Leveraging The Subprime Crisis: Making The Case For Continuous Auditing And Monitoring Of Financial Institutions

1
Leveraging The Subprime CrisisMaking The Case
For Continuous Auditing And Monitoring Of
Financial Institutions

• Michael Alles
• Miklos Vasarhelyi
• Department Of Accounting, Business Ethics And
  Information Systems
• CONTECSI 2008 I SIMPÓSIO DE AUDITORIA CONTÍNUA

2
Background An Unprecedented Crisis

• Bank write-downs from subprime crisis are 355
  billion and growing by most measures, larger
  than either SL or Latin American debt crises of
  1980s.
• Estimates are that this crisis will be longer and
  deeper than any other before and losses at
  investment banks could amount to 2 ½ years of
  profits!
• House prices in free-fall in much of the
  developed world as mortgages become difficult to
  get even for borrowers with good credit.
• Some consider banking sector to be facing a
  crisis of 1930s proportions as entire basis for
  modern banking practices brought into question,
  as well as the governance/regulatory structure
  that gave rise to it.

3
An Evolving Crisis
Many forms of mortgages have been engineered to
minimize monthly payments
Are sold to clients that cannot afford them or
speculators
These lower quality loans carry higher interest
rates therefore pay higher sales commissions
Moral hazard.. The one that sells the mortgage is
not who ultimately carries it
With the passing of time or decrease in real
estate values these mortgages become unaffordable
4
An Evolving Crisis
They are sold as paper to banks wanting to
improve their returns
Sold by one entity acquired by another that
converts them to a SIV (structured Investment Vehi
cle)
These are broken down into different risk
categories called tranches
5
An Evolving Crisis
Sold by one entity acquired by another that
converts them to a SIV (structured Investment Vehi
cle)
Banks sell The tranches to clients that finance
it issuing short term paper
6
An Evolving Crisis
Swaps are sold insuring the instruments
Sold by one entity acquired by another that
converts them to a SIV (structured Investment Vehi
cle)
Banks sell Higher interest yielding insured
instruments
7
(No Transcript)
8
Market Failure

• The credit crisis has choked off many of the
  markets that banks in recent years relied on to
  take assets off their balance sheets. Issuance of
  mortgage-backed securities has dropped sharply,
  while demand for more complex instruments such as
  C.D.O.s has dried up completely.
• Many bankers think it will be months, if not
  years, before they can start issuing these
  securities again. If and when they do, investors
  are bound to demand higher returns than before
  and are likely to require banks to demonstrate
  confidence in the securities by keeping a greater
  proportion themselves.
• In short, this means that banks will be forced to
  fund more of their future loans from their own
  balance sheet resources.

9
Banks Need To Strengthen Balance Sheets

• Several of the world's largest banks--Citigroup,
  Merrill Lynch, UBS and Morgan Stanleyhave sold
  multibillion-dollar stakes to Asian and Middle
  Eastern investors and Sovereign Wealth Funds to
  boost their capital amid heavy losses on mortgage
  investments. But as banks increasingly take
  responsibility for assets that had been held in
  off-balance sheet funds such as SIVs, their
  capital needs have grown.
• Goldman Sachs estimated that 475 billion of
  extra assets had been moved to bank balance
  sheets since the credit crunch picked up speed
  earlier this year.
• Mortgage insurance entities have been shored up
  by the same banks that they insure.

10
From Banking Crisis To Governance Crisis

• The SPM-crisis brings into focus the fact that
  financial service practice is running far ahead
  of governance practices, which include
• External mandatory, periodic audit.
• Internal audit.
• Ratings agencies.
• Government regulators.
• Board of directors.
• Auditing is only one part of the reformed
  governance structure that is needed to overcome
  the current crisis and perhaps reduce frequency
  of future ones. But the role of audit has to been
  seen against this wider breakdown in governance.

