Speech by SEC Staff:
Integrating Audit and Compliance Disciplines within the Risk Management Framework
Mary Ann Gadziala
Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission
Operational Risk and Risk Magazine present Compliance '05 USA
New York, NY
November 30, 2005
The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author’s views and does not necessarily reflect those of the Commission, the Commissioners, or the other members of the staff.
Thank you very much for giving me this opportunity to present my views on integrating the audit and compliance disciplines within the risk management framework. A number of recent international and U.S. regulatory groups have acknowledged that these activities are core elements of risk management activity. By all accounts, these functions have risen in prominence over the past few years and now generally maintain a position that is commensurate with their credit and market risk counterparts. We in the SEC’s Office of Compliance Inspections and Examinations consider compliance and internal audit to be particularly critical control components, since they are essentially preventive in nature, and effective programs can reduce the incidence of abuses. In fact, we have recently begun a new initiative to rely more than we had in the past on the high quality internal audit work of broker-dealers in scoping our own regulatory examinations. I will elaborate further on this concept later in my presentation.
Compliance and audit serve two very important, but different roles in the risk management framework. The compliance function, in its most fundamental sense, is the system or process that is meant to reasonably ensure that a firm is complying with all applicable laws, rules, regulations, codes of conduct, firm policies, and standards of good practice. A key role of the internal audit function is to monitor and evaluate the firm’s adequacy, implementation, and performance with respect to risk controls within all aspects of the firm's businesses. One of these control functions is compliance, which should be subject to independent audits as are all other aspects of a firm’s risk management and internal controls activities.
Let’s look at some examples of what can happen to a firm that fails to build and maintain an effective control and compliance system. There are the illegal trading activities of Nick Leeson that helped precipitate the ultimate failure of Barings Bank – a venerable institution that had withstood two centuries of financial turbulence and two world wars. Another example is Drexel Burnham Lambert, a firm featuring Michael Milken. Mr. Milken was sent to jail for securities fraud, which played a substantial role in the firm's failure. At Riggs Bank, significant money laundering violations led to lost reputation and contributed to the sale of this longstanding independent Washington institution to PNC. One of the most recent examples involves Refco. It is alleged that the firm’s CEO fraudulently hid bad debts to buffer the commodities and futures brokerage firm’s financials. The result has been significant customer departures, bankruptcy of Refco’s unregulated operations, and forced sales of other units.
I’m sure all of you can think of numerous other examples of weak controls and compliance breaches that destroyed large, seemingly unassailable institutions. Business personnel obviously have an appropriate profit motive, but they should respect the advice and determinations of firm control and compliance personnel concerning compliance with the law.
The Compliance Function
As I noted earlier, the compliance function is the system or process that is meant to reasonably ensure that a firm is complying with all laws and other regulatory requirements and codes of conduct. The compliance function generally includes the identification of compliance responsibilities, assessment of risks, advice, monitoring, and reporting on the firm’s compliance with securities laws and codes of conduct, as well as assisting in the prevention of violations at the firm.
Another compliance function is having a mechanism in place to protect the firm from liability arising from abuses committed by its customers. This compliance risk was clearly evidenced in connection with the structured finance work of certain financial firms involved in Enron’s accounting abuses. The bank regulators and the SEC published a proposed “Interagency Statement on Sound Practices Concerning Complex Structured Finance Transactions” (Exchange Act Release No. 34-49695). As proposed in the Statement, an institution's policies and procedures should define what constitutes a complex structured finance transaction and should, with respect to such transactions, among other things:
- Define the process for their approval and establish a control process for the approval of all "new" products;
- Ensure reputational and legal risks associated with such transactions are identified, evaluated, and appropriately managed;
- Ensure appropriate review and documentation of the customers' proposed accounting treatment, financial disclosures, and business objectives related to the transactions;
- Provide for the generation, collection and retention of appropriate documentation;
- Ensure senior management and the board of directors of the institution receive appropriate and timely reports;
- Provide for periodic independent reviews to ensure that the institution's policies and controls are being implemented effectively and to identify potential compliance issues;
- Ensure effective internal audit coverage; and
- Appropriately train firm personnel concerning the institution's policies and procedures governing these products.
The federal regulatory agencies are currently working together to address the comments made on the proposed statement in order to produce a revised statement.
Compliance risks include the risk of legal and regulatory sanctions against the firm and firm personnel, material financial loss, loss to reputation, and actual loss of the franchise. These potential losses are incalculable. Therefore, unlike market and credit risks, which are risks deliberately taken as part of the firm’s business, compliance risks are not risks to be taken at all. Firms would be well-advised not to waste resources measuring the chances of being caught, estimating the effect of a potential sanction, and then deciding whether or not to risk a compliance breach. The compliance function should be focusing on how best to ensure compliance. Zero tolerance is the best policy.
