
INTERNAL AUDIT: CBA Retail Broker Audit - FY 17

BUSINESS UNIT: Retail Banking Services DIVISION: Home Buying

ACCOUNTABLE EXECUTIVE: Dan Huggins, EGM Home Buying

DATE: 05 September 2017

Refer to Appendix A for guidance on audit issue rating criteria.

Risk exposure due to the lack of management's oversight on Aggregators, and of Aggregators' oversight on Brokers, has not been assessed by Home Buying

The Third Party Banking team (TPB) has not confirmed whether Aggregators are meeting their responsibilities under the individual aggregator agreements. TPB did not exercise its right to audit until recently.

Management do not have mechanisms in place to confirm that key tasks are being complied with as required by Bank standards; reliance is placed on Third Parties to complete these tasks on the Bank's behalf. Further, management have not assessed whether Aggregators' existing compliance programs are designed effectively enough to provide a sufficient level of assurance.

A. Limited mechanism to confirm if the original customer identification information was sighted by third parties

We found the following instances:

• Borrower, Broker and Security Property are in different states at the time of application - 1361 instances

• Borrower and Broker are in different countries at the time of application - 332 instances

• Borrower and Broker are in different states at the time of application - 2758 instances

Confidential - This report should not be distributed without the permission of Group Audit & Assurance

Inability to prevent or detect non-compliance with key regulatory and other requirements by the Head Group

CBA.0508.0001.0001

Group Audit & Assurance FINAL Issues Log

Commonwealth Bank

Action Name: Enhancement of the documentation of issue and actions for broker KYC process

Action Description:

1. Update existing issue raised on KYC (IS-055195) to incorporate the investigation of the figures from Audit relating to reliance on third parties for customer identification and, if needed, amend the process

Action Owner: Simon Kwan

Action Due Date: 30 September 2017

Action Name: Broker Head Groups to be reviewed as part of Financial Crime Compliance (FCC) program

Action Description:

1. Integrate audit findings into the FCC Program including EDD, ABC & Sanction Screening on the Broker Head Groups

Page 1 of 28


Management currently do not have a mechanism to confirm whether, in the above instances, a face-to-face meeting was conducted with the customer and the broker sighted the original documents.

Following PwC's concern on the Customer Identification process raised in the Internal Controls Report last year, management have raised a self-identified issue with an action to obtain customer identification documents from the broker in all instances. This process was rolled out on 1 August 2017 but does not completely address whether a face-to-face meeting was conducted or original customer identification documents were sighted.

B. Broker discussions with customers on product suitability are not validated by RBS to confirm the product meets the customers' intended purpose and desired customer outcome.

Management relies on brokers to confirm that the product offered to the customer was not unsuitable at the time of application and for in-life changes. Whilst brokers may complete a fact find or customer needs analysis to identify customer needs, management do not obtain this document in order to confirm that the product being taken by the customer both meets the customer's needs and satisfies the intended loan purpose.

Our analysis found indications that 75% of broker-introduced loans reflected living expenses below the Household Expenditure Measure (HEM). In such cases, whilst HEM is used to credit assess the application, this may indicate that brokers are not capturing all customer living expenses.

The implementation of the signed written assessment will address this finding. This issue has already been self-identified by management across all Home Loan Products (refer to IS-053235).


Action Owner: Caleb Reeves

Action Due Date: 31 December 2017

Action Name: Enhancement to the documentation of Written Assessment Report issue and actions

Action Description:

Update existing issue raised (IS-053235) to investigate requirements relating to credit assistance providers in RG 209 for preliminary assessment for home loan switches.

Action Owner: Thalia Smith

Action Due Date: 30 September 2017

Action Name: Review of ongoing broker compliance with AML/CTF requirements

Action Description:

1. Investigate and establish an ongoing monitoring mechanism with MFAA / FBAA for broker compliance with AML/CTF requirements

Action Owner: Bill Kantares

Action Due Date: 30 June 2018


For in-life changes, the responsible lending obligations require a credit assistance provider to make a preliminary assessment that the credit contract is 'not unsuitable' before suggesting that the consumer remain in an existing credit contract. When we requested that aggregators provide the preliminary assessments done on a sample of consumer product switches, aggregators had diverse views on whether preliminary assessments are required as part of in-life changes. In the absence of an industry position, and of a CBA internal position on the requirement to obtain evidence of whether preliminary assessments were completed, there is a risk that brokers may not be performing adequate assessments for a number of customers who switch their loans (Principal and Interest to Interest Only, Fixed to Variable, etc.) within a short period of funding.

Management is enhancing the current process to demonstrate adherence to responsible lending obligations. Further, switching controls have also been implemented since our audit of Interest Only home loans.

Whilst these demonstrate management's focus on customer outcomes throughout the portfolio, Internal Audit have not reviewed the above actions as part of this audit.

