Internal Audit Report on Supervision Support Group – Capital Markets & Risk Assessment Services

Document Properties

  • Type of Publication: Audit
  • Date: February 2013

1. Background

Introduction

Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI’s) risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.

The audit of the Supervision Support Group - Capital Markets & Risk Assessment Services (SSG - CMRAS) was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2012 to 2013 Internal Audit Plan.

This report presents the results of that audit based on audit work completed at the end of December 2012. The audit recommendations will support the CMRAS group to continuously improve their control framework for identifying and assessing market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs).

This report was presented to the OSFI Audit Committee and approved by the Superintendent on February 20, 2013. The Deputy Superintendent, Supervision Sector; the Senior Director - Supervision Support Group (SSG); and CMRAS’ Senior Management, who have provided their management comments within this report, have also reviewed it.

Context

Overview – Why this is important

CMRAS is one of the six teams within the Supervision Support Group (SSG) that supports the Relationship Management (RM) teams in the Supervision Sector. In conjunction with the RM teams for the Federally Regulated Financial Institutions (FRFIs), CMRAS supports OSFI’s mandate of protecting depositors and policyholders from undue loss by carrying out regular monitoring, on-site reviews, and early intervention activities at the FRFIs, with respect to market and liquidity risks and the associated capital requirements.

Objectives of CMRAS

Capital Markets & Risk Assessment Services’ (CMRAS) mandate and activities directly support OSFI’s legislative mandate of

  1. supervising Federally Regulated Financial Institutions (FRFIs); and
  2. monitoring and evaluating system-wide or sectoral events that may impact FRFIs.

CMRAS’ mandate includes:

  • Identifying emerging market and liquidity risks and communicating them internally within OSFI (e.g. to the Emerging Risks Committee; or to the Supervision Sector’s RM teams) and externally to OSFI’s Financial Institutions Supervisory Committee (FISC) partners and/or directly to the FRFIs.
  • Identifying acceptable practices for market and liquidity risk mitigation, and, in conjunction with the RM teams, encouraging their adoption by the FRFIs.
  • Working with other (international and domestic) regulators to share and to harmonize supervisory and regulatory practices, with respect to market and liquidity risk issues.
  • Working with OSFI’s Regulation Sector to develop effective rules, guidelines and frameworks with respect to the oversight and effectiveness of controls over market and liquidity risks at the FRFIs.

2. Audit Objective, Scope and Approach

Audit Objective

The objective of the audit was to provide reasonable assurance that CMRAS’ control framework for identifying and assessing market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs) is adequately designed and operating as intended:

  • to support the Relationship Management (RM) teams in their supervision of the FRFIs; and
  • to monitor and to evaluate system-wide or sectoral issues relating to market and/or liquidity risks.

Audit Scope

The scope of the audit is for the period October 01, 2011 to June 30, 2012. One of the key principles of OSFI’s Supervisory Framework is a risk-based approach to supervision, focusing on material risks to a FRFI. CMRAS’ adherence to this principle results in them spending approximately 50% of their time on the monitoring reviews, a significant proportion of which is spent for the RM teams in the Deposit Taking Group - Conglomerates (DTG-C) and the Life Insurance Group - Conglomerates (Lifeco). As a result, our audit focused on the monitoring reviews that CMRAS performed for the DTG-C and Lifeco groups over the three quarter-ends during the audit period.

The scope of the audit included:

  1. The institution-specific, quarterly reviews that result in the section notes on the FRFIs’ Quarterly Executive Reports (QERs);
  2. The deposit-taking industry-wide, monthly Liquidity Summary Reviews (LSRs); and
  3. The industry-wide, Quarterly Monitoring Interim Reviews (QMIRs).

For the above CMRAS’ reviews, IA assessed that

  1. the flow of the documentation clearly supports the analysis, rationale, conclusions and key messages delivered by CMRAS; and
  2. quality control (QC) reviews on the work, analyses and reports are effectively performed at the appropriate levels on a timely basis.

Audit Approach

The audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board’s Policy on Internal Audit.

The SSG – CMRAS audit was predominantly conducted by leveraging the internationally recognized Enterprise Risk Management – Integrated Framework recommended by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The approach to conducting the audit included:

  • walkthrough of the processes used by CMRAS during their reviews (from the data inputs, to the analysis, to the QC reviews and eventual communication to the appropriate stakeholders);
  • detailed testing of selected documentation supporting CMRAS’ processes; and
  • discussions/interviews with key personnel and stakeholders.

