Regulatory reform and the role of internal audit

Similar documents
Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

Metrics by design A practical approach to measuring internal audit performance

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

Investment Management: Rising to the Risk and Compliance Challenge kpmg.com

How quality assurance reviews can strengthen the strategic value of internal auditing*

July New Entrants: Charting the Health Industry s Risk and Regulatory Landscape Where Risk Meets Opportunity

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

Healthcare Internal Audit: In a Time of Transition

The Role of Internal Audit in Risk Governance

Hedge fund launch considerations Reaching new boundaries. Investment Management

The PNC Financial Services Group, Inc. Business Continuity Program

Dodd-Frank Act: Impact on Business and IT

What s Next for Stress Testing: Expect Surprises, Less Heroic Effort

Vendor Risk Management in the New Regulatory Environment. kpmg.com

The Importance of Credit Data Management

How to improve account reconciliation activities*

Third-party assurance optimization Value creation strategies for service providers

A&CS Assurance Review. Accounting Policy Division Rule Making Participation in Standard Setting. Report

The eight attributes. Delivering internal audit excellence as stakeholders expect more

Basel II, Pillar 3 Disclosure for Sun Life Financial Trust Inc.

Financial services regulatory compliance. Changing demands require the right perspective

A worldwide view Successful integration of global mobility programs

Guidelines on preparation for and management of a financial crisis

Risk governance: OCC codifies risk standards, paving the way for increased enforcement actions

Compliance & Internal Audit Collaboration

GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR NOAH GOTTESMAN

Project 2013 Customer Solution Case Study

FINANCIAL ASSESSMENT CRITERIA (The Assessment Criteria should be read in conjunction with OSFI s Supervisory Framework)

Simplifying the audit through innovation

Internal Audit Quality Assessment. Presented To: World Intellectual Property Organization

Developing a Free Credit Score Program. kpmg.com

A Closer Look The Dodd-Frank Wall Street Reform and Consumer Protection Act

BOARD OF GOVERNORS FEDERAL RESERVE SYSTEM

Internal audit value optimization for insurance organizations

FS Regulatory Brief. New reporting requirements for exempt reporting advisers Some practical considerations. Who is an exempt reporting adviser?

Benefits Administration: Should You Outsource or Manage In-House? As companies consider options, Health Care Reform may impact decisions

19/10/2012. How do you monitor. (...And why should you?) CAS Annual Meeting - Henry Jupe

DEFINING OUR ROLE IN A CHANGING LANDSCAPE

Managing Risk at Bank of America Corporation. Overview

Internal Auditing Guidelines

The heart of your business*

Establishing a Mature Identity and Access Management Program for a Financial Services Provider

IT GOVERNANCE WITH ROBERT GOODSELL, MANAGING DIRECTOR JOE BRUTSCHE, DIRECTOR

Regulatory Practice Letter December 2012 RPL 12-24

Supporting Statement for the Recordkeeping and Reporting Requirements Associated with Regulation Y (Capital Plans) (Reg Y-13; OMB No.

FFIEC Cybersecurity Assessment Tool

Transforming risk management into a competitive advantage kpmg.com

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

EMBEDDING BCM IN THE ORGANIZATION S CULTURE

IT Workforce snapshot

The Framework for Quality Assurance

Re: FINRA Regulatory Notice 13-42: FINRA Requests Comments on a Concept Proposal to Develop the Comprehensive Automated Risk Data System

fs viewpoint

Enterprise Release Management

Compliance Risk Management Survey A Point of View

When should becomes shall

Navigate the regulatory maze

Moving Internal Audit Back into Balance

ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014

Rethinking contingency planning for an integrated world

Summary. Background and Justification

PwC Perspectives CFPB s Integrated Mortgage Disclosures under RESPA/TILA Know Before You Owe Introduction Background of Know Before You Owe

Surviving Contact with Reality Crisis exercises as a key element of cyber incident and crisis management response.

