Role of Internal Audit and Future SEC Examinations
Lori Richards, Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission, delivered prepared remarks to the Securities Industry Association, Internal Auditors Division 2005 Annual Conference in Key Biscayne, FL on October 18, 2005 entitled “Internal Audits and SEC Examinations.” While she briefly highlighted “hot button” issues like mutual fund sales and trading, clearing and prime brokerage, structured products, anti-money laundering, SAS 70 issues, and more, the main part of her remarks focused on how the existence of a high-quality internal audit function may affect future SEC examinations. Although her remarks were primarily geared to the broker/dealer audience, the astute reader should realize that there comments are equally likely to apply to the larger hedge funds required to register with the SEC by February 1, 2006. Do such hedge fund registrants have an independent and high-quality internal audit function? !—break-->
Toomre Capital Markets supports the SEC’s focus on internal controls and risk management, particularly at the larger or more complex broker/dealer, investement management and hedge fund firms. Ms. Richards explained, “We focus on a firm's systems, procedures, resources and performance in the assessment, monitoring and control of risks. The examination begins with an overview of the firm's businesses and the risk management system and controls that overlay the business operations. This includes obtaining an understanding of how managers identify, assess, monitor and control all risks within the broker-dealer. These examinations are conducted in conjunction with a review of the firm's compliance with the SEC's net capital and customer reserve rules. Here are some of the questions that examiners ask in these exams: “
- How are the overall policies established? Is senior management involved in risk management and the oversight of risk parameters and controls;
- What are the resources and systems accorded to risk management? We seek to evaluate whether resources are adequate and systems appear to operate effectively;
- What are controls over market risk in trading activities and firm inventory, including value at risk, economic models, scenario analyses, stress testing, and back testing? We follow a sample of trades from the trading desk through the entire risk management system;
- How is credit risk managed at the firm? We look at controls over counterparty credit risk across all products and businesses, credit limits, pricing models, guarantees, collateral, margin, and settlement and legal risks;
- Does the firm maintain a comprehensive program to ensure its continued funding and liquidity? We look at a firm's internal measures of liquidity, its reserves and its contingency funding plan;
- What are controls over operational risks? We look at segregation of duties, checks and balances, protection of customer funds and securities, operating systems, management information systems, management reporting, front and back office operations, security, contingency planning and disaster recovery;
- Is internal audit effective in conducting comprehensive and independent assessments? We also seek to understand whether deficiencies noted by internal auditors are addressed in a timely manner;
- What are the controls over the introduction of new products? We seek to understand how new products are incorporated into the firm's risk management system.
Ms. Richards continued “More recently, we have focused our internal controls examinations on selected business areas which are either new, highly profitable or viewed as possessing greater risk. For the selected business areas, we perform a comprehensive examination of the management, marketing and execution of the business to understand how the business unit is deriving revenue, managing risk and fulfilling its supervisory and compliance responsibilities.”
This last paragraph is particularly noteworthy. Toomre Capital Markets LLC suggests that hedge funds facing the February 1, 2006 requirement to register with the SEC focus on this statement as their operations are likely to be classified as new, highly profitable and/or viewed as possessing greater risk. What, if anything, do these funds have by way of internal audit functions? Please contact TCM should the reader have further questions.