IMPLEMENTING AND AUDITING THE INTERNAL CONTROL SYSTEM

IMPLEMENTING AND AUDITING THE INTERNAL CONTROL …978-0-230-59786-0/1.pdfI. Auditing. Internal. I. Title. HF566X.25 .C523 2000 o5T.45X-dc21 10 l) X 10 Ol) OX 765 07 00 05 Printed in


Also by Dimitris N. Chorafas

• MANAGING RISK IN THE NEW ECONOMY
• NEW REGULATION OF THE FINANCIAL INDUSTRY
• MANAGING CREDIT RISK: 1. Analysing, Rating and Pricing the Profitability of Default
• MANAGING CREDIT RISK: 2. The Lessons of VAR Failures and Imprudent Exposure
• RELIABLE FINANCIAL REPORTING AND INTERNAL CONTROL: A Global Implementation Guide
• CREDIT DERIVATIVES AND THE MANAGEMENT OF RISK
• SETTING LIMITS FOR MARKET RISK
• HANDBOOK OF COMMERCIAL BANKING: Strategic Planning for Growth and Survival in the New Decade
• UNDERSTANDING VOLATILITY AND LIQUIDITY IN FINANCIAL MARKETS
• THE MARKET RISK AMENDMENT: Understanding Marking-to-Model and Value-at-Risk
• COST EFFECTIVE IT SOLUTIONS FOR FINANCIAL SERVICES
• AGENT TECHNOLOGY HANDBOOK
• TRANSACTION MANAGEMENT
• INTERNET FINANCIAL SERVICES: Secure Electronic Banking and Electronic Commerce?
• NETWORK COMPUTERS VERSUS HIGH-PERFORMANCE COMPUTERS
• VISUAL PROGRAMMING TECHNOLOGY
• HIGH-PERFORMANCE NETWORKS, PERSONAL COMMUNICATIONS AND MOBILE COMPUTING
• PROTOCOLS, SERVERS AND PROJECTS FOR MULTIMEDIA REAL-TIME SYSTEMS
• THE MONEY MAGNET: Regulating International Finance, Analyzing Money Flows and Selecting a Strategy for Personal Hedging
• MANAGING DERIVATIVES RISK
• ROCKET SCIENTISTS IN BANKING
• HOW TO UNDERSTAND AND USE MATHEMATICS FOR DERIVATIVES: 1. Foreign Exchange and the Behaviour of Markets
• HOW TO UNDERSTAND AND USE MATHEMATICS FOR DERIVATIVES: 2. Advanced Modelling Methods
• AN INTRODUCTION TO COMMUNICATIONS NETWORKS AND THE INFORMATION SUPERHIGHWAY (with Heinrich Steinmann)
• DERIVATIVE FINANCIAL INSTRUMENTS: Managing Risk and Return
• FINANCIAL MODELS AND SIMULATION: Concepts, Processes and Technology


Implementing and Auditing the Internal Control System Dimitris N. Chorafas


© Dimitris N. Chorafas 2001

Softcover reprint of the hardcover 1st edition 2001

All rights reserved. No reproduction, copy or transmission of this publication may be made without written permission.

No paragraph of this publication may be reproduced, copied or transmitted save with written permission or in accordance with the provisions of the Copyright, Designs and Patents Act 1988, or under the terms of any licence permitting limited copying issued by the Copyright Licensing Agency, 90 Tottenham Court Road, London W1P 0LP.

Any person who does any unauthorized act in relation to this publication may be liable to criminal prosecution and civil claims for damages.

The author has asserted his right to be identified as the author of this work in accordance with the Copyright, Designs and Patents Act 1988.

First published 2001 by PALGRAVE, Houndmills, Basingstoke, Hampshire RG21 6XS and 175 Fifth Avenue, New York, N.Y. 10010. Companies and representatives throughout the world

PALGRAVE is the new global academic imprint of St. Martin's Press LLC Scholarly and Reference Division and Palgrave Publishers Ltd (formerly Macmillan Press Ltd).

ISBN 978-1-349-42552-5 ISBN 978-0-230-59786-0 (eBook) DOI 10.1057/9780230597860

This book is printed on paper suitable for recycling and made from fully managed and sustained forest sources.