IIROC Priorities

Organization transformation in times of change

Attracting pension plan assets What alternative investment managers need to know

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

Statement by. Ben S. Bernanke. Chairman. Board of Governors of the Federal Reserve System. before the

BOARD OF AUDITORS ANNUAL REPORT TO THE BOARD OF GOVERNORS

How To Write An Impactful Audit Report

SEC auditor independence considerations

Private Fund Advisers: Compliance Oversight of Third-Party Administrators

2015 GLOBAL ASSET MANAGEMENT SURVEY

REGULATORY COMPLIANCE SERVICES

Vendor Management. Minimizing Value Leakage. Deloitte Consulting LLP. November 19, 2013

Communications. How to complete the M&A integration process, minimize disruptions, and achieve desired synergies.* *connectedthinking

Housing Association Regulatory Assessment

New CFPB mortgage servicing rules present significant challenges for mortgage servicers

2012 Audit Plan. Finance, Audit and Facilities Committee Board of Regents. November 2011 ATTACHMENT

Building HR Capabilities. Through the Employee Survey Process

Ready, set, FATCA: How the new rules will affect insurers, and why early action is the best policy July 2011

Driving Records & Information Management Transformation: Enabling program adoption

The Compliance Universe

2015 Trends & Insights

Real Property Portfolio Optimization

PwC Advisory Internal Audit. PricewaterhouseCoopers State of the internal audit profession study: internal audit post Sarbanes-Oxley*

Internal Control Strategies. A Mid to Small Business Guide

Vendor Compliance Management Series: Performing an Effective Risk Assessment

FCA Thematic Review Delegated Authority: Outsourcing in the General Insurance Market

On-Site Examination Policy for Fiscal Examination Policy for Fiscal 2016" briefly reviews on-site examinations carried out in

KPMG s National Broker-Dealer Practice Survey Results

Morgan Stanley IDI Resolution Plan

Managing specialty finance compliance requirements with a compliance management system

Audit of the Test of Design of Entity-Level Controls

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

The Future of Investment Compliance for Asset Owners: The Next Great Transformation

Lifting the fog* Accounting for uncertainty in income taxes

Transcription:

At a glance The near collapse of the world economy triggered regulatory reforms with the power to fundamentally change how financial services organizations do business. Regulatory reform and the role of internal audit As the financial services industry responds to an unprecedented level of evolving regulatory reform, internal audit functions must adapt to meet the challenge. Today's environment presents internal audit with a unique opportunity to position itself as a trusted advisor to the audit committee and management while meeting the expanding expectations of regulators.

1 Internal audit functions have a unique opportunity. The last time the United States implemented financial regulatory reform on par with what's happening in this decade was in the 1930s, following the Great Depression. Today's sweeping changes are practically unprecedented and continue to evolve. They're creating myriad business challenges as well as a chance for internal audit to enhance its value proposition. What's at stake? The financial services industry faces its most significant regulatory reforms since the Great Depression. The Dodd-Frank Wall Street Reform and Consumer Protection Act, Solvency II, Basel III, and other new regulations present challenges that transcend compliance. They are causing financial services companies to reconsider significant business and operating strategies. To date, reaction varies among the companies most affected, with the largest financial services institutions taking the most active approach in addressing regulatory reform. The nation s largest banks, investment banks, and other financial institutions are out in front of the rule making, actively reviewing the proposals, commenting on the anticipated effect on their respective business lines, and creating project plans to execute the required changes. Many of the largest organizations have set aside hundreds of resources and have created detailed project governance structures with proactive involvement of business line leaders, compliance and legal professionals, and other support functions. The graphic below shows a typical regulatory reform governance structure. It highlights the resources organizations are expending to comply with the rapidly changing regulations in the financial services industry. Risk/Compliance Steering Committee PMO People Working Group 1 Working Group 2 Strategy Working Group 3 Working Group 4 Operations/IT

2 As financial regulators begin to push out the final rules associated with Dodd-Frank and Basel III, among others, the business focus is changing from reviewing proposed rules and assessing the impact on the business to implementing the required changes by identifying and executing specific projects. Internal audit can play a significant role in enhancing management's action plans to increase the likelihood of success. Role of internal audit As institutions begin executing their implementation plans, internal audit has a unique opportunity. It may strengthen or even reposition its organizational relevance by providing timely, valuable, and meaningful insights and perspective as management works toward successful completion of the changes required by the new regulatory program. To capitalize on this opportunity, internal audit should take maximum advantage of its unique vantage point and unrestricted access across all aspects of the organization. Playing an active part To help internal audit organizations avoid being surprised by the breadth of regulatory change, leading internal audit teams in large, midsize, and small institutions are becoming increasingly engaged in developments on the regulatory front. Based on input from a number of leading financial services clients, we've learned that most internal audit functions believe they are expected to and should play a role in understanding the changes that are being implemented throughout the organization. But there's no consensus regarding how active its role should be. And while a majority of our clients say they should have a role in regulatory reforms, few acknowledge having a plan, the resources, or necessary knowledge to cover those regulatory reforms that will have the greatest effect on the financial services industry. Seizing the opportunities of regulatory reform The size and business scope of an institution will dictate the degree to which regulatory reform affects it. Global institutions will face the full force of multiple regulatory regimes all flexing their muscles in response to the financial crisis. Smaller, domestic institutions will carry a lesser burden, but will still be subject to a myriad of new regulatory expectations. Regardless of the scope of the regulatory reforms an institution faces, internal audit can position itself in several important roles. It will support multiple stakeholders as an objective monitor and assessor of the implementation efforts for the audit committee, executive management, and the regulators. In addition, through the development of a deep understanding of the changing environment and the organization's planned actions, internal audit can also serve as a trusted advisor to management. The first step for internal audit as it establishes its role in regulatory reform is to connect with the broader organizational efforts. Internal audit should consider creating an "internal audit regulatory reform response team." This team would align with the various workstreams and committees of the regulatory reform program to gain insights into the organization's approach, priorities, and challenges. With its insights, internal audit may better understand risks associated with the regulatory reforms to prepare a risk-based coverage plan.

3 Internal audit should also consider the following as it establishes its role in regulatory reforms: Positioning Understand the expectations from internal audit's major stakeholders (i.e., board, management, and regulators). Positioning Risk assessment and coverage plan Develop a coverage plan to address stakeholders' expectations and internal audit s mandate. Risk assessment and coverage plan Methodology and people Methodology and people Determine and address the impact of the coverage plan on internal audit's methodology and people. Positioning Internal audit functions have broad visibility and a mandate that cuts across the entire organization, enabling internal audit to provide insights and perspective which will aid management as they address significant challenges and risks. Considering the pervasive effects regulatory reform will have on financial institutions, internal audit has never had a better opportunity to demonstrate its true value. To do so, internal audit must use its understanding of the expectations of its stakeholders and align its coverage plan to meet: Board expectations The audit committee and other board members will naturally look to internal audit to be their eyes and ears to help assess the assertions made by management. They will be sought out to evaluate whether changes to the business and operations stemming from regulatory reforms are being implemented completely and accurately. Management expectations Management will also look to internal audit for advice on internal control matters, especially as they relate to new businesses and new processes as they are rolled out. Internal audit can also provide objective assurance on the progress of the changes to processes that support compliance with regulatory reforms. And it can be an effective sounding board by challenging management s approach to decisions and project management processes. Regulatory expectations Internal audit will be expected to provide coverage of the regulatory reform program. As regulators are stretched because of their own organizational changes and expanded mandates, they are frequently expecting to rely on the work of internal audit to assist them in making assessments of the organization's adherence with the new requirements. Risk assessment and coverage plan Internal audit should evaluate its current risk assessment process to incorporate regulatory reforms. It should also develop a risk-based coverage plan that addresses the most pressing challenges of the organization and aligns with the expectations of its stakeholders. This requires proactive discussions with the audit committee and management to understand their concerns and priorities and develop a plan that addresses them. Internal audit departments may also need to set aside extra time for

4 unexpected events and special requests in 2012 and 2013 as a result of the anticipated impacts of regulatory reforms. Some factors to consider when developing a risk assessment and coverage plan include the following: Risk assessment Internal audit should revisit its risk assessment framework to determine the adequacy of regulatory risk coverage and whether enhancements are needed. Temporary changes may be needed in the risk assessment framework to cover greater risk during reform implementation. The new realities of doing business in the regulatory regime may require more permanent changes. Changes to the risk assessment framework must consider regulatory reforms on a global basis and address the extraterritorial nature of regulatory regimes (e.g., the effect of the Volcker Rule on foreign banking entities). Internal audit should consider updating the risk and controls matrices (if used) for regulatory reform-driven changes in processes, risks, and controls. Coverage plan Strategy and governance: Evaluate the organizational strategy and governance structure to identify, assess, interpret, and implement regulatory reforms across the organization. Assess the effectiveness of the program management office in managing change across the entity. Rule-based coverage: Perform pre-implementation and parallel reviews that focus on assessing the effectiveness of the process and system implementation plans in addressing the critical rules and requirements. Internal audit should consider building rule-specific coverage plans (e.g., Volcker, over-the-counter derivatives, recovery and resolution) to assess the changes being implemented in the business areas. Additionally, internal audit should consider performing readiness reviews to assess the organization's preparedness to meet the Consumer Financial Protection Bureau's (CFPB) examination standards. Rule Based Coverage Strategy & Governance OTC Derivatives Volcker Rule Recovery & Resolution Stress Testing Compliance CFPB IT Operations Business as Usual Audits Functional / Process Based Coverage Functional/process-based coverage: Assess functions/processes preparedness to respond to the various regulatory changes affecting the business area (e.g., effectiveness of the risk management function in establishing compliance with the business conduct standards established for the major swap participants, mock CFPB examination). In addition, conduct periodic reviews of the completeness and accuracy of PMO management reporting on implementation progress.

5 Business-as-usual audits: Assess the impact of regulatory reforms on the business-as-usual audits for critical processes (e.g., market, operational, and risk management; trading and settlement; annual stress testing) and perform additional procedures as necessary. This assessment should include measuring the effect on the business strategy, systems, and procedural changes that will result from the regulatory reforms. Regulatory rule making is a fluid process. Internal audit s plan should allow for flexibility to respond to changes in the rule-making process and ultimately the implementation timeline. The timeline that follows represents example audit areas to consider while developing the risk-based coverage plan. Initial phase As rules are implemented Ongoing Strategy and governance Reform strategy review Central PMO governance review Rule-based coverage OTC derivatives Record keeping and reporting Position limits Registration requirements SEFs End-user exemption Volcker Rule Record keeping and reporting Compliance program Extraterritorial application Functional / Process Reviews Compliance function review CFPB readiness reviews and mock regulatory examinations IT governance Regulatory reporting New product development Rule-based coverage (Cont d) Recovery and resolution Scenario planning Stress testing Capital and liquidity impact OTC derivatives Investment of customer funds Business conduct standards Rule-based coverage (ongoing) OTC derivatives Clearing and settlement process Recovery and resolution planning Annual reporting Volcker Rule Annual compliance testing Business as usual audits Methodology and people Internal audit should also consider the impact of the regulatory reforms on its core processes, methodology, and people. Key areas for consideration follow. Methodology An internal audit team's methodology considers the risks the institution faces and the way management controls these risks. Flexibility in the methodology allows for changes to meet the demands of regulatory reform. Continuous monitoring Many internal audit functions are beginning to use continuous monitoring processes in a meaningful way to keep track of the emerging risks in the organization and their effect on the audit plan.

6 Given the extensive nature of the regulatory reforms, internal audit may consider adapting its continuous monitoring process to identify the effect of regulatory risk and consider it while periodically updating the audit plan. Continuous monitoring efforts also can be tuned to identify additional stresses in existing processes as resources are redirected to address the regulatory reforms. Continuous auditing As internal audit is assessing new risks associated with regulatory reforms, it will be considering how best to audit these new risks. Using data analytics and continuous audit techniques should be a prime consideration. Now more than ever, this use of technology in the audit process may allow internal audit to address the new risks in a more efficient way. Internal audit reporting Critically assess whether current reporting channels to the audit committee and management are adequate and provide a consolidated view of regulatory reform activities based on the audit coverage. Internal audit may also consider sharing through its reports leading practices across workstreams, issues noted in its reviews, and follow-up on the implementation of management action plans. In addition, internal audit may consider enhancing its reporting on issues to include not just its own action plans, but also the plans associated with regulatory examinations, SOX, and risk and control self-assessment. Internal audit can request regulatory reform-focused meetings with the audit committee to establish clarity regarding expectations and provide a thorough assessment of the organization s reform program. Clear documentation of internal audit's work on regulatory reform-related areas can improve the likelihood of reliance by regulators. People Performing a skill set assessment and gap analysis can help to identify the skills and training required to execute the enhanced coverage plan. Internal audit should focus on: Audit teams affected by the reform activities In the short term, risk, corporate, and capital markets audit teams are expected to face the most stringent demand for resources. Internal audit should consider short-term staffing solutions, which may include guest auditors and co-sourcing, and a long-term staffing plan to address resource needs. Knowledge management program Develop a program so internal audit staff members are knowledgeable about the aspects of regulatory reform that affect the institution. This may include additional training, where necessary, to improve audit's ability to provide value-added audit coverage. Also, keep staff members current on the status of the institution's remediation program, and encourage enhanced communications among team members to identify company issues.

