
2016 planning priorities for internal audit in financial services

Chris Mayo, 16 September 2015

Contents

Key areas for FS Internal Audit for 2016 3

Risk culture 5

Retail conduct 7

Cyber crime 9

Other topics 11

Contact 20

© 2015 Deloitte LLP. Private and confidential 2

High impact areas of focus for Internal Audit in 2016

Business Leadership
• Corporate culture
• Communication
• Individual accountability
• Annual audit opinion

Risk Management
• Risk appetite framework
• Insurance coverage
• Risk culture
• Operational risk
• Model risk

Regulatory Matters
• New regulators
• Retail conduct
• Financial crime
• Client assets

Capital and Liquidity
• Solvency II
• Data quality

Trading
• Product & valuation controls
• Fair and Effective Markets Review
• Unauthorised trading
• High frequency and automated trading

IT
• Cyber crime
• IT Disaster recovery and resilience
• Digital forces
• Continuous risk assessment

Accounting and tax
• Tax risk management
• COSO 2013 framework

Hot Topics for FS IA
• Risk culture
• Retail conduct
• Cyber crime

Risk management / Risk culture: What is it?

Risk culture measurement, monitoring and management – a hot topic on the regulators’ agenda

Risk management processes, systems and internal controls are only as good as the behaviour of the people operating/overseeing them

Difficult to document, embed and evidence

The debate: should risk and control culture be included in the risk based audit plan, and what granularity of risk culture should be focused on in the audit plan?

A shift by IA from generic risk & control culture audits to audits on a more granular sub risk culture, e.g. conduct, operational & market risk culture

Risk management / Risk culture: What can IA do to address it?

• Audits becoming more focused and granular:
  - Standalone audits of risk culture by area/function/business unit
  - Bolt on to existing audits to challenge behavioural drivers behind audit findings
  - Continuous monitoring through regular review of risk culture indicators against a firm’s framework of control

Regulatory matters / Retail conduct: What is it?

A greater regulatory and industry focus on how retail conduct risk is embedded within a firm’s framework and appetite

A need to demonstrate conduct-focused behaviour and customer outcomes embedded in and integral to all strategic and operational decisions, supporting the overall framework to deliver good customer outcomes

A focus from the Board of Directors on how this is challenged internally and whether the internal control environment supports the delivery of fair customer outcomes

Regulatory matters / Retail conduct: What can IA do to address it?

• Undertake standalone reviews of conduct
• Look at integrating conduct risk into existing audits to identify themes or systemic issues
• Conduct focused reviews around the firm’s key conduct-related issues/risks and take a more thematic approach to audits
• Execute end-to-end reviews of a particular product across its lifecycle

IT / Cyber crime: What is it?

Cyber crime has been an increasingly regular feature in the media over the past 18 months, with financial services firms continuing to bear the brunt

These upward trends demonstrate a fundamental shift in the nature of attacks, both in terms of complexity and persistence

High profile incidents, consumer concern and media coverage are increasingly compliance and business issues, with greater regulatory scrutiny, direction and intervention

For many financial institutions, a cyber-security incident is not so much a question of IF, but WHEN

More mature organisations are proactively planning and preparing for incidents and their response, including testing wider crisis management skills

With the rise in breach size, impact and complexity in 2015, incident response has seen a shift from a point-based ‘fix-it’ type approach towards a more holistic and sustainable one

IT / Cyber crime: What can IA do to address it?

• Adopt a multi-faceted framework involving people, process and technology
• Effectively deal with the challenge of the recruitment and retention of sufficiently technically skilled personnel to execute cyber crime audits and investigations
• Look at organisational collaboration in cyber crime audits, both internally (e.g. HR, IT, security and legal) and externally (e.g. external auditors and third party providers/partners)

Hot Topics for FS IA: Other topics

Business Leadership: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

Corporate culture
• Conduct an audit of the organisation’s culture while considering the organisation’s structure
• If there is a desired culture, IA can audit to this baseline, such as Board approved strategies
• If one has not been defined, IA can audit relative to industry best practices

Communication
• Review the framework and related governance around day to day operations and media management, either internally or externally facing
• Review the effectiveness of communications, and benchmark across peers or the industry

Individual accountability
• Assess how IA itself will be directly affected by the Senior Managers Regime and Senior Insurance Managers Regime from the PRA and FCA, in terms of documented responsibilities
• Assess the impact of these requirements on governance audits, including:
  - whether the responsibilities assigned are appropriate; and
  - whether responsibilities and reporting lines are mapped, including shared responsibilities and delegated and/or outsourced arrangements

Annual audit opinions
• Determine whether IA will obtain the required level of support for its opinion through the audits contained in the annual audit plan
• Challenge IA’s annual audit plan throughout the year to ensure that the plan is aligned to changes in the risk profile of the business
• Consider how and where IA’s view of risk and control culture has been captured

Risk Management: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

Risk appetite framework
• Consider the effectiveness of the risk appetite framework by taking:
  - a) The horizontal view – assessing whether the statements, measures and calibration of the limits in the risk appetite framework make sense based on the firm’s business model and strategy and the insight gained from stress testing and reverse stress testing
  - b) The vertical view – assessing how detailed policy limits and standards aggregate to the Board of Directors’ approved risk appetite statements and measures

Insurance coverage
• Review the suitability of insurance cover for directors and officers to identify errors, gaps and inadequacies in a firm’s current coverage, as well as unnecessary insurance cover
• Test for a transparent and robust premium allocation model to avoid overpaying

