Title: Leveraging The Subprime Crisis: Making The Case For Continuous Auditing And Monitoring Of Financial Institutions
1Leveraging The Subprime CrisisMaking The Case
For Continuous Auditing And Monitoring Of
Financial Institutions
- Michael Alles
- Miklos Vasarhelyi
- Department Of Accounting, Business Ethics And
Information Systems - CONTECSI 2008 I SIMPÓSIO DE AUDITORIA CONTÍNUA
2Background An Unprecedented Crisis
- Bank write-downs from subprime crisis are 355
billion and growing by most measures, larger
than either SL or Latin American debt crises of
1980s. - Estimates are that this crisis will be longer and
deeper than any other before and losses at
investment banks could amount to 2 ½ years of
profits! - House prices in free-fall in much of the
developed world as mortgages become difficult to
get even for borrowers with good credit. - Some consider banking sector to be facing a
crisis of 1930s proportions as entire basis for
modern banking practices brought into question,
as well as the governance/regulatory structure
that gave rise to it.
3An Evolving Crisis
Many forms of mortgages have been engineered to
minimize monthly payments
Are sold to clients that cannot afford them or
speculators
These lower quality loans carry higher interest
rates therefore pay higher sales commissions
Moral hazard.. The one that sells the mortgage is
not who ultimately carries it
With the passing of time or decrease in real
estate values these mortgages become unaffordable
4An Evolving Crisis
They are sold as paper to banks wanting to
improve their returns
Sold by one entity acquired by another that
converts them to a SIV (structured Investment Vehi
cle)
These are broken down into different risk
categories called tranches
5An Evolving Crisis
Sold by one entity acquired by another that
converts them to a SIV (structured Investment Vehi
cle)
Banks sell The tranches to clients that finance
it issuing short term paper
6An Evolving Crisis
Swaps are sold insuring the instruments
Sold by one entity acquired by another that
converts them to a SIV (structured Investment Vehi
cle)
Banks sell Higher interest yielding insured
instruments
7(No Transcript)
8Market Failure
- The credit crisis has choked off many of the
markets that banks in recent years relied on to
take assets off their balance sheets. Issuance of
mortgage-backed securities has dropped sharply,
while demand for more complex instruments such as
C.D.O.s has dried up completely. - Many bankers think it will be months, if not
years, before they can start issuing these
securities again. If and when they do, investors
are bound to demand higher returns than before
and are likely to require banks to demonstrate
confidence in the securities by keeping a greater
proportion themselves. - In short, this means that banks will be forced to
fund more of their future loans from their own
balance sheet resources.
9Banks Need To Strengthen Balance Sheets
- Several of the world's largest banks--Citigroup,
Merrill Lynch, UBS and Morgan Stanleyhave sold
multibillion-dollar stakes to Asian and Middle
Eastern investors and Sovereign Wealth Funds to
boost their capital amid heavy losses on mortgage
investments. But as banks increasingly take
responsibility for assets that had been held in
off-balance sheet funds such as SIVs, their
capital needs have grown. - Goldman Sachs estimated that 475 billion of
extra assets had been moved to bank balance
sheets since the credit crunch picked up speed
earlier this year. - Mortgage insurance entities have been shored up
by the same banks that they insure.
10From Banking Crisis To Governance Crisis
- The SPM-crisis brings into focus the fact that
financial service practice is running far ahead
of governance practices, which include - External mandatory, periodic audit.
- Internal audit.
- Ratings agencies.
- Government regulators.
- Board of directors.
- Auditing is only one part of the reformed
governance structure that is needed to overcome
the current crisis and perhaps reduce frequency
of future ones. But the role of audit has to been
seen against this wider breakdown in governance.
11SPM-Crisis Not Unprecedented
- Consider lessons from Long Term Capital
Management (LTCM) crisis not hard to findsee
Wikipedia! - In 1998, Russian default caused LTCM to fail
precipitously forcing 3.65 billion intervention
by the Federal Reserve. - LTCM had equity of 4.72 billion and had borrowed
over 124.5 billion with assets of around 129
billion. It had off-balance sheet derivative
positions with a notional value of approximately
1.25 trillion, most of which were in interest
rate derivatives such as interest rate swaps. - The fear was that there would be a chain reaction
as the company liquidated its securities to cover
its debt, leading to a drop in prices, which
would force other companies to liquidate their
own debt creating a vicious cycle.
