Financial Services Internal Audit Increased expectations of value

Transcription

1 Financial Services Internal Audit Increased expectations of value The critical issues financial institutions face today are affecting their entire business. The industry continues to face regulatory reform and rapidly growing regulatory demands and expectations, combined with pressures to implement cost-effective technologies, acquire talent, deal with changing customer behaviors, and meet increasing demands from stakeholders are forcing financial institutions to rethink business strategies, which inherently introduces new risk. The volatile business environment in which financial services companies operate is prompting them to transform operations. According to the PwC 2015 State of the Internal Audit Profession Study - Finding True North in a period of rapid transformation, two-thirds of financial services companies have recently gone through or are going through a business transformation, and an additional 13% anticipate doing so in the next two years. Transformation comes hand in hand with new risks: 70% of financial services participants said risks to their companies are increasing either significantly or moderately; only 3% said risks were decreasing. In the asset management, banking and capital markets, business services, and insurance sectors, more than 360 chief audit executives (CAEs), senior management, and board members participated in PwC s annual study by contributing their opinions on the capabilities, skills, and value of their internal audit functions. Our study revealed stakeholder expectations of internal audit performance are rising as financial services institutions react to increased regulatory scrutiny and pressure. Likely as a result of those heightened expectations, the percentage of all financial services respondents who say internal audit provides significant value has decreased from 2014 to 2015 by approximately 14 points. As expectations and the demands on internal audit functions rise, the bar for defining significant value also rises, forcing internal audit functions to elevate their performance in order to continue to add value to their organizations.

2 Our organization is focused on becoming a digital leader, which requires constant innovation in an environment that can easily adapt and flex. Similarly, internal audit must disrupt its conventional thinking innovating in tandem with its business partners and developing centers of excellence to bring value to our stakeholders. Jim Tietjen, Executive Vice President and Chief Auditor, Capital One Financial, USA At a time when the sector is facing business transformation, greater risk, and increased pressure from regulators, internal audit s ability to perform against expectations is of paramount importance. Our study shows that internal audit functions adding the greatest value are adaptive to their company s risk landscape. Internal audit is actively involved in the most impactful business imperatives, offering a proactive perspective on all business risks (strategic, compliance, financial, and operational) and providing recommendations on how to mitigate risks before they occur. The majority of financial services survey respondents report they Figure 1 have not reached that level of value. When asked to define the contribution their internal audit functions are providing, the majority said their internal audit departments were either delivering objective assurance on the effectiveness of internal controls (28%) or delivering a combination of objective assurance and problem solving by performing analysis and offering perspective on the root causes of issues (37%). PwC introduced in the survey the concept of trusted advisor two years ago. In this year s survey, just 10% of financial services respondents identified their internal audit function as being a trusted advisor, providing value-added services and proactive strategic advice for the business well beyond the execution of the audit plan (Figure 1). However, in line with the company s heightened expectations, stakeholders and CAEs alike expect to evolve to be a proactive contributor to business initiatives. Within the next five years, the majority of financial services stakeholders and CAEs (54%) expect internal audit to move up the value spectrum and become a Trusted Advisor Current perception of internal audit value Expected internal audit value in 5 years Trusted advisor 10% 54% Insight generator 23% 28% Problem solver 37% 11% Assurance provider 28% 2% 2

3 To add significant value and become a trusted advisor, an internal audit department must look beyond effective and efficient execution of the audit plan in order to incorporate other value-added services, including providing strategic advice. When asked what would enable internal audit departments to contribute at that strategic level, financial services respondents identified the following critical areas: risk focus, business acumen, talent, alignment across the lines of defense, and use of data analytics (Figure 2). Figure 2: Top factors enabling internal audit to contribute to strategic initiatives Risk focus Business acumen Talent/Resource skills Alignment with ERM, other lines of defense Use of data analytics 0% 20% 40% 60% 80% Percent of respondents rating each area as a significant enabler Finanacial Services Global -all industries Management and audit committee support is clearly imperative if internal audit is to raise its performance and value. That support also ranked high as an enabler of internal audit s success. In large part, such support will be achieved if internal audit executes well across the identified focus areas. That is, internal audit needs to (1) be forward-thinking and risk focused, (2) demonstrate understanding of the business through a diverse team of professionals, and (3) align with the organizational risk management framework. That increased support will also result in management and the audit committee s call for internal audit s input on a more frequent and strategic basis. Thus, progressing in those high-priority areas is fundamental to internal audit remaining a valuable contributor to the business and keeping pace with the rapidly changing financial services industry. 3

4 Focusing on the right risks at the right time In our survey, 85% of financial services companies reported their internal audit function performs well in focusing on the critical risks and issues the companies are facing, yet when asked about internal audit s role in their transformational initiatives, financial services respondents reported that internal audit is not always involved (Figure 3). For example, most financial services internal audit functions are involved in increasing their companies risk management and compliance capabilities, which is important given the expectations of regulatory requirements such as the Volcker rule in Dodd-Frank. However, less than half are involved in growth initiatives such as developing new products and services and increasing sales and marketing activities. Internal audit s involvement in these areas is also important. For example, given the heavy focus on anti money laundering (AML) compliance requirements, internal audit needs to be involved in new products and services, with a process in place to understand such new offerings and provide insight on new AML risks. Internal audit functions that are involved in sales and marketing discussions are providing advice on emerging regulatory risks and controls critical given the uptick in consumer regulations within the sector. Figure 3: Top financial services initiatives and internal audit s involvement Implementing privacy and security controls Increasing risk management or compliance capabilities Focusing on cost reduction and/or learn initiatives Developing new products and services Increasing marketing and sales activities 0% 10% 20% 30% 40% 50% 60% 70% Internal audit is involved Company is undertaking the initiative 4

5 The survey data also shows that financial services internal audit functions that are adding significant value are not just involved in the initiatives but also engaging at the optimal time in the process to be able to focus on strategic risks ahead of risk occurrence. More than twothirds of these highly valued internal audit functions get involved in transformational initiatives early, providing a proactive perspective on controls before risk occurrence (Figure 4). That compares with just 15% of all other financial services internal audit functions. This represents a marked difference in the ways valued internal audit functions are operating relative to their peers. Figure 4: How financial services internal audit functions are participating in transformational initiatives Financial services internal audit functions contributing significant value 12% 16% 3% 68% Providing a proactive perspective and recommendations on internal control before risk occurrence Identifying risk during the annual risk assessment process Auditing processes and controls for mitigating risk once they are in place, but before risk occurrence Auditing processes and controls for mitigating risk after risk occuerence (in response to risk occurrence) All other financial services internal audit functions 46% 17% 15% 22% To continue elevating both strategic and proactive involvement, audit functions that contribute significant value look for opportunities to partner with the business outside of audits and to increase trust through such activities as helping the business prepare for regulator examinations. Additionally, those internal audit functions look for ways to innovate and to disrupt their conventional thinking. They are creative in their approach and keep an open mind toward new methods and technologies so as to better address today s growing stakeholder and regulatory expectations. If internal audit says it is going to learn business acumen, it will fail. Internal audit needs people who will train themselves by digging into the details, and that starts with intellectual curiosity. Intellectual curiosity is key. Ninette Caruso, Chief Audit Executive, Genworth Financial, USA 5

6 Elevating talent and business acumen Sourcing and developing internal audit talent are continuing battles in the financial services industry. Internal audit s performance in this area dropped by 15 points from 2014 to 2015: from 68% performing well in obtaining, training, and/or sourcing the right talent in 2014 to 53% performing well this year. Despite all of the change the industry is undergoing, many financial services internal audit groups are comprised primarily of traditional internal audit skills. Financial controls, general information technology (IT), compliance, and business continuity are all skills that the vast majority of financial services internal audit departments possess internally (Figure 5). Internal audit functions providing significant value have a mix of talent, recognizing that nontraditional backgrounds bring different and valued perspectives. In areas where internal audit might not have deep experience such as model validation, data, credit, liquidity, and market risks internal audit tends to turn to third parties for specialized skills. Many find cosourcing an effective way to gain access to a variety of talent and technological capabilities. Further, financial services internal audit departments we interviewed are expanding their use of data analytics and elevating their data skills across all auditors. Survey results indicate that nearly two-thirds of financial services CAEs believe their internal audit departments already possess data analytics skills. Of those who say they don t possess those skills, just over half plan to build them internally, and 12% plan to fill the gap by using third parties. Figure 5: Skills currently possessed by internal audit departments in financial services Financial controls Compliance (including fraud & ethics) General IT Business continuity Data analytics Data privacy Specialized IT 0% 20% 40% 60% 80% 100% Internally Internally and through third parties Through third parties 6

7 Aligning with enterprise risk management and other second-line-ofdefense functions Protecting a company from risks presented by industry change and reaching the elevated value expected by stakeholders are far more possible and more effective if internal audit is aligned with the company s enterprise risk management program and other second-line-of-defense functions, including operational risk and compliance. However, our study showed that only 49% of financial services companies said they have formal processes to aggregate and review risk across the company. While internal audit functions need to remain independent of the other risk functions, and be positioned to evaluate their effectiveness, by aligning their efforts where possible and operating with a common definition of risk, the overall risk coverage and risk management effectiveness are improved. Internal audit departments we interviewed indicated that the time is right to synchronize the efforts of the three lines of defense and drive collaboration. That collaboration can positively affect the organization s viewpoint toward internal audit as well as internal audit s overall relationships across the organization. Our study also shows that among internal audit functions adding significant value: 81% agree with the statement, We do our best to determine all the risks associated with our growth strategy, and we focus our efforts on mitigating risks once we ve put our plans into action. In considering the increased regulations financial services companies are facing today, companies have sharpened their focus on reputation risk because news headlines routinely highlight noncompliance. For instance, with new legislation and regulations in the US such as OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches legislation at the forefront of management and internal audit focus, leading internal audit functions in the US we interviewed are coordinating with second-line-ofdefense functions to develop plans that will validate the new regulatory expectations. Part 30 establishes minimum standards for the design and implementation of a risk governance framework. In short, the guidelines require management to define and communicate its risk appetite, establish a well-defined personnel management program, and have internal audit monitor management s alignment efforts. As discussed in PwC s Financial Services Regulatory Brief from February 2014, some firms will have more difficulty than others in enhancing their operations so as to meet the new requirements. Even though the new requirements are not yet in effect, our research indicates that as banks are developing their plans, internal audit departments may be called on to assist in both performing initial assessment of plans and certifying overall validation of compliance along with the second-line-ofdefense functions. More data is not better; better data is better. Carolyn Chin, Audit Committee Chair, State Farm Bank, USA 92% said their company s risk management program is fully aligned with internal audit. 7

8 Leveraging data to provide direction As business operations become more proficient in their use of both structured and unstructured data, analytics are informing decisions across the company in ways never before considered. Whereas most internal audit functions are experimenting with analytics (Figure 6), those internal audit functions that are keeping pace with their companies in this area are more advanced in their use of data, including wider application across the audit life cycle. For example, survey results indicate there is a desire that internal audit use data analytics to help in its risk assessments. And even though 52% of financial services respondents said they are currently using data analytics for risk analysis, more can be done. Effective analytics as part of risk analysis is an area where internal audit can expand its organizational role to that of a trusted advisor by adding value beyond effective and efficient execution of the audit plan. Financial services companies are starting to use data analytics in AML, but this, too, is an area in which more could be done. Internal audit could also use analytics around mortgage and credit card approvals to find out whether the business is redlining, following its own guidelines on credit scores, and more. Our research shows that highperforming functions are using data in support of antibribery and anticorruption by analyzing s, scrutinizing expenses, investigating vendors, and researching other data to target audits and test controls. In the insurance sector, claims processing is a high-priority area for internal audit s use of data analytics by providing a focus for audits based on claims denied versus claims paid and other demographic characteristics. Building the right skills in internal audit paves a critical path to broader use of analytics by the function. Among internal audit functions that have the skills in place, the next step has involved promoting creativity in the ways analytics are being used in audits and across the risk assessment, planning, scoping and reporting phases of the audit lifecycle. Figure 6: Internal audit's use of data analytics (all respondents) Risk analytics Fraud management Compliance monitoring of operational controls Anti money laundering Dashboard reporting Customer-and revenue-related analytics Profit and loss; pricing and profitability Vendor analysis Investments and trade Customer care and customer service management 0% 20% 40% 60% 80% 100% Currently using Not using but plan to Do not plan to use 8

9 Contributing value as the business changes In an environment in which financial services companies are pressured to evolve on many fronts, internal audit functions providing significant value are evolving as well, thereby raising the bar on the levels of performance and value they deliver for their organizations. To make the journey, CAEs and stakeholders begin by determining how and where internal audit should be contributing, with a vision that challenges the status quo and pushes internal audit to think beyond standard objectives and deliverables. That vision comes to life by way of an internal audit strategic plan where the function s true north is defined, charting a path to where the function should move, not constrained by current limitations. This new vision almost always begins with a mind-set shift. As our research indicates, such a plan will include a focus on the right risk at the right time, intentional and proactive talent development, alignment with other lines of defense, and the use of data throughout the internal audit life cycle. It is important for internal audit to have a strategic plan to complement the audit plan a plan that focuses on what internal audit needs to do to continue to evolve, improve, and deliver value to the organization. Karla Munden, Senior Vice President, Chief Audit Executive, Lincoln Financial Group, USA 9

10 To have a deeper conversation about how this subject may affect your business, contact: Jason Pett, Partner US Internal Audit Services Leader jason.pett@us.pwc.com John Feely, Partner Global Internal Audit Services Leader +61 (2) john.feely@au.pwc.com Michelle Hubble, Partner US Internal Audit Services Center of Excellence Leader michelle.hubble@us.pwc.com Princy Jain, Partner Internal Audit Services princy.jain@us.pwc.com Thomas Snyder, Partner Internal Audit Services thomas.h.snyder@us.pwc.com Abhinav Aggarwal, Partner Financial Services Internal Audit Services abhinav.aggarwal@us.pwc.com Hanh Pham, Director Financial Services Internal Audit Services hanh.pham@us.pwc.com 2015 PwC. All rights reserved. PwC and PwC US refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only and should not be used as a substitute for consultation with professional advisors. PwC US helps organizations and individuals create the value they re looking for. We re a member of the PwC network of firms, with 169,000 people in 158 countries. We re committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us at