A catalogue record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data

Chorafas, Dimitris N. Implementing and auditing the internal control system / Dimitris N. Chorafas.

p. cm. Includes bibliographical references and index. ISBN 978- O·-333-l)2l)~~65

1. Auditing, Internal. I. Title.

HF5668.25 .C523 2000 657'.458-dc21 00-049149

10 9 8 7 6 5 4 3 2 1

10 09 08 07 06 05 04 03 02 01

Printed in Great Britain by Antony Rowe Ltd, Chippenham, Wiltshire

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the author and the publishers are not engaged in rendering legal, accounting or other professional services.


Contents

List of Figures

List of Tables

Preface

Acknowledgements

List of Abbreviations and Acronyms

PART I WHY INTERNAL CONTROL SYSTEMS MUST BE AUDITED

1 The Role of Auditing in an Organization

• Introduction
• Auditing Defined
• Auditing as an Indispensable Element of a Management System
• Senior Management Responsibilities in Connection with Auditing and Internal Controls
• Value-Added Services to be Provided by Auditing
• The Role of an Independent Auditing Committee and the Contribution of the Treadway Commission
• Good Practice Guidelines Regarding Auditing Committee Functions and Responsibilities

2 What is Meant by 'Internal Control'?

• Introduction
• 'Internal Control' Defined
• What Constitutes a Sound Internal Control Policy?
• Steps in Implementing an Internal Control System
• Improving the Status of Internal Control in Business and Industry
• What Is Meant by a 'Rigorous Internal Control Solution'? A Practical Example with Internal Control Approaches to Operational Risk
• Appendix: Definitions of Internal Control by AICPA, Basle Committee, EMI, IIA, and COSO


3 Internal Control and the Globalization of Financial Markets

• Introduction
• The Impact of Globalization on Internal Control
• Regulators Look at Internal Control as a Foundation of Sound Management
• Important Differences Between Accounting Systems Handicap Global Internal Control and Auditing
• Internal Control Deficiencies, Conflicts of Interest, and the Massaging of Accounting Data
• A Threat Curve Which Addresses Our Problems and Their Likelihood

4 New Standards for Auditing Internal Control and the Use of Risk-Based Audits

• Introduction
• Auditing Responsibilities Prescribed by Securities Laws
• Agency Costs and the Impairment of Assets
• Using a Company's Cash Flow for Auditing Reasons
• The Concept Underpinning Risk-Based Auditing
• Authority and Responsibility for Risk-Based Auditing Solutions
• Paying Attention to Information Requirements for Risk-Based Auditing

5 A Methodology for Auditing the Internal Control System

• Introduction
• Discovery is the First Major Step of a Valid Auditing Methodology
• Auditing Strengths and Weaknesses of an Internal Control System: An Example From a Money Centre Bank
• The Methods of Internal Control Resemble Those of Military Intelligence
• Internal Control Intelligence and the Calculation of Assumed Exposure
• Internal Control Intelligence and Dynamic Computing of Capital Requirements
• Synergy Necessary Between Business Units to Make Internal Control a Reality


PART II MANAGEMENT APPRAISAL OF AND ACCOUNTABILITY FOR THE INTERNAL CONTROL SYSTEM

6 Senior Management Responsibilities For Internal Control

• Introduction
• Legal Reasons Why Internal Control Must be Managed
• Effective Internal Control Requires Trustworthy People
• Internal Control, Product Review, and Risk Assumptions
• Senior Management Cannot Delegate its Accountability for Internal Control
• Restructuring is a Critical Element of Financial Innovation
• Beware of Creative Accounting: it is Poison to Internal Control

7 Internal Control Implementation Must Focus on Core Functions

• Introduction
• Which are the Core Functions of a Financial Institution?
• A Polyvalent Approach to the Implementation of Internal Control: the Commission Bancaire Directives
• Why Both a priori and a posteriori Studies Improve Internal Control
• Do We Need a Separate Department to Look After Compliance? The Case of Two Swiss Banks
• Management Intent: Its Impact on Internal Discipline and Financial Reporting
• New Rules of Competition and the Need for Market Discipline

8 Establishing an Efficient Internal Control Structure

• Introduction
• Organizational Solutions for Internal Control at Edward Jones
• The Process of Internal Control and the Prerequisites for Risk Management
• Commercial Risk, Financial Risk, and the Tuning of Internal Control


