Arnold Kling  

Audits and Principles-Based Regulation


One point that many people miss about principles-based regulation is that it gives regulators an additional enforcement tool, other than addressing actions that are improper. That tool is a process audit.

Audits can be very useful. In 1990, Freddie Mac's "internal audit" unit found severe problems in its Quality Control department (QC). QC was supposed to protect Freddie Mac from purchasing defective mortgages. (No, this was not the problem in 2005-2007. During those years, purchasing defective mortgages became a strategic objective--they might as well have abolished QC.)

The audit found that the QC's internal management and reporting were so weak that there was no way of even knowing whether it was doing its job or not. I was one of the people brought in to help with that (internal audit ultimately gave us a passing grade).

But there is more to the story of QC. This was before automated underwriting, and it was up to human underwriters working for mortgage lenders to decide whether, say, a mortgage to a borrower with a 60-day late credit card bill could be sold to Freddie Mac or should be viewed as defective. Freddie Mac had some bright-line regulations, but there was a lot of allowance for exceptions, based on underwriting judgment.

It turned out that one of the most effective tools for QC, when working with high-volume lenders, was an "onsite audit," where our staff would go to the mortgage lender's office and examine the process of underwriting loans there. You could examine the training, the lender's internal QC, and their management reporting. You could pull out loan files at random, interview underwriters to gauge their knowledge and experience, and so forth.

It is with that experience in mind that I think that if I were at a regulatory agency charged with implementing principles-based regulation, I would use audit teams. If a company really intends to comply with a principle, it will have a powerful executive responsible. It will have training programs in place. Low-level employees will understand how compliance with the principle affects their jobs. And so forth.

So don't just think of principles-based regulation as an alternative criterion for prosecuting action X. Think of it as the basis for rigorous audits of corporate processes. These audits can expose weaknesses in systems and controls, so that the problems are corrected prior to any violation taking place.

Of course, that may not work in practice. But I believe it would be better to see it tried in some way than to just have it vetoed out of hand by those who criticize it in theory.


COMMENTS (6 to date)
Mdb writes:

This looks more and more like the FDA regulation, are you using it as a model? Have you looked at it as an example of principles-based regulation in practice?

Sonic Charmer writes:

You almost speak as if audits don't exist now, as if audits are something we should 'try'. One word: Huh?

Also, I am clearly less convinced than you of the power of audits. Typically the outcome is a list of 'audit points', that people have to jump through hoops to satisfy - but many/most of which are wasteful red herrings, but whose existence closes off all further thought. 'Why do I have to press this useless button daily?' 'It was an audit point.'

Not convinced this is the direction of salvation...

Gaspard writes:

Can I recommend the book "The Audit Society" by M. Power, which draws from principles-based UK sources, and shows how it is easily subverted into an empty ritual just as Sonic Charmer describes above. One would hope the "auditor judgement" would enable more searching questions to be asked, but it can also allow corners to be cut and collegiality to replace objectivity.

Risk Management as a profession has proliferated in the last 20 yrs, to little perceptible effect.

Youri writes:

There's a series of posts over on FT Alphaville about tax driven investment structures and their uses. I could think of no better illustration of the need for principles based regulation. If you get very smart, highly incentivized people and strict rules together, the smart people will end up running rings around the rules. If you manage to legally break the tax code, creating riskfree returns, or money out of thin air, getting around banking regulation is a piece of cake.

I remember presentations on Basel 2 at a bank I used to work for that would end with the opportunities the new regulations would provide; most of these focussed on arbitraging the different regulatory regimes (e.g. an AIRB bank trading with a bank on the standardized approach, profiting from different risk weights).

Sonic Charmer writes:

One reaction to regs being easily & predictably arbed is to say it 'illustrates the need for principles based regulation'.

Another is to consider it a strike against the nature of the regs themselves.

Peter writes:

I'm with the comments above. As a long time private sector external auditor and now a government internal regulator, audits are useless (as is the IG really). Internal audits are ignored and outside audits are filed with "we will get to that" given they are usually either so weak as to be meaningless or so extreme they are impossible to comply with. Audits are purely CYA telling the top what they already know and done so to appease the masses and/or leveraged for internal politics to fire somebody (the entire point of the audit, to provide ammunition).

The best thing I have ever been told about audits (and the IG) was: "Remember the IG and internal auditors are there to protect the organization and top, not you. External audits are simply there to comply with meaningless regulations and/or lower insurance premiums plus give the external party, who really doesn't care, some cover if things go wrong with their partner. Nobody cares about audits because if the thing you were auditing was important or relevant they would comply without the audits."

Fifteen years of auditing and I have yet to find a single party that has even attempted (in good faith) to comply with a regulation, policy, law, etc. they were being audited for, much less pass. Note here we are talking large broad audits, not audits of individual instances or single records.
