Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm


Presenters: Mike Brown, Senior Vice President, Corporate Audit, State Street Corporation; Rich Reynolds, Partner, PricewaterhouseCoopers

Presentation overview
- Transforming your focus on the real risks
- A practical framework for risk assessment
- Open discussion

Transforming your focus on the real risks

Transforming your focus on the real risks
The credit crisis has surfaced new challenges for risk management and has challenged internal audit to reconsider its role.
- Board oversight. Shareholders are demanding that boards demonstrably strengthen their oversight of risk management activities.
- No silver bullets in risk management design, methodology or technology. Execution has been the clear differentiator: timely and effective identification, communication and escalation of issues, combined with clear roles and responsibilities, strong supervisory oversight and good judgment, have separated the market casualties from the big losers.
- Change management is key to risk management. In general, firms have over-relied on objective factors and historical data points. As a result, many firms were on autopilot and did not identify, or appropriately react to, changes in market conditions, increases in risk appetite and/or aggressive business strategies.
- Operating style and culture are critical to execution effectiveness:
  - Accountability: clear roles and responsibilities from top to bottom
  - Full transparency: rapid escalation of issues, quick to admit mistakes
  - Attention to detail: applies at all levels
  - Continuous improvement: emphasis on lessons learned from unexpected events (positive or negative)
  - Collegial tension: challenging others is the expected behavior of real partners
  - Leaders of support and control functions have equal stature to front office personnel: no overrides

Transforming your focus on the real risks: are you focused on the real risks?
How value is destroyed in companies (reasons for decreases in shareholder value):
- Strategic and business: 68%
- Operational: 13%
- Financial: 12%
- Compliance: 6%
Source: The Future of Internal Audit, Corporate Executive Board, 2010 (see Appendix for breakdown of value decline drivers).
However, in most organizations a significant percentage of internal audit resources is focused on financial controls.

Transforming your focus on the real risks: transformed vs. traditional risk assessment approach (comparison figure not reproduced in the transcription)

Transforming your focus on the real risks: strategic alignment of Internal Audit's plan
- Focus should be on processes that are critical to shareholder value.
- Internal Audit scope should be directly linked to the organization's strategic themes and critical processes.
- Prioritize Internal Audit resources to audits with potential for greatest impact.
A value driver analysis can be a holistic way of capturing and understanding company business strategy and the activities that drive shareholder value. The underlying logic is that:
- Financial performance is a result of delivering an attractive customer value proposition.
- The combination of value-creating activities and core enablers delivers value for customers and shareholders.
The value driver analysis allows Internal Audit to catalog key value drivers and better link audit activities to shareholder value.

Transforming your focus on the real risks: using a strategy map (figure not reproduced in the transcription)

Transforming your focus on the real risks: the audit universe is constructed from these critical processes and programs, and key change initiatives.
Processes, programs and initiatives (targeted improvement in parentheses):
Capital Management
  1. Balance sheet management (Significant)
  2. Liquidity risk management and reporting (Limited)
  3. Global cash management (Significant)
  4. Capital allocation and RAPM (Limited)
  5. TARP compliance (Major)
Customer Service
  6. Off-shored processes (Limited)
  7. Client relationship management (Significant)
  8. Lean initiative (Limited)
Innovation and Branding
  9. Alliance development (Limited)
  10. New product development and launch (Limited)
  11. Research and development (Significant)
Corporate and Social Responsibility
  12. CSR reporting (Significant)
  13. Labor compliance program (Significant)
  14. Social responsibility program (Significant)
  15. Diversity program (Significant)
Audit Priority Matrix (figure): items 1-15 plotted by impact on shareholder value (Insignificant, Low, Moderate, Major, Critical) against current process and control maturity (Ad-hoc, Repeatable, Defined, Managed, Optimized); cell placement not recoverable from the transcription.
The audit universe is prioritized based on impact on shareholder value drivers and on the current and targeted maturity of the processes, programs and initiatives.

Key Considerations for Designing a Risk Assessment Process
There is no one-size-fits-all solution, and no two audit departments have identical processes. Sample leading practice elements include:
- Top-down versus bottom-up approach
- Macro and micro plan
- Continuous risk assessment and dynamic plan
- Tiered audit scoping approach
Further considerations:
- The solution should focus on resolving known weaknesses without losing current strengths.
- High-performing audit departments have approaches to address emerging risks and incorporate them into their current audit plans.
- Regulatory and other stakeholder expectations must be considered but should not be the sole driver of a solution.
- Technology is an enabler, not a solution.
- Ultimately, the risk assessment process must align with the company's strategic objectives.

Establishing the Overall Objectives of the Process
Since there are practical limitations to any approach to assessing risk and developing an audit plan, it is important to establish and prioritize the primary objectives of the process. Some typical objectives include:
- Protecting resources and helping focus them appropriately (i.e., on areas of high risk)
- Empowering auditors with the appropriate flexibility to decide the right product, at the right time
- Rationalizing the audit universe while ensuring completeness and consistency
- Ensuring convergence: coordinating with other governance and control functions to the extent practical
- Creating a responsive, dynamic planning and risk assessment process
- Promoting more effective relationship management and regular engagement with the business
- Establishing clear linkage among risk assessment, continuous monitoring and the audit plan to ensure appropriate coverage
- Increasing efficiency and effectiveness
- Satisfying key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

Banks differ in their approaches to risk assessment (survey of 10 institutions; count of institutions per attribute*)

Audit Universe
  Basis
    Objective view of the organization taken from other sources ............ 6
    Audit's view of the organization, no formal reconciliation to an objective source ... 2
    Audit's view of the organization, reconciled to an objective source ..... 2
  Purpose
    Audit entity audit ......................................................... 6
    Basis for risk assessment .................................................. 4
Risk Rating Methodology
  Scoring
    Formal scoring model with weighting of risk categories ..................... 3
    Judgmental, based on risk factor and/or category ratings ................... 7
  Basis of rating
    Inherent risk .............................................................. 2
    Residual risk .............................................................. 8
Business Monitoring
  Process
    Formal (established process and outputs) ................................... 5
    Informal (process and outputs are ad hoc or inconsistent) .................. 3
    No business monitoring process (or very light) ............................. 2
Audit Plan
  Frequency
    4-year risk-based cycle .................................................... 6
    2-year risk-based cycle .................................................... 1
    Dynamic audit plan ......................................................... 2
    Annual, but intensity varied based on risk ................................. 1
  Products
    Dedicated portion of plan devoted to non-traditional products .............. 5
    Limited (or no) portion of plan devoted to non-traditional products ........ 5

* Attributes within a row are mutually exclusive (e.g., a formal scoring model and a judgmental approach do not occur within the same institution's approach).

A Sample Risk Assessment Framework (key considerations per step)
1. Define Audit Universe
   - Aligns to the organization, not to audits
   - Ensures completeness of risk coverage
   - Covers legal entities and local jurisdictions
2. Conduct Top-down Analysis
   - Uncovers issues impacting shareholder value
   - Links to strategic objectives
   - Identifies the most critical risks
   - Leads to targeted audits, horizontal audits and special projects
3. Conduct Bottom-up Risk Assessment
   - Risk unit priority based on inherent risk and control environment ratings
   - Ratings based on objective guidance judgmentally applied, not a mathematical model
   - Priority drives the frequency and level of intensity
4. Develop Audit Plan
   - Based on the prioritized audit universe, the top-down analysis, and local regulatory requirements
   - Multiple audit products
   - Coverage assessed against a risk priority matrix
   - Analyzed periodically
5. Audit Level Planning
   - Considers output of the risk assessment
   - Leverages documented business profile and cumulative knowledge
   - Focuses on risks assessed as high
   - Level of assurance based on risk category ratings
6. Continuous Risk Assessment and Monitoring
   - Encourages changes to the plan to focus on emerging risks
   - Mandates regular engagement with the business

Defining the Audit Universe (step 1)
The audit universe will:
- Align to how management views the organization
- Represent a complete and relatively static picture of the company, with multiple levels that can be aggregated and drilled down
- Be defined based on Management Committee accountable units to ensure ownership
- Be mapped periodically to other elements (e.g., legal entities, jurisdiction, HR organizational structure) to ensure completeness
Audit entities ("risk units"):
- Are defined at a level of granularity at which risk can be effectively identified, rated and monitored
- Do not necessarily map 1:1 to audits
Objectives:
- Rationalize the universe while ensuring completeness and consistency
- Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

Addressing Legal and Regulatory Requirements (step 1)
Legal entities/jurisdictions requiring an independent universe/risk assessment, with the risk unit impact rating for each (N/A = risk unit does not operate in that entity):

Risk unit               | Audit Universe | Global Markets International Limited (England) | State Street Management S.A. (Luxembourg) | International Fund Services Ireland Limited (Ireland)
Securities Finance      | Medium         | N/A                                            | N/A                                       | High
Global Human Resources  | Medium         | Medium                                         | Low                                       | Medium
Global Security         | High           | Low                                            | Medium                                    | Low
97 other risk units     | ...            | ...                                            | ...                                       | ...

Conducting a Top-Down Analysis (step 2): perform company analysis, develop value driver analysis, evaluate enterprise risk themes
1. Gather information. A research template will be used as a tool to gather the required information. The tool will highlight relevant points of information to use during the research process. Information will be collected and retained in a central location.
   a. Review external data: external data points such as SSC's website, company press releases, industry-related articles and reports will be utilized.
   b. Review internal data: the strategic plan, ERM output, compliance and regulatory reports, external auditor management letter comments, and high-risk SOX findings will be reviewed to extract significant risk themes.
2. Develop value driver analysis. Once information has been gathered, the cross-functional team will be able to review relevant information and collectively discuss themes and trends within the organization and industry. This information will be used to complete and update the Value Driver Analysis.
3. Understand and evaluate enterprise risk themes. Meet with key stakeholders to collaboratively discuss key themes and start to form assumptions around the risks associated with the key company initiatives and strategies. Brainstorm potential audit activities considering the risk themes identified and the overall management of risks.

Sample Value Driver Analysis (step 2): this sample value driver analysis depicts how a large bank creates value by showing the connection of strategic objectives to underlying activities in cause-and-effect relationships. (Figure not reproduced in the transcription.)

Evaluating Risk Unit Priority (step 3): assess inherent risk, assess control environment, determine risk unit priority
1. Assess inherent risk. Each risk unit's potential impact on the corporation will be assessed by considering the risk unit's inherent risk across risk categories.
   a. Risk categories will be rated relative to each other within that risk unit on a 0-5 scale.
   b. Risk category ratings will be determined judgmentally by considering (not rating) a series of risk factors for each category.
   c. Taking into account each risk unit's rated risk categories, the unit's impact on the entire corporation will be assessed across three dimensions (financial, reputation/brand, regulatory) on a three-point scale (high, medium, low).
2. Assess control environment. Each risk unit's control environment will be assessed by considering the control effectiveness and culture of the risk unit.
   a. Taking into account each risk unit's control effectiveness and culture, the unit's control environment will be assessed on a three-point scale (light, sound, robust).
3. Determine risk unit priority. Risk unit priority will be derived from a matrix of inherent risk and control environment.

Developing the Audit Plan (step 4) (figure not reproduced in the transcription)

Audit Level Planning (step 5)
Audit planning and scoping will:
- Consider the output of the risk assessment as outlined in SSCA's Audit Methodology and Guidance
- Leverage the documented business profile and cumulative knowledge of the risk unit's business strategies, objectives and risks
- Focus on risks assessed as high for the applicable risk unit
- Involve application of the three levels of assurance (testing, assessment, validation) based on risk category ratings
Objectives:
- Create a responsive, dynamic planning and risk assessment process
- Establish clear linkage among risk assessment, continuous monitoring and the audit plan to ensure appropriate coverage
- Empower auditors with the appropriate flexibility to decide the right product, at the right time
- Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

Continuous Risk Assessment and Monitoring (step 6)
Key attributes:
- The frequency and focus of all three processes below will be based on the priority and risks identified for each risk unit.
- There is a formal process for elevating and reporting the output from all three processes.
Benefits/attributes of each process:
Continuous risk assessment
  - Periodic update of the bottom-up and top-down risk assessment
  - Provides early warning of high-risk activities
  - Can trigger changes to the risk assessment and/or the audit plan
Continuous monitoring
  - Involves monitoring of KRIs and KPIs
  - Provides insights into current performance, changes, emerging risks, etc.
  - Can trigger changes to the risk assessment and/or an audit
Continuous auditing
  - Involves independent automated testing (e.g., use of CAATs)
  - Can detect control deficiencies
  - Can trigger and/or direct additional audit procedures
  - Findings require management response and remediation
Linkage to the audit plan: business/risk monitoring, as required by the audit frequency and intensity matrix, ideally entails a well-developed continuous risk assessment and monitoring process for each risk unit.
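The risk unit priority derivation from step 3 (judgmental 0-5 category ratings, a three-point impact and control environment rating, priority read from a matrix) and the continuous monitoring re-trigger from step 6 (a KRI breach that changes the rating and therefore the plan), written out as a working example. This is an added illustration, not the presenters' or State Street's code: the slides name the inputs but do not publish the matrix cells, so the priority matrix, the frequency/intensity pairing, the worst-dimension roll-up rule, the one-step control environment downgrade on a KRI breach, and all sample risk units, KRIs and observations below are assumptions constructed for this example.

```python
"""Risk-unit prioritisation with a continuous-monitoring re-trigger (added example).

Every matrix cell, rule and data value here is an ASSUMPTION made for illustration;
the slides describe the inputs and the matrix lookup but do not publish the cells.
"""
from dataclasses import dataclass

IMPACT_LEVELS = ("low", "medium", "high")       # three-point impact scale (step 3)
CONTROL_LEVELS = ("light", "sound", "robust")   # three-point control environment scale (step 3)

# ASSUMED priority matrix: (inherent impact, control environment) -> priority 1 (lowest) .. 5 (highest)
PRIORITY_MATRIX = {
    ("high", "light"): 5,   ("high", "sound"): 4,   ("high", "robust"): 3,
    ("medium", "light"): 4, ("medium", "sound"): 3, ("medium", "robust"): 2,
    ("low", "light"): 3,    ("low", "sound"): 2,    ("low", "robust"): 1,
}
# ASSUMED frequency and intensity matrix: priority -> (months between audits, assurance level).
# The three assurance levels are the ones the slides name; pairing them with priorities is assumed.
FREQUENCY_MATRIX = {5: (12, "testing"), 4: (18, "testing"), 3: (24, "assessment"),
                    2: (36, "assessment"), 1: (48, "validation")}


@dataclass
class RiskUnit:
    name: str
    category_ratings: dict    # risk category -> 0..5, rated judgmentally within the unit
    impact: dict              # "financial" | "reputation" | "regulatory" -> low | medium | high
    control_environment: str  # light | sound | robust


def validate(unit: RiskUnit) -> None:
    """Reject ratings that fall outside the scales the method defines."""
    for cat, score in unit.category_ratings.items():
        if not 0 <= score <= 5:
            raise ValueError(f"{unit.name}: category {cat!r} rated {score}, expected 0-5")
    for dim, level in unit.impact.items():
        if level not in IMPACT_LEVELS:
            raise ValueError(f"{unit.name}: impact {dim!r} is {level!r}, expected {IMPACT_LEVELS}")
    if unit.control_environment not in CONTROL_LEVELS:
        raise ValueError(f"{unit.name}: control environment not in {CONTROL_LEVELS}")


def inherent_impact(unit: RiskUnit) -> str:
    """Roll the three impact dimensions up to one level. ASSUMPTION: the worst dimension wins."""
    validate(unit)
    return max(unit.impact.values(), key=IMPACT_LEVELS.index)


def priority(unit: RiskUnit) -> int:
    """Step 3: priority is read from the inherent risk / control environment matrix."""
    return PRIORITY_MATRIX[(inherent_impact(unit), unit.control_environment)]


def build_plan(units):
    """Step 4: risk unit name -> (priority, months between audits, assurance level)."""
    plan = {}
    for unit in units:
        p = priority(unit)
        months, level = FREQUENCY_MATRIX[p]
        plan[unit.name] = (p, months, level)
    return plan


@dataclass
class KRI:
    unit: str
    name: str
    threshold: float  # an observation above this value is a breach


def apply_kri_breaches(units, kris, observations):
    """Step 6: a breached KRI downgrades the unit's control environment one step
    (ASSUMPTION: robust -> sound -> light) and the plan is re-derived.
    Returns {unit name: (old plan entry, new plan entry)} for units whose entry changed."""
    by_name = {u.name: u for u in units}
    before = build_plan(units)
    for kri in kris:
        value = observations.get((kri.unit, kri.name))
        if value is not None and value > kri.threshold:
            unit = by_name[kri.unit]
            idx = CONTROL_LEVELS.index(unit.control_environment)
            unit.control_environment = CONTROL_LEVELS[max(idx - 1, 0)]
    after = build_plan(units)
    return {n: (before[n], after[n]) for n in after if before[n] != after[n]}


def sample_units():
    """Constructed sample risk units (not any institution's real ratings)."""
    return [
        RiskUnit("Treasury operations", {"credit": 4, "market": 5, "operational": 3},
                 {"financial": "high", "reputation": "medium", "regulatory": "medium"}, "sound"),
        RiskUnit("Payroll", {"operational": 3, "compliance": 3},
                 {"financial": "low", "reputation": "medium", "regulatory": "medium"}, "robust"),
        RiskUnit("Identity and access management", {"operational": 4, "technology": 5},
                 {"financial": "medium", "reputation": "high", "regulatory": "low"}, "sound"),
    ]


def demo():
    """Build the initial plan, then feed one constructed KRI observation through monitoring."""
    units = sample_units()
    kris = [KRI("Identity and access management", "orphaned privileged accounts", threshold=10)]
    observed = {("Identity and access management", "orphaned privileged accounts"): 27}  # constructed
    return build_plan(units), apply_kri_breaches(units, kris, observed)


if __name__ == "__main__":
    initial, changes = demo()
    for name, (p, months, level) in initial.items():
        print(f"{name:32s} priority {p}  every {months} months  ({level})")
    for name, (old, new) in changes.items():
        print(f"KRI breach re-prioritised {name}: {old} -> {new}")
```

The matrix lookup is deliberately kept separate from the rating inputs: the ratings stay judgmental, as the framework requires, and the code only makes the consequences of a rating (frequency, intensity, and what a KRI breach changes) explicit and reproducible, so a reviewer can see why a unit moved in the plan.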

Open discussion

For more information contact:
Mike Brown, Senior Vice President, Internal Audit, State Street Corporation, 617-662-4626, mfbrown@statestreet.com
Rich Reynolds, Partner, PricewaterhouseCoopers LLP, 646-471-8559, richard.reynolds@us.pwc.com

Appendix: Root Cause Analysis of Large Market Declines. Source: The Future of Internal Audit, Corporate Executive Board, 2010. (Figure not reproduced in the transcription.)