In designing or assessing a compliance program, a firm may look first to specific laws and rules covering compliance and supervisory responsibilities. For example, NASD Rule 3013 and NYSE Rule 342.30 require that the chief executive officer certify annually that each member firm has in place a process to establish, maintain, review, test and modify written compliance policies and written supervisory procedures reasonably designed to achieve compliance with applicable regulatory and federal securities laws and regulations. The first certification would be due in April 2006. Other examples are NASD Rule 3010 and NYSE Rule 342, which require firms to establish a supervisory system reasonably designed to achieve compliance with applicable securities laws and regulations. NASD Rule 3012 and NYSE Rule 342.23 require firms to establish, maintain and enforce a system of control policies and procedures that test and verify that the firm’s supervisory procedures are reasonably designed with respect to the activities of the member, and create or amend supervisory procedures where the need is identified.
The Commission recently adopted a rule requiring compliance programs and chief compliance officers for mutual funds (Section 38a-1 of the Investment Company Act) and advisers (Rule 206(4)-7 of the Investment Advisers Act) and a new code of ethics for advisers (Rule 204A-1 of the Investment Advisers Act). There are also relevant federal laws requiring the compliance function, including Section 352 of the USA Patriot Act, requiring financial firms to have compliance programs for anti-money laundering.
These and many other laws and rules specifically dealing with compliance mainly serve the purpose of requiring firms to have effective compliance programs. They do not articulate exactly what the policies, procedures and responsibilities of the compliance program should be. That is because there is no standard “one-size-fits-all” compliance program. Rather, a firm’s compliance program should be customized based upon its structure, organization, business, customers and other relevant factors. However, there are some basic principles that in my view may be generally relevant to any effective compliance program.
The foundation of an effective compliance program is an overarching compliance culture at the firm -- a culture of honesty and integrity that permeates the firm, not simply a superficial, technical compliance with the letter of the law. It is the firm’s overall responsibility to ensure that the compliance program is taken seriously. An effective compliance program is substantive and compliant not only with the letter, but the spirit, of the law.
Compliance starts at the top – and that typically means the board of directors or, where there is no board, executive management (top management). They set the tone of the overall compliance culture and generally approve the overall compliance policy for the firm. Top management oversees the implementation of the compliance policy and ensures that material compliance issues are appropriately and timely resolved. In essence, the top management is ultimately accountable for compliance at their firms.
Another important component of an effective compliance program is a formal documented system for reporting material compliance matters to the top management, so they can effectively perform their oversight and policy-making functions. And, of course, the top management should permit and encourage appropriate access to compliance personnel to perform the reporting function.
There should be a process to identify applicable laws and compliance risks. An effective documented compliance program, based on evaluation of risks and controls, should be established and communicated throughout the firm. The priorities and processes of the compliance function should be consistent with this assessment and the firm’s business and risk management strategy and structure. For example, a firm need not build a strong compliance system to cover variable annuities or hedge funds if it does not offer these products. And a one-person firm that executes a few transactions each day does not need sophisticated technology to ensure compliance, while manual monitoring and surveillance at a large firm with hundreds of branches would hardly seem adequate.
Effective compliance personnel also have certain attributes. They are independent from the business operations and have appropriate expertise, experience, authority, and resources to conduct their compliance responsibilities. Compliance responsibilities should be clearly articulated and persons should be accountable for fulfilling their specific responsibilities. There should also be an effective system to track and resolve compliance issues. Where problems arise or controls are found to be weak, appropriate resolution and improvements should be effectuated.
The compliance function monitors and tests the effectiveness of supervisory controls, and assists in effecting improvements in the firm’s supervisory system, as appropriate. This should be an ongoing process to ensure that the compliance function at the firm keeps pace with all business and regulatory changes, as well as new technology and best practices that may enhance compliance at the firm.
Employee registration, training, and trading are other typical areas overseen by the compliance function. This begins with controls in the hiring process, including effective background checks and reviews of the relevant Forms U-4 and U-5. When firms decide to hire or retain employees who have been subject to multiple customer complaints or disciplinary action, heightened or special supervision may be appropriate. Training and continuing education on the compliance responsibilities of firm employees is an ongoing requirement. And supervisory controls over employee trading should be carefully monitored in view of the opportunities for gaining personal advantage through the use of material non-public information where compliance controls are inadequate.
A typical SEC examination of the compliance function will look for compliance with the laws and rules dealing specifically with compliance. It will also look proactively for weak controls that, while not necessarily violating the letter of the law, may lead to violations because of the lack of effective controls.
Recent pronouncements by such groups as the Basel Committee on Banking Supervision (Basel Committee) and the International Organization of Securities Commissions (IOSCO) have in a sense validated principles employed in our examination work through documents they have issued this year. Two documents, both published in April 2005, that you may find helpful in designing, improving, or evaluating your compliance program are “Compliance and the Compliance Function”, published by the Basel Committee, Bank for International Settlements, and the “Consultation Report: Compliance Function at Market Intermediaries”, published by the IOSCO Technical Committee. These documents may be found on their respective websites. The IOSCO Consultation Report recognizes that compliance with the law is the foundation of ensuring fair and orderly markets and investor protection, the two main objectives of the U.S. securities laws. And the Basel Committee specifically states that compliance should be regarded as a core risk management activity. Many of the same principles we have employed in conducting our compliance examinations of broker-dealers may be found in those publications.
The Internal Audit Function
Now let’s turn to the internal audit function at a firm. Internal audit at a firm conducts periodic, independent reviews of all control functions at the firm commensurate with the perceived level of risk. This means auditing all risk control areas, including the compliance function. Both the IOSCO and Basel Reports specifically state that this principle implies that the compliance function and the audit function should be separate, to ensure that the activities of the compliance function are subject to independent review. The Basel Report goes on to say that there should be a clearly documented understanding as to how risk assessment and testing activities are divided between the two functions. These principles underlie the expectations of our examinations of a firm’s internal audit function.
The SEC has recognized the importance of internal audit in a firm’s overall internal controls framework on a number of occasions. One example is the Commission release authorizing firms to become Consolidated Supervised Entities (CSEs) in order to use internal mathematical models to calculate required regulatory capital. The CSE Release specifically mentions that a firm must consider the sophistication and experience of internal audit personnel, as well as separation of duties among these personnel, when designing and implementing its internal control system’s guidelines, policies, and procedures (Exchange Act Release No. 48690, October 24, 2003).
As I mentioned earlier, the SEC examination program has initiated an enhancement to our program that should permit more effective and efficient SEC risk management examinations by relying on the high quality internal audit work of your firms. Lori Richards, Director of the SEC’s Office of Compliance Inspections and Examinations, in a recent speech, discussed our increased reliance on our past examination work and on the firm's own independent reviews. She stated:
To the extent that we can become confident that effective independent oversight has been conducted and that the firm has taken meaningful corrective action, we might limit our review of those areas and focus on high risk areas and areas not adequately covered by the firm's reviews. Working this through to a possible result - this may serve to reduce the scope of our examinations, reduce the time we spend on examinations, and allow for more focused, in-depth and effective examinations in areas posing the greatest risk.
In order to incorporate this concept into our risk management examination process, we expect to enhance our reviews of the effectiveness and objectivity of the work of a firm's internal audit program.
In assessing a firm’s internal audit programs, we may rely to an extent on factors similar to those articulated in the Statement on Auditing Standards 65 (SAS 65), issued by the Auditing Standards Board. SAS 65 is entitled “The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements” and provides guidance to external auditors in considering the work of internal auditors in determining the nature, timing, and extent of auditing procedures they will perform. While the focus of SAS 65 is auditing financial statements, the basic principles appear to be relevant to our more broad-based audits of risk management and internal controls. They also are generally consistent with our current reviews of internal audit during our risk management examinations conducted over the past decade.
What are some factors SEC examiners may consider in assessing the quality of an internal audit program at a firm? First, we consider internal audit's assessment to determine the areas of risk, risk rankings, and the effectiveness of risk controls, including whether this assessment comprehensively covers all business areas, i.e., the audit universe. We then would review how they incorporate this information into the design and implementation of the audit plan and keep the firm's top management, which has overall responsibility for audit, informed on audit issues.
SAS 65 enumerates key factors to assess the competence and objectivity of the internal auditors. Among the factors listed in SAS 65 in assessing competence are: education and professional experience; professional certification and continuing education; audit policies, programs and procedures; practices regarding assignments; supervision and review of the auditor’s activities; quality of work paper documentation, reports and recommendations; and evaluation of internal auditors’ performance. These are very similar to factors we may consider in examining the competence and objectivity of internal audit at a broker-dealer.
With respect to effectiveness of the internal auditor’s work, SAS 65 requires consideration of
- whether the scope of the work is appropriate to meet the audit’s objectives;
- whether the audit programs are adequate;
- the quality and documentation of work papers, including evidence of supervision and review;
- that conclusions are appropriate in the circumstances; and
- that reports are consistent with the results of work performed.
In addition to looking at these factors to evaluate the quality of the audit program, our examinations may also consider the tracking, follow-up, reporting to top management, remediation, and resulting improvements from the audit process.
These are some of my thoughts based on personal experience conducting examinations and review of current literature on audit and compliance. I hope they may be helpful to you in understanding some of the general principles that underlie the integration of the audit and compliance disciplines in the risk management framework in our examinations in this area. Thank you for listening. I would now be happy to respond to any questions you may have.