2016 planning priorities for internal audit in financial ...
Contents
• Key areas for FS Internal Audit for 2016
• Risk culture
• Retail conduct
• Cyber crime
• Other topics
• Contact
© 2015 Deloitte LLP. Private and confidential 2
High impact areas of focus for Internal Audit in 2016

Business Leadership
• Corporate culture
• Communication
• Individual accountability
• Annual audit opinion

Risk Management
• Risk appetite framework
• Insurance coverage
• Risk culture
• Operational risk
• Model risk

Regulatory Matters
• New regulators
• Retail conduct
• Financial crime
• Client assets

Capital and Liquidity
• Solvency II
• Data quality

Trading
• Product & valuation controls
• Fair and Effective Markets Review
• Unauthorised trading
• High frequency and automated trading

IT
• Cyber crime
• IT disaster recovery and resilience
• Digital forces
• Continuous risk assessment

Accounting and tax
• Tax risk management
• COSO 2013 framework

Hot topics for FS IA
• Risk culture
• Retail conduct
• Cyber crime
Risk management: Risk culture

What is it?
• Risk culture measurement, monitoring and management is a hot topic on the regulators’ agenda
• Risk management processes, systems and internal controls are only as good as the behaviour of the people operating and overseeing them
• Risk culture is difficult to document, embed and evidence
• The debate: should risk and control culture be included in the risk-based audit plan, and at what granularity should risk culture be addressed in the audit plan?

What can IA do to address it?
• A shift by IA from generic risk and control culture audits to audits of a more granular sub-risk culture, e.g. conduct, operational and market risk culture
• Audits becoming more focused and granular:
  - Standalone audits of risk culture by area, function or business unit
  - Bolt-on work within existing audits to challenge the behavioural drivers behind audit findings
  - Continuous monitoring through regular review of risk culture indicators against the firm’s framework of control
Regulatory matters: Retail conduct

What is it?
• A strong regulator and industry focus on how retail conduct risk is embedded within a firm’s framework and appetite
• A need to demonstrate that conduct-focused behaviour and customer outcomes are embedded in, and integral to, all strategic and operational decisions, supporting the overall framework for delivering good customer outcomes
• A focus from the Board of Directors on how this is challenged internally and whether the internal control environment supports the delivery of fair customer outcomes

What can IA do to address it?
• Undertake standalone reviews of conduct
• Integrate conduct risk into existing audits to identify themes or systemic issues
• Conduct focused reviews around the firm’s key conduct-related issues and risks, taking a more thematic approach to audits
• Execute end-to-end reviews of a particular product across its lifecycle
IT: Cyber crime

What is it?
• Cyber crime has been an increasingly regular feature in the media over the past 18 months, with financial services firms continuing to bear the brunt
• These upward trends demonstrate a fundamental shift in the nature of attacks, both in terms of complexity and persistence
• High profile incidents, consumer concern and media coverage are increasingly compliance and business issues, with greater regulatory scrutiny, direction and intervention
• For many financial institutions, a cyber-security incident is not so much a question of if, but when
• More mature organisations are proactively planning and preparing for incidents and their response, including testing wider crisis management skills
• With the rise in breach size, impact and complexity in 2015, incident response has shifted from a point-based ‘fix-it’ approach towards a more holistic and sustainable one

What can IA do to address it?
• Adopt a multi-faceted framework involving people, process and technology
• Deal effectively with the challenge of recruiting and retaining sufficiently technically skilled personnel to execute cyber crime audits and investigations
• Look at organisational collaboration in cyber crime audits, both internally (e.g. HR, IT, security and legal) and externally (e.g. external auditors and third party providers and partners)
Other areas of focus in 2016: Business Leadership

Topic / Internal Audit (IA) Considerations

Corporate culture
• Conduct an audit of the organisation’s culture, taking into account the organisation’s structure
• If there is a desired culture, IA can audit against that baseline, such as Board-approved strategies
• If one has not been defined, IA can audit relative to industry best practices

Communication
• Review the framework and related governance around day-to-day operations and media management, whether internally or externally facing
• Review the effectiveness of communications, and benchmark across peers or the industry

Individual accountability
• Assess how IA itself will be directly affected by the Senior Managers Regime and Senior Insurance Managers Regime from the PRA and FCA, in terms of documented responsibilities
• Assess the impact of these requirements on governance audits, including:
  - whether the responsibilities assigned are appropriate; and
  - whether responsibilities and reporting lines are mapped, including shared responsibilities and delegated and/or outsourced arrangements

Annual audit opinions
• Determine whether IA will obtain the required level of support for its opinion through the audits contained in the annual audit plan
• Challenge IA’s annual audit plan throughout the year to ensure that the plan is aligned to changes in the risk profile of the business
• Consider how and where IA’s view of risk and control culture has been captured
Other areas of focus in 2016: Risk Management

Topic / Internal Audit (IA) Considerations

Risk appetite framework
• Consider the effectiveness of the risk appetite framework from two views:
  - The horizontal view: assess whether the statements, measures and calibration of the limits in the risk appetite framework make sense given the firm’s business model and strategy and the insight gained from stress testing and reverse stress testing
  - The vertical view: assess how detailed policy limits and standards aggregate to the Board of Directors’ approved risk appetite statements and measures

Insurance coverage
• Review the suitability of insurance cover for directors and officers to identify errors, gaps and inadequacies in the firm’s current coverage, as well as unnecessary insurance cover
• Test for a transparent and robust premium allocation model to avoid overpaying

