1990 Report of the Auditor General of Canada

Main Points

25.1 The Office of the Superintendent of Financial Institutions (OSFI), established in 1987, has made considerable progress in implementing an effective supervisory framework for deposit-taking institutions. Among its initiatives are the upgrading of its professional staff, the establishment of better working relationships with boards of directors, external auditors, and industry and professional associations, and the development of detailed examination procedures in certain key areas (paragraphs 25.4 and 25.17 to 25.21).

25.2 In spite of this progress, further important improvements are needed. OSFI is already taking steps to deal with many of these challenges. For instance, it needs to ensure that:

• its procedures for monitoring the ongoing operations of institutions are fully in place (25.28 to 25.42);
• particular attention is paid to upgrading the risk assessment processes in annual examinations (25.43 to 25.65);
• procedures for assessing risks to institutions from their securities subsidiaries are fully implemented (25.57 to 25.62);
• procedures and practices for reliance on external and internal auditors are clarified and strengthened (25.66 to 25.76);
• procedures for testing institutions' compliance with applicable legislation, regulations and guidelines are improved (25.82 to 25.86);
• priority is given to achieving better co-ordination of activities with the Canada Deposit Insurance Corporation (CDIC) and, as appropriate, with provincial regulators (25.87 to 25.95); and
• immediate attention is given to developing staff training plans and providing the necessary training (25.101 to 25.106).

25.3 OSFI has generally satisfactory procedures for regulatory policy development and rendering rulings on the interpretation of legislation and guidelines. It has made progress in establishing corporate planning and human resource management practices (25.97 to 25.100 and 25.108).

Introduction

25.4 The Office of the Superintendent of Financial Institutions (OSFI) was established under Part I of the Financial Institutions and Deposit Insurance System Amendment Act in July 1987 with the merger of the Office of the Inspector General of Banks and the Department of Insurance. OSFI was created in recognition of the growing similarity between banks and non-bank financial institutions and the need for a modern regulatory framework, including a strong supervisory activity. It was felt that the supervisory issues would increasingly cut across different financial sectors, and that the merged operation would be better placed to respond with consistent approaches. OSFI reports to the Minister of Finance.

25.5 OSFI is responsible for supervising and regulating banks and investment companies, and the trust and loan companies and co-operative credit associations that are subject to federal legislation. These institutions are collectively known as deposit-taking institutions. It supervises federally regulated insurance companies and pension plans and provides actuarial services for various government pension plans. In all, it administers 10 federal statutes. In addition, OSFI carries out examinations of provincially incorporated financial institutions and pension plans under federal-provincial agreements or as an agent of the Canada Deposit Insurance Corporation (CDIC).

25.6 The 1987 amendments to the financial institutions legislation gave OSFI broader powers to intervene when problems are identified in a financial institution than were available previously. For example, it may issue "directions of compliance" requiring an institution to cease or refrain from certain actions and to perform such acts as the Superintendent may direct.

25.7 The financial services industry is central to every aspect of economic activity in Canada. It plays a key role in allocating capital and serving as a vehicle for the payments system. Financial institutions are in a unique position of trust in handling funds belonging to the general public and businesses. Mismanagement of financial institutions, if it were to occur, could have a significant adverse impact on economic activity in Canada and on public confidence in the financial system. The supervisory role of OSFI, therefore, is an important element in the financial services industry's contribution to the growth of the Canadian economy and the maintenance of public confidence in the industry. OSFI emphasizes that management of a financial institution must be as devoted to its fiduciary responsibility as it is to its entrepreneurial responsibility to the shareholders.

25.8 There has been a tremendous growth in the sophistication, innovation and globalization of financial markets. A much wider use is now being made of instruments such as swaps, note issuance facilities, forward contracts and options (see Exhibit 25.1). Increasing globalization has added new risks as well as new opportunities for financial institutions. There is a continuing trend toward financial conglomerates where some members are regulated federally, some are regulated provincially, and some are not regulated at all. This makes the task of the regulators difficult. Against this backdrop, some of the legislation governing financial institutions, particularly relating to trust and loan companies, has been in place for many years and does not take into account the significant evolution in the financial services industry. All these factors add to the challenges OSFI faces.

Exhibit not available

25.9 OSFI is organized into four sectors: Deposit-taking Institutions; Insurance and Pensions; Regulatory Policy; and Management Services (see Exhibit 25.2). The first two sectors conduct the supervision of their respective industries. The Regulatory Policy Sector carries out research on regulatory issues and provides rulings on the interpretation of legislation, regulations and guidelines. It develops regulations, conducts program review and contributes to the development of federal legislation governing financial institutions. It is also responsible for corporate planning and professional development. The Management Services Sector provides internal support services in the areas of personnel, information systems, finance and general administration.

Exhibit not available

25.10 OSFI's headquarters are in Ottawa. However, the examination activity and a large part of the monitoring activity are carried out from its regional offices in Toronto, Montreal, Winnipeg and Vancouver. Of the 375 staff, 49 are in the Regulatory Policy Sector, 80 in the Deposit-taking Institutions Sector, 158 in the Insurance and Pensions Sector and 88 in the Management Services Sector.

