Foreign Banks: Internal Control and Audit Weaknesses in U.S. Branches

Published by the Government Accountability Office on 1997-09-29.

United States General Accounting Office (GAO)

Report to the Subcommittee on Financial Institutions and Consumer Credit,
Committee on Banking and Financial Services, House of Representatives

September 1997

FOREIGN BANKS
Internal Control and Audit Weaknesses in U.S. Branches

GAO/GGD-97-181

      United States General Accounting Office
      Washington, D.C. 20548

      General Government Division

      B-275223

      September 29, 1997

      The Honorable Marge Roukema
      Chairwoman
      The Honorable Bruce F. Vento
      Ranking Minority Member
      Subcommittee on Financial Institutions
        and Consumer Credit
      Committee on Banking and Financial Services
      House of Representatives

      This report responds to your request for information on internal control and audit weaknesses
      at U.S. branches and agencies of foreign banks. It discusses U.S. supervisors’ expectations for
      internal controls and audits, the number of such weaknesses found by U.S. supervisors at fair or
      lower rated U.S. branches and agencies, and the U.S. supervisors’ efforts to improve internal
      controls and audits at these institutions.

      We are sending copies of this report to the Chairmen and Ranking Minority Members of the
      House Committee on Banking and Financial Services and the Senate Committee on Banking
      and Urban Affairs, the Chairman of the Federal Reserve Board, the Chairman of the Federal
      Deposit Insurance Corporation, the Comptroller of the Currency, and other interested parties.
      We will also make copies available to others on request.

      Major contributors to this report are listed in appendix III. If you have any questions, please call
      me at (202) 512-8678.




      Thomas J. McCool,
      Director, Financial Institutions and Markets Issues

Executive Summary


Purpose

             In September 1995, Daiwa Bank, one of the largest multinational banks in
             the world, reported to the Federal Reserve[1] that it had incurred losses
             exceeding $1 billion from illegal securities trading activities that had
             occurred at one of its New York branches over an 11-year period.
             Weaknesses in the branch’s internal controls, including inadequate
             segregation of duties in trading and electronic funds transfer activities,
             had enabled an employee to trade illegally and to hide the activities and
             resulting losses. The Chairman of the Federal Reserve Board said that
             before the losses were reported, the Federal Reserve had noted, but had
             not fully appreciated, the seriousness of some of the branch’s weaknesses
             in internal control. One reason for this, according to the Federal Reserve
             Board Chairman, was that those weaknesses did not appear to be
             extraordinary in comparison to those found at other U.S. branches and
             agencies of foreign banking organizations (FBO branches).[2]

             In response to concern about possible risks to the U.S. financial system,
             the Chairwoman and the Ranking Minority Member, Subcommittee on
             Financial Institutions and Consumer Credit, House Committee on Banking
             and Financial Services, requested that GAO (1) identify U.S. supervisors’
             expectations for adequate internal controls and audits[3] in FBO branches,
             (2) determine the extent of serious weaknesses in FBO branches’ internal
             controls and audits reported by U.S. supervisors during examinations, and
             (3) describe U.S. supervisors’ efforts to address these weaknesses.


Background

             FBOs operate today in the United States most frequently by establishing FBO
             branches. These FBO branches serve primarily their home country and U.S.
             corporate customers and can generally engage in lending, money market
             services, trade financing, trading,[4] and other activities with banks and
             other financial institutions. FBO branches can also access the U.S.
             payments system through the Federal Reserve and obtain other Federal
             Reserve services. As of December 1996, there were 498 FBO branches in the
             United States, with total assets of $821 billion.[5] As legal and operational
             extensions of foreign banks, these FBO branches have no capital of their
             own.

             [1] In this report, GAO uses the term “Federal Reserve” to refer to both the Board of Governors of the
             Federal Reserve System and the 12 Federal Reserve Banks, unless further specificity is required.
             [2] Branches are legal and operational extensions of foreign banks, and they have broad banking powers,
             including accepting uninsured deposits, lending, money market services, trade financing, and other
             activities related to the service of foreign and U.S. clients. Agencies have similar powers but may not
             accept deposits from U.S. citizens or residents. Because FBO branches and agencies perform similar
             banking functions, they are often discussed together using the term “branches.” This report follows
             this convention.
             [3] The term “audit” in this report generally refers to the internal audit, unless otherwise noted.
             [4] FBO branches engage in a variety of different trading activities, including foreign exchange,
             derivatives, and securities trading.

The Federal Reserve is responsible for overseeing the combined U.S.
operations[6] of FBOs and for ensuring that FBOs operating in the United
States meet financial, managerial, and operational standards similar to
those of U.S. banking organizations. In addition, FBO branches may be
either state-licensed and, therefore, regulated and supervised by the
respective state banking department or federally licensed and, therefore,
regulated and supervised by the Office of the Comptroller of the Currency.
Some branches are also insured by the Federal Deposit Insurance
Corporation (FDIC) and, therefore, subject to additional supervision by
FDIC.[7]


While good internal controls do not necessarily guarantee that an entity’s
business objectives will be met, an entity’s board of directors,
management, and/or other personnel use internal controls to obtain
reasonable assurance that they are achieving their objectives relating to
operations, financial reporting, and compliance with applicable laws and
regulations. Internal controls in banking institutions include segregation of
duties,[8] proper authorization of transactions and activities, design and use
of adequate documents and records to help ensure the proper recording of
transactions and events, safeguards over access to and use of assets and
records, and independent checks on performance and proper valuation of
recorded amounts.

The performance of internal controls can be monitored and strengthened
by management, as needed, through internal and/or external audits.
Internal auditing is a management function that is to independently
evaluate the adequacy and effectiveness of internal controls and the
quality of ongoing operations. External financial auditing generally
provides an independent assessment of the reliability of an entity’s
financial statements and may provide management with useful information
for monitoring and improving internal controls.

[5] For purposes of comparison, the total assets of U.S. domestic banks, not including the assets of
subsidiary banks of FBOs, were about $4.4 trillion as of December 31, 1996.
[6] The “combined U.S. operations” of an FBO refers to all of its activities, banking or otherwise, in the
United States.
[7] The Foreign Bank Supervision Enhancement Act of 1991, among other things, in effect prohibited
FBO branches from accepting insured deposits. Public Law 102-242, Title II, Subtitle A, section 214 (a).
Those FBO branches that already had deposit insurance were allowed to retain it. As of December 31,
1996, 31 FBO branches were FDIC-insured.
[8] Segregation of duties is an internal control procedure that assigns different people the responsibilities
of authorizing transactions, recording transactions, and maintaining custody of assets and thus helps
reduce opportunities for any person to be in a position to both perpetrate and conceal errors or
irregularities in the normal course of his/her duties.

                   To establish a list of serious internal control and audit weaknesses, GAO
                   compiled a list of the specific weaknesses described in all 99 enforcement
                   actions taken by U.S. supervisors against FBO branches for internal control
                   and/or audit weaknesses from January 1993 to June 1996. To determine
                   the extent of serious internal control and audit weaknesses, GAO then
                   collected data on these weaknesses from 425 examination reports of 254
                   FBO branches (see app. I). The 254 branches included all FBO branches with
                   an overall examination rating of fair or lower or a rating of fair or lower in
                   an examination component substantively affected by internal control and
                   audit weaknesses from January 1993 to June 1996. The percentage of FBO
                   branches whose examination reports GAO reviewed varied from a high of
                   about 30 percent of all FBO branches in 1993 to about 20 percent in 1996.

                   To determine the most serious weaknesses, GAO discussed the data with
                   experienced federal and state supervisors. Internal control weaknesses
                   U.S. supervisors identified as among the most serious were: inadequate
                   segregation of duties in trading and/or electronic funds transfer activities,
                   lack of dual control and independent verification in trading and/or
                   electronic funds transfer activities, lack of security and access restrictions
                   in electronic funds transfers, employee(s) in sensitive positions were not
                   absent for a minimum number of consecutive days to allow another
                   employee to detect improper actions,[9] inadequate safekeeping and/or
                   documentation in trading activities, and inadequate security and access
                   restrictions for accounting system software. Audit weaknesses U.S.
                   supervisors identified as among the most serious were: inadequate scope
                   of audit coverage, inadequate frequency of audits, inadequate response to
                   audit criticisms, inadequate audit independence, inadequate workpapers
                   or documentation, and lack of head office supervision. GAO did not verify
                   the information contained in the examination reports.


[9] The absence of employees in sensitive positions for a minimum number of consecutive days, generally
a 2-week period, is an important internal control because it provides an independent check on
employees’ performances. During their absences, employees’ duties would have to be done by other
employees and any unauthorized activities would probably surface during that time.

Results in Brief

U.S. supervisors expect each U.S. FBO branch to have (1) a system of
internal controls that is consistent with the size and complexity of its
operation and (2) an internal audit function of adequate scope and
frequency and/or an adequate system of head office[10] or external audits.
Although few FBO branches’ deposits are insured by FDIC, U.S. supervisors
have an interest in the activities of FBO branches because the supervisors
wish to preserve standards that help ensure the efficiency of and
confidence in U.S. markets.

A guiding principle for U.S. supervisors in assessing internal controls is
that good internal control exists when employees are not in a position to
make significant errors or perpetrate significant irregularities without
timely detection. In evaluating an FBO branch’s overall system of internal
control, U.S. supervisors are to consider the adequacy of controls and the
level of adherence to them. For example, controls are to be carried out by
competent people who have no incompatible duties. In addition, U.S.
supervisors are to consider the frequency, scope, and adequacy of the FBO
branch’s internal and external audits.

A significant number of the 254 FBO branches U.S. supervisors rated fair or
lower had 1 or more of the weaknesses in internal control that U.S.
supervisors identified as being among the most serious, and a majority of
the FBO branches had 1 or more of the weaknesses in audit function
identified as being among the most serious. For example, 28 percent of the
254 FBO branches were reported to lack adequate segregation of duties in
trading and/or electronic funds transfer activities. U.S. supervisors told
GAO that a lack of adequate segregation of duties in these areas is among
the most serious internal control weaknesses because such a weakness
can be, and has been, associated with big losses.

Sixty-seven percent of the 254 FBO branches whose examination reports
GAO reviewed were reported to have had audits of inadequate scope;
41 percent were reported to have had audits of inadequate frequency; and
28 percent were reported to have had inadequate management response to
audit criticisms. According to U.S. supervisors, these audit weaknesses
represent serious problems in managements’ oversight of internal controls
and could slow or limit improvement of internal controls at some FBO
branches.

[10] The head office is the headquarters of the FBO.

GAO found that U.S. supervisors are undertaking numerous efforts intended
to address internal control and audit weaknesses at FBO branches. The
objectives of these efforts include helping to ensure (1) the detection of
losses that have occurred as the result of an FBO branch’s internal control
and audit weaknesses, (2) the timely correction by FBO branches of serious
weaknesses in control procedures and audit functions, (3) an increased
understanding among multinational banks of the importance of adequate
internal controls and audits, and (4) the preparedness of supervisors to
conduct effective assessments of internal controls. Prompt attention to the
development of a strategy for evaluating the results of these initiatives is
now needed to determine whether progress is being made in improving the
condition of internal controls at FBO branches. The results of such a
strategy could be useful in determining whether additional initiatives may
be needed and in communicating with FBO branch officials and home
country supervisors about the importance of sound bank management
practices.



Principal Findings

U.S. Supervisors Expect FBO Branches’ Internal Controls to Enable Timely
Detection of Significant Errors or Irregularities

                              U.S. supervisors’ expectations for internal control are based on the
                              premise that standards that help ensure the efficiency of and confidence in
                              U.S. markets must be preserved. An FBO branch’s system of internal
                              controls is to ensure that its operations are conducted in accordance with
                              internal guidelines and supervisory policies, that all reports and analyses
                              provided to the head office and senior branch management are timely and
                              accurate, and that the controls provide protection against losses and
                              ensure accurate financial reporting. In assessing the adequacy of the scope
                              of internal audits, supervisors are to consider whether all important FBO
                              branch functions and services are included and whether the audit program
                              includes the procedures necessary to reasonably ensure compliance with
                              applicable U.S. laws and regulations. Supervisors are also to assess the
                              adequacy of internal audits that are based on an evaluation of the risk
                              associated with each area of audit interest. In evaluating the work of both
                              internal and external auditors, supervisors are to consider the
                              independence of the auditors.


Many of the Fair or Lower Rated FBO Branches Were Reported to Have One or
More of the Weaknesses U.S. Supervisors Identified as Being Among the Most
Serious

                            Twenty-eight percent of the 254 FBO branches rated fair or lower were
                            reported to lack adequate segregation of duties in trading and/or
                            electronic funds transfer activities. Additional weaknesses supervisors
                            identified as being among the most serious included: a lack of dual control
                            and verification in trading and/or electronic funds transfer was reported in
                            21 percent of the FBO branches; a lack of security and access restrictions in
                            electronic funds transfer, in 22 percent; and employees in sensitive
                            positions not being absent for a minimum number of consecutive days so
                            that another employee could detect improper actions, in 22 percent. Some
                            FBO branches were found to have two additional weaknesses that
                            supervisors identified as being among the most serious: inadequate
                            safekeeping and/or documentation in trading activities (15 percent) and
                            inadequate security and access restrictions for accounting system
                            software (6 percent). Inadequate safekeeping and/or documentation in
                            trading activities increases the risk that a transaction will not be
                            accurately recorded in the FBO branch’s books.

                            GAO found that of the FBO branches rated fair or lower, those with certain
                            characteristics had higher numbers of internal control weaknesses. These
                            characteristics included being engaged in trading as a major line of
                            business, having a comparatively high number of lines of business, having
                            a comparatively high number of staff, and having serious weaknesses in
                            audit functions.

                            Management at many of the FBO branches rated fair or lower had not
                            corrected audit weaknesses in response to supervisory examinations. For
                            example, 53 percent of the 171 FBO branches with audits of inadequate
                            scope, which were examined more than once in the study period, were
                            found to have audits of inadequate scope at subsequent examinations.

                            To better understand the meaning of the FBO branch findings, GAO
                            compared them with findings for a sample of U.S. domestic banks rated
                            fair or lower. The comparison, which was limited in that the U.S. domestic
                            banks tended to be smaller in asset size and engage in less complicated
                            activities, showed that these domestic banks tended to have fewer serious
                            internal control and audit weaknesses, such as inadequate segregation of
                            duties and scope of audits, than FBO branches.


Supervisors Are Taking Actions in an Effort to Improve Internal Controls
and Audits at Certain FBO Branches

                            To help ensure the detection of losses that have occurred as the result of
                            an FBO branch’s identified internal control weaknesses, the Federal
                            Reserve has established a policy requiring the use of special audits for
                            institutions with less-than-satisfactory overall ratings. Depending upon
                            specific case circumstances, these audits may be performed by regional,
                            head office, or external auditors. These auditors are to perform direct
                            verification of accounts in areas identified by supervisors as having
                            significant control weaknesses and are to determine the accuracy of
                            reports by the FBO branch to the supervisors.




    Supervisory efforts to help ensure the timely correction by FBO branches of
    weaknesses in control procedures and audit functions include the use of
    formal and informal enforcement actions to require remedies for specific
    weaknesses. From January 1993 to June 1996, U.S. supervisors took 99
    enforcement actions against FBO branches for the primary reason of
    inadequate internal controls or inadequate audit. Furthermore, efforts by
    the Federal Reserve to communicate more effectively with FBO officials
    have resulted in quicker and better compliance by FBOs, according to
    Federal Reserve officials.

    Supervisory actions to help ensure increased understanding of the
    importance of adequate internal controls and audits include the Federal
    Reserve’s training programs or meetings with foreign supervisory officials
    to discuss the importance of developing adequate internal controls. Also,
    U.S. and foreign supervisors, working through the Basle Committee on
    Banking Supervision, have developed core principles for effective banking
    supervision that include basic standards for internal controls and audits.

    Examples of efforts to help ensure the preparedness of supervisors to
    conduct effective assessments of internal control systems and audit
    functions include the following:

•   the development, in 1995, and ongoing implementation of the FBO
    Supervision Program,[11] which is expected to provide, among other things,
    comprehensive information relevant to assessments of control procedures
    and audit functions as well as an analysis and a ranking to reflect the U.S.
    banking supervisors’ judgment about the FBOs’ ability to provide their U.S.
    operations with the necessary financial and managerial support;
•   the implementation, beginning in 1994, of an FBO branch rating system that
    emphasizes risk management and operational controls;
•   the use, beginning in 1995, of the Examination Manual for U.S. Branches
    and Agencies of Foreign Banking Organizations, which is intended to
    provide uniform guidance to all federal and state supervisors with
    responsibility for FBO branch oversight, and, in 1994, of the Trading
    Activities Manual; and
•   the initiation of examiner training programs covering internal controls in
    1995 and appropriate supervisory strategies for the U.S. operations of FBOs
    in 1996.




    [11] See Foreign Banks: Opportunities Exist to Enhance Supervision Program (GAO/GGD-97-80, May 9,
    1997).



                  Although the Federal Reserve told GAO that the Federal Reserve’s
                  initiatives have already resulted in improved internal controls and audits
                  at fair or lower rated FBO branches, improvements in these FBO branches
                  have not been systematically measured.



Recommendation

                  U.S. supervisors have recognized that serious weaknesses in internal
                  controls and audits at certain FBO branches are significant and must be
                  addressed if losses are to be avoided and confidence maintained in the
                  integrity and efficiency of financial markets. To that end, they have
                  developed and implemented several initiatives in the past 2 to 3 years to
                  improve the supervision of FBO branches and educate home country
                  supervisors about the importance of resolving internal control and audit
                  weaknesses. However, U.S. supervisors have not yet developed a strategy
                  for evaluating the results of these initiatives, including whether those
                  results satisfactorily address the weaknesses identified or whether
                  additional initiatives may be needed. Such a strategy could, for example,
                  determine whether there are appropriate linkages between examination
                  results and training and education efforts. For information to be available
                  to monitor the impact of the initiatives when they are fully implemented, it
                  is important that the U.S. supervisors promptly identify the data that are
                  needed and ensure that the systems necessary to gather and maintain
                  those data are in place and operating.

                  GAO recommends that the Federal Reserve develop a strategy, including
                  objective measures, for assessing the progress it is making through its
                  efforts to improve internal controls and audits at FBO branches and ensure
                  that the procedures and systems necessary to collect the data relevant to
                  those measures are in place and operating. Results from such objective
                  evaluation of efforts to improve internal controls and audits should be
                  useful in determining whether additional initiatives may be needed and in
                  communicating with FBO branch officials and home country supervisors
                  about the importance of sound bank management practices.


Agency Comments

                  GAO requested comments on a draft of this report from the Federal Reserve
                  Board, which provided written comments that are discussed at the end of
                  chapter 4. In addition, Federal Reserve staff also provided technical
                  comments, which GAO incorporated in this report where appropriate.




The Federal Reserve Board commented that GAO’s recommendation was
useful and said that it will take steps to (1) evaluate in a more systematic
fashion the results of its initiatives to improve the supervision of the U.S.
operations of FBOs and (2) identify and address internal control and audit
weaknesses in those operations. The Board also said that several rough
measures currently indicate some degree of improvement in those areas.
As an example of such measures, the Board noted a decline, since 1993, in
the number of FBO branches with fair or lower overall examination ratings
or component ratings that are substantively affected by internal control
and audit weaknesses.




Contents



Executive Summary                                                                                      2


Chapter 1                                                                                             16
                         Background                                                                   17
Introduction             Foreign Bank Operations in the United States                                 19
                         Internal Control Is to Provide Directors and Management With                 25
                            Reasonable Assurance That Objectives Will be Achieved
                         Objectives, Scope, and Methodology                                           26

Chapter 2                                                                                             28
                         Effective Internal Controls and Audits Are Essential to Preserving           29
U.S. Bank Supervisors      the Integrity of the U.S. Financial System
Expect Internal          Adequacy and Adherence to Internal Control Requirements Is an                30
                           Important Focus of Examination Guidance
Controls That Enable     FBO Branches Are Expected to Have Independent Internal                       31
Timely Detection of        Audits and/or Adequate Head Office or External Audits
Any Significant Errors
or Irregularities
Chapter 3                                                                                             35
                         Serious Internal Control Weaknesses Exposed a Significant                    36
A Significant Number       Number of FBO Branches to Risk of Losses From Misconduct
of FBO Branches          A Substantial Number of FBO Branches Had Serious Audit                       40
                           Weaknesses
Rated Fair or Lower      Certain Characteristics of Fair or Lower Rated FBO Branches                  43
Had Serious Internal       Were Associated With Higher Numbers of Internal Control and
Control and Audit          Audit Weaknesses
                         A Limited Comparison of Examination Results Indicated That                   47
Weaknesses                 Certain Domestic Banks Had Fewer Internal Control Weaknesses
                         Conclusions                                                                  47

Chapter 4
U.S. Supervisors Are Taking Actions to Improve Internal Controls and Audits at Certain FBO Branches
    U.S. Supervisors Seek to Ensure Detection of Losses That Have Occurred as the Result of Weaknesses in Internal Controls and Audits
    U.S. Supervisors Seek Timely Correction of Serious Weaknesses in Internal Controls and Audits
    U.S. Supervisors Seek an Increased Understanding Among Multinational Banks of the Importance of Adequate Internal Controls and Audits
    U.S. Supervisors Seek to Ensure the Preparedness of Supervisors to Conduct Effective Assessments of Internal Controls
    U.S. Supervisors’ Measures Do Not Capture Linkages Between Initiatives and Results
    Conclusions
    Recommendation
    Agency Comments

Appendixes
    Appendix I: Data Collected From Examination Reports Using Data Collection Instrument
    Appendix II: Comments From the Federal Reserve Board
    Appendix III: Major Contributors to This Report

Tables
    Table 1.1: Components of the ROCA Rating System
    Table 1.2: Composite ROCA Rating Definitions and the Required Supervisory Response
    Table 3.1: Internal Control Weaknesses U.S. Supervisors Identified as Among the Most Serious Reported in FBO Branches in the United States, Rated Fair, Marginal, or Unsatisfactory During January 1993 to June 1996
    Table 3.2: Audit Weaknesses U.S. Supervisors Identified as Among the Most Serious Reported in FBO Branches in the United States, Rated Fair, Marginal, or Unsatisfactory During January 1993 to June 1996
    Table I.1: Descriptions of DCI Internal Control and Audit Weakness Categories
    Table I.2: Internal Control and Audit Weaknesses Reported at FBO Branches Rated Fair or Lower During January 1993 to June 1996

Figures
    Figure 3.1: Trading FBO Branches Had More Internal Control Weaknesses Than Nontrading FBO Branches
    Figure 3.2: FBO Branches With More Lines of Business Had More Internal Control Weaknesses Than FBO Branches With Fewer Lines of Business
    Figure I.1: Percentage of FBO Branches Rated Fair or Lower That Were Reported to Have Each Type of Internal Control Weakness, January 1993 to June 1996
    Figure I.2: Percentage of FBO Branches Rated Fair or Lower That Were Reported to Have Each Type of Audit Weakness, January 1993 to June 1996
    Figure I.3: The 10 Most Frequently Reported Internal Control Weaknesses at FBO Branches Rated Fair or Lower, January 1993 to June 1996




Abbreviations

DCI        Data Collection Instrument
EFT        Electronic Funds Transfer
FBO        Foreign Banking Organization
FBSEA      Foreign Bank Supervision Enhancement Act
FDIC       Federal Deposit Insurance Corporation
IBA        International Banking Act of 1978
OCC        Office of the Comptroller of the Currency
SOSA       Source of Strength Assessment


Chapter 1

Introduction


               In September 1995, Daiwa Bank, one of the largest multinational banks in
               the world, reported to the Federal Reserve[1] that it had incurred losses
               exceeding $1 billion from illegal securities trading activities that had
               occurred at one of its New York branches over an 11-year period.
               Weaknesses in the branch’s internal controls, including inadequate
               segregation of duties in trading and lack of security or access restrictions
               in electronic funds transfer (EFT) activities, had enabled an employee to
               trade illegally and to hide the activities and resulting losses. The Chairman
               of the Federal Reserve Board said that before the losses were reported,
               the Federal Reserve had noted, but had not fully appreciated, the
               seriousness of some of the branch’s weaknesses in internal control. One
               reason for this, according to the Federal Reserve, was that those
               weaknesses did not appear to be extraordinary in comparison to those
               found at other U.S. offices of foreign banking organizations (FBO).

               In response to concern about possible risks to the U.S. financial system,
               the Chairwoman and the Ranking Minority Member, Subcommittee on
               Financial Institutions and Consumer Credit, House Committee on Banking
               and Financial Services, requested that we review the supervision of the
               U.S. operations of FBOs and determine the extent of serious weaknesses in
               their internal controls[2] and audits.[3]

               This report is the final of three reports that respond to that request. The
               objectives of this report are to (1) identify U.S. supervisors’ expectations
               for adequate internal controls and audits in U.S. branches and agencies of
               FBOs (FBO branches),[4] (2) determine the extent of serious weaknesses in
               FBO branches’ internal controls and audit reported by U.S. supervisors, and
               (3) describe U.S. supervisors’ efforts to address these weaknesses. In our
               two prior reports, we provided the results of our reviews of the Federal
               Reserve’s implementation of the Foreign Bank Supervision Enhancement
               Act of 1991 and the implementation of the Federal Reserve’s Foreign
               Banking Organization Supervision Program (FBO Program).[5]

               [1] In this report, we use the term “Federal Reserve” to refer to both the Board of Governors of the
               Federal Reserve System and the 12 Federal Reserve Banks, unless further specificity is required.
               [2] As discussed later in this chapter, internal control is the process by which an entity’s board of
               directors, management, and/or other personnel obtain reasonable assurance as to the achievement of
               specified objectives.
               [3] The term “audit” in this report generally refers to the internal audit, unless otherwise noted.
               [4] Because they perform similar functions, branches and agencies are often discussed together. In this
               report, we follow this convention. Branches are legal and operational extensions of foreign banks and
               have broad banking powers, including accepting uninsured deposits, lending, money market activities,
               trade financing, and other activities related to the service of foreign and U.S. clients. Agencies have
               similar powers but may not accept deposits from U.S. citizens or residents.


Background
             Congressional concern about the adequacy of internal controls and audits
             of FBO branches in the United States was raised in part by the illegal
             activities that occurred at a New York branch office of Daiwa Bank, which
             is headquartered in Japan. In September 1995, senior officials of Daiwa
             Bank informed the Federal Reserve Bank of New York that one of Daiwa
             Bank’s New York branches had incurred losses of $1.1 billion from trading
             activities undertaken by a senior branch official, Mr. Toshihide Iguchi,
             over a period of 11 years, from 1984 to 1995.[6] The Federal Reserve later
             found that these losses, which should have been reflected in the bank’s
             books, records, and financial statements, were concealed from federal and
             state banking supervisors through liquidations of securities held in the
             bank’s custodian accounts and falsification of its custody records.[7]

             Not only was Mr. Iguchi able to conceal massive losses over an extended
             period, but the Federal Reserve found that senior management of Daiwa
             Bank also took steps to conceal the losses from U.S. supervisory
             authorities. Senior management of Daiwa Bank said they had learned
             about the trading losses 2 months before informing Federal Reserve
             officials. They also directed Mr. Iguchi to continue transactions during the
             2-month period to avoid the disclosure of the losses.

             In October 1995, the New York Superintendent of Banks and the Federal
             Deposit Insurance Corporation (FDIC), together with the Federal Reserve,
             issued cease-and-desist orders against Daiwa Bank, requiring a virtual
             cessation of trading activities in the United States. In November 1995,
             Daiwa Bank was indicted on federal criminal charges. At the same time,
             the Federal Reserve, FDIC, the New York State Banking Superintendent,
             and a number of other state banking authorities jointly issued a series of
             orders that terminated Daiwa Bank’s U.S. banking operations. In
             February 1996, Daiwa Bank pled guilty to numerous criminal offenses
             related to its scheme to cover up trading losses from U.S. bank supervisors
             and law enforcement authorities. The guilty plea resolved all outstanding
             criminal proceedings against Daiwa Bank, and it paid a criminal fine of
             $340 million. Mr. Iguchi and the former General Manager of Daiwa Bank’s
             New York branch also pled guilty to criminal offenses associated with
             misconduct at the branch office.

             [5] See Foreign Banks: Implementation of the Foreign Bank Supervision Enhancement Act of 1991
             (GAO/GGD-96-187, Sept. 30, 1996) and Foreign Banks: Opportunities Exist to Enhance Supervision
             Program (GAO/GGD-97-80, May 9, 1997).
             [6] As discussed later in this chapter, the Federal Reserve is responsible for overseeing the combined U.S.
             operations of foreign banks.
             [7] FBO branches may act as custodians for customers’ investments, such as stocks, bonds, or gold. This
             is a customer service activity that normally does not result in assets and liabilities subject to entry on
             the general ledger.


U.S. Supervisors Identified Conditions That Aided Illegal Activities at Daiwa Bank but Did Not Appreciate the Seriousness of Those Conditions
                              Federal Reserve officials and staff who reviewed 1992, 1993, and 1994
                              examination records for the Daiwa Bank’s New York branch office found
                              that certain conditions had been identified at the branch that proved to be
                              instrumental in the conduct of illegal activities. However, U.S. supervisors
                              did not recognize all of the potential dangers associated with these
                              conditions at the time of identification.

                              According to Federal Reserve officials, U.S. supervisors first became
                              aware in November 1993 that Mr. Iguchi was responsible for both some
                              securities-related activities, possibly including trading, and custody
                              operations as well as some related back-office settlement functions at the
                              branch.[8] The supervisors were concerned that Mr. Iguchi could use his
                              position as overseer of the custody account, including his ability to gather
                              information on the volume and nature of customer trades, to gain an
                              improper advantage in carrying out the bank’s trading activities. After
                              finding no evidence of improper advantage, supervisors requested and
                              received written confirmation that the identified dual capacities had been
                              split. This confirmation was later determined to be false and misleading.
                              Supervisors also noted weaknesses in security and access restrictions in
                              EFT activities, which can enable unauthorized transfer of funds out of an
                              FBO branch.


                              While supervisors recognized that Mr. Iguchi’s dual capacities were a
                              potential problem, Federal Reserve staff said they did not recognize them
                              as a potential opportunity for misappropriation of customer and bank
                              funds. Prudent policy dictates that certain operations within an FBO branch
                              be executed by different individuals to limit the possibility for any person
                              to both perpetrate and conceal errors or irregularities in the normal course
                              of his or her duties. As evidenced by Daiwa Bank and other cases, a lack of
                              separation of trading and back-office settlement activities can have very
                              adverse consequences.[9] This lack of separation of duties was a weakness
                              in internal control at Daiwa Bank.

                              [8] In banking, settlement refers to the process of recording the debit and credit positions of two parties
                              in a transfer of funds. Also, settlement refers to the delivery of securities by a seller and the payment
                              by the buyer.

                    According to a report prepared by Federal Reserve Board staff, a number
                    of factors contributed to the fact that supervisors did not perceive Mr.
                    Iguchi’s functions as a more serious problem when they were identified.
                    One of the factors mentioned in the report was that the internal control
                    problems of Daiwa Bank’s New York branch during 1992 to 1993 did not
                    appear to be extraordinary in comparison to those that supervisors were
                    finding in their examinations of other U.S. offices of foreign banks.
                    Chapter 3 of this report provides our analysis of internal control problems
                    at certain FBO branches from January 1993 to June 1996.


Foreign Bank Operations in the United States
                    FBO branches are the most common types of FBO banking offices in the
                    United States. As of December 31, 1996, they accounted for about 76
                    percent of FBO banking assets in the United States and 51 percent of all FBO
                    assets—banking and nonbanking—in the United States.[10] As of that date,
                    498 FBO branches were operating in the United States, holding total assets
                    of $821 billion.[11] As legal and operational extensions of their parent foreign
                    banks, FBO branches have no capital of their own. FBO branches serve
                    primarily their home country and U.S. corporate customers and engage in
                    lending, money market services, trading,[12] trade financing, and other
                    activities with banks and other financial institutions. The FBO branches can
                    access the U.S. payments system through the Federal Reserve and obtain
                    other Federal Reserve services. Over the last decade, the globalization of
                    markets, the increase in transaction volume and volatility, and the
                    introduction of complex trading strategies have led capital markets and
                    trading activities to take on an increasingly important role at financial
                    institutions, including FBO branches.




                    [9] Adverse consequences of a lack of segregation of duties in trading activities were also evident in cases
                    involving Barings PLC and Sumitomo Corporation, which both suffered large losses as a result of
                    unauthorized trading.
                    [10] FBO banking assets include the assets of branches, agencies, subsidiary banks, Edge Act and
                    Agreement Corporations, and other deposit-taking entities. FBO nonbanking assets include the assets
                    of securities subsidiaries that underwrite or deal in certain securities and other subsidiaries.
                    [11] For purposes of comparison, the total assets of insured U.S. domestic banks were about $4.4 trillion
                    on December 31, 1996, excluding the assets of subsidiary banks of FBOs.
                    [12] FBO branches engage in a variety of different trading activities including foreign exchange,
                    derivatives, and securities trading.







The Federal Reserve Is Responsible for Oversight of the Combined U.S. Operations of FBOs
                            Before enactment of the International Banking Act of 1978 (IBA),[13] only
                            states licensed, supervised, and regulated the operations of FBO branches.
                            Under this system, FBO branches enjoyed many regulatory advantages
                            compared with U.S. banks, but the FBO branches also were restricted in
                            varying ways, depending upon the laws of the states in which they were
                            licensed. The IBA sought to “level the playing field” between branches and
                            U.S. domestic banks by introducing the FBOs to the dual-bank regulatory
                            system that is in effect for domestic banks. This policy of “national
                            treatment” allowed FBO branches to obtain a state charter or a federal
                            charter from the Office of the Comptroller of the Currency (OCC) and
                            served as the basis for provisions in the IBA that eliminated certain
                            advantages and disadvantages of state-only regulation.

                            The regulatory regime established by the IBA did not fully account for
                            certain safety and soundness and other concerns, however. In 1991,
                            Congress passed the Foreign Bank Supervision Enhancement Act (FBSEA).
                            This act, which amended the IBA, authorized federal oversight of all foreign
                            bank operations in the United States and vested this responsibility with
                            the Federal Reserve. FBSEA also established uniform standards for the
                            combined U.S. operations of foreign banks,[14] generally requiring them to
                            meet financial, management, and operational standards equivalent to those
                            required of U.S. banking organizations. Finally, FBSEA prohibited foreign
                            branches from accepting retail deposits (deposits of $100,000 or less that
                            are insured by FDIC),[15] although it grandfathered the branches that already
                            offered insured deposits.[16]

                            Under FBSEA, the Federal Reserve’s supervisory and regulatory powers
                            over FBOs include (1) approving all FBOs seeking to establish U.S. offices,
                            whether these offices are licensed by federal or state authorities, in
                            accordance with standards set forth in the act; (2) terminating the
                            activities of a state-licensed FBO branch or recommending that OCC
                            terminate the license of a federally licensed FBO branch; and (3) ensuring
                            that FBO operations in the United States are examined in a comprehensive
                            and coordinated manner.

                            [13] Public Law 95-369, 12 U.S.C. 3101 et seq., as amended.
                            [14] The “combined U.S. operations” of an FBO refers to all of its activities, banking or otherwise, in the
                            United States.
                            [15] FDIC and OCC have defined a nonretail deposit as, in general, an initial deposit of $100,000 or more.
                            However, FDIC and OCC regulations permit uninsured foreign branches to accept some deposits of
                            $100,000 or less. These deposits include those from any foreign or “large United States” business (a
                            U.S. business with more than $1 million in gross revenues or having its securities registered on a
                            national securities exchange or quoted on the NASDAQ); any governmental unit or international
                            organization; and any individual who is a noncitizen or nonresident at the time the initial deposit is
                            made. In addition, any other depositor may establish an uninsured deposit account under $100,000, but
                            only if the total amount of such deposits does not exceed 1 percent of the branch’s average deposits.
                            The branch cannot solicit these deposits. See 12 C.F.R. Parts 28 and 346.
                            [16] As of December 1996, 31 branches were FDIC-insured and subject to additional supervision by FDIC.


Foreign Banking Organization Supervision Program
                           To enhance their supervision of foreign banking operations in the United
                           States, the Federal Reserve began to implement its interagency FBO
                           Program in March 1995. Federal Reserve staff told us that the program was
                           scheduled to be implemented over a 3- to 5-year period, but that they
                           hoped to have it fully operational by 1998. The FBO Program was designed
                           to provide U.S. supervisors with a collective mechanism for supervising
                           the U.S. operations of FBOs in a coordinated, thorough, and efficient
                           manner, according to the Federal Reserve. The FBO Program is expected to
                           provide a mechanism to obtain comprehensive supervisory information
                           about the U.S. operations of FBOs, including information relevant to
                           assessments of FBO branches’ internal controls and audits. The FBO
                           Program is also intended to provide supervisors with an understanding of
                           FBOs’ ability to provide their U.S. operations with the necessary financial
                           and managerial support.

                           The FBO Program calls for the development and distribution of five new
                           supervisory products that have separate requirements regarding what they
                           are to contain, when they are to be prepared, and how they are to be used.
                           Each of the products is designed to assist in supervising FBOs. The
                           products include a Summary of Condition and Combined Rating,
                           Comprehensive Examination Plan, Review of Home Country Financial
                           System, Review of Significant Home Country Accounting Policies and
                           Practices, and Strength of Support Assessment. These products and how
                           they are designed to assist in the oversight of branch internal controls and
                           audits are described in more detail in chapter 4.


New Examination Rating System Heightened the Priority of the Effectiveness of Risk Management and Internal Controls
                           In 1994, federal and state bank supervisors began phasing in a new,
                           uniform examination rating system for U.S. branches of FBOs that
                           heightened the priority of the effectiveness of a branch’s risk management
                           processes and operational controls. This rating system, which is
                           commonly referred to as the ROCA system, focuses on: Risk management,
                           Operational controls, Compliance with U.S. laws and regulations, and
                           Asset quality.[17] (The previous rating system, which was known as the AIM
                           system, focused on Assets, Internal controls, and Management.) The first
                           three ROCA system components are to evaluate the major activities or
                           processes of an FBO branch that may raise supervisory concerns. The
                           fourth component of the rating system is to provide for a specific rating of
                           the quality of the FBO branch’s stock of assets as of the examination date.
                           The ROCA system is intended to direct attention to the types of
                           weaknesses in front- and back-office duties that allowed unauthorized
                           activities to continue undetected in Daiwa Bank. Table 1.1 describes each
                           component of the ROCA rating system. Each component is evaluated on a
                           scale of one to five, where one represents the least supervisory concern
                           and five represents the greatest concern. Chapter 4 describes the
                           supervisors’ shift from an AIM to a ROCA rating system in more detail.

                           [17] This report treats the terms “operational controls” and “internal controls” as synonyms.








Table 1.1: Components of the ROCA Rating System
                                    Component                        Description
                                    R                                Examiners are to determine the extent to which risk
                                                                     management techniques are adequate to (1) control risk
                                                                     exposures that result from the branch’s activities and (2)
                                                                     ensure adequate oversight by branch and head office
                                                                     management and, thereby, promote a safe and sound
                                                                     banking environment. The primary components that
                                                                     examiners look for in a sound risk management system
                                                                     are a comprehensive risk assessment approach; a
                                                                     detailed structure of limits, guidelines, and other
                                                                     parameters used to govern risk-taking; and a strong
                                                                     management information system for monitoring and
                                                                     reporting risks.
                                    O                                Examiners are to assess the effectiveness of the branch’s
                                                                     operational or internal controls, including accounting and
                                                                     financial controls. This assessment is to be based on the
                                                                     expectation that branches should have an independent
                                                                     internal audit function and/or an adequate system of head
                                                                     office or external audits as well as a system of internal
                                                                     controls consistent with the size and complexity of their
                                                                     operations. In this regard, internal audit and control
                                                                     procedures should ensure that operations are conducted
                                                                     in accordance with internal guidelines and regulatory
                                                                     policies and that all reports and analyses provided to the
                                                                     head office and branch senior management are timely
                                                                     and accurate.
                                    C                                Examiners are to determine whether branches
                                                                     demonstrate compliance with all applicable federal and
                                                                     state laws and regulations, including reporting and
                                                                     special supervisory requirements.
                                    A                                Generally, asset quality is to be evaluated to determine
                                                                     whether a financial entity has sufficient capital to absorb
                                                                     prospective losses, and ultimately, whether it can
                                                                     maintain its viability as an ongoing entity. The evaluation
                                                                     of asset quality in a branch does not have the same result
                                                                     because a branch is not a separately capitalized entity.
                                                                     Instead, the ability of a branch to honor its liability
                                                                     ultimately is to be based on the condition and level of
                                                                     support from the FBO. Therefore, if the FBO is presumed
                                                                     to be able to support the branch with sufficient resources
                                                                     on a consolidated basis, the assessment of asset quality
                                                                     would not in and of itself be a predominant factor if
                                                                     existing risk management techniques are considered to
                                                                     be satisfactory. However, if support from the FBO is
                                                                     questionable, the evaluation of asset quality is to be
                                                                     carefully considered in determining whether supervisory
                                                                     actions are needed to improve the branch’s ability to
                                                                     meet its obligations on a stand-alone basis.
                                    Source: Enhanced Framework for Supervising the U.S. Operations of Foreign Banking
                                    Organizations, Board of Governors of the Federal Reserve System, March 31, 1995 (SR95-22,
                                    Attachment III).








                                   The overall composite ROCA rating is to indicate whether, in the
                                   aggregate, the operations of the FBO branch may present supervisory
                                   concerns and the extent of these concerns. The composite rating is based
                                   on a scale of one through five, with one representing the least supervisory
                                   concern and five representing the greatest concern. The five composite
                                   ratings are defined in table 1.2.

Table 1.2: Composite ROCA Rating Definitions and the Required Supervisory Response

                                                                    Definition of branch            Required supervisory
                                   Rating                           characteristic                  response
                                   1                                Strong condition in every       Only normal supervisory
                                                                    respect.                        attention is required.
                                   2                                Satisfactory condition but      Generally, only normal
                                                                    may have modest                 supervisory attention is
                                                                    weaknesses that can be          required.
                                                                    corrected by branch
                                                                    management in the normal
                                                                    course of business.
                                   3                                Fair condition due to a         Generally, branches in this
                                                                    combination of weaknesses       category raise supervisory
                                                                    in risk management,             concern and require more
                                                                    operational controls, and       than normal supervisory
                                                                    compliance or asset quality     attention to address their
                                                                    problems that, in               weaknesses.
                                                                    combination with the
                                                                    condition of the FBO or
                                                                    other factors, cause
                                                                    supervisory concern.
                                   4                                Marginal condition due to       Branches in this category
                                                                    serious weaknesses as           require close supervisory
                                                                    reflected in the                attention and surveillance
                                                                    assessments of the              monitoring and a definitive
                                                                    individual components.          plan for corrective action by
                                                                    Serious problems or unsafe      branch and head office
                                                                    and unsound banking             management.
                                                                    practices or operations
                                                                    exist that have not been
                                                                    satisfactorily addressed or
                                                                    resolved by branch and/or
                                                                    head office management.
                                   5                                Unsatisfactory condition        Branches in this category
                                                                    due to a high level of severe   require urgent restructuring
                                                                    weaknesses or unsafe and        of operations by branch
                                                                    unsound conditions.             and head office
                                                                                                    management.
                                   Source: Enhanced Framework for Supervising the U.S. Operations of Foreign Banking
                                   Organizations, Board of Governors of the Federal Reserve System, March 31, 1995 (SR95-22,
                                   Attachment III).








Internal Control Is to Provide Directors and Management With Reasonable
Assurance That Objectives Will be Achieved

                             Internal control is the process by which an entity’s board of directors,
                             management, and/or other personnel obtain reasonable assurance that the
                             objectives in the three following categories will be achieved:

                         •   Operations—relating to effective and efficient use of the entity’s
                             resources.
                         •   Financial reporting—relating to preparation of reliable financial reports.
                         •   Compliance—relating to the entity’s compliance with applicable laws and
                             regulations.

                             Although good internal control can provide reasonable assurance that an
                             entity can achieve the three objectives, it has limitations. Internal control
                             can only help ensure an entity’s business success, since shifts in external
                             conditions—such as competitors’ actions or economic conditions—can be
                             beyond the control of management. Likewise, internal control can only
                             help ensure the reliability of financial reporting and compliance with laws
                             and regulations because judgments in decisionmaking can be faulty and
                             breakdowns can occur due to simple error or mistake. In addition,
                             controls can be circumvented by the collusion of two or more people, and
                             management has the ability to override the system. Another limiting factor
                             is that the design of an internal control system must reflect that resource
                             constraints exist, and the benefits of controls must be considered relative
                             to their costs.

                             Internal auditing is a management function that is intended to
                             independently evaluate the adequacy and effectiveness of the control
                             systems within an organization and the quality of ongoing operations.
                             Internal auditors are to directly examine the adequacy and effectiveness of
                             internal control components and recommend improvements in such
                             controls. Internal auditors should contribute to the ongoing effectiveness
                             of the internal control system, but they do not have primary responsibility
                             for establishing or maintaining the system. According to the Examination
                             Manual for U.S. Branches and Agencies of Foreign Banking Organizations
                             (examination manual), internal auditors should be independent of the
                             activities they audit.

                             External audits are performed to provide an independent assessment of
                             the reliability of an entity’s financial statements and may provide
                             management with useful information for conducting internal control
                             responsibilities. The external auditor is to give an opinion on the financial
                             statements. The extent of attention that the external auditor gives to
                             internal control varies from audit to audit, but the external auditor is
                             rarely, if ever, in a position to identify all internal control weaknesses that
                             might exist in an entity.


Objectives, Scope, and Methodology

                     The specific objectives of this report are to (1) identify U.S. supervisors’
                     expectations for adequate internal controls and audits in FBO branches,
                     (2) determine the extent of serious weaknesses in FBO branches’ internal
                     controls and audit reported by U.S. supervisors, and (3) describe U.S.
                     supervisors’ efforts to address these weaknesses.

                     To describe the criteria that U.S. supervisors use to assess branches’
                     internal controls and audits, we reviewed the examination manual
                     developed by federal and state supervisors for examining FBO branches.
                     We also reviewed other related supervisory guidance and interviewed
                     some state supervisory staff and Federal Reserve staff from the New York,
                     San Francisco, Chicago, and Atlanta Federal Reserve districts.

                     To determine the extent of serious weaknesses reported in FBO branches’
                     internal controls and audits, we reviewed all 99 enforcement actions taken
                     by federal and state supervisors against FBO branches for internal control
                     and/or audit weaknesses from January 1993 to June 1996, and we
                     compiled a list of serious internal control and audit weaknesses by noting
                     the specific weaknesses described in the enforcement actions. We
                     classified these weaknesses by type of weakness, such as inadequate
                     segregation of duties, and by type of operation at the branch where the
                     weakness occurred, such as trading operations. We then developed a data
                     collection instrument (DCI) that we used to categorize serious internal
                     control and audit weaknesses as reported by U.S. supervisors in
                     examination reports. We received and incorporated comments on our
                     preliminary DCI from Federal Reserve staff.

                     Using the DCI, we quantified the types of weaknesses cited in 425
                     examination reports for 254 FBO branches that were examined from
                     January 1993 to June 1996. Of the 425 examinations, 267 resulted in FBO
                     branches receiving AIM or ROCA composite ratings of 3, 4, or 5. The
                     remaining 158 examinations resulted in FBO branches receiving a higher
                     composite rating but a 3, 4, or 5 in the “I” component of the AIM rating or
                     the “R” or “O” components of the ROCA rating. These components are
                     heavily affected by internal control and audit weaknesses. The percentage
                     of FBO branches whose examination reports we reviewed varied from a
                     high of about 30 percent of all FBO branches in 1993 to about 20 percent in
                     1996.







This methodology provided data on the extent of serious internal control
weaknesses that were included in enforcement actions in low-rated FBO
branches. It was not designed to provide the extent of all types of internal
control weaknesses. We reviewed examination reports and enforcement
actions from six Federal Reserve districts: New York, San Francisco,
Chicago, Atlanta, Boston, and Philadelphia. We did not independently
verify the information contained in the examination reports.

We discussed our DCI results with Federal Reserve and New York State
Banking Department staff who identified those weaknesses they
considered to be among the most serious.

To provide perspective to the number of weaknesses cited in branches of
foreign banks, we also reviewed 190 examination reports from a sample of
similarly low-rated domestically chartered banks using the same DCI. The
domestically chartered banks were examined by the Federal Reserve or
jointly examined by the Federal Reserve and the appropriate state
supervisor. These banks were located in the New York, San Francisco,
Chicago, and Atlanta Federal Reserve districts.

To describe the concerns of U.S. supervisors that were raised by FBO
branches’ internal control and audit weaknesses and the efforts by U.S.
supervisors and others to address these concerns, we interviewed staff
from federal and state supervisory agencies to obtain their views on the
seriousness of the weaknesses reported, the risks posed by these
weaknesses, and the efforts of federal and state supervisors to address
them. We also reviewed supervisory guidance detailing efforts to improve
oversight of FBO branches.

We conducted our work in Washington, D.C.; New York; Chicago; Atlanta;
San Francisco; and Miami between July 1996 and June 1997 in accordance
with generally accepted government auditing standards.

We requested comments on a draft of this report from the Federal Reserve
Board, which provided written comments. A discussion of these
comments appears at the end of chapter 4. The Federal Reserve Board’s
comments are reproduced in appendix II. In addition, Federal Reserve
staff provided technical comments, which we incorporated in this report
where appropriate.




Chapter 2

U.S. Bank Supervisors Expect Internal
Controls That Enable Timely Detection of
Any Significant Errors or Irregularities
               According to the examination manual, supervisory agencies in the United
               States expect each U.S. FBO branch to have internal controls consistent
               with the size and complexity of its operations as well as an independent
               internal audit function and/or adequate audit coverage by the head office[1]
               or external auditors. The examination manual states that an underlying
               objective of this supervisory policy is to preserve the “high standards,
               efficiency, and confidence in U.S. markets.” Supervisors told us that if this
               policy was not applied to FBO branches, the integrity of business practices
               within the market could be undermined. These officials said that such a
               result was a greater concern than the potential for systemic risk
               associated with losses from unauthorized or illegal activity at an FBO
               branch.[2]

               From a supervisory perspective, good internal control exists when no one
               at an FBO branch is in a position to make significant errors or perpetrate
               significant irregularities without timely detection. In assessing an FBO
               branch’s internal controls, supervisors are to consider (1) the adequacy of
               these controls and the level of adherence to them; (2) the frequency,
               scope, and adequacy of the branch’s internal and external audit function;
               (3) the number and severity of internal control and audit exceptions;
               (4) whether internal control and audit exceptions are effectively tracked
               and resolved in a timely manner; (5) the adequacy and accuracy of
               management information reports; and (6) whether the system of controls
               is regularly reviewed to keep pace with changes in the FBO branch’s
               business plan and laws and regulations. In addition, supervisors are to
               evaluate whether an FBO branch’s internal controls for regulatory reporting
               help ensure that all required reports are submitted on time and are
               accurate.




               [1] The head office is the headquarters of the FBO.

               [2] Systemic risk is the possibility that failure of one or more financial organizations will trigger a chain
               reaction and cause the collapse of other financial organizations. A chain reaction of failures could take
               place because of linkages between and among markets and due to participation by the same
               institutions in several markets. Systemic risk is the risk that a disturbance could severely impair the
               workings of the financial system and, at the extreme, cause a complete breakdown. A breakdown in
               capital markets could disrupt the process of savings and investment, undermine the long-term
               confidence of private investors, and cause turmoil in the normal course of economic transactions.







Effective Internal Controls and Audits Are Essential to Preserving the
Integrity of the U.S. Financial System

                        According to the Federal Reserve Board Chairman, the U.S. financial
                        system is strong and vibrant, in large part because the United States
                        demands that financial institutions participating in its markets operate
                        with integrity and that any information made available to depositors and
                        investors be accurate. When confidence in the integrity of a financial
                        institution is shaken or its commitment to the honest conduct of business
                        is in doubt, public trust erodes and the entire system is weakened. Within
                        this context, the Chairman said that termination of the Daiwa Bank’s U.S.
                        operations was necessary because such behavior by a financial institution
                        could cause significant damage to the integrity of the U.S. financial system.

                        The Chairman also stated that what is true for the financial system in
                        general is also particularly true for the supervision of financial institutions.
                        The whole system of supervision proceeds upon the basis of trust, whether
                        in terms of the representations or reports filed by management or in terms
                        of transparency with regard to any material developments affecting the
                        financial condition of the institutions. Supervisors need to trust the ability
                        of bank management to carry out their duties in a responsible and honest
                        manner with adherence to systems and internal controls designed to
                        ensure the safe and sound conduct of business.

                        Supervisory officials reiterated this theme to us in explaining the
                        importance of internal controls and explaining their concerns about
                        weaknesses in the internal control and audit functions. The officials said
                        that FBO branches must be held to the same standards as their U.S.
                        competitors or an erosion of the integrity of business practices within the
                        market could occur. They also said that allowing FBO branches to operate
                        under weaker requirements than domestic banks could undermine the
                        policy of national treatment.

                        The potential for erosion of the integrity, confidence, and efficiency in U.S.
                        financial markets was a greater concern to the supervisors than the
                        potential for systemic risk associated with losses from unauthorized or
                        illegal activity at an FBO branch. Although the officials acknowledged the
                        potential for systemic risk should a foreign bank with substantial
                        obligations to U.S. institutions fail because of losses incurred by one of its
                        U.S. FBO branches, they believed the risk was minimal.








Adequacy and Adherence to Internal Control Requirements Is an Important
Focus of Examination Guidance

                            In conducting examinations of FBO branches, supervisors are guided in
                            part by the examination manual, which was prepared under the direction
                            of the Federal Reserve.[3] According to the examination manual, the key
                            objectives in examining FBO branches are to

                        •   determine the adequacy of the system of internal control and of FBO
                            branch policies, practices, and procedures;
                        •   evaluate the scope and adequacy of the internal control environment and
                            audit function;
                        •   determine compliance with laws, regulations, and rulings; and
                        •   evaluate adherence with internal policies and procedures.

                            In general, good internal control exists when no one is in a position to
                            make significant errors or perpetrate significant irregularities without
                            timely detection, according to the examination manual. The examination
                            manual contains control procedures that are to help ensure that no one is
                            in a position to make significant errors or perpetrate significant
                            irregularities without timely detection. These procedures fall into the
                            following five categories:

                        •   Proper authorization of transactions and activities.
                        •   Segregation of duties, which reduces opportunity for any person to both
                            perpetrate and conceal errors or irregularities in the normal course of his
                            or her duties. Segregation of duties often means assigning different people
                            the responsibilities of authorizing transactions, recording transactions,
                            and maintaining custody of assets.
                        •   Design and use of adequate documents and records to help ensure the
                            proper recording of transactions and events.
                        •   Adequate safeguards over access to and use of assets and records, such as
                            secured facilities and authorization for access to computer programs and
                            data files.
                        •   Independent checks on performance and proper valuation of recorded
                            amounts, such as clerical checks, reconciliations, comparison of assets
                            with recorded accountability, computer programmed controls,
                            management review of reports that summarize the detail of account
                            balances, and user review of computer-generated reports. One method of
                            ensuring an independent check on performance is requiring that
                            employees in sensitive positions be absent from their duties for a
                            minimum number of consecutive days (often 2 weeks). Employees in
                            sensitive positions include those with financial responsibilities that can
                            influence the accuracy of the accounting and financial records or those
                            with access to assets.

                            [3] The examination manual is to be followed by federal and state supervisors when conducting
                            examinations of FBO branches. The examination manual is divided into sections dealing with
                            particular banking activities and each section generally includes subsections providing overviews,
                            examination objectives, examination procedures, internal control questionnaires, and audit guidelines.

                             In assessing the internal controls of an FBO branch, supervisors seek to
                             determine not only that the FBO branch has established the necessary
                             control policies and procedures but also that these controls are carried out
                             by competent people who do not have incompatible duties. An example of
                             incompatible duties in control procedures related to credit activities
                             would be the maintenance of records of charged-off loans by a person who
                             also has custody of the notes or receives payment. To make their
                             assessments, supervisors are to review the duties of key employees and
                             evaluate their ability to perform their duties by reviewing their educational
                             experiences and job performances.


FBO Branches Are Expected to Have Independent Internal Audits and/or
Adequate Head Office or External Audits

                             U.S. supervisors expect FBO branches to have an independent internal
                             audit function and/or adequate audit coverage by the head office or
                             external auditors. Internal audits should ensure that operations are
                             conducted in accordance with internal guidelines and supervisory policies
                             and that all reports and analyses provided to the head office, FBO branch
                             senior management, and supervisors are timely and accurate. Internal
                             auditors are responsible for assessing the soundness and adequacy of an
                             FBO branch’s controls to ensure that they promptly and accurately record
                             transactions and properly safeguard assets against loss.


Scope and Frequency of Internal Audits

                             The examination manual states that the scope of the program of internal
                             audit must be sufficient to attain the audit objectives. In assessing the
                             scope of the audit, supervisors are to consider whether all important FBO
                             branch functions and services are included in the audit scope and whether
                             the audit program includes procedures that are necessary to reasonably
                             ensure compliance with applicable U.S. law and regulations. The
                             frequency with which the audit procedures are performed is to be based
                             on an evaluation of the risk associated with each area of audit interest.
                             Among the factors that the auditor should consider in assessing risk are
                             the following:

                         •   the nature of the specific operation of the specific assets and liabilities
                             under review,
                         •   the existence of appropriate policies and internal control standards,
                         •   the effectiveness of operating procedures and internal controls, and
                         •   the potential materiality of errors or irregularities associated with the
                             specific operation.


Independence of Internal Auditors

                               In reviewing and evaluating the internal audit function, U.S. supervisors
                               are to consider, among other things, the independence of the internal
                               auditors. The ability of the internal audit function to achieve its audit
                               objectives depends, in large part, on the extent of such independence.
                               According to the examination manual, the independence of internal
                               auditors can frequently be determined by the reporting lines within the
                               organization and to whom or at what level audit results are reported. In
                               most circumstances, the internal audit function at the FBO branch is to be
                               under the ultimate direction of the FBO’s chief internal auditor and/or
                               executive management or a committee thereof. The examination manual
                               states that to be considered independent, the internal auditor should be
                               given the authority to perform the job, including free access to any records
                               necessary for the proper conduct of the audit. Furthermore, internal
                               auditors generally should not have responsibility for supervising the
                               accounting system, other aspects of the FBO branch’s accounting function,
                               or any operational function.


Effectiveness of the Internal Audit Program

                               In reviewing and evaluating the internal audit function, U.S. supervisors
                               are also to assess the effectiveness of the internal audit program. In
                               addition to considering the scope and frequency of the work performed,
                               supervisors are to consider the following two factors, among others, in
                               assessments for effectiveness:

                           •   Documentation of the work performed. Work programs should be written
                               and individual audit procedures should be presented in a logical manner.
                               Each program should provide a clear, concise description of the audit
                               work required, analyses that clearly indicate the procedures performed,
                               the extent of testing, and the basis for conclusions reached.
                           •   Management’s response to the findings. A measurement of the program’s
                               effectiveness is a prompt and effective management response to the
                               auditor’s recommendations.

                               According to the examination manual, head office management of the FBO
                               should require that FBO branch management respond formally to audit
                               findings and take appropriate corrective action. Management is expected
                               to respond to all internal and external audits and supervisory
                               examinations. Management responses should be timely and address all
                              findings in the reports, unless specifically noted in the audit report that a
                              response is not necessary. Responses should include concrete solutions
                              that have already been put in place or that will be implemented in a timely
                              manner. Management is to immediately respond to repeat problems noted
                              in the audit report.


External Audits Help Ensure Accuracy of Financial Statements and Help Detect Conditions
That Could Adversely Affect Banking Organizations or the Public

                              According to the examination manual, external audits enhance the
                              probability that financial statements and reports to regulatory authorities
                              and other financial statement users will be accurate and help detect
                              conditions that could adversely affect banking organizations or the public.
                              The independent audit process also subjects the internal controls and the
                              accounting policies, procedures, and records of each banking organization
                              to periodic review.

                              The objective of an external financial audit is different from the objectives
                              of an internal audit or an FBO branch examination. Therefore, the
                              supervisor is interested in the work performed by external auditors for
                              three principal reasons. First, supervisors may find that internal audit
                              work is not being performed or that such work is deemed to be of limited
                              or no value to the supervisor. Second, the work performed by external
                              auditors may affect the amount of testing that the supervisor must
                              perform. Third, audits and other reports rendered by external auditors
                              may provide the supervisor with information that is pertinent to the
                              examination of the FBO branch.

                              According to the examination manual, the major factors that should be
                              considered in evaluating the work of external auditors are similar to those
                              factors that are applicable to internal auditors, that is, the competence and
                              independence of the auditors and the adequacy of the audit program.

                              Federal Reserve officials we interviewed said internal auditors can play an
                              important role in the external audit. That is, if an FBO branch has a good
                              internal audit, the external auditor can limit the amount of testing it has to
                              do, thereby decreasing its volume of work and allowing it to concentrate
                              on other areas.








Supervisors Expect Internal Controls to Help Ensure Timely and Accurate Regulatory Reports

                            The examination manual states that an FBO branch’s internal control
                            program for supervisory reports is to ensure that all required reports are
                            submitted on time and are accurate. U.S. supervisors rely on the timely
                            and accurate filing of supervisory reports by domestic and foreign
                            financial institutions. Data collected from supervisory reports are to
                            (1) facilitate early identification of problem situations that can threaten
                            the safety and soundness of reporting institutions, (2) ensure timely
                            implementation of the prompt corrective action provisions of banking
                            legislation, and (3) serve other legitimate supervisory purposes. In
                            addition, accurate regulatory reports allow supervisors to better target
                            examination resources.

                            Supervisors are required to discuss in the examination reports of FBO
                            branches any material errors or the filing of late regulatory reports.
                            According to the examination manual, Reserve Bank staff are also to be
                            notified of any regulatory report filing that is considered misleading. A
                            misleading report could involve some degree of knowing or reckless
                            behavior on the part of the filer and the intentional or negligent
                            submission of inaccurate information to the Federal Reserve. On the other
                            hand, a false report could involve the submission of mathematically
                            incorrect data, such as addition errors or transpositions, the submission of
                            call reports (Report of Assets and Liabilities) without appropriate
                            schedules, or the inadvertent filing of inaccurate information.




Chapter 3

A Significant Number of FBO Branches
Rated Fair or Lower Had Serious Internal
Control and Audit Weaknesses
               The results of our analysis of examination reports of the 254 FBO branches
               rated fair, marginal, and unsatisfactory (i.e., 3, 4, or 5) from January 1993
               to June 1996 indicate that a significant number of these FBO branches were
               reported to have serious weaknesses in internal controls, and that a
               majority of the FBO branches had at least 1 serious audit weakness.
               Generally, FBO branches engaged in trading as a major line of business had
               a greater number of internal control and audit weaknesses than
               nontrading FBO branches. Twenty-eight percent of the FBO branches in our
               study were reported to have inadequate segregation of duties in trading
               and/or EFT activities—which are weaknesses that supervisors we
               interviewed identified as among the most serious weaknesses in control
               procedures. These weaknesses can heighten risk of losses due to
               misconduct, including unauthorized trading and misappropriation of
               funds, as occurred at Daiwa Bank. Other serious internal control
               weaknesses cited in the examination reports included lack of dual control
               and independent verification in trading and/or EFT, lack of security and
               access restrictions in EFT, and failure to ensure that employees in sensitive
               positions were absent for a minimum number of consecutive days to allow
               another employee the opportunity to detect improper actions.1

               Ideally, FBO branch management learns of control weaknesses through
               appropriately designed audits and other means, then strengthens controls,
               and finally conducts periodic audits to verify that the controls are
               operating as designed. However, 69 percent of the FBO branches in our
               study were reported to have audits of inadequate scope, indicating that the
               audit did not cover all of the FBO branch’s activities that supervisors
               believed should have been covered. Other serious audit weaknesses
               included inadequate frequency of audits, inadequate response to audit
               criticisms, and inadequate audit independence.

               Subsequent examinations showed that FBO branch management did not
               correct audit weaknesses in response to supervisory examinations at
               many FBO branches. For example, 53 percent of the 171 FBO branches with
               audits of inadequate scope that were examined more than once in our
               study period were found to have audits of inadequate scope in subsequent
               examinations.

               To better understand the seriousness of our findings of internal control
               weakness at the FBO branches, we compared the FBO branch findings with
               examination findings for a sample of U.S. domestic banks. The comparison
               was limited because the FBO branches had usually engaged in a greater
               variety of major business activities than the U.S. domestic banks, and
               more than one-half of the FBO branches had engaged in trading activities
               while only one of the U.S. domestic banks had. The comparison showed
               that domestic banks tended to have fewer identified internal control
               weaknesses than FBO branches.

               1 The Federal Reserve generally recommends that employees be absent for 2 consecutive weeks.


Serious Internal Control Weaknesses Exposed a Significant Number of FBO Branches
to Risk of Losses From Misconduct

                        To determine the extent of weaknesses in internal controls at FBO
                        branches in the United States, we identified weaknesses that, because of
                        their seriousness, prompted supervisory action. We developed a DCI that
                        was designed to collect, from supervisory examination reports, the extent
                        of serious internal control weaknesses and other FBO branch-specific
                        information, such as assigned ratings, major lines of business, and asset
                        size. We discussed our preliminary findings with supervisory staff from the
                        Federal Reserve and New York state, who then helped us further narrow
                        our focus to those weaknesses they considered to be among the most
                        serious as we continued our analysis.

                        Those weaknesses, which were cited in a significant number of FBO
                        branches, included inadequate segregation of duties, lack of dual control
                        and independent verification in trading activity and EFT, lack of security
                        and/or access restrictions in EFTs, inadequate safekeeping and/or
                        documentation in trading activities, and the failure to ensure that
                        employees in sensitive positions were absent for a minimum number of
                        consecutive days. The number of FBO branches rated fair or lower that
                        were reported to have these weaknesses is summarized in table 3.1.








Table 3.1: Internal Control Weaknesses U.S. Supervisors Identified as Among the Most Serious
Reported in FBO Branches in the United States, Rated Fair, Marginal, or Unsatisfactory During
January 1993 to June 1996

Internal control weaknesses supervisors              Number of FBO    Percentage of FBO branches
identified as among the most serious                      branches           rated fair or lower
------------------------------------------------------------------------------------------------
Inadequate segregation of duties in trading                     72                           28%
  and/or EFT activities
Lack of dual control and independent verification               53                           21
  in trading and/or EFT activities
Lack of security and access restrictions in EFTs                57                           22
Employee(s) in sensitive positions were not absent              56                           22
  for a minimum number of consecutive days
Inadequate safekeeping and/or documentation in                  39                           15
  trading activities
Inadequate security and access restrictions for                 16                            6
  accounting system software

Note: We reviewed the examination reports for all FBO branches assigned a composite AIM or
ROCA rating of three, four, or five from January 1993 to June 1996 as well as FBO branches with
higher composite ratings that had ratings of three, four, or five in components that are heavily
affected by internal control and audit weaknesses. The percentage of FBO branches whose
examination reports we reviewed varied from a high of about 30 percent of all FBO branches in
1993 to about 20 percent in 1996. The total number of FBO branches included in our analysis
over the 3-1/2 year period was 254.

Source: GAO analysis of U.S. supervisory examination reports.




Twenty-eight Percent of the FBO Branches Were Reported to Lack Adequate
Segregation of Duties in Trading and/or EFT Activities

                                         As summarized in table 3.1, the results of our analysis of examination
                                         reports of the 254 FBO branches rated fair, marginal, or unsatisfactory from
                                         January 1993 to June 1996 indicate that 28 percent (72) of the 254 FBO
                                         branches were reported to lack adequate segregation of duties in trading
                                         and/or EFT activities. Inadequate segregation of duties in these activities is
                                         among the most serious internal control weaknesses because it heightens
                                         risk of losses due to misconduct, including unauthorized trading and
                                         misappropriation of customer and bank funds, and has been recognized as
                                         a factor in serious financial losses, such as those suffered by Daiwa Bank
                                         and Barings PLC. Federal Reserve officials we interviewed said that a lack
                                         of segregation of duties is particularly important in trading and EFT
                                         activities because these activities involve the movement of potentially
                                         large sums of money.








                            One examination report we reviewed described a segregation of duties
                            weakness involving trading as follows: “Segregation of duties between
                            back office and trading remains a serious concern. The lack of a
                            completely independent back office prevents FBO branch and head office
                            management from ensuring compliance with policies and procedures, and
                            effectively monitoring and controlling trading risk.” Another examination
                            report described the weakness for electronic funds transfers as follows:
                            “Segregation of duties and controls over the systems security
                            administration of the wire transfer and treasury operations are
                            unsatisfactory and compromise the safety and soundness of the FBO
                            branch.” Another report stated the following: “An absence of segregation
                            of duties was identified in the agency’s payment order operation. Both the
                            agency’s teller and manager of operations can independently input, verify,
                            release, amend, and cancel wire transfers. This situation exposes the
                            agency to undue risk of fraud or misappropriation of customer funds.”

                            Of the 72 FBO branches found to lack adequate segregation of duties, 43
                            were reported to have weaknesses in segregation of duties in EFT
                            activities, and 39 were reported to have weaknesses in trading activities.
                            Ten of these FBO branches had both weaknesses during the study period.


Twenty-one Percent of the FBO Branches Were Reported to Lack Dual Control/Independent
Verification in Trading and/or EFT Activities

                            We found that 21 percent (53) of the FBO branches rated fair or lower were
                            reported to lack dual control and independent verification in trading
                            and/or EFT activities. Dual control is an internal control procedure that is
                            intended to provide an independent check on performance or proper
                            valuation of recorded amounts. For example, some functions, such as
                            electronically transferring (wiring) funds out of the institution, may be
                            permitted only if done by two individuals simultaneously. In other cases, it
                            might be appropriate for a single individual to carry out a specific
                            function, with another person independently verifying that the function
                            was done properly.

                            Inadequate independent verification in an FBO branch’s trading activities
                            was described as follows in an examination report we reviewed: “All
                            trades are recorded on audio tape. However, the foreign exchange trader
                            has access to the tapes. The tapes should be controlled independently of
                            the foreign exchange trader.” Another examination report described the
                            proper storage of test keys, which are used to verify wire transfer orders,
                            as follows: “Test keys for the wire transfer area should be stored in an area
                            physically separate from the rest of branch operations. Test keys should
                             be secured when not in use and should not be accessible to employees not
                             directly involved in the testing of incoming messages or payment orders.”


Twenty-two Percent of the FBO Branches Were Reported to Lack Security and/or
Access Restrictions in EFTs

                             The results of our analysis showed that 22 percent (57) of the FBO
                             branches were reported to lack security and/or access restrictions in EFTs.
                             This type of internal control requires security, usually in the form of
                             physical or electronic restrictions, on access to information or machinery
                             that could potentially be used to do financial harm to individuals or the
                             institution. Like dual control/independent verification in EFTs, security
                             and/or access restrictions in EFTs help mitigate the risk of losses due to
                             unauthorized transfers of bank or customer funds. One examination report
                             we reviewed instructed FBO branch management that “Access controls for
                             the wire transfer terminals remain inadequate. Management should ensure
                             that access to these terminals is properly restricted.”


Twenty-two Percent of FBO Branches Were Reported as Failing to Ensure That Employees in
Sensitive Positions Were Absent for a Minimum Number of Consecutive Days

                             We found that 22 percent (56) of the FBO branches were reported as failing
                             to ensure that employees in sensitive positions were absent for a minimum
                             number of consecutive days. This is a control procedure that was found
                             lacking in Daiwa Bank before disclosure of its losses. As previously
                             mentioned in chapter 2, this policy is a way of ensuring an independent
                             check on performance, since the employee’s absence would subject his or
                             her activities to scrutiny by others. Employees in sensitive positions are
                             those that have financial responsibilities that can influence the accuracy of
                             the accounting and financial records or have access to assets.

Fifteen Percent of the FBO Branches Were Reported to Have Inadequate Safekeeping and/or
Documentation in Trading Activities

                             We found that 15 percent (39) of the FBO branches were reported to have
                             inadequate safekeeping and/or documentation in trading activities.
                             Supervisors identified safekeeping and/or documentation in trading
                             activities as important in mitigating legal risk in trading activities in the
                             United States. Supervisory officials we interviewed said that problems
                             with documentation and safekeeping could present a legal risk in the event
                             of litigation. They said that foreign banks often do not understand this
                             risk. Customers in some countries, the officials said, would never consider
                             suing a bank, but in the United States, this is a very real risk.








Six Percent of FBO Branches Were Reported to Have Inadequate Security and Access
Restrictions for Accounting System Software

                         We found that 6 percent (16) of the FBO branches were reported to lack
                         adequate security and/or access restrictions for accounting system
                         software. This type of internal control requires security, usually in the
                         form of physical or electronic restrictions, on access to information or
                         machinery that could potentially be used to do financial harm to
                         individuals or the FBO branch. Security and access restrictions for
                         accounting system software can help prevent manipulation of accounting
                         records to conceal misconduct.


A Substantial Number of FBO Branches Had Serious Audit Weaknesses

                         As discussed in chapter 2, audits help management ensure that all
                         operations are conducted in accordance with internal guidelines and
                         supervisory policies, and that all reports and analyses provided to the FBO
                         head office and branch senior management are timely and accurate. The
                         role that audits play in helping to ensure effective control procedures was
                         confirmed by our statistical analysis of the examination reports of 254 FBO
                         branches rated fair or lower. The analysis showed that reports of audit
                         weaknesses generally indicated larger numbers of internal control
                         weaknesses. FBO branches with one or more audit weaknesses tended to
                         have more internal control weaknesses than FBO branches that had no
                         audit weaknesses. Federal Reserve staff we interviewed said that it was no
                         surprise to them that FBO branches that do not adequately police
                         themselves would have more internal control weaknesses. They said that
                         strong audits are important to help ensure safety and soundness, in part,
                         because it will never be possible for supervisors to pick up everything in
                         an examination.

                         As summarized in table 3.2, a majority of the 254 FBO branches rated fair or
                         lower had at least 1 serious audit weakness. Sixty-seven percent of the FBO
                         branches in the study were reported to have audits of inadequate scope;
                         41 percent had inadequate frequency of audits, 28 percent had inadequate
                         response to audit criticisms, 26 percent had inadequate audit
                         independence, 24 percent had inadequate workpapers/documentation, and
                         9 percent had a lack of adequate supervision by the head office.








Table 3.2: Audit Weaknesses U.S. Supervisors Identified as Among the Most Serious Reported in FBO
Branches in the United States, Rated Fair, Marginal, or Unsatisfactory During January 1993 to June 1996

Audit weaknesses U.S. supervisors           Number of FBO     Percentage of FBO branches
identified as among the most serious        branches          rated fair or lower
Inadequate scope of audit coverage          171               67%
Inadequate frequency of audits              103               41
Inadequate response to audit criticisms      71               28
Inadequate audit independence                67               26
Inadequate workpapers or documentation       62               24
Lack of head office supervision              23                9

Note: We reviewed the examination reports for all FBO branches and agencies assigned a
composite AIM or ROCA rating of three, four, or five from January 1993 to June 1996 as well as
FBO branches with higher composite ratings that had fair to low ratings in components that are
heavily affected by internal control and audit weaknesses. The percentage of FBO branches
whose examination reports we reviewed varied from a high of about 30 percent of all FBO
branches in 1993 to about 20 percent in 1996. The total number of FBO branches rated fair or
lower included in our analysis over the 3-1/2 year period was 254.

Source: GAO analysis of U.S. supervisory examination reports.




Sixty-seven Percent of the FBO Branches Were Reported to Have Inadequate Scope of Audit Coverage

                                       The results of our analysis indicated that 67 percent (171) of the FBO
                                       branches rated fair or lower were reported to have inadequate scope of
                                       audit coverage. This audit weakness compromises the ability of
                                       management to ensure that all operations are conducted in accordance
                                       with internal guidelines and supervisory policies, and that all reports and
                                       analyses provided to the head office and FBO branch senior management
                                       are timely and accurate. In assessing this aspect of an audit, supervisors
                                       seek to determine if all important FBO branch functions and services are
                                       included in the audit scope and whether the audit program includes
                                       procedures necessary to reasonably ensure compliance with applicable
                                       U.S. laws and regulations. Supervisory officials we interviewed agreed that
                                       inadequate scope of audit coverage and other audit weaknesses we
                                       discuss in this section of the report are among the most serious
                                       weaknesses in the internal controls of FBO branches.








                            We also found that inadequate scope of audit coverage was the most
                            frequently reported recurring weakness. Of the 171 FBO branches that were
                            reported to have inadequate scope of audit coverage, 116 were examined
                            more than once from January 1993 to June 1996. Over one-half (61) of
                            these 116 FBO branches had recurring reports of inadequate scope of audit
                            coverage. This may be explained in part—as suggested by supervisory
                            officials we interviewed—by the increasing complexity in the industry and
                            the fast rate of change in the banking system, which requires institutions
                            to continually reassess their risks and the appropriate audit coverage.


Forty-one Percent of the FBO Branches Were Reported to Have Inadequate Frequency of Audits

                            We found that 41 percent (103) of the FBO branches rated fair or lower
                            were found by supervisors to have audits of inadequate frequency. As
                            discussed in chapter 2, the frequency with which the audit procedures are
                            performed should be based on an evaluation of the risk associated with
                            each area of audit interest. Of the 116 FBO branches that were examined
                            more than once from January 1993 to June 1996, 19 were cited for
                            inadequate frequency of audits more than once. This weakness was
                            described in an examination report as follows: “The agency does not
                            employ an independent auditor to conduct internal control reviews, and
                            head office audits are infrequent. There is no assurance that annual audits
                            are to be performed in the future.”


Twenty-eight Percent of the FBO Branches Were Reported to Have Inadequate Response to Audit Criticisms

                            The results of our analysis indicated that 28 percent (71) of the 254 FBO
                            branches rated fair or lower were reported to have inadequate response
                            to audit criticisms. Supervisory staff we interviewed agreed that
                            inadequate response to audit criticisms is among the most serious of audit
                            weaknesses and could be indicative of poor management. This weakness
                            also compromises the ability of management to ensure that all operations
                            are conducted in accordance with internal guidelines and supervisory
                            policies, and that all reports and analyses provided to the head office and
                            FBO branch senior management are timely and accurate.



Twenty-six Percent of the FBO Branches Were Reported to Have Inadequate Audit Independence

                            We found that 26 percent (67) of FBO branches rated fair or lower were
                            reported to have inadequate audit independence, which can compromise
                            the objectivity of auditors and thus the reliability of audit work.
                            Supervisory staff we interviewed said that inadequate audit independence
                            is also among the most serious of weaknesses. An examination report
                            described one instance of this as follows: “Audit findings were submitted
                            to the general manager of the FBO branch instead of directly to the senior
                            internal auditor at the regional office in contravention of bank policy.”


Twenty-four Percent of the FBO Branches Were Reported to Have Inadequate Audit Workpapers or Documentation

                             We found that 24 percent (62) of the FBO branches rated fair or lower were
                             reported to have inadequate audit workpapers or documentation. This
                             audit weakness is a serious internal control weakness because without
                             such paperwork, supervisors cannot assess the adequacy and the
                             effectiveness of the internal audit program.

Nine Percent of the FBO Branches Were Reported to Lack Adequate Supervision by Head Office

                             We found that 9 percent (23) of the FBO branches were reported to lack
                             adequate supervision of audits by the FBO branch’s head office.
                             Supervisors said that this weakness is a serious concern because it could
                             suggest generally inadequate oversight of the FBO branch by the head
                             office. One examination report presented this weakness as follows: “ . . .
                             Equally as disturbing is the failure of the senior internal auditor to forward
                             all audit reports to the head office. It appears that head office has taken
                             little action with regard to this lack of response.”

                             Appendix I contains the summary results of our overall data collection
                             effort.


Certain Characteristics of Fair or Lower Rated FBO Branches Were Associated With Higher Numbers of
Internal Control and Audit Weaknesses

                             As illustrated in figure 3.1, we found that FBO branches rated fair or lower
                             that engaged in trading as a major line of business tended to have a higher
                             number of serious internal control weaknesses than nontrading FBO
                             branches. In addition, FBO branches that engaged in trading as a major line
                             of business were more likely than nontrading FBO branches to have
                             specific types of serious internal control weaknesses, including inadequate
                             segregation of duties and audit weaknesses, such as inadequate scope and
                             frequency of audits.








Figure 3.1: Trading FBO Branches Had More Internal Control Weaknesses Than Nontrading FBO Branches

[Bar chart. Vertical axis: percentage of branches. Horizontal axis: major line of business, Trading (N = 142) and Nontrading (N = 106). Legend: range of internal control weaknesses (1-6, 7-12, > 12). Bar values, left to right: Trading 28, 33, 39; Nontrading 42, 38, 20.]




                                       Note: The number of branches does not equal 254 because we could not determine the lines of
                                       business in 6 cases.

                                       Source: GAO analysis of U.S. supervisory examination reports.




Federal Reserve staff we interviewed told us that they expect trading FBO
branches to have more internal control weaknesses because trading is a
complex, high-speed activity that requires sophisticated internal controls
and a certain number of staff to adequately implement them. In addition,
depending on the size of an FBO branch’s operations, its back office, where
it tracks and records trades, could be thinly staffed. That is, smaller FBO
branches might engage in trading but may not have sufficient support staff
because of the costs of hiring them.

An examination report we reviewed illustrated the importance of adequate
internal controls over an FBO branch’s trading operations. It stated as
follows: “Lack of controls led to an environment where agency
management was able to conduct unauthorized trading that resulted in
$22.3 million in losses.”

As illustrated in figure 3.2, we also found that FBO branches rated fair or
lower that had more lines of business tended to have a higher number of
serious internal control weaknesses.








Figure 3.2: FBO Branches With More Lines of Business Had More Internal Control Weaknesses Than FBO
Branches With Fewer Lines of Business

[Bar chart. Vertical axis: percentage of branches. Horizontal axis: numbers of lines of business, 1 to 3 (N = 127) and 4 or more (N = 121). Legend: range of internal control weaknesses (1-6, 7-12, > 12). Bar values, left to right: 1 to 3: 44, 37, 18; 4 or more: 23, 33, 44.]



                                      Note: The number of branches does not equal 254 because we could not determine the lines of
                                      business in 6 cases.

                                      Source: GAO analysis of supervisory examination reports.




                                      Among FBO branches rated fair or lower that engaged in a large number of
                                      business activities (i.e., four or more), those with smaller staffs had more
                                      internal control weaknesses than those with larger staffs. Federal Reserve
                                      staff suggested that this may be because smaller staffs that are stretched
                                      thin to accommodate a greater variety of activities are generally more
                                      susceptible to internal control weaknesses.







A Limited Comparison of Examination Results Indicated That Certain Domestic Banks Had Fewer
Internal Control Weaknesses

                         To provide some perspective to our findings of the extent of internal
                         control weaknesses in FBO branches, we also reviewed examination
                         reports from a sample of fair-to-unsatisfactory-rated U.S. domestic banks.
                         The U.S. domestic banks were all examined independently by the Federal
                         Reserve or jointly by the Federal Reserve and the appropriate state
                         supervisor, and they were located in the New York, Chicago, San
                         Francisco, and Atlanta Federal Reserve districts. We did this to try to
                         remove differences introduced by the agency conducting the examination.
                         The domestic banks differed from FBO branches in several respects. The
                         U.S. domestic banks tended to engage in a smaller variety of businesses,
                         primarily lending, while only one in the sample did trading on behalf of
                         customers. In addition, the U.S. domestic banks generally were smaller, as
                         measured by asset size.

                         U.S. domestic banks from our sample had an average of 7.5 separate
                         internal control weaknesses reported, while FBO branches had an average
                         of 10.1. Domestic banks had an average of 1.2 audit weaknesses reported,
                         while FBO branches had an average of 2.5. Most of the weaknesses
                         reported for domestic banks involved their credit-related operations.
                         Thirty-one percent of domestic banks were reported to have an inadequate
                         segregation of duties in at least one activity, compared to 48 percent of FBO
                         branches. While 67 percent of FBO branches were reported to have audits
                         of inadequate scope, 40 percent of domestic banks were reported to have
                         the same problem.


Conclusions

                         The results of our analysis of examination reports of the 254 FBO branches
                         rated fair or lower examined from January 1993 to June 1996 indicate that
                         a significant number of the FBO branches were reported to have serious
                         internal weaknesses, and a majority of them had at least 1 serious audit
                         weakness. In our opinion, the numbers and types of internal control and
                         audit weaknesses found by supervisors heighten the importance of recent
                         supervisory attention to the adequacy of internal control and audit
                         processes at FBO branches, as discussed in chapter 4. The Federal Reserve
                         and other banking supervisors told us they are taking steps to promote
                         effective internal controls and audits in FBO branches. According to the
                         Federal Reserve, its policies on addressing control weaknesses within FBO
                         branches are consistent with the supervisory policies it applies to all of the
                         institutions it supervises. These policies, according to the Federal Reserve,
                         are also intended to reduce the risk of losses due to misconduct or fraud
                         in FBO branches and to promote prompt correction of situations that can
                         lead to an unsafe and unsound banking environment.



Chapter 4

U.S. Supervisors Are Taking Actions to
Improve Internal Controls and Audits at
Certain FBO Branches
                        In assessing the operational controls of FBO branches, the U.S. supervisors’
                        primary goal is to ensure that participation of the branches in U.S.
                        financial markets neither raises the level of systemic risk nor undermines
                        standards that help ensure the efficiency of and confidence in U.S.
                        markets. As weaknesses in internal controls and audits of FBOs in the
                        United States have been highlighted by losses experienced by Daiwa Bank
                        and other multinational banks and trading houses, U.S. supervisors are
                        undertaking a variety of efforts consistent with meeting that goal. The
                        objectives of these efforts include helping to ensure (1) the detection of
                        losses that have occurred as the result of a branch’s weaknesses in
                        internal controls and audits, (2) the timely correction by branches of
                        serious weaknesses in internal controls and audits, (3) an increased
                        understanding among multinational banks of the importance of adequate
                        internal controls and audits, and (4) the preparedness of supervisors to
                        conduct effective assessments of internal controls.


U.S. Supervisors Seek to Ensure Detection of Losses That Have Occurred as the Result of Weaknesses
in Internal Controls and Audits

                        To reduce the risk of losses due to misconduct or fraud in the U.S.
                        operations of FBOs and to promote prompt corrections of situations that
                        can cause an unsafe and unsound banking environment, the Federal
                        Reserve, in November 1996, released policy guidelines on special audit
                        procedures that are to be implemented in situations where significant
                        internal control weaknesses are detected in branches.[1] According to
                        Federal Reserve guidance, a primary objective of special audits is to
                        determine whether internal control weaknesses have led to unreported
                        losses and the extent of any such losses. The new guidance requires that
                        auditors perform direct verification of those areas identified by
                        supervisors as having significant internal control weaknesses along with
                        some verification of key accounts in other areas of the FBO branch that
                        may have been affected by those weaknesses. The guidance requires
                        auditors to determine the accuracy of reports filed by the FBO branch with
                        U.S. supervisors.

                        Another objective of special audits is to identify the degree of internal
                        control deficiencies and the risks posed to the FBO branch so that
                        management can implement the appropriate corrective action on both an
                        interim and long-term basis. Auditors are required to report on the type,
                        nature, and extent of any significant internal control weaknesses found
                        during the audit. The audit is to concentrate on the areas specifically
                        criticized by supervisors; however, there is also to be some review of
                        internal controls in other significant FBO branch operations. The
                        engagement letter for the audit is to contain target dates for interim and
                        final reports. The coordinating Federal Reserve Bank is to monitor the
                        general progress of the audit, obtain a copy of the final report, discuss
                        with the Federal Reserve Board staff any additional steps that should be
                        taken, and prepare a brief report of actions taken.

                        [1] In June 1997, the New York State Banking Department also promulgated Part 5 of its General
                        Regulations to require special internal or external audits of FBO branches with significant internal
                        control weaknesses.

                        Federal Reserve guidance requires special audit procedures when both the
                        “O” rating and the composite ROCA rating are three or worse, because
                        such ratings indicate (1) that the overall condition of the FBO branch is less
                        than satisfactory and (2) that, at least in part, the problems are due to
                        internal control weaknesses. In some cases, internal audit staff of the FBO
                        branch may perform the audit. However, if the adequacy of the internal
                        audit at a particular FBO branch is among the reasons why internal controls
                        are considered to be less than satisfactory, the procedures must be
                        conducted by regional or head office internal audit staff or by external
                        auditors. Additionally, external auditors are required to be used (1) if there
                        are extremely serious deficiencies in internal controls, as reflected in an
                        “O” rating of four or worse, and the composite rating is also four or worse;
                        (2) in cases where internal auditors had performed special audit
                        procedures and the current examination indicates the FBO branch
                        continues to be in less than satisfactory condition (i.e., “O” and composite
                        rating of three or worse); or (3) in other situations, if determined
                        necessary after consultations with Federal Reserve, other federal and state
                        supervisory authorities, and the home country supervisor.

                        Federal Reserve supervisors we interviewed told us they had recently
                        begun to require special audits when FBO branches have what they
                        consider to be significant internal control weaknesses. The supervisors
                        said they believe this special audit requirement will be a valuable tool to
                        help them detect potential unreported losses and correct internal control
                        weaknesses. However, the supervisors said it was too early to provide
                        specific examples of improvements.


U.S. Supervisors Seek Timely Correction of Serious Weaknesses in Internal Controls and Audits

                        According to the examination manual, supervisors are to seek timely
                        correction of serious internal control and audit weaknesses through the
                        use of enforcement actions. Federal and state supervisors have used their
                        enforcement authority to direct FBO branches to correct weaknesses in
                        their internal controls and audits. Such actions include cease-and-desist
                        orders, memorandums of understanding, commitment letters, and
                        supervisory letters, among other actions, that direct the institution to
                        remedy specific weaknesses. Federal Reserve staff told us that they may
                        initially try to remedy problems at FBO branches without taking
                        enforcement action but will take action where a weakness shows no
                        improvement over multiple examinations.

During the period of our review, U.S. supervisors took 282 enforcement
actions against 185 FBO branches. The actions were of varying levels of
severity and included supervisory letters, commitment letters,
memorandums of understanding, written agreements, cease-and-desist
orders, and civil money penalties. Most of the actions were less formal
supervisory letters or commitment letters. Supervisory staff said that the
seriousness of the action taken often depends on the seriousness or
persistence of problems at the FBO branch, but the action taken also is
influenced by the attitude displayed by FBO branch management toward
improving its operations. The supervisory staff said that there is no set
formula that determines whether to take an enforcement action or how
severe an action to take.

Twenty-nine percent (82) of the 282 enforcement actions against FBO
branches were taken for the primary reason of inadequate internal
controls, and 6 percent (17) were for inadequate audits. In some cases,
supervisors initially took a less serious action and then upgraded the
seriousness of the action when the FBO branch failed to improve. To
contrast these numbers with U.S. domestic banks, 9 percent of the
enforcement actions taken by the Federal Reserve against domestic banks
during the same period were for inadequate internal controls, and less
than 1 percent were for inadequate audits. Of the 254 fair or lower rated
FBO branches, 23 percent (59) were under enforcement actions primarily
for internal control or audit weaknesses.

In addition to taking enforcement actions against FBO branches, the
Federal Reserve has been able to use one of its new products under the
FBO Program, which U.S. supervisors began to implement in 1995, to
encourage FBOs to correct less serious internal control and audit
weaknesses.[2] The Summary of Condition and Combined Rating was
designed to provide FBO management with an overall assessment of the
FBO’s U.S. operations. This product is to highlight the aspects of the FBO’s
U.S. operations that need the most attention and is to be sent directly to
the foreign bank’s head office. Staff at the Federal Reserve told us that
providing foreign bank management with a summary of the condition of
the FBO’s U.S. operations and a combined rating has helped them
communicate more effectively with foreign bank staff and has resulted in
quicker and better compliance by the foreign banks.

[2] For more information on the FBO Program, see GAO/GGD-97-80.


U.S. Supervisors Seek an Increased Understanding Among Multinational Banks of the Importance of
Adequate Internal Controls and Audits

                        In recent years, U.S. supervisors have sought to increase the
                        understanding among multinational banks of the importance of adequate
                        internal controls and audits. Federal Reserve staff told us that they hold
                        meetings with foreign bank and foreign supervisory staff to discuss the
                        importance of developing adequate internal controls. They also conduct
                        some training programs in which foreign supervisory officials participate.
                        According to Federal Reserve staff, this has led to an increased awareness
                        among the management of foreign banks, both overseas and in the United
                        States, and among foreign supervisors of the importance of strong internal
                        controls. Federal Reserve staff also said that through these interactions,
                        U.S. supervisors have been able to assist both multinational banks and
                        foreign supervisors in upgrading their understanding and standards of
                        internal controls and audits.

                        U.S. and foreign supervisors, working through the Basle Committee on
                        Banking Supervision, have developed basic standards for internal controls
                        and audits.3 For example, the Basle Committee’s April 1997 paper entitled
                        Core Principles for Effective Banking Supervision states that “Banking
                        supervisors must determine that banks have in place internal controls that
                        are adequate for the nature and scale of their business.” The paper
                        describes the types of internal controls that should be in place, and it also
                        states that internal controls must be supplemented by an effective audit
                        that independently evaluates the adequacy, operational effectiveness, and
                        efficiency of the internal controls within an organization.




                        3 The Basle Committee on Banking Supervision was established in 1974 in the aftermath of serious
                        disturbances in the international currency and banking markets. Its members come from the central
                        banks and supervisory authorities in Belgium, Canada, France, Germany, Italy, Japan, Luxembourg,
                        the Netherlands, Sweden, Switzerland, the United Kingdom, and the United States. The Basle
                        Committee provides a forum for regular cooperation between member countries on supervisory
                        matters; however, it does not possess any formal supranational supervisory authority, and its
                        conclusions do not have legal force.







U.S. Supervisors Seek to Ensure the Preparedness of Supervisors to Conduct
Effective Assessments of Internal Controls

                            Actions that U.S. supervisors have taken to help ensure the preparedness
                            of supervisors to conduct effective assessments of internal controls
                            include the following:

                        •   the development and implementation of the FBO Program, which is
                            expected to provide supervisors with, among other things, more
                            comprehensive information relevant to assessments of internal controls
                            and audits, as well as analysis and a ranking to reflect the U.S. supervisors’
                            judgment about the FBO’s ability to provide its U.S. operations with the
                            necessary financial and managerial support;
                        •   the development and implementation of an FBO branch rating system,
                            ROCA, that emphasizes risk management and operational controls;
                        •   the development and use of the examination manual, which provides
                            specific and uniform guidance to all U.S. supervisors with responsibility
                            for FBO branch oversight, and the Trading Activities Manual; and
                        •   the initiation of examiner training programs covering internal controls,
                            risk assessment, trading exposure management, and advanced derivatives
                            products.


FBO Program

                            The FBO Program is intended, in part, to help ensure the preparedness of
                            supervisors to conduct effective assessments of FBOs’ U.S. operations. The
                            Federal Reserve began to implement the FBO Program in March 1995, when
                            it issued its initial guidance. Federal Reserve officials told us that the FBO
                            Program was scheduled to be implemented over a 3- to 5-year period, but
                            that they hoped to have it fully operational within 3 years. As discussed in
                            chapter 1, U.S. supervisors developed five new products under the FBO
                            Program for the use of their examiners. These products were intended, in
                            part, to facilitate supervisors’ ability to obtain comprehensive supervisory
                            information during examinations, including information relevant to the
                            assessments of internal controls and audits. These products include the
                            following:

                        •   Summary of Condition and Combined Rating. This product is intended to
                            provide U.S. supervisors with information about the overall condition of
                            the U.S. offices, including branches, of individual FBOs, including
                            information on control or audit weaknesses, which can then be factored
                            into their supervision of the U.S. offices under their jurisdiction.
                        •   Annual Comprehensive Examination Plan. This plan is intended to help
                            better coordinate examinations of U.S. offices of FBOs with multiple U.S.
                            banking operations and/or significant U.S. nonbanking operations.4 U.S.
                            banking supervisors we interviewed reported many instances of increased
                            coordination and cooperation among federal and state supervisors, which
                            is important because problems, including internal control or audit
                            weaknesses, identified at a particular office could manifest themselves at
                            other offices of an FBO.
                        •   Review of Home Country Financial System and Review of Significant
                            Home Country Accounting Policies and Practices. These products are to
                            provide information about the financial system and the supervisory and
                            governmental policies in the FBO’s home country and information about
                            significant accounting policies and practices in the home country. For
                            example, these products might include information about a general lack of
                            a rigid internal auditing system in the financial institutions of a particular
                            country or about a country’s lack of a history of independent external
                            auditors. This information may be useful to U.S. supervisors for overseeing
                            the U.S. operations of an FBO from such a country.
                        •   Strength-of-Support Assessment (SOSA). The SOSA is to provide an analysis
                            and a ranking to reflect the U.S. supervisors’ judgment about the FBO’s
                            ability to provide its U.S. operations with the necessary financial and
                            managerial support. The SOSA ranking is to categorize all FBOs with U.S.
                            banking operations by levels of supervisory concern, highlighting those
                            whose U.S. operations are thought to warrant higher levels of supervisory
                            attention. In some cases, an asterisk may be appended to a SOSA ranking
                            when there are concerns about the ability of the FBO to maintain adequate
                            internal controls and compliance procedures at its U.S. offices.


Rating System for FBO Branches

                            In 1994, U.S. supervisors began phasing in the replacement of the previous
                            asset-focused system of rating FBO branches, which was called the AIM
                            rating system, with the new ROCA rating system. By the beginning of 1996,
                            the ROCA rating system was fully phased in. The ROCA rating system
                            places greater emphasis on the effectiveness of risk management
                            processes and operational controls and was devised to better assess the
                            condition of a branch within the context of the FBO. As we discussed in
                            chapter 1, the ROCA rating system divides an FBO branch’s overall
                            activities into three individual components: risk management, operational
                            controls, and compliance. These components represent the major
                            activities or processes of the FBO branch that may raise supervisory
                            concern. The ROCA rating system also provides for a specific rating of the
                            quality of the FBO branch’s stock of assets as of the examination date.

                            4 The comprehensive examination plan is to cover all U.S. operations of an FBO with banking offices
                            licensed by more than one supervisory agency and/or with significant U.S. nonbanking activities with
                            the exception of commercial banks, which are to be treated as domestic institutions for the purpose of
                            examination planning during the initial implementation of the FBO Program.

                          Supervisory staff we interviewed said the shift from a focus on asset
                          quality, under the AIM rating system, to a focus on risk management and
                          operational controls, under the ROCA rating system, was an appropriate
                          shift in emphasis. Staff said that the ROCA rating system was designed to
                          look forward, while the AIM rating system’s focus on assets was
                          effectively a backward-looking approach because asset quality reflects an
                          institution’s past business decisions. Staff also said that they found that, to
                          improve their examination rating, some foreign banks had focused on
                          manipulating asset classification ratios and moving assets off the books of
                          the branch to the head office or another entity in the bank. Although asset
                          quality is still considered under the ROCA system, staff said it is not the
                          primary emphasis.

                          Officials representing the foreign banking industry also told us that the
                          ROCA rating system is a better measure of an FBO branch’s operations than
                          was the AIM rating system. The officials said that the change from the AIM
                          rating system to the ROCA rating system mirrored the way FBO branches
                          had changed their businesses to focus on better risk management
                          strategies and operational controls. An official from the Federal Reserve
                          also told us that, although domestic banks are rated under a different
                          system than FBO branches,5 the use of ROCA is consistent with national
                          treatment because U.S. supervisors are still reviewing the same things that
                          they review in domestic banks.


New Examination Manuals

                          Along with the development of the ROCA rating system, the Federal
                          Reserve, in cooperation with other federal and state banking agencies,
                          developed the examination manual for conducting individual examinations
                          of FBO branches. This manual was drafted to provide a common approach
                          among all supervisory agencies with respect to individual FBO branch
                          examinations. The manual was initially sent out for comment to U.S.
                          supervisors in October 1993 and became effective in January 1995. Its
                          content was drawn in large part from commercial bank examination
                          procedures. However, all aspects of this examination manual were drafted
                          to specifically address the unique characteristics of FBO branch
                          examinations. Supervisory staff we interviewed told us that this is the first
                          examination manual to be used by both state and federal supervisors for
                          examinations of FBO branches, and that this has resulted in more
                          consistent examinations. According to Federal Reserve officials, the
                          examination manual has also been widely used as a reference tool by the
                          foreign banking community in the United States to improve its internal
                          controls. The examination manual has also supplemented the U.S.
                          supervisors’ efforts to inform foreign bankers and supervisors about U.S.
                          internal control and audit standards.

                          5 U.S. domestic banks are rated under the CAMELS rating system. The components of the CAMELS
                          system are capital, assets, management, earnings, liquidity, and sensitivity to market risk.

                      In 1994, the Federal Reserve also adopted a new Trading Activities
                      Manual. Although developed primarily for U.S. commercial banks, the
                      trading activities manual also applies to FBO branches, many of which are
                      actively engaged in transactions involving trading activities. This manual
                      includes detailed examination procedures for evaluating controls in
                      trading activities; for example, it emphasizes the importance of
                      separations of duties in a trading operation such as Daiwa Bank’s.

                      Federal Reserve staff also told us they are in the process of developing a
                      module for supervisors to use during examinations that is intended to help
                      the supervisors take a more risk-focused approach to their review of
                      internal controls and audits. Federal Reserve staff told us they would
                      begin pilot testing this module during the last quarter of 1997.


Examiner Training

                      The Federal Reserve has also taken steps intended to enhance examiner
                      training. For example, Federal Reserve officials developed an Internal
                      Controls School in 1995 that was designed initially for examiners of FBO
                      branches and expanded to meet the needs of examiners of U.S. domestic
                      banks. Federal Reserve officials also told us that they developed a training
                      seminar in 1996 for examiners and in-house international supervisory staff
                      that emphasizes ensuring the appropriate supervisory strategy for the U.S.
                      operations of each FBO.


U.S. Supervisors’ Measures Do Not Capture Linkages Between Initiatives and Results

                      U.S. supervisors have not yet developed a strategy for evaluating the
                      results of their initiatives to improve internal controls and audits at FBO
                      branches. The Federal Reserve has indicated that rough measures, such as
                      examination ratings, currently indicate some degree of improvement.
                      However, such rough measures do not determine whether there are
                      appropriate linkages between examination results and the Federal
                      Reserve’s initiatives, such as training and education. Without measures
                      that determine the linkages between the initiatives and improved internal
                      control practices, the Federal Reserve will not know if it has satisfactorily
                      addressed the internal control and audit weaknesses at FBO branches.


Conclusions

                 U.S. supervisors have recognized that serious weaknesses in internal
                 controls and audits at certain FBO branches are significant and must be
                 addressed if losses are to be avoided and confidence maintained in the
                 integrity and efficiency of financial markets. To that end, they have
                 developed and implemented several initiatives in the past 2 to 3 years to
                 improve the supervision of FBO branches and educate bank officials and
                 home country supervisors about the importance of resolving internal
                 control and audit weaknesses. These efforts include the FBO Program, the
                 ROCA rating system, the development of new examination manuals,
                 education and training programs, and the new requirement for special
                 audits.

                 The supervisors’ efforts—as they are designed—appear to provide a basis
                 for raising and maintaining control standards at FBO branches, and Federal
                 Reserve supervisors told us that their efforts have already resulted in
                 improved internal controls and audits at fair or lower rated FBO branches.
                 However, supervisors have not yet developed a strategy for evaluating the
                 results of these initiatives, including whether those results satisfactorily
                 address the weaknesses identified or whether additional initiatives may be
                 needed. Such a strategy could, for example, determine whether there are
                 appropriate linkages between examination results and training and
                 education efforts. For information to be available to monitor the impact of
                 the initiatives when they are fully implemented, it is important that the
                 supervisors promptly identify the data that are needed and ensure that the
                 systems necessary to gather and maintain those data are in place and
                 operating.


Recommendation

                 We recommend that the Federal Reserve develop a strategy, including
                 objective measures, for assessing the progress it is making through its
                 efforts to improve internal controls and audits at FBO branches and ensure
                 that the procedures and systems necessary to collect the data relevant to
                 those measures are in place and operating. Results from such objective
                 evaluation of efforts to improve internal controls and audits should be
                 useful in determining whether additional initiatives may be needed and in
                 communicating with FBO branch officials and home country supervisors
                 about the importance of sound bank management practices.








Agency Comments

                  We requested comments on a draft of this report from the Federal Reserve
                  Board, which provided written comments that are reproduced in appendix
                  II. In addition, Federal Reserve staff provided technical comments, which
                  we incorporated in this report where appropriate.

                  The Federal Reserve Board commented that our recommendation was
                  useful and said that it will take steps to (1) evaluate in a more systematic
                  fashion the results of its initiatives to improve the supervision of the U.S.
                  operations of FBOs and (2) identify and address internal control and audit
                  weaknesses in those operations. The Board also said that several rough
                  measures currently indicate some degree of improvement in those areas.
                  As an example of such measures, the Board noted a decline, since 1993, in
                  the number of FBO branches with fair or lower overall examination ratings
                  or component ratings that are substantively affected by internal control
                  and audit weaknesses.




Appendix I

Data Collected From Examination Reports
Using Data Collection Instrument

                                          Using our data collection instrument (DCI), we collected data on a variety
                                          of internal control and audit weaknesses reported at foreign banking
                                          organizations’ branches and agencies (FBO branches) in addition to those
                                          presented in chapter 3. The DCI was organized by type of internal control
                                          and audit weakness. Table I.1 provides a description of the types of
                                          internal control and audit weaknesses from the DCI.


Table I.1: Descriptions of DCI Internal Control and Audit Weakness Categories

Category
    Description

Internal control weaknesses:

Lack of segregation of duties
    Instances in which the examiner notes that a single individual or department has control
    over two functions within the FBO branch that ought to be separate due to the potential
    for damaging the FBO branch.

Lack of adequate policies, procedures, and manuals
    Situations where the examiner notes that there is a lack of policies, procedures, or
    manuals covering certain aspects of an FBO branch’s operations or functions.

Problems with personnel practices
    Situations where a problem exists with regard to personnel issues or practices, probably
    involving one or a few individuals.

Lack of proper and accurate accounting for all activities
    Situations in which there is a specific shortcoming with regard to an accounting principle
    or practice that is failing to be performed within the FBO branch. This would include
    situations where the FBO branch’s banking activities are not being properly recorded or
    reconciled according to standard accounting principles.

Inadequate safekeeping and/or documentation
    Instances where there is a lack of records or documentation being maintained for various
    activities for which records ought to be maintained. The category also covers instances
    where such records are maintained under inadequate security.

Lack of compliance with policies and procedures
    Instances where there is clearly a policy or procedure in place, but it is not followed.

Inaccurate regulatory reporting
    Used when the examiner determines that the FBO branch is filing inaccurate regulatory
    reports.

Lack of dual control and independent verification
    Applies to situations where a procedure that ought to be controlled in some way by at
    least two individuals is not. For example, in the case of dual control, an action such as
    wiring funds out of the FBO branch or opening the vault can only be done by two
    individuals simultaneously. In other cases, it might be appropriate for a single individual
    to carry out a specific function, but it might be necessary for another individual to
    independently verify that the function was done properly.

Lack of security and/or access restrictions
    A lack of security for any number of banking operations that require security, usually in
    the form of restrictions, physical or electronic, on access to information or machinery that
    could potentially be used to do financial harm to individuals or the FBO branch.

Inadequate/Inaccurate management control or information
    Cases where the examiner specifically notes a lack of or inaccurate information, or
    control on the part of an FBO branch’s management. This category is to be used when
    there is a lack of information on the part of management that hinders its ability to direct
    the FBO branch’s operations, or where there is a lack of management control in a case in
    which the examiner clearly believes there should be.

Inadequate management oversight
    Instances where the examiner states that the FBO branch’s management, in general, is
    poor or where the examiner notes a lack of adequate oversight by the home office.

Lack of expertise
    This category should be used in cases where the examiner notes that management or
    staff lack either the education, training, or experience to effectively execute their duties.

Audit weaknesses:

Inadequate scope of audit coverage
    Situations where the scope of the audit is considered to be inadequate to cover all of the
    FBO branch’s activities.

Inadequate frequency of completed audits
    Any case where the frequency of audits is criticized.

Inadequate audit independence
    Cases where the independence of the audit function is questioned. A lack of segregation
    of duties involving the audit function would be noted here.

Audit manual and reports not in English
    Cases where audit manuals and reports are not available to the examiners in English.

Lack of head office supervision of audit function
    Cases where the examiner notes a lack of head office involvement in the audit function,
    including approving the general audit program, and reviewing audit results.

Inadequate audit workpapers/documentation
    Situations where there is insufficient retention and protection of audit workpapers as
    required by generally accepted auditing standards.

Inadequate/Untimely response to audit recommendations or criticisms
    Cases where the examiner determines that the FBO branch has been too slow in
    responding to audit recommendations or criticisms or appears to have ignored audit
    recommendations or criticisms.

Lack of self inspection
    Instances where there is a shortcoming with an FBO branch’s self-inspection program.

Audit manual and reports not available
    Instances where the examiner notes that an audit manual or report is not available.

Inadequate audit department staff
    Cases where the audit department staff is considered inadequate in terms of number or
    level of audit expertise.

Source: GAO analysis.








                                          Figure I.1 shows the percentage of the 254 FBO branches rated fair or lower
                                          that were reported to have each type of internal control weakness listed
                                          above from January 1, 1993, to June 30, 1996. Figure I.2 shows the
                                          percentage of the 254 FBO branches rated fair or lower that were reported
                                          to have each of the audit weaknesses described above during the same
                                          period.



Figure I.1: Percentage of FBO Branches Rated Fair or Lower That Were Reported to Have Each Type of Internal Control
Weakness, January 1993 to June 1996

Bar chart. Vertical axis: Percentage of branches (0 to 100). Bar values, left to right: 91, 70, 69, 51, 48, 45, 44, 35, 26, 24, 19, 13.

                                          Source: GAO analysis of supervisory examination reports.








Figure I.2: Percentage of FBO Branches Rated Fair or Lower That Were Reported to Have Each Type of Audit Weakness,
January 1993 to June 1996

Bar chart. Vertical axis: Percent of branches (0 to 100). Bar values, left to right: 67, 41, 28, 26, 24, 22, 12, 9, 7, 6.
                                                                          Source: GAO analysis of supervisory examination reports.




                                                                          For each type of internal control and audit weakness, we noted in what
                                                                          part of the FBO branch’s operations the weakness was reported. For
                                                                          example, we noted whether a weakness in an FBO branch’s segregation of
                                                                          duties was reported in its trading, electronic funds transfer, or some other
                                                                          activity. Table I.2 provides the percentage of the 254 FBO branches that
                                                                          were reported to have each type of weakness listed above, and shows
                                                                          where in the FBO branches’ operations the weaknesses were found.








Table I.2: Internal Control and Audit Weaknesses Reported at FBO Branches Rated Fair or Lower During January 1993 to June 1996

                                             Percentage of FBO
Internal control and/or audit weakness  branches with weakness
Lack of segregation of duties:
  Trading activities                                        15
  Treasury activities (asset/liability                      14
    management)
  Electronic funds transfer                                 17
  Intrabank funds transfer                                   1
  Security officer                                           3
  EDP                                                        7
  Internal controls officer                                  1
  Internal auditor                                           7
  Other                                                     28
Lack of adequate policies, procedures, and manuals:
  Treasury activities (asset/liability                      42
    management)
  Employees in sensitive positions not                       9
    absent for a minimum number of
    consecutive days
  Electronic funds transfer                                 32
  Intrabank funds transfer                                   3
  Trading activities                                        35
  Emergency preparedness/Disaster recovery                  39
  Accounting practices                                      45
  Credit administration                                     63
  Returned mail/Hold mail                                   15
  Dormant accounts                                          18
  Official checks and other negotiable                      15
    instruments
  Bank Secrecy Act                                          26
  Criminal referrals                                        14
  Payable through accounts                                   1
  Clearing services                                          2
Problems with personnel practices:
  Employees in sensitive positions not                      22
    absent for a minimum number of
    consecutive days
  Conflict of interest                                       2
  Lack of internal controls officer                          1
  Lack of effective supervision                              1
Lack of proper and accurate accounting:
  Trade activities                                          14
  Credit administration                                     15
  Separate accounts for home office and                      1
    branches
  Improper reconciliation of general ledger                 25
    accounts
  Suspense accounts                                         12
  Expenses                                                   2
  Chart of accounts                                         16
  Incorrect use of accounts                                  9
Inadequate safekeeping and/or documentation:
  Trading activities                                        15
  Inadequate confirmation of discrepancy log                 4
  Credit files                                              61
  Accounting                                                 6
  Electronic funds transfer                                  8
  Intrabank funds transfer                                   1
  Minutes of committee meetings                              4
  Bill paying services                                       2
  Bank Secrecy Act                                          14
Lack of compliance with policies and procedures:
  Trading activities                                        11
  Treasury activities (asset/liability                      10
    management)
  Credit administration                                     36
Regulatory reporting:
  Inaccurate reporting                                      70
Lack of dual control and independent verification:
  Electronic funds transfer                                 13
  Intrabank funds transfer                                   1
  Revaluation of trading positions                           8
  Trading activities                                         8
  Authorized signatures                                      6
  Vault                                                     10
Lack of security and/or access restrictions:
  Electronic funds transfer                                 22
  Back office                                                6
  Accounting systems/Software                                6
  Signature list                                             2
  Checks and other negotiable items                         17
  Vault security                                             5
  Electronic security                                        6
  Premises                                                   8
Inadequate/Inaccurate management control or information:
  Client services                                            1
  Electronic funds transfer                                  2
  Control of client accounts                                 2
  Reporting to head office                                   3
  Trading activities                                         9
Inadequate management/oversight:
  Home office                                               23
  Management                                                17
Lack of Expertise:
  Management                                                 5
  Staff                                                     17
Inadequate scope of audit coverage                          67
Inadequate frequency of completed audits                    41
Inadequate audit independence                               26
Audit manual and reports not in English                     12
Lack of head office supervision of audit                     9
  function
Inadequate audit workpapers/documentation                   24
Inadequate/Untimely response to audit                       28
  criticisms
Lack of self inspection:
  Independence                                               2
  Documentation                                              2
  Procedures and scope                                       4
Audit manual and reports not available                       7
Inadequate audit department staff:
  Staff size                                                13
  Staff audit expertise                                     12

Source: GAO analysis.




Bar chart, January 1993 to June 1996. Axis: Percentage of branches (0 to 100).
  Inadequate regulatory reporting                           70
  Inadequate scope of audit                                 67
  Inadequate credit policies & procedures                   63
  Inadequate credit documentation                           61
  Inadequate accounting policies & procedures               45
  Inadequate policies & procedures for                      42
    asset/liability mgmt.




                                                                 Ina
                                                                     de
                                                                   fre quate
                                                                      qu
                                                                        en aud
                                                                          cy  it
                                                                                                      41
                                                       I na
                                                                                                                                                                                                                                                                                                                                                   Data Collected From Examination Reports




                                                           de
                                                               q
                                                           Dis uate
                                                               as pre
                                                                   te     p
                                                                po r re c ar ed
                                                                   lici ov ne
                                                                       es ery ss/
                                                                                                  39




                                                            Ina
                                                                de
                                                             wit qua
                                                                 h c te c
                                                               & p redit omp
                                                                     roc pol lian
                                                                        ed icie ce
                                                                                                 36




                                                                          ure s
                                                                              s
                                                                 Ina
                                                              po de
                                                                 lici qu
                                                                     es ate
                                                                        & p tra
                                                                                                                                                                Figure I.3: The 10 Most Frequently Reported Internal Control Weaknesses at FBO Branches Rated Fair or Lower,




                                                                            roc din
                                                                               ed g
                                                                                 ure
                                                                                                 35




                                                                                    s
                                                                                                                                                                                                                                                                               Figure I.3 shows the 10 most frequently reported internal control




Appendix II

Comments From the Federal Reserve Board


Note: GAO comments
supplementing those in the
report text appear at the
end of this appendix.








See comment 1.








The following is GAO’s comment on the Federal Reserve Board’s
September 5, 1997, letter.

GAO Comment

We added information on page 55 about the Federal Reserve’s rough
measures for assessing progress in its efforts to improve internal controls
and audits at FBO branches.




Appendix III

Major Contributors to This Report


General Government Division, Washington, D.C.

Susan S. Westin, Acting Associate Director
Thomas L. Conahan, Evaluator-in-Charge
Kristi A. Peterson, Senior Evaluator
Barry Reed, Senior Social Science Analyst
John J. Strauss, Senior Evaluator
Desiree W. Whipple, Communications Analyst

San Francisco Field Office

Bruce K. Engle, Evaluator




(233507)