Speech by SEC Staff:
A Regulatory View - Broker-Dealer Internal Audit/Compliance Priorities

by

Mary Ann Gadziala

Associate Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

2006 Annual Conference of the Internal Auditors Division of the Securities Industry Association
Fort Lauderdale, Florida
October 17, 2006

Thank you very much for providing me this opportunity to address the 2006 Annual Conference of the Internal Auditors Division of the Securities Industry Association. It is always a great pleasure to address fellow securities compliance auditors. Colleagues like you are the first line of defense in ensuring a firm's controls and systems are operating effectively. And your high quality audit work can make our job as SEC examiners less burdensome and more effective. That is especially true in light of a recently initiated process in the SEC broker-dealer examination program under which we are leveraging off the high quality and independent oversight of a firm's internal audit department in conducting our risk management examinations. I will be discussing this process in more detail during my remarks. I would also like to spend a little time noting some of the areas of focus of our examination program. These examination priorities are typically based upon our analysis of risks to investors, registrants, and the markets. They are therefore an indication to you where you might want to focus some of your high level attention.

I. Reliance on Effective Internal Audit Work

As I mentioned, the SEC broker-dealer examination program has recently begun the implementation of a new process whereby we may leverage off the high quality work of a firm's internal audit department in conducting our own risk management examinations. This process is being employed only with respect to risk management examinations of broker-dealers and consolidated supervised entities at the current time because these examinations are very resource-intensive. However, it is my view that this process could be extended to other areas if successful in the risk management area. In addition, the practices and procedures I will discuss may be relevant to the development of an effective internal audit program at any firm, regardless of whether you may be subject to an SEC risk management examination. Since the scope of our examination, where this new process is used, will be somewhat dependent on our evaluation of your internal audit work, our risk management examination process has changed to permit our onsite examination to begin with a review of the work of the firm's internal audit department. After evaluation of the internal audit work, we will conduct our examination of market, credit, legal and compliance, operational, and liquidity risks of the firm. We will use an examination scope that may be limited or adjusted based on your internal audit work.

In order to evaluate the quality and strength of the firm's internal audit function, some areas we may review include the qualifications and expertise of audit management and staff, the adequacy of resources and systems, the independence and authority of the internal audit department, and the adequacy of audit coverage throughout the organization with a focus on risk management audits.¹

One of the first documents that our examination team will assess is typically the internal audit charter. The purpose, authority, and responsibility of the internal audit function is defined in the charter or other document that is approved by the top levels of the firm, such as senior management and the audit committee. We would expect to see that this document is maintained and updated on a periodic basis. An effective audit charter or comparable document would generally include but not be limited to the following:

• The objectives and scope of the internal audit function;
   
• The Internal Audit Department's ("Internal Audit") role within the firm;
   
• The authority and access of the head of Internal Audit to top levels of the firm, such as the audit committee and senior business executives;
   
• Internal Audit's powers and responsibilities, which include full and direct access to all records and activities of the firm, as well as access to and the ability to communicate with any employee of the firm;
   
• The accountability of the head of Internal Audit; and
   
• The terms and circumstances under which Internal Audit may act in an advisory or consulting role.

The independence of Internal Audit is also critical to the effectiveness and quality of their evaluation of the activities and operations of an organization. In addition to being independent from business operations, an effective internal audit program is typically independent from the compliance department and other "control" groups that it audits. This should achieve the goal that Internal Audit is objective and impartial, and seeks to avoid any conflicts of interests.

Effective implementation of the internal audit function requires that Internal Audit have adequate resources, including personnel and technology. Overall staffing and budget should be sufficient to effectively cover audit needs of the firm as it relates to the size, diversity, riskiness and other relevant aspects of firm operations. This generally means Internal Audit will have the resources it needs to complete the audit plan and auditing tasks effectively and in a timely manner. Auditors should have adequate experience in both auditing and an understanding of business operations of the firm where the auditor has audit responsibilities. SEC examination staff may review resumes or biographies of the internal audit staff, the firm's policies and procedures with respect to minimum qualifications, and auditors' educational level and professional experience. Training and continuing education are also assessed during our examinations. Specialized training sessions for new products or changes in regulations, accounting rules, and business operations may also be considered.