12LTMC Gave Warning Of Future Risks
- The profits from LTCM's trading strategies were
generally not correlated with each other and thus
normally LTCM's highly leveraged portfolio
benefited from diversification. However, the
general flight to liquidity in the late summer of
1998 led to a marketwide repricing of all risk
leading these positions to all move in the same
direction. - As the correlation of LTCM's positions increased,
the diversified aspect of LTCM's portfolio
vanished and large losses to its equity value
occurred. - Thus the primary lesson of 1998 and the collapse
of LTCM for Value at Risk (VaR) users is not a
liquidity one, but more fundamentally that the
underlying Covariance matrix used in VaR analysis
is not static but changes over time.
13Black Swans Managing For 10-? Events
- Nassim Taleb compared LTCM's strategies to
picking up pennies in front of a steamroller. - Problem is that standard risk models, such as
value at risk (VaR) tend to underappreciate the
risk of low probability/high loss events, such as
the market moving in unison and unraveling risk
diversification strategies or assumptions about
liquidity of assets. - VaR leads to the illusion that you can quantify
all risks and therefore regulate them. Till
Gulidmann, creator of VaR concept. - Ignores changes in markets, assets like
observing 100 years of weather in Antarctica to
forecast the weather in Hawaii.
14Underlying Causes Of LTCM Debacle
- Greatly contributing to the crisis were
- the total lack of transparency of LTCM positions
- the ignorance by counterparties of LTCM of its
intricate web of relationships and their
consequent exposure - the effectively totally unregulated nature of
hedge funds - the immense arrogance and greed of both LTCM
partners, counterparties and investors, all of
whom were seduced by the Nobel Prizes of the LTCM
partners - a refusal to ask hard questions and to insist on
usual controls and standards of prudence - the lack of disclosures on derivatives by all
parties
15LTCM Had Little Long Term Impact
- 10th Year anniversary of LTCM
- The FASB issued derivative disclosure rules, but
disclosures remain opaque. - Many other types of financial instruments
continue to be under-reported or non-reported
under the excuse of competitive impairment. - As private equity and hedge funds remained
largely unregulated and Sarbanes-Oxley increased
the regulatory burden on public firms, large
amount of funds was routed to these entities. - The financial institutions refined the use of
SPE-like entities for taking assets and
liabilities off the balance sheet.
16Governance And Regulatory Environment
- In general, very little regulatory impact on
SPM-crisis except, importantly, in the negative
sense. - Lack of regulation on lenders, despite desperate
calls to do so. On the one hand, SPM was a public
policy good, ending racist practice of
black-lining loans, predatory loans. - Made housing available to a large deserving group
previously denied loans, boosting house sales
(not house ownership!) to record highs. - Problem was increasing practice of lending
without usual standards of ability to pay back,
or documentation Liars loans. - In one mortgage backed security of 2,393
mortgages, 43 provided no documentation of
income!
17Incentives Unraveled Throughout Industry
- Even mortgages for owner-occupied homes proved
less reliable than past history indicated? - Why? Because people were buying them as
investments, not as homes and so had less
loyalty to them. - Thus mortgage holders look at homes rationally
and not with sentimentality as soon as they have
negative equity, even home-owners with good
credit walk away from the loan, raising default
rates to unprecedentedly high levels. - Mortgage lenders made loans so that they could
sell them to Wall Street to be securitized. Thus
they had little incentive to care how good the
loans were and though, sometimes mistakenly, that
they could pass on the risk completely.
18Securitization The Great Driver
- Securitizationtransforming cash flows from
assets into bondsis the real driver of the
SPM-crisis. - Bankers created a new market from slicing, dicing
and packaging mortgages into such new derivative
instruments as mortgage backed securities,
collateralized debt obligations, C.D.O.s
squared, special purpose vehicles etc. - At best these structured finance products allowed
risk to be better allocated and diversified and
hence expanded the amount of credit that could be
offered a key feature of the Basel II standard. - At worst, they vastly leveraged the amount of
gambling that could be done on the financial
markets C.D.O.s of some 75 billion generated
trades with a notional value of 60 trillion.
19Key Enabler Ratings Agencies
- Ability to sell these derivative products depends
on their ratings. Instead of being gate keepers,
rating agencies became gate-openers. - Analysts look at mathematical models, not details
of the underlying mortgages. Moodys did not even
have access to the individual loan files.
Certainly did not communicate with the borrowers
or try to verify the information they provided in
their loan applications. - We aren't loan officers. Our expertise is as
statisticians on an aggregate basis. We want to
know, of 1,000 individuals, based on historical
performance, what percent will pay their loans?
Claire Robinson, a 20-year veteran for Moodys.
