Reduce Cost of Monitoring

Increased focus on financial reporting has changed the way Internal Audit is being done nowadays. Hence, risk consulting firms like PWC and protiviti consulting have suggested adopting a balanced approach to Internal Audit, i.e. balancing the Internal Audit between Risk & Control Assessment focus and Business Performance Assessment focus so that Internal Audit resources are allocated appropriately between value protection and value enhancement objectives of the Internal Audit.

However question arises: Are these two focus or objectives, means to a same end? If so, do resources allocation between these would be amounting to duplication? Instead of a balancing act, I am in favour of hybrid approach just as a strategy to corroborate and substantiate various internal control/ risk assertions. Mind well, your cost of monitoring and cost of SOX or SARBOX compliance efforts are mainly driven by the kind of Risk Assessment you do and thus Control Activities you define within your business processes.

Many Internal Auditors who adopt risk based audit use following logic to reduce their monitoring cost. When they place higher reliance on Effectiveness of controls whether based on their subjective judgment or on basis of some kind of risk scoring, they reduce extent of testing Existence of control. Lesser the net risk score, lower it will be in the priority list. If we apply this logic in a situation where Internal Auditor has designed the controls, he will rely on Effectiveness of controls more and thus extent of testing Existence will be less. When the Management designs controls, IA test controls to provide assurance to the Management of its Existence and Effectiveness.

Now many would see a contradiction here and they may like to question as to how Existence of control is connected to its Effectiveness of control. Mind well, whether a control is Effective or not Effective, if a control exists on the list (List of Primary Controls), they have to be tested for its Existence to reduce the Audit Risk. In other words, there is no connection.

Now let's again turn to the main topic as to how we can reduce the cost of monitoring and achieve various objective of IA within available time and budget.

More we under rely controls, our strategy will be for deploying more procedures and will entail more cost. If we over rely controls to reduce our costs, we are responsible for not exercising appropriate diligence. Controls and Risks are affected by the type of industry, location, volume of business, type and value of assets, segregation of duties, past performance and efficiency of risk or process owners, etc. These controls and risk are owned by the Business Managers and they can influence the Effectiveness and Existence of controls.

Management Accounting concept used in designing a Performance Measurement System suggests that one should not be made responsible for inefficiencies of others. Clearly, Internal Audit is made responsible for the higher costs of audit when controls are ineffective or not complied with due to delinquent Business Managers.

Second problem within the Industry is testing Existence entails more cost than testing Effectiveness assertion of Internal Control. However, introduction of technology have solved this problem to some extent, bigger leaps are still to be taken.

So how would we reduce cost of monitoring while achieving appropriate level of deterrence for ensuring compliance and how we can free up IA resources for extending IA program to other non attended priorities? How inefficiency of Business Managers which increases IA cost be reduced or taken care of.

Many have adopted balance scorecard incorporating control objectives with its framework but in reality this management method is just diversifying the risk of the business managers who may have personal objectives that may not be in sync with the business objectives. An another management method named Control Self Assessment proving to be an exercise which is just enhancing controlling skills of a business managers instead of helping them achieve the business objectives in an optimum way.

We are suggesting below an Innovative Method which is proposed to reduce the cost of monitoring while keeping the deterrence level among the auditees and assurance provided to the management at the same level. This will make the business managers more business oriented who will then serve the business as a separate business unit and their performance and efficiency will measured as if they are an outside professional service provider.

Monitoring cost mainly depends on no. of transactions (sources of risk) to be tested and frequency of testing to provide the required level of comfort or assurance to the management.

IA determines a control liability score on basis of no. of non-compliant sources found. Say if IA founds 1 unauthorized credit note, it will give a score (-1). Thus when 10 credit notes are found unauthorized, it will give a control liability score (-)10 to the process owner concerned.

These scores may be connected to KPI of the process owner under his due knowledge which may create required level of deterrence. Unit Score may differ based on the type of risk or transaction to produce desired deterrence or incentive to comply with the controls. The entire score system may be designed by the top management or audit committee.

How new method will work:

We will take retail industry example. Say there are 5 SKUs in a period which should be correctly coded and approved by the Warehouse Manager. Assume that IA imposes control liability score of (-)10 upon the Warehouse Manager for each incorrect coding or non- approval.

