Auditing Derivative Instruments, Hedging Activities and Investments
in Securities (SAS No. 92) is chock-full of information and guidance for
today's auditors looking to plan and perform auditing procedures
for assertions in these three areas. This article focuses particularly
on how auditors can assess -- and manage -- inherent and control risks.
Introduction
As its name suggests, the Auditing Standards Board's
(ASB's) Auditing Derivative Instruments, Hedging Activities and
Investments in Securities helps auditors plan and perform auditing
procedures for assertions about derivative instruments, hedging
activities and investments in securities made in an entity's
financial statements. The information and guidance included in SAS
(Statement on Auditing Standards) No. 92 apply to derivative instruments
of all entities -- including certain derivative instruments embedded in
other contracts or agreements. *
For purposes of applying SAS No. 92, a derivative is a financial
instrument or other contract containing all of the following
characteristics:
* It has: (a) one or more underlyings and (b) one or more notional
amounts, payment provisions or both. Those terms determine the amount of
the settlement(s) and, in some cases, whether or not a settlement is
required.
* It requires no initial net investment, or a smaller investment
than would be required for other types of contracts expected to have a
similar response to changes in market factors.
* Its terms require or permit net settlement, it can readily be
settled net by a means outside the contract, or it provides for delivery
of an asset that puts the recipient in a position not substantially
different from net settlement.
According to the ASB, an entity may enter into a derivative for
investment purposes. Or, it may designate a derivative as a hedge of
exposure to: (a) changes in fair value (referred to as a fair value
hedge); (b) variable cash flows (referred to as a cash flow hedge); or,
(c) foreign currency. SAS No. 92 applies to hedging activities in which
the entity designates a derivative (or non-derivative) financial
instrument as a hedge of exposure for which SFAS (Statement of Financial
Accounting Standards) No. 133 permits hedge accounting.
SAS No. 92 applies to all debt and equity securities as defined in
SFAS No. 115, Accounting for Certain Investments in Debt and Equity
Securities -- whether or not these securities are subject to the
accounting requirements of that document. For example, it applies to
assertions about securities accounted for under the equity method
following the requirements of Accounting Principles Board (APB) Opinion
No. 18, The Equity Method of Accounting for Investments in Common Stock.
You May Need Special Skills or Knowledge
The assertions addressed in SAS No. 92 are classified into the five
broad categories discussed in SAS No. 31, Evidential Matter: 1)
existence or occurrence; 2) completeness; 3) rights and obligations; 4)
valuation and allocation; and, 5) presentation and disclosure. According
to SAS No. 92, auditors may need special skills or knowledge to plan and
perform auditing procedures for certain assertions about derivatives and
securities in these areas. For example, it would help if they had a good
understanding of:
* Computer applications. This can help auditors understand an
entity's information system for derivatives and securities
(including services provided by a service organization) -- particularly
when significant information is transmitted, processed, maintained or
accessed electronically.
* Typical Operating Characteristics of Client's Industry. This
can help auditors identify the controls placed in operation by a service
organization that provides services to an entity that are part of the
entity's information system for derivatives and securities.
* Generally Accepted Accounting Principles (GAAP). Because of the
complexity of GAAP -- and many derivatives themselves -- auditors will
need to have special knowledge to be able to evaluate the
derivative's measurement and disclosure so they conform with GAAP.
For example, features embedded in contracts or agreements may require
separate accounting as a derivative, while complex pricing structures
may make assumptions used in estimating the derivative's fair value
more complex, too.
* Valuation Concepts. This can help auditors understand how to
determine the fair values of derivatives and securities -- including
the appropriateness of various types of valuation models, and the
reasonableness of key factors and assumptions.
* Risk and Asset/Liability Management. Understanding general risk
management concepts and typical asset/liability management strategies
can help auditors assess inherent and control risks for assertions about
derivatives used in hedging activities.
Where To Turn for Assistance. According to SAS No. 92, auditors may
want to seek the assistance of employees of the auditor's firm, or
others outside the firm, to access the special skills or knowledge they
might need. SAS No. 22, Planning and Supervision, provides guidance on
using individuals who serve as members of the audit team and who can
help the auditor plan and perform auditing procedures. The auditor may
also choose to use a specialist's work as evidential matter -- SAS No.
73, Using the Work of a Specialist, provides guidance in this area.
