Banking and Financial Services Internal Audit Group

Transcription

1 Banking and Financial Services Internal Audit Group Hot topics for 2014 Audit Planning Lunch Time Seminar Alana Thorne, Director Chit Ghee Yeoh, Associate Director September 2013

2 Agenda Introduction Impact of the code on internal audit functions and understanding the drivers for change Key changes as a result of the code and impact on audit planning Hot topics for 2014 planning A summary of key hot topics Industry topics Methodology topics Deep dive into new and uncomfortable areas of change Questions 2

3 Introduction Impact of the code on internal audit functions Internal Audit in Financial Services The Committee on Internal Audit Guidance for Financial Services has issued its Recommendations for Effective Internal Audit in the Financial Services Sector. This demonstrates there is and will continue to be increased challenge of and visibility upon Internal Audit the bar has been raised. Regulators will look to rely on Internal Audit creating an opportunity for Internal Audit to demonstrate its relevance and importance in protecting the assets of a company. Areas of significant challenge to many audit functions (and applicable to all) include: Positioning within the organisation: Internal Audit reporting line to the Chair of the Board Audit Committee. Secondary reporting lines should be to the CEO; Employing significant professional judgement; An outcomes-based approach; and Resourcing. Emerging best practices Strong communication and consistent language with risk, compliance and finance functions Responding to resource challenges Auditing culture Harnessing the power of data Building trust with the regulators Quality assurance 3

4 Hot Topics for 2014 planning Current planning agenda Trading Unauthorised trading Indices and benchmarks High frequency trading New and uncomfortable Governance Culture IA processes Assessing skills and capabilities Holistic opinions and IC environment Data analytics Capital and liquidity RWA s Model risk management CRD IV Liquidity Internal Audit Hot Topics Regulatory Conduct risk Regulatory reporting Financial crime Client assets Risk management Risk frameworks Risk appetite Risk data aggregation Accounting and tax Loan loss provisioning Tax risk management IT Resilience Third party management Payment services 4

5 2014 Industry Topics Planning considerations 5 Topics New and uncomfortable Governance Culture Risk management Risk framework Risk appetite Risk data aggregation Capital and liquidity CRD IV RWA Liquidity Model risk management Trading Indices and benchmarking Consideration for Internal Audit Governance: assessing the structures, processes and controls to manage a business Culture: how processes, actions and tone at the top align with the values and behaviours of the business Assessing how a risk or group of risks are managed across a Group or business How risk management is linked to strategy Aggregation of risk data and MI How data management measures up against the BCBS principles for effective Risk Data Aggregation and Risk Reporting. Readiness/ compliance with new requirements (Internationally agreed standards on capital and liquidity Basel III) effective 1 January Completeness, accuracy and integrity of source data inputs and calculated RWA outputs. Board and senior management oversight Policies, procedures and limits (e.g. stress-testing) Risk measurement and monitoring. Design and development of model governance and model validation. The spotlight is starting to shine on other indices (aside from LIBOR), benchmarks and wider price setting processes that banks contribute to. A focus on reviewing submission processes against definitions and best practice.

6 2014 Industry Topics Planning considerations Topics Trading Unauthorised trading High frequency trading Accounting and Tax Tax risk management Loan loss provisioning IT Third party management Resilience Payments Consideration for Internal Audit Assurance over controls to capture and report unauthorised trading The firm s culture and attitude towards unauthorised trading Assurance over trade execution controls given recent glitches and failures in high frequency trading Tax strategy and tax governance arrangements Alignment of tax strategy to wider business strategy Identifying and recognition of loan loss provisioning Controls over the functioning of the model Reporting and disclosure requirements Third party/ out-sourced partners relations Data security risk Business continuity and disaster recovery processes Resilience controls and processes Payment services regulation compliance Account switching requirements (going live in September 2013) Mobile payments (Spring 2014) Resolution and recovery plans, ring-fencing, intraday liquidity management, FATCA compliance, sanctions compliance and fraud prevention. 6

7 2014 Industry Topics Planning considerations Topics Cyber crime Data governance and quality Consideration for Internal Audit Exposure to cyber threats increases as companies embrace the digital world. Regulatory demands increase over security and public confidence is challenged. Controls over time to recover from a cyber attach and ability to reduce the net impact as well as preventative controls. Controls over the governance and quality of data Increasing regulatory attention. 7

8 2014 Industry Topics Planning considerations Topics Regulatory Conduct Risk Financial Crime Client assets Regulatory reporting Consideration for Internal Audit Compliance with the Conduct of Business rules (including COBS, ICOBS, MCOB and BCOBS sourcebooks). Identifying the likely end customer and how controls in place ensure focus on products and services meeting the long term interests of both retail and wholesale customers. Systems and controls to combat financial crime are robust and in line with regulations. Focus on AML. Arrangements over client assets in areas such as management processes, adequate trust letters, treatment of collateral, completeness and accuracy of the client money calculations, oversight of outsourced providers and sufficient management information and reporting. Compliance with the CASS rules. Second and third line of defence monitoring programmes. Regulatory data quality. Capital, liquidity and other prudential returns is increasingly being challenged as a result of peer group review. Challenge and oversight over regulatory reporting. Control framework surrounding the new COREP and FINREP data requirements. 8

9 2014 Methodology Topics Planning considerations and emerging best practices Topics IA processes Assessing skills and competency Consideration for Internal Audit Internal auditors are expected to increase both the value and impact of internal audit. Internal audit is required to have the necessary skills and experience that is commensurate with the risks of the organisation. The Guidance provides that the Chief Auditor should provide the Audit Committee with a regular assessment of the skills required to conduct the work needed and whether the internal audit budget is sufficient. The Audit Committee should be responsible for approving the internal audit budget and, as part of the Board s overall governance responsibility, should disclose in the annual report whether it is satisfied that Internal Audit has the appropriate resources. Opinion on internal control environment The Guidance suggests that an assessment of the overall effectiveness of the governance, risk and control framework of the organisation, including themes and trends emerging from internal audit work, should be provided at least annually. Internal Audit will need to create methodologies to assess the control environments, and support their conclusions. These methodologies include: review of internal audit data; and Review of data from first and second lines of defence. 9

10 2014 Methodology Topics Planning considerations and emerging best practices Topics Data Analytics Consideration for Internal Audit There is now an increased awareness of the power of using data analytics to support assurance activities, which has led to increased demand for enhanced analytics capability. While it is relatively simple to implement analytics tools, developing the skillsets to use the tools effectively, embedding their use into the audit plan and managing the target data is more challenging. 10

11 Internal Audit Hot Topics Governance The financial services sector has seen tremendous debate and increased scrutiny on governance. The Institute of Internal Auditors has recently recommended that internal auditors should have a voice in this area and include governance within its remit. Key drivers for focus on governance External drivers One or more of the following indicators were evident in financial institutions that failed during the crisis: A dysfunctional board A domineering CEO Insufficient active Board involvement Key posts being held by people without the required technical competence Inadequate four eyes oversight of risk Inadequate understanding of the aggregation of risk A UK listing requirement for an externally facilitated board effectiveness review and an increase in regulatory mandated reviews of governance. CIIA s Code for Effective Internal Audit in the FS Sector Internal drivers Alignment of culture, strategy and appetite Boards, NEDs, Audit and Risk Committees, Remuneration Committees Internal Audit and Risk Management Will audits be carried out on a standalone, end-to-end audit basis or will there be a series of intermittent audits to provide a continuous view or will a governance component be added to existing audit types? Will governance audits seek to provide a current point-in-time assessment or will they also have a forward looking component? What will be the split of focus on assessing the design versus the operating effectiveness of governance arrangements? 11

12 Processes Internal Audit Hot Topics Governance (continued) The role of Internal Audit The Code s guiding principles recommend IA to have a view Scope and priorities People and Culture: processes (e.g. remuneration, decision making), actions (e.g. accountability and direction) and tone at the top align with values, ethics, risk appetite, policies. Board and Committee: embedded within the activities, limits and reporting. MI for strategic and operational decision making: represents the risks. Setting strategy Board and Board Committees Depth of testing (an example) Basic extent of testing Review meeting minutes to demonstrate the existence of a committee and the fact that it meets frequently Reconcile the committee s Terms of Reference against meeting minutes to evidence core areas within its remit Moderate extent of testing Review member biographies to understand and assess the skills and experiences they bring Carry out a survey or conduct interviews with committee members to provide a qualitative dimension to the assessment e.g. asking for opinions and requesting examples of recent decisions and how those decisions were arrived at Review meeting minutes and action logs to assess the extent to which actions have teeth and are followed-up Setting risk appetite Management Information Management Committees Leading extent of testing Performance monitoring & management People Text & culture Organisational structure Structures Carry out a sample of stakeholder interviews outside of the committee to understand broader perceptions and experiences Policy management Setting incentivisation Reporting & analysis Control functions Governance model Assess how decisions are made via a sample of case studies, for example, evaluate the strategy setting process, evaluate how risk appetite is set and monitored. 12

13 Internal Audit Hot Topics Culture Banks, insurers, asset managers and broker firms are being driven to understand, measure, strengthen and report on their risk culture and the risk intelligence of their people as part of enhancing their risk management and control systems. Key drivers for risk intelligent cultures What the future looks like External drivers Increasing regulatory focus PRA Approach to Supervision CIIA s Code for Effective Internal Audit in the FS Sector Standard & Poor s approach for assessing companies ERM Increasing stakeholder pressures Tax - Annual Remuneration Report Remuneration Policy Statement form Internal drivers Alignment of risk culture, strategy, appetite and remuneration frameworks Boards, NEDs, Audit and Risk Committees, Remuneration Committees Internal Audit, Risk Management, Human Resources and Tax A key lever in building sustainable businesses Within three to five years, risk intelligence is likely to be a priority measure for assessing the quality and embedding of a firm s strategic plan, risk appetite, governance structure and its risk management and remuneration frameworks. 13

14 Risk intelligence Culture Internal Audit Hot Topics Culture (continued) What is it? What does good look like? Why does it matter? The values, implicit beliefs and ideas that give meaning to an organisation How values translate into behaviours The way people act how they work, make decisions, interact and ultimately how they deliver results The organisation s behavioural norms, management systems and symbols, and how these are aligned to encourage people to make the right riskrelated decisions, and exhibit desired risk management behaviours Behaviours Systems Symbols Commonality of purpose Universal adoption and application A learning organisation continuously improving Prompt, transparent, and honest communications Understanding the value of effective risk management Responsibility individual and collective Expectation of challenge Has a major impact on organisations Enables or inhibits achieving strategy Impacts bottom line results Culture and risk culture are really useful if done right; in particular they save a lot of time showing people how to do things; e.g. How can I be successful in my career follow or don t follow the normal behaviour of those around me. Can create a powerful and sustainable competitive advantage Risk management systems and controls are only as good as the people operating them. Vital for informed risk based decision making Increased confidence of external stakeholders. Risk intelligence helps to protect the organisation s assets, reputation and sustainability. 14

15 Internal Audit Hot Topics Culture (continued) The role of Internal Audit The Code s guiding principles recommend IA to have a view Risk and Control Culture: processes (e.g. remuneration, appraisal), actions (e.g. decision making) and tone at the top align with values, ethics, risk appetite, policies. Adherence to Risk Appetite: embedded within the activities, limits and reporting. Internal Governance: structures and processes operating effectively. MI for strategic and operational decision making: represents the risks. Scope and priorities Risk and Control Culture: attitude and approach at all levels to risk management and internal control. Polices and Processes: operating effectively; i.e. outcomes achieved align with the organisation s objectives, risk appetite and values. Risk Competence Motivation Knowledge Skills Learning Recruitment, Induction and Retention Performance Management Incentives Reward and Recognition Accountability Risk Intelligence Strategy and Objectives Values and Ethics Policies, Processes and Procedures Risk Governance Challenge Management Leadership Communication Organisation Relationship 15

16 Deliverables Activities Objectives Internal Audit Hot Topics Culture (continued) An example approach: 1. Develop tailored Cultural Assessment Model 2. Define Evidence Source Model 3. Develop implementation roadmap Provide a holistic, integrated company specific Cultural Assessment Model. Define a portfolio of sources of evidence that enable an assessment of culture at the company. Develop a flexible implementation roadmap that is tailored to the aims, objectives and timescales of the company. Identify and review existing frameworks. Leverage external culture and risk models as necessary. Develop an appropriate number of company specific cultural indicators. Identify existing sources of evidence. Assess availability and credibility of evidence sources. Develop additional/alternative sources of evidence, as required. Map evidence points to cultural indicators. Understand Internal Audit s immediate, medium and long term objectives relating to the level or assurance required. Define the phases, timings, priorities and resources required to embed the Cultural Assessment Framework as business as usual. Company specific Cultural Assessment Model. Evidence Source Model. Implementation Roadmap. 16

17 Internal Audit Hot Topics Risk Management There is a drive to not just challenge the processes and controls of a function but look at the way a risk is managed across the business and the responsibilities across the three lines of defence. Key drivers for risk management External drivers Increasing regulatory focus Basel Committee CIIA s Code for Effective Internal Audit in the FS Sector Financial Stability Board Increasing stakeholder pressures Internal drivers Alignment of risk management with business operations Boards, NEDs, Audit and Risk Committees, Remuneration Committees Internal Audit and Risk Management Challenge of the second line of defence 17

18 Validation Internal Audit Hot Topics Risk Management (continued) The role of Internal Audit Key areas for consideration: Assess Risk Management Frameworks (RMF) on a firm-wide basis as well as on an individual business line and legal entity basis; Risk Strategy & Appetite Risk Governance Risk Processes & Methodologies Identification, escalation and reporting of breaches in risk limits; Design and effectiveness of the RMF and its alignment with supervisory expectations; Implementation of the RMF, including linkage to strategic and business planning, compensation, and decision-making processes; Risk measurement techniques and MI used to monitor the firm s risk profile in relation to its risk appetite; and Risk Data & IT Systems Risk Management Skills, Resources & Culture Deficiencies in the RMF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner. 18

19 Validation Internal Audit Hot Topics Model Risk Management Key drivers for Model Risk Management Risk Strategy & Appetite External drivers Internal drivers Risk Governance Risk Processes & Methodologies Increasing regulatory focus High profile cases of model failures like Gaussian copulas in 2006 and JP Morgan in 2012 CIIA s Code for Effective Internal Audit in the FS Sector Increasing stakeholder pressures A need to improve and automate business operational processes Boards, NEDs, Audit and Risk Committees, Remuneration Committees Internal Audit and Risk Management Risk Data & IT Systems Risk Management Skills, Resources & Culture 19

20 Internal Audit Hot Topics Model Risk Management (continued) The role of Internal Audit Governance, Policies & Controls Model Governance framework. Policies, Standards and Procedures. Model inventory and documented limitations. Legal & Regulatory Compliance Governance, Policies & Control Qualitative Legal & Regulatory Compliance Model Risk Management Development, Implementation & Use Quantitative Validation Compliance with legal and regulatory requirements. Gaps against compliance requirements. Development, Implementation & Use Model approach and design including model methodology / technique. Quality of data and variables. Completeness of population and review. Model documentation, including verification of attempts to rebuild the model based on the documentation. Systems and accuracy of implementation. Verification of appropriate model usage subject to controls and limitations. Validation Validation standards and techniques; and verification of independence of development and validation teams. Testing model approval, overrides and calibration process. Assessment of regular review cycle. 20

21 Internal Audit Hot Topics Tax Risk Management Key drivers for Tax Risk Management External drivers Increasing focus on reputational risk (e.g. Starbucks, Amazon) Focus on minimising financial risk Increased complexities of financial products Internal drivers Ensure governance and control environment fulfils obligations to stakeholders Identification of significant errors and control deficiencies Ensuring new product approval processes and post implementation controls are adequate Corporate Tax Transfer pricing Tax return process Group relief and cash payments PE risks VAT Quarterly VAT return process Taxable vs exempt supplies Partial exemption Special Method Reverse charge application Capital Goods scheme Employment Taxes Payroll Benefits in kind Share plans and long term incentive schemes Pensions salary sacrifice Global mobility travel expense policy, short term business visitors 21

22 Internal Audit Hot Topics Tax Risk Management (continued) Operational Taxes The role of Internal Audit Governance, Policies & Controls Yearly Interest Type 17 reporting TDSI Tax Strategy. Tax Governance framework. Tax controls and systems Senior Accounting Officer certification; tax review processes for new products, investments and transactions; impact assessment of new tax legislation (e.g FATCA). Legal & Regulatory Compliance Type 18 reporting ISA compliance Withholding and Reporting Regimes FATCA EU Savings Directive Compliance with legal and regulatory requirements. Gaps against compliance requirements. SX1 returns CT61 returns Sch 36 22

23 Internal Audit Hot Topics Financial Crime Key drivers for Financial Crime risk Strategy & Risk Appetite External drivers Internal drivers Governance & Compliance Analytics, MI & Reporting Increasing regulatory focus High profile cases of AML/ alleged CTF failures, leading to fines (both personal and corporate) Increasing stakeholder pressures A need to upgrade skills, and refresh training A need to improve and automate business operational processes Boards, Audit and Risk Committees Element of personal accountability for the MLRO Policies & Procedures AML / CTF/ Sanctions Identity Theft Fraud, Market Abuse, Insider Trading Bribery & Corruption Technology & Systems Operations & People CDD Definition & Quality (Static &Transactional) 23

24 Internal Audit Hot Topics Financial Crime (continued) The role of Internal Audit Key areas for consideration: Financial Crime risk definition, identification and assessment; Financial Crime risk appetite and tolerance framework Transaction Monitoring Optimisation to produce more good alerts and fewer bad alerts Data Quality Assessments to allow for more reliable inputs into the customer screening and transaction monitoring processes Testing the effectiveness of customer screening to improve the firm s ability to identify PEPs Fine tuning threshold settings to reduce alerts whilst managing risk Validate that monitoring logic has been correctly implemented. 24

25 Key Contacts Staying ahead Alana Thorne Director Chit Ghee Yeoh Associate Director

26 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) Fax: +44 (0)