Banking and Financial Services Internal Audit Group - Chartered

Deloitte UK screen 4:3 (19.05 cm x 25.40 cm)

© 2013 Deloitte LLP. All rights reserved.

Banking and Financial Services Internal Audit Group Hot topics for 2014 Audit Planning Lunch Time Seminar

10 September 2013

Alana Thorne, Director

[email protected]

+44 20 7007 8479

Chit Ghee Yeoh, Associate Director

[email protected]

+44 20 7303 2882

mailto:[email protected]




Agenda

2

Introduction

• Impact of the code on internal audit functions and understanding the drivers for

change

• Key changes as a result of the code and impact on audit planning

Hot topics for 2014 planning

• A summary of key hot topics

• Industry topics

• Methodology topics

• Deep dive into new and uncomfortable areas of change

Questions



Introduction Impact of the code on internal audit functions

3

Internal Audit in Financial Services

The Committee on Internal Audit Guidance for Financial Services has issued its

Recommendations for Effective Internal Audit in the Financial Services Sector. This

demonstrates there is and will continue to be increased challenge of and visibility upon

Internal Audit – the bar has been raised. Regulators will look to rely on Internal Audit

creating an opportunity for Internal Audit to demonstrate its relevance and importance in

protecting the assets of a company.

Areas of significant challenge to many audit functions (and applicable to all) include:

• Positioning within the organisation: Internal Audit reporting line to the Chair of the Board

Audit Committee. Secondary reporting lines should be to the CEO;

• Employing significant professional judgement;

• An outcomes-based approach; and

• Resourcing.

Emerging best practices

• Strong communication and consistent language with risk, compliance and finance functions

• Responding to resource challenges

• Auditing culture

• Harnessing the power of data

• Building trust with the regulators

• Quality assurance


© 2013 Deloitte LLP. All rights reserved. 4

Internal Audit Hot

Topics

‘New and

uncomfortable’

•Governance

•Culture

IA processes

• Assessing skills and

capabilities

• Holistic opinions

and IC environment

• Data analytics

Regulatory

• Conduct risk

• Regulatory reporting

• Financial crime

• Client assets

Risk management

• Risk frameworks

• Risk appetite

• Risk data

aggregation

Capital and liquidity

• RWA’s

• Model risk

management

• CRD IV

• Liquidity

Trading

•Unauthorised trading

•Indices and

benchmarks

•High frequency

trading

Accounting and tax

• Loan loss

provisioning

• Tax risk

management

IT

• Resilience

• Third party

management

• Payment services

Hot Topics for 2014 planning Current planning agenda



2014 Industry Topics

Planning considerations

5

Topics Consideration for Internal Audit

New and uncomfortable

Governance

Culture

• Governance: assessing the structures, processes and controls to manage a

business

• Culture: how processes, actions and tone at the top align with the values and

behaviours of the business

Risk management

Risk framework

Risk appetite

• Assessing how a risk or group of risks are managed across a Group or

business

• How risk management is linked to strategy

• Aggregation of risk data and MI

Risk data aggregation

• How data management measures up against the BCBS principles for

effective Risk Data Aggregation and Risk Reporting.

Capital and liquidity

CRD IV

RWA

Liquidity

• Readiness/ compliance with new requirements (Internationally agreed

standards on capital and liquidity – Basel III) effective 1 January 2014.

• Completeness, accuracy and integrity of source data inputs and calculated

RWA outputs.

• Board and senior management oversight

• Policies, procedures and limits (e.g. stress-testing)

• Risk measurement and monitoring.

Model risk management • Design and development of model governance and model validation.

Trading

Indices and benchmarking

• The spotlight is starting to shine on other indices (aside from LIBOR),

benchmarks and wider price setting processes that banks contribute to.

• A focus on reviewing submission processes against definitions and best

practice.





