Despite the fall of Lehman Bros., the catastrophic failure of Washington Mutual, and the financial fiascos of Detroit and Jefferson County, Ala., all of which have been blamed in part on exotic derivative instruments, derivatives are making a comeback. The Independent Community Bankers of America, for example, has testified before U.S. congressional committees since the financial collapse regarding the important role derivatives play in helping community banks manage interest rate risk and offer competitive fixed-rate loans. And in February, the National Credit Union Administration allowed, for the first time, the use of interest rate derivatives to help credit unions manage interest rate risk.
Implementing processes to identify, analyze, and report the risk associated with derivatives can go a long way toward helping ensure the financial problems of the past will not be repeated. In support of these efforts, internal auditors should know how to monitor derivatives activity and familiarize themselves with the review processes external auditors follow. Especially if an organization is implementing derivatives for the first time, a high level of internal audit competency in this area can highlight the function's ability to add value and play a role in strategic initiatives.
The most extensive guidelines for derivatives auditing come from the U.S. Public Company Accounting Oversight Board (PCAOB) — the guidelines serve as a useful framework for discussing derivative auditing issues. In particular, PCAOB AU Section 332, Auditing Derivative Instruments, Hedging Activities, and Investments in Securities, provides guidance that can be of help to internal auditors performing reviews of derivatives activity. Areas of particular relevance to internal audit practitioners include AU 332's discussion of specialized skills, reliance on audit work, inherent risk, procedures based on risk assessments, financial statement assertions, documentation, and management assertions.
AU 332 states that auditors "may need special skill or knowledge to plan and perform auditing procedures for certain assertions about derivatives and securities." The guidance cites, for example, the information systems associated with derivatives and the application of U.S. Generally Accepted Accounting Principles (GAAP) for derivatives and hedge accounting as areas that may require such knowledge and expertise.
The need for a specialized skill set may also arise because many derivative end users outsource the accounting and ancillary responsibilities. One such responsibility involves tracking changes in a derivative's fair value, which is based on data from industry data providers and may require knowledge about manipulating complex data feeds. And because reporting entities sometimes need to explain their hedging processes to an outside auditor, the internal auditor should be prepared to help share this information.
Companies also frequently outsource fair value measurement — derivatives must be initially recorded at fair value and revalued at every quarter-end. An internal auditor may need to identify and evaluate controls used by the outside service organization and audit the reliability of the transfer of this information to the reporting entity. Performing this work may require the auditor to possess specialized knowledge to plan and perform audit procedures.
PCAOB AU Section 336 provides guidance for auditors who engage specialists. Auditors should note that AU 336 requires them to "obtain an understanding of the methods and assumptions used by the specialist."
Reliance on Audit Work
PCAOB AU Section 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, provides guidance for outside auditors seeking to rely on the work of internal audit. AU 322 instructs outside auditors to be familiar with internal auditors' level of expertise before relying on their work. Accordingly, internal auditors should be prepared to document their competency to the company's external practitioners.
According to AU 332, assertions about a derivative or security present inherent risk in their "susceptibility to a material misstatement, assuming there are no related controls." Several complexities raise the level of inherent risk in a derivative audit, including:
- Interest rate swaps that initially do not involve an exchange of cash and have zero fair value are not initially recorded on the balance sheet — as a result, the organization may subsequently neglect to identify them for valuation and disclosure considerations.
- Credit risk exposes the reporting entity to potential loss from an interest rate swap counterparty failing to meet its recurring net settlement obligations.
- Legal risk exposes the reporting entity to potential loss from legal or regulatory action due to unauthorized use of derivatives by the reporting entity or a
counterparty. For example, an interest rate swap counterparty, or possibly even the reporting entity itself, may be found in violation of rules and need to exit a swap prematurely.
- Because of the complexity of GAAP relating to derivative transactions, GAAP may be misapplied, resulting in restatement. In other words, the complexity presents restatement risk.