Audit Risk and Materiality
Auditors are required to design procedures that can obtain
reasonable assurance of detecting misstatements of assertions about
derivatives and securities. They are particularly looking for those
misstatements that, when combined with other misstatements or
assertions, could cause financial statements as a whole to be materially
misstated. When designing such procedures, auditors should consider the
inherent and control risks for those assertions. The auditor should also
consider the work performed by the entity's internal auditors.
SAS No. 47, Audit Risk and Materiality in Conducting an Audit, can
help auditors evaluate audit risk and materiality when planning and
performing an audit of financial statements in accordance with generally
accepted auditing standards (GAAS). SAS No. 65, The Auditor's
Consideration of the Internal Audit Function in an Audit of Financial
Statements, can help them consider the work performed by internal
auditors.
Assessing Inherent Risk Means Looking for Material Misstatements
According to the ASB, the inherent risk for an assertion about a
derivative or security is its susceptibility to a material misstatement
(assuming there are no related controls). SAS No. 92 gives several
examples of considerations that might affect the auditor's
assessment of inherent risk. These include:
* Management's objectives
* The complexity of the derivative's or security's
features
* Whether the transaction that gave rise to the derivative or
security involved the exchange of cash
* The entity's experience with the derivative or security
* Whether a derivative is freestanding or an embedded feature of an
agreement
* Whether external factors, such as risk factors, affect the
assertion (i.e., credit, market, basis or legal risks)
* The evolving nature of derivatives and applicable Generally
Accepted Accounting Principles
* Significant reliance on outside parties; and
* Whether GAAP requires developing assumptions about future
conditions.
Assessing Control Risk Means Understanding Internal Control
SAS No. 55, Consideration of Internal Control in a Financial
Statement Audit (as amended by SAS No. 78, Consideration of Internal
Control in a Financial Statement Audit: An Amendment to Statement on
Auditing Standards No. 55) requires auditors to understand internal
control. This, in turn, enables them to:
* Identify potential misstatements of assertions
* Consider factors that affect the risk that misstatements will be
material to the financial statements; and
* Design substantive tests.
As mentioned above, management's objectives can play a
significant role in helping auditors assess inherent risk. To achieve
its goals in areas such as financial reporting, operations and
compliance, an entity's management may implement a variety of
controls; this is particularly true of entities with extensive
derivatives transactions. For example, management may call for:
* Control staff monitoring that is fully independent of derivatives
activities
* Derivatives personnel to obtain (prior to exceeding limits) at
least oral approval from members of senior management who are
independent of derivatives activities
* Senior management to properly address limit excesses and
divergences from approved derivatives strategies
* Accurate transmittal of derivatives positions to risk measurement
systems
* Appropriate reconciliations to ensure data integrity across the
full range of derivatives, including any new or existing derivatives
that may be monitored apart from the main processing networks
* Derivatives traders, risk managers and senior management to
define constraints on derivatives activities and justify identified
excesses
* Senior management, an independent group or an individual that
management designates, to perform a regular review of identified
controls and financial results of derivatives activities. This will help
determine whether controls are being effectively implemented, and that
the entity's business objectives and strategies are being achieved;
and
* Review of limits in the context of changes in strategy, the
entity's risk tolerance and market conditions.
How much auditors are able to find out about internal control over
derivatives and securities will depend on how much information the
auditor needs to:
* Identify the types of potential misstatements
* Consider factors that affect the risk of material misstatement
* Design tests of controls, where appropriate; and
* Design substantive tests.
Don't Forget about Service Organizations' Services.
According to the ASB, auditors will need to understand controls over
derivatives and securities transactions from start to finish -- i.e.,
from their initiation to their inclusion in financial statements.
Gathering this information could include looking at controls the entity
has placed in operation, as well as those put in place by the service
organization, whose services are part of the entity's information
system. SAS No. 55 defines the information system as those methods and
records an entity establishes to record, process, summarize and report
entity transactions, and to maintain accountability for related assets,
liabilities and equity.
In accordance with SAS No. 70, Service Organizations, a service
organization's services are considered part of an entity's
information system for derivatives and securities if they affect any of
the following:
* How the entity's derivatives and securities transactions are
initiated
* Accounting records, supporting information and specific accounts
in the financial statements involved in processing and reporting the
entity's derivatives and securities transactions
* The accounting processing involved -- from initiation of
transactions to inclusion in financial statements -- including
electronic means (such as computers and electronic data interchange)
used to transmit, process, maintain and access information; and
* The process the entity uses to report information about
derivatives and securities transactions in its financial statements,
including significant accounting estimates and disclosures.