6


Trading

Unauthorised trading

• Assurance over controls to capture and report unauthorised trading

• The firm’s culture and attitude towards unauthorised trading

High frequency trading • Assurance over trade execution controls given recent glitches and failures in

high frequency trading

Accounting and Tax

Tax risk management

• Tax strategy and tax governance arrangements

• Alignment of tax strategy to wider business strategy

Loan loss provisioning

• Identifying and recognition of loan loss provisioning

• Controls over the functioning of the model

• Reporting and disclosure requirements

IT

Third party

management

• Third party/ out-sourced partners relations

• Data security risk

Resilience • Business continuity and disaster recovery processes

• Resilience controls and processes

Payments • Payment services regulation compliance

• Account switching requirements (going live in September 2013)

• Mobile payments (Spring 2014)

• Resolution and recovery plans, ring-fencing, intraday liquidity management,

FATCA compliance, sanctions compliance and fraud prevention.





7


Cyber crime • Exposure to cyber threats increases as companies embrace the digital world.

Regulatory demands increase over security and public confidence is

challenged.

• Controls over time to recover from a cyber attach and ability to reduce the net

impact as well as preventative controls.

Data governance and

quality

• Controls over the governance and quality of data

• Increasing regulatory attention.





8


Regulatory

Conduct Risk

• Compliance with the Conduct of Business rules (including COBS, ICOBS,

MCOB and BCOBS sourcebooks).

• Identifying the likely end customer and how controls in place ensure focus on

products and services meeting the long term interests of both retail and

wholesale customers.

Financial Crime • Systems and controls to combat financial crime are robust and in line with

regulations.

• Focus on AML.

Client assets • Arrangements over client assets in areas such as management processes,

adequate trust letters, treatment of collateral, completeness and accuracy of the

client money calculations, oversight of outsourced providers and sufficient

management information and reporting.

• Compliance with the CASS rules.

• Second and third line of defence monitoring programmes.

Regulatory reporting • Regulatory data quality.

• Capital, liquidity and other prudential returns is increasingly being challenged as

a result of peer group review.

• Challenge and oversight over regulatory reporting.

• Control framework surrounding the new COREP and FINREP data

requirements.



2014 Methodology Topics

Planning considerations and emerging best practices

9


IA processes

Assessing skills and

competency

• Internal auditors are expected to increase both the value and impact of internal

audit.

• Internal audit is required to have the necessary skills and experience that is

commensurate with the risks of the organisation.

• The Guidance provides that “the Chief Auditor should provide the Audit

Committee with a regular assessment of the skills required to conduct the work

needed and whether the internal audit budget is sufficient”.

• The Audit Committee should be responsible for approving the internal audit

budget and, as part of the Board’s overall governance responsibility, should

disclose in the annual report whether it is satisfied that Internal Audit has the

appropriate resources.

Opinion on internal

control environment

• The Guidance suggests that an assessment of the “overall effectiveness of the

governance, risk and control framework of the organisation”, including themes

and trends emerging from internal audit work, should be provided at least

annually.

• Internal Audit will need to create methodologies to assess the control

environments, and support their conclusions. These methodologies include:

• review of internal audit data; and

• Review of data from first and second lines of defence.



2014 Methodology Topics

Planning considerations and emerging best practices

10


Data Analytics • There is now an increased awareness of the power of using data analytics to

support assurance activities, which has led to increased demand for enhanced

analytics capability.

• While it is relatively simple to implement analytics tools, developing the skillsets

to use the tools effectively, embedding their use into the audit plan and

managing the target data is more challenging.



Internal Audit Hot Topics Governance

11

One or more of the following indicators were evident in financial institutions that failed during the crisis:

A dysfunctional board

A domineering CEO

Insufficient active Board involvement

Key posts being held by people without the required technical competence

Inadequate ‘four eyes’ oversight of risk

Inadequate understanding of the aggregation of risk

Alignment of culture, strategy and appetite

Boards, NEDs, Audit and Risk Committees, Remuneration Committees

Internal Audit and Risk Management

External drivers

Internal drivers

Key drivers for focus on governance

A UK listing requirement for an externally facilitated board effectiveness review and an increase in regulatory mandated reviews of governance.