20Ratings System Broke Down
- Centrality of ratings for process and fact that
seller not buyer paid for rating created obvious
incentive problem Every agency has a model
available to bankers that allows them to run the
numbers until they get something they like and
send it in for a rating says former Moodys
securitization expert. - Moreover, valuing derivatives more difficult than
valuing underlying assets when they are put
through securitization process Four thousand
pieces of a Porsche are more difficult to value
than a Porsche itself and the sum of the parts
does not equal the whole, says Bill Michael of
KPMG. - In the anything goes climate of 2006, Moodys had
only a single day to value a mortgage backed
security.
21Implied Versus Actual Ratings
- Moody's Analytics, which operates separately from
Moody's ratings division, uses credit-default
swap prices as an alternative system of grading
debt. - These so-called implied ratings often differ
significantly from Moody's official grades,
suggesting higher default risk than Moodys
official ratings. - And the data shows that the implied ratings are
more accurate predictors of default risk. - The only thing holding securities at AAA is
simply the model that the rating agencies claim
they use to judge that capital and the fact they
know that if they downgrade the companies, it'll
push them into default. Tim Backshall, CDR LLC.
22If You Are So Smart, How Come I Am President?
- Reputation for intellectual horsepower and amount
of money earned by those doing securitization
intimidated those who would ask questions. In
hindsight, both sellers and buyers failed to
understand the true risks of derivative products. - Investment bankers who talk about 'exploding
short-term gamma risk' earn 2m someone in our
debt-recovery team earns 50,000. The only
difference between them is that the person who
earns 50,000 knows what he is doing. - Same old story Nobel prize winners at LTCM
Andersen auditors working for free in their part
time for Enron because of prestige of working for
Americas most innovative company. - Such behavioral issues pervasive, significant.
23Societe Generale The Icing On The Cake
- Jérôme Kerviel, a junior trader at Societe
Generale accused of exceeding his authority to
engage in unauthorized trades totaling as much as
49.9 billion, a figure far higher than the
banks total market capitalization. - Investigators say Kerviel's bosses missed more
than 1,000 faked trades a huge jump in his
earnings in 2007 questions about his trades from
the Eurex exchange unusually high levels of cash
flow, accounting anomalies, and high brokerage
expenses Kerviel's failure to take vacation and
his breach of the desk's market risk limit on one
position. - One problem was that it was only net positions
that were monitored, not total.
24Anatomy Of A Bank Failure
- Controversy about whether his superiors knew what
was going onalerted by Eurex exchange, did not
object when net position was showing profits for
the bank. - My feeling is that we are now on the second
report by the third report it's going to be the
fault of the cleaning ladies. Each time it goes
down (the corporate hierarchy), instead of up.
Kerviels lawyer. - A central issue was that the trader had worked in
the controls area and knew how to circumvent
them. Several key controls that could have
identified fraudulent mechanisms were lacking.
There was a lack of an appropriate awareness of
the risk of fraud. PwC report.
25Societe Generale What Lessons?
- At Goldman Sachs people are routinely rotated
between control functions and business functions
so that each has an equal cachet, and problems
are discussed by a broad range of insiders. Aim
is avoid risk management being seen as
second-rate naysayers holding back sexy trading
strategies. - But is this a good thing, or does is it give
people like Kerviel the means to circumvent
controls? - The number of firms that will investigate an
unusual profit is smaller than the number of
firms that will investigate an unusual loss.
Andrew Gray, PwC. - Bottom line is that banks, especially investment
banks, are inherently susceptible to failures of
control and governance since their culture today
is to push risk/reward boundaries.
26Lessons For Auditing From Recent Crises
- Point of recounting this story is to understand
the challenges facing governance and control of
financial service firms today. Many lessons
available from recent crises, but one lesson is
that such lessons have to be continuously
re-learnt. - Societe Generale is tightening computer security,
significantly investing in information
technology, reinforcing controls and taking more
account of the possibility of fraud. - Clearly technology has a major role to play, but
it is not a magic bullet. Need to take behavioral
issues into account. - Technology can indicate that something is wrong,
but it cannot stop risky behavior. - None are as foolish as those willing to be fooled.
27Tasks Auditors Will Have To Perform
- Assess the sufficiency of capital to give a
going concern opinion and satisfy banking
regulation. - Conduct arms length valuation of the financial
assets of the client and assess the value at risk
that they pose. - Develop a methodology for ensuring that complex
derivative instruments that pose particular
risks are properly recorded when they are created
or traded and that controls are in place to
monitor how they are utilized.
