Reading time: 12 – 19 minutes
Return to “Finding a safe stockbroker”
Return to “Is your investment advisor honest?”
Wikipedia (Feb 2010) defines internal control as follows:
- In accounting and auditing, internal control is defined as a process effected by an organization’s structure, work and authority flows, people and management information systems, designed to help the organization accomplish specific goals or objectives.
- It is a means by which an organization’s resources are directed, monitored, and measured.
- It plays an important role in preventing and detecting fraud and protecting the organization’s resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks).
The principles of internal control have been known for centuries
- At the organizational level, internal control objectives relate to the reliability of financial reporting, timely feedback on the achievement of operational or strategic goals, and compliance with laws and regulations.
- At the specific transaction level, internal control refers to the actions taken to achieve a specific objective (e.g., how to ensure the organization’s payments to third parties are for valid services rendered.)
- Internal control procedures reduce process variation, leading to more predictable outcomes.
President Bush on signing the Sarbanes-Oxley Act of 2002.
- Internal control is a key element of the Foreign Corrupt Practices Act (FCPA) of 1977 and the Sarbanes–Oxley Act of 2002, which required improvements in internal control in United States public corporations. Internal controls within business entities are also referred to as operational controls.
In this article, I discuss certain aspects of internal control that are particularly important to customers of broker-dealers with regard to the safety of their assets held in custody.
Lessons from Barings Bank
In 1995, Barings Bank, the oldest merchant bank in London, suddenly collapsed — the result of $1.3 billion in trading losses incurred by Nick Leeson, a derivatives trader in the bank’s Singapore office.
Barings Bank logo (1762-1995)
Although the popular press focused attention on the trader, Nick Leeson, the culprits in Barings downfall were company executives, including those at the very top of the organization, that did not understand or overlooked the most basic rule of internal control:
A company employee that has the authority to spend company funds should never have the authority over the accounting entries that reflect such disbursements.
Sir Francis Baring, founder of Barings Bank, was a London financial leader over 240 years ago.
Nick Leeson, the ‘rogue trader’ in question, was convicted and went to jail for his part in Barings downfall.
He was able to commit this fraud because higher management had given him authority not only to authorize trades, but also to control the accounting entries that registered these trades. He also had the authority to deal with the Singapore clearing house on the settlement of these trades and margin requirements.
In fact, this trader was not an evil person — his motive for hiding trading losses started as an attempt to protect another employee who had losses and could be fired.
Leeson believed that his ’superior trading skills’ would enable him to quickly earn back the amount this employee had lost. In the meantime, he falsified the accounting records to hide what he was doing.
Unfortunately, the market went the other way and Leeson’s losses got bigger and bigger, forcing him to use ever more inventive ways to conceal the shortfall.
Société Générale headquarters (Paris), site of one of the greatest failures of internal controls in history.
The villains in the Barings fiasco were the company officials who lacked a fundamental understanding of the basics of internal control — or commitment to these principles.
Some even excused Leeson’s dual authority over spending and accounting as justifiable as a money-saving measure.
None of these officials went to jail, because the principles of internal control are simply not that widely understood and Baring practices of lax controls are, unfortunately, quite common in large investment institutions.
The case of Société Générale
For a similar instance of lax internal controls, we have the Jérôme Kerviel incident:
Jérôme Kerviel, a French trader with Société Générale, was charged in a January 2008 trading loss incident of approximately €4.9 billion.
Société Générale characterized Kerviel as a rogue trader and claimed that Kerviel worked these trades alone, and without its authorization.
Eugène Schneider, Société Générale's first Chairman in 1864.
Kerviel, in turn, told investigators that such practices were widespread and that getting a profit makes the hierarchy turn a blind eye.
Until the discovery of fraud perpetrated by Bernard Madoff, the Kerviel incident was reported to be the largest fraud in banking history.
As in the Barings case, the Société Générale incident was, in fact, a massive failure of internal controls, suggesting the degree to which major financial institutions across the globe are mismanaged.
In both the Barings and Société Générale cases, proprietary trading was involved and speculative profits created a permissive environment is which bank executives ignored elementary principles of internal control.
Expensive controls with no income
Internal control systems are expensive and generate no income. Furthermore, clients of banks and broker-dealers are generally unaware of the importance of internal controls.
Bear Stearns former Headquarters in NYC. No sign of any benefit from Sarbanes-Oxley's focus on internal controls.
Section 404 of the Sarbanes-Oxley Act of 2002 required the US Securities and Exchange Commission to issue regulation regarding internal controls of financial institutions and issuers of securities.
However, the emphasis was mainly on issuers (since Sarbanes-Oxley was the result of the Enron scandal), rather than on custodial liabilities of broker-dealers and investment banks.
Unpopular controls
Securities issuers have protested loudly about the cost of the internal control provisions of Sarbanes-Oxley. The effectiveness of this law is questionable, in view of the collapse of major financial institutions (like Lehman Brothers and Bear Stearns) in the Crash of 2008.
Most internal control practices do not require high-tech solutions, but, instead, rely on simple, rather boring, common sense.
Few, if any, financial institutions make a point of advertising or even explaining the basic techniques of internal control that they do employ.
Advertising 'internal controls' risks putting clients to sleep.
To advertise such practices risks putting investors to sleep.