CIIA’s Code for ‘Effective Internal Audit in the FS Sector’

Will audits be carried out on a standalone,

end-to-end audit basis or will there be a series

of intermittent audits to provide a continuous

view or will a governance component be

added to existing audit types?

What will be the split of focus

on assessing the design

versus the operating

effectiveness of governance

arrangements?

Will governance audits

seek to provide a current

point-in-time assessment

or will they also have a

forward looking

component?

The financial services sector has seen tremendous debate and increased scrutiny on governance. The Institute of Internal Auditors has recently recommended that internal auditors should have a voice in this area and include governance within its remit.



Internal Audit Hot Topics Governance (continued)

12

Text

Setting

strategy

Board and

Board

Committees

Management

Committees

Organisational

structure

Governance

model

Control

functions

Setting

incentivisation

Policy

management

Performance

monitoring &

management

Setting risk

appetite

People

& culture

Management

InformationS

tructu

res

Pro

cesses

Reporting &

analysis

The role of Internal Audit

Scope and priorities

The Code’s guiding principles recommend IA to have a view

Board and Committee: embedded within the activities, limits and reporting.

People and Culture: processes (e.g. remuneration, decision making), actions (e.g. accountability and direction) and “tone at the top” align with values, ethics, risk appetite, policies.

MI for strategic and operational decision making: represents the risks.

Basic extent of testing

Review meeting minutes to demonstrate the existence of a

committee and the fact that it meets frequently

Reconcile the committee’s Terms of Reference against meeting

minutes to evidence core areas within its remit

Depth of testing (an example)

Moderate extent of testing

Review member biographies to understand and assess the

skills and experiences they bring

Carry out a survey or conduct interviews with committee

members to provide a qualitative dimension to the assessment

e.g. asking for opinions and requesting examples of recent

decisions and how those decisions were arrived at

Review meeting minutes and action logs to assess the extent to

which actions have “teeth” and are followed-up

Leading extent of testing

Carry out a sample of stakeholder interviews outside of the

committee to understand broader perceptions and experiences

Assess how decisions are made via a sample of case studies,

for example, evaluate the strategy setting process, evaluate

how risk appetite is set and monitored.



Internal Audit Hot Topics Culture

13

Increasing regulatory focus Alignment of risk culture, strategy, appetite and remuneration frameworks PRA ‘Approach to Supervision’



Internal Audit, Risk Management, Human Resources and Tax

A key lever in building sustainable businesses

External drivers

Internal drivers

Standard & Poor’s approach for assessing companies’ ERM

Within three to five years, risk intelligence is likely to be a

priority measure for assessing the quality and embedding of a

firm’s strategic plan, risk appetite, governance structure and its risk management and

remuneration frameworks.

Key drivers for risk intelligent cultures What the future looks like

Tax - Annual Remuneration Report – Remuneration Policy Statement form

Increasing stakeholder pressures

Banks, insurers, asset managers and broker firms are being driven to understand, measure, strengthen and report on their risk culture and the risk intelligence of their people as part of enhancing their risk management and control systems.



Internal Audit Hot Topics Culture (continued)

14

Cu

ltu

re

Ris

k in

telli

gen

ce

The organisation’s behavioural norms, management systems and symbols, and how these are aligned to encourage people to make the right risk-related decisions, and exhibit desired risk management behaviours

What does good look like? Why does it matter? What is it?

The values, implicit beliefs and ideas that give meaning to an organisation

How values translate into behaviours

The way people act – how they work, make decisions, interact and ultimately how they deliver results

Can create a powerful and sustainable competitive advantage

Risk management systems and controls are only as good as the people operating them.

Vital for informed risk based decision making

Increased confidence of external stakeholders.

Has a major impact on organisations

Enables or inhibits achieving strategy

Impacts bottom line results

Culture and risk culture are really useful if done right; in particular they save a lot of time showing people how to do things; e.g. How can I be successful in my career – follow or don’t follow the normal behaviour of those around me. Commonality of purpose

Universal adoption and application

A learning organisation – continuously improving

Prompt, transparent, and honest communications

Understanding the value of effective risk management

Responsibility – individual and collective

Expectation of challenge

Behaviours

Systems

Symbols Risk intelligence helps to protect the organisation’s assets, reputation and sustainability.