25.11 Pursuant to the legislation governing the various financial institutions, OSFI recovers its operating expenses from the institutions using pre-determined formulae. Expenses incurred in connection with the work done for the Canada Pension Plan, CDIC and certain provinces are recovered from them. For 1989/90, OSFI will recover $36.2 million of the $39.3 million spent on its operations, with the balance, primarily relating to the actuarial services provided to federal programs, absorbed by the federal government.

Audit Scope

25.12 Our audit covered the major activities of the Deposit-taking Institutions Sector, the Regulatory Policy Sector, and the Management Services Sector.

25.13 In the Deposit-taking Institutions Sector, we audited the processes for examinations and ongoing monitoring of the activities of the institutions, and the handling of troubled institutions. We examined OSFI's activities relating to the Canadian Payments Association. We assessed whether the Deposit-taking Institutions Sector had procedures in place to monitor compliance by the institutions with applicable legislation, regulations and guidelines, and to take appropriate action when non-compliance was detected.

25.14 Our audit of the Regulatory Policy and Management Services Sectors covered such activities as the development of regulatory policy, rulings, corporate planning, program review, professional development and training, human resource management, security and information systems.

25.15 We conducted our audit at the OSFI head office in Ottawa and at all the regional offices. We met with industry officials, industry associations, relevant federal agencies and provincial regulators to seek their views on OSFI's operations. We also discussed with the U.S. regulatory authorities their approaches to the monitoring and examination of deposit-taking institutions.

25.16 Only limited reliance was placed on OSFI's internal audit function because of its limited coverage relative to our audit scope. The Program Review Division comprising internal audit and program evaluation, was just established in October 1989. Its only activities had been two internal audit studies in records management and personnel functions. These studies were taken into account in our audit.

Supervision of Deposit-taking Institutions

OSFI Has Taken Important Steps to Develop Further Its Framework for Supervision of Deposit-taking Institutions, but Improvements Are Needed in a Number of Significant Areas

25.17 In 1989, OSFI supervised 160 deposit-taking institutions, which had total assets of $666 billion (see Exhibit 25.3). Since its beginning in 1987, OSFI has further developed its framework for carrying out statutory examinations of deposit-taking institutions, including detailed examination procedures in certain areas, to guide its examiners. OSFI has revised its capital adequacy guidelines for banks, based on the framework agreed upon by the members of the Bank for International Settlements (BIS). Work is under way to determine whether similar guidelines could apply to trust and loan companies once the proposed new legislation covering such companies is passed. OSFI is a participant in the BIS subcommittees, which assess and measure risks in interest rate, foreign exchange and equities positions, and off-balance sheet activities to determine the appropriate supervisory response.

Exhibit not available

25.18 The examination and monitoring activity for the deposit-taking institutions that was previously in Ottawa was substantially transferred to the Toronto and other regional offices to bring it closer to the institutions supervised. The Office launched a major drive to recruit staff with industry background to expand its complement of examiners. This effort is now by and large complete.

25.19 OSFI has taken steps to foster better working relationships with boards of directors of deposit-taking institutions, external auditors, managers of institutions, industry associations, professional bodies and other regulators. It has expanded the scope of the advisory committee of auditors of banks and has set up one for trust companies in order to strengthen relationships with the institutions' auditors.

25.20 Our interviews with industry officials, industry associations and others indicated that the financial services industry has responded well to OSFI's initiatives. OSFI has also established a useful relationship with provincial regulators, with scope for further co-operation. In all, it has developed a positive image for itself and a rapport that will undoubtedly facilitate its future operations.

25.21 While OSFI has made progress in a number of important areas in implementing an effective supervisory framework, further significant improvements are needed. OSFI is taking steps to deal with many of these challenges.

Principles of Self-Governance and Self-Regulation Need Better Specification and Assessment

25.22 The Superintendent attaches great importance to effective and professional self-governance and self-regulation as "the core of financial institutions' regulation". He regards these principles as a key to preventing problems associated with the institutions' solvency and compliance with legislation, regulations and guidelines. He further states that OSFI's "examination of financial institutions represents a de facto assessment of management and its ability to manage".

25.23 Section 34 of the Bank Act states that "the directors shall manage the business and affairs of a bank". Thus the role of the board of directors of a deposit-taking institution is vital to the implementation of the principle of self-governance and self-regulation, as it has the ultimate responsibility for management of the institution.

25.24 OSFI has identified elements of self-governance and self-regulation. These include competent and honest management, a board of directors that understands its fiduciary responsibilities, sound management practices, adequately capitalized operations and tight controls over related party transactions.

25.25 OSFI advised us that it has met with the boards of directors of a number of institutions with whom it has discussed in greater detail its views on self-governance and self-regulation. It has not, however, formalized and documented in its examination framework its expectations of the boards in this respect. The formalization would be helpful to the examination staff in their assessment of the institutions' practices in this area, including management practices.

25.26 Management practices include financial and management controls designed to provide assurance to the operating management and the board of directors that corporate policies are being adhered to and assets are being safeguarded. We observed weaknesses in OSFI's documentation of the examination of management practices. In most of the files we examined, there was little evidence that the examination staff had discussed with the operating management or the board the institutions' strategic and operational plans. Also, in several cases, there was little evidence that OSFI had examined the institutions' processes to provide timely and relevant information to the boards of directors on the operations of the institutions.

25.27 OSFI should formalize in its examination framework, its expectations of the boards of directors and operating management, in respect to self-governance and self-regulation and should strengthen its procedures for assessing management practices of deposit-taking institutions.

Ongoing Monitoring System that Provides Early Warning of Emerging Problems Is Not Fully in Place

25.28 OSFI sees its supervisory role as forward-looking. This requires it to identify emerging problems in a financial institution and in the industry at an early stage. To this end, the supervisory framework calls for a continuing program of monitoring the ongoing operations of institutions to complement OSFI's annual examination process. Monitoring includes review of financial data, screening of the information available to the public and contacts with management of the institutions to discuss such information.

25.29 We examined whether OSFI had in place procedures for effective monitoring of deposit-taking institutions, aimed at assessing the continuing solvency of institutions and providing an early warning of any developments that might alter their risk profiles. We identified several areas where OSFI's monitoring procedures could be improved.

25.30 OSFI's system for monitoring the ongoing operations of institutions needs to be better organized and systematized. We observed that the results of monitoring by the examination staff were not always documented. In some cases, no files were maintained for monitoring. Thus, the work of the examiners did not permit adequate review by the supervisors, nor could it be used as a reference for planning future examination and monitoring work.

A centralized data base would facilitate monitoring

25.31 Deposit-taking institutions file a variety of data returns with OSFI, the Bank of Canada and Statistics Canada. A number of such returns are required by the relevant statutes to serve the needs of different users. They contain such information as balance sheet and income statement data, sources of income and foreign currency assets. Some of the data gathered are used for monitoring and examinations of deposit-taking institutions.

25.32 The data are not only voluminous but also have several areas of duplication. There is a need to rationalize and consolidate the government's data requirements and to examine the use of technology in the process. This would reduce the paper burden on financial institutions and lead to greater operational efficiency in relevant departments and agencies. There is no centralized data base on institutions that is readily accessible to OSFI. Since November 1988, an interdepartmental committee under the chairmanship of OSFI has been trying to identify and rationalize information requirements from financial institutions, but it has not yet produced its final recommendations. Its preliminary report dealing with data on banks is currently under discussion with the departments and agencies concerned.

Limited financial analysis is done

25.33 Analysis of financial data on each institution is the responsibility of the examination staff. However, OSFI has provided few guidelines to the staff outlining the nature, depth and timing of the financial analysis needed. While the examination staff conducts some analysis at the annual examination time, it does insufficient analysis on an ongoing basis to assist in the monitoring of the deposit-taking institutions. For example, OSFI has not carried out adequate monitoring of certain key indicators dealing with an institution's geographical and industry exposure.

Tracking of system-wide and sectoral trends needs improvement

25.34 The Financial Analysis Division in Ottawa is responsible for conducting cross-industry analysis on specific topics. It has produced reports on profitability trends, banks' capital adequacy and banks' non-performing loans. It has also done studies on such areas as real estate lending and certain aspects of trust companies' business. Other groups in OSFI have conducted studies on leveraged buyouts and the fisheries industry.

25.35 The Financial Analysis Division spends a considerable amount of its time on ad hoc projects and has not been fully staffed. This has limited its capacity to provide effective support to OSFI's monitoring process. The Division's role needs to be confirmed and a systematic plan of action developed. The Division could provide a valuable support to the examination staff by conducting analysis in such areas as industry-wide interest rate spreads, fee income, non-interest expenses and off-balance sheet exposure of institutions. In addition, the Division could study any developments in the economic environment, domestic or international, that might have implications for the continuing financial health of deposit-taking institutions.

OSFI's newly implemented computerized system is only occasionally used

25.36 In October 1989, OSFI implemented the Institutional Information System (IIS) at an estimated cost of some $400,000. IIS is designed to store and assemble financial information received by OSFI from institutions and other sources. It was expected to be a principal tool for monitoring, but the system is not being used as envisaged. Information from it is not available on a timely basis and in sufficiently disaggregated form to serve most monitoring and examination needs. Its software is slow and awkward to use. Only about 35 percent of potential users, including the examiners, have used the system. Even these have used it only on a few occasions.

25.37 A comprehensive computerized data base on financial institutions, accompanied by appropriate analysis -- the results of which could be used in the monitoring and examination processes -- would assist OSFI in better identifying emerging risks in financial institutions.

Periodic contacts need to be maintained with management of institutions

25.38 OSFI has advised us that its senior officials maintain regular contacts with deposit-taking institutions. In addition, the Regulatory Policy Sector is in contact with the institutions, industry associations and professional bodies. However, in the monitoring process, there is need for the examination staff to make periodic contacts with management of the institutions, to discuss emerging trends or changes in the management structure or corporate policies and to gather information on any developments in the industry or institutions. While the examination staff establishes contacts with the institutions when problems are identified, OSFI does not have a periodic program of contacts. The frequency of contacts would take into account the risk profile of the institutions.

Procedures for troubled institutions are not fully defined

25.39 Responsibility for monitoring troubled institutions is shared by the Registration and Investigations Division and the examination staff, with the former taking the lead role.

25.40 OSFI has not consolidated its procedures for dealing with troubled institutions. Such procedures could cover the progressive enforcement steps needed to ensure compliance with legislation, regulations and guidelines and OSFI's requests for information. Also, there is a need to set out procedures for managing crisis situations relating to deposit-taking institutions.

25.41 The importance of effective and timely monitoring cannot be overemphasized when dealing with the dynamic financial services industry, where an institution's asset and liability profile can change rapidly. OSFI has begun strengthening its monitoring role, including the development of a monitoring checklist, which is being field tested.

25.42 OSFI should improve and systematize its processes for monitoring deposit-taking institutions. In particular, it should:

• have ready access to a comprehensive computerized data base on deposit-taking institutions;
• conduct regular financial analysis of individual deposit-taking institutions to identify emerging risks on a timely basis;
• strengthen its processes for conducting studies of system-wide and sectoral issues;
• conduct a review of the concept and operations of IIS with a view to assessing the system's design and its adequacy to meet OSFI's needs;
• ensure that its examiners maintain periodic contacts with management of the deposit-taking institutions to review their operations; and
• consolidate procedures for the investigation of troubled institutions.

Particular Attention Is Needed to Upgrade the Risk Assessment Process in Annual Examinations

25.43 Legislation governing banks and trust and loan companies requires the Superintendent to conduct annual examinations of individual deposit-taking institutions. There is no legislative requirement for annual examinations of investment companies and the Canadian co-operative credit associations, although OSFI examines their operations periodically.

25.44 The objectives of the examinations are to detect solvency and compliance problems in deposit-taking institutions, and to see that such problems are resolved promptly. Other objectives are to collect information on system-wide and policy issues and to develop a thorough understanding of an institution and its environment. We expected OSFI to have in place policies, procedures and practices for the conduct of examinations to meet these objectives.

25.45 OSFI follows a risk-based approach to examinations. In planning for examinations, it develops risk profiles of institutions and judges the materiality of the risks so that higher risk issues receive greater attention.

25.46 The actions taken by OSFI in using a common framework for the bank and trust and loan company examinations and decentralizing of bank examinations to the regional offices have made the examination process stronger. OSFI has also created a new specialist support division whose function is to assist examiners in the complex areas of treasury instruments and electronic data processing (EDP) systems. It has taken steps to develop and refine methodology for examinations and other supervisory activities. All these point to progress, but there are a number of areas where further initiatives are needed.

Review of specialized risk areas by examiners is weak

25.47 Credit risk is regarded by OSFI to be the major risk to deposit-taking institutions. As such, OSFI gives this risk considerable attention in the examination process. It uses retired financial industry executives in addition to its own staff for the purpose. In recent years, three special areas of risk have been receiving greater attention. These are treasury instruments risk, EDP systems risk and conglomerate risk. Our audit indicated that OSFI's examination process needs to be strengthened in these areas.

25.48 Examination of treasury instruments risk needs strengthening. Many financial institutions, particularly banks, deal in treasury instruments such as interest rate and foreign currency swaps, forwards, futures and options contracts. The risks associated with these instruments require adequate internal controls in the institutions to manage them. In turn, the regulators need appropriate procedures to assess the impact of the risks on the institutions' liquidity and solvency.

25.49 We observed that in some cases there was little evidence in OSFI's files to indicate that the examiners had checked the processes for managing treasury risk in the institutions. For example:

• Important aspects of treasury operations were not always dealt with either in the planning or execution of the examinations. Some files contained little evidence that the institutions' processes for setting trading limits in respect of foreign exchange and liquidity exposures had been examined. In one case, although the examination plan identified currency risk and swaps as being key treasury risks in the institution, there was no evidence on file that the examiners had reviewed the risk management process.
• In a few examination files, there was little evidence that controls relating to the "back office" treasury operations of the institutions had been assessed. The back office operation normally records transactions initiated by telephone or other means and sends confirmation to the customer. The effectiveness of the back office treasury operation is critical to monitoring and controlling treasury risk.

25.50 Some members of the examination staff who were examining treasury risks did not have sufficient understanding of treasury instruments and the risks associated with them. We observed that the staff had been given very little training in this area. In some cases, they had carried out such examinations without the assistance of the specialist staff. This was due to the fact that the only specialist on staff did not have time available. For example, the treasury specialist did not participate in the examination of an institution that generated most of its income from trading in off-balance sheet treasury instruments.

25.51 EDP systems risk is not adequately examined. Given the significant investment by deposit-taking institutions in EDP technology, and their heavy dependence on it, OSFI has recognized that EDP systems can present a major source of risk to the solvency and soundness of the institutions. OSFI has one specialist in EDP systems of deposit-taking institutions.

25.52 As in the area of treasury risk, OSFI's examination procedures do not cover adequately the review of EDP systems risk and therefore the risk management processes in the institutions are not being fully examined. We found several cases where the EDP systems risk was not identified.

25.53 In some cases there was little evidence of any review having been carried out of processes in institutions for data security, data integrity, disaster recovery and EDP management. For example, in one instance, the risks associated with an institution's outdated EDP systems were not identified and examined.

25.54 Many of the examiners did not have an adequate knowledge base to identify and examine EDP systems risk. In the examination of several institutions with extensive and complex EDP systems, OSFI's specialist staff was not involved. At the time of our audit, OSFI was not using any formal procedures for examining EDP systems risk in deposit-taking institutions. However, some procedures have recently been developed and are to be field tested.

25.55 OSFI has difficulty obtaining information it needs to assess conglomerate risk. Conglomerate risk arises when a regulated financial institution is part of a group of companies in which the parent or some of the sister or subsidiary companies are unregulated. In such situations, OSFI has noted a number of concerns in supervising the federally regulated financial institutions, primarily because it does not have authority under existing legislation to seek information from the unregulated companies in a conglomerate.

