Office of the Superintendent of Financial Institutions
Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada’s (OSFI’s) risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations.
The audit of the Supervision Support Group - Capital Markets & Risk Assessment Services (SSG - CMRAS) was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2012 to 2013 Internal Audit Plan.
This report presents the results of that audit based on audit work completed at the end of December 2012. The audit recommendations will support the CMRAS group to continuously improve their control framework for identifying and assessing market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs).
This report was presented to the OSFI Audit Committee and approved by the Superintendent on February 20, 2013. The Deputy Superintendent, Supervision Sector; the Senior Director - Supervision Support Group (SSG); and CMRAS’ Senior Management, who have provided their management comments within this report, have also reviewed it.
Overview – Why this is important
CMRAS is one of the six teams within the Supervision Support Group (SSG) that supports the Relationship Management (RM) teams in the Supervision Sector. In conjunction with the RM teams for the Federally Regulated Financial Institutions (FRFIs), CMRAS supports OSFI’s mandate of protecting depositors and policyholders from undue loss by carrying out regular monitoring, on-site reviews, and early intervention activities at the FRFIs, with respect to market and liquidity risks and the associated capital requirements.
Capital Markets & Risk Assessment Services’ (CMRAS) mandate and activities directly support OSFI’s legislative mandate of
CMRAS’ mandate includes:
The objective of the audit was to provide reasonable assurance that CMRAS’ control framework for identifying and assessing market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs) is adequately designed and operating as intended:
The scope of the audit is for the period October 01, 2011 to June 30, 2012. One of the key principles of OSFI’s Supervisory Framework is a risk-based approach to supervision, focusing on material risks to a FRFI. CMRAS’ adherence to this principle results in them spending approximately 50% of their time on the monitoring reviews, a significant proportion of which is spent for the RM teams in the Deposit Taking Group - Conglomerates (DTG-C) and the Life Insurance Group - Conglomerates (Lifeco). As a result, our audit focused on the monitoring reviews that CMRAS performed for the DTG-C and Lifeco groups over the three quarter-ends during the audit period.
The scope of the audit included:
For the above CMRAS’ reviews, IA assessed that
The audit was conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board’s Policy on Internal Audit.
The SSG – CMRAS audit was predominantly conducted by leveraging the internationally recognized Enterprise Risk Management – Integrated Framework recommended by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The approach to conducting the audit included:
The Capital Markets & Risk Assessment Services (CMRAS) group has a control framework that is adequately designed and operating to enable OSFI to identify and to assess market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs). Opportunities for improvements exist to enhance the effectiveness of CMRAS’ control framework and should be undertaken for its continued assurance.
Roles/responsibilities; authorities; and a structure for monitoring, managing and reporting risks/issues are generally defined and are operational. Process and control activities exist for engaging key stakeholders, with decision and control points being in place to identify, assess and communicate key messages and potentially emerging industry-wide or institution-specific risks.
Internal Audit has identified opportunities for improvement, where CMRAS can further strengthen its processes and controls framework as follows:
In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit, and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit.
We wish to recognize the excellent rapport and exchange of views with all involved in the audit. The depth of the review and focusing on what matters would not have been possible without the support received throughout the audit.
_________________________________ Chief Audit Executive, IA
_________________________________ Date
This report has been reviewed by the Managing Director, Capital Markets Risk Assessment Services (CMRAS), the Senior Director, Capital Markets and Model Analytics, and the Senior Director, SSG, who acknowledge its observations and recommendations.
The recommendations will support CMRAS in continuing efforts to enhance and improve documentation and process as needed.
We thank the audit team for their detailed review of the supervisory work of CMRAS. We are in agreement with the findings of the audit. We note significant work was in progress to address the audit findings prior to the commencement of the audit.
CMRAS is committed to addressing the recommendations outlined in this report, and has made substantial progress to date in improving the quality assurance processes, and data management/integrity controls and processes.
