System Auditing and Reporting for the Federal Reserve System

Transcription

1 System Auditing and Reporting for the Federal Reserve System Audrey A. Foster, Officer Audit May 21, 2015 Internal FR

2 System Auditing and Reporting for the FRS - Agenda FRS Audit Structure Summary Conference of General Auditors Committee on Audit Standards and Effectiveness Committee on System Auditing Types of Audits System Auditing General Auditors Responsibilities Alignment of Businesses System Audit Competencies Centers System Audit Plan Endorsement and Execution System Reporting 2

3 FRS Audit Structure Summary 12 Districts, 12 Reserve Banks, 12 Entities Board of Directors and Audit Committees General Auditors Conference of General Auditors (COGA) 3

4 Conference of General Auditors (COGA) Mission Provide independent, objective internal audit services designed to add value and improve the Federal Reserve System s risk management, control, and governance processes, and support the achievement of its objectives. Vision Serve as valued advisors who provide innovative internal audit services and deliver forward-looking, risk-focused perspectives to influence positive outcomes. 4

5 Conference of General Auditors (COGA) Bring a comprehensive approach to assessing the effectiveness of the Federal Reserve Banks risk management, control and governance processes using an independent vantage point, audit skills and broad knowledge of System activities Discuss matters of mutual concern and, as may be appropriate, adopt policies and/or solutions to shared problems Confer with and suggest specific courses of action to the Conference of Chairmen and the Board of Governors of the Federal Reserve System ( BOG ) or other appropriate entity on matters of mutual concern or risk/control that affect the Federal Reserve Banks Annually review and endorse the scope of internal audit coverage included in the System Audit Plan for consolidated and centralized services, as well as other business and support functions 5

6 COGA Organization Steering Committee Brian Bowling, Chair Josias Aleman, Vice Chair Ted Smith, Past Chair Mike Renfro, Emeritus Mark Meder, Member Paul Bettge, BOG Liaison Committee on System Auditing (CoSA) Jeff Marcus, Chair Linda Gilligan Mike Stough Clive Blackwood Bill Pullen, BOG Liaison Committee on Audit Standards and Effectiveness (CASE) Glenda Balfantz, Chair Buddy Marx Azher Abassi Michelle Scipione Jeff Thomas, SCAD Liaison Heather Robinson, BOG Liaison 6

7 Committee on Audit Standards and Effectiveness (CASE) Chaired by Glenda Balfantz, VP and General Auditor FRB Dallas Role Promote effective and efficient internal audit practices in Federal Reserve Banks that are consistent with professional auditing standards. Responsibilities Monitor developments in professional auditing standards Maintain risk assessment methodology Promote talent development Provide efficient and effective audit automation environment 7

8 Committee on System Auditing (CoSA) Chaired by Jeff Marcus, VP and General Auditor FRB Chicago Role Assure COGA awareness of and involvement in System level issues and initiatives of significant audit interest, including System coverage of System business activities commensurate with risk. Responsibilities Assess current and emerging System risks and trends and recommend action Coordinate annual process to develop and maintain a System Audit Plan Recommend audit coverage, which may encompass both common audit strategies and programs for implementation in individual Reserve Banks Prepare COGA Annual Report for distribution to key stakeholders 8

9 Types of Audits Local Audit An audit activity performed at the direction of the local GA on operations that generally only impact the respective Reserve Bank. Reliance Audit An audit of a shared risk activity / centralized business line that is concentrated in one or a few Reserve Banks. Work done for the benefit of all Reserve Banks Driven by the Risk Assessment Methodology System Overarching and Key Business Risks 9

10 Types of Audits System Audit Risks and controls that span across the FRS, and generally requires the participation of all Reserve Bank audit functions. Strongly tie to a System Risks and/or focus on interdependencies that have a System impact. The individual or group with accountability for taking action on audit recommendations should be defined, including the relationship to applicable governance bodies. This determines the report recipient(s). The lead GA provides oversight of the System audit to ensure adherence to IIA Standards and take steps to promote consistency in the work performed across districts to support rendering an audit opinion. 10

11 System Auditing On an annual basis, COGA develops and endorses a System Audit Plan to ensure there is a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes in the Federal Reserve System The plan allows the System audit community to coordinate resources and provide risk-based audit coverage to consolidated or centralized business activities and other district specific activities warranted by risk. 11

12 System Audit Plan Development The System Audit Plan development process begins with an identification of broad overarching risk themes present in the Federal Reserve System. The themes are based on: Enterprise Risk Management (ERM) Community Perspective Board of Governors Perspectives on System Risks Interviews with System Leaders COGA s Perspective In addition to the overarching risks, business line-specific risks are also identified. 12

13 System Auditing Process Inputs Risk Discussions with Senior Management Enterprise Risk Management Consolidated Assessment of Risk (CAR) report Prior Audits Performed Business Liaison Activities Risk Events New Products Laws and Regulations 13

14 Evolution of General Auditor Point of Contact/Risk Champions Coordinating General Auditor General Auditor Point of Contact Risk Champion 14

15 Coordinating General Auditors Roles and Responsibilities Develop and follow an approach to provide comprehensive audit attention for a business function. The CGA may provide this provide audit attention independently or may rely on other GAs. Assess risks for central services & assist COGA in understanding risks Plan and execute comprehensive coverage for central service Recommend audit strategies that may span Districts Summarize results of audit work for the COGA Annual Report 15

16 Coordinating General Auditor Responsibilities Coordinating General Auditor (CGA) Business Line District Cash Product Office Customer Relations and Support Office Financial Support Office Information Technology Retail Product Office Treasury Relations and Support Office Wholesale Product Office San Francisco Chicago Boston Richmond Atlanta St. Louis New York 16

17 General Point of Contact (GPC) Roles and Responsibilities Develop audit objectives and steps and keeping common audit programs based on common risks across Reserve Banks Assess risk in business function and assist COGA in understanding the potential risks in District operations Recommend audit objectives for District business functions Maintain common audit programs and related information Summarize results of work for the COGA Annual Report 17

18 Coordinating General Auditor Responsibilities General Auditor Point of Contact (GPC) Business Function Administrative Services Banking Supervision Business Continuity & Resiliency Credit and Risk Management Enterprise Risk Management Human Resources Office of Employee Benefits OMWI Open Market and CBIAS Public Information, Research and Statistics & Reserves District Philadelphia Minneapolis Cleveland New York Cleveland Kansas City New York Kansas City New York Dallas 18

19 Risk Champion Roles and Responsibilities Developing and follow an approach to promote awareness and understanding of a System wide risk by encouraging adequate coverage in System and District level audits Identify factors contributing to the risk theme Provide direction on specific steps to be performed to gather information needed to assess risk theme Gather the results of related internal audit work and facilitate forums Maintain awareness of and evaluate management s actions to address risk 19

20 Risk Champions 2015 System Overarching Risk Risk Champion Cyber Security Program & Technology Management Outsourced Service Providers Resiliency Richmond Dallas & Richmond Kansas City Cleveland 20

21 12 Districts Alignment of Businesses 9 Minneapolis Banking Supervision 7 Chicago Customer Relations 4 Cleveland Business Continuity Enterprise Risk Mgmt 1 Boston Financial Management 12 San Francisco Cash 10 Kansas City Human Resources 8 St. Louis Treasury 2 New York SOMA, Wholesale, OEB 3 Philadelphia Administrative Services 11 Dallas Public Affairs, Research and Statistics 6 Atlanta Retail 5 Richmond Information Technology, Credit and Risk Management District CGA Responsibility Example Wholesale footprint in shaded Districts 21

22 Audit Competency Centers Financial Management Human Resources IT Audit Group (ITAG) QA Knowledge Forum System Audit Tools Repository RBOPS Internal Audit Information Exchange Administrative Services Treasury Services Program Management Knowledge Forum Business Continuity Cash Supervision and Regulation Statistics and Reserves 22

23 System Audit Competency Centers Information Technology Audit Group (ITAG) Leverages the collective talents of the IT audit community to facilitate consistent, comprehensive, and effective coverage of the Federal Reserve System s IT environment. Audit Competency Center for Treasury Services Facilitate a collaborative system-wide information exchange for guidance, awareness, training, and communication to strengthen technical knowledge and system-wide audit expertise. Statistics and Reserves Audit Competency Center (StRACC) Serving as a knowledge resource of System Audit Community. Research Audit Competency Center (RACC) Focuses on expertise and support to district auditors as they monitor and audit local research operations. Human Resources Audit Coordination Team (HRACT) Facilitate the sharing of Human Resources (HR) information across the System and supports the development of audit competency centers. 23

24 System Audit Plan Timeline 24

25 System Audit Plan Endorsement and Execution Present to COGA for endorsement Request Audit and Risk Committee approval for the Audit Plan which includes System and FRBNY specific activities. Begin execution of the Audit Plan. Report the progress and results of Audit and Program Management Reviews on an ongoing basis. Deliver a summary of the effectiveness of risk management, control, and governance processes in the Federal Reserve System to Audit Committees and Senior Management in the COGA Annual Report. 25

26 System Reporting 2014 COGA Annual Report Timeline January 16, 2015 FINAL: October 28, COGA approval of timeline & milestones 2. COGA approval of Report approach 1. Summaries from Risk Champions 2. Summaries of Audit Work Related to Centralized & Consolidated Activities 3. CGAs and GPCs Communicate Thematic Concerns (GPCs if needed) End of year - AACC to provide data on results of the 2014 SAP (Coordinate with SAP Liaison). January 28, 2015 Solicit comments from ERM and Board February 9-16, 2015 COGA discussion of report December 13, 2014 DRAFT (as available): 1. Summaries from Risk Champions 2. Summaries of Audit Work Related to Centralized & Consolidated Activities 3. CGAs and GPCs Communicate Thematic Concerns (GPCs if needed) January 19-23, 2015 CoSA discussion February 2, 2015 Draft Report provided to COGA February 27, 2015 Issue Final 2014 COGA Annual Report End of year - AACC to provide data on results of the 2014 SAP (Coordinate with SAP Liaison). 26

27 System Reporting Stakeholders Audit Committees of the 12 Banks and key business leaders across the FRS Report results of System audit coverage and System Risks Forward looking perspective Trends and emerging issues 27

28 2014 COGA Annual Report Contents Executive Summary 2014 System Overarching Risks 2015 System Risks 2014 System Audit Plan and Results 2014 Summaries of Audit Work Related to Centralized and Consolidated Activities Local Unconsolidated Activities with Work Coordinated by COGA 2015 System Audit Plan 28

29 Effective System Auditing and Reporting for the FRS Communication Coordination Collaboration 29

30 Questions Address: Audrey A. Foster Internal FR