Let's say, there are 2 of the 5 SKUs not coded correctly and checked. The IA could choose to iteratively test all the SKU sheets to inspect each for the appropriate authorization and coding; given that 2 are incorrectly coded, it would assess total control liability score of (-)20, if IA were to do a 100 % testing.

Instead, under our proposed method, the IA could randomly select fewer samples to determine control liability score and apply that outcome to determine control liability score for all 5 SKUs.

If the IA randomly selected 1 SKU as a sample and found it be with incorrect coding, the auditee would bear total control liability score of (-) 50. And, if the selected SKU is correctly coded, then auditee would bear a control liability score 0(Zero). Notably, using this approach, the process owner would be subjected to the same aggregate expected control liability score of (-) 20. 40% probability of (-) 50 and 60% probability of 0 of total control liability score. Thus even testing 1 SKU, IA can generate the same level of deterrence for the process owner. Similarly, whether you test two or three or four or all the five, control liability would remain same when you apply average result of the sample so tested to the entire population.

Sample Size One
Probability of sample selected with risk present: 2/5 = 0. 4
Probability of sample selected without risk present: 3/5 = 0.6
Control Liability Score: 2/5*(-50)+3/5*(0)= -20

Sample Size Two
Probability of both samples selected with risk present: 2/5*1/4 = 0.1
Probability of one sample with risk present: 2/5*3/4 + 3/5*2/4 = 0.6
Probability of samples without risk present: 3/5*2/4 = 0.3
Control Liability Score: 0.1*(-50)+0.6*(-25)+0.3*(0)= -20

Sample Size Three
Probability of two samples selected with risk present: 2/5*1/4*1+2/4*3/4*1/3+3/5*2/4*1/3 = 0.3
Probability of one sample with risk present: 2/5*3/4*2/3 + 3/5*2/4*2/3+ 3/5*2/4*2/3 = 0.6
Probability of samples without risk present: 3/5*2/4*1/3 = 0.1
Ctrl Liability Score:0.3*(-33.33)+0.6*(-16.67)+0.3*(0) = -20

Thus whatever may be the sample size 1 or 1000, the final control liability score will remain same.

Size of sample may be determined based plan approved by the management or the audit committee to ensure adequate assurance within the available time and budget. The size of sample can be negotiated between the parties concerned before the audit period.

The method will also reduce the frequency of audit or monitoring as well. However, the method should only be applied for past transactions and not for prospective transactions. This method will reduce cost of testing Existence of Control so that IA can deploy resources freed up to other compelling IA priorities.

Remember, in real life scenario, the auditor may not know the exact no. of non-complied risk sources within a risk population but size of risk source population, sample size and degree of control liability score for the type of control risk would determine the action, discipline and efficiency of the concerned process owner even before the start of the audit. The method provides adequate incentive to the process owners to remain complied while optimizing the business results to be achieved. They should be trained with various risk reduction techniques to reduce their control liability score and optimize the business results. Thus IA can become proactive in coaching the process owners with controlling skills as well as help them improve the business performance.

The control liability scores should reflect the kind of assurance required and facilitate achievement of business objectives. The scores have to evolve for each industry or type of business or transaction so that they can be benchmarked across the industry or the business segments appropriately.

This new concept is at the idea incubation stage and thus any suggestion or critical comments are welcome from the IA community and members of management around the globe interested in reducing the cost of monitoring or SOX / J-SOX / Clause 49 Compliance while achieving increased value addition.

If you have any confusion with the new method suggested, let me know how you are positioned looking at the SERMON cartoon below.

Subprime Crisis & Microfinancing in India

The sub prime crisis is definitely a credit market problem, first and foremost and thus it's advised that people remain long in equities. The root cause of sub prime crises is conjuring trick of structured finance mismanagement, which basically makes bad credit look like good credits. Credit risk is now being repriced throughout the system, impacting greatly the borrowing cost for ordinary consumers and companies in those countries, where the sub prime structured finance crisis has hit. However, the downside is incidentally greater on credits for people who own credit instruments and equities.

The problem with sub-prime crisis was not structured finance instruments per se, but the way these securities were not tracked, not properly rated, not properly analyzed etc. in short, were mismanaged. In sub-prime lending the institutions that granted these loans promptly sold them on the securitization process to other institutions, which sold them on to others, and so on again and again. Those who suffered losses were the ultimate holders. There were so many of them, all over the world, that no one knows where the losses were being borne.

