Article
The trading environment is amongst the inherently more risky
control environments in any organisation. The susceptibility to fraud and the
ability of financial errors tends to be inherently higher in this area. The last
two decades have witnessed a large number of incidents comprising of frauds,
mismarking (valuation) and trading with excessive positions. Let’s get a closer
look at auditing a trading environment.
A typical trading environment is centred around the trader in
an organisation. The control environment around the trader comprises of a
supervisor who oversees his activities, back office or operations which performs
confirmation and settlement function, mid office which performs valuation and
analysis, finance, risk management and other control environment functions. Mid
office is known by different names in different organisations (including finance
and back office). However, the reference here is to the function which performs
valuations and analyses the profit & loss.
The following aspects tend to be the key areas in an audit of
trading environment :
- Settlement and confirmations functions
- Technology and continuity
- Oversight and governance routines by management
1. Supervision :
Oversight by the trader’s supervisor(s) is a major control
point in a trading business. While this is not an independent function, the
supervisor will be in best position to spot any untoward trading or frauds. Key
elements of the audit should include a review of nature and quality of
information available on trading positions from independent functions, ability
of the supervisor to review the risks of trading positions on real-time basis
and role of the supervisor in monitoring abnormal events such as abnormal spurts
in profitability, risk positions and number of trades. Special emphasis should
be on review of trades at abnormal rates and surveillance mechanism to detect
circular trading, market manipulation and rate reasonableness review for
non-exchange traded products.
A number of frauds have occurred as trades have been
cancelled and rebooked or modified before being valued by valuation teams
(finance or mid office) and restored back to original status after a valuation
is done. This is done to artificially lower the cost of purchases before
securities or positions are valued (and calculation of profitability) and then
bring them to realistic values again after this is done. To counter this, all
cancellation of trades or modification of trades should be reviewed by the
supervisor as well as someone independent in back office/operations along with
reasons for the cancellation/modifications on a daily basis. The auditor should
assess if this process is working effectively.
Apart from daily trade reviews, it is important that the
traders are subjected to a mandatory leave policy without access to office
resources or communication and that they have no edit access to systems used for
valuation of securities/positions.
2. Settlement and confirmations functions :
Settlement function pertains to payment and receipt of funds
or securities (including shares and bonds). Confirmation pertains verifying
genuineness of trades either by matching with the exchange or with the
counterparty.
This function is commonly conducted by a back office (or
operations). This function may not be complex if the products are traded on
exchanges (like equity shares) or has a clearing house (like the bond trades
done on Negotiated Dealing System — Order matching) or has a confirmation
platform (like swap derivative trades). This is because the confirmation and/or
settlement is centralised with a clearing house which makes the process more
simple and quick. In all other cases, this may be complex.
The most important aspect to review in this area is the level
of independence of the back office/operations — both in form as well as
substance. While it is easy to assess the formal reporting lines to establish
independence, it is difficult to review whether the back office is independent
in substance. Matters such as exception reports, rigour of follow-up of open
items, decisions taken by the back office/operations head in conflicting
situations generally demonstrate their independence.
Apart from this, a review of design of process, adequacy,
quality and past experience of staff are important.
One of the other big risk factors in the back
office/operations processes pertains to segregation of duties and oversight to
avoid one person having too much control in their hands :
- All key functions such as confirmations, remittance of funds or transfer of
securities should be conducted by a minimum of two personnel.
- Reconciliation of securities or positions and funds between internal and
external records should be conducted by personnel that are independent of
those who are in charge of remitting funds or transferring securities. Else,
they will have the ability to manipulate transactions without being detected.
Important reconciliations should be conducted daily and should compulsorily
have evidence of a second person having reviewed it.
- In cases, where operations has the ability to book transaction-related
accounting adjustments manually, the personnel booking accounting adjustments
should not be those who are performing reconciliations mentioned earlier.
In case, the products are not exchange-traded or not settled via a clearing house, confirmations are obtained from each contracting party (counter-party) separately. At times, it may take time to obtain this. In such cases, focus on follow-up of aged outstanding confirmations and ability to enforce the legality of trade in light of confirmation being challenged are additional factors to be reviewed.
3. Valuations:
Valuation of portfolio/positions is usually performed by a mid office (in case there is one) or finance team. This may be a simple matter of picking last traded rates from an exchange quotation or can be complex in case the prices for valuation are not easily available. These have historically been areas of a number of frauds and mismarking incidents globally.
