Risk Management and Control Guidance for Securities Firms and their Supervisors

Appendix A

The following is a listing of significant issues papers offering additional firm and supervisory guidance and insight concerning risk management and controls:

1997 International Standards on Auditing 400: Risk Assessment and Internal Controls

The purpose of this International Standard on Auditing is to establish standards and provide guidance on obtaining an understanding of the accounting and internal control systems and on audit risk and its components: inherent risk, control risk and detection risk.

July 1997 European Monetary Institute: Internal Control Systems of Credit Institutions

Basic principles for a sound internal control system. The report is intended to assist banking supervisors in assessing the adequacy of the internal control systems of credit institutions. It draws upon the practical experience of banking supervisors in the European Union and incorporates comments made to a number of international accounting firms.

June 1997 Global Supervision of Financial Institutions and Markets Study Group: The Group of Thirty, Global Institutions, National Supervision and Systemic Risk ("Study")

The rapid evolution of financial institutions, products and markets is increasingly challenging the effectiveness of management oversight, market discipline, and official supervision. That concern prompted the creation of this study group on the global supervision of financial institutions and markets by the Group of Thirty.

Managing an expanding range of complex products and varied services around the globe and around the clock is a daunting challenge, but it has become business as usual for globally active firms. This operating environment places a premium, as never before, on understanding and managing risk. A key to understanding and managing a firm's own risk is evaluating how effectively counterparty firms understand and manage theirs; a task that is, if anything, more challenging than the first because of the limited grounds on which to base such a judgment. Most daunting of all is the difficult task facing national supervisors who are charged with setting supervisory requirements for the global operations of complex financial conglomerates while operating within the limits of national legal jurisdiction and supervisory charters. Even as progress is being made in strengthening the international supervisory framework for financial services, the significance of the institutional and geographic boundaries that define the existing framework continues to diminish.

The Study first examines the potential for systemic risk arising from the gap between the global operations of financial institutions and markets and nationally based systems of accounting, reporting, law, and supervision. It then proposes actions that the financial services industry, the accounting profession, supervisors, and legislators should take to promote the continued stability and efficiency of global institutions and markets.

1996 Deloitte & Touche, "Internal Control Issues In Derivatives Usage: An Information Tool for Considering the COSO Internal Control - Integrated Framework in Derivatives Applications"

Deloitte & Touche developed this report using published and internal sources supplemented by input from the Project Advisory Council and other interested persons. This report's purpose is to serve as a reference document, illustrating how the COSO Internal Control - Integrated Framework ("COSO Report") can be employed by end users to evaluate the effectiveness of internal controls surrounding the use of derivative products.

The Committee of Sponsoring Organizations of the Treadway Commission, commonly referred to as COSO, issued a document in September 1992 (and reissued it in July 1994 - see the "COSO Report" below). COSO believes that the COSO Report is useful in assessing control systems and determining how to improve them. In recent years, there have been reports of large, unauthorized losses arising from the use of financial derivatives products. COSO, believing the COSO Report can be used as a basis for reviewing the adequacy and effectiveness of controls over derivatives, requested that Deloitte & Touche LLP author an information tool that would assist organizations in applying the Framework to the control of derivatives.

November 1996 U.S. General Accounting Office ("GAO"), Report to Congressional Committees, "Financial Derivatives - Actions Taken or Proposed Since May 1994"

This report is a follow-up to a report the GAO issued in May 1994, "Financial Derivatives: Actions Needed to Protect the Financial System" (see below) that responded to questions regarding derivative products. This report reveals that, although many concerns still remain in the oversight and management of derivatives-related risk, many U.S. market participants and regulators have improved the management and oversight of their derivatives activities consistent with the GAO's 1994 recommendations. U.S. industry surveys show that dealers and end-users of derivatives have strengthened their risk management and control systems. Other market participants have proposed recommended practices to improve internal control systems and intend to implement such recommendations in the future. In June 1996 an additional six organizations signed the agreement.