The recent sub-prime crisis is good example of mess created by mismanaging the structured finance instruments and one can draw a few lessons from this crisis so as to exercise caution as far as the microfinance industry in India is concerned.

Looking at the demand, broad basing the reach of financial services to the people falling in the low income category, help them invest in and benefit from their skill sets is a need of the hour. The intentions might sound quite philanthropic however microfinance is turning out to be a profitable market for commercial banks which is quite evident from their presence in this area.

As commercial banks entering this market do not have the infrastructure to ensure the last mile connectivity and have to rely heavily of microfinance institutions (MFI). The MFIs who were grant based organizations have begun to graduate from it to capital based organizations. Equity and Securitization came forth as good methods of sourcing capital for these microfinance initiatives.

MFIs have incentive of freeing up more capital and expanding their reach by selling of the portfolio and transferring the risk to the investor. Although defaults clauses exist in the securitization deal, but as the securities change multiple hands the situation would not be much different compared to the current sub-prime crisis.

The securitization of loans in India is covered by a number of rigorous guidelines. The fact that the sub-prime bust originated in securitized loans should not induce further restrictions on this. It is a useful innovation and the RBI rules should take care not to scare it away totally.

Securitization is a good tool to be carefully used. Let not the RBI make the rules too strict. It is more important to ensure that the originator of the loan practices the appropriate procedures of lending, having adequate security and monitoring of repayments in time.

Microfinance requires new and innovative products to ensure greater reach to further encourage more sophisticated financial instruments to participate in the microfinance market. Taking the stock of current and future developments, regulation of microfinance becomes important. Rating of MFIs, structured securities, regulating secondary market for structured securities would be good precautionary steps.

Structured Finance Explained

Let's assume a farm equipment manufacturing corporation has some of its sales for cash, but the bulk of its sales are from installment sales contract. Effectively, an installment sale contract is a loan to the buyer of the farm equipment. The loan specifies an interest rate that buyer pays. The credit department of Farm Equipment Corporation makes decision as to whether or not to extend credit to a customer. That is, the credit department will receive a credit application from a customer and, based on criteria establish by the firm, will decide on whether to extend loan and the amount. The criteria for extending credit or a loan are referred to as underwriting standards.

As Farm Equipment Corporation is extending the loan, it is referred to as the originator the loan. Moreover, Farm Equipment Corporation has one more department that is responsible for servicing the loan. Servicing involve collecting payment from borrowers, notifying borrowers who may be delinquents and, when necessary recovering and disposing of the collateral (i.e. farm equipment in our illustration) if borrower do not make loan repayments by the specified time. While the servicer of the loans need not be the originator of the loan, in our illustration, Farm Equipment Corporation is both originator and servicer.

Now suppose Farm Equipment Corporation has more than Rs. 200 Million of installment sales contract shown on its balance sheet as an asset. Now, when Farm Equipment Corporation wants to raise Rs 200 Million it can raise the fund with structured financing rather than issuing corporate bonds for Rs 200 Million.

To do so, the Farm Equipment Corporation will set up a legal entity known as SPV. Farm Equipment Corporation will then sell the Rs 200 Million loan to the SPV for cash. But where does SPV will get Rs. 200 Million to pay to Farm Equipment Corporation? It obtains the funds by selling the securities that are backed up by these Rs 200 Million loans. These securities are called asset backed securities or bond classes that are issued in a structured finance transaction.

Looking at the credit risk, role of the rating agency or a risk consulting firm will be to focus on:

Credit Quality of Collateral as determined by the asset type, borrowers' ability to pay the loan and the borrower's equity in the asset. Currently micro finance in India is mainly without adequate collaterals. Credit rating will also need to see experience of the originator of the underlying loans and to see if the loans have the same characteristic in which the originator has experience in. Rating agency will assess the nature of underwriting standards vis-à-vis historical default rate. It will also monitor default rates over time to determine whether there is improvement or deterioration in the underwriting standards.

The quality of loan servicing: The agency will look at recovery rates along with default rates which determine the ultimate loss rate. This is a high reputation risk area for many banks as recovery is being done using a goon's protection money asking approach.

Cash flow stress and payment structure: Credit rating agency will also look for stress on cash flows for both the originator and the borrower and rationalization of payment structure to gauge the credit risk. Lot of scope exists for innovation in this area which is possible through various public and private extension services.