Operational risk
• Assess whether the mitigating activity built into the firm’s risk methodologies is proportionate, by considering:
  - the probability of operational risk events crystallising; and
  - the magnitude of the potential impact of such events

Model risk
• Develop a top-down approach to model risk which transparently demonstrates how compliance with regulatory expectations will be delivered over a 12 month and longer horizon
• Provide an assessment to the Board of Directors that model risk is effectively managed (identified, measured, monitored and controlled) within the entity’s clear statement of model risk appetite
• Regularly test the ongoing independence between model development, validation and application teams to ensure model risk management is effective
Other areas of focus in 2016: Regulatory Matters

Topic / Internal Audit (IA) Considerations

New regulators
• Help the business deal with the UK’s Payment Systems Regulator (PSR), the EU’s Single Supervisory Mechanism (SSM) and the EU’s Single Resolution Mechanism (SRM) by proactively managing the relationship with the underlying business units; and
• Understand the new regulators’ focus areas for inclusion in IA’s audit plan

Financial crime
• Determine which specific areas of the firm’s financial crime arrangements warrant IA’s attention
• Use more qualitative techniques (including risk analytics and management information reporting) to provide better coverage of the firm’s increasingly complex arrangements
• Focus on the overall financial crime culture, the reliability of management information and capabilities across the organisation

Client assets
• Focus on client money reconciliations and client money segregation controls
• Review the firm’s responses to the rule changes and how they have been implemented, both in terms of process changes and system enhancements
Other areas of focus in 2016: Capital and Liquidity

Topic / Internal Audit (IA) Considerations

Solvency II
• Given the scope of Solvency II for European insurers, IA can:
  - Engage with the front line business on the development of capital models and reporting infrastructure for Solvency II;
  - Liaise with governance committees on key responsibilities for Solvency II;
  - Evaluate the adequacy and effectiveness of the internal control system and other elements of the system of governance;
  - Build flexibility into IA’s annual audit plan to accommodate further work supporting the development of Solvency II;
  - Consider whether IA possesses the necessary expertise to review the programmes and models; and
  - Review project management for projects supporting the implementation of Solvency II.

Data quality
• Review data quality practices and processes surrounding capital and liquidity reporting
• Consider the use of analytics to re-perform the controls in place
• Review the broader data governance, including clearly defined roles and responsibilities, policies, standards, reporting and escalation across the business
• Undertake BCBS 239 preparedness audits to determine the level of compliance with the BCBS 239 Principles
Other areas of focus in 2016: Trading

Topic / Internal Audit (IA) Considerations

Product & valuation controls
• Examine the broader controls supporting valuation, rather than assessing only the Independent Price Verification (IPV) process
• Acquire and retain individuals with IA experience and the appropriate technical and product knowledge to challenge the firm and raise insightful observations

Fair and Effective Markets Review (FEMR)
• As a result of the expansion of the FCA’s supervision from LIBOR to 8 benchmarks, IA:
  - should include semi-annual audits to examine the controls involved in the firm’s benchmark submission process; and
  - should challenge how the investment banking business manages its conflicts of interest.

Unauthorised trading
• Test the design and operating effectiveness of the front office supervisory controls over unauthorised trading, including:
  - the delegation of authorities from senior management to front line supervisors; and
  - the management information provided to senior management.

High frequency and automated trading
• Confirm that algorithmic trading methodologies have been appropriately developed, tested, documented and implemented in the trading system
• Review the adequacy of the reviews performed by Risk Management, including whether systems are reviewed regularly and back tested
• Attract and retain specialists with both trading and IT skillsets
Other areas of focus in 2016: IT

Topic / Internal Audit (IA) Considerations

Cyber crime
• Adopt a multi-faceted framework involving people, process and technology to address cyber crime
• Deal effectively with the challenge of recruiting and retaining sufficiently technically skilled personnel to execute cyber crime audits and investigations
• Look at organisational collaboration in cyber crime audits, both internally (e.g. HR, IT, security and legal) and externally (e.g. external auditors and third party providers and partners)

IT disaster recovery and resilience
• Consider the adequacy of the broader organisational processes in place to avoid, prevent, respond to and recover from planned and unplanned outages

Digital forces
• Identify and map the current state of the organisation’s digital footprint with all associated components, including mobile, cloud and social media
• Have the appropriate expertise and experience to independently verify the effectiveness of all elements of the organisation’s digital strategy, including the risk management framework

Continuous risk assessment
• Communicate with management to address concerns over the implications of conducting continuous risk assessment to identify emerging technology risks to the firm;
• Engage and collaborate with the 1st and 2nd lines of defence so that there are clear roles and responsibilities, along with information sharing, between the 3 lines of defence
Other areas of focus in 2016: Accounting and Tax

Topic / Internal Audit (IA) Considerations

Tax risk assessment
• IA can challenge whether the firm:
  - manages tax risk (including transfer tax) to avoid taxation penalties and damage to its reputation;
  - complies with tax legislation by jurisdiction; and
  - is appropriately transparent and accurate in financial reporting disclosures and reporting.

COSO 2013 framework
• IA can examine the risk assessment and scoping process for key financial reporting processes against:
  - the COSO 2013 framework;
  - recent trends in regulatory comment letters; and
  - industry best practices.
• IA can apply the lessons learned from the COSO 2013 framework to other areas such as operational risk and conduct risk.
Recent Deloitte publications

For additional publications of current relevance for Internal Audit, visit http://www.deloitte.com/uk/internalaudit

Contact

Chris Mayo, [email protected], +44 20 7007 9076

Important notice

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
© 2015 Deloitte LLP. All rights reserved.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.