11
SPM-Crisis Not Unprecedented

• Consider lessons from Long Term Capital
  Management (LTCM) crisis not hard to findsee
  Wikipedia!
• In 1998, Russian default caused LTCM to fail
  precipitously forcing 3.65 billion intervention
  by the Federal Reserve.
• LTCM had equity of 4.72 billion and had borrowed
  over 124.5 billion with assets of around 129
  billion. It had off-balance sheet derivative
  positions with a notional value of approximately
  1.25 trillion, most of which were in interest
  rate derivatives such as interest rate swaps.
• The fear was that there would be a chain reaction
  as the company liquidated its securities to cover
  its debt, leading to a drop in prices, which
  would force other companies to liquidate their
  own debt creating a vicious cycle.

12
LTMC Gave Warning Of Future Risks

• The profits from LTCM's trading strategies were
  generally not correlated with each other and thus
  normally LTCM's highly leveraged portfolio
  benefited from diversification. However, the
  general flight to liquidity in the late summer of
  1998 led to a marketwide repricing of all risk
  leading these positions to all move in the same
  direction.
• As the correlation of LTCM's positions increased,
  the diversified aspect of LTCM's portfolio
  vanished and large losses to its equity value
  occurred.
• Thus the primary lesson of 1998 and the collapse
  of LTCM for Value at Risk (VaR) users is not a
  liquidity one, but more fundamentally that the
  underlying Covariance matrix used in VaR analysis
  is not static but changes over time.

13
Black Swans Managing For 10-? Events

• Nassim Taleb compared LTCM's strategies to
  picking up pennies in front of a steamroller.
• Problem is that standard risk models, such as
  value at risk (VaR) tend to underappreciate the
  risk of low probability/high loss events, such as
  the market moving in unison and unraveling risk
  diversification strategies or assumptions about
  liquidity of assets.
• VaR leads to the illusion that you can quantify
  all risks and therefore regulate them. Till
  Gulidmann, creator of VaR concept.
• Ignores changes in markets, assets like
  observing 100 years of weather in Antarctica to
  forecast the weather in Hawaii.

14
Underlying Causes Of LTCM Debacle

• Greatly contributing to the crisis were
• the total lack of transparency of LTCM positions
• the ignorance by counterparties of LTCM of its
  intricate web of relationships and their
  consequent exposure
• the effectively totally unregulated nature of
  hedge funds
• the immense arrogance and greed of both LTCM
  partners, counterparties and investors, all of
  whom were seduced by the Nobel Prizes of the LTCM
  partners
• a refusal to ask hard questions and to insist on
  usual controls and standards of prudence
• the lack of disclosures on derivatives by all
  parties

15
LTCM Had Little Long Term Impact

• 10th Year anniversary of LTCM
• The FASB issued derivative disclosure rules, but
  disclosures remain opaque.
• Many other types of financial instruments
  continue to be under-reported or non-reported
  under the excuse of competitive impairment.
• As private equity and hedge funds remained
  largely unregulated and Sarbanes-Oxley increased
  the regulatory burden on public firms, large
  amount of funds was routed to these entities.
• The financial institutions refined the use of
  SPE-like entities for taking assets and
  liabilities off the balance sheet.

16
Governance And Regulatory Environment

• In general, very little regulatory impact on
  SPM-crisis except, importantly, in the negative
  sense.
• Lack of regulation on lenders, despite desperate
  calls to do so. On the one hand, SPM was a public
  policy good, ending racist practice of
  black-lining loans, predatory loans.
• Made housing available to a large deserving group
  previously denied loans, boosting house sales
  (not house ownership!) to record highs.
• Problem was increasing practice of lending
  without usual standards of ability to pay back,
  or documentation Liars loans.
• In one mortgage backed security of 2,393
  mortgages, 43 provided no documentation of
  income!