Operational risk
• Assess the proportionality of mitigating activity in a firm’s risk methodologies by considering:
  - the probability of operational risk events crystallising; and
  - the magnitude of the potential impact of such events

Model risk
• Develop a top-down approach to address model risk which transparently demonstrates how compliance with regulatory expectations will be delivered over a 12 month and longer horizon
• Provide an assessment to the Board of Directors that model risk is effectively managed (identified, measured, monitored and controlled) within an entity’s clear statement of model risk appetite
• Regularly test the ongoing independence between model development, validation and application teams to ensure model risk management is effective

Regulatory Matters: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

New regulators
• Help the business deal with the UK’s Payment Systems Regulator (PSR), the EU’s Single Supervisory Mechanism (SSM) and the EU’s Single Resolution Mechanism (SRM) by proactively managing the relationship with the underlying business units; and
• Understand the new regulators’ focus areas for inclusion in IA’s audit plan

Financial crime
• Determine which specific areas of the firm’s financial crime arrangements warrant IA’s attention
• Utilise more qualitative techniques (including risk analytics and management information reporting) to provide better coverage of a firm’s increasingly complex arrangements
• Focus on the overall financial crime culture, reliability of management information and capabilities across the organisation

Client assets
• Focus on client money reconciliations and client money segregation controls
• Review the firm’s responses to the rule changes and how they have been implemented, both in terms of process changes and system enhancements

Capital and Liquidity: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

Solvency II
• Given the scope of Solvency II for European insurers, IA can:
  - Engage with the front line business on the development of capital models and reporting infrastructure for Solvency II;
  - Liaise with governance committees on key responsibilities for Solvency II;
  - Evaluate the adequacy and effectiveness of the internal control system and other elements of the system of governance;
  - Build flexibility into IA’s annual audit plan to accommodate further work supporting the development of Solvency II;
  - Consider whether IA possesses the necessary expertise to review the programmes and models; and
  - Review project management for projects supporting the implementation of Solvency II.

Data quality
• Review data quality practices & processes surrounding capital and liquidity reporting
• Consider the use of analytics to re-perform the controls in place
• Review the broader data governance, including clearly defined roles and responsibilities, policies, standards, reporting and escalation across the business
• Undertake BCBS 239 preparedness audits to determine the level of compliance with the BCBS 239 Principles

Trading: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

Product & valuation controls
• Examine the broader controls supporting the valuation controls, rather than only assessing the Independent Price Verification (IPV) process
• Acquire and retain individuals with IA experience and the appropriate technical and product knowledge to challenge the firm and raise insightful observations

Fair and Effective Markets Review (FEMR)
• As a result of the expansion of the FCA’s supervision from LIBOR to 8 benchmarks, IA:
  - Should include semi-annual audits to examine the controls involved in the firm’s benchmark submission process; and
  - Should challenge how the investment banking business manages its conflicts of interest.

Unauthorised trading
• Test the design and operating effectiveness of the front office supervisory controls on unauthorised trading, including:
  - The delegation of authorities from senior management to front line supervisors; and
  - Management information provided to senior management.

High frequency and automated trading
• Confirm that algorithmic trading methodologies have been appropriately developed, tested, documented and implemented in the trading system
• Review the adequacy of the reviews by Risk Management to examine whether systems are reviewed regularly, including back testing
• Attract and retain specialists with both trading and IT skillsets

IT: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

Cyber crime
• Adopt a multi-faceted framework involving people, process and technology to address cyber crime
• Effectively deal with the challenge of the recruitment and retention of sufficiently technically skilled personnel to execute cyber crime audits and investigations
• Look at organisational collaboration in cyber crime audits, both internally (e.g. HR, IT, security and legal) and externally (e.g. external auditors and third party providers and partners)

IT disaster recovery and resilience
• Consider the adequacy of broader organisational processes in place to avoid, prevent, respond to and recover from planned and unplanned outages

Digital forces
• Identify and map the current state of the organisation’s digital footprint with all associated components, including mobile, cloud and social media
• Have the appropriate expertise and experience to independently verify the effectiveness of all elements of the organisation’s digital strategy, including the risk management framework

Continuous risk assessment
• Communicate with management to address concerns over the implications of conducting continuous risk assessment in order to identify emerging technology risks to the firm;
• Engage and collaborate with the 1st and 2nd lines of defence so there are clear roles and responsibilities, along with information sharing between the 3 lines of defence

Accounting and Tax: Other areas of focus in 2016

Topic / Internal Audit (IA) Considerations

Tax risk assessment
• IA can challenge whether the firm:
  - Manages tax risk (including transfer tax) to avoid taxation penalties and damage to its reputation;
  - Complies with tax legislation by jurisdiction; and
  - Is appropriately transparent and accurate in financial reporting disclosures and reporting.

COSO 2013 framework
• IA can examine the risk assessment and scoping process for key financial reporting processes against:
  - The COSO 2013 framework;
  - Recent trends in regulatory comment letters; and
  - Industry best practices.
• IA can apply the lessons learned from the COSO 2013 framework to other areas such as operational risk and conduct risk.

Recent Deloitte publications


For additional publications of current relevance for Internal Audit, visit http://www.deloitte.com/uk/internalaudit

Contact

Chris Mayo, [email protected], +44 20 7007 9076

Important notice

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte LLP is the United Kingdom member firm of DTTL.

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

© 2015 Deloitte LLP. All rights reserved.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.