Financial Services Internal Audit: What's on the horizon? kpmg.co.uk




Contents

- Introduction
- Information Security
- Integrated Assurance: any gaps in the plan?
- Change portfolio: is your change portfolio fit for purpose?
- Business continuity, disaster recovery and business survival: can you cope with a crisis?
- Financial Crime (incl. Anti-Bribery and Corruption (AB&C)): are you covered?
- Capital and Liquidity Management: do you have enough to get by in a squeeze?
- Corporate Governance: how does it fit together?
- Regulatory conduct preparedness: how are your plans and progress reporting?
- Credit Risk and Impairment: how is your coverage and accuracy of systems and reporting?
- Solvency II: does the insurance industry have sufficient capital to cover its risks?
- Outsourcing and Third Party Management: are we still managing the risk effectively?

Introduction

Being nimble is a critical attribute for all Financial Services Internal Audit teams. There is an ongoing responsibility to survey the landscape for new, or heightened, risks and to ensure that scarce resources are directed to the areas that matter most. 2012 brings with it a powerful combination of factors that mean the ability to adapt is more important than ever. Economic uncertainty, the fragility of the technology on which we depend, the search for new ways of working to drive efficiency, new market and product opportunities, regulation, human behaviour and the pace of organisational change are all contributing to the increased velocity of emerging risks that can threaten business stability.

With this in mind we have pulled together a summary of common risks shaping how Financial Services Internal Audit teams are looking at their future plans. Teams are also challenging established operating models to re-define how they provide assurance and add value to the organisations they serve. The areas being targeted include:

- Flexibility: The world is changing at a phenomenal pace. Internal audit plans must be regularly reviewed and challenged to ensure they remain relevant. If a plan looks the same as it did 12 months ago, alarm bells should be ringing.
- Effective challenge: Internal audit must be the control conscience of the organisation. The team should be clear in articulating what is needed from an assurance perspective and make sure its voice is heard, encouraging debate and securing the right resource and specialist skills.
- Refresh: Teams are taking a fresh look at their integrated governance, risk and control frameworks. Are roles clearly defined, and do activities fit seamlessly? Assurance mapping is just one example: do you have a clear picture of how all of your assurance activities are working together?
- Engage: Internal audit has a unique opportunity, and responsibility, to identify emerging risks and support the board and risk teams as part of an effective, integrated governance, risk and assurance cycle. Now is not the time to be a bystander.
- Innovate: With demands to do more for less, innovation is key. Enhanced self-assessment processes and detailed control surveys are two examples. Embedding more and better use of technology is becoming the norm, ranging from data analytics to continuous audit initiatives.
- Be brave: Assurance spend must be managed efficiently, just as in any other part of the business. However, when resource and budget constraints become the primary driver of assurance activity, something is wrong and concerns must be raised.

The ongoing global turbulence and sheer velocity of business change mean some of the issues faced may be new and uncharted, but the responsibility is no different: Internal Audit must support the strategic and risk management teams to understand the consequences of today's and tomorrow's business operations, what might go wrong and where Internal Audit can best support business objectives.

Anthony Kennedy, Partner, UK Head of Financial Services Internal Audit

Information Security

Threats to information security are more sophisticated and are emerging faster. Organisations and individuals are now being specifically targeted for attack, with motivations ranging from organised crime to political beliefs. This, combined with the pace of change and the adoption of new technologies, makes all things IT an imperative.

- Data leakage: have you classified data according to its sensitivity, and can you identify where all your data is and who has access to it? Think about how the business is protecting itself against data leakage incidents, monitoring to detect where they may have occurred, creating effective incident response processes and updating its approach when a new threat arises.
- New technologies: cloud computing, server virtualisation, increasing use of social media, near field communication and micro-payment systems are racing forward. Have you identified the risks and audit needs associated with a new technology, planned or recently implemented, for example: security; maintenance; vulnerability; contamination; backup/recovery?
- Understanding your specific cyber threat: internal audit must consider the specific threat; does your industry, profile, nature of operations or relationships put you at a higher risk? If the answer is yes, direct the audit plan to focus on security.
- Skills and resources: IT risks are complex and mercurial. Assurance has to be in place, delivered by teams with the right skills. Leaving black holes in the audit plan because of potential skills gaps must be avoided.

Integrated Assurance: any gaps in the plan?

Do you have a clear picture of how well assurance activities are working together? Mapping out the different sources of assurance will help you challenge the status quo. The growth of the remit of Compliance and Risk has led to certain Internal Audit activities being challenged.

- How do the three Lines of Defence operate together?
- How do you know that there aren't significant levels of assurance duplication?
- Are you comfortable that there are no gaps in your current overall assurance coverage?
- Are stakeholders confident that risks are being managed and reported on effectively and that critical obligations are being met?

An assurance mapping exercise will provide a coordinated view of your assurance providers and introduce frameworks which promote closer working relationships, common goals, efficient coverage and consolidated reporting.

Change portfolio: is your change portfolio fit for purpose?

It is an unprecedented time of change within the financial sector. For a business to meet its strategy, it is therefore key that its change portfolio, and the programmes and projects within it, are set up and managed appropriately.

- How is the portfolio of change managed? Who is involved, on what basis are prioritisation decisions made, and how is progress reported to senior management?
- Are risk management principles sufficiently embedded and demonstrated?
- Is there a defined programme/project management methodology in place? How rigorously is this adhered to, and how are exceptions flagged and investigated to satisfactory resolution?
- To what extent are the benefits of change projects measured and communicated to senior management?
- How is change resourced, including the use of internal and external resource, and also the internal audit team reviewing change?
- What technology is used in undertaking and monitoring change projects? How user friendly is this?
- How does Internal Audit collaborate with others?

Business continuity, disaster recovery and business survival: can you cope with a crisis?

Constant change is today's norm, but are those changes reflected in existing and new business and IT service continuity arrangements? In planning audit work there is a broad range of considerations.

- Is your business impact analysis good enough? Does it adequately determine business critical processes and functions, their critical dependencies, partners and recovery timescales?
- Have plans been adequately tested?
- Have you covered all the angles: legacy infrastructure, a growing technology estate and new technologies such as Cloud?
- Are all group operations and different parts of the business fully aligned?
- Has crisis management been tested to restrict reputational damage?
- Has the business identified and worked with its critical partners? Ask suppliers for evidence of their testing plans.
- When looking at business continuity, consider more extreme disruptions, for example rioting, regime change and extreme natural disasters.
- Is an industry recognised approach to business continuity management being followed (e.g. BS 25999)?

Financial Crime (incl. Anti-Bribery and Corruption (AB&C)): are you covered?

Firms continue to invest in improving their anti-fraud controls, including incorporating AB&C controls to meet the requirements of the UK Bribery Act 2010, effective from 1 July 2011, yet the level of internal and external fraud is still rising.

- Has the business mapped the fraud threat landscape against a changing controls environment? Has the exercise been reviewed to incorporate AB&C requirements?
- Is the business aware of, or in denial of, the risk? Is there a fraud risk management strategy?
- Have you reviewed the existence and adequacy of the fraud policy, staff training and awareness, and the fraud reporting structure?
- Do you include fraud risks in all audits and pull together a fraud risk picture as part of progress/annual reporting?
- Has restructuring of areas such as finance exposed controls to weakness or breach? Are fraud related roles clear?
- How robust and embedded is the programme in place to manage AB&C risks? Do contracts with third parties and suppliers contain the appropriate AB&C clauses?
- How confident are you that your Anti Money Laundering (AML) controls are aligned to regulatory requirements and operating effectively, including AML reporting?

Capital and Liquidity Management: do you have enough to get by in a squeeze?

The unprecedented events of the global financial crisis have led to a worldwide tightening of credit lines and an increasing level of information demanded by regulators. There is a general drive towards understanding exposures and calculating the associated liquidity and capital needs.

- How robust is the link between credit risk and capital requirements? Are you compliant with Basel II?
- What is the current role of Internal Audit in the ICAAP process? Are ratings and capital calculation models fit for purpose?
- How prepared are you for Basel III implementation and the requirements of the Independent Commission on Banking?
- Is your stress testing aligned with your peer group?
- How robust is your Individual Liquidity Adequacy Assessment (ILAA) reporting?
- How advanced/effective is your Recovery and Resolution Planning? What is the role of Internal Audit in this process?

Corporate Governance: how does it fit together?

Turner, Walker, the FRC and the Independent Commission on Banking: several independent bodies, all highlighting weaknesses in Corporate Governance. In the light of the worst global recession for almost 100 years, governments, regulators and the public alike are asking where it all went wrong.

- What are the composition and skills of the Board? Are these evaluated annually?
- Are independence issues fully investigated and appropriately disclosed?
- Is succession planning effective?
- How are NEDs inducted? What knowledge and skills are they equipped with? How are they remunerated? Is there clear evidence of challenge?
- How does the Board Committee structure (including Sub-Committees) work? Is there transparency in reporting lines, responsibility and accountability? Is this effective and up to date?
- How are strategic goals defined, resources allocated and expectations managed?
- How effective are Risk Management and Internal Control processes?
- Are you aligned to the FSA Remuneration Code?

Regulatory conduct preparedness: how are your plans and progress reporting?

The global regulatory regime is experiencing unprecedented change, nowhere more so than in the UK. Against this backdrop the Financial Conduct Authority is being established (2013) and a series of policies are being released with which firms will be required to comply.

- Are you familiar with the timetables of AIFMD, UCITS IV, the Retail Distribution Review, FATCA, MiFID, MMR and Client Assets?
- Are you ready to assist a more intrusive regulator with their enquiries? Is your MI accurate, timely and complete?
- What independent assurance is Internal Audit providing regarding the preparedness of your organisation to meet these new requirements? What is the extent of your role? Are you consulted as plans progress?
- Is your progress reporting timely and correctly focused?
- Is your existing Internal Audit coverage of conduct issues sufficient, covering sales, customer targeting, TCF, the effectiveness of the Compliance function, etc.?

Credit Risk and Impairment: how is your coverage and accuracy of systems and reporting?

From the micro level (the ability of individuals to repay loans) to the macro level (the threats to sovereign debt within the EU), credit risk is increasingly becoming a key driver in business strategy, exacerbated by the direct link to capital requirements under Basel III and Solvency II.

- What does credit risk mean to your organisation? Does this cover retail, commercial and wholesale risks?
- What MI and training is provided to senior management in this area?
- What kind of measures are used to capture and monitor wholesale counterparty risk? Do these include primary and market sensitive indicators, and are all deposits and derivatives of subsidiaries covered? How timely is this measurement?
- Is the Board aware of the scale of forbearance activities and the possible impact on arrears and provision balances?
- How involved is Internal Audit in reviewing impairment processes? Can management be confident in the accuracy of arrears and impairment data? Are models fit for purpose?

Solvency II: does the insurance industry have sufficient capital to cover its risks?

The goal of Solvency II is to create a risk-based solvency regime for the insurance industry, consistently applied throughout Europe. The first wave of implementation is scheduled for 1 January 2013.

- Is Internal Audit geared to fulfil its role in the drive for implementation and embedding?
- What is the nature of Internal Audit involvement in Pillar I calculations: data integrity, capital model reviews, stress and reverse stress testing, etc.?
- How robust is the change programme to support Solvency II activity? Are systems and governance structures embedded and fit for purpose?
- Is Internal Audit independently assessing Pillar II processes, including how the organisation has calculated its Own Risk and Solvency Assessment (ORSA), particularly challenging the completeness of the risks faced and compliance, on a continuous basis, with capital requirements and technical provisions?
- Are Pillar III disclosures consistent (private and public reporting), timely and complete, and is analysis undertaken to align them with wider financial reporting?

Outsourcing and Third Party Management: are we still managing the risk effectively?

The increasing globalisation of business has led to a significant volume of outsourcing and use of third parties, typically including off-shoring of support functions.

- Is there adequate understanding of the risks of outsourcing and offshoring? Have these circumstances been factored into the work of assurance providers, including the Internal Audit plan? Are you brave enough to de-scope immaterial areas?
- How do you assess third parties' risk management and regulatory compliance systems and controls? Is there a role for ISAE 3402/3000?
- Do we know which third parties we are doing business with? Have we run all required background checks and investigated results to satisfactory resolution? Are suitable contracts in place?
- Are we compliant with SYSC 8 requirements, and can we clearly demonstrate this ongoing compliance, including reporting to Executive Management?
- What is the strategy for third parties? Are there clear lines of accountability and responsibility when dealing with third parties?
- How effectively are controls operated across Procurement, Finance, Risk, HR and Operations?
- If you are an outsourcer, how do you manage client reviews?

If you have any questions, please feel free to contact any of the below:

Anthony Kennedy, Partner, UK Head of Financial Services Internal Audit. T: 020 7694 2875, M: 07780 957 561, E: anthony.kennedy@kpmg.co.uk
Richard Gabbertas, Partner, FS Internal Audit, Head of Regions. T: 0113 231 3123, M: 07802 615 002, E: richard.gabbertas@kpmg.co.uk
David Fineberg, Director, Internal Audit, Banking. T: 020 7311 6191, M: 07824 378 244, E: david.fineberg@kpmg.co.uk
Katie Clinton, Director, Internal Audit, Insurance. T: 0161 246 4480, M: 07904 102 250, E: katie.clinton@kpmg.co.uk
Amir Sethu, Director, Internal Audit, Insurance. T: 020 7311 4188, M: 07720 718 466, E: amir.sethu@kpmg.co.uk
Richard Scott-Hopkins, Director, Internal Audit, Investment Management. T: 020 7694 2623, M: 07770 393 462, E: richard.scott-hopkins@kpmg.co.uk

www.kpmg.co.uk

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. Printed in the United Kingdom. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.

RR Donnelley | RRD-266844 | March 2012 | Printed on recycled material.