Internal Audit Hot Topics Culture (continued)

15


Polices and Processes: operating effectively; i.e. outcomes achieved align with the organisation’s objectives, risk appetite and values.

Risk and Control Culture: attitude and approach at all levels to risk management and internal control.

Scope and priorities

The Code’s guiding principles recommend IA to have a view

Internal Governance: structures and processes operating effectively.

Adherence to Risk Appetite: embedded within the activities, limits and reporting.

Risk and Control Culture: processes (e.g. remuneration, appraisal), actions (e.g. decision making) and “tone at the top” align with values, ethics, risk appetite, policies.

MI for strategic and operational decision making: represents the risks.

• Relationship• Motivation

• Organisation• Risk Competence

Strategy and Objectives Values and EthicsPolicies, Processes

and ProceduresRisk Governance

ChallengeManagement LeadershipCommunication

Knowledge Skills LearningRecruitment,

Induction and Retention

RiskIntelligence

Performance Management IncentivesReward and

RecognitionAccountability



Internal Audit Hot Topics

An example approach:

16

Ob

jec

tive

s

Ac

tivit

ies

D

eli

ve

rab

les

3. Develop implementation roadmap

• Develop a flexible implementation roadmap

that is tailored to the aims, objectives and

timescales of the company.

• Understand Internal Audit’s immediate,

medium and long term objectives relating to

the level or assurance required.

• Define the phases, timings, priorities and

resources required to embed the Cultural

Assessment Framework as business as usual.

• Implementation Roadmap.

1. Develop tailored Cultural Assessment Model

• Provide a holistic, integrated company specific

Cultural Assessment Model.

• Identify and review existing frameworks.

• Leverage external culture and risk models as

necessary.

• Develop an appropriate number of company

specific cultural indicators.

• Company specific Cultural Assessment Model.

2. Define Evidence Source Model

• Define a portfolio of sources of evidence that

enable an assessment of culture at the

company.

• Identify existing sources of evidence.

• Assess availability and credibility of evidence

sources.

• Develop additional/alternative sources of

evidence, as required.

• Map evidence points to cultural indicators.

• Evidence Source Model.

Culture (continued)



Internal Audit Hot Topics Risk Management

17

Increasing regulatory focus Alignment of risk management with business operations Basel Committee




Challenge of the second line of defence

External drivers

Internal drivers

Financial Stability Board

Key drivers for risk management


There is a drive to not just challenge the processes and controls of a function but look at the way a risk is managed across the business and the responsibilities across the three lines of defence.



Internal Audit Hot Topics Risk Management (continued)

18


Key areas for consideration: • Assess Risk Management Frameworks (RMF) on a firm-wide

basis as well as on an individual business line and legal entity basis;

• Identification, escalation and reporting of breaches in risk limits;

• Design and effectiveness of the RMF and its alignment with supervisory expectations;

• Implementation of the RMF, including linkage to strategic and business planning, compensation, and decision-making processes;

• Risk measurement techniques and MI used to monitor the firm’s risk profile in relation to its risk appetite; and

• Deficiencies in the RMF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner.

Risk Strategy & Appetite

Risk Governance

Risk Processes & Methodologies

Risk Data & IT Systems

Risk Management Skills, Resources &

Culture

Valid

ati

on



Internal Audit Hot Topics Model Risk Management

19

Increasing regulatory focus A need to improve and automate business operational processes High profile cases of model

failures like Gaussian copulas in 2006 and JP Morgan in 2012




External drivers

Internal drivers

Key drivers for Model Risk Management


Risk Strategy & Appetite

Risk Governance

Risk Processes & Methodologies

Risk Data & IT Systems

Risk Management Skills, Resources &

Culture

Valid

ati

on



Internal Audit Hot Topics Model Risk Management (continued)

20


Governance, Policies & Controls • Model Governance framework. • Policies, Standards and Procedures. • Model inventory and documented limitations. Legal & Regulatory Compliance • Compliance with legal and regulatory requirements. • Gaps against compliance requirements. Development, Implementation & Use • Model approach and design including model methodology / technique. • Quality of data and variables. • Completeness of population and review. • Model documentation, including verification of attempts to rebuild the model based on the documentation. • Systems and accuracy of implementation. • Verification of appropriate model usage subject to controls and limitations. Validation • Validation standards and techniques; and verification of independence of development and validation teams. • Testing model approval, overrides and calibration process. • Assessment of regular review cycle.

