Inherent and control risks of derivatives, hedging and securities investments: a primer.

Auditing Derivative Instruments, Hedging Activities and Investments in Securities (SAS No. 92) is chock-full of information and guidance for today's auditors looking to plan and perform auditing procedures for assertions in these three areas. This article focuses particularly on how auditors can assess -- and manage -- inherent and control risks.

Introduction

As its name suggests, the Auditing Standards Board's (ASB's) Auditing Derivative Instruments, Hedging Activities and Investments in Securities helps auditors plan and perform auditing procedures for assertions about derivative instruments, hedging activities and investments in securities made in an entity's financial statements. The information and guidance included in SAS (Statement on Auditing Standards) No. 92 apply to derivative instruments of all entities -- including certain derivative instruments embedded in other contracts or agreements. *

For purposes of applying SAS No. 92, a derivative is a financial instrument or other contract containing all of the following characteristics:

* It has: (a) one or more underlyings and (b) one or more notional amounts, payment provisions or both. Those terms determine the amount of the settlement(s) and, in some cases, whether or not a settlement is required.

* It requires no initial net investment, or a smaller investment than would be required for other types of contracts expected to have a similar response to changes in market factors.

* Its terms require or permit net settlement, it can readily be settled net by a means outside the contract, or it provides for delivery of an asset that puts the recipient in a position not substantially different from net settlement.

According to the ASB, an entity may enter into a derivative for investment purposes. Or, it may designate a derivative as a hedge of exposure to: (a) changes in fair value (referred to as a fair value hedge); (b) variable cash flows (referred to as a cash flow hedge); or, (c) foreign currency. SAS No. 92 applies to hedging activities in which the entity designates a derivative (or non-derivative) financial instrument as a hedge of exposure for which SFAS (Statement of Financial Accounting Standards) No. 133 permits hedge accounting.

SAS No. 92 applies to all debt and equity securities as defined in SFAS No. 115, Accounting for Certain Investments in Debt and Equity Securities -- whether or not these securities are subject to the accounting requirements of that document For example, it applies to assertions about securities accounted for under the equity method following the requirements of Accounting Principles Board (APB) Opinion No. 18, The Equity Method of Accounting for Investments in Common Stock.

You May Need Special Skills or Knowledge

The assertions addressed in SAS No. 92 are classified into the five broad categories discussed in SAS No. 31, Evidential Matter: 1) existence or occurrence; 2) completeness; 3) rights and obligations; 4) valuation and allocation; and, 5) presentation and disclosure. According to SAS No. 92, auditors may need special skills or knowledge to plan and perform auditing procedures for certain assertions about derivatives and securities in these areas. For example, it would help if they had a good understanding of:

* Computer applications. This can help auditors understand an entity's information system for derivatives and securities (including services provided by a service organization) -- particularly when significant information is transmitted, processed, maintained or accessed electronically.

* Typical Operating Characteristics of Client's Industry. This can help auditors identify the controls placed in operation by a service organization that provides services to an entity that are part of the entity's information system for derivatives and securities.

* Generally Accepted Accounting Principles (GAAP). Because of the complexity of GAAP -- and many derivatives themselves -- auditors will need to have special knowledge to be able to evaluate the derivative's measurement and disclosure so they conform with GAAP. For example, features embedded in contracts or agreements may require separate accounting as a derivative, while complex pricing structures may make assumptions used in estimating the derivative's fair value more complex, too.

* Valuation Concepts. This can help auditors understand how to determinate the fair values of derivatives and securities -- including the appropriateness of various types of valuation models, and the reasonableness of key factors and assumptions.

* Risk and Asset/Liability Management. Understanding general risk management concepts and typical asset/liability management strategies can help auditors assess inherent and control risks for assertions about derivatives used in hedging activities.

Where To Turn for Assistance. According to SAS No. 92, auditors may want to seek the assistance of employees of the auditor's firm, or others outside the firm, to access the special skills or knowledge they might need. SAS No. 22, Planning and Supervision, provides guidance on using individuals as members of the audit team, and who can help the auditor plan and perform auditing procedures. The auditor may also choose to use a specialist as evidential matter -- SAS No. 73, Using the Work of a Specialist, provides guidance in this area.

Audit Risk and Materiality

Auditors are required to design procedures that can obtain reasonable assurance of detecting misstatements of assertions about derivatives and securities. They are particularly looking for those misstatements that, when combined with other misstatements or assertions, could cause financial statements as a whole to be materially misstated. When designing such procedures, auditors should consider the inherent and control risks for those assertions. The auditor should also consider the work performed by the entity's internal auditors.

SAS No. 47, Audit Risk and Materiality in Conducting an Audit, can help auditors evaluate audit risk and materiality when planning and performing an audit of financial statements m accordance with generally accepted auditing standards (GAAS). SAS No. 65, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, can help them consider the work performed by internal auditors.

Assessing Inherent Risk Means Looking for Material Misstatements

According to the ASB, the inherent risk for an assertion about a derivative or security is its susceptibility to a material misstatement (assuming there are no related controls). SAS No. 92 gives several examples of considerations that might affect the auditor's assessment of inherent risk. These include:

* Management's objectives

* The complexity of the derivative's or security's features

* Whether the transaction that gave rise to the derivative or security involved the exchange of cash

* The entity's experience with the derivative or security

* Whether a derivative is freestanding or an embedded feature of an agreement

* Whether external factors, such as risks factors, affect the assertion (i.e., credit, market, basis or legal risks)

* The evolving nature of derivatives and applicable Generally Accepted Accounting Principles

* Significant reliance on outside parties; and

* Whether GAAP requires developing assumptions about future conditions.

Assessing Control Risk Means Understanding Internal Control

SAS No. 55, Consideration of Internal Control in a Financial Statement Audit (as amended by SAS No. 78, Consideration of Internal Control in a Financial Statement Audit: An Amendment to Statement on Auditing Standards No. 55) requires auditors to understand internal control. This, in turn, enables them to:

* Identify potential misstatements of assertions

* Consider factors that affect the risk that misstatements will be material to the financial statements; and

* Design substantive tests.

As mentioned above, management's s objectives can play a significant role in helping auditors assess inherent risk. To achieve its goals in areas such as financial reporting, operations and compliance, an entity's management may implement a variety of controls; this is particularly true of entities with extensive derivatives transactions. For example, management may call for:

* Control staff monitoring that is fully independent of derivatives activities

* Derivatives personnel to obtain (prior to exceeding limits) at least oral approval from members of senior management who are independent of derivatives activities

* Senior management to properly address limit excesses and divergences from approved derivatives strategies

* Accurate transmittal of derivatives positions to risk measurement systems

* Appropriate reconciliations to ensure data integrity across the full range of derivatives, including any new or existing derivatives that may be monitored apart from the main processing networks

* Derivatives traders, risk managers and senior management to define constraints on derivatives activities and justify identified excesses

* Senior management; an independent group or an individual that management designates, to perform a regular review of identified controls and financial results of derivatives activities. This will help determine whether controls are being effectively implemented, and that the entity's business objectives and strategies are being achieved; and

* Review of limits in the context of changes in strategy, the entity's risk tolerance and market conditions.