17
Incentives Unraveled Throughout Industry

• Even mortgages for owner-occupied homes proved
  less reliable than past history indicated?
• Why? Because people were buying them as
  investments, not as homes and so had less
  loyalty to them.
• Thus mortgage holders look at homes rationally
  and not with sentimentality as soon as they have
  negative equity, even home-owners with good
  credit walk away from the loan, raising default
  rates to unprecedentedly high levels.
• Mortgage lenders made loans so that they could
  sell them to Wall Street to be securitized. Thus
  they had little incentive to care how good the
  loans were and though, sometimes mistakenly, that
  they could pass on the risk completely.

18
Securitization The Great Driver

• Securitizationtransforming cash flows from
  assets into bondsis the real driver of the
  SPM-crisis.
• Bankers created a new market from slicing, dicing
  and packaging mortgages into such new derivative
  instruments as mortgage backed securities,
  collateralized debt obligations, C.D.O.s
  squared, special purpose vehicles etc.
• At best these structured finance products allowed
  risk to be better allocated and diversified and
  hence expanded the amount of credit that could be
  offered a key feature of the Basel II standard.
• At worst, they vastly leveraged the amount of
  gambling that could be done on the financial
  markets C.D.O.s of some 75 billion generated
  trades with a notional value of 60 trillion.

19
Key Enabler Ratings Agencies

• Ability to sell these derivative products depends
  on their ratings. Instead of being gate keepers,
  rating agencies became gate-openers.
• Analysts look at mathematical models, not details
  of the underlying mortgages. Moodys did not even
  have access to the individual loan files.
  Certainly did not communicate with the borrowers
  or try to verify the information they provided in
  their loan applications.
• We aren't loan officers. Our expertise is as
  statisticians on an aggregate basis. We want to
  know, of 1,000 individuals, based on historical
  performance, what percent will pay their loans?
  Claire Robinson, a 20-year veteran for Moodys.

20
Ratings System Broke Down

• Centrality of ratings for process and fact that
  seller not buyer paid for rating created obvious
  incentive problem Every agency has a model
  available to bankers that allows them to run the
  numbers until they get something they like and
  send it in for a rating says former Moodys
  securitization expert.
• Moreover, valuing derivatives more difficult than
  valuing underlying assets when they are put
  through securitization process Four thousand
  pieces of a Porsche are more difficult to value
  than a Porsche itself and the sum of the parts
  does not equal the whole, says Bill Michael of
  KPMG.
• In the anything goes climate of 2006, Moodys had
  only a single day to value a mortgage backed
  security.

21
Implied Versus Actual Ratings

• Moody's Analytics, which operates separately from
  Moody's ratings division, uses credit-default
  swap prices as an alternative system of grading
  debt.
• These so-called implied ratings often differ
  significantly from Moody's official grades,
  suggesting higher default risk than Moodys
  official ratings.
• And the data shows that the implied ratings are
  more accurate predictors of default risk.
• The only thing holding securities at AAA is
  simply the model that the rating agencies claim
  they use to judge that capital and the fact they
  know that if they downgrade the companies, it'll
  push them into default. Tim Backshall, CDR LLC.

22
If You Are So Smart, How Come I Am President?

• Reputation for intellectual horsepower and amount
  of money earned by those doing securitization
  intimidated those who would ask questions. In
  hindsight, both sellers and buyers failed to
  understand the true risks of derivative products.
• Investment bankers who talk about 'exploding
  short-term gamma risk' earn 2m someone in our
  debt-recovery team earns 50,000. The only
  difference between them is that the person who
  earns 50,000 knows what he is doing.
• Same old story Nobel prize winners at LTCM
  Andersen auditors working for free in their part
  time for Enron because of prestige of working for
  Americas most innovative company.
• Such behavioral issues pervasive, significant.

