Internal Control Issues in Derivatives Usage


Executive Summary

Problems surrounding the use of derivatives in recent years often revolved around difficulty in understanding their risks and their use for risk management purposes. These problems highlight the need for management to develop internal control systems for derivative activities.

The COSO report, Internal Control--Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission in 1992, is becoming a widely accepted basis for developing business control systems and assessing their effectiveness. This information tool was developed to help end-users of derivative products establish, assess, and improve internal control systems using the COSO Framework. Many of the control considerations discussed are also applicable to financial instruments other than derivatives.

This Executive Summary provides senior management and boards of directors with an overview of how the COSO Framework might be applied to risk management activities involving the use of derivatives. It can be used to help management design control processes, especially by providing direction for formulation of risk management policies. It also provides insights that enable those charged with oversight responsibilities to constructively examine existing policies and procedures. This information is augmented by the following supplements.

Supplement 1 -- Formulating Policies Governing Derivatives Used for Risk Management

Describes the process of developing a policy governing derivatives use in the context of the overall risk management policy of an entity. It recognizes that risk management policies encompass all aspects of control. It also recognizes the importance of establishing clear and carefully written policies to avoid confusion and miscommunication, and provides examples of various aspects of a risk management policy for derivatives. This supplement can be used as a reference to formalize such a policy.

Supplement 2 -- Illustrative Control Procedures Reference Tool

Provides examples of controls over derivative activities associated with each of the five components of control specified in the COSO Framework. It can be used as a reference for establishing, assessing, and improving controls relating to derivative activities, and can be useful for selecting controls considered to be appropriate in particular circumstances.

Overview of Derivatives and Their Environment

Derivatives are financial contracts that derive their value from the performance of underlying assets (such as a stock, bond, or physical commodity), interest or currency exchange rates, or a variety of indices (such as a composite stock index like the Standard & Poor's [S&P] 500).

Derivatives include a wide assortment of financial contracts, including swaps, futures, forwards, options, caps, floors, and collars, whose values are determined by defined formulas applied to notional amounts (hypothetical reference amounts). Derivatives can also include certain assets and liabilities whose value and cash flows are directly determined by an underlying instrument or index, such as collateralized mortgage obligations, interest-only and principal-only certificates, and structured notes. Other types of derivatives include contracts traded on organized exchanges, which are standardized by regulation, as well as contracts traded in unregulated over-the-counter (OTC) markets, including individually tailored contracts negotiated between two parties for a specific purpose. A more detailed overview of various types of derivatives is included in Appendix A.

Risks associated with derivatives include market, credit, and liquidity risk, as well as various other risks, described more fully in Appendix A. In addition to these technical risks, there is the fundamental risk that the use of these products may not be consistent with entity-wide objectives. Derivative use is sometimes misunderstood because, depending on the type of instrument and its terms, an instrument may be used to increase, modify, or decrease risk. As contract features increase in complexity, the value and effectiveness of a derivative in achieving objectives may become more difficult to ascertain before such positions are closed out or settled for cash. Derivative products and activities must be well understood in order for control systems to provide adequate assurance that derivatives use will support achievement of entity-wide strategies and objectives.

Utilizing the COSO Framework Control Principles in Derivatives Management

This document relates each of the five components of control specified in the COSO Framework to derivatives, focusing primarily on derivatives that are used for risk management purposes. An environment that provides for appropriate control over derivative activities generally has certain characteristics.

The Control Environment consists of the integrity, ethical values, and competence of the entity's personnel, as well as management's philosophy and operating style. An active and effective board of directors should provide oversight. It should recognize that the "tone at the top" and the attitude toward controlling risk affect the nature and extent of derivative activities. The board should review management's planned decisions regarding the appropriateness and effectiveness of derivative strategies and positions. For example, the board should probe for explanations of past results to determine that derivative activities are effective in accomplishing objectives for which they were used. The audit committee should work with internal and external auditors to oversee implementation of risk management policies, procedures, and limits.