OSFI’s Supervisory Framework states: “Supervision involves assessing the safety and soundness of FRFIs, providing feedback as appropriate, and using powers for timely intervention where necessary. The supervision of Canadian financial institutions is conducted on a consolidated basis, which involves an assessment of all of a FRFI’s material entities (including all subsidiaries, branches and joint ventures), both in Canada and internationally. OSFI designates a relationship manager (RM) for each FRFI. The RM is responsible for maintaining an up-to-date risk assessment of the FRFI. Specialists and other staff within OSFI help support this work. The RM is the main point of contact for the FRFI.”
In support of the RM’s risk assessment of the FRFIs, CMRAS conducts monitoring reviews of the FRFI’s market and liquidity risks. At the end of their monitoring process, CMRAS will prepare and submit a “Quarterly Monitoring Note” to the Relationship Management (RM) Supervisory team. This Monitoring Note includes CMRAS’ recommended market risk ratings for a particular business activity in the FRFI; and key conclusions or messages arising from CMRAS’ monitoring review of the FRFI for the quarter. CMRAS then meets with the relevant RM team to discuss both groups’ perspectives on the risk ratings and conclusions.
If there are any unresolved differences in professional opinions for the market risk ratings between CMRAS and the RM team, then further consultation is to be held with Senior and/or Executive management, as appropriate.
Once CMRAS and the RM team agree on the market risk ratings, the RM team updates their risk matrix for the FRFI and their supervisory documentation supporting the risk ratings, with CMRAS’ inputs.
OSFI’s Supervisory Framework: “The purpose of the risk matrix is to facilitate a holistic risk assessment of a FRFI, resulting in a Composite Risk Rating (CRR). The CRR is OSFI’s assessment of the safety and soundness of the FRFI, with respect to its depositors and policyholders.”
IA noted instances where CMRAS’ recommended market risk rating for a particular business activity in the FRFI was different (i.e. worse) from the rating used by the RM Supervisory team on their risk matrix for the FRFI. It was not clear if CMRAS had discussed their rationale and agreed their recommended market risk rating for this specific business activity with the RM team. For the instances noted, the overall assessment and resultant supervisory strategy for the FRFI’s business activity was not impacted.
If the risk assessments on the matrix are incomplete or inaccurate, then the supervisory strategy for the FRFI’s business activity may not be appropriate and emerging issues evolving from that activity could therefore be potentially overlooked.
The Supervision Working Agreement & Principles (SWAP) outlines guidelines with roles and responsibilities for better coordination of work and more effective communications between the Supervisory Relationship Management (RM) teams for the Deposit Taking Group - Conglomerates (DTG-C) and the SSG groups.
Roles and responsibilities of the RM team and SSG are outlined in Appendix A of the SWAP. Section B.2 requires a “virtual sign off” by both the RM team and SSG on the monitoring note, with respect to the issues and topics relating to the SSG’s area of expertise for the risk being assessed.
In keeping with the spirit of the SWAP, CMRAS should demonstrate that they have fulfilled their roles and responsibilities by improving their process for quarterly monitoring reviews as follows:
Quality Control (QC) is a key component of the supervisory process and active oversight is required at each step in the supervisory process to ensure:
The QC reviews such as peer reviews and the “one-up” line reviews of CMRAS’ work and reports were not always effective at ensuring the completeness and accuracy of the data used by CMRAS during their analyses.
During the audit, IA noted a number of immaterial instances where the wrong data was used by CMRAS in their detailed analytical work. Although the impact of these specific errors, both individually and cumulatively, was immaterial, going forward these types of errors can, individually and cumulatively, be potentially material and hence can potentially result in the wrong conclusions being reached from CMRAS’ assessments, with the wrong key messages being identified and communicated.
Over the course of the audit fieldwork, IA noted that CMRAS made an effort to preserve data integrity by making their analytical tool more user-friendly and providing more instructions to assist with the data entry.
Typical controls to mitigate data errors on analytical tools include a combination of preventative controls at the front end during data entry and detective controls at the back end, as part of a quality control or peer review of the data inputs.
For CMRAS’ overall QC process, IA recommends that CMRAS: