Credit Union User Group Portlaoise Heritage Hotel 13 February 2013

ViClarity User Group February 14


Introductions

o Finbarr McCarthy – Independent Consultant

o Ogie Sheehy – Founder / CEO of ViClarity

o Paul Griffin – Commercial Director

o Tom Faraday – Business Development Manager

o Tracy Fitzgerald – Marketing & Product Specialist


Agenda

10.00 – Introduction
10.10 – “The relationship between Risk, Governance and Audit” Finbarr McCarthy
10.30 – Workshop – Focus Groups
11.45 – Tea/Coffee
12.00 – System Training
12.30 – General discussion
12.55 – Close
1.00 – Lunch


FINBARR MCCARTHY

Risk, Governance & Audit

The relationship


Overview

Steps

1. What risks do you have in your credit union?
   1. Identify them
   2. Record what you are doing
   3. Is it enough?
2. Are the board satisfied?
   Y: You are ready to monitor
   N: You need to improve what you are doing
   Y completed = you are ready to monitor
3. Step 3
   1. Monitor
   2. Review
   3. Improve


Risk Identification

What risks are you exposed to?
o Outline actual risks: “There is a risk that …….”
   o The lending policy is out of date
   o Unauthorised people can approve a loan

Take care
o Be systematic & use external research
o Otherwise you may miss things


Control Documentation

Risk: Lending policy is out of date
   What is done: Annual review
   Assigned to: Manager
   Monitored by: Credit Committee
   Evidence: Policy register

Risk: Unauthorised person approving loan
   What is done: User rights defined (only loan officer can approve loan); Password protected
   Assigned to: Manager or IT person
   Monitored by: Credit Committee; Technology committee
   Evidence: Job description; System specification; Log of password changes


Are you doing enough?

Rate what you are doing

Effective?
o Is it done every year?
o How are changes in regulation/legislation linked?
o How is it evidenced & stored?

Gaps?
o Regulations not identified quickly enough
o Evidence is weak

Recommendations?
o Annual Calendar
o Monthly practice checking for legislative/regulatory changes
o Stored electronically in pdf format


Unauthorised Access

Rate what you are doing

Effective?
o Is the system tested so that user privileges are documented and tested?
o Are passwords strong enough?
   o At least 6 characters long
   o Mixture of letters, numbers, special characters
   o Changed every 90 days

Gaps?
o Passwords are not strong enough
o Passwords don’t change frequently enough

Recommendations?
o Increase password strength and change every 90 days


Risk Register

Residual risk within board appetite for risk?
Are the board satisfied with current practices?
o Y: Risk within tolerance – ViClarity & control questions
o N: Risk Mitigation Programme – when completed then needs to be monitored


RMP

Risk: Lending policy is out of date
   Issue: Not checking and updating policy between annual reviews
   Outcome Sought: Formal process to keep policy current
   Actions: Develop, approve and implement process
   Deadline: June 30th 2014


Governance & RMO

Within Tolerance
o Monitor adherence to controls
o ViClarity

Outside Tolerance
o Monitor progress of RMP
o Outside ViClarity
o Similar to managing implementation of Strategic Plan


Audit

Compliance / Effectiveness

Internal Audit review practice and make findings.
If within tolerance:
o Yes: Continue monitoring (ViClarity)
o No: RMP

Are staff/volunteers following the practice?
o Yes: Continue monitoring (ViClarity)
o No: Review assessment & if inside tolerance: Yes – ViClarity; No – RMP


Review

RMO
o Identify, document and assess what is currently done in the CU to manage specific risks

Board/Risk Committee
o Set tolerance/appetite for risk

RMO
o If controls are ok with respect to tolerance then monitor
o If controls are not ok then must be improved (RMP)

Audit
o Review compliance/effectiveness & make recommendations
o RMO with management create RMP if required


Focus Group Breakout


Focus Group Objectives

1. Review of Controls for Deletions
2. Review of Controls for Additions
3. Sub Levels of Verification


Tea & Coffee Break


System training

1. Adding/Editing Controls
2. Interpretation of data
3. How to create reports


www.viclarity.com

Thank You


Lunch