Implementing and
Auditing the Internal
Control System
Dimitris N. Chorafas




Also by Dimitris N. Chorafas
MANAGING RISK IN THE NEW ECONOMY
NEW REGULATION OF THE FINANCIAL INDUSTRY
MANAGING CREDIT RISK: 1. Analysing, Rating and Pricing the Profitability of Default
MANAGING CREDIT RISK: 2. The Lessons of VAR Failures and Imprudent Exposure
RELIABLE FINANCIAL REPORTING AND INTERNAL CONTROL: A Global
Implementation Guide
CREDIT DERIVATIVES AND THE MANAGEMENT OF RISK
SETTING LIMITS FOR MARKET RISK
HANDBOOK OF COMMERCIAL BANKING: Strategic Planning for Growth and
Survival in the New Decade
UNDERSTANDING VOLATILITY AND LIQUIDITY IN FINANCIAL MARKETS
THE MARKET RISK AMENDMENT: Understanding Marking-to-Model and Value-at-Risk
COST EFFECTIVE IT SOLUTIONS FOR FINANCIAL SERVICES
AGENT TECHNOLOGY HANDBOOK
TRANSACTION MANAGEMENT
INTERNET FINANCIAL SERVICES: Secure Electronic Banking and Electronic Commerce?
NETWORK COMPUTERS VERSUS HIGH-PERFORMANCE COMPUTERS
VISUAL PROGRAMMING TECHNOLOGY
HIGH-PERFORMANCE NETWORKS, PERSONAL COMMUNICATIONS AND MOBILE
COMPUTING


PROTOCOLS, SERVERS AND PROJECTS FOR MULTIMEDIA REAL-TIME SYSTEMS
THE MONEY MAGNET: Regulating International Finance, Analyzing Money Flows and
Selecting a Strategy for Personal Hedging
MANAGING DERIVATIVES RISK
ROCKET SCIENTISTS IN BANKING
HOW TO UNDERSTAND AND USE MATHEMATICS FOR DERIVATIVES: 1. Foreign
Exchange and the Behaviour of Markets
HOW TO UNDERSTAND AND USE MATHEMATICS FOR DERIVATIVES: 2. Advanced
Modelling Methods
AN INTRODUCTION TO COMMUNICATIONS NETWORKS AND THE
INFORMATION SUPERHIGHWAY (with Heinrich Steinmann)
DERIVATIVE FINANCIAL INSTRUMENTS: Managing Risk and Return
FINANCIAL MODELS AND SIMULATION: Concepts, Processes and Technology




© Dimitris N. Chorafas 2001
All rights reserved. No reproduction, copy or transmission of
this publication may be made without written permission.
No paragraph of this publication may be reproduced, copied or
transmitted save with written permission or in accordance with
the provisions of the Copyright, Designs and Patents Act 1988,
or under the terms of any licence permitting limited copying
issued by the Copyright Licensing Agency, 90 Tottenham Court
Road, London W1P 0LP.

Any person who does any unauthorized act in relation to this
publication may be liable to criminal prosecution and civil
claims for damages.
The author has asserted his right to be identified
as the author of this work in accordance with the
Copyright, Designs and Patents Act 1988.
First published 2001 by
PALGRAVE
Houndmills, Basingstoke, Hampshire RG21 6XS and
175 Fifth Avenue, New York, N.Y. 10010
Companies and representatives throughout the world
PALGRAVE is the new global academic imprint of
St. Martin's Press LLC Scholarly and Reference Division and
Palgrave Publishers Ltd (formerly Macmillan Press Ltd).
ISBN 0-333-92936-5
This book is printed on paper suitable for recycling and
made from fully managed and sustained forest sources.
A catalogue record for this book is available
from the British Library.
Library of Congress Cataloging-in-Publication Data
Chorafas, Dimitris N.
Implementing and auditing the internal control system / Dimitris N. Chorafas.
p. cm.
Includes bibliographical references and index.
ISBN 0-333-92936-5
1. Auditing, Internal. I. Title.
HF5668.25 .C523 2000
657' .458—dc21

00-049149


10 9 8 7 6 5 4 3 2 1
10 09 08 07 06 05 04 03 02 01
Printed in Great Britain by
Antony Rowe Ltd, Chippenham, Wiltshire
This publication is designed to provide accurate and authoritative
information in regard to the subject matter covered. It is sold with the
understanding that the author and the publishers are not engaged in
rendering legal, accounting or other professional services.


Contents

List of Figures
List of Tables
Preface
Acknowledgements
List of Abbreviations and Acronyms

PART I WHY INTERNAL CONTROL SYSTEMS MUST BE AUDITED

1 The Role of Auditing in an Organization
  Introduction
  Auditing Defined
  Auditing as an Indispensable Element of a Management System
  Senior Management Responsibilities in Connection with Auditing and Internal Controls
  Value-Added Services to be Provided by Auditing
  The Role of an Independent Auditing Committee and the Contribution of the Treadway Commission
  Good Practice Guidelines Regarding Auditing Committee Functions and Responsibilities

2 What is Meant by 'Internal Control'?
  Introduction
  'Internal Control' Defined
  What Constitutes a Sound Internal Control Policy?
  Steps in Implementing an Internal Control System
  Improving the Status of Internal Control in Business and Industry
  What Is Meant by a 'Rigorous Internal Control Solution'?
  A Practical Example with Internal Control Approaches to Operational Risk
  Appendix: Definitions of Internal Control by AICPA, Basle Committee, EMI, IIA, and COSO

3 Internal Control and the Globalization of Financial Markets
  Introduction
  The Impact of Globalization on Internal Control
  Regulators Look at Internal Control as a Foundation of Sound Management
  Important Differences Between Accounting Systems Handicap Global Internal Control and Auditing
  Internal Control Deficiencies, Conflicts of Interest, and the Massaging of Accounting Data
  A Threat Curve Which Addresses Our Problems and Their Likelihood

4 New Standards for Auditing Internal Control and the Use of Risk-Based Audits
  Introduction
  Auditing Responsibilities Prescribed by Securities Laws
  Agency Costs and the Impairment of Assets
  Using a Company's Cash Flow for Auditing Reasons
  The Concept Underpinning Risk-Based Auditing
  Authority and Responsibility for Risk-Based Auditing Solutions
  Paying Attention to Information Requirements for Risk-Based Auditing

5 A Methodology for Auditing the Internal Control System
  Introduction
  Discovery is the First Major Step of a Valid Auditing Methodology
  Auditing Strengths and Weaknesses of an Internal Control System: An Example From a Money Centre Bank
  The Methods of Internal Control Resemble Those of Military Intelligence
  Internal Control Intelligence and the Calculation of Assumed Exposure
  Internal Control Intelligence and Dynamic Computing of Capital Requirements
  Synergy Necessary Between Business Units to Make Internal Control a Reality

PART II MANAGEMENT APPRAISAL OF AND ACCOUNTABILITY FOR THE INTERNAL CONTROL SYSTEM

6 Senior Management Responsibilities For Internal Control
  Introduction
  Legal Reasons Why Internal Control Must be Managed
  Effective Internal Control Requires Trustworthy People
  Internal Control, Product Review, and Risk Assumptions
  Senior Management Cannot Delegate its Accountability for Internal Control
  Restructuring is a Critical Element of Financial Innovation
  Beware of Creative Accounting: it is Poison to Internal Control

7 Internal Control Implementation Must Focus on Core Functions
  Introduction
  Which are the Core Functions of a Financial Institution?
  A Polyvalent Approach to the Implementation of Internal Control: the Commission Bancaire Directives
  Why Both a priori and a posteriori Studies Improve Internal Control
  Do We Need a Separate Department to Look After Compliance? The Case of Two Swiss Banks
  Management Intent: Its Impact on Internal Discipline and Financial Reporting
  New Rules of Competition and the Need for Market Discipline

8 Establishing an Efficient Internal Control Structure
  Introduction
  Organizational Solutions for Internal Control at Edward Jones
  The Process of Internal Control and the Prerequisites for Risk Management
  Commercial Risk, Financial Risk, and the Tuning of Internal Control
  Should We Analyze the Behavioural Pattern of Our Traders?
  Developing and Using a System of Internal Margin Calls
  Internal Controls Should Highlight Information Technology Failures

PART III CASE STUDIES ON THE IMPLEMENTATION OF INTERNAL CONTROL

9 Applying Internal Control to Our Institution's Limits System
  Introduction
  Limits, Marking-to-Market, and the Contribution of Internal Control
  Internal Control and the Role of Benchmarks
  Answers by Leading Institutions to an Internal Controls and Limits Questionnaire
  Setting Limits is a Business Requiring Know-how and Imagination
  The Study of Internal Controls by the European Monetary Institute
  Advance Notice Can Help in Limiting Future Loss Through Repositioning

10 Auditing Counterparty Limits and Trading Limits
  Introduction
  Internal Controls and Dynamic Limits Management
  The Role of Auditing in Controlling the Calculation of Prices and Risk Premiums
  Internal Controls, Leveraging, and the Evaluation of Risk and Return
  Should Internal Controls Reflect a Portfolio's Diversification?
  Internal Controls and Limits for Equity Trading
  Examining and Implementing Limits in Currency Positions

11 An Internal Control System for Engineering Design, Product Development, and Quality Assurance
  Introduction
  Long-Termism and Short-Termism in R&D
  A Methodology for Internal Control Applied to Engineering Design
  Internal Control's Contribution to the Project Manager's Job
  Internal Control for Prototypes and for Measurements Connected with Different Projects
  Design Reviews are Essentially a Process of Rigorous Auditing
  An Infrastructure for Quality Assurance

12 Services Provided by Information Technology to the Auditing of Internal Controls
  Introduction
  Positioning Our Institution to Profit From the Fact that Banking is Information in Motion
  The Use of Advanced Technology is not a Fad but an Obligation
  Online Banking and the Auditing of Financial Operations
  The Effective Use of Information Technology for Internal Control
  The Regulators Emphasize the Need to Use Technology in an Able Manner
  Why Auditing Increasingly Depends on Computer Systems

13 The Contribution of External Auditors to the Internal Control System
  Introduction
  Value-Added Duties Beyond Those Classically Performed by External Auditors
  What Should be Expected from Auditing Internal Controls by External Auditors?
  Are Central Bank Examiners Better Positioned in Studying the Effectiveness of Internal Controls?
  The Concept Behind Outsourcing Internal Auditing and Other Duties
  A Closer Look at Outsourcing Internal Auditing, its 'Pluses' and 'Minuses'
  Liabilities Which Might Come the Way of External Auditors

Bibliography
Appendix of Participating Organizations
Index

List of Figures

1.1 The domains where auditing functions are necessary if modern business continues to expand
1.2 The concepts underpinning internal control and audit tend, up to a point, to overlap
1.3 It is wise to make a distinction between the functions of auditing and those of internal control
1.4 Front desk and back office should be separated, and the same is true of other functions, but all must be transparent to auditing
1.5 The bifurcation in self-assessment through internal control and auditing
2.1 Focal areas of internal control and the impact of internal and external key factors
2.2 The functions of internal control, auditing, accounting, treasury, and risk management overlap, but also have a common core
2.3 Infrastructure and pillars supporting a valid solution to internal control
2.4 Roles and responsibilities of different agents concerned by the control of risk
2.5 Technological solutions addressed to high-grade professionals must be positioned in an unstructured information environment
2.6 The top four operational risks influence one another in a significant way
3.1 A real-time framework for focusing internal control by country and in a global setting
3.2 Four different organizational approaches followed by credit institutions with regard to internal control and risk management
3.3 The internal control framework of COSO implementation, as seen by the Federal Reserve Bank of Boston
3.4 By ordering the probability associated with different risks, a threat curve can assist in appreciating their likelihood
3.5 Radar chart for off-balance-sheet risk control to keep top management alert

Assets in the balance sheet and off-balance sheet of a major financial institution
Liabilities in the balance sheet and off-balance sheet of a major financial institution
Seasonally adjusted German M-3 money supply, fluctuation in the 1990 to 1994 timeframe
High quality means that tolerances are observed at all times; low quality fails to observe tolerances
Discovery is an analytical process, while legal conclusions are synthetic and practical
There are three ways of looking at internal control, with accounting at the kernel and high technology the outer layer
The internal control intelligence cycle consists of six major steps
Intraday follow-up on exposure, bank-wide and trader-by-trader
There are common elements in different types of risk: with new instruments these should be addressed on the drawing board
The policy of the OTS has borne fruit: no thrift failures since 1993
The life-cycle of business passes through successive phases, each requiring specific skills
Block diagram of profit and loss (P&L) analysis of a profit centre
Distribution of Daily Trading Revenue (P&L) at Credit Suisse First Boston, 1997 and 1998
Abstraction is the two-way interface between complexity and simplicity
The difference 1 month makes: benchmark yield curves with 30-year bonds in three G-10 countries: United States
The difference 1 month makes: benchmark yield curves with 30-year bonds in three G-10 countries: United Kingdom
The difference 1 month makes: benchmark yield curves with 30-year bonds in three G-10 countries: Japan
Auditing is a metalayer whose business is rigorous inspection, not the day-to-day control of operations
Management intent and strategic planning overlap, but basically they are different concepts

1.1 A feedback mechanism characterizing both engineering constructs and financial markets, but many bankers lack this sensitivity
8.1 Securum's three-layered internal control organization for credit exposure
8.2 Evolution of longer-term financial assets v. the trading portfolio at a money centre bank
8.3 SQC chart with tolerance limits and control limits
8.4 Average market risks of a money centre bank, over a period of 2 years
9.1 Risk management should be studied in a multidimensional space, in a manner similar to process control
9.2 Four different dimensions of liquidity to be controlled intraday
9.3 A classification of business partners based on sophistication of client demands and potential risk exposure
10.1 A thorough evaluation of VAR requires that three metalayers work in synergy
10.2 The statistical distribution of loans losses classified into three major categories
10.3 Some frightening statistics on equity, assets, and derivatives exposure by Chase Manhattan
10.4 Yield spread average of AAA corporate bonds v. equal maturity government bonds
10.5 An efficient frontier analysis tries to balance risk and return, eventually leading to portfolio optimization
10.6 In mid-to-late 1995, Cypress Semiconductor lost 60 per cent of its capitalization
11.1 Able solutions to R&D must have globality, benefit from technology and standards, and be subject to critical project revamps
11.2 The acceleration in technology characterizing the mid-to-late 1990s is expected to continue well into the twenty-first century
11.3 According to Jean Monnet, planning for the future should start at end-results level and move toward the beginning
11.4 Non-seamless interfaces significantly reduce the efficiency and reliability of engineering work during product transition
11.5 The need for design reviews is present in any project
11.6 The impact of good management on competitiveness can best be appreciated in a 3-dimensional frame of reference
11.7 Chart for number of defects per unit and adjustments on an hourly basis, during a week
12.1 Investments in information technology: United States v. Euroland, 1993 and 1999
12.2 Technology supporting four different banks which offer personal banking services
12.3 Grand design of an IT solution addressing a range of functional and operational characteristics
12.4 A bank's financial network and effective management of client accounts
12.5 The distribution of IT investments and supported functionality is not keeping pace with end-user demands
12.6 Financial instruments become complex because they can be combined in many and varied ways
12.7 Management information needed to do business v. data which is massively produced
13.1 The Hampel Report recommended adding new areas to internal control
13.2 Rigorous evaluation of exposure, study of business opportunity, and analysis of business intelligence rest on four pillars
13.3 A three-tier and two-tier model in bank supervision
13.4 Rating the quality of internal auditing and/or outsourced services using confidence intervals

List of Tables

2.1 The top dozen operational risks
3.1 Comparison of some of the outstanding differences between the US GAAP and Italian GAAP
6.1 NPVR limits in connection to changes in interest rates
7.1 Net asset value on year-to-year basis through two different trading strategies
7.2 A bank's exposure to loans and derivatives risks, standard VAR v. stress analysis
7.3 Reserve requirements for loans to sovereigns, banks, corporate clients, and securitized instruments based on ratings by independent agencies
9.1 VAR in Commerzbank's trading portfolio, 1997
9.2 VAR in Commerzbank's trading portfolio, 1996, and 1997-1996 comparison
10.1 Demodulated derivatives exposure compared to equity and assets of major credit institutions, as of 31 March 1999


Preface
Written on the threshold of the twenty-first century - a time that is increasingly
marked by globalization of products and services, rapid progress in financial
analytics, and technological breakthroughs - this text addresses itself to
managers and professionals. Typically, its readers have, or are about to have,
fiduciary responsibilities and/or an immediate and deep interest in assuring the
evolution of internal control for reasons of good governance.
The International Organization for Securities Commissions (IOSCO)
says that a control structure can only be as effective as the people who
operate it. Therefore, strong commitment by the board as well as by all
managers and professionals working for a financial institution, a
manufacturing enterprise, or any other organization, is a prerequisite to
the good functioning of internal control - that is, the intelligence necessary
to ascertain that an entity functions effectively, according to ethical
standards, board policies, and regulatory rules.
One of the lessons managers should learn very early in their careers is
that they have to deal with the world as they find it, not as they might wish
it to be. From this derives the need for interpretation of information internal
control provides, looking for presence or absence of compliance and asking
why and how there are deviations, and what that means for their company's
present and future. Here are, in a nutshell, the five basic principles of an
effective internal control.

- Internal control is a dynamic system covering all types of risk, addressing
  fraud, assuring transparency, and making possible reliable financial
  reporting.
- The chairman of the board, the directors, the chief executive officer
  (CEO), and senior management are responsible and accountable for
  internal control.
- Beyond risks, internal control goals are preservation of assets, account
  reconciliation, and compliance. Laws and regulations impact on internal
  control.
- The able management of internal control requires policies, organization,
  technology, open communications, access to all transactions, real-time
  operation, quality control, and corrective action.
- Internal control must be regularly audited by internal and external
  auditors to ensure its rank and condition, and to see to it there is no
  cognitive dissonance at any level.

Cognitive dissonance is the name for the organizational phenomenon
whereby people ignore something that does not fit their view of the world
and pretend it does not exist. This is distinct from outright fraud, or the
intentional falsification of events and records. But, like fraud, cognitive
dissonance is anathema to the proper functioning of an internal control
system, and therefore internal auditors and external auditors must be on the
alert.
An organizational issue to attract the auditor's attention in examining the
lines of authority and accountability for internal control purposes is the
separation of responsibility for the measurement, monitoring, and
supervision of exposure from that of day-to-day operations. Auditors are,
or at least should be, well aware that the execution of any transaction and
the inventorying of any position are giving rise to risk. Risk has to be
monitored and managed, but this must be independent of trading, lending, and
other revenue sidelines.
Auditing is part of senior management duties. The role of internal audit
is to analyze and reconcile accounts, test the dependability of financial
statements, evaluate qualitative business aspects, detect fraud, and master
internal control details. The internal auditing function must be staffed with
first-class people, be supported by the best technology, and report directly
to the board or the Audit Committee. In executing their functions, auditors
should form a view on the correctness and efficiency of the way in which
the company is managed.
* * *

With globalization, deregulation, and the advent of derivatives, credit
institutions, as well as the treasury operations of manufacturing,
merchandising, and service companies, are finding that their traditional
tools for management control no longer suffice. They must develop more
efficient processes able to measure and monitor their risks in real-time.
They must also have tools that permit them to exercise timely and accurate
control.
This is well known to national and international regulators who have
issued a number of directives to enhance existing means for compliance,
and promote risk management systems - including the use of Audit
Committees and the redefining of internal control functions. Regulatory
authorities are also seeing to it that both the members of the board of
directors and external auditors are responsible for the company's system of
internal checks and balances, and for the implementation of rigorous
solutions able to provide assurance against material misstatement or loss.
The book the reader has on hand addresses the need for a direct
confirmation that senior management and the auditors have reviewed the
effectiveness of the system of internal financial and operational controls.
This text is divided into three parts. Part I defines both auditing and
internal control, then explains why internal control must be audited and in
which way this should be done to improve upon the quality of deliverables.
Chapter 1 addresses the role of auditing in an organization. It
demonstrates that auditing is an indispensable instrument of management,
and documents that rigorous auditing can provide value-added services.
This chapter also outlines the functions and responsibilities of the Auditing
Committee, at the level of the board of directors. Its existence has been
strongly recommended by the Basle Committee on Banking Supervision of
the Bank for International Settlements (BIS).
Chapter 2 focuses on internal control. After defining the internal
control functions and the senior management policies on which these
should rest, it presents to the reader the successive steps necessary for
implementing a rigorous internal control system, demonstrating why
properly studied and applied internal controls can be instrumental in
curbing not only fraud but also credit risk, market risk, operational
risk, and other major exposures.
Chapter 3 examines the need for internal controls from the viewpoint of
globalization of financial markets. It brings home the point that important
differences in accounting systems handicap internal control and auditing,
and it documents how conflicts of interest work to the detriment of internal
control - and therefore of the company's ability to take hold of itself.
The theme of Chapter 4 is new standards for auditing internal controls
and risk management systems. Practical examples range from the more
classical auditing of cash flow to risk-based auditing. A methodology for
auditing the internal control system is presented in Chapter 5. Internal
control information is compared to military intelligence, and applications
examples are taken from trading in derivative financial instruments.
Accurate information passed in a timely fashion to decision-makers can
enable them to take appropriate steps whether these focus on new business
opportunities or on control action. The latter is the role of internal control
intelligence. However, numbers and statistics are only a small part of the
game. Much of the risk taken by a company because of trading and
inventoried positions is inherently unqualified. Yet, we try not only to
qualify it but also, whenever possible, to quantify it - because this is the
only way to control it.
On these premises rests Part II, which addresses top management's
accountability for internal control. The line of responsibilities starts at the
chairman of the board, and though authority is delegated responsibility is
not; it always stays at the top. This is precisely Chapter 6's subject. The text
explains why effective internal control requires trustworthy people all the
way down the line of command. It also brings into perspective the need for
restructuring, and makes the point that it is wise to keep away from creative
accounting practices.
The synergy between internal controls and core functions is the next
important theme examined. Chapter 7 looks into core functions from the
perspective of a credit institution. Emphasis is placed on both a priori and a
posteriori studies as well as on compliance. Attention is also paid to
management intent and on why transparency is practically synonymous
with market discipline.
Transparency requires both appropriate board policies and an efficient
internal control structure. This is explained in Chapter 8, which takes as an
example of necessary policies those of a better-known brokerage in the
United States. The reader is also presented with advice on useful tests on
the way internal controls work, tips on improvements, and a discussion on
the role of advanced technology in making the internal control system so
much more efficient.
Technology can be instrumental in distilling data streams and in mining
databased events, but, as Part III explains through case studies, for
information to become intelligence there is no substitute for sound and well
informed analysis. On the bottom line, internal control intelligence is the
interpretation of facts and figures and educated guesswork on management
intent at all levels of the organization.
The practical examples in Chapter 9 revolve around applying internal
control to our institution's limits system, and to other prudential
benchmarks put in place by top management. The text presents the reasons
why setting limits is a business requiring know-how and imagination, as
well as a feedback which makes possible dynamic limits management. The
latter is the theme of Chapter 10, which elaborates further on the role of
auditing in controlling the calculation of prices and risk premiums,
estimating the amount of leveraging, and identifying a range of risks from
equity trading to currency positions.
Chapter 11 changes the frame of reference by examining the role of
internal control in engineering and manufacturing. Starting with
long-termism and short-termism in research and development (R&D), it
proceeds with internal control applied to engineering design. Practical
examples are taken from project management and design reviews, as well
as from prototyping and quality assurance. Unavoidably, this leads to a
discussion on information technology.
Effective internal control and high technology are inseparable,
particularly so in a very dynamic, globalized market. Chapter 12, therefore,
focuses its attention on the services information technology provides in
connection to the auditing of internal controls. It also explains why the use
of advanced technology is not a fad but an obligation. The cutting edge of
technology is never a bleeding edge unless we don't know what we are
doing. But falling behind in technology has often proved to be the bleeding
side of an internal control system.
While much can be done by way of supporting an internal control
structure through human resources employed by our firm, external auditors
can also play a major role. This is the theme of Chapter 13, which addresses
both classical and modern duties of external auditors, in connection with
scrutiny and verification of our company's internal controls. Part of this
discussion is outsourcing, its strengths and weaknesses; another part is the
responsibilities of all players involved in auditing internal controls.

The careful reader who considers all of the points which have been made
will appreciate that internal control should be examined from different
angles to assure the appropriateness of policies and procedures. Among the
issues to which attention should be paid is auditing staff qualifications. Is
the staff experienced in analyzing an internal control system and its
effectiveness? Is a training programme in effect? Are members of the staff
experienced in specialized areas such as risk management and information
technology?
Other questions, too, are key to the interpretation of intelligence. Does the
depth coverage of the audits appear to be sufficient? Is the chief auditor
a member of an executive system planning committee? Is he or she reporting
directly to the chairman or the auditing committee? Behind these queries are
the reasons why from Chapter 1 auditing procedures have been brought under
a magnifying glass. Do these procedures employ statistically valid sampling
techniques, with acceptable reliability and precision? Is the content of auditing
independent of adverse influences by different interests? Has the auditing of
internal control been formally established by the board of directors?
It is worth practically nothing to audit internal controls if the intelligence being
collected is distorted by self-imposed limitations and deliberate
misconceptions. Distortion of factual and documented discoveries in the auditing of
internal control is a very dangerous business for any company, no matter how
senior and how clever its board, CEO, and top management may be. This has
been the conclusion of the research which led to this book.


Acknowledgements
I am indebted to a long list of knowledgeable people, and of organizations,
for their contribution to the research which made this book possible. Also
to several senior executives and experts for constructive criticism during
the preparation of the manuscript. The complete list of the senior executives
and organizations who participated in this research is shown in the
Appendix.
Let me take this opportunity to thank Stephen Rutt and Zelah Pengilley
for suggesting this project and seeing it all the way to publication, and
Keith Povey and Barbara Docherty for the editing work. To Eva-Maria
Binder goes the credit for compiling the research results, typing the text,
and making the camera-ready artwork and index.

Valmer and Vitznau
DIMITRIS N. CHORAFAS

The author and publishers are grateful to the Credit Suisse Group for
permission to reproduce copyright material from the Credit Suisse Annual
Report of 1998.



List of Abbreviations and Acronyms

AICPA    American Institute of Certified Public Accountants
ALM      Assets and Liabilities Management
ASB      Accounting Standards Board (UK)
BAI      Bank Administration Institute
BIS      Bank of International Settlements
BNE      Bank of New England
BWG      Bankwesengesetz (Austrian Banking Act)
CAD      Computer-Aided Design
CAM      Computer-Aided Manufacture
CAR      Capital-at-Risk
CEO      Chief Executive Officer
CFO      Chief Financial Officer
CFTC     Commodities Futures Trading Commission
CMO      Collateralized Mortgage Obligation
COSO     Committee of Sponsoring Organizations (Treadway Commission)
CPA      Certified Public Accountant
CRMO     Chief Risk Management Officer
DSP      Digital Signal Processing
ECB      European Central Bank
EMI      European Monetary Institute (now ECB)
ESCB     European System of Central Banks
FASB     Financial Accounting Standards Board (US)
FCPA     Foreign Corrupt Practices Act (US)
FDIC     Federal Deposit Insurance Corporation (US)
FDICIA   Federal Deposit Insurance Corporation Improvement Act (US)
FIRREA   Financial Institutions Reform, Recovery, and Enforcement Act (US)
FSA      Financial Services Authority (UK)
G-10     Group of Ten (US, UK, Japan, Germany, France, Italy, Canada, Holland, Belgium, Sweden, Switzerland and Luxemburg as observer)
G-30     Group of Thirty (a Washington Think Tank)
GAAP     Generally Accepted Accounting Principles (US)
GAAP     Generally Accepted Accounting Practice (UK)
GAAS     Generally Accepted Accounting Standards
GAO      General Accounting Office (US)
GIGA     Giga Instructions per Second
HFFD     High-Frequency Financial Data
IAS      International Accounting Standard
IASC     International Accounting Standards Committee
IIA      Institute of Internal Auditors
IC       Internal Control
ICS      Internal Control System
IMF      International Monetary Fund
IOSCO    International Organization for Securities Commissions
ISDA     International Derivatives Dealers Association
IT       Information Technology
KWG      German Banking Act
LTCM     Long-Term Capital Management
MIPS     Million Instructions per Second
MITI     Ministry of International Trade and Industry (Japan)
MOU      Memorandum of Understanding
NASD     National Association of Securities Dealers
NASDAQ   National Association of Securities Dealers Automated Quotation
NPV      Net Present Value
NYSE     New York Stock Exchange
OCC      Office of the Comptroller of the Currency (US)
OTC      Over the Counter
OTS      Office of Thrift Supervision
QA       Quality Assurance
R&D      Research and Development
RICO     Racketeer Influenced and Corrupt Practices Act (US)
ROI      Return on Investment
RV       Replacement Value
S&L      Savings & Loan
SEC      Securities and Exchange Commission (US)
SFAS     Statement of Financial Accounting Standards (US)
SQC      Statistical Quality Control
STRG     Statement of Total Recognized Gains and Losses (UK)
TQM      Total Quality Management
VAR      Value-at-Risk