3. Conclusion

Conclusion

The Capital Markets & Risk Assessment Services (CMRAS) group has a control framework that is adequately designed and operating to enable OSFI to identify and to assess market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs). Opportunities for improvements exist to enhance the effectiveness of CMRAS’ control framework and should be undertaken for its continued assurance.

Roles/responsibilities; authorities; and a structure for monitoring, managing and reporting risks/issues are generally defined and are operational. Process and control activities exist for engaging key stakeholders, with decision and control points being in place to identify, assess and communicate key messages and potentially emerging industry-wide or institution-specific risks.

Internal Audit has identified opportunities for improvement, where CMRAS can further strengthen its processes and controls framework as follows:

  • Enhance its quarterly monitoring process to demonstrate that CMRAS has discussed with the Relationship Management (RM) team and has reached agreement on the applicable FRFI risk assessments.
  • Consult with the “Practices Division” to determine the best practices for Quality Control (QC) reviews, including an understanding of the requirements to demonstrate that the QC reviews have been effectively performed.

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit, and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.

We wish to recognize the excellent rapport and exchange of views with all involved in the audit. The depth of the review and the focus on what matters would not have been possible without the support received throughout the audit.

_________________________________
Chief Audit Executive, IA

_________________________________
Date

4. Management Response

Overview

This report has been reviewed by the Managing Director, Capital Markets Risk Assessment Services (CMRAS), the Senior Director, Capital Markets and Model Analytics, and the Senior Director, SSG, who acknowledge its observations and recommendations.

The recommendations will support CMRAS in continuing efforts to enhance and improve documentation and process as needed.

Responses / Comments

We thank the audit team for their detailed review of the supervisory work of CMRAS. We are in agreement with the findings of the audit. We note significant work was in progress to address the audit findings prior to the commencement of the audit.

CMRAS is committed to addressing the recommendations outlined in this report, and has made substantial progress to date in improving the quality assurance processes, and data management/integrity controls and processes.

5. Observations and Recommendations

Governance, roles and responsibilities

  1. CMRAS has a Governance framework, outlining key roles and responsibilities.
  2. CMRAS has established a management oversight structure over their monitoring reviews of a Federally Regulated Financial Institution (FRFI).

Processes and Controls

  1. CMRAS has a process for performing their periodic monitoring reviews of the FRFIs.
  2. CMRAS has a reasonable approach for performing “environmental” scans to identify potentially emerging issues related to their areas of technical expertise.
  3. CMRAS has a process for monitoring potentially emerging industry-wide or institution-specific risks related to their areas of technical expertise.

Information and communication, including reporting

  1. The appropriate stakeholders are generally engaged when information is gathered, analyzed and followed-up.
  2. CMRAS is appropriately represented during the key internal quarterly meetings with the Relationship Management (RM) teams, other Supervision Support Groups (SSGs) and the Executive.
  3. Open and timely channels of communication exist among staff within the CMRAS team.
  4. IA noted significant positive feedback from some of CMRAS’ key stakeholders with respect to their accessibility, open communications style and timeliness of delivery of their outputs.

Observation #1:
Quarterly Monitoring Reviews of the FRFIs

OSFI’s Supervisory Framework states: “Supervision involves assessing the safety and soundness of FRFIs, providing feedback as appropriate, and using powers for timely intervention where necessary. The supervision of Canadian financial institutions is conducted on a consolidated basis, which involves an assessment of all of a FRFI’s material entities (including all subsidiaries, branches and joint ventures), both in Canada and internationally. OSFI designates a relationship manager (RM) for each FRFI. The RM is responsible for maintaining an up-to-date risk assessment of the FRFI. Specialists and other staff within OSFI help support this work. The RM is the main point of contact for the FRFI.”

In support of the RM’s risk assessment of the FRFIs, CMRAS conducts monitoring reviews of the FRFI’s market and liquidity risks. At the end of their monitoring process, CMRAS will prepare and submit a “Quarterly Monitoring Note” to the Relationship Management (RM) Supervisory team. This Monitoring Note includes CMRAS’ recommended market risk ratings for a particular business activity in the FRFI; and key conclusions or messages arising from CMRAS’ monitoring review of the FRFI for the quarter. CMRAS then meets with the relevant RM team to discuss both groups’ perspectives on the risk ratings and conclusions.

If there are any unresolved differences in professional opinions for the market risk ratings between CMRAS and the RM team, then further consultation is to be held with Senior and/or Executive management, as appropriate.

Once CMRAS and the RM team agree on the market risk ratings, the RM team updates their risk matrix for the FRFI and their supervisory documentation supporting the risk ratings, with CMRAS’ inputs.

OSFI’s Supervisory Framework: “The purpose of the risk matrix is to facilitate a holistic risk assessment of a FRFI, resulting in a Composite Risk Rating (CRR). The CRR is OSFI’s assessment of the safety and soundness of the FRFI, with respect to its depositors and policyholders.”

IA noted instances where CMRAS’ recommended market risk rating for a particular business activity in the FRFI was different (i.e. worse) from the rating used by the RM Supervisory team on their risk matrix for the FRFI. It was not clear if CMRAS had discussed their rationale and agreed their recommended market risk rating for this specific business activity with the RM team. For the instances noted, the overall assessment and resultant supervisory strategy for the FRFI’s business activity was not impacted.

If the risk assessments on the matrix are incomplete or inaccurate, then the supervisory strategy for the FRFI’s business activity may not be appropriate and emerging issues evolving from that activity could therefore be potentially overlooked.

Recommendation #1

The Supervision Working Agreement & Principles (SWAP) outlines guidelines with roles and responsibilities for better coordination of work and more effective communications between the Supervisory Relationship Management (RM) teams for the Deposit Taking Group - Conglomerates (DTG-C) and the SSG groups.

Roles and responsibilities of the RM team and SSG are outlined in Appendix A of the SWAP. Section B.2 requires a “virtual sign off” by both the RM team and SSG on the monitoring note, with respect to the issues and topics relating to the SSG’s area of expertise for the risk being assessed.

In keeping with the spirit of the SWAP, CMRAS should demonstrate that they have fulfilled their roles and responsibilities by improving their process for quarterly monitoring reviews as follows:

  • implement a consistent process to demonstrate agreement with the RM supervisory teams on the risk assessments, ratings and conclusions for the FRFI, relating to their areas of technical expertise; and
  • perform quality control checks at the end of the quarterly monitoring review period to ensure that their judgments and recommended risk ratings are aligned with the final key messages for their areas of technical expertise, which the RM teams summarize for all of the Supervision Support Groups (SSGs).

Observation #2:
Quality Control (QC) reviews

Quality Control (QC) is a key component of the supervisory process and active oversight is required at each step in the supervisory process to ensure:

  • the completeness and accuracy of the work performed; and
  • that the supervisory documentation is sufficiently clear to support any final conclusions, judgments or professional opinions that may result from the underlying detailed analytical work.

The QC reviews, such as peer reviews and the “one-up” line reviews of CMRAS’ work and reports, were not always effective at ensuring the completeness and accuracy of the data used by CMRAS during their analyses.

During the audit, IA noted a number of immaterial instances where the wrong data was used by CMRAS in their detailed analytical work. Although the impact of these specific errors, both individually and cumulatively, was immaterial, going forward these types of errors can, individually and cumulatively, be potentially material and hence can potentially result in the wrong conclusions being reached from CMRAS’ assessments, with the wrong key messages being identified and communicated.

Over the course of the audit fieldwork, IA noted that CMRAS made an effort to preserve data integrity by making their analytical tool more user-friendly and providing more instructions to assist with the data entry.

Recommendation #2

Typical controls to mitigate data errors on analytical tools include a combination of preventative controls at the front end during data entry and detective controls at the back end, as part of a quality control or peer review of the data inputs.

For CMRAS’ overall QC process, IA recommends that CMRAS:

  • consult with the Supervision Sector’s “Practices Division” to determine the best practices on effective QC reviews for the nature of the work, documentation and reports that CMRAS produces, including an understanding of the requirements to demonstrate that the QC reviews have been performed;
  • roll out training within the team to ensure that QC standards and expectations are understood; and
  • consider further improvements in data entry to minimize the need for manual intervention.