) have attempted to enhance their individual and collective status in the global economy by launching a cross-listing of benchmark equity index derivatives that allows investors in one BRICS country to invest in any other BRICS countries in local currencies. The aim of the initiative is to facilitate market activity by eliminating currency risk while luring global investors to new products in emerging markets. This was done in response to global economic inequalities and to gain greater voting power for the BRICS at the IMF.
Monitoring and Oversight of Derivative Usage
One of the most notable proposed modifications to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework is the inversion of the control environment and monitoring. To this end, the perspective of monitoring as the foundation of an internal control environment — as opposed to the original framework, which ascribed the control environment as the foundation — is pertinent in a volatile, globally entwined business environment.
Monitoring and oversight by the board of directors and audit committee is an effective method for identifying and managing corporate risk stemming from an organization’s usage of financial derivatives to an acceptable level given the degree of risk appetite while addressing the concerns of various stakeholders. The board may use several policies to establish the appropriate tone at the top, while organizational independence can assist internal auditors in assessing risk, designing key controls, and evaluating their effectiveness and efficiency related to financial derivatives.
Charter. A formally approved internal audit charter should clearly define the parameters and reporting relationships of the internal audit function. Preferably, the charter should allow unfettered access to relevant source documents and personnel.
Risk Committee. Organizations should create a risk committee to establish enterprise risk management policies and monitor risk factors. Section 165(h) of the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act mandates that systemically vital financial institutions with more than US $10 billion in consolidated assets, including publicly traded bank holding companies and some nonbank financial companies, must establish a risk committee comprising at least one “risk management expert.” As a best practice, companies that do not meet the threshold pursuant to Section 165(h) should have a risk committee as well. The risk committee should work in conjunction with the board and senior management to determine whether derivative usage is consistent with corporate risk management policies and risk appetite, as well as whether it is appropriate given the impact market volatility can have. The risk committee should be responsible for creating a risk management system that will achieve four objectives:
- Establish control and monitoring mechanisms to identify material risks timely.
- Develop and implement risk management strategies that are consistent with corporate strategy and risk appetite.
- Align risk management strategies with operational activities and business decision-making.
- Ensure that relevant, accurate, and timely information is communicated to senior management, the board, and the risk committee.
Effectiveness. The board should evaluate the effectiveness and efficiency of the risk management system at least annually. Outside consultants and experts may provide an objective perspective and could evaluate any residual risk factors not previously addressed or identified. Risk management benchmarks and performance metrics should be approved formally by the risk committee and board, clearly communicated to relevant personnel, and used to foster accountability.
Parameters. The organization should establish unambiguous parameters that restrict the use of derivatives to specific types of transactions and for specific purposes (e.g., hedging as opposed to speculative), which should denote quantifiable limits. These parameters should be consistent with the corporate strategic plan and should be reviewed timely by the board and risk committee to ascertain whether any modifications are necessary given the economic environment on both a macro and micro level.
Policies. The organization should create policies that facilitate a timely review of performance and compliance with established parameters. Similar to a balanced scorecard, metrics should encompass both quantitative and qualitative measures and be defined clearly. Targets should be compared with actual results. Favorable performance should be reviewed within the context of market performance to ascertain any positive correlations that may enhance corporate strategy; unfavorable performance should be evaluated to identify and address the root causes. Communication should be limited to appropriate personnel. Key controls should be designed to prevent and detect noncompliance with established parameters and should use attribute sampling to ascertain the degree of noncompliance. Any exceptions discovered should be investigated by the internal audit department and may involve in-house counsel. Senior management also should monitor compliance with corporate policies from an operational perspective, and the board should formally approve a protocol for investigating and remedying noncompliance. Any material findings should be presented to the board and risk committee.
Review Process. A formally approved review process can evaluate residual risk and identify initiatives that can be implemented to either maintain risk at an acceptable level or reduce risk in a cost-effective manner. Consideration should be given to reputational, environmental, and social risks as these may arise unintentionally in the risk mitigation process. Risks that are unlikely to occur, but which could have a material impact on operations, should be evaluated by the board and risk committee for probability of occurrence and potential loss when determining if any additional risk mitigation is necessary. Outside consultants may provide an objective perspective and can evaluate any residual risk factors that were not addressed or identified previously.
Whistleblower Reporting. Organizations should establish a whistleblower policy or other reporting mechanism that enables individuals to report suspected improprieties or noncompliance with established parameters anonymously to an independent party. The policy should establish legal protection from reprisal arising from complaints made in good faith. In addition, legal counsel should review and approve corporate policies detailing the ramifications for improprieties or noncompliance, which should be clearly communicated to all relevant personnel. The internal audit charter should clearly define the authority internal auditors have, along with the protocol they should follow, when investigating reports of noncompliance and improprieties. The consequences for substantiated allegations should be consistent with corporate policies.