Senior management should recognize that its philosophy and operating style have a pervasive effect on an entity. For this reason, senior managers should understand their control responsibilities, authorize use of derivatives only after risks and expected benefits have been carefully analyzed, and clearly communicate objectives and expectations for derivative activities. Senior managers should make a conscious decision about the extent of authority over derivatives delegated to management. Management should have the competence needed to understand derivative activities. Employees involved in such activities should possess the necessary skills and experience. The training process should develop and improve specific skills relating to responsibilities and expectations about derivative activities.

Risk Assessment is the identification and analysis of risks relevant to achieving objectives that form a basis for determining how risks should be managed. From a risk management perspective, entity-wide objectives relating to the use of derivatives should be consistent with risk management objectives. Mechanisms should exist for the identification and assessment of business risks relevant to the entity's unique circumstances. Use of derivatives should be based on a careful assessment of such business risks.

Management should clearly link benefits of and support for derivative use with entity-wide objectives. Management also should obtain an understanding of personnel, management operating systems, valuation methodologies and assumptions, and documentation as a foundation for identifying and assessing the capability to manage risk exposures associated with derivative activities. Management should provide specific measurement criteria for achieving derivative activities objectives, such as value at risk. Risk analysis processes for derivative activities should include identifying risk, estimating its significance, and assessing the likelihood of its occurrence.

Control Activities are the policies and procedures to help ensure that management directives are carried out. Policies governing derivative use should be clearly defined and communicated throughout the organization. The risk management policy should include procedures for identifying, measuring, assessing, and limiting business risks as the foundation for using derivatives for risk management purposes. Aspects of the risk management policy for derivatives should include controls relating to managerial oversight and responsibilities; the nature and extent of derivative activities, including limitations on their use; and reporting processes and operational controls. The policy should provide for monitoring exposures against limits, and for the timely and accurate transmission of positions to the risk measurement systems. It also should provide for evaluation of controls within management information systems, including the evaluation of resources provided to maintain the integrity of the risk measurement system.

Information and Communication focuses on the nature and quality of information needed for effective control, the systems used to develop such information, and the reports necessary to communicate it effectively. Communications should ensure that duties and control responsibilities relating to derivative activities are understood across the organization. Adequate systems for data capture, processing, settlement, and management reporting should exist so that derivative transactions are conducted in an orderly and efficient manner. Mechanisms should be in place to obtain and communicate relevant information covering derivative activities. Directors and senior management should obtain sufficient and timely information to monitor achievement of objectives and strategies for using derivative instruments.

Monitoring is the component that assesses the quality and effectiveness of the system's performance over time. Control systems relating to derivative activities should be monitored to ensure the integrity of system-generated reports. The organizational structure should include an independent monitoring function over derivatives, providing senior management with an understanding of the risks of derivative activities, validating results, and assessing compliance with established policies.

Applying the COSO Framework Control Principles to Derivatives

This tool recognizes that the nature and extent of derivatives use are frequently embedded in the overall risk management processes of an organization. Such processes, as they relate to the use of derivatives for risk management purposes, should generally involve the following:

  1. Understanding operations and entity-wide objectives.
  2. Identifying, measuring, assessing, and modifying business risk.
  3. Evaluating the use of derivatives to control market risk and linking use to entity-wide and activity-level objectives.
  4. Defining risk management activities and terms relating to derivatives to provide a clear understanding of their intended use.
  5. Assessing the appropriateness of specified activities and strategies relating to the use of derivatives.
  6. Establishing procedures for obtaining and communicating information and analyzing and monitoring risk management activities and their results.

Management may consider evaluating the appropriateness of the risk management processes governing derivatives against each of the five components of control specified in the COSO Framework.

Policies that document the risk management processes and provide for the use of derivatives should be carefully constructed to recognize that risk management means different things to different people. Precise reasons for using derivatives are not always apparent, and risk relating to certain activities and uses may be interpreted differently. Since there are no standard definitions of what risk management activities entail, appropriate control means that entities must use very specific language to describe expectations for using derivatives for risk management purposes. Policies should identify objectives and expected results, clearly define terms and limits, and identify and classify activities and strategies that are permitted, prohibited, or require specific approval.