• Should We Analyze the Behavioural Pattern of Our Traders?
• Developing and Using a System of Internal Margin Calls
• Internal Controls Should Highlight Information Technology Failures

PART III CASE STUDIES ON THE IMPLEMENTATION OF INTERNAL CONTROL

9 Applying Internal Control to Our Institution's Limits System

• Introduction
• Limits, Marking-to-Market, and the Contribution of Internal Control
• Internal Control and the Role of Benchmarks
• Answers by Leading Institutions to an Internal Controls and Limits Questionnaire
• Setting Limits is a Business Requiring Know-how and Imagination
• The Study of Internal Controls by the European Monetary Institute
• Advance Notice Can Help in Limiting Future Loss Through Repositioning

10 Auditing Counterparty Limits and Trading Limits

• Introduction
• Internal Controls and Dynamic Limits Management
• The Role of Auditing in Controlling the Calculation of Prices and Risk Premiums
• Internal Controls, Leveraging, and the Evaluation of Risk and Return
• Should Internal Controls Reflect a Portfolio's Diversification?
• Internal Controls and Limits for Equity Trading
• Examining and Implementing Limits in Currency Positions

11 An Internal Control System for Engineering Design, Product Development, and Quality Assurance

• Introduction
• Long-Termism and Short-Termism in R&D


• A Methodology for Internal Control Applied to Engineering Design
• Internal Control's Contribution to the Project Manager's Job
• Internal Control for Prototypes and for Measurements Connected with Different Projects
• Design Reviews are Essentially a Process of Rigorous Auditing
• An Infrastructure for Quality Assurance

12 Services Provided by Information Technology to the Auditing of Internal Controls

• Introduction
• Positioning Our Institution to Profit From the Fact that Banking is Information in Motion
• The Use of Advanced Technology is not a Fad but an Obligation
• Online Banking and the Auditing of Financial Operations
• The Effective Use of Information Technology for Internal Control
• The Regulators Emphasize the Need to Use Technology in an Able Manner
• Why Auditing Increasingly Depends on Computer Systems

13 The Contribution of External Auditors to the Internal Control System

• Introduction
• Value-Added Duties Beyond Those Classically Performed by External Auditors
• What Should be Expected from Auditing Internal Controls by External Auditors?
• Are Central Bank Examiners Better Positioned in Studying the Effectiveness of Internal Controls?
• The Concept Behind Outsourcing Internal Auditing and Other Duties
• A Closer Look at Outsourcing Internal Auditing, its 'Pluses' and 'Minuses'
• Liabilities Which Might Come the Way of External Auditors


Bibliography

Appendix of Participating Organizations

Index


List of Figures

1.1 The domains where auditing functions are necessary if modern business continues to expand

1.2 The concepts underpinning internal control and audit tend, up to a point, to overlap

1.3 It is wise to make a distinction between the functions of auditing and those of internal control

1.4 Front desk and back office should be separated, and the same is true of other functions, but all must be transparent to auditing

1.5 The bifurcation in self-assessment through internal control and auditing

2.1 Focal areas of internal control and the impact of internal and external key factors

2.2 The functions of internal control, auditing, accounting, treasury, and risk management overlap, but also have a common core

2.3 Infrastructure and pillars supporting a valid solution to internal control

2.4 Roles and responsibilities of different agents concerned by the control of risk

2.5 Technological solutions addressed to high-grade professionals must be positioned in an unstructured information environment

2.6 The top four operational risks influence one another in a significant way

3.1 A real-time framework for focusing internal control by country and in a global setting

3.2 Four different organizational approaches followed by credit institutions with regard to internal control and risk management

3.3 The internal control framework of COSO implementation, as seen by the Federal Reserve Bank of Boston

3.4 By ordering the probability associated with different risks, a threat curve can assist in appreciating their likelihood

3.5 Radar chart for off-balance-sheet risk control to keep top management alert


• Assets in the balance sheet and off-balance sheet of a major financial institution
• Liabilities in the balance sheet and off-balance sheet of a major financial institution
• Seasonally adjusted German M-3 money supply, fluctuation in the 1990 to 1994 timeframe
• High quality means that tolerances are observed at all times; low quality fails to observe tolerances
• Discovery is an analytical process, while legal conclusions are synthetic and practical
• There are three ways of looking at internal control, with accounting at the kernel and high technology the outer layer
• The internal control intelligence cycle consists of six major steps
• Intraday follow-up on exposure, bank-wide and trader-by-trader
• There are common elements in different types of risk: with new instruments these should be addressed on the drawing board
• The policy of the OTS has borne fruit: no thrift failures since 1993
• The life-cycle of business passes through successive phases, each requiring specific skills
• Block diagram of profit and loss (P&L) analysis of a profit centre
• Distribution of Daily Trading Revenue (P&L) at Credit Suisse First Boston, 1997 and 1998
• Abstraction is the two-way interface between complexity and simplicity
• The difference 1 month makes: benchmark yield curves with 30-year bonds in three G-10 countries: United States
• The difference 1 month makes: benchmark yield curves with 30-year bonds in three G-10 countries: United Kingdom
• The difference 1 month makes: benchmark yield curves with 30-year bonds in three G-10 countries: Japan
• Auditing is a metalayer whose business is rigorous inspection, not the day-to-day control of operations
• Management intent and strategic planning overlap, but basically they are different concepts


1.1 A feedback mechanism characterizing both engineering constructs and financial markets, but many bankers lack this sensitivity

8.1 Securum's three-layered internal control organization for credit exposure

8.2 Evolution of longer-term financial assets v. the trading portfolio at a money centre bank

8.3 SQC chart with tolerance limits and control limits

8.4 Average market risks of a money centre bank, over a period of 2 years

9.1 Risk management should be studied in a multidimensional space, in a manner similar to process control

9.2 Four different dimensions of liquidity to be controlled intraday

9.3 A classification of business partners based on sophistication of client demands and potential risk exposure

10.1 A thorough evaluation of VAR requires that three metalayers work in synergy

10.2 The statistical distribution of loans losses classified into three major categories

10.3 Some frightening statistics on equity, assets, and derivatives exposure by Chase Manhattan

10.4 Yield spread average of AAA corporate bonds v. equal maturity government bonds

10.5 An efficient frontier analysis tries to balance risk and return, eventually leading to portfolio optimization

10.6 In mid-to-late 1995, Cypress Semiconductor lost 60 per cent of its capitalization

11.1 Able solutions to R&D must have globality, benefit from technology and standards, and be subject to critical project revamps

11.2 The acceleration in technology characterizing the mid-to-late 1990s is expected to continue well into the twenty-first century

11.3 According to Jean Monnet, planning for the future should start at end-results level and move toward the beginning

11.4 Non-seamless interfaces significantly reduce the efficiency and reliability of engineering work during product transition

11.5 The need for design reviews is present in any project

11.6 The impact of good management on competitiveness can best be appreciated in a 3-dimensional frame of reference


11.7 Chart for number of defects per unit and adjustments on an hourly basis, during a week

12.1 Investments in information technology: United States v. Euroland, 1993 and 1999

12.2 Technology supporting four different banks which offer personal banking services

12.3 Grand design of an IT solution addressing a range of functional and operational characteristics

12.4 A bank's financial network and effective management of client accounts

12.5 The distribution of IT investments and supported functionality is not keeping pace with end-user demands

12.6 Financial instruments become complex because they can be combined in many and varied ways

12.7 Management information needed to do business v. data which is massively produced

13.1 The Hampel Report recommended adding new areas to internal control

13.2 Rigorous evaluation of exposure, study of business opportunity, and analysis of business intelligence rest on four pillars

13.3 A three-tier and two-tier model in bank supervision

13.4 Rating the quality of internal auditing and/or outsourced services using confidence intervals


List of Tables

2.1 The top dozen operational risks

3.1 Comparison of some of the outstanding differences between the US GAAP and Italian GAAP

6.1 NPVR limits in connection to changes in interest rates

7.1 Net asset value on year-to-year basis through two different trading strategies

7.2 A bank's exposure to loans and derivatives risks, standard VAR v. stress analysis

7.3 Reserve requirements for loans to sovereigns, banks, corporate clients, and securitized instruments based on ratings by independent agencies

9.1 VAR in Commerzbank's trading portfolio, 1997

9.2 VAR in Commerzbank's trading portfolio, 1996, and 1997-1996 comparison

10.1 Demodulated derivatives exposure compared to equity and assets of major credit institutions, as of 31 March 1999


Preface

Written on the threshold of the twenty-first century - a time that is increasingly marked by globalization of products and services, rapid progress in financial analytics, and technological breakthroughs - this text addresses itself to managers and professionals. Typically, its readers have, or are about to have, fiduciary responsibilities and/or an immediate and deep interest in assuring the evolution of internal control for reasons of good governance.

The International Organization for Securities Commissions (IOSCO) says that a control structure can only be as effective as the people who operate it. Therefore, strong commitment by the board as well as by all managers and professionals working for a financial institution, a manufacturing enterprise, or any other organization, is a prerequisite to the good functioning of internal control - that is, the intelligence necessary to ascertain that an entity functions effectively, according to ethical standards, board policies, and regulatory rules.

One of the lessons managers should learn very early in their careers is that they have to deal with the world as they find it, not as they might wish it to be. From this derives the need for interpretation of information internal control provides, looking for presence or absence of compliance and asking why and how there are deviations, and what that means for their company's present and future. Here are, in a nutshell, the five basic principles of an effective internal control.

• Internal control is a dynamic system covering all types of risk, addressing fraud, assuring transparency, and making possible reliable financial reporting.

• The chairman of the board, the directors, the chief executive officer (CEO), and senior management are responsible and accountable for internal control.

• Beyond risks, internal control goals are preservation of assets, account reconciliation, and compliance. Laws and regulations impact on internal control.

• The able management of internal control requires policies, organization, technology, open communications, access to all transactions, real-time operation, quality control, and corrective action.

• Internal control must be regularly audited by internal and external auditors to ensure its rank and condition, and to see to it there is no cognitive dissonance at any level.


Cognitive dissonance is the name for the organizational phenomenon whereby people ignore something that does not fit their view of the world and pretend it does not exist. This is distinct from outright fraud, or the intentional falsification of events and records. But, like fraud, cognitive dissonance is anathema to the proper functioning of an internal control system, and therefore internal auditors and external auditors must be on the alert.

An organizational issue to attract the auditor's attention in examining the lines of authority and accountability for internal control purposes is the separation of responsibility for the measurement, monitoring, and supervision of exposure from that of day-to-day operations. Auditors are, or at least should be, well aware that the execution of any transaction and the inventorying of any position give rise to risk. Risk has to be monitored and managed, but this must be independent of trading, lending, and other revenue sidelines.

Auditing is part of senior management duties. The role of internal audit is to analyze and reconcile accounts, test the dependability of financial statements, evaluate qualitative business aspects, detect fraud, and master internal control details. The internal auditing function must be staffed with first-class people, be supported by the best technology, and report directly to the board or the Audit Committee. In executing their functions, auditors should form a view on the correctness and efficiency of the way in which the company is managed.

* * *

With globalization, deregulation, and the advent of derivatives, credit institutions, as well as the treasury operations of manufacturing, merchandising, and service companies, are finding that their traditional tools for management control no longer suffice. They must develop more efficient processes able to measure and monitor their risks in real-time. They must also have tools that permit them to exercise timely and accurate control.

This is well known to national and international regulators who have issued a number of directives to enhance existing means for compliance, and promote risk management systems - including the use of Audit Committees and the redefining of internal control functions. Regulatory authorities are also seeing to it that both the members of the board of directors and external auditors are responsible for the company's system of internal checks and balances, and for the implementation of rigorous solutions able to provide assurance against material misstatement or loss.


The book the reader has on hand addresses the need for a direct confirmation that senior management and the auditors have reviewed the effectiveness of the system of internal financial and operational controls. This text is divided into three parts. Part 1 defines both auditing and internal control, then explains why internal control must be audited and in which way this should be done to improve upon the quality of deliverables.

Chapter 1 addresses the role of auditing in an organization. It demonstrates that auditing is an indispensable instrument of management, and documents that rigorous auditing can provide value-added services. This chapter also outlines the functions and responsibilities of the Auditing Committee, at the level of the board of directors. Its existence has been strongly recommended by the Basle Committee on Banking Supervision of the Bank for International Settlements (BIS).

Chapter 2 focuses on internal control. After defining the internal control functions and the senior management policies on which these should rest, it presents to the reader the successive steps necessary for implementing a rigorous internal control system, demonstrating why properly studied and applied internal controls can be instrumental in curbing not only fraud but also credit risk, market risk, operational risk, and other major exposures.

Chapter 3 examines the need for internal controls from the viewpoint of globalization of financial markets. It brings home the point that important differences in accounting systems handicap internal control and auditing, and it documents how conflicts of interest work to the detriment of internal control - and therefore of the company's ability to take hold of itself.

The theme of Chapter 4 is new standards for auditing internal controls and risk management systems. Practical examples range from the more classical auditing of cash flow to risk-based auditing. A methodology for auditing the internal control system is presented in Chapter 5. Internal control information is compared to military intelligence, and applications examples are taken from trading in derivative financial instruments.

Accurate information passed in a timely fashion to decision-makers can enable them to take appropriate steps whether these focus on new business opportunities or on control action. The latter is the role of internal control intelligence. However, numbers and statistics are only a small part of the game. Much of the risk taken by a company because of trading and inventoried positions is inherently unqualified. Yet, we try not only to qualify it but also, whenever possible, to quantify it - because this is the only way to control it.

On these premises rests Part II, which addresses top management's accountability for internal control. The line of responsibilities starts at the chairman of the board, and though authority is delegated, responsibility is not; it always stays at the top. This is precisely Chapter 6's subject. The text explains why effective internal control requires trustworthy people all the way down the line of command. It also brings into perspective the need for restructuring, and makes the point that it is wise to keep away from creative accounting practices.

The synergy between internal controls and core functions is the next important theme examined. Chapter 7 looks into core functions from the perspective of a credit institution. Emphasis is placed on both a priori and a posteriori studies as well as on compliance. Attention is also paid to management intent and to why transparency is practically synonymous with market discipline.

Transparency requires both appropriate board policies and an efficient internal control structure. This is explained in Chapter 8, which takes as an example of necessary policies those of a better-known brokerage in the United States. The reader is also presented with advice on useful tests on the way internal controls work, tips on improvements, and a discussion on the role of advanced technology in making the internal control system so much more efficient.

Technology can be instrumental in distilling data streams and in mining databased events but, as Part III explains through case studies, for information to become intelligence there is no substitute for sound and well informed analysis. On the bottom line, internal control intelligence is the interpretation of facts and figures and educated guesswork on management intent at all levels of the organization.

The practical examples in Chapter 9 revolve around applying internal control to our institution's limits system, and to other prudential benchmarks put in place by top management. The text presents the reasons why setting limits is a business requiring know-how and imagination, as well as a feedback which makes possible dynamic limits management. The latter is the theme of Chapter 10, which elaborates further on the role of auditing in controlling the calculation of prices and risk premiums, estimating the amount of leveraging, and identifying a range of risks from equity trading to currency positions.

Chapter 11 changes the frame of reference by examining the role of internal control in engineering and manufacturing. Starting with long-termism and short-termism in research and development (R&D), it proceeds with internal control applied to engineering design. Practical examples are taken from project management and design reviews, as well as from prototyping and quality assurance. Unavoidably, this leads to a discussion on information technology.


Effective internal control and high technology are inseparable, particularly so in a very dynamic, globalized market. Chapter 12, therefore, focuses its attention on the services information technology provides in connection to the auditing of internal controls. It also explains why the use of advanced technology is not a fad but an obligation. The cutting edge of technology is never a bleeding edge unless we don't know what we are doing. But falling behind in technology has often proved to be the bleeding side of an internal control system.

While much can be done by way of supporting an internal control structure through human resources employed by our firm, external auditors can also play a major role. This is the theme of Chapter 13, which addresses both classical and modern duties of external auditors, in connection with scrutiny and verification of our company's internal controls. Part of this discussion is outsourcing, its strengths and weaknesses; another part is the responsibilities of all players involved in auditing internal controls.

The careful reader who considers all of the points which have been made will appreciate that internal control should be examined from different angles to assure the appropriateness of policies and procedures. Among the issues to which attention should be paid is auditing staff qualifications. Is the staff experienced in analyzing an internal control system and its effectiveness? Is a training programme in effect? Are members of the staff experienced in specialized areas such as risk management and information technology?

Other questions, too, are key to the interpretation of intelligence. Does the depth of coverage of the audits appear to be sufficient? Is the chief auditor a member of an executive system planning committee? Is he or she reporting directly to the chairman or the auditing committee? Behind these queries are the reasons why, from Chapter 1, auditing procedures have been brought under a magnifying glass. Do these procedures employ statistically valid sampling techniques, with acceptable reliability and precision? Is the content of auditing independent of adverse influences by different interests? Has the auditing of internal control been formally established by the board of directors?