28Challenging Audit Environment
- Boundaries of business entities are increasingly
ill defined with special purpose entities and
counterparties impacting the firms balance
sheets, but which are often outside the scope of
existing audit practice. - Difficult to assess VaR from financial instrument
and contracts whose underlying assumptions are
unclear and whose value depends on market
dynamics and market confidence to a degree that
only now is being realized. - The interlocked nature of financial entities and
instruments that are being measured, assured, and
valued separately, and with less control than
many had assumed.
29Challenging Audit Environment Continued
- Hedge operations involving numerous instruments
are often managed and monitored on nothing more
sophisticated than a spreadsheet. Pervasive
problem in finance and insurance. - As the Societe Generale case has demonstrated,
even seemingly sophisticated real-time controls
have weaknesses stemming from their own lack of
security, monitoring and alarm handling features.
Firms may be monitoring the wrong people and the
wrong things and not know what to do with the
information that controls are generating. - Application of accounting rules, especially Fair
Value, may cause unforeseeable problems,
impacting markets, not just providing a neutral
measurement.
30Audit Methodology Behind The Times
- External audit methodology is an anachronism.
- The periodic, backward looking audit is not
designed to monitor fast moving financial
operations or detect going concern weaknesses in
short periods of times. - Fails to measure integrated risk faced by
financial institutions. - Or deal with the fuzzy boundary issues of
interlinked financial agents. - Internal audit groups.
- Are better positioned to deal with these issues.
- But they often do not have the monitoring and
control charter. - Need to develop a comfort zone for monitoring and
assurance functions to be negotiated among the
Basel II, compliance, fraud, Sarbanes-Oxley, and
operating groups.
31Applying Technology To Auditing
- Continuous auditing and monitoring applying
technology to the reengineer the audit process in
order to enable on-demand auditing with reduced
latency between the transaction event and the
provision of assurance. - CA continuous control monitoring continuous
data level assurance. - Continuous auditing and monitoring cannot by
themselves prevent crises such as SPM or Societe
Generale. - Scope of CA/CM today is too limited, focused on
operational control, automation of existing audit
processes and fraud detection. - Need to take it to the next level. But note that
trading already subject to CA, which indicates
need for caution.
32CA/CM In The Governance Process
- Would CA/CM as currently envisaged have prevented
the SPM-crisis? Realistically, no. - When there is a systematic failure across the
entire governance process, no one part of that
process can compensate sufficiently. - Part of the problem is the failure to understand
the flawed incentives throughout the governance
process, which can lead to even technological
alarms to be ignored, as in the case of Societe
Generale. - On the other hand, advantage of technology is
that it is not swayed by status, income or
position. - The point of this conference is to begin the
process of taking CA/CM to the level necessary
where it will have a real impact.
33Some Possible Solutions To Explore
- A valuation platform that will provide third
party valuation of complex financial instruments
and a systemic assessment of their critical
risks, types and their inter-linkages, and an
automated confirmation mechanism (a more
sophisticated and broader form of the SWIFT
system, using confirmatory extranets) to verify
and affirm the existence of the instruments in
question. - A library and taxonomy of derivative valuation
programs drawn from various sources, both
external and internally developed. - A template for a linkage methodology where
related derivative instruments part of a
coordinated hedge will be linked. - A high level set of risk KPI and monitoring
alarming features.
34Thinking Out Of The Box Continued
- A set of analytic continuity equations linking
varied outside market conditions clearance
agents derivative instrument and security
positions, and different views of risk exposures. - A representation of clearance agents, clients,
paper issuers, SPEs, and other relevant entities. - An alarming/management methodology to mitigate
the danger of rogue trading and unbalanced
derivative positions. - Simulation of several alternate
conditions/contingencies based on published
reports of major frauds at Societe Generale,
Citigroup, Barings and so on to test the validity
of the proposed approach as a preventive and
detective control.
35- Database to database confirmations
Counterparty 1
4. high level set of risk KPI and monitoring
alarming
3. library of derivative valuation programs
5. Analytic continuity equations
2. A reporting level control panel
FI enters in thousands of Derivative transactions
6. alarming/management methodology
Counterparty n
- Many transactions are multiparty
- Similar instruments are actual different
- There are tight and loose hedges
- Catastrophic changes in markets undermine hedges
36Discussion Questions
- Can a technologically based solution and new
audit methodologies be derived to deal with or
mitigate these problems? - How good are the current risk management
platforms at the financial institutions? - Can a platform just involving one institution
without spanning its counterparties be relied
upon? - How do we make allowance for incentive issues,
especially in the face of enormous temptations to
subvert governance. - With XBRL now effectively mandated the question
that looms is if version 2.1 is adequate to
represent fast moving instruments or will new XML
extension languages have to be created to deal
with the live financial report.