Speech by SEC Staff:
Remarks before the Securities Industry Association, Internal Auditors Division 2005 Annual Conference
Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
Key Biscayne, FL
October 18, 2005
Internal Audits and SEC Examinations
Good Morning. As an examiner, I feel a kind of kinship with auditors, because like you, we also review the activities of others. It can be a thankless job. So let me start today by acknowledging you and thanking you for your efforts! I'd also like to thank Marc Platizky and Doug Hendersen, of the IAD/SIA conference committee for inviting me to speak.
I see on the agenda for this conference that you had an interesting speaker yesterday, Barry Minkow. As he undoubtedly told you, Mr. Minkow was responsible for a multi-million dollar fraud on investors in the company he founded, ZZZZ Best. I was bemused to see his name on the program because it brought back memories - I was a new staff attorney at the SEC in its Los Angeles Office during the investigation of Mr. Minkow and his firm, and a colleague of mine was responsible for spearheading that investigation. Ultimately, the SEC brought enforcement actions against many people associated with the scheme, including Mr. Minkow himself. It was one of those cases where each step of the investigation revealed new details - each discovery indicating the breadth and audacity of the fraud. That case, like many others I have seen, seemed to begin with some kind of real business operation, i.e., there really was a carpet cleaning business and some amount of carpet cleaning was in fact going on. At some point, however, those good intentions were overtaken by the need to show better financial results, and then, to show even better financial results, and of course by the need to conceal the earlier lies. I suppose the ZZZZ Best case offers some lessons for those of us whose job it is to look for indications of fraud - beware the boldest claims, beware of taking blind comfort in the fact that gatekeepers have approved the product, the inventory or the transaction. And, beware the charismatic pitchman! While I'm glad Mr. Minkow has found redemption, one only wishes he would have found it before defrauding investors.
I have been fortunate to address this group at your annual meetings several times -- each time I spoke about the types of "hot button" issues that we were seeing in SEC examinations. These were also the issues that I hoped that internal auditors would be alert to, and would focus on as well. Indeed, the agenda for this conference includes some of those "hot button" topics - mutual fund sales and trading, clearing and prime brokerage, structured products, anti-money laundering, SAS 70 issues, and more.
You have also heard SEC officials say that we hoped, given the importance of the compliance function, that internal auditors would include a review of the compliance program in the routine scope of their work. Some critical questions that you could ask include -- is the compliance program adequately resourced in terms of the number of staff, their expertise and their access to technology? Does it command the support that it needs to function effectively? Does it conduct an inventory of compliance obligations and risks that the firm is subject to in each area? Does it overlay onto that inventory the methods it uses to encourage compliance? Is it box-checking or forward thinking? Does it consider conflicts of interest and the management of these conflicts? I hope that the importance of a strong compliance function has been well-demonstrated by past events.
Today, however, I wanted to talk with you about a topic that is broader than the discrete compliance issues of the day - and that is the ways in which your work might affect the scope of our work.
As a starting point, let me say directly that I would like for SEC examinations to be able to rely more than we presently do on the existence of a high quality internal audit function in determining the scope of our examinations. This is not a new concept in the audit world. Indeed, as you know, audit standards for independent (external) auditors have long advised that one of the factors an auditor should consider in determining the nature, timing, and extent of the auditing procedures to be performed is the existence of an internal audit function. The standard envisions that the internal auditor will contribute to the firm's overall system of controls, and as such, that the internal auditor will be independent from the activities they audit. The guidance advises the external auditor to gain an understanding of the internal audit function within the firm, to assess the competence and objectivity of the internal auditor, to consider the internal auditors' work in planning the audit, and in evaluating and testing the effectiveness of the audit.
In addition, bank regulators have long articulated standards for the internal audit function and for bank examiners to use in assessing that function.
What does this have to do with SEC examinations? We are considering how we can use this methodology to add value to SEC examinations. We're looking at a particular type of examination. In particular, as you may know, for more than ten years now the SEC staff have conducted specialized examinations of large firms' internal controls and risk management procedures. We use these examinations to evaluate risk controls at the largest and most complex broker-dealers, and have conveyed our findings and results to firm management in an effort to encourage improvements and to proactively seek strengthened controls. Our years of experience conducting these examinations have allowed us to build a solid base of information on risk management procedures and systems at large firms, and to familiarize our examiners with the implementation of risk controls at these firms. Over the course of the years, we've also seen improvements in the risk management systems of many firms, and in the independent auditing and oversight of these systems by the firms' own internal auditors.
In view of our experience and the improvements we have seen over time, we are seeking to enhance our examinations in this area by leveraging to a greater extent on our past examination work, and on the firm's own independent reviews. We hope that this will increase our effectiveness and efficiency by allowing us to focus our resources on areas of higher risk, and areas not adequately covered by the firms' own reviews.