Roles and Responsibilities

Informed, involved senior-level governance is needed to ensure that risk management systems are in place and functioning as anticipated. The board of directors, its audit committee, and senior management have roles that represent critical checks and balances in the overall risk management system.

Board responsibilities--The board of directors is responsible for overseeing the business of the entity, including its policies for managing risk and using derivatives. Monitoring and other day-to-day operations of the entity, on the other hand, are the responsibility of senior management. The policy direction provided by the board is important in determining the nature and extent of the use of derivatives. The board of directors provides oversight, reviews and approves the broad objectives to be accomplished, and provides specific delegation of responsibility and authority. It typically authorizes and approves management's strategies, operating plans, and policies for accomplishing objectives. This approval helps to ensure that activity-level objectives are consistent with broad entity-level objectives.

The board of directors and senior management should carefully consider the resources required to use derivatives effectively. They should ensure that policies require employment of competent professionals to carry out risk management activities and strategies in accordance with the entity's risk management policy, and that such policy defines when reliance on outside advisors is appropriate. Further, compensation policies should be structured in a way that avoids incentives for excessive risk taking. The board should make a conscious decision about the amount of discretion that managers have in using derivatives.

Audit committee responsibilities--The audit committee should understand the scope of internal and external audit testing of compliance with approved risk management policies, procedures, and limits and become comfortable that such controls appear to be functioning as intended. The audit committee also should be alert to the risk that such controls could be circumvented.

CEO responsibilities--The CEO has overall responsibility for formulating derivatives policy and generally should be assisted in developing the policy and monitoring compliance by senior management who are not part of the day-to-day or derivatives management process. Senior management should formulate and implement approved policies, controls, and limits to ensure that the risks of derivative activities and the manner in which they are conducted are in accordance with the board's authorization.

CFO responsibilities--The CFO also should be active in formulating the entity's derivatives policy and overseeing its implementation.

Controller responsibilities--The controller is responsible for establishing the appropriate accounting treatment for all derivative activities. The corporate controller's department, not the individual business unit, should develop and document the accounting policies for derivatives. The corporate controller's department or other appropriate department independent of the business unit should also take an active role in applying the policies by assuming responsibility for documenting, assessing, and measuring compliance with appropriate accounting criteria.

Business unit responsibilities--The business unit is responsible for recommending, approving, and executing risk management strategies. Segregating transaction initiation by the business unit from transaction review by the corporate controller or other appropriate independent department helps establish the necessary control over adherence to the entity's derivative policies and objectives.

What to Do

Actions that might be taken to better understand or apply the COSO Framework to derivatives will depend on the position and role of the parties involved. A board of directors, senior management, and others involved with derivatives may consider a number of actions, including:

  1. Initiating a self-assessment of entity-wide control systems, directing attention specifically to areas of derivative operations that are of primary importance.
  2. Fully integrating management of derivative activities into the enterprise's overall risk management system by developing and implementing a comprehensive risk management policy.
  3. Ensuring that policy objectives specifying the use of derivatives are clearly articulated and documented.
  4. Requiring that any use of derivatives be clearly linked with entity-wide and activity-level objectives.

Derivatives will continue to be an important business tool for carrying out an entity's risk management activities. Their significance is expected to increase with the development of new products and techniques that refine and improve the ability to achieve risk management and other objectives. Adequate understanding of the nature and risks of derivatives is essential to using these tools prudently. Improved awareness of how specific instruments behave under varying market conditions can only produce better-informed management decision making. Effective control is critical to any well-managed derivative operation. Control systems serve as the infrastructure for accomplishing entity-wide objectives. Applying the COSO Framework can help ensure that the use of derivatives is carefully integrated into the overall organizational control system and that unforeseen and undesirable outcomes are minimized.

Purchasing Information

COSO publications are available through the American Institute of Certified Public Accountants (www.aicpa.org). For further information about COSO products or to order, contact AICPA at 888-777-7077 or visit the CPA2BIZ Web site.

Internal Control Issues in Derivatives Usage--An Information Tool, Product number 990010
Internal Control--Integrated Framework, 2 Vols., Product number 99009