The next part of the SEC review will evaluate the "audit universe" and audit cycles set by Internal Audit. In general, the audit universe is a comprehensive list of all areas of a firm that expose it to risk. It includes business lines as well as other functions and operations, such as the firm's significant information technology applications and platforms. The audit universe covers firm headquarters, branches, subsidiaries, and outsourced activities. It also covers the intersection and interaction of various business operations to assess conflicts and overall relationships with customers and counterparties. Firms use the audit universe to develop a multi-year audit plan to ensure that each area of risk is audited at least once during the audit cycle. Audit cycles are generally based on a combined analysis of inherent risk to the firm and controls that may mitigate the risk. The maximum cycle we have seen, which is for the low risk areas, is typically three to five years. Among the SEC examiners' primary concerns regarding a firm's audit universe are its completeness, risk rankings, and cycles as related to risks and controls.²

An effective internal audit department generally has thorough and clear procedures with respect to the conduct of its audits. Effective audit procedures may (1) explain how the auditor conducts audits; (2) describe the required workpapers necessary to support the audit; (3) contain guidelines for testing and sampling; (4) discuss supervision of the audit; and (5) describe reporting of audit findings and audit reports.³ As I am sure you know, the Accounting Standards Board issued Statement on Auditing Standards No. 103 ("SAS 103")⁴ / to cover non-public companies, which requires an auditor to prepare audit documentation that is sufficiently detailed for an experienced auditor having no previous connection to the audit to understand the audit work performed, evidence obtained, and conclusions reached. SAS 103 also requires auditors to assemble audit documentation that is the "final engagement file" within 60 days of the report release date. It also provides guidance on what to document; states that oral explanations by themselves are insufficient to support audit work or conclusions although they may be used to clarify audit documentation; and specifies a minimum file retention period of five years. SEC examiners consider this guidance in their evaluation.

The firm's meaningful corrective action in response to the audit is also a key element of the effectiveness of Internal Audit's work. Therefore, appropriate dissemination of results and follow-up are essential. You are no doubt familiar with the Institute of Internal Auditors Performance Standard 2440, which states that the chief audit executive should disseminate audit results to the appropriate parties.⁵ The dissemination of results will depend on the type of organization, the type of audit work performed, and the circumstances and findings of the audit. Ordinarily the report will go to the business line manager for the area under review and may also go up the management and executive chain depending on the significance of findings. If the findings are significant, they should also generally be reported to the audit committee or Board, as appropriate, by the head of Internal Audit. These processes will also be evaluated.

Once the audit is complete, the audited business area is expected to respond in writing to the audit report in a specified time frame (generally 30 days). Internal Audit may include in the report recommended remedial actions with a specific reasonable time frame for their completion; in some cases the business area may be more qualified to suggest remedial action acceptable to Internal Audit. Procedures may allow the business area to extend the time to complete the remedial action often in consultation with Internal Audit. The SEC examination team will look to see if audit procedures include an adequate system to monitor audit findings and their resolution.⁶

This summary outlines some of the areas our examiners may review in assessing the effectiveness and adequacy of the work of Internal Audit. The SEC examination team will select a number of audits covering risk management controls at the firm. The audit reports, workpapers, testing, sampling, scoping, depth of coverage, findings, timeliness, and follow-up are subject to evaluation by the examination team. This in turn will be used to determine our own examination coverage. We have already used this process in several recent examinations and your high quality internal audit work has allowed our examination teams to reduce or adjust the scope and coverage of their risk management examinations. This permits the SEC examiners to focus on more specific areas of high risk, particularly those not recently or fully covered by a firm's internal audit department or new activities not yet reviewed by Internal Audit.

II. SEC Examination Focus Areas

Now let me mention some of the current areas of focus for our SEC examination program. They include:

• Supervision — One area that merits continued attention is ensuring that a firm's written supervisory procedures are complete and updated to keep pace with regulatory or business changes. They also need to be effectively implemented. Large, high volume firms using manual monitoring processes may raise supervisory concerns. Branch office supervision is a growing challenge as the number of branch offices has escalated to about 170,000, and many offices are independent contractors or at remote locations, offering additional challenges. Outsourcing of more and more activities also raises supervisory issues. And, of course, supervising correspondence remains a priority.
   
• Sales Practices — Sales and marketing to senior citizens is a top priority and we are involved in a major collaborative examination initiative involving the SEC, the states, and SROs. Almost 90 examinations in six key retirement states — including the state of Florida — have begun. We are also focusing on certain products where we have seen more frequent sales practice problems. These include 529 plans, variable annuities, illiquid securities, and IPOs. Instances of retail and corporate bond dealers charging large mark-ups or mark downs on riskless principal and inventory transactions may raise suitability concerns. And despite all the valuable work that has been done by regulators and the industry, we continue to find firms that are not providing investors with appropriate breakpoint discounts on mutual fund purchases.
   
• Risk Management — Firms continue to make significant advances in risk management internal controls. However, there are still some areas where special attention might be directed. For example, it is a good practice for firms to continually monitor and update business continuity plans as appropriate to implement technological advancements and address new challenges, such as a potential pandemic. Making certain back office operations and compliance keep pace with sales and marketing new products is an area of focus. And we are looking to be sure firms are effectively addressing problems with assignments and confirmations with respect to credit derivatives. Complex structured finance transactions should also be carefully monitored for appropriate risk management. Information security is a key risk management concern, particularly in view of increased instances of identify thefts. Another critical risk management area is conflicts of interests, which should be carefully monitored especially by firms with diversified activities and customers.
   
• Financial Issues — Net capital deficiencies and inaccuracies in computing net capital remain among top findings from our examinations. Imposing adequate margin requirements on customers, particularly hedge funds and other significant or highly leveraged customers, is also an area of focus. And you should be mindful of developments with respect to portfolio margining. We have also focused a significant amount of attention on the alternative net capital computations of broker-dealers using methodologies that incorporate the concepts of the Basel capital requirements with internal mathematical models as the underlying basis.
   
• Anti-Money Laundering — Some areas of focus are: firms' relationships with foreign institutions; general risk assessment and suspicious activity reporting; independent tests — are they timely, comprehensive, and conducted by a person with sufficient knowledge of anti-money laundering laws; whether firm compliance programs are adequate and effectively implemented; and whether each regulated entity has met its independent obligations under the PATRIOT Act.
   
• Books and Records — Having accurate books and records is a key component of ensuring compliance with the law and having financial integrity and accuracy of financial statements. They are also key to understanding firm operations and activities. It is important that all business-related correspondence and records, including e-mails, be accurately maintained and accessible as required.
   
• Trading Practices — Examinations continue to find instances of market timing in mutual funds, variable annuity products, and REITs. Best execution of transactions is also an examination priority as well as compliance with Reg SHO. Trading practices is another area where conflicts are a concern, particularly with respect to maintaining the confidentiality of nonpublic customer trade information and preventing insider trading, frontrunning, and market manipulation.

I mention these as some examples of current SEC examination priorities. However, like you, we are continually re-evaluating the potential risks to investors, firms, and markets. Thus, our priorities change.

III. Conclusion

In conclusion, it is my view that there are some potential challenges we can already anticipate. Potential terrorist attacks or natural disasters are probably still the most devastating potential risks for which ample business continuity planning should be implemented. In addition, there is an ever increasing stream of new and complex products being offered and quickly proliferating. It is a challenge to keep pace in the areas of operations, controls, compliance, and training. Sales of complex structured finance products or hedge funds to retail customers may raise particular suitability and supervisory challenges. Structured products marketing and sales continue to escalate with a reported 500% growth in commodities-related structured products and recognition by the Structured Products Association that 2005 was a breakthrough year for retail sales of structured products. Firms have substantially increased their focus on sales and marketing to senior citizens and those in the pre-retirement stage and appropriate attention must be devoted to ensuring sales are suitable. We are also seeing an unprecedented amount of senior management turnover at firms and changes in business strategies which offer continual challenges.

Changes in interest rates will impact home mortgages, home equity loans and fixed income products in ways that may not be expected by investors. Other significant macro-economic market events may also raise risks. For example, a drop in market activity or stock market price may encourage more aggressive and risky principal trading. As more and more activities are outsourced, firms will be challenged with maintaining appropriate controls and supervision. Technology continues to offer challenges — there are increasing volumes, increased rapidity of trades, more non-public information on potential customer trading provided to firm personnel, and more sophisticated hackers and security breaches. Maintaining robust and flexible controls, and continually monitoring and addressing risks, are the best defenses against compliance and financial failures. I encourage you to continue to consider these and other risks you may identify in keeping your risk management and compliance programs complete and up-to-date. Thank you for your kind attention.

Endnotes

---

¹ Since this process is part of our risk management examinations, we will focus on the extent and adequacy of the internal audit department's coverage of risk management control groups, the process and controls for creation and testing of internal mathematical models used by the firm, risk systems, and risk taking and controls in various businesses. Our examination staff will select specific audits in these areas for more focused review and will review audit reports and workpapers for that sample of recent audits performed by the firm.

² The audit plan is based on Internal Audit's risk assessment. An effective plan may include a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget. Material changes in a firm's business operations may require changes to the internal control system and also warrant additional internal audit work. Changes may include (1) new management; (2) areas or activities experiencing rapid growth or rapid decline; (3) new lines of business, products, or technologies; (4) corporate restructurings, mergers, and acquisitions; or (5) the discovery of fraudulent activity, a new conflict, or a significant market or regulatory development.

³ Audit procedures followed during the internal audit should be documented in workpapers, which will be reviewed by the SEC examination team with respect to audits selected for review. These reflect the work performed by the internal audit team and support the evaluations formulated in the final audit report. The workpapers should provide sufficient information to verify whether the audit was duly performed and to enable others to check the manner in which it was performed.

⁴ http://www.aicpa.org/pubs/jofa/feb2006/news.htm#AUDITING

⁵ In particular, Implementation Standard 2440.A1 specifies that: "The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration".

⁶ Institute of Internal Auditors Performance Standard 2500 states "The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management". The system should indicate when the remedial action was completed and may show confirmation by Internal Audit.

http://www.sec.gov/news/speech/2006/spch101706mag.htm