23
Societe Generale The Icing On The Cake

• Jérôme Kerviel, a junior trader at Societe
  Generale accused of exceeding his authority to
  engage in unauthorized trades totaling as much as
  49.9 billion, a figure far higher than the
  banks total market capitalization.
• Investigators say Kerviel's bosses missed more
  than 1,000 faked trades a huge jump in his
  earnings in 2007 questions about his trades from
  the Eurex exchange unusually high levels of cash
  flow, accounting anomalies, and high brokerage
  expenses Kerviel's failure to take vacation and
  his breach of the desk's market risk limit on one
  position.
• One problem was that it was only net positions
  that were monitored, not total.

24
Anatomy Of A Bank Failure

• Controversy about whether his superiors knew what
  was going onalerted by Eurex exchange, did not
  object when net position was showing profits for
  the bank.
• My feeling is that we are now on the second
  report by the third report it's going to be the
  fault of the cleaning ladies. Each time it goes
  down (the corporate hierarchy), instead of up.
  Kerviels lawyer.
• A central issue was that the trader had worked in
  the controls area and knew how to circumvent
  them. Several key controls that could have
  identified fraudulent mechanisms were lacking.
  There was a lack of an appropriate awareness of
  the risk of fraud. PwC report.

25
Societe Generale What Lessons?

• At Goldman Sachs people are routinely rotated
  between control functions and business functions
  so that each has an equal cachet, and problems
  are discussed by a broad range of insiders. Aim
  is avoid risk management being seen as
  second-rate naysayers holding back sexy trading
  strategies.
• But is this a good thing, or does is it give
  people like Kerviel the means to circumvent
  controls?
• The number of firms that will investigate an
  unusual profit is smaller than the number of
  firms that will investigate an unusual loss.
  Andrew Gray, PwC.
• Bottom line is that banks, especially investment
  banks, are inherently susceptible to failures of
  control and governance since their culture today
  is to push risk/reward boundaries.

26
Lessons For Auditing From Recent Crises

• Point of recounting this story is to understand
  the challenges facing governance and control of
  financial service firms today. Many lessons
  available from recent crises, but one lesson is
  that such lessons have to be continuously
  re-learnt.
• Societe Generale is tightening computer security,
  significantly investing in information
  technology, reinforcing controls and taking more
  account of the possibility of fraud.
• Clearly technology has a major role to play, but
  it is not a magic bullet. Need to take behavioral
  issues into account.
• Technology can indicate that something is wrong,
  but it cannot stop risky behavior.
• None are as foolish as those willing to be fooled.

27
Tasks Auditors Will Have To Perform

• Assess the sufficiency of capital to give a
  going concern opinion and satisfy banking
  regulation.
• Conduct arms length valuation of the financial
  assets of the client and assess the value at risk
  that they pose.
• Develop a methodology for ensuring that complex
  derivative instruments that pose particular
  risks are properly recorded when they are created
  or traded and that controls are in place to
  monitor how they are utilized.

28
Challenging Audit Environment

• Boundaries of business entities are increasingly
  ill defined with special purpose entities and
  counterparties impacting the firms balance
  sheets, but which are often outside the scope of
  existing audit practice.
• Difficult to assess VaR from financial instrument
  and contracts whose underlying assumptions are
  unclear and whose value depends on market
  dynamics and market confidence to a degree that
  only now is being realized.
• The interlocked nature of financial entities and
  instruments that are being measured, assured, and
  valued separately, and with less control than
  many had assumed.

29
Challenging Audit Environment Continued

• Hedge operations involving numerous instruments
  are often managed and monitored on nothing more
  sophisticated than a spreadsheet. Pervasive
  problem in finance and insurance.
• As the Societe Generale case has demonstrated,
  even seemingly sophisticated real-time controls
  have weaknesses stemming from their own lack of
  security, monitoring and alarm handling features.
  Firms may be monitoring the wrong people and the
  wrong things and not know what to do with the
  information that controls are generating.
• Application of accounting rules, especially Fair
  Value, may cause unforeseeable problems,
  impacting markets, not just providing a neutral
  measurement.