C. Management have not complied with all the requirements stipulated by Internal Group policies

• Employee Due Diligence of the Third Party - Section 5.6 of the Economic and Trade Sanctions Group Standard requires that each Group entity must ensure screening is performed prior to entering into any legally binding arrangement supporting a Third Party Relationship. Further, Section 5.7.1 of the Anti-Bribery and Corruption Standard requires that due diligence must be conducted as part of the on-boarding process prior to entering a legally binding arrangement with the third party. Whilst management have conducted due diligence on all 29 Aggregators, management have not complied with these requirements where CBA has intermediary agreements with ACL holders who are not Aggregators. While 3 deeds were entered into with ACL holders, i.e.


Action Name: TPB to review Group Policies (The Management of Third Party Channels and Originating credit through third parties)

Action Description:

1. Review of Group Policy on the Management of Third Party Channels specifically relating to Material Dealer Group and Whistle-blower requirements. For any gaps identified, implement actions to address any gaps and present actions completed to the Broker Governance Forum.

2. Review of Group Credit Manual - Originating credit through third parties. For any gaps identified, implement actions to address any gaps and present actions completed to the Broker Governance Forum.

Action Owner: Bill Kantares

Action Due Date: 30 March 2018

Action Name: TPB to review monitoring over ACL Holders.

Action Description:

1. TPB to first review and validate the findings from the audits of the aggregators that are currently being undertaken by Ernst & Young including the findings from this audit.


there are two ACL licence holder intermediary relationships, i.e. [redacted], where there is non-compliance with EDD requirements. (As [redacted] have recently merged their ACL and Aggregator relationship into one company, they are no longer in breach of the EDD requirement.) Further, management should also review the ACL licence holder intermediary relationships in the current environment to determine whether this formal third party [redacted] required, i.e. the deeds entered with ACL holders, i.e. [redacted].

• Employee Due Diligence Program of the Aggregators/Sub Aggregators - Section 1.4 of the Group Joint Anti-Money Laundering & Counter-Terrorism Financing Program Part A (Part A) requires third parties to comply with the Group's requirements in relation to employee due diligence and training. Section 5.2 states that 'where a Business Unit uses a third party that is involved in customer identification processes or in the provision of designated services the Business Unit must be satisfied that the third party has an employee due diligence program that is equivalent with the employee due diligence measures set out in the Financial Crime Employee Due Diligence Group Standard'. Management are not aware whether all 29 Aggregators have an EDD program. Further, management have not assessed whether Aggregators' EDD programs are in line with CBA's Standard as required by Section 5.2. Considering our contract is with Aggregators, not the brokers, and 50% of the broker industry uses Aggregators' ACL to perform the designated service, management have not explicitly or implicitly required Head Groups (HD) to have an EDD program, nor implemented a mechanism to ensure that the EDD program is aligned to CBA's standard.


2. TPB to review monitoring over ACL holders approach and determine a proposal to address this risk.

Action Owner: Bill Kantares

Action Due Date: 30 June 2018


Management stated that they acted on advice provided by the AML team at the time, i.e. that the Aggregators' EDD programs were not required to be reviewed by CBA.

• AML/CTF Training Program - Section 4 requires third parties including brokers to complete AML training within 4 weeks of being accredited and every 2 years thereafter. A key requirement of the accreditation process is to on-board brokers accredited by the national industry bodies MFAA or FBAA, because reliance is placed on MFAA or FBAA to carry out some of the required due diligence, including AML training. While processes and checks are in place to confirm brokers are a member of MFAA or FBAA when on-boarding a new broker, there are no ongoing checks in place to confirm brokers continue to be active members. As a result, the ongoing AML training requirement is not satisfied.

• Review of Material Dealer Group - The following requirements of the Third Party Banking Group Policy have not been complied with by the business:

o Appendix A requires regular review of material dealer groups (i.e. deep dives; changes in patterns of the business; external events).

o Section 6.22 requires that the business have a process in place to advise Third Party providers that the Group Whistleblower Protection Policy provides an avenue for the head group and their employees to report suspected fraud or unethical behaviour by Group staff.

o Section 6.5 requires the contract with the third party to include a right to conduct due diligence on the third party's third party. However, these rights have not been explicitly or implicitly included in the Aggregators' agreements. Given the complex business models these Aggregators may have, it is critical to include a Right to Audit clause in the Aggregators' Agreement. For example, Aggregator [redacted] has outsourced their compliance function to [redacted], and another Aggregator is a Credit Representative of BLSSA, who is the ACL Holder.


• Complaints Management and Financial Risk Review - The following requirements of the Originate Credit Through Third Party Group Policy have not been complied with by the business

o Section 35 requires the business to monitor the level and nature of complaints made by customers against head groups and investigate any patterns that emerge.

o Section 37 requires the business to conduct a risk review of the head group's financial position where there are concerns. However, because Section 35 has not been actioned, the business is unable to determine whether there is a need to assess a head group's financial position.

D. No mechanism or Service Level Agreements in place to confirm adherence to requirements outlined in the Head Group or Aggregator Agreements

Aggregators either have direct credit representatives (CRs) under them, or ACL Holders (licensed by ASIC to undertake credit activities) who have their own network of CRs, employees and directors. From our initial visits as well as our analysis, we found that more than 50% of the Aggregators' broker network comprises ACL Holders.

Aggregators do not as a rule audit or have any compliance monitoring over the ACL Holders, because the ACL Holders have to comply with the ASIC licensing requirements in their own right. However, according to the Head Group Agreement, an Originator Associate is any third party who submits Applications through the Originator and any employee, agent, sub-aggregator, broker or contractor of that third party.

While some aggregators have commenced these audits, at the behest of ASIC/APRA who are requiring heightened vigilance and monitoring in the broker industry, these are in very early stages and do not provide any assurance on ACL credit activities and processes to the aggregators or the Bank.


While we acknowledge that this is an industry-wide problem, and CBA/Bankwest are aware of the gap, it leaves the Group vulnerable to actions of ACL Holders that might result in obligations in relation to the application not being met.

Given the significance of deals originated through ACL Holders, management needs to assess the risk exposure and/or formally accept the risk until remedial action is taken.


Gaps in the monitoring process to prevent or detect adverse or dishonest broker behaviour have not been addressed

Third Party Banking (TPB) currently have 29 head groups with almost 13,000 active brokers submitting over 12,000 loan applications per month. Management do not have mechanisms and tools to proactively identify broker behaviours. This was also highlighted by Line 2 as a high issue on "gaps exist across Broker Governance activities" in April 2016. Management are aware of the gap and are developing a Broker and Head Group assurance framework including consequence management.

A. The following issues found by audit support management's concerns across the broker governance process

• The current process over broker monitoring and investigation is managed and executed by one FTE (the TPB governance manager). As a high degree of judgement is involved, there are only limited or basic Standard Operating Procedures for a process that handles individual incidents case by case. Each incident requires a high degree of judgement, understanding of key business processes, systems, controls and relationships with brokers. For example, this was evident in December 2016 when the Manager Governance was absent for 2 months. Whilst there were no incidents warranting urgent investigation during this period, monitoring was limited to Fraud Reports and media releases. No monitoring was performed on arrears, the broker watch list and other investigations that would normally be performed by the TPB governance manager.


Fraudulent or dishonest brokers selling CBA products to customer

Inability to prevent or detect non-compliance with key requirements in a timely manner


Action Name: Enhance documentation of existing issue and actions

Action Description: Update current issue IS-051070 to reflect activities currently being undertaken by the business that are also in line with Audit findings, including:

1. Scope of coverage of Broker Head Group Assurance Program

2. Scope of Home Buying Monitoring and Supervision Framework

3. Embed a formal Watch list process with Line 2

4. Management will risk assess the copy of the results analytics (Appendix - I)

5. Integrate into assurance

Action Owner: Thalia Smith

Action Due Date: 30 September 2017

• Once triggered, the investigation process involves a number of manual information gathering activities to reasonably confirm a broker's behaviour or involvement in order to determine a course of action, e.g. terminate, suspend or add to the watch list. The nature of the investigative activities required to obtain a conclusive position (which often includes external enquiries with Head Groups, the Sales Team and the broker's employers) is time consuming and does not provide for a timely response or the ability to cope with a high volume of investigations.

• Due to a lack of data analytics support and resources covering a number of key internal and regulatory requirements, the current broker monitoring and the triggers used to identify, prevent or detect adverse behaviours are insufficient and limited to the reports and intelligence management receives.

• Existing triggers are not effective in monitoring adverse behaviours. The scenarios are insufficient to cover concentration risk by location, type of loans, and regulatory requirements. Further, monitoring and investigation of a broker only occurs when a trigger is initiated, making this process mostly reactive. Current triggers include brokers listed on the Fraud Report, CIT Report, High Arrears, ASIC Notices, Media Releases and industry intelligence.

• Limited ability to review patterns in broker behaviours over time. For example, there is no capability to follow individual brokers or groups of brokers that are repeatedly submitting applications containing lower Monthly Living Expenses (MLE) over time, or that have a history of refinancing loans with other financial institutions to recycle commissions (repeat offenders).

• Risk appetites against Key Risk Indicators have not been defined and set to monitor KRIs against the total portfolio, aggregators and/or broker portfolios. For example, management stated the current measure for reporting the MLE KRI is 4.3%; it is unknown whether this is within tolerance or not. Further, it is unclear for Interest Only loans what would be an acceptable portfolio appetite (%) for an Aggregator or broker submitting a majority of interest only home loans.

Action Name: Define accountabilities of Cross BