You’ve probably read recently about trading-related frauds where individuals manipulated markets for their own gain. Several of these frauds were highly organized affairs, with traders using alternate channels to communicate with one another in order to manipulate individual trades and market conditions. The most recently settled foreign exchange action came to light once a reporter from a national business publication published the details of the collusion.
Most of the entities involved are relatively large organizations, with sophisticated governance and internal control programs. One has to ask, how could this occur, especially in this world where virtually anything done on a system can be tracked, stored, and retrieved? With hindsight, we can look at these frauds and glean some lessons by walking through the internal audit process at a high level. What can directors do to help make sure something like this does not happen at their organizations?
Are trading operations and similar functions scored high enough in the periodic risk assessment? By similar functions we mean any job function, such as procurement or sales, that has the following characteristics:
- has a high level of discretion and is regularly in the market
- has the de facto checkbook of the company
- is under significant pressure to make revenue or save expenses
- requires a specialized skill set to execute the role.
The lesson here is that these market roles, in many cases, have a risk profile higher than anticipated.
Audit Planning and Execution
Do you expect internal audit to master every function within your organization? Obviously, internal audit functions best when the auditors have knowledge of the business and the controls around that business. However, is it realistic to expect that internal audit can cover every risk with internal resources? Some prudent borrowing or “renting” of resources with specialized skill sets might be needed to adequately cover some types of risk.
Virtually every organization in the U.S. with its own systems has some sort of user computing policy that describes the acceptable use of technology. Also prevalent is the use of monitoring tools to continuously track how employees are using systems. For some time now, organizations have been keenly aware of the damage that can be caused by employees going to inappropriate websites. Yet traders executed one of the well-publicized trading frauds during normal business hours, using “back channel” means such as chat rooms provided through third parties. Certainly, the technology to monitor usage has existed for some time; however, the connection between the usage and the risk was just not recognized.
Certainly, collusion is inherently difficult to detect or prevent. However, recent frauds highlight the fact that those with an organization’s checkbook can present a risk much greater than previously thought, and detecting or preventing similar frauds will require diligence throughout the risk management cycle.