30
Audit Methodology Behind The Times

• External audit methodology is an anachronism.
• The periodic, backward looking audit is not
  designed to monitor fast moving financial
  operations or detect going concern weaknesses in
  short periods of times.
• Fails to measure integrated risk faced by
  financial institutions.
• Or deal with the fuzzy boundary issues of
  interlinked financial agents.
• Internal audit groups.
• Are better positioned to deal with these issues.
• But they often do not have the monitoring and
  control charter.
• Need to develop a comfort zone for monitoring and
  assurance functions to be negotiated among the
  Basel II, compliance, fraud, Sarbanes-Oxley, and
  operating groups.

31
Applying Technology To Auditing

• Continuous auditing and monitoring applying
  technology to the reengineer the audit process in
  order to enable on-demand auditing with reduced
  latency between the transaction event and the
  provision of assurance.
• CA continuous control monitoring continuous
  data level assurance.
• Continuous auditing and monitoring cannot by
  themselves prevent crises such as SPM or Societe
  Generale.
• Scope of CA/CM today is too limited, focused on
  operational control, automation of existing audit
  processes and fraud detection.
• Need to take it to the next level. But note that
  trading already subject to CA, which indicates
  need for caution.

32
CA/CM In The Governance Process

• Would CA/CM as currently envisaged have prevented
  the SPM-crisis? Realistically, no.
• When there is a systematic failure across the
  entire governance process, no one part of that
  process can compensate sufficiently.
• Part of the problem is the failure to understand
  the flawed incentives throughout the governance
  process, which can lead to even technological
  alarms to be ignored, as in the case of Societe
  Generale.
• On the other hand, advantage of technology is
  that it is not swayed by status, income or
  position.
• The point of this conference is to begin the
  process of taking CA/CM to the level necessary
  where it will have a real impact.

33
Some Possible Solutions To Explore

• A valuation platform that will provide third
  party valuation of complex financial instruments
  and a systemic assessment of their critical
  risks, types and their inter-linkages, and an
  automated confirmation mechanism (a more
  sophisticated and broader form of the SWIFT
  system, using confirmatory extranets) to verify
  and affirm the existence of the instruments in
  question.
• A library and taxonomy of derivative valuation
  programs drawn from various sources, both
  external and internally developed.
• A template for a linkage methodology where
  related derivative instruments part of a
  coordinated hedge will be linked.
• A high level set of risk KPI and monitoring
  alarming features.

34
Thinking Out Of The Box Continued

• A set of analytic continuity equations linking
  varied outside market conditions clearance
  agents derivative instrument and security
  positions, and different views of risk exposures.
• A representation of clearance agents, clients,
  paper issuers, SPEs, and other relevant entities.
• An alarming/management methodology to mitigate
  the danger of rogue trading and unbalanced
  derivative positions.
• Simulation of several alternate
  conditions/contingencies based on published
  reports of major frauds at Societe Generale,
  Citigroup, Barings and so on to test the validity
  of the proposed approach as a preventive and
  detective control.

35

1. Database to database confirmations

Counterparty 1
4. high level set of risk KPI and monitoring
alarming
3. library of derivative valuation programs
5. Analytic continuity equations
2. A reporting level control panel
FI enters in thousands of Derivative transactions
6. alarming/management methodology
Counterparty n

• Many transactions are multiparty
• Similar instruments are actual different
• There are tight and loose hedges
• Catastrophic changes in markets undermine hedges

36
Discussion Questions

• Can a technologically based solution and new
  audit methodologies be derived to deal with or
  mitigate these problems?
• How good are the current risk management
  platforms at the financial institutions?
• Can a platform just involving one institution
  without spanning its counterparties be relied
  upon?
• How do we make allowance for incentive issues,
  especially in the face of enormous temptations to
  subvert governance.
• With XBRL now effectively mandated the question
  that looms is if version 2.1 is adequate to
  represent fast moving instruments or will new XML
  extension languages have to be created to deal
  with the live financial report.