Risk Management and Control Guidance for Securities Firms and their Supervisors
(CONSULTATIVE DOCUMENTS)

IV. Elements of a Risk Management and Control System

It is generally accepted within the financial industry that a key component for the successful management of risk is a strong and effective risk management and controls structure within each securities firm. The following elements of a sound and effective system of risk management and controls are suggested benchmarks that firms and supervisors in each jurisdiction can use to test the adequacy of the control environment for securities business activities:

The Control Environment

1. Firms need to establish a mechanism to ensure that they have internal accounting controls and risk management controls. Supervisors need to establish a mechanism to ensure that the entities they regulate have internal accounting controls and risk management controls. The supervisory mechanism need not prescribe specific and detailed controls, but rather provide general guidance to firms.

2. Firms and supervisors need to determine that controls are set and monitored at the senior management level at a firm; responsibility for monitoring controls is clearly defined; and senior management promotes a culture of controls at all levels within a firm.

The control environment is a representation of the attitude, awareness, and actions of a securities firm's governing body and senior management toward the safeguarding of the firm's financial resources and the integrity of internally generated information. The control culture should also be expanded to all staff levels, with a view to promoting a widely shared control culture within the firm. As an example of this concept, Statement of Auditing Standards No. 78 states that the control environment sets the tone of an organization, influencing the control consciousness of its people; it is the foundation for all other components of internal control, providing discipline and structure.[5]

The control environment's effectiveness is influenced by several variables, including:

    • Management's attitudes, beliefs, and practices;
    • Organizational structure and accountability;
    • Nature and scope of the governing body and management committees; and
    • Degree of external oversight.

A strong control environment is the essential basis of a firm's efforts to protect itself from unanticipated losses and erosion of capital. When working properly, internal accounting controls and risk management and controls can spot and identify potential problems early on and, while they may not prevent unanticipated losses (nor should they be so extensive as to prevent losses), they can bring such situations quickly to light within the governing body's and senior management's thresholds (e.g., Salomon Inc.'s pricing controls described under "operational risk" above). When a firm lacks an adequate control environment, it is at the mercy of unscrupulous employees who may take advantage of the firm, in some instances with terminal consequences (e.g., the collapse of Barings PLC). The lack of an adequate control environment and "control consciousness" on the part of a firm's governing body and senior management has been at the root of such recent losses at Barings, Daiwa, Kidder Peabody, and NatWest.

The governing body has the ultimate responsibility to a securities firm's owners for understanding the risks and exposures facing the firm, ensuring that senior management takes the necessary steps to monitor and control these risks, and ascertaining the effectiveness of the risk management and control systems.[6] Senior management, in turn, has the responsibility for day-to-day oversight of the firm's activities, implementing appropriate risk management and control policies, and monitoring risks and exposures to the firm. Both the governing body and senior management are responsible for promoting high standards of ethical conduct.

Supervisors of firms, as well as the firms themselves, have to be control conscious. Supervisors must be satisfied that the firms they oversee have adequate control environments and that senior management sponsors a culture of control at all levels within a firm. In order to do this, supervisors must have the tools and mechanisms (e.g., statutory authority, financial means, human resources, etc.) to be able to satisfy themselves with respect to the control environment. Certain aspects of this, such as identifying material weaknesses or inadequacies in the system of internal accounting controls, may involve the use of independent external auditors. Supervisors should not craft a "one size fits all" detailed control framework, as each institution has unique aspects and characteristics to its organization and the way it conducts business. Rather, supervisors should provide broad, general guidance which is flexible and which firms can adapt as they see fit. This is not intended to preclude supervisors that have determined controls have fallen below acceptable levels of international standards or minimum standards in their jurisdictions from setting detailed requirements for a particular firm.

It is incumbent upon supervisors to ensure that firms' risk management and internal accounting control environment is consistent with the general framework. Each firm should have its control environment documented and approved by its governing body. By documenting the control environment, a firm can clearly illustrate to supervisors and external third parties that it has policies and procedures in place to ensure that the assets and capital of the firm are safeguarded from unauthorized use.

Nature and Scope of Controls

3. Firm guidance and guidance from supervisors should cover both internal accounting controls and risk management and controls.

4. Internal accounting controls for firms should include books and records requirements, segregation of duties, and controls that are designed to safeguard assets of the entity and to safeguard customer property.

5. Risk management and controls for firms should include controls for overall firm and individual trading desk limits, market risk, credit risk, legal risk, operational risk, and liquidity risk.

The nature and scope of risk management and controls by necessity must fit the organization they are going to protect, which means they cannot be dictated in much detail from without, but must be designed from within to meet the needs of the organizational structure as well as a firm's business practices and appetite for risk. Irrespective of design and implementation, controls can provide only reasonable assurance with respect to fulfilling a firm's control objectives.

To be effective, risk management and controls must cover certain basic elements. The basic control elements which should be disseminated as firm guidance by management and guidance from supervisors should cover both internal accounting controls, which include basic books and records requirements, and risk management and controls. Basic internal accounting controls for firms should include books and records requirements which have controls that are designed to safeguard assets of the entity and to safeguard customer property. This needs to be accomplished in an environment where duties are segregated (i.e., front office and back office responsibilities must be separated). Segregation of duties is necessary to reduce the opportunities to allow one person to be in a position to both create and conceal errors in the normal course of business. It is therefore important to assign different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. For example, this may require the independent verification of pricing securities positions and other information.