Model Risk Management

Qualitative

Governance, Policies &

Control

Legal & Regulatory Compliance

Quantitative

Development, Implementation

& Use Validation



Internal Audit Hot Topics Tax Risk Management

21

Increasing focus on reputational risk (e.g. Starbucks, Amazon)

Ensure governance and control environment fulfils obligations to stakeholders

Focus on minimising financial risk

Increased complexities of financial products

Identification of significant errors and control deficiencies

Ensuring new product approval processes and post implementation controls are adequate

External drivers

Internal drivers

Key drivers for Tax Risk Management


Corporate Tax

Transfer pricing

Tax return process

Group relief and cash payments

PE risks

VAT

Quarterly VAT return process

Taxable vs exempt supplies

Partial exemption Special Method

Reverse charge application

Capital Goods scheme

Employment Taxes

Payroll

Benefits in kind

Share plans and long term incentive

schemes

Pensions – salary sacrifice

Global mobility – travel expense policy, short

term business visitors



Internal Audit Hot Topics Tax Risk Management (continued)

22


Governance, Policies & Controls • Tax Strategy. • Tax Governance framework. • Tax controls and systems – Senior Accounting Officer

certification; tax review processes for new products, investments and transactions; impact assessment of new tax legislation (e.g FATCA).

Legal & Regulatory Compliance • Compliance with legal and regulatory requirements. • Gaps against compliance requirements.

Withholding and

Reporting Regimes

Type 17 reporting

TDSI

FATCA

EU Savings Directive

CT61 returns

Sch 36

SX1 returns

ISA compliance

Type 18 reporting

Yearly Interest

Operational Taxes




Internal Audit Hot Topics Financial Crime

23


Governance & Compliance

Po

licie

s &

Pro

ce

du

res

Op

era

tion

s &

Pe

op

le

CDD Definition & Quality

(Static &Transactional)

Strategy & Risk Appetite

Fraud, Market Abuse,

Insider Trading

Bribery & Corruption

AML / CTF/ Sanctions

Identity Theft

Technology & Systems

Analytics, MI & Reporting

Increasing regulatory focus

A need to improve and automate business operational processes

High profile cases of AML/ alleged CTF failures, leading to fines (both personal and corporate)

Boards, Audit and Risk Committees

Element of personal accountability for the MLRO

External drivers

Internal drivers

Key drivers for Financial Crime risk


A need to upgrade skills, and refresh training



Internal Audit Hot Topics Financial Crime (continued)

24



Key areas for consideration: • Financial Crime risk definition, identification and assessment; Financial Crime risk appetite

and tolerance framework • Transaction Monitoring Optimisation to produce more good alerts and fewer bad alerts • Data Quality Assessments to allow for more reliable inputs into the customer screening and

transaction monitoring processes

• Testing the effectiveness of customer screening to improve the firm’s ability to identify PEPs

• Fine tuning threshold settings to reduce alerts whilst managing risk

• Validate that monitoring logic has been correctly implemented.



Key Contacts

Alana Thorne

Director

+44 20 7007 8479

[email protected]

25

Staying ahead www.deloitte.com/view/en_GB/uk/industries/financial-services/issues-trends/financial-

services-internal-audit/index.htm

Chit Ghee Yeoh

Associate Director

+44 20 7303 2882

[email protected]





Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of

member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the

legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out

will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from

acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this

publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining

from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New

Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.


Banking and Financial Services Internal Audit Group - Chartered

Documents

Transcript of Banking and Financial Services Internal Audit Group - Chartered