It is worth practically nothing to audit internal controls if the intelligence being collected is distorted by self-imposed limitations and deliberate misconceptions. Distortion of factual and documented discoveries in the auditing of internal control is a very dangerous business for any company, no matter how senior and how clever its board, CEO, and top management may be. This has been the conclusion of the research which led to this book.


Acknowledgements

I am indebted to a long list of knowledgeable people, and of organizations, for their contribution to the research which made this book possible. Also to several senior executives and experts for constructive criticism during the preparation of the manuscript. The complete list of the senior executives and organizations who participated in this research is shown in the Appendix.

Let me take this opportunity to thank Stephen Rutt and Zelah Pengilley for suggesting this project and seeing it all the way to publication, and Keith Povey and Barbara Docherty for the editing work. To Eva-Maria Binder goes the credit for compiling the research results, typing the text, and making the camera-ready artwork and index.

Valmer and Vitznau

DIMITRIS N. CHORAFAS

The author and publishers are grateful to the Credit Suisse Group for permission to reproduce copyright material from the Credit Suisse Annual Report of 1998.


List of Abbreviations and Acronyms

AICPA   American Institute of Certified Public Accountants
ALM     Assets and Liabilities Management
ASB     Accounting Standards Board (UK)
BAI     Bank Administration Institute
BIS     Bank of International Settlements
BNE     Bank of New England
BWG     Bankwesengesetz (Austrian Banking Act)
CAD     Computer-Aided Design
CAM     Computer-Aided Manufacture
CAR     Capital-at-Risk
CEO     Chief Executive Officer
CFO     Chief Financial Officer
CFTC    Commodities Futures Trading Commission
CMO     Collateralized Mortgage Obligation
COSO    Committee of Sponsoring Organizations (Treadway Commission)
CPA     Certified Public Accountant
CRMO    Chief Risk Management Officer
DSP     Digital Signal Processing
ECB     European Central Bank
EMI     European Monetary Institute (now ECB)
ESCB    European System of Central Banks
FASB    Financial Accounting Standards Board (US)
FCPA    Foreign Corrupt Practices Act (US)
FDIC    Federal Deposit Insurance Corporation (US)
FDICIA  Federal Deposit Insurance Corporation Improvement Act (US)
FIRREA  Financial Institutions Reform, Recovery, and Enforcement Act (US)
FSA     Financial Services Authority (UK)
G-10    Group of Ten (US, UK, Japan, Germany, France, Italy, Canada, Holland, Belgium, Sweden, Switzerland and Luxemburg as observer)
G-30    Group of Thirty (a Washington Think Tank)


GAAP    Generally Accepted Accounting Principles (US)
GAAP    Generally Accepted Accounting Practice (UK)
GAAS    Generally Accepted Accounting Standards
GAO     General Accounting Office (US)
GIGA    Giga Instructions per Second
HFFD    High-Frequency Financial Data
IAS     International Accounting Standard
IASC    International Accounting Standards Committee
IIA     Institute of Internal Auditors
IC      Internal Control
ICS     Internal Control System
IMF     International Monetary Fund
IOSCO   International Organization for Securities Commissions
ISDA    International Derivatives Dealers Association
IT      Information Technology
KWG     German Banking Act
LTCM    Long-Term Capital Management
MIPS    Million Instructions per Second
MITI    Ministry of International Trade and Industry (Japan)
MOU     Memorandum of Understanding
NASD    National Association of Securities Dealers
NASDAQ  National Association of Securities Dealers Automated Quotation
NPV     Net Present Value
NYSE    New York Stock Exchange
OCC     Office of the Comptroller of the Currency (US)
OTC     Over the Counter
OTS     Office of Thrift Supervision
QA      Quality Assurance
R&D     Research and Development
RICO    Racketeer Influenced and Corrupt Practices Act (US)
ROI     Return on Investment
RV      Replacement Value
S&L     Savings & Loan
SEC     Securities and Exchange Commission (US)
SFAS    Statement of Financial Accounting Standards (US)
SQC     Statistical Quality Control
STRG    Statement of Total Recognized Gains and Losses (UK)
TQM     Total Quality Management
VAR     Value-at-Risk