7 Bringing it all together The following graphic shows a summary of short-term take-aways and action items for internal audit as it establishes its role in regulatory reform and creates its coverage plan. Short-term focus for internal audit Start now Get involved Create internal audit regulatory reform response teams Set up liaison teams in each business and functional areas Understand and assess organization s reform strategy and approach Understand stakeholders expectations Establish and communicate expectations Provide real time advice and counsel on control matters Develop and execute coverage plan Develop risk-based coverage plan Execute PMO and governance reviews Begin rule-based coverage that coincides with the rule making timeline Focus on priority areas such as OTC, Volker rule, recovery and resolution, mock examination, etc. Manage effect on internal audit methodology and people model Revisit risk assessment process for changes in the organizational risk profile Update audit universe, risk and control libraries Assess skill set gap and develop plan for acquiring required skills Develop knowledge management programs for internal audit Review existing reporting protocols How PwC can help with positioning, risk assessment and coverage plan, and methodology and people As regulatory reforms develop and take shape, internal audit teams have an opportunity to elevate their value and relevancy to management and the audit committee. To remain relevant, internal audit must stay abreast of the changes from a regulatory perspective and be aware of how peer organizations interpret the regulatory reforms and implement the processes and controls necessary to comply. As discussed, internal audit will need to focus on positioning, the risk assessment and coverage plan as well as methodology and people. PwC can assist internal audit functions by: Positioning Assisting chief audit executives (CAEs) in establishing and messaging the role of internal audit in the regulatory reforms within the organization Assisting the CAE in enhancing internal audit reporting to its stakeholders (audit committee, management and regulators) to highlight internal audit's regulatory reform coverage Performing an analysis of gaps in company and internal audit regulatory reform programs and identifying areas for improvement

8 Risk assessment and coverage plan Assisting CAEs in revisiting and updating internal audit's core processes such as audit universe, risk assessment, and continuous monitoring programs for adequate regulatory coverage and seamless transition from project to business as usual Assisting CAEs in developing a risk-based internal audit plan to cover regulatory reforms within the organization Assisting internal audit in performing strategy and governance reviews of the organization's regulatory reform program for effective ongoing program management Performing a regulatory reform risk assessment to identify areas of focus for internal audit Performing readiness reviews to assist the organization in identifying and remediating the gaps that may be the focus of a CFPB examination Performing mock regulatory examinations after processes and controls are in place (e.g., OCC, Securities and Exchange Commission, Federal Reserve, CFPB) to help the organization prepare for eventual regulatory examinations Co-sourcing or outsourcing with the internal audit function to execute the regulatory reform internal audit coverage plan Methodology and people Assisting CAEs in evaluating skill sets necessary to adequately cover regulatory reforms, performing gap analysis against existing skill sets, and developing a short- and long-term resourcing plan to address gaps Providing ongoing training to the internal audit function and the broader organization on the proposed and final rules being issued by the various regulatory authorities and the market responses

9 Contacts: Doug Watt Partner, Banking and Capital Markets (203) 570-4761 doug.watt@us.pwc.com Abhinav Aggarwal Principal, Financial Services Internal Audit (646) 471-0820 abhinav.aggarwal@us.pwc.com Carmine Spinelli Managing Director, Financial Services Internal Audit (646) 471-8104 carmine.spinelli@us.pwc.com Leslie Hawkes Director, Financial Services Internal Audit (646) 831-7806 leslie.j.hawkes@us.pwc.com

pwc.com 2012 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. This document is for general information purposes only, and should not be used as a substitute forf consultation with professional advisors.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information