25.56 In our review of OSFI's files on some financial institutions which are part of conglomerates, we noted how difficult it was for OSFI to adequately identify and assess the risks. For example, it has had difficulty in obtaining access to the business plans of the unregulated parent for the regulated deposit-taking subsidiary.

Assessment of risks to deposit-taking institutions from their securities subsidiaries needs strengthening

25.57 In 1987, the then federal Minister of State (Finance) and the Ontario Minister of Financial Institutions signed an accord with respect to the implementation of their respective regimes for regulating securities- related activities of federal financial institutions and the securities subsidiaries or affiliates of these institutions. According to the accord, OSFI regulates the securities-related activities carried on directly by the federal financial institutions. Such activities are defined in the accord. All other securities activities are to be carried out through the subsidiaries or affiliates, which are regulated provincially. The allocation of responsibilities was clarified and confirmed in correspondence and a memorandum of understanding between OSFI and the Ontario Securities Commission. OSFI has similar memoranda of understanding with the securities commissions of Quebec and British Columbia. However, there are no accords at the ministerial level with these provinces.

25.58 The memoranda of understanding state that OSFI is relying on the system of regulation currently applicable under the provincial securities legislation and the by-laws of the self-regulatory organizations, such as the Investment Dealers Association. The memoranda further state that OSFI is relying, in particular, on the capital adequacy rules governing the securities subsidiaries as specified by the provinces. At the present time, 14 banks and two federally chartered trust companies have securities operations in Canada.

25.59 Our examination of this area was directed at finding out whether OSFI had ensured that adequate mechanisms and controls were in place to insulate federal deposit-taking institutions from inappropriate risks assumed by their securities subsidiaries.

25.60 OSFI has advised us that the provincial regulation of the operations of securities subsidiaries is very complete and the capital rules for high risk activities very onerous. According to OSFI, these help to ensure that the securities subsidiaries do not take inappropriate risks.

25.61 The memoranda permit OSFI to seek information from the commissions about securities dealers after following a specified process. OSFI has identified the regulatory reports it wishes to obtain from the securities commissions. It has not, however, developed any procedures for determining how to use the information it receives to assess risks from securities subsidiaries or how to obtain follow-up information from the commissions. In cases where it has sought these regulatory reports, it has not followed up to ensure that they are provided in a timely fashion. Furthermore, there may be a need to upgrade the knowledge base of the examination staff to enable them to properly assess risks associated with the securities subsidiaries.

25.62 Banks and securities dealers cover certain similar areas. For example, both deal in high-risk treasury instruments such as swaps, options and futures. OSFI can examine such operations directly when they are conducted by banks but not when conducted by securities dealers. OSFI needs to continue to monitor developments in the securities industry and in the regulatory framework applicable to it to ensure that gaps in the regulation and supervision do not occur and that its reliance on provincial regulation is soundly based. Furthermore, in the case of Ontario, OSFI needs to satisfy itself that comparable activities continue to be regulated in a comparable manner as stated in the accord with that province.

CAMEL, a measure of financial soundness, needs elaboration and consistent application

25.63 OSFI uses a rating system known by the acronym CAMEL in examinations and ongoing monitoring of deposit-taking institutions. CAMEL, which stands for capital adequacy, asset quality, management, earnings and liquidity, summarizes the results of the examinations with a five-point rating scale covering the five critical areas of the institution's operations. Institutions are given a rating from 1 to 5 for each CAMEL component, with 1 representing a very healthy condition and 5 representing a critically weak condition. In addition, a composite rating of 1 to 5 is given to each institution, using the individual components as a basis. The system provides a ready reference to the performance of a financial institution and is designed to give management an indication of the level of monitoring and scrutiny needed. CAMEL is also used as a guide for transferring the lead responsibility for institutions warranting closer monitoring from the examination staff to the Registration and Investigations Division.

25.64 The essence of the system is that the ratings should be meaningful and consistent. In some cases, however, they were not, judging by the evidence in OSFI's files. The examiners were not provided with detailed criteria for arriving at the rating, or training in applying the criteria. There was therefore no assurance that individual examiners would rate all the institutions they examined in a consistent manner, or that different examiners would use a consistent approach. Furthermore, the ratings given by the examiners did not receive rigorous review by management.

25.65 OSFI should improve its processes for assessing risks to the solvency and soundness of deposit-taking institutions. In particular it should:

• ensure that the specialized expertise and knowledge base needed for assessing treasury instruments and EDP systems risks are available and used as appropriate;
• fully implement its procedures for assessing risks to federally regulated deposit-taking institutions from the operations of their securities subsidiaries; and
• develop detailed criteria for the CAMEL rating system for financial soundness in order to facilitate consistent ratings by all examination staff.

Extent of Reliance on External and Internal Auditors Is Unclear and Sometimes Unsupported

25.66 External auditors. In carrying out examinations of deposit-taking institutions, OSFI places a high degree of reliance on the external auditors' work. It exchanges letters annually with external auditors to inform them that it will be relying on their examination and opinion on the financial statements of the institutions. OSFI's Examination Framework requires the examiners to review the work of external auditors to "determine the extent and nature of the work done by the external auditors particularly in areas identified as high risk by the Office, in order to assess the Office's basis for reliance on the auditors' work".

25.67 In our audit, we checked to see whether adequate procedures were in place to ensure that the scope of OSFI's reliance on the work of the external auditors was soundly based.

25.68 The primary responsibility of the external auditors is to report to the shareholders of the institutions on the fairness of their financial statements at a point in time. On the basis of its review, OSFI may properly rely on the external auditors' work with respect to those statements. However, we believe that OSFI needs to satisfy itself independently that all major risk areas are being managed effectively.

25.69 The Bank Act requires the external auditors to report to OSFI any transactions or conditions affecting the well-being of a bank that, in their opinion, are not satisfactory and require rectification. However, they are not obliged to extend the scope of their audit of the financial statements to specifically search for such transactions or conditions. The Bank Act specifically permits the Minister to enlarge or extend the scope of the auditors' examination and may require that the auditors of a bank report to the Minister on the adequacy of the procedure adopted by the bank for the safety of its creditors and shareholders. This provision has been used in a limited number of cases. There are similar provisions in the legislation governing trust and loan companies.

25.70 The external auditors' objectives in carrying out a shareholders' audit are in some respect different from those of OSFI. In addition to satisfying itself as to the fairness of the financial statements at a point in time, OSFI needs to satisfy itself that all major risks in an institution are being effectively managed on an ongoing basis by the institution. External auditors' perspective may also be different from OSFI's in such areas as management controls, asset quality and materiality of risks.

25.71 We observed that OSFI satisfied itself independently on asset quality of financial institutions. However, we identified several cases in other risk areas, such as treasury instruments, where OSFI carried out little independent work itself but relied on external auditors.

25.72 Also, although OSFI's Examination Framework requires that before placing reliance on external auditors, the examiners must assess their work, this was not always done. Several examination files contained little evidence of such an assessment. In a number of cases, we could not identify the specific areas of risk in which reliance was being placed. In some areas of risk where reliance was in fact placed, there was no indication how it had affected the scope of the examiner's own work.

25.73 Internal auditors. A properly designed internal audit provides management of a deposit-taking institution with an independent, systematic review and appraisal of the effectiveness of management and internal controls in the institution. Internal audits are conducted on specific activities of the institution and reports are made to management on the activities reviewed.

25.74 OSFI requires its examiners to review the procedures and working papers of the internal auditors as a basis for reliance on their work. We observed that OSFI's reliance on internal audit is in several cases based on the external auditors' examination of the internal auditors' work. As noted earlier, the objectives of OSFI and those of external auditors may be different. The perspective from which the external auditor reviews the work of internal audit, including internal controls, may not be fully suitable for OSFI's purposes.

25.75 In reviewing the work of internal auditors, OSFI focusses on the internal audit reports prepared during the year and discussions with the internal audit staff on their audit plans and coverage. In the majority of the cases we examined there was little evidence of review of internal auditors' working papers or assessments of whether they had covered all significant internal controls in a given year. Thus, there was limited assurance that the steps necessary to establish reliance on the work of internal auditors were carried out.

25.76 OSFI should:

• ensure that its position on reliance on external auditors reflects the differences in responsibilities and perspectives of the auditors and OSFI; and
• clarify and document its procedures and practices for reliance on external and internal audits to ensure that the reliance is soundly based.

More Complete Examination of the Canadian Payments Association Is Needed

25.77 The Canadian Payments Association (CPA), created by an Act of Parliament, has the mandate to establish and operate a national clearing and settlement system and to plan the evolution of the national payments system. About 9 percent of the fund transfers of deposit-taking institutions are carried out by its members electronically through CPA. According to OSFI, some 8 to 12 percent of the assets of banks are turned over daily through CPA.

25.78 Settlement risk is a risk that a party to a financial transaction will fail to honour its obligations, due to financial, technical or operational problems relating to the settlement or finalization of the transaction. This type of risk is inherent in the operations of deposit- taking institutions as well as in those of CPA, to which most of them belong.

25.79 The Canadian Payments Association Act requires OSFI to conduct such examination of the Association as it thinks necessary to enable it to report to the Minister of Finance whether or not the Association is operating in conformity with its Act and the by-laws.

25.80 In examining CPA, OSFI uses a checklist that covers such areas as review of CPA's board at directors' minutes and of the conduct at annual meetings of CPA members. To date it has not reviewed the risk areas and the controls CPA has in place over the various systems. No examination has been carried out of the risks associated with CPA's EDP system and its links with the regional data centres of the financial institutions involved. This would include consideration of back-up and contingency plans. OSFI has not carried out a review of CPA's planning for the evolution of the national payments system despite the revolutionary changes taking place in the industry, including electronic banking. In late 1989, the Deputy Superintendent, Deposit-taking Institutions wrote to CPA advising it that OSFI intends to carry out a more comprehensive examination covering the above areas.

25.81 OSFI should conduct a full-scope examination of CPA.

Compliance by Institutions with Legislation Is Not Being Appropriately Tested

25.82 The Examination Framework calls for appropriate testing of compliance by institutions with applicable legislation, regulations and guidelines. It requires that all detected problems be documented and handled in a manner consistent with their importance and materiality. Our review was aimed at determining whether adequate procedures were in place to verify testing for such compliance.

25.83 OSFI verifies compliance with the capital adequacy rules governing deposit-taking institutions. Its Registration and Investigations Division tests compliance with the requirements of the Bank Act in areas such as particulars of directors and officers and insider reports. The Rulings' Division of OSFI carries out some testing of compliance in the course of rendering rulings. In addition, OSFI has a systematic process in place for testing compliance by trust and loan companies with key sections of the relevant legislation and supervisory rules.

25.84 For banks, however, OSFI examiners carried out limited verification of their own but relied on the external auditors. As it stands, the external auditors are not specifically required to verify compliance with the legislation under the terms of their arrangements with OSFI. Their only obligation is to report to OSFI if they encountered any conditions in the course of their audit which, if unaddressed, could affect the well-being of the bank or which were beyond the powers of the bank. Verification of compliance for the deposit-taking institutions was divided between Ottawa and regional offices. There was a lack of clarity among staff about the areas being checked at different places.

25.85 With respect to banks, subsection 246(3) of the Bank Act requires OSFI to report to the Minister whether the provisions of the Act having reference to the safety of the interests of the depositors, creditors and shareholders and other provisions of the Act are being duly observed. These "other provisions" cover matters such as business powers, corporate structure and financial disclosure. We noted that while OSFI reports to the Minister on whether the institutions are in a sound financial position, it has failed to specifically report on the provisions of the Act having reference to the safety of depositors and on the "other provisions" of the Act.

25.86 OSFI should improve its procedures for testing compliance by deposit-taking institutions with the applicable legislation, regulations and guidelines. The annual reporting to the Minister on the banks should cover all elements required under subsection 246(3) of the Bank Act.

Improved Co-ordination Is Needed with CDIC and Provincial Regulators

25.87 In its examination and monitoring activities, OSFI needs ongoing contact with CDIC and provincial regulatory bodies. We expected OSFI to maintain effective relationships with these organizations with a view to harmonizing supervisory standards and obtaining information as necessary.

There is no memorandum of understanding with CDIC

25.88 The Canada Deposit Insurance Corporation Act designates OSFI to examine, on CDIC's behalf, all banks and federally regulated trust and loan companies. In addition, CDIC has appointed OSFI to conduct examinations of provincially regulated trust and loan companies that are members of CDIC, except those regulated by Quebec. After completing an examination, OSFI is required to report to CDIC on whether the operations of the institution are being conducted in accordance with the standards of sound business and financial practices, and on whether the institution is in a satisfactory financial condition. OSFI also reports on whether the Return of Insured Deposits submitted by an institution is correct. As well, CDIC relies on OSFI to carry out ongoing monitoring of all banks and federally regulated trust and loan companies.

25.89 In spite of the reliance CDIC places on the work of OSFI, and the distinct statutory responsibilities each has under its respective Act, there is no memorandum of understanding setting out the responsibilities and obligations of the parties. Such a memorandum could cover sharing of information on institutions, handling of troubled companies, and the extent and depth of monitoring needed. OSFI advised us that while considerable discussion has taken place with CDIC, the matter is not close to completion.

25.90 The Canada Deposit Insurance Corporation Act requires the examiner to report on the correctness of the Return of Insured Deposits. We found that the nature and extent of verification done by OSFI was insufficient to meet this requirement. The verification was usually limited to a comparison of amounts in the returns with those in the relevant ledgers of the institution, rather than more substantive testing. We were informed that OSFI and CDIC are in the process of finalizing a comprehensive verification program.

Co-ordination of supervisory activities with provincial regulators is limited

25.91 In a corporate group, some financial institutions may be federally regulated while others are under provincial jurisdiction. There are also situations where a federally regulated company may be subject to monitoring or examination by provincial regulators. OSFI has indicated that its objective is to achieve a consistency in supervisory approaches with its provincial counterparts and to avoid gaps in the supervisory system.

25.92 Several provinces have recently made changes to their trust and loan legislation. For example, Ontario's legislation now calls for an "equals approach" where all trust and loan companies operating in Ontario, regardless of the jurisdiction of their incorporation, are subject to Ontario's supervisory rules. To ensure that there are no gaps in the supervisory system and to reduce the regulatory burden on the companies, there is need for consistency of supervisory approaches and co-ordination of activities.

25.93 Areas where co-operation would seem to be desirable include rationalization of information demands on financial institutions and reduction of information burden. It is not uncommon for a deposit-taking institution to submit information returns to half a dozen jurisdictions when much of the information required is very similar. Other areas include co-ordination of activities in dealing with troubled institutions and reliance by one regulator on the examination and monitoring of institutions carried out by the other.

25.94 OSFI has stated that, for examinations of a federal institution forming part of a corporate group containing provincially regulated companies, it will try to co-ordinate work with provincial regulators so that the examinations are conducted at the same time. We noted that such co-ordination had not taken place.

25.95 OSFI should:

• enter into a memorandum of understanding on co-ordination of activities with CDIC as quickly as possible; and
• co-ordinate, as appropriate, supervisory roles with the provincial regulators and achieve consistency in approaches for supervision.

Regulatory Policy Sector

25.96 Our examination focussed on whether OSFI had adequate procedures for developing regulatory policy, conducting corporate planning and professional development, and rendering rulings on the interpretation of legislation, regulations and guidelines.

Procedures for Developing Regulatory Policy and Rendering Rulings Are Generally Satisfactory

25.97 We observed that OSFI's policy research and rulings activities are generally well organized. Priorities are assigned for the completion of research projects and there is a regular reporting system on their level of completion. However, there are some 50 issues for study currently outstanding and most of them have not been assigned target dates for completion. It is important that OSFI reviews the progress on these issues periodically to ensure that they are dealt with on a timely basis.

25.98 OSFI has made considerable progress in consolidating its rulings activities concerning both deposit-taking and insurance and pensions sectors in one operational unit. It is in the process of establishing a comprehensive record of all rulings given in the past so that they can serve as a basis for ensuring consistency in future rulings.

A Positive Start Has Been Made in Corporate Planning and Program Review

25.99 OSFI has taken initiatives to translate its legislative mandate into operational objectives and goals. It has developed a strategic planning framework. While the framework is not yet fully implemented, OSFI has recently for the first time developed a strategic plan that identifies its mission, goals and responsibility centres for achieving the goals. OSFI also produces business plans for its various operating units. While these are important steps in the corporate planning process, OSFI still has some way to go in integrating business plans with strategic objectives and ensuring that the plans are used as a management tool for monitoring the performance of operating units against established objectives.

25.100 OSFI has recently taken the positive step of establishing a program review function responsible for program evaluation and internal audit. The terms of reference of the function are being developed. A properly constituted and independent program review unit can serve as a useful management tool in the effective implementation of OSFI's mandate.

Professional Development and Training Need Strengthening

25.101 We examined OSFI's procedures and practices for the professional development and training of its staff to ensure that sufficient and properly qualified personnel were available to carry out its mandate.

25.102 OSFI has taken a number of initiatives in the area of training and professional development, including establishment of a professional development and training policy and drafting of knowledge and skills requirements for examiners.

25.103 We observed that the roles and responsibilities for training and professional development are split between line managers and two staff divisions of OSFI. This has resulted in unclear accountability and some duplication of activities. Some employees are uncertain about appropriate contacts for requesting training. Further, OSFI has not yet developed an overall training plan, although it has recently established a committee to co-ordinate training and development activities, develop procedures and recommend training priorities.

25.104 Identification of training needs is done primarily through the employee performance appraisal process. However, in deciding on the training requirements of their staff, some managers have not considered OSFI's established guidelines on knowledge and skill requirements for examiners or the special operational requirements of their own units. Instead, there is a reliance on informal on-the-job training. It is not known which employees need formal training in critical operational and examination areas, such as the risk-based approach to examinations, treasury instruments risk, EDP systems risk, management practices of institutions and application of the CAMEL approach. At the time of our audit most examiners had not received formal training in these areas. Furthermore, there is only a limited review of the training requirements identified by managers to determine whether the training proposed is in line with OSFI's strategic objectives and priorities.

25.105 As a result, there is a need to determine training requirements better, establish training plans and priorities, and provide organized and more formal training in appropriate areas of the examination and monitoring processes.

25.106 OSFI should give immediate attention to developing its training plans and providing the necessary training to its staff. It should also review the roles and responsibilities of the various groups engaged in professional development and training with a view to achieving better co-ordination of activities and more focussed accountability for the planning and execution of training.

Management Services Sector

25.107 We examined whether OSFI's procedures relating to human resource management, information and personnel security and conflict of interest were adequate to meet its personnel requirements and to prevent conflict of interest and undue disclosure of information.

Progress Has Been Made in Human Resource Management

25.108 OSFI has developed, but not fully implemented, a human resource management framework for the various activities undertaken to identify the personnel needs of the organization, compare these needs with the available resources and develop action plans to provide for any unmet needs. It has developed and implemented a variety of personnel-related programs such as those for performance review and appraisal, recruitment and exit interviews. While OSFI has some further tasks ahead of it in such areas as integrating human resource planning with strategic business plans, it has made reasonable progress in establishing a unified personnel service after the merger in 1987 of the two previously separate organizations.

Security and Conflict of Interest Practices Require Improvement

25.109 OSFI receives and produces sensitive information on financial institutions and on government policies, which must be safeguarded against major risks. Similarly, the potential for improper use of such information requires that appropriate rules be adopted and implemented to prevent conflict of interest situations.

25.110 OSFI has recently put in place policies for conflict of interest and for information and personnel security. However, we saw no evidence that the establishment of these policies was accompanied by a comprehensive threat and risk analysis. Such an analysis would have permitted proper assessment and implementation of protective measures needed to meet operational requirements. OSFI has advised us that a threat and risk analysis in respect of conflict of interest was carried out but not documented.

25.111 We observed several deficiencies in the areas of information and personnel security. For example, the procedures in place did not ensure proper security classification of documents and did not limit access to authorized persons only. Furthermore, OSFI did not have any system in place to carry out periodic security and conflict of interest reviews to identify any weaknesses and departures from the established policy.

25.112 While there have been no known conflict of interest situations or breaches of security, without a properly executed and documented threat and risk analysis of OSFI's operations there can be no assurance of the adequacy of its procedures. An improper use of sensitive information might not only prejudice the competitive position of financial institutions but also cause serious embarrassment to OSFI and the government.

25.113 OSFI should:

• conduct a comprehensive threat and risk assessment of its operations to identify vulnerabilities and implement proper procedures for ensuring that the security of information is protected;
• complete its processes for conducting and documenting threat and risk assessment in respect of conflict of interest; and
• carry out periodic reviews of its policies and procedures to ensure their continuing adequacy.