Financial Services. Internal Audit: What s on the horizon? kpmg.co.uk

Transcription

1 Financial Services Internal Audit: What s on the horizon? kpmg.co.uk

2 Contents Introduction 1 Information Security 2 Integrated Assurance any gaps in the plan? 2 Change portfolio is your change portfolio fit for purpose? 2 Business continuity, disaster recovery and business survival can you cope with a crisis? 3 Financial Crime (incl. Anti-Bribery and Corruption (AB&C)) are you covered? 3 Capital and Liquidity Management do you have enough to get by in a squeeze? 4 Corporate Governance how does it fit together? 4 Regulatory conduct preparedness how are your plans and progress reporting? 4 Credit Risk and Impairment how is your coverage and accuracy of systems and reporting? 5 Solvency II does the insurance industry have sufficient capital to cover its risks? 5 Outsourcing and Third Party Management are we still managing the risk effectively? 5

3 Internal Audit: What s on the horizon? 1 Introduction Being nimble is a critical attribute for all Financial Services Internal Audit teams. There is an ongoing responsibility to survey the landscape to look for new, or heightened, risks and ensuring scarce resources are directed to the areas that matter most brings with it a powerful combination of factors that mean the ability to adapt is more important than ever. Economic uncertainty, the fragility of the technology on which we depend, the search for new ways of working to drive efficiency, new market and product opportunities, regulation, human behaviour and the pace of organisational change, are all contributing to the increased velocity of emerging risks that can threaten business stability. With this in mind we have pulled together a summary of common risks impacting how Financial Services Internal Audit teams are looking at their future plans. Teams are also challenging established operating models to re-define how they provide assurance and add value to the organisations they serve. The areas being targeted include: Flexibility: The world is changing at a phenomenal pace. Internal audit plans must be regularly reviewed and challenged to ensure they remain relevant. If a plan looks the same as it did 12 months ago, alarm bells should be ringing. Effective challenge: Internal audit must be the control conscience of the organisation. The team should be clear in articulating what is needed from an assurance perspective and make sure their voice is heard, encouraging debate and securing the right resource and specialist skills. Refresh: Teams are taking a fresh look at their integrated governance, risk and control frameworks. Are roles clearly defined, and do activities fit seamlessly? Assurance mapping is just one example: do you have a clear picture of how all of your assurance activities are working together? Engage: Internal audit have a unique opportunity, and responsibility, to identify emerging risks and support the board and risk teams as part of an effective, integrated governance, risk and assurance cycle. Now is not the time to be a bystander. Innovate: With demands to do more for less, innovation is key. Enhanced self assessment processes or detailed control surveys are two examples. Embedding more and better use of technology is becoming the norm, ranging from data analytics to continuous audit initiatives. Be brave: Assurance spend must be managed efficiently just as in any other part of the business. However, when resource and budget constraints become the primary driver of assurance activity, something is wrong and concerns must be raised. The ongoing global turbulence and sheer velocity of business change means some of the issues faced may be new and uncharted, but the responsibility is no different: Internal Audit must support the strategic and risk management teams to understand the consequences of today s and tomorrow s business operations, what might go wrong and where Internal Audit can best support business objectives. Anthony Kennedy Partner, UK Head of Financial Services Internal Audit

4 2 Internal Audit: What s on the horizon? Internal Audit What s on the horizon? Information Security Threats to information security are more sophisticated and emerging faster. Now, organisations and individuals are being specifically targeted for attack and motivations arise for many reasons including from organised crime and political beliefs. This, combined with the pace of change and adoption of new technologies make all things IT an imperative. Data leakage have you classified data according to its sensitivity and can you identify where all your data is and who has access to it? Think about how the business is protecting itself against data leakage incidents, monitoring to detect where they may have occurred, creating effective incident response processes and updating your approach when a new threat arises. New technologies cloud computing, server virtualisation, increasing use of social media, near field communication and micro-payment systems are racing forward. Have you identified the risks and audit needs associated with a new technology, planned or recently implemented, for example: security; maintenance; vulnerability; contamination; backup/recovery? Understanding your specific cyber threat internal audit must consider the specific threat; does your industry, profile, nature of operations or relationships put you at a higher risk? If the answer is yes, direct the audit plan to focus on security. Skills and resources IT risks are complex and mercurial. Assurance has to be in place, delivered by teams with the right skills. Leaving black holes in the audit plan because of potential skills gaps must be avoided. Integrated Assurance any gaps in the plan? Do you have a clear picture of how well assurance activities are working together? Mapping out the different sources of assurance will help you challenge the status quo. The growth of the remit of Compliance and Risk has led to a challenge of certain Internal Audit activities. How do the three Lines of Defence operate together? How do you know that there aren t significant levels of assurance duplication? Are you comfortable that there are no gaps in your current overall assurance coverage? Are stakeholders confident that risks are being managed and reported on effectively and that critical obligations are being met? An assurance mapping exercise will provide a coordinated view of your assurance providers and introduce frameworks which promote closer working relationships, common goals, efficient coverage and consolidated reporting. Change portfolio is your change portfolio fit for purpose? It is an unprecedented time of change within the financial sector. In order for a business to meet its strategy, it is therefore key that its change portfolio is set-up and managed appropriately as well as the programmes and projects within it. How is the portfolio of change managed? Who is involved, what basis are prioritisation decisions made upon and how is progress reported to senior management? Are risk management principles sufficiently embedded and demonstrated? Is there a defined programme / project management methodology in place? How rigorously is this adhered to, and how are exceptions flagged and investigated to satisfactory resolution? To what extent are benefits of change projects measured and communicated to senior management? How is change resourced including use of internal and external resource, and also the internal audit team reviewing change? What technology is used in undertaking and monitoring change projects? How user friendly is this? How does Internal Audit collaborate with others?

5 Internal Audit: What s on the horizon? 3 Business continuity, disaster recovery and business survival can you cope with a crisis? Constant change is todays norm but are those changes reflected in existing and new business and IT service continuity arrangements? In planning audit work there are a broad range of considerations to consider. Is your business impact analysis good enough? Does it adequately determine business critical processes and functions, their critical dependencies, partners and recovery timescales? Have plans been adequately tested? Have you covered all the angles legacy infrastructure, a growing technology estate and new technologies such as Cloud? Are all group operations and different parts of the business fully aligned? Has crisis management been tested to restrict reputational damage? Has the business identified and worked with its critical partners? Ask suppliers for evidence of their testing plans. When looking at business continuity, consider more extreme disruptions; for example rioting, regime change, and extreme natural disasters. Is an industry recognised approach being followed to business continuity management (e.g., BS25999)? Skills and resources IT risks are complex and mercurial. Assurance has to be in place, delivered by teams with the right skills. Leaving black holes in the audit plan because of potential skills gaps must be avoided. Financial Crime (inc. Anti-Bribery and Corruption (AB&C)) are you covered? Firms continue to invest in improving their antifraud controls, including incorporating AB&C controls, to meet requirements of the UK Bribery Act 2010, effective from 1 July 2011, yet the level of internal and external fraud is still rising. Has the business mapped the fraud threat landscape against a changing controls environment? Has the exercise been reviewed to incorporate AB&C requirements? Is the business aware or in denial of the risk? Is there a fraud risk management strategy? Have you reviewed the existence and adequacy of fraud policy, staff training and awareness, and the fraud reporting structure? Do you include fraud risks in all audits and pull together a fraud risk picture as part of progress/annual reporting? Has restructuring of areas such as finance exposed controls to weakness or breach? Are fraud related roles clear? How robust and embedded is the programme in place to manage AB&C risks? Do contractual clauses with third parties and suppliers contain the appropriate AB&C clauses? How confident are you that your Anti Money Laundering (AML) controls are aligned to regulatory requirements and operating effectively, including AML reporting?

6 4 Internal Audit: What s on the horizon? Capital and Liquidity Management do you have enough to get by in a squeeze? The unprecedented events of the global financial crisis have led to worldwide tightening of credit lines and an increasing level of information demanded by regulators. There is a general drive towards understanding exposures and calculating associated liquidity and capital needs. How robust is the link between credit risk and capital requirements? Are you compliant with Basel II? What is the current role of Internal Audit in the ICAAP process? Are ratings and capital calculation models fit for purpose? How prepared are you for Basel III implementation and the requirements of the Independent Commission on Banking? Is your stress testing aligned with your peer group? How robust is your Individual Liquidity Adequacy Assessment (ILAA) reporting? How advanced/effective is your Recovery and Resolution Planning? What is the role of Internal Audit in this process? Corporate Governance how does it fit together? Turner, Walker, the FRC and the Independent Commission on Banking several independent bodies, all highlighting weaknesses in Corporate Governance. In the light of the worst global recession for almost 100 years; governments, regulators and the public alike are asking where did it all go wrong? What is the composition and skills of the Board? Is this evaluated annually? Are independence issues fully investigated and appropriately disclosed? Is succession planning effective? How are NEDs inducted? What knowledge and skills are they equipped with? How are they remunerated? Is there clear evidence of challenge? How does the Board Committee structure (including Sub-Committees) work? Is there transparency in reporting lines, responsibility and accountability? Is this effective and up to date? How are strategic goals defined, resources allocated and expectations managed? How effective are Risk Management and Internal Control processes? Are you aligned to the FSA Remuneration Code? Regulatory conduct preparedness how are your plans and progress reporting? The global regulatory regime is experiencing unprecedented change, none more so than in the UK. Against this backdrop the Financial Conduct Authority is being established (2013) and a series of policies are being released which firms will be required to comply with. Are you familiar with timetables of AIFMD, UCITS IV, Retail Distribution Review, FATCA, MiFID, MMR and Client Assets? Are you ready to assist a more intrusive regulator with their enquiries? Is your MI accurate, timely and complete? What independent assurance are Internal Audit providing regarding the preparedness of your organisation to meet these new requirements? What is the extent of your role? Are you consulted as plans progress? Is your progress reporting timely and correctly focused? Is your existing Internal Audit coverage of conduct issues sufficient covering sales, customer targeting, TCF, the effectiveness of the Compliance function, etc

7 Internal Audit: What s on the horizon? 5 Credit Risk and Impairment how is your coverage and accuracy of systems and reporting? From a micro level the ability of individuals to repay loans, to a macro level the threats to sovereign debt within the EU the area of credit risk is increasingly becoming a key driver in business strategy, exacerbated by the direct link to capital requirements under Basel III and Solvency II. What does credit risk mean to your organisation? Does this cover retail, commercial and wholesale risks? What MI and training is provided to senior management in this area? What kind of measures are used to capture and monitor wholesale counterparty risk, does this include primary and market sensitive indicators, and are all deposits and derivatives of subsidiaries covered? How timely is this measurement? Are the Board aware of the scale of forbearance activities and possible impact on arrears and provision balances? How involved are Internal Audit in reviewing impairment processes? Can management be confident in the accuracy of arrears and impairment data? Are models fit for purpose? Solvency II does the insurance industry have sufficient capital to cover its risks? The goal of Solvency II is to create a risk-based Solvency regime for the insurance industry, consistently applied throughout Europe. The first wave of implementation is scheduled for 1 Jan Is Internal Audit geared to fulfil its role in the drive for implementation and embedding? What is the nature of Internal Audit involvement in Pillar I calculations data integrity, capital model reviews, stress and reverse stress testing, etc? How robust is the change programme to support Solvency II activity are systems and governance structures embedded and fit for purpose? Is Internal Audit independently assessing Pillar II processes, including how the organisation has calculated it Own Risk and Solvency Assessment (ORSA), particularly challenging the completeness of risks faced and compliance, on a continuous basis, with capital requirements and technical provisions. Are Pillar III disclosures consistent (private and public reporting), timely, complete and analysis undertaken to align with wider financial reporting? Outsourcing and Third Party Management are we still managing the risk effectively? The increasing globalisation of business has led to a significant volume of outsourcing and use of third parties, typically including off-shoring of support functions. Is there adequate understanding of the risks of outsourcing and offshoring? Have these circumstances been factored into the work of assurance providers, including the Internal Audit plan? Are you brave enough to de-scope immaterial areas? How do you assess third parties risk management and regulatory compliance systems and controls? Role for ISAE3402/3000? Do we know which third parties we are doing business with? Have we run all required background checks and investigated results to satisfactory resolution? Are suitable contracts in place? Are we compliant with SYSC 8 requirements, and can we clearly demonstrate this ongoing compliance, including reporting to Executive Management? What is the strategy for third parties? Are there clear lines of accountability and responsibility when dealing with third parties? How effectively are controls operated across Procurement, Finance, Risk, HR and the Operations? If you are an outsourcer, how do you manage client reviews?

8 If you have any questions, please feel free to contact any of the below: Anthony Kennedy Partner, UK Head of Financial Services Internal Audit T: M: E: Richard Gabbertas Partner, FS Internal Audit, Head of Regions T: M: E: David Fineberg Director, Internal Audit, Banking T: M: E: Katie Clinton Director, Internal Audit, Insurance T: M: E: Amir Sethu Director, Internal Audit, Insurance T: M: E: Richard Scott-Hopkins Director, Internal Audit, Investment Management T: M: E: The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. Printed in the United Kingdom. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. RR Donnelley I RRD I March 2012 I Printed on recycled material.