Speech by SEC Staff:
The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This speech expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or the other members of the staff.
Thank you very much for providing me this opportunity to address the 2006 Annual Conference of the Internal Auditors Division of the Securities Industry Association. It is always a great pleasure to address fellow securities compliance auditors. Colleagues like you are the first line of defense in ensuring a firm's controls and systems are operating effectively. And your high quality audit work can make our job as SEC examiners less burdensome and more effective. That is especially true in light of a recently initiated process in the SEC broker-dealer examination program under which we are leveraging off the high quality and independent oversight of a firm's internal audit department in conducting our risk management examinations. I will be discussing this process in more detail during my remarks. I would also like to spend a little time noting some of the areas of focus of our examination program. These examination priorities are typically based upon our analysis of risks to investors, registrants, and the markets. They are therefore an indication to you where you might want to focus some of your high level attention.
As I mentioned, the SEC broker-dealer examination program has recently begun the implementation of a new process whereby we may leverage off the high quality work of a firm's internal audit department in conducting our own risk management examinations. This process is being employed only with respect to risk management examinations of broker-dealers and consolidated supervised entities at the current time because these examinations are very resource-intensive. However, it is my view that this process could be extended to other areas if successful in the risk management area. In addition, the practices and procedures I will discuss may be relevant to the development of an effective internal audit program at any firm, regardless of whether you may be subject to an SEC risk management examination. Since the scope of our examination, where this new process is used, will be somewhat dependent on our evaluation of your internal audit work, our risk management examination process has changed to permit our onsite examination to begin with a review of the work of the firm's internal audit department. After evaluation of the internal audit work, we will conduct our examination of market, credit, legal and compliance, operational, and liquidity risks of the firm. We will use an examination scope that may be limited or adjusted based on your internal audit work.
In order to evaluate the quality and strength of the firm's internal audit function, some areas we may review include the qualifications and expertise of audit management and staff, the adequacy of resources and systems, the independence and authority of the internal audit department, and the adequacy of audit coverage throughout the organization with a focus on risk management audits.1
One of the first documents that our examination team will assess is typically the internal audit charter. The purpose, authority, and responsibility of the internal audit function is defined in the charter or other document that is approved by the top levels of the firm, such as senior management and the audit committee. We would expect to see that this document is maintained and updated on a periodic basis. An effective audit charter or comparable document would generally include but not be limited to the following:
The independence of Internal Audit is also critical to the effectiveness and quality of its evaluation of the activities and operations of an organization. In addition to being independent from business operations, an effective internal audit program is typically independent from the compliance department and other "control" groups that it audits. This independence is intended to ensure that Internal Audit is objective and impartial, and that it avoids any conflicts of interest.
Effective implementation of the internal audit function requires that Internal Audit have adequate resources, including personnel and technology. Overall staffing and budget should be sufficient to effectively cover audit needs of the firm as it relates to the size, diversity, riskiness and other relevant aspects of firm operations. This generally means Internal Audit will have the resources it needs to complete the audit plan and auditing tasks effectively and in a timely manner. Auditors should have adequate experience in both auditing and an understanding of business operations of the firm where the auditor has audit responsibilities. SEC examination staff may review resumes or biographies of the internal audit staff, the firm's policies and procedures with respect to minimum qualifications, and auditors' educational level and professional experience. Training and continuing education are also assessed during our examinations. Specialized training sessions for new products or changes in regulations, accounting rules, and business operations may also be considered.
The next part of the SEC review will evaluate the "audit universe" and audit cycles set by Internal Audit. In general, the audit universe is a comprehensive list of all areas of a firm that expose it to risk. It includes business lines as well as other functions and operations, such as the firm's significant information technology applications and platforms. The audit universe covers firm headquarters, branches, subsidiaries, and outsourced activities. It also covers the intersection and interaction of various business operations to assess conflicts and overall relationships with customers and counterparties. Firms use the audit universe to develop a multi-year audit plan to ensure that each area of risk is audited at least once during the audit cycle. Audit cycles are generally based on a combined analysis of inherent risk to the firm and controls that may mitigate the risk. The maximum cycle we have seen, which is for the low risk areas, is typically three to five years. Among the SEC examiners' primary concerns regarding a firm's audit universe are its completeness, risk rankings, and cycles as related to risks and controls.2
An effective internal audit department generally has thorough and clear procedures with respect to the conduct of its audits. Effective audit procedures may (1) explain how the auditor conducts audits; (2) describe the required workpapers necessary to support the audit; (3) contain guidelines for testing and sampling; (4) discuss supervision of the audit; and (5) describe reporting of audit findings and audit reports.3 As I am sure you know, the Accounting Standards Board issued Statement on Auditing Standards No. 103 ("SAS 103")4 to cover non-public companies, which requires an auditor to prepare audit documentation that is sufficiently detailed for an experienced auditor having no previous connection to the audit to understand the audit work performed, evidence obtained, and conclusions reached. SAS 103 also requires auditors to assemble audit documentation that is the "final engagement file" within 60 days of the report release date. It also provides guidance on what to document; states that oral explanations by themselves are insufficient to support audit work or conclusions, although they may be used to clarify audit documentation; and specifies a minimum file retention period of five years. SEC examiners consider this guidance in their evaluation.
The firm's meaningful corrective action in response to the audit is also a key element of the effectiveness of Internal Audit's work. Therefore, appropriate dissemination of results and follow-up are essential. You are no doubt familiar with the Institute of Internal Auditors Performance Standard 2440, which states that the chief audit executive should disseminate audit results to the appropriate parties.5 The dissemination of results will depend on the type of organization, the type of audit work performed, and the circumstances and findings of the audit. Ordinarily the report will go to the business line manager for the area under review and may also go up the management and executive chain depending on the significance of findings. If the findings are significant, they should also generally be reported to the audit committee or Board, as appropriate, by the head of Internal Audit. These processes will also be evaluated.
Once the audit is complete, the audited business area is expected to respond in writing to the audit report within a specified time frame (generally 30 days). Internal Audit may include in the report recommended remedial actions with a specific, reasonable time frame for their completion; in some cases the business area may be better qualified to suggest remedial action acceptable to Internal Audit. Procedures may allow the business area to extend the time to complete the remedial action, often in consultation with Internal Audit. The SEC examination team will look to see if audit procedures include an adequate system to monitor audit findings and their resolution.6
This summary outlines some of the areas our examiners may review in assessing the effectiveness and adequacy of the work of Internal Audit. The SEC examination team will select a number of audits covering risk management controls at the firm. The audit reports, workpapers, testing, sampling, scoping, depth of coverage, findings, timeliness, and follow-up are subject to evaluation by the examination team. This in turn will be used to determine our own examination coverage. We have already used this process in several recent examinations and your high quality internal audit work has allowed our examination teams to reduce or adjust the scope and coverage of their risk management examinations. This permits the SEC examiners to focus on more specific areas of high risk, particularly those not recently or fully covered by a firm's internal audit department or new activities not yet reviewed by Internal Audit.
Now let me mention some of the current areas of focus for our SEC examination program. They include:
I mention these as some examples of current SEC examination priorities. However, like you, we are continually re-evaluating the potential risks to investors, firms, and markets. Thus, our priorities change.
In conclusion, it is my view that there are some potential challenges we can already anticipate. Potential terrorist attacks or natural disasters are probably still the most devastating potential risks for which ample business continuity planning should be implemented. In addition, there is an ever increasing stream of new and complex products being offered and quickly proliferating. It is a challenge to keep pace in the areas of operations, controls, compliance, and training. Sales of complex structured finance products or hedge funds to retail customers may raise particular suitability and supervisory challenges. Structured products marketing and sales continue to escalate with a reported 500% growth in commodities-related structured products and recognition by the Structured Products Association that 2005 was a breakthrough year for retail sales of structured products. Firms have substantially increased their focus on sales and marketing to senior citizens and those in the pre-retirement stage and appropriate attention must be devoted to ensuring sales are suitable. We are also seeing an unprecedented amount of senior management turnover at firms and changes in business strategies which offer continual challenges.
Changes in interest rates will impact home mortgages, home equity loans and fixed income products in ways that may not be expected by investors. Other significant macro-economic market events may also raise risks. For example, a drop in market activity or stock market prices may encourage more aggressive and risky principal trading. As more and more activities are outsourced, firms will be challenged with maintaining appropriate controls and supervision. Technology continues to offer challenges: there are increasing volumes, increased rapidity of trades, more non-public information on potential customer trading provided to firm personnel, and more sophisticated hackers and security breaches. Maintaining robust and flexible controls, and continually monitoring and addressing risks, are the best defenses against compliance and financial failures. I encourage you to continue to consider these and other risks you may identify in keeping your risk management and compliance programs complete and up-to-date. Thank you for your kind attention.