The Commission has recognized that a strong internal audit function can be an important element in large firms' overall internal controls framework. Indeed, in several contexts, the Commission has referenced the role of internal audit. For example, in proposing the CSE framework, the Commission noted that the proposed rule amendments would require a broker-dealer that elects to use the CSE framework to consider a number of issues when creating its risk management control system, including the sophistication and experience of relevant trading, risk management, and internal audit personnel, as well as the separation of duties among these personnel. In addition, the Commission has provided that internal auditors may perform periodic reviews of OTC derivatives dealers' controls and firms' VaR models under the CSE framework. To be clear, there is no SEC regulatory requirement that firms must have an internal audit function, but most large firms have robust internal audit programs.
Let me describe in greater detail the scope of our examinations of internal controls and risk management. We focus on a firm's systems, procedures, resources and performance in the assessment, monitoring and control of risks. The examination begins with an overview of the firm's businesses and the risk management system and controls that overlay the business operations. This includes obtaining an understanding of how managers identify, assess, monitor and control all risks within the broker-dealer. These examinations are conducted in conjunction with a review of the firm's compliance with the SEC's net capital and customer reserve rules.
Here are some of the questions that examiners ask in these exams:
- How are the overall policies established? Is senior management involved in risk management and the oversight of risk parameters and controls?
- What are the resources and systems accorded to risk management? We seek to evaluate whether resources are adequate and systems appear to operate effectively;
- What are controls over market risk in trading activities and firm inventory, including value at risk, economic models, scenario analyses, stress testing, and back testing? We follow a sample of trades from the trading desk through the entire risk management system;
- How is credit risk managed at the firm? We look at controls over counterparty credit risk across all products and businesses, credit limits, pricing models, guarantees, collateral, margin, and settlement and legal risks;
- Does the firm maintain a comprehensive program to ensure its continued funding and liquidity? We look at a firm's internal measures of liquidity, its reserves and its contingency funding plan;
- What are controls over operational risks? We look at segregation of duties, checks and balances, protection of customer funds and securities, operating systems, management information systems, management reporting, front and back office operations, security, contingency planning and disaster recovery;
- Is internal audit effective in conducting comprehensive and independent assessments? We also seek to understand whether deficiencies noted by internal auditors are addressed in a timely manner;
- What are the controls over the introduction of new products? We seek to understand how new products are incorporated into the firm's risk management system.
More recently, we have focused our internal controls examinations on selected business areas which are either new, highly profitable or viewed as possessing greater risk. For the selected business areas, we perform a comprehensive examination of the management, marketing and execution of the business to understand how the business unit is deriving revenue, managing risk and fulfilling its supervisory and compliance responsibilities.
In conducting these internal controls reviews, examiners are seeking to evaluate the quality and the implementation of the firm's internal controls. In areas where controls are strong, we will conduct little or no testing. In areas that are weak, we will conduct more thorough reviews to identify any deficiencies and violations of laws and rules. In order to assist us in this process of identifying where controls are strong we want to understand, to a greater degree, the work of internal auditors, and other independent reviews conducted by the firm or competent external providers. And, as I've said, many of you recognize this approach as one used frequently by federal bank regulators.
To the extent that we can become confident that effective independent oversight has been conducted and that the firm has taken meaningful corrective action, we can limit our review of those areas and focus on high risk areas and areas not adequately covered by the firm's reviews. Working this through to a possible result - this may serve to reduce the scope of our examinations, reduce the time we spend on each examination, and allow for more focused, in-depth and effective examinations in areas posing the greatest risk.
It seems to me that this will only be possible when we have a certain level of understanding and confidence in the internal audit function. Obtaining this understanding and confidence will require good communications between the exam team and the internal audit staff at the outset of these exams. For example, we will seek to meet with the internal auditors, to understand their risk assessment protocols, their risk conclusions, their cycles, their reports, and their process for follow-up on audits. We also may ask for some specific audits that may be relevant to our exam scope. Our goal in this effort will be to determine the extent to which our exam scope ought to reflect the work of internal auditors. I hasten to note that our goal in seeking this kind of interface with internal auditors is not to detect violations or to make enforcement referrals. In fact, as you know, the issues that we deal with in this type of examination go to the strength of the firm's internal controls, and in and of themselves are not the sort of issues that go to enforcement action. I know that many of you in this room this morning have had constructive communications with SEC exam staff on this type of exam, and I hope that we can build on those communications to a greater degree.
I suspect that we will all learn as we go forward in this process, and that as we gain experience with each other, our confidence level in each other will improve. In this specific context, I want to repeat what I said at the outset of my remarks this morning -- we value and appreciate your work -- and we hope to better leverage your efforts in our oversight.
* * *
Thank you for your time and your attention this morning.