The auditor should review the policies and procedures for valuation. In case the products are exchange-traded (or valuation rates are easily available) the following matters should be looked at with a significant sense of judgment?:
- One should evaluate whether valuation prices used are of liquid (well traded) positions i.e., the prices of illiquid securities may need to be adjusted.
- At times, the organisation being audited may be a significant trader in a particular security. In such a scenario, one should consider whether the organisation has significantly influenced day-end price of a share/security. In such a scenario, an alternate pricing methodology (such as averages) may need to be adopted.
In case, rates for valuations are not easily available, additional factors such as independence of those agencies or parties providing rates and ability of them to be able to correctly capture market be-haviour also needs to be reviewed.
Lastly, one also needs to consider the nature of profitability analysis. The valuation function should analyse and circulate a P&L explain statement regularly (preferably daily) which highlights where and why the organisation made trading revenues and losses. This goes a long way in understanding what trading activity is being conducted and whether profits are from genuine trading opportunities.
4. Risk management:
Risk management, is usually an independent group which oversees various risks emanating out of trad-ing. The most closely watched risk in a trading environment is market risk followed by credit risk.
Market risk:
While organisations having significant trading ac-tivities would usually implement a key element of market risk, such as Value at risk/DV01 or DeAR, depending on size and complexity, the auditor needs to evaluate whether a more granular structure is needed. In more complex trading scenarios, market risk should have a granular limit structure to monitor all applicable metrics (or Greeks) of market risks. The auditor also needs to consider reviewing the accuracy of risk metrics generated by risk systems/risk management. At times, use of external experts may be desirable to confirm accuracy of risk and valuation models. Market risk utilisation reports should be circulated to an important level of management and governance committees (where applicable). Finally, the limit setting process itself and level of limit utilisation are important factors to be looked at.
Credit risk:
While this may not apply in certain products, it is essential that any credit risk pertaining to customers and counterparties is monitored and captured. In case of derivative instruments, a reasonable measure needs to be devised to convert notional exposure to measurable credit risk metric.
5. Regulatory reporting:
Regulatory reporting requirements for organisations trading in equity shares (companies) are not significant. However, they are significant for a bank, insurance or an NBFC which trades more in fixed income or foreign exchange products.
Sustainability of reporting process including adequacy of staff, timeliness of reporting and accuracy of reporting tend to important from a regulatory reporting standpoint. Sustainability can be achieved by adequate trained back-up staff. Timeliness needs to be monitored by use of calendars and reporting checklists. Accuracy needs to be evaluated carefully. For automated reports the logic of items captured for reporting needs to be evaluated. For manually prepared reports, experience of staff and adequacy of documented procedures becomes important.
6. Technology and continuity:
Technology or systems are the back bone of trading environment. While system development, vendor support, etc. may be linked to an audit of trading activity, strictly this may not fall in a routine review of trading activities. Instead, robustness of systems, stability, capacity, security, access controls and reconciliations assume more importance in trading. The first three aspects may be investigated along with help of technology department by use of technical reports.
System security and access controls go a long way in avoiding unauthorised access and trading frauds. A regular review of access privileges (both at system and database end) is a must. Care should be taken to verify if access controls have not been ‘cleaned’ only for the purpose of a specific audit.
Trading environment usually comprises of a number of systems. Trade flow between systems and reconciliation controls to ensure that all systems have correctly captured information need a close review. A few frauds could have been avoided if this detective control would have worked correctly.
Business continuity planning helps manage disruptions. Auditors should consider evaluation of business continuity testing conducted and ability of trading activity to resume business in various critical scenarios.
7. Oversight and governance routines by management:
Finally, the management oversight routines and governance routines form the next line of security for an organisation. Senior management reviews over performance of the trading activity is important. Performance review should not be confined to profitability — but should include how well the desk manages risks and adheres to internal guidelines. In larger organisations, governance groups like asset liability committees (ALCO) are formed. It is important to evaluate the substance of their review through MIS.
Trading environments continue to become more complex with increasing number of products. This area also witnesses more and more sophisticated techniques for frauds. Internal audits in these areas go a long way in safeguarding an organisation’s assets.
Some well-known incidents which led to large trading losses in history with reasons:
