Post on 12-Jan-2016

Keith Wenk

Senior Manager

Audit & Enterprise Risk Services

Deloitte & Touche

Auditing Brokerage & Investment Activities

Agenda

• Overview
• Areas of Risk
  – New Account Opening
  – Client Transactions
  – Clearance & Settlement
  – Custody
  – Account Monitoring
  – Corporate Actions
  – Securities Lending
• Questions

Overview

Overview

Goals for the session:

• Highlight risks and control activities related to various brokerage and investment activities

• Discuss sampling and profiling ideas related to each of these activities

• Audit procedures and strategy

• Evaluate results to provide constructive comments

Overview (cont.)

Themes to focus on include:

• Identifying populations of relevance in sampling populations
  – Look for ways to make better selections than trying to look for a needle in a haystack
• Varying testing timing and procedures
  – Avoid typical audit schedules and selection dates

Overview (cont.)

Themes to focus on include (cont.):

• Efficient testing
  – Leveraging time spent in various departments to address multiple issues
• Utilizing technology to enhance audit procedures
  – Narrow large populations through data interrogation

Overview (cont.)

Errors

Due to the current economic situation, the risk of error is higher than ever, thanks to:
– Corporate layoffs
– Outsourcing
– Early retirements (forced or otherwise)

Overview (cont.)

Fraud

Similar to errors, the fraud risk has increased for the same reasons.

Fraud committed to cover up errors is also a significant concern:
– Fear of losing job could cause error concealment

New Account Opening

New Accounts – Risks

• Accounts are opened for non-existent clients

• Account information is incomplete, not received at all, and/or inaccurate

• Account opening is not properly authorized

New Accounts – Risks (cont.)

• Proper restrictions are not placed on the account

• The client name, address and instruction file are not kept current and become invalid

New Accounts – Key Controls

• All new account information is prepared and approved by management prior to trading
  • Is there a QA process as part of the controls that can be leveraged?
  • Focus on times of year when errors might be more likely to occur.
• Confirm account information with client
  • Usually there is a process to mail new account information to the client; have all controls in the process been considered, including physical mailing?

New Accounts – Key Controls (cont.)

• Conditions requiring restrictions on accounts are identified
  • Consider which restrictions are critical, and actually test whether restriction was enforced
• The accounts of officers and employees and their known relatives are identified so transactions in such accounts can be reviewed by designated personnel
  • Utilize technology to search through client addresses and compare to employees
  • Consider doing similar searches for name variations
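
Added example (not part of the original presentation): one way to run the address and name-variation search described above, so that accounts possibly belonging to employees or their relatives can be routed to the designated reviewer. The records, field names, lookup tables and the 0.85 name threshold are constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample records; field names are assumptions for this example.
EMPLOYEES = [
    {"id": "E100", "name": "Robert Smith", "address": "12 Oak Street, Apt 4, Springfield"},
    {"id": "E101", "name": "Dana Lee", "address": "900 Market St., San Jose"},
]
CLIENTS = [
    {"acct": "A1", "name": "Bob Smith", "address": "12 OAK ST APT 4 SPRINGFIELD"},
    {"acct": "A2", "name": "Maria Gomez", "address": "900 Market Street, San Jose"},
    {"acct": "A3", "name": "Dayna Lee", "address": "77 Pine Road, Fresno"},
    {"acct": "A4", "name": "Tom Park", "address": "5 Elm Avenue, Reno"},
]
# Small illustrative lookup tables; a real review would use fuller lists.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}
NICKNAMES = {"bob": "robert", "rob": "robert", "bill": "william"}

def norm_address(addr):
    """Lower-case, drop punctuation, and collapse common street abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def norm_name(name):
    """Lower-case, drop punctuation, and map nicknames to a formal given name."""
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(NICKNAMES.get(t, t) for t in tokens)

def employee_related_accounts(clients, employees, name_threshold=0.85):
    """Return (account, employee id, reason) for accounts to route for review."""
    by_addr = {}
    for e in employees:
        by_addr.setdefault(norm_address(e["address"]), []).append(e["id"])
    hits = []
    for c in clients:
        reasons = {}
        for emp_id in by_addr.get(norm_address(c["address"]), []):
            reasons.setdefault(emp_id, []).append("address")
        for e in employees:
            score = SequenceMatcher(None, norm_name(c["name"]), norm_name(e["name"])).ratio()
            if score >= name_threshold:
                reasons.setdefault(e["id"], []).append("name")
        hits.extend((c["acct"], emp_id, "+".join(why)) for emp_id, why in reasons.items())
    return hits

if __name__ == "__main__":
    for hit in employee_related_accounts(CLIENTS, EMPLOYEES):
        print(hit)
```

A hit is a lead for the reviewer, not a finding: shared addresses (for example, large apartment buildings) and common names will produce matches that need follow-up before any conclusion is drawn.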

New Accounts – Key Controls (cont.)

• Client authorized account information changes through a Letter of Approval (LOA) or other kind of approval
  • There should be a process to mail out a letter; test both the mailing and the comparison of its content to the LOA
  • Search records for frequency of account information changes, using data interrogation

New Accounts – Key Controls (cont.)

• Client statements are periodically mailed or made available electronically unless otherwise requested by the client in writing and a designated official has approved the request
  • Vary timing of testing; avoid the same time as last year or quarter ends
  • Actually compare statement data to client systems
  • Have you actually tested electronic statements for accuracy and delivery?
  • Hold mail accounts should receive additional focus

Client Transactions

Client Transactions – Risks

• Orders are not legitimate client orders and/or not properly authorized by clients

• Orders are not properly or accurately recorded

• Orders are not recorded in the proper period

Client Transactions – Risks (cont.)

• All orders are not accounted for and data is not transferred completely and accurately to order entry systems

• All orders are not properly executed

Client Transactions – Key Controls

• Client statements are periodically mailed or made available online
  • Narrow testing based on account characteristics using data mining
    – As-of trades, accounts with significant trading before statement mailings
• A number is assigned to orders when placed, and all numbers are accounted for
  • Have all types of trades been considered for testing?
  • Utilize system testing for order number generation and tracking, with IT auditor involvement

Client Transactions – Key Controls (cont)

• Trade confirmations are generated for clients who executed orders, including details of the trade
  • Are there client-directed transactions, and how are they documented?
  • Make selections and compare to documentation
  • Similar issues as those for other client information mailings

Client Transactions – Key Controls (cont)

• Transactions cleared through clearing organizations (as indicated on the trade date blotter or other internal documents) are compared to contract sheets (clearing reports) from the clearing organizations
  • Need to design tests based on how the control operates
    – If a systematic pair off, need to test accuracy and completeness of the system
  • When testing trade break resolution, make sure that tests are done of both the review control and the actual resolution for accuracy

Clearance & Settlement

Clearance & Settlement – Risks

• All receipts and deliveries of securities and money are not recorded in the proper period

• All receipts and deliveries of securities and money are not accurately recorded

• Settled trades are not properly recorded in the books and records

Clearance & Settlement – Risks (cont.)

• Settled trades are not recorded in the proper period

• Transactions underlying failed trades or cash movements are not recorded correctly

• Receipts and deliveries of securities and money are not for approved transactions

• Securities underlying failed trades are not valued correctly

Clearance & Settlement – Key Controls

• Pre-settlement trade activity for both money and position is reconciled to the counterparty
  • Focus testing on higher volume days where items might be missed
  • Test for both evidence of review and actual performance of reconciliation

Clearance & Settlement – Key Controls (cont)

• Daily movements of securities and money are balanced and responsibility for the clearance of out-of-balance positions is assigned to specific individuals who have no other duties related to any other aspects of securities processing
  • Frequency and size of out-of-balance amounts should be considered
  • Same position or account out of balance and constantly being “fixed”?

Clearance & Settlement – Key Controls (cont)

• Accounts are reconciled for cash and securities transactions on a daily basis and reconciling items are promptly investigated for timely resolution
  • Vary timing of testing and also people being tested
• Specific levels of authorization must be obtained when executing cash and securities movements or wire transfers
  • Actually compare signatures to approval ranges
  • Use data mining to look for authorization level abuse or frequency of transactions by approvers

Custody

Custody – Risks

• Securities on hand are not controlled by physical means.

• Securities are not represented accurately by the Company’s records.

Custody – Key Controls

• Access to areas containing securities is restricted to authorized personnel, the cage and vault doors are kept locked at all times, and securities are maintained in a fireproof vault
  • Consider surprise inspections of security measures
  • An area where procedures are sometimes not enforced for “convenience” sake

Custody – Key Controls (cont.)

• A reconciliation is performed between the Company’s records of positions and the physical securities on hand; any discrepancies are noted in an exception report
  • Leverage off of physical counts already done?
  • Make selections of exceptions from various counts
  • Is there an aging of exceptions?
  • Make selections of hard-to-count securities like limited partnership agreements

Custody – Key Controls (cont.)

• A reconciliation is performed for money and position per settlement and stock record/position systems to the clearing organizations and depositories
  • Usually an automated task, need to evaluate system controls
  • Vary dates, people and reconciliations
  • Look for duplicative correction entries
• Client accounts are balanced with the stock record or trust position system
  • How are discrepancies addressed?

Account Monitoring

Account Monitoring – Risks

• Accounts are not maintained in accordance with policies, laws, and regulations.

• Client accounts are not protected from unauthorized activities.

Account Monitoring – Key Controls

• Fiduciaries are required to be registered with the appropriate regulatory agencies.
  • Comparison of current clients to various state registrations of fiduciary
• Ensure that employee trading activity is in accordance with applicable Company rules and regulatory standards.
  • Compare employee holdings and trading to clients
  • Any non-standard assets in common?

Account Monitoring – Key Controls (cont)

• Review client account documentation to ensure all proper documentation is on file.
  • Consider restriction changes
  • Documentation that needs to be renewed (W-8)
  • Narrow down selections based on account attributes
• Monitoring and review of the transactions in client accounts is performed by authorized personnel.
  • Leverage information obtained to narrow areas of focus in other areas
  • As-of trades, hold mail accounts, large account value swings, negative account values, complaints

Account Monitoring – Key Controls (cont)

• Computer systems protect information through password restricted functionality depending on the user.
  • Need to utilize system auditors
  • Consider using test accounts to devise different access scenarios
• Inactive accounts are monitored or reviewed for suspicious activity.
  • How are inactive accounts identified?
  • Zero balance accounts with hold mail

Corporate Actions

There are two sub categories related to corporate actions:

• Instruction Processing

• Transaction Processing and Accounting

CA Instruction Processing – Risks

• All incoming corporate action notices are not retrieved and recorded.

• Corporate actions are not recorded in the proper period.

• Recorded corporate actions are not valid and/or accurate.

CA Instruction Processing – Risks (cont.)

• Securities database is not properly updated to reflect activity.

• Incoming and outgoing instructions on securities transactions are not validated, documented and/or traced prior to submission to depositories on a timely basis.

• Client securities are used to participate in expiring offers without valid client instruction.

CA Instruction Processing – Key Controls

• Information is subject to supervisory review/approval.
  • Is there a procedure to compare notice to action?
  • Compare employee holdings to actions worked on
• Procedures for timely revision/updating of existing announcements are in place.
  • Is support for history of action reviewed?

CA Instruction Processing – Key Controls

• Comparison of multiple information feeds is performed to identify and report illogical or missing data.
  • Utilize system auditors, as this is usually an automated process
• The Company performs a manual review of reports that are produced by the reorganization system detailing all adjustments made.
  • Do adjustments have supporting information?
  • Look at frequency of adjustments for areas of focus

CA Instruction Processing – Key Controls

• Validation of client position vs. instructions to ensure that clients are long the security (or securities).
  • Data mining to identify accounts that receive action without positions
  • Comparison of actions to employee accounts
• Management reviews the action files to ensure proper documentation is maintained upon file completion.
  • Make sure the files are complete, not just evidence of review

CA Transaction Processing - Risks

• All cash receipts and disbursements of dividends and interest receivable and payable are not valid and/or properly recorded.

• Dividend and interest receipts and disbursements are not properly valued and/or accurately recorded on a timely basis.

CA Transaction Processing – Risks (cont.)

• Dividend and interest receipts and disbursements are not recorded in the proper period.

• All movements in securities are not recorded in the stock record or trust position system in the current period.

CA Transaction Processing – Risks (cont.)

• The stock record or trust position system does not accurately reflect the movement of securities to/from accounts.

CA Transaction Processing – Key Controls

• All departmental accounts are reconciled daily.
  • Reconciliation is performed and reviewed
  • Look for recurring reconciliation items
  • Look for recurring entries between operational accounts
• Timely managerial/supervisory review and approval of critical functions.
  • There should be sign-off authority levels

CA Transaction Processing – Key Controls

• Management should review activity/exception reports in a timely manner and ensure that the appropriate follow-up action has been taken to resolve discrepancies.
  • Does department switch up responsibilities for exception resolution?
  • Did management signify review, but resolution does not make sense?

Securities Lending

Securities Lending - Risks

• Client documentation and approval is not obtained before lending securities.

• Transactions are not executed with approved counterparties.

• Risk limits are not set and monitored by senior management.

Securities Lending – Risks (cont.)

• All transactions are not entered into trading systems completely, accurately and/or in the proper period.

• All recorded transactions are not valid.

• Underlying collateral is not appropriately valued.

Securities Lending – Key Controls

• Client authorization is obtained and reviewed before client securities are subject to lending.
  • Have all aspects been documented, including allowable collateral and agreed rates?
  • Client reporting of lending performed and collateral received?
• Counterparties appear on the company’s authorized listing of acceptable counterparties in collateralized transactions.
  • Consider related parties when setting credit limits
  • Evidence that limits are distributed to employees

Securities Lending – Key Controls (cont.)

• Risk systems are set up to report when a breach of set risk limits has occurred.
  • How evidenced?
  • Systems updated with correct limits?
  • Who has access to update limits?
• Collateralized trading systems are set up to allow only authorized trading personnel to enter trade information.
  • Utilize system auditors to test functionality

Securities Lending – Key Controls (cont.)

• Written confirmations received from counterparties are verified against internal records. Any differences are followed up on in a timely manner.
  • Narrow focus based on size of transactions and unusual rebate rates
• Procedures used to value underlying positions are regularly reviewed to determine if the methodology used is appropriate.
  • Should be an automated process, system control focus
  • Look for manual price adjustments

Keith Wenk

kwenk@deloitte.com

(415) 783-4186

Questions