March 15, 1996 Declaration on Cooperation and Supervision of International Futures Markets and Clearing Organizations

Information-sharing memorandum of understanding signed by 49 futures and option exchanges and clearing houses. The intent was to establish a framework for information sharing between exchanges and clearing houses in the event of certain destabilizing market events.

In June 1996, an additional six organizations signed the agreement. Also, the Futures Industry Association issued a final report of "Financial Integrity Recommendations".

January 1996 Coopers & Lybrand, Generally Accepted Risk Principles ("GARP")

Written by C&L's Capital Markets and Risk Management practice in consultation with a review panel comprised of representatives from industry (Barclays, JP Morgan and Bank of England) and regulators (CFTC, SEC, SFA and SIB).

A checklist of 89 Risk Management Principles, categorized into five broad groups:

  • Risk Management Strategy: an integrated framework of responsibilities and functions driven from the governing body down to operational levels which identifies, quantifies, and manages the risks of the business. Suggests that a risk management group independent of risk generating functions (such as trading activities) be established, reporting to the executive committee of the governing body;

  • Risk Management Function: a group charged with the day-to-day responsibility for risk monitoring, measurement and evaluation;

  • Risk Measurement, Reporting and Control: the development and use of risk and performance measures to ensure that business activities are being managed in accordance with the defined risk management strategies;

  • Operations: operational controls over front, middle, and back office operations regarding the authorization and reporting of transactions; and

  • Risk Management Systems: real-time information reporting the results of each risk system.

December 1995 American Institute of Certified Public Accountants, Statement on Auditing Standards No. 78 ("SAS 78"): "Consideration of Internal Control in a Financial Statement Audit"

This statement provides the independent external auditor with guidance on how to assess an entity's internal control structure during an audit of financial statements in accordance with generally accepted auditing standards ("GAAS"). An assessment of an entity's internal control system is necessary for the auditor to be able to assess the level of control risk for the assertions set forth in the financial statements, which in turn will determine the extent of testing to be done.

Note that SAS 78 amended SAS 55, "Consideration of the Internal Control Structure in a Financial Statement Audit" to recognize the definition and description of internal control contained in "Internal Control - Integrated Framework" published by the Committee of Sponsoring Organizations of the Treadway Commission ("COSO Report" - see below). The definition of internal control contained therein is a revision to the second standard of fieldwork of the ten generally accepted auditing standards.

December 1995 Futures & Options Association, Managing Derivatives Risk - Guidelines for End-Users of Derivatives

Advisory guidelines for users on procedures and controls necessary in managing derivatives risk.

July 18, 1995 Report of the Board of Banking Supervision Inquiry into the Circumstances of the Collapse of Barings

Detailed explanation and analysis of the circumstances and the reasons for the Barings collapse. Presents lessons to be learned by management and regulators involving internal controls, accountability for profits, risk and operations, and failure to follow up on warning signals (see discussion above regarding "Operational Risk").

July 1995 The Tripartite Group of Bank, Securities and Insurance Regulators, The Supervision of Financial Conglomerates

A cross-industry report written by an international group of banking, securities, and insurance regulators addressing the particular problems in the supervision of financial conglomerates (any group of companies under common control whose exclusive or predominant activities consist of providing significant services in at least two different financial sectors such as banking, securities, or insurance).

The report suggested that the five main areas of interest to supervisors involved capital adequacy, cooperation and exchange of information between supervisors, the impact of individual entities within the conglomerate on the financial stability of the group and of markets, intra-group transactions, and counterparty concentrations on a consolidated basis.

June 1995 Futures Industry Association Global Task Force on Financial Integrity, Financial Integrity Recommendations for Futures and Options Markets and Market Participants

Participants from 17 countries cooperated in the issuance of 60 recommendations on exchange-traded derivatives, including those directed at exchanges / clearing houses, brokers / intermediaries, and customers.

In March 1996, an information-sharing memorandum of understanding was reached in a follow-up to the recommendations. In June 1996, a final report of Financial Integrity Recommendations was issued (see above).