Like SAS No. 70, SAS No. 92 also provides examples of a service
organization's services that would be considered part of an
entity's information system, including:
* When a service organization acts as investment adviser or manager
in initiating the purchase or sale of equity securities
* Services that are ancillary to holdings of an entity's
securities, such as:
-- Collecting dividend and interest income, and distributing that
income to the entity
-- Receiving notification of corporate actions
-- Receiving notification of security purchase and sales
transactions
-- Receiving payments from purchasers, and disbursing proceeds to
sellers for security purchase and sale transactions
-- Maintaining records of securities transactions for the entity;
and
* A pricing service providing fair values of derivatives and
securities through paper documents or electronic downloads that the
entity uses to value its derivatives and securities (or financial
statement reporting).
SAS No. 92 also provides examples of a service organization's
services that would not be considered part of an entity's
information system. These include:
* A securities broker's execution of trades initiated by
either the entity or its investment adviser; and
* The holding of an entity's securities.
Where To Turn for More Information.
Auditors looking to gather information about the nature of a
service organization's services that are part of an entity's
information system for derivatives and securities transactions -- or its
controls over those services -- can turn to:
* User manuals
* System overviews
* Technical manuals
* The contract between the entity and the service organization
* Reports by auditors, internal auditors or regulatory authorities
on the information system and other controls a service organization has
placed in operation; and
* Inquiry or observation of personnel at the entity or at the
service organization.
Of course, if the entity's services -- and the service
organization's controls over these services -- are highly
standardized, auditors can use their own past experience with that
entity (or a similar entity) to help plan their audit.
Assessing Control Risk -- Part II
After gaining an understanding about an entity's internal
control over derivatives and securities transactions, the auditor's
next step should be to assess control risk for the related assertions.
SAS No. 55 provides guidance. According to this document, auditors who
plan to assess control risk below the maximum for one or more assertions
about derivatives and securities should identify relevant controls (put
in place by the entity or service organization) that are likely to
prevent or detect material misstatements. The auditor can then gather
evidential matter about these controls. How?
According to SAS No. 92, auditors can gather evidential matter
through tests, which they can perform themselves, or have another
auditor (engaged by them or the service organization) perform. These
tests would be conducted:
* As part of an engagement in which a service auditor reports on
the controls and their operating effectiveness, as described in SAS No.
70
* As an agreed-upon procedures engagement; and
* To work under the direction of the auditor of the entity's
financial statements.
However, SAS No. 92 warns that a service organization's
confirmations of balances or transactions do not provide evidential
matter about its controls. It recommends, therefore, that the auditor
consider the entity's size; organizational structure; the nature of
its operations; the types, frequency and complexity of its derivatives
and securities transactions; and, its controls over those transactions
when designing auditing procedures for assertions about derivatives and
securities.
For example, if the entity has a variety of derivatives and
securities that are reported at fair value (estimated using valuation
models), auditors may be able to reduce the substantive procedures for
valuation assertions. They would do this by gathering evidential matter
about the controls over the design and use of the models (including
significant assumptions), and evaluating their operating effectiveness.
SAS No. 92 notes that there are some circumstances where it may not
be practicable -- or possible -- for the auditor to reduce audit risk to
an acceptable level without identifying the controls we've been
discussing, or gathering evidential matter about the effectiveness of
these controls. For example, let's assume the entity has a large
number of derivatives or securities transactions. The auditor would
probably not be able to reduce audit risk to an acceptable level for
assertions about the occurrence of earnings on those securities --
including gains and losses from sales -- without identifying controls
over the authorization, recording, custody and segregation of duties for
those transactions. The auditor would also, naturally, need to gather
evidential matter about the controls' operating effectiveness.
Conclusion
SAS No. 92 concludes that the auditor should use the assessed
levels of inherent risk and control risk for assertions about
derivatives and securities to determine the nature, timing and extent of
substantive procedures to detect material misstatements of financial
statement assertions.
Endnotes
* The ASB uses the Financial Accounting Standards Board (FASB)
definition of derivatives contained in Statement of Financial Accounting
Standards (SFAS) No. 133, Accounting for Derivative Instruments and
Hedging Activities, as amended by SFAS No. 138, Accounting for
Derivative Instruments and Hedging Activities.
COPYRIGHT 2002 St. John's University, College
of Business Administration Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2002, Gale Group. All rights
reserved. Gale Group is a Thomson Corporation Company.