Risk management and controls for firms should include controls for overall firm and individual trading desk limits, market risk, credit risk, legal risk, liquidity risk, and operational risk (as discussed in detail above in Section II, "The Role of Risk Management and Controls"). The degree of risk that a firm takes is generally not a concern of the regulator. A regulator needs to have a clear understanding of the risk appetite of the firm to review the control structure appropriateness.

Implementation

6. Firm guidance from senior management to the business units regarding controls should contain general guidance at the most senior levels and specific and detailed guidance as the information flows to smaller business units and individual trading desks.

7. Firms should have and supervisors should require written documentation about their control procedures.

Implementation procedures need to be performed to effectively carry out management's wishes regarding the controls that need to be established in an entity. Without effective implementation procedures, the best system of controls will be nothing more than a facade. We have seen examples of this in some recent high profile losses reported by financial institutions where the existence of control systems was documented, but the controls were not properly implemented by the organization.

It is the responsibility of senior management to provide general guidance to the most senior levels and specific and detailed guidance as the information flows to smaller business units and individual trading desks. This can be accomplished with the use of written documentation about control procedures at each level of the control hierarchy. The absence of written evidence of controls should be a warning to firms and supervisors that a weak control environment may exist, which would pose significant risks to a firm, its customers, and institutional counterparties.

The existence of written procedures alone is not assurance that an adequate control environment exists; additional evidence of proper implementation and verification by firm management at all levels, and examination procedures by regulators, are required. This means in part that line managers must be actively involved in controls and their frequent use. The procedures that need to be put in place to properly implement a system of internal controls are best left to individual firms. Senior management is responsible for creating an appropriate risk management and control structure within a firm. It must be cost effective. Any implementation procedures, in order to be effective, must involve management at all levels and should be strictly enforced with severe penalties for employees that circumvent or ignore control directives.

Verification

8. Firms and supervisors need to determine that controls, once established by management, are effectively operating as designed on a continuous basis.

9. Firms and supervisors need to establish mechanisms to verify that controls, once established, are being followed. The verification procedures should include internal audits, which should be independent of the trading desks and the revenue side of the business, and external audits by independent accountants. For supervisors, additional verification would be accomplished through an examination process. Firms need to determine that recommendations by auditing bodies and supervisors are properly implemented.

10. Firms and supervisors need to determine that controls, once established, keep pace with new products and industry technology.

Verification is an essential element of any risk management and control system. Without a comprehensive set of verification procedures by firms and supervisors the risk of a breakdown in controls somewhere in an organization increases. Firms and supervisors need to determine that controls, once established by management, are operating as designed and keep pace with new products and industry technology.

For firms, the verification procedures must include internal audits conducted by employees who are properly trained and have adequate resources. For supervisors, verification procedures should include, to the extent possible, examination procedures that allow for some testing of firm controls.

In addition, external audits by independent accountants which cover at least the internal accounting control systems should be part of a firm's annual procedures and should also be mandated by the supervisory authority responsible for firm oversight. In some jurisdictions the use of external auditors may supplement the examination process and may be engaged to do special purpose audits for special problems or concerns. The mix of supervisor exams and special purpose exams by external auditors is left to the decision of each jurisdiction.

Verification procedures relating to controls should be a function of internal and external oversight with four levels of defense:

    • Internal day-to-day management;
    • an internal audit function;
    • external auditors; and
    • supervisors.

Line managers are responsible for monitoring and ensuring the effectiveness of controls daily. Internal auditors are responsible for making periodic checks of the system. External auditors are responsible for making independent checks of the control systems. Without taking away or diminishing from the responsibilities of these three groups (line managers, internal and external auditors) supervisors, based upon their individual statutory and regulatory authority, will also use high level review, examination procedures, and other oversight processes to satisfy themselves that no gaps are present in the control environment.

Reporting

11. Firms need to establish and supervisors should require mechanisms to report material inadequacies or breakdowns in controls to senior management and supervisors on a timely basis.

12. Firms should be prepared to provide supervisors with relevant information about controls. Supervisors should have mechanisms to share information about controls with each other.

Reporting on the adequacy of risk management and controls is necessary to maintain an effective and efficient control environment. Firms need to establish and supervisors should require mechanisms to report material inadequacies or breakdowns in controls to senior management and supervisors on a timely basis. Without timely reporting procedures about breakdowns in controls, the effectiveness of controls would be diminished due to the loss of essential and timely information that may be crucial to the decision making process of management and regulators.

Effective reporting procedures can only be maintained if the firm has in place a good information system which will permit accurate and detailed information to be retrieved in a timely and reliable manner. Supervisors' ability to gather and accurately interpret necessary financial and operational information relating to the control environment is critical to effective supervision.

Firms should be prepared to provide supervisors with relevant information about the use of controls in each firm and about control failures in both routine and emergency situations. Supervisors should have mechanisms to share information about controls with each other during these situations. Supervisors' information needs relating to controls will often be sharply focused and potentially very detailed in any emergency situation. While the primary information needs in an emergency situation will be firm-specific, there may also be a need for information relating to depositories, exchanges, and clearing organizations.

Footnotes

5. American Institute of Certified Public Accountants, "Statement of Auditing Standards No. 78, Consideration of Internal Control in a Financial Statement Audit", paragraph .07a.

6. This should be read in the context of the legislative and regulatory frameworks in each jurisdiction which may differ in the high level governance and management structures and obligations they impose upon firms at the highest levels.