Furthermore, most financial executives in today’s market, working in the high income divisions of their institutions, have no understanding of internal control. When prudent measures are suggested, immediate income managers are quick to dismiss prudent practices as too expensive or a waste of effort.
A lack of effective controls and management without an understanding of such, was an explanation for the collapse of Barings Bank, Lehman Brothers, and Bear Stearns.
An example of internal controls
At the risk of putting you to sleep, I’ll describe a highly effective internal control systems with which I am quite familiar.
Citibank Branch, Rio de Janeiro, in the 1950s. This is where I learned the basics of internal controls.
In the 1950s, First National City Bank of New York was, arguably, among the best managed, most respected banks in the world. A large part of its success was the emphasis given to bank operations and internal controls.
The methods of internal control in Citibank in the 1950s included the following:
- An Operations Manual: Every Citibank branch throughout the world had several copies of a thick, clearly written operational manual (called the ‘Bible’). Compliance was closely audited yearly by an international audit team. Failure to observe these norms would effect a manager’s career.
- Rigorous Executive Training: The only route to an executive position in Citibank in those years was through a two-year management training program that was open to selected recent college graduates. The focus of this program was knowledge of internal control and bank operations. Trainees were required to write reports describing the operational routines of every bank department, from the mail room to the credit department. Trainees usually had a stint with the international audit team, further reinforcing knowledge of prudent controls.
- Modest Executive Salaries, without Bonuses: Management salaries in Citibank in the 1950s were modest compared to today. There were no bonuses. Careers were helped by being a ‘team player’, showing technical competence, and respect for internal controls. Executives spoke of ‘not losing the depositor’s money’, rather than increasing shareholder profits.
- Rigorous assignment of responsibility: Employees of Citibank in the 1950s knew exactly who was responsible for what. There was no ambiguity. If something went wrong, it would always be possible to precisely assign blame. For example, trainees learning internal auditing techniques were taught that when auditing a teller, when a teller asks to go to the bathroom, the auditor must exit the teller cage so that there would be no ambiguity as to who was responsible for the money in the cage.
The concept of 'Chinese walls' is used in systems of internal control.
- Strict separation of authority from accounting: This, perhaps, is the most important element of internal control. Employees and executives with authority to spend money or legally commit the firm must never have authority over accounting for such acts, or any access to the accounting process. Furthermore, systems must be in place to assure that such acts are actually registered immediately, promptly and accurately posted to the accounting system, and regularly audited. Barings Bank collapsed precisely for violating this basic rule. Today’s loosely controlled proprietary trading desks, operating on unregulated, over-the-counter derivative markets, were a major element in the Crash of 2008 and contributed to the difficulties of Lehman Brothers, Bear Stearns, AIG, and many other institutions.
- Daily closing of accounts and effective, aggressive internal audits: The books of financial institutions must be balanced every day. Postings to pending or transit accounts must be used with extreme caution and carefully audited. In the 1950s, Citibank internal auditors fully inspected, in detail, all accounts, adopting a forensic approach. There was a complete internal audit at least once a year, and auditors reported only to the highest levels of the bank, far above the level of he ordinary bank manager or vice president. In addition to the roving team of internal auditors, each branch had its own in-house auditors. Defalcations that passed undetected for long were rare.
- Tough rules to reinforce internal security: Many of Citibank rules of internal control of the 1950s have been abandoned or relaxed by today’s financial institutions, including Citibank itself. For example, (1) An officer who left the bank was never rehired; (2) Executives were never recruited from other banks; (3) All employees were prohibited from having a bank account with the bank (another bank had to be used); (4) All employees had to take annual vacations. The philosophy was, “In order to protect all, trust no one.” High ranking bank officers had spent their entire working lives with Citibank and their personal lives, competencies, and weak points were well known to other officers.
Most large broker-dealers and investment banks no longer have internal controls of the rigor of Citibank systems of the mid-20th century.
Judging the quality of internal controls
From the outside, it is difficult, or impossible, for an investor to evaluate the effectiveness of the internal controls of a broker-dealer.
However, there are certain signs and portents that you may take as an indication of possible weak internal controls:
- Proprietary trading: A broker-dealer that actively engages in proprietary trading on a large scale and that pays traders million dollar bonuses, is unlikely to have a culture supportive of strict internal controls.
- Growth by merger: A financial institution that has grown by merging with other institutions and that recruits executives from other firms, is unlikely to have a good system of internal controls.
- Too big to fail: An investment bank that is considered ‘too big to fail’ is probably also ‘too big to manage effectively’ and will have serious problems with internal controls. This is particularly true of organizations that have hundreds of complex derivative products and that are essentially groups of hundreds of firms in many jurisdictions.
Richard Fuld, CEO of Lehman Brothers, received $22 million in remuneration in 2007, a year before the firm declared bankruptcy
- Excessive remuneration Investment banks that pay multi-million dollar salaries and bonuses are unlikely to have a culture that supports the heavy expense and strict rules of effective internal controls. Such remuneration schemes are usually linked to short-term profits, whereas internal controls result in long-term expense for benefits that generally are unappreciated or not understood by customers (until it is too late).
On the other hand, any firm, without the signs of weakness listed above, that takes time to explain and promote its systems of internal controls is at least indicating an interest in the subject and is more likely to have effective controls.
Return to “Finding a safe stockbroker”
Return to “Is your investment advisor honest?”
Add your comments
Please add comments, experiences, and observations that will make this article more useful for readers.
Popular Articles