Banking and Financial Services Internal Audit Group - Chartered
Deloitte UK screen 4:3 (19.05 cm x 25.40 cm)
© 2013 Deloitte LLP. All rights reserved.
Banking and Financial Services Internal Audit Group
Hot topics for 2014 Audit Planning
Lunch Time Seminar
10 September 2013
Alana Thorne, Director
+44 20 7007 8479
Chit Ghee Yeoh, Associate Director
+44 20 7303 2882
Agenda
Introduction
• Impact of the code on internal audit functions and understanding the drivers for change
• Key changes as a result of the code and impact on audit planning
Hot topics for 2014 planning
• A summary of key hot topics
• Industry topics
• Methodology topics
• Deep dive into new and uncomfortable areas of change
Questions
Introduction: Impact of the code on internal audit functions
Internal Audit in Financial Services
The Committee on Internal Audit Guidance for Financial Services has issued its Recommendations for Effective Internal Audit in the Financial Services Sector. This demonstrates that there is, and will continue to be, increased challenge of and visibility upon Internal Audit: the bar has been raised. Regulators will look to rely on Internal Audit, creating an opportunity for Internal Audit to demonstrate its relevance and importance in protecting the assets of a company.
Areas of significant challenge to many audit functions (and applicable to all) include:
• Positioning within the organisation: the primary Internal Audit reporting line should be to the Chair of the Board Audit Committee, with a secondary reporting line to the CEO;
• Employing significant professional judgement;
• An outcomes-based approach; and
• Resourcing.
Emerging best practices
• Strong communication and consistent language with risk, compliance and finance functions
• Responding to resource challenges
• Auditing culture
• Harnessing the power of data
• Building trust with the regulators
• Quality assurance
Hot Topics for 2014 planning: Current planning agenda

Internal Audit Hot Topics

'New and uncomfortable'
• Governance
• Culture

IA processes
• Assessing skills and capabilities
• Holistic opinions and IC environment
• Data analytics

Regulatory
• Conduct risk
• Regulatory reporting
• Financial crime
• Client assets

Risk management
• Risk frameworks
• Risk appetite
• Risk data aggregation

Capital and liquidity
• RWAs
• Model risk management
• CRD IV
• Liquidity

Trading
• Unauthorised trading
• Indices and benchmarks
• High frequency trading

Accounting and tax
• Loan loss provisioning
• Tax risk management

IT
• Resilience
• Third party management
• Payment services
2014 Industry Topics: Planning considerations

New and uncomfortable
Governance; Culture
• Governance: assessing the structures, processes and controls used to manage a business
• Culture: how processes, actions and tone at the top align with the values and behaviours of the business

Risk management
Risk framework; Risk appetite
• Assessing how a risk, or group of risks, is managed across a Group or business
• How risk management is linked to strategy
• Aggregation of risk data and MI
Risk data aggregation
• How data management measures up against the BCBS principles for effective risk data aggregation and risk reporting.

Capital and liquidity
CRD IV; RWA; Liquidity
• Readiness for, and compliance with, the new requirements (the internationally agreed Basel III standards on capital and liquidity), effective 1 January 2014.
• Completeness, accuracy and integrity of source data inputs and calculated RWA outputs.
• Board and senior management oversight
• Policies, procedures and limits (e.g. stress-testing)
• Risk measurement and monitoring.
Model risk management
• Design and development of model governance and model validation.

Trading
Indices and benchmarking
• The spotlight is starting to shine on other indices (aside from LIBOR), benchmarks and wider price-setting processes that banks contribute to.
• A focus on reviewing submission processes against definitions and best practice.
2014 Industry Topics: Planning considerations (continued)

Trading
Unauthorised trading
• Assurance over controls to capture and report unauthorised trading
• The firm's culture and attitude towards unauthorised trading
High frequency trading
• Assurance over trade execution controls, given recent glitches and failures in high frequency trading

Accounting and Tax
Tax risk management
• Tax strategy and tax governance arrangements
• Alignment of tax strategy to wider business strategy
Loan loss provisioning
• Identification and recognition of loan loss provisions
• Controls over the functioning of the model
• Reporting and disclosure requirements

IT
Third party management
• Relationships with third-party/outsourced partners
• Data security risk
Resilience
• Business continuity and disaster recovery processes
• Resilience controls and processes
Payments
• Payment services regulation compliance
• Account switching requirements (going live in September 2013)
• Mobile payments (Spring 2014)

Other areas: resolution and recovery plans, ring-fencing, intraday liquidity management, FATCA compliance, sanctions compliance and fraud prevention.
2014 Industry Topics: Planning considerations (continued)

Cyber crime
• Exposure to cyber threats increases as companies embrace the digital world; regulatory demands over security increase and public confidence is challenged.
• Preventative controls, together with controls over the time taken to recover from a cyber attack and the ability to reduce its net impact.

Data governance and quality
• Controls over the governance and quality of data
• Increasing regulatory attention.
2014 Industry Topics: Planning considerations (continued)

Regulatory
Conduct Risk
• Compliance with the Conduct of Business rules (including the COBS, ICOBS, MCOB and BCOBS sourcebooks).
• Identifying the likely end customer, and how the controls in place ensure a focus on products and services that meet the long term interests of both retail and wholesale customers.
Financial Crime
• Systems and controls to combat financial crime are robust and in line with regulations.
• Focus on AML.
Client assets
• Arrangements over client assets in areas such as management processes, adequate trust letters, treatment of collateral, completeness and accuracy of the client money calculations, oversight of outsourced providers and sufficient management information and reporting.
• Compliance with the CASS rules.
• Second and third line of defence monitoring programmes.
Regulatory reporting
• Regulatory data quality.
• Capital, liquidity and other prudential returns are increasingly being challenged as a result of peer group review.
• Challenge and oversight over regulatory reporting.
• Control framework surrounding the new COREP and FINREP data requirements.
2014 Methodology Topics: Planning considerations and emerging best practices

IA processes
Assessing skills and competency
• Internal auditors are expected to increase both the value and impact of internal audit.
• Internal audit is required to have the necessary skills and experience, commensurate with the risks of the organisation.
• The Guidance provides that "the Chief Auditor should provide the Audit Committee with a regular assessment of the skills required to conduct the work needed and whether the internal audit budget is sufficient".
• The Audit Committee should be responsible for approving the internal audit budget and, as part of the Board's overall governance responsibility, should disclose in the annual report whether it is satisfied that Internal Audit has the appropriate resources.
Opinion on internal control environment
• The Guidance suggests that an assessment of the "overall effectiveness of the governance, risk and control framework of the organisation", including themes and trends emerging from internal audit work, should be provided at least annually.
• Internal Audit will need to create methodologies to assess the control environment and support its conclusions. These methodologies include:
  • review of internal audit data; and
  • review of data from the first and second lines of defence.
2014 Methodology Topics: Planning considerations and emerging best practices (continued)

Data Analytics
• There is now an increased awareness of the power of using data analytics to support assurance activities, which has led to increased demand for enhanced analytics capability.
• While it is relatively simple to implement analytics tools, developing the skillsets to use the tools effectively, embedding their use into the audit plan and managing the target data is more challenging.
Internal Audit Hot Topics: Governance

The financial services sector has seen tremendous debate and increased scrutiny on governance. The Institute of Internal Auditors has recently recommended that internal auditors should have a voice in this area and include governance within their remit.

One or more of the following indicators were evident in financial institutions that failed during the crisis:
• A dysfunctional board
• A domineering CEO
• Insufficient active Board involvement
• Key posts being held by people without the required technical competence
• Inadequate 'four eyes' oversight of risk
• Inadequate understanding of the aggregation of risk

Key drivers for focus on governance (external and internal drivers):
• A UK listing requirement for an externally facilitated board effectiveness review, and an increase in regulatory mandated reviews of governance.
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Alignment of culture, strategy and appetite
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit and Risk Management

Open questions when planning governance audits:
• Will audits be carried out on a standalone, end-to-end basis, or as a series of intermittent audits that provide a continuous view, or will a governance component be added to existing audit types?
• What will be the split of focus between assessing the design versus the operating effectiveness of governance arrangements?
• Will governance audits seek to provide a current point-in-time assessment, or will they also have a forward looking component?
Internal Audit Hot Topics: Governance (continued)

Governance model components (structures and processes): Setting strategy; Board and Board Committees; Management Committees; Organisational structure; Control functions; Setting incentivisation; Policy management; Performance monitoring & management; Setting risk appetite; People & culture; Management Information; Reporting & analysis.

The role of Internal Audit
Scope and priorities: the Code's guiding principles recommend that IA has a view on:
• Board and Committee: embedded within the activities, limits and reporting.
• People and Culture: processes (e.g. remuneration, decision making), actions (e.g. accountability and direction) and "tone at the top" align with values, ethics, risk appetite, policies.
• MI for strategic and operational decision making: represents the risks.

Depth of testing (an example)

Basic extent of testing
• Review meeting minutes to demonstrate the existence of a committee and the fact that it meets frequently
• Reconcile the committee's Terms of Reference against meeting minutes to evidence core areas within its remit

Moderate extent of testing
• Review member biographies to understand and assess the skills and experience they bring
• Carry out a survey or conduct interviews with committee members to provide a qualitative dimension to the assessment, e.g. asking for opinions and requesting examples of recent decisions and how those decisions were arrived at
• Review meeting minutes and action logs to assess the extent to which actions have "teeth" and are followed up

Leading extent of testing
• Carry out a sample of stakeholder interviews outside of the committee to understand broader perceptions and experiences
• Assess how decisions are made via a sample of case studies, for example, evaluate the strategy setting process and evaluate how risk appetite is set and monitored.
Internal Audit Hot Topics: Culture

Banks, insurers, asset managers and broker firms are being driven to understand, measure, strengthen and report on their risk culture and the risk intelligence of their people as part of enhancing their risk management and control systems.

Key drivers for risk intelligent cultures (external and internal drivers):
• Increasing regulatory focus
• Alignment of risk culture, strategy, appetite and remuneration frameworks
• PRA 'Approach to Supervision'
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Standard & Poor's approach for assessing companies' ERM
• Tax: Annual Remuneration Report / Remuneration Policy Statement form
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit, Risk Management, Human Resources and Tax
• A key lever in building sustainable businesses
• Increasing stakeholder pressures

What the future looks like: within three to five years, risk intelligence is likely to be a priority measure for assessing the quality and embedding of a firm's strategic plan, risk appetite, governance structure and its risk management and remuneration frameworks.
Internal Audit Hot Topics: Culture (continued)

Culture: what is it?
• The values, implicit beliefs and ideas that give meaning to an organisation
• How values translate into behaviours
• The way people act: how they work, make decisions, interact and ultimately how they deliver results

Risk intelligence: what is it?
• The organisation's behavioural norms, management systems and symbols (behaviours, systems, symbols), and how these are aligned to encourage people to make the right risk-related decisions and exhibit desired risk management behaviours

Why does it matter?
• Can create a powerful and sustainable competitive advantage
• Risk management systems and controls are only as good as the people operating them
• Vital for informed risk based decision making
• Increased confidence of external stakeholders
• Has a major impact on organisations
• Enables or inhibits achieving strategy
• Impacts bottom line results
• Risk intelligence helps to protect the organisation's assets, reputation and sustainability

What does good look like?
• Commonality of purpose
• Universal adoption and application
• A learning organisation, continuously improving
• Prompt, transparent and honest communications
• Understanding the value of effective risk management
• Responsibility, individual and collective
• Expectation of challenge

Culture and risk culture are really useful if done right; in particular they save a lot of time showing people how to do things, e.g. "How can I be successful in my career? Follow, or don't follow, the normal behaviour of those around me."
Internal Audit Hot Topics: Culture (continued)

The role of Internal Audit
Scope and priorities: the Code's guiding principles recommend that IA has a view on:
• Internal Governance: structures and processes operating effectively.
• Policies and Processes: operating effectively, i.e. outcomes achieved align with the organisation's objectives, risk appetite and values.
• Adherence to Risk Appetite: embedded within the activities, limits and reporting.
• Risk and Control Culture: attitude and approach at all levels to risk management and internal control; processes (e.g. remuneration, appraisal), actions (e.g. decision making) and "tone at the top" align with values, ethics, risk appetite, policies.
• MI for strategic and operational decision making: represents the risks.

Risk Intelligence framework (elements grouped under Relationship, Motivation, Organisation and Risk Competence): Strategy and Objectives; Values and Ethics; Policies, Processes and Procedures; Risk Governance; Challenge; Management; Leadership; Communication; Knowledge; Skills; Learning; Recruitment, Induction and Retention; Performance Management; Incentives; Reward and Recognition; Accountability.
Internal Audit Hot Topics: Culture (continued)
An example approach:

1. Develop tailored Cultural Assessment Model
Objective: provide a holistic, integrated, company specific Cultural Assessment Model.
Activities:
• Identify and review existing frameworks.
• Leverage external culture and risk models as necessary.
• Develop an appropriate number of company specific cultural indicators.
Deliverable: company specific Cultural Assessment Model.

2. Define Evidence Source Model
Objective: define a portfolio of sources of evidence that enable an assessment of culture at the company.
Activities:
• Identify existing sources of evidence.
• Assess availability and credibility of evidence sources.
• Develop additional/alternative sources of evidence, as required.
• Map evidence points to cultural indicators.
Deliverable: Evidence Source Model.

3. Develop implementation roadmap
Objective: develop a flexible implementation roadmap that is tailored to the aims, objectives and timescales of the company.
Activities:
• Understand Internal Audit's immediate, medium and long term objectives relating to the level of assurance required.
• Define the phases, timings, priorities and resources required to embed the Cultural Assessment Framework as business as usual.
Deliverable: Implementation Roadmap.
Internal Audit Hot Topics: Risk Management

There is a drive not just to challenge the processes and controls of a function but to look at the way a risk is managed across the business and the responsibilities across the three lines of defence.

Key drivers for risk management (external and internal drivers):
• Increasing regulatory focus
• Alignment of risk management with business operations
• Basel Committee
• Financial Stability Board
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit and Risk Management
• Challenge of the second line of defence
• Increasing stakeholder pressures
Internal Audit Hot Topics: Risk Management (continued)

The role of Internal Audit
Key areas for consideration:
• Assess Risk Management Frameworks (RMF) on a firm-wide basis as well as on an individual business line and legal entity basis;
• Identification, escalation and reporting of breaches in risk limits;
• Design and effectiveness of the RMF and its alignment with supervisory expectations;
• Implementation of the RMF, including linkage to strategic and business planning, compensation, and decision-making processes;
• Risk measurement techniques and MI used to monitor the firm's risk profile in relation to its risk appetite; and
• Timely reporting to the board and senior management of deficiencies in the RMF, and of the alignment (or otherwise) of risk appetite and risk profile with risk culture.

RMF components (each subject to validation): Risk Strategy & Appetite; Risk Governance; Risk Processes & Methodologies; Risk Data & IT Systems; Risk Management Skills, Resources & Culture.
Internal Audit Hot Topics: Model Risk Management

Key drivers for Model Risk Management (external and internal drivers):
• Increasing regulatory focus
• A need to improve and automate business operational processes
• High profile cases of model failures, such as Gaussian copulas in 2006 and JP Morgan in 2012
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit and Risk Management
• Increasing stakeholder pressures

RMF components (each subject to validation): Risk Strategy & Appetite; Risk Governance; Risk Processes & Methodologies; Risk Data & IT Systems; Risk Management Skills, Resources & Culture.
Internal Audit Hot Topics: Model Risk Management (continued)

The role of Internal Audit

Qualitative
Governance, Policies & Controls
• Model Governance framework.
• Policies, Standards and Procedures.
• Model inventory and documented limitations.
Legal & Regulatory Compliance
• Compliance with legal and regulatory requirements.
• Gaps against compliance requirements.

Quantitative
Development, Implementation & Use
• Model approach and design, including model methodology/technique.
• Quality of data and variables.
• Completeness of population and review.
• Model documentation, including verification of attempts to rebuild the model based on the documentation.
• Systems and accuracy of implementation.
• Verification of appropriate model usage, subject to controls and limitations.
Validation
• Validation standards and techniques, and verification of the independence of development and validation teams.
• Testing model approval, overrides and the calibration process.
• Assessment of the regular review cycle.
Internal Audit Hot Topics: Tax Risk Management

Key drivers for Tax Risk Management (external and internal drivers):
• Increasing focus on reputational risk (e.g. Starbucks, Amazon)
• Ensure the governance and control environment fulfils obligations to stakeholders
• Focus on minimising financial risk
• Increased complexity of financial products
• Identification of significant errors and control deficiencies
• Ensuring new product approval processes and post-implementation controls are adequate
• Increasing stakeholder pressures

Corporate Tax
• Transfer pricing
• Tax return process
• Group relief and cash payments
• PE risks

VAT
• Quarterly VAT return process
• Taxable vs exempt supplies
• Partial exemption Special Method
• Reverse charge application
• Capital Goods scheme

Employment Taxes
• Payroll
• Benefits in kind
• Share plans and long term incentive schemes
• Pensions: salary sacrifice
• Global mobility: travel expense policy, short term business visitors
Internal Audit Hot Topics: Tax Risk Management (continued)

The role of Internal Audit
Governance, Policies & Controls
• Tax Strategy.
• Tax Governance framework.
• Tax controls and systems: Senior Accounting Officer certification; tax review processes for new products, investments and transactions; impact assessment of new tax legislation (e.g. FATCA).
Legal & Regulatory Compliance
• Compliance with legal and regulatory requirements.
• Gaps against compliance requirements.

Operational Taxes: Withholding and Reporting Regimes
• Type 17 reporting
• Type 18 reporting
• TDSI
• FATCA
• EU Savings Directive
• CT61 returns
• Sch 36
• SX1 returns
• ISA compliance
• Yearly Interest
Internal Audit Hot Topics: Financial Crime

Key drivers for Financial Crime risk (external and internal drivers):
• Increasing regulatory focus
• A need to improve and automate business operational processes
• High profile cases of AML / alleged CTF failures, leading to fines (both personal and corporate)
• Boards, Audit and Risk Committees
• Element of personal accountability for the MLRO
• A need to upgrade skills, and refresh training
• Increasing stakeholder pressures

Financial crime framework dimensions: Strategy & Risk Appetite; Governance & Compliance; Policies & Procedures; Operations & People; CDD Definition & Quality (Static & Transactional); Technology & Systems; Analytics, MI & Reporting.
Risk areas covered: Fraud, Market Abuse, Insider Trading; Bribery & Corruption; AML / CTF / Sanctions; Identity Theft.
Internal Audit Hot Topics: Financial Crime (continued)

The role of Internal Audit
Key areas for consideration:
• Financial Crime risk definition, identification and assessment; Financial Crime risk appetite and tolerance framework
• Transaction Monitoring optimisation to produce more good alerts and fewer bad alerts
• Data Quality Assessments to allow for more reliable inputs into the customer screening and transaction monitoring processes
• Testing the effectiveness of customer screening to improve the firm's ability to identify PEPs
• Fine tuning threshold settings to reduce alerts whilst managing risk
• Validating that monitoring logic has been correctly implemented.
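The transaction monitoring points above (threshold tuning, "more good alerts and fewer bad alerts", and validating that monitoring logic is correctly implemented) are the kind of work an audit analytics team can re-perform directly. The following is an added example and is not part of the Deloitte deck: a toy structuring rule (repeated cash deposits just below a reporting threshold) is scored against a constructed, labelled sample at three threshold settings, and an independent re-performance of the rule is compared alert-for-alert against the primary implementation. All customers, amounts, dates, labels and threshold values are invented for illustration and do not represent any real monitoring configuration.

```python
"""Added example (not from the Deloitte deck): a toy transaction-monitoring rule
with threshold tuning and an independent re-performance check.
All customers, amounts, dates, labels and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Deposit:
    customer: str
    ts: datetime
    amount: float

def dep(customer, day, amount):
    """Constructed helper: a cash deposit on day `day` of a synthetic month."""
    return Deposit(customer, datetime(2013, 9, 1) + timedelta(days=day), amount)

# Constructed sample population (not real data).
DEPOSITS = [
    # A: four deposits just under 10,000 within five days - classic structuring
    dep("A", 1, 9500), dep("A", 2, 9700), dep("A", 4, 9400), dep("A", 5, 9600),
    # B: two deposits just under the threshold, three days apart - legitimate here
    dep("B", 3, 9800), dep("B", 6, 9900),
    # C: a single deposit above the threshold - reportable, not structured
    dep("C", 2, 25000),
    # D: three deposits just under the threshold spread over twenty days
    dep("D", 1, 9900), dep("D", 11, 9850), dep("D", 21, 9950),
    # E: routine small deposits
    dep("E", 1, 2000), dep("E", 8, 2100), dep("E", 15, 1900), dep("E", 22, 2050),
]
# Analyst ground truth (constructed); used only to score the rule, never by it.
CONFIRMED_SUSPICIOUS = {"A", "D"}

@dataclass(frozen=True)
class Params:
    window_days: int  # rolling window length
    min_count: int    # in-band deposits needed to alert
    band_low: float   # inclusive lower bound of the "just below threshold" band
    band_high: float  # exclusive upper bound: the reporting threshold itself

def structuring_alerts(deposits, p):
    """Primary rule: alert a customer with at least `min_count` in-band deposits
    inside any rolling window of `window_days` (two-pointer sweep per customer)."""
    by_customer = {}
    for d in deposits:
        if p.band_low <= d.amount < p.band_high:
            by_customer.setdefault(d.customer, []).append(d.ts)
    window, alerts = timedelta(days=p.window_days), set()
    for customer, times in by_customer.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= p.min_count:
                alerts.add(customer)
                break
    return alerts

def reperformed_alerts(deposits, p):
    """Independent re-performance of the same rule, deliberately written another
    way (anchor on each deposit, count forward) so that a defect in either
    implementation surfaces as a discrepancy."""
    window = timedelta(days=p.window_days)
    band = [d for d in deposits if p.band_low <= d.amount < p.band_high]
    alerts = set()
    for a in band:
        n = sum(1 for d in band
                if d.customer == a.customer and a.ts <= d.ts <= a.ts + window)
        if n >= p.min_count:
            alerts.add(a.customer)
    return alerts

def logic_discrepancies(deposits, p):
    """Customers on which the two implementations disagree; an empty set is the
    evidence that the monitoring logic matches the documented rule here."""
    return structuring_alerts(deposits, p) ^ reperformed_alerts(deposits, p)

def score(alerts, confirmed):
    """precision = good alerts / all alerts; recall = confirmed cases caught."""
    tp = len(alerts & confirmed)
    return {"alerts": len(alerts), "true_positives": tp,
            "precision": round(tp / len(alerts), 3) if alerts else 0.0,
            "recall": round(tp / len(confirmed), 3) if confirmed else 0.0}

def tune(deposits, confirmed, candidates):
    """Score each candidate threshold setting so the trade-off is visible."""
    return {name: score(structuring_alerts(deposits, p), confirmed)
            for name, p in candidates.items()}

# Constructed candidate settings, not a recommendation for any real threshold.
CANDIDATES = {
    "strict": Params(window_days=7, min_count=3, band_low=9000, band_high=10000),
    "loose": Params(window_days=30, min_count=2, band_low=9000, band_high=10000),
    "tuned": Params(window_days=30, min_count=3, band_low=9000, band_high=10000),
}

if __name__ == "__main__":
    for name, result in tune(DEPOSITS, CONFIRMED_SUSPICIOUS, CANDIDATES).items():
        print(f"{name:7s} {result}")
    for name, p in CANDIDATES.items():
        print(f"{name:7s} re-performance discrepancies: {logic_discrepancies(DEPOSITS, p) or 'none'}")
```

On the constructed sample the strict setting misses the customer who structures slowly (recall 0.5), the loose setting catches both confirmed cases but adds a false positive (precision 0.667), and the tuned setting keeps full recall at the lower alert volume; that is the "fewer bad alerts" trade-off made visible with numbers rather than asserted. The re-performance check is separate from tuning: any customer in the discrepancy set is a finding about the deployed logic, not a threshold question, and on real data the auditor would run it over the full population rather than a sample.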
Key Contacts

Alana Thorne, Director
+44 20 7007 8479

Chit Ghee Yeoh, Associate Director
+44 20 7303 2882

Staying ahead: www.deloitte.com/view/en_GB/uk/industries/financial-services/issues-trends/financial-services-internal-audit/index.htm
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of
member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the
legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out
will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from
acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this
publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New
Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.
© 2013 Deloitte LLP. All rights reserved.