These various complexities may also increase an organization's exposure to fraud, which internal auditors can play a crucial role in helping to detect and prevent. The audit committee should stress the importance of fraud vigilance whenever new accounting techniques or financial instruments are introduced.
Substantive Procedures Based on Risk Assessments
Auditors should use the assessed levels of inherent risk and control risk for derivatives assertions to determine the nature, timing, and extent of the procedures to be performed to detect material misstatements of the financial statement assertions. Timing merits particular attention because qualification for special hedge accounting is dependent on satisfying complex, time-related requirements.
For example, even though GAAP requires quarterly evaluation of hedge effectiveness, the U.S. Securities and Exchange Commission (SEC) staff has said that hedge effectiveness evaluations may need to be performed more often. Essentially, effectiveness evaluations should coincide with any rebalancing of the hedge, which may occur in more complicated hedge scenarios.
Also, reporting entities that qualify for cash-flow hedge accounting must accurately specify the time frame in which hedged forecasted transactions will occur. A two-month leeway period allowed by Financial Accounting Standards Board codification will not be stated explicitly in the financial statements — instead, auditors will need to calculate it from management-supplied hedging documentation.
Financial Statement Assertions
Existence assertions address whether the derivatives reported in the financial statements actually exist at the date of the statement of financial position, whereas occurrence refers to whether the reported transactions occurred. Completeness assertions address whether all of the entity's derivatives are reported in the financial statements, through recognition or disclosure.
Auditing completeness assertions for derivatives can be especially tricky. For cash flow hedges, a hedging derivative's gains or losses might be split, with a portion going to earnings and the rest initially to accumulated other comprehensive income and later transferred to earnings to offset the earnings effects of hedged forecasted cash flows. However, if a reporting entity decides to cease using a derivative as a hedge, or if the derivative is not working effectively as a hedge, the entity's gains or losses will be posted exclusively to earnings. The SEC staff has provided guidance on how to record changes in derivative results in the income statement: "We generally believe that a presentation that splits the components of a derivative into different line items on the income statement or that reclassifies realized gains and losses of a derivative out of the line item that included unrealized gains and losses of the same derivative is inappropriate."
Documentation represents a crucial element in qualifying for hedge accounting and must include the details of the hedging derivative and hedged transaction, as well as the specific risks being protected (hedged) against. Documentation timeliness is of particular importance, as SEC staff has advised that it "will challenge the application of hedge accounting in instances where an entity has not contemporaneously complied with formal hedge documentation requirements." In addition, the PCAOB specifies that auditors should gather evidence "to support management's expectation at the inception of the hedge that the hedging relationship will be highly effective" as well as to document periodic management assessment of ongoing hedging relationship effectiveness, as required by GAAP.
PCAOB AU Section 333, Management Representations, provides guidance to auditors on obtaining written representations from management. Auditors should obtain representations to confirm management's intent and ability to hold a debt security until its maturity, as the type of risk allowed by GAAP to be protected (hedged) against is dependent on management's intention and ability to hold a hedged asset or liability. For example, a debt classified as "held to maturity" cannot be protected (hedged) against interest rate risk due to changes in benchmark interest rates. Internal auditors should ensure that a process exists whereby management classifies assets and liabilities as held to maturity, trading, or available for sale. Open communication between the finance department and internal auditors is key to assuring classifications are consistent and accurate.
Stemming the Tide
Perceptions about heightened interest rate volatility frequently induce companies to increase their use of interest rate swaps and other derivatives to manage interest rate risk. Mandatory documentation, fair value measurement, and complex journal entries make derivative accounting a challenge that may require specialized expertise and increased internal audit competency. Moreover, internal audit reports need to provide information on the risks associated with derivatives and the processes associated with helping manage those risks. Auditors should familiarize themselves with SEC interpretations of GAAP to help satisfy stakeholder expectations and earn an unqualified opinion.