May 1995 Basle Committee on Banking Supervision and the Technical Committee of the International Organization of Securities Commissions, Framework for Supervisory Information About the Derivatives Activities of Banks and Securities Firms ("Framework")

Basle and IOSCO issued to banking and securities firm supervisors worldwide a framework for supervisory information on the derivatives activities of banks and securities firms. The Framework consisted of a catalogue of data on derivatives activities, broken down into the areas of credit risk, liquidity risk, market risk, and earnings, from which supervisors could draw as they expanded and improved their reporting systems. The Framework also included a recommendation that supervisors have available to them a minimum subset.

April 1995 Basle Committee on Banking Supervision ("Committee"), Planned Supplement to the Capital Accord to Incorporate Market Risks and An Internal Model-Based Approach to Market Risk Capital Requirements

The Committee proposed to permit banks to use VAR models to determine capital requirements for market risk ("Basle Standard"). During 1994, the Committee investigated the possible use of banks' proprietary in-house models for the calculation of market risk capital as an alternative to a standardized measurement framework. The proposed approach for a model-based supervisory capital requirement was based on the definition of a series of quantitative and qualitative standards that banks would have to meet in order to use their own systems for measuring market risk, while leaving a necessary amount of flexibility to account for different levels of detail in the systems.

March 1995 UK Auditing Practices Board "Accounting and Internal Controls Systems and Audit Risk Assessments", Statement of Auditing Standards 300

The objective of the statement is to establish standards and provide guidance on audit risk and its components and also on the auditors' approach to obtaining an understanding of the accounting and internal control systems.

March 1995 Derivatives Policy Group ("DPG"), Framework for Voluntary Oversight: A Framework for Voluntary Oversight of the OTC Activities of Securities Firm Affiliates to Promote Confidence and Stability in Financial Markets ("Framework")

The DPG was formed to address the regulatory issues arising from the unregulated activities of securities firms. Specifically, the DPG focused on the use of capital at risk models to measure market risk. The Framework provided for the use of proprietary models to measure capital at risk due to OTC derivatives activities but not as a method for calculating minimum capital standards for the DPG.

The DPG defined risk of loss or "capital at risk" to be the maximum loss expected to be exceeded with a probability of one percent over a two-week period. The Framework provided that each firm's model must capture all material sources of market risk which might impact the value of the firm's positions. The Framework identified nine specific material sources of risk, or core risk factors, based on interest rate shocks, changes in equity values, and changes in exchange rates.

The Framework also sets forth common audit and verification procedures of the technical and performance characteristics of the models. Each firm's modeling procedures will undergo an internal and external audit by independent auditors.

September 1994 Euro-currency Standing Committee of the Central Banks of the Group of Ten countries, A Discussion Paper on Public Disclosure of Market and Credit Risks by Financial Intermediaries

This report dealt with disclosure issues relating to the risk exposures and risk management performance of trading activities of financial intermediaries. This report is based on the premise that the markets function most efficiently when participants have access to information that facilitates the prompt and accurate pricing of assets. The intent of this report was to stimulate debate on the purpose and scope of public disclosures by all financial intermediaries and to encourage an evolution of disclosure practices that will improve the functioning of financial markets.

July 1994 The Committee of Sponsoring Organizations of the Treadway Commission ("COSO"), originally issued September 1992, Internal Control - Integrated Framework (COSO Report)

This report deals with the needs and expectations of management and others. It defines internal controls, what internal controls can and cannot do, and the organizational roles and responsibilities. The report is organized into four volumes: an Executive Summary; the Framework; Reporting to External Parties; and Evaluation Tools.

Note that this report's definition of internal control revised the second standard of fieldwork of the ten generally accepted auditing standards. This revision caused the issuance of SAS 78, "Consideration of Internal Control in a Financial Statement Audit" (see above) to recognize the new definition and description of internal control, which amended SAS 55.

July 1994 Basle Committee on Banking Supervision, Risk Management Guidelines for Derivatives and the Technical Committee of the International Organization of Securities Commissions, Operational and Financial Risk Management Control Mechanisms for Over-the-Counter Derivative Activities of Securities Firms

Basle and IOSCO recommended risk management and control guidelines for derivatives traders in their respective industries. The guidelines built on work already in progress by banking and securities regulators in some of the more advanced financial markets as well as the report issued by the G-30 in 1993. Specifically, the guidelines apply to both dealers and end-users and cover such themes as governing body oversight, internal controls, continuous risk monitoring and audit procedures. Both papers reached the same conclusion: sound internal risk management and control is essential for both banks and securities firms in promoting the stability of the financial markets worldwide.

May 1994 U.S. General Accounting Office ("GAO"), Financial Derivatives: Actions Needed to Protect the Financial System

The GAO report ("Report") was a result of concerns from Congress, federal regulators, and some market participants that knowledge of how to manage and oversee risks associated with derivatives may not have kept pace with their increased use. These concerns were heightened by reports of major losses from derivatives use at that time. The GAO concluded that no comprehensive industry or federal regulatory requirements existed to ensure that U.S. OTC derivatives dealers followed good risk management and control practices. The GAO stated that primary responsibility for risk management and controls rests with a firm's governing body and senior management. However, there was no regulatory mechanism in place to bring all major OTC dealers into compliance with risk management and control guidelines already issued by regulators.

The GAO further noted that accounting standards for derivatives, particularly those used in hedging, were incomplete and inconsistent and had not kept pace with business practices.

However, the DPG initiative in the U.S. specifically addressed some of the GAO's concerns about the lack of federal oversight of large, non-banking OTC derivatives dealers by volunteering to abide by risk management and control systems that the DPG, Securities and Exchange Commission ("Commission"), and Commodity Futures Trading Commission ("CFTC") all agreed would enhance the risk management and controls within the six firms. Accordingly, since 1995, the Commission and the CFTC have received quarterly information from five of the six DPG members regarding their OTC derivatives affiliates' trading revenues, individual counterparty exposures, credit concentrations, and estimated amounts of capital at risk. This type of disclosure provides a basis for supervisors to assess the adequacy of capital.

In November 1996, the GAO issued a follow-up report (see above).

July 1993 Global Derivatives Study Group: The Group of Thirty ("G-30"), Derivatives: Practices and Principles ("Study")

The Study is the first comprehensive study of successful management approaches over derivatives activity. The general goal of the Study was to define a set of sound risk management and control practices for those involved in financial derivatives activity.

Twenty recommendations were offered as a benchmark against which brokers and dealers could measure their own practices. The Study concluded that derivatives by their nature do not introduce risks of a fundamentally different kind or of a greater scale than those already present in the financial markets. Hence, systemic risks are not appreciably aggravated, and supervisory concerns can be addressed within present regulatory structures and approaches. Therefore, the Study concluded the role of the regulators should be to clarify legal uncertainties and resolve legal inconsistencies between countries that may impede risk-reduction procedures such as "netting". The G-30 also concluded that not all industry participants were following the principles presented in the Study.

However, the SEC survey issued to the major U.S. broker-dealers after the G-30 report found these firms substantially in compliance with the G-30 recommendations.

October 1992 Report of the IOSCO Technical Committee, "Principles for the Supervision of Financial Conglomerates"

This paper sets out principles which the Technical Committee believes should govern the supervision of financial conglomerates. The principles address the following eight areas:

    • Group-Based Risk Assessment
    • Investments in Other Group Companies
    • Intra-Group Exposures
    • Structure of Financial Conglomerates
    • Relationships with Shareholders
    • Management
    • Supervisory Cooperation
    • External Auditors

The principles are intended to provide a framework which the Technical Committee believes should guide the development of regulatory practices in this area both in individual countries and in relation to international regulatory cooperation. The paper also discusses the ability of securities regulators to obtain an overview of risks involved, which is different in each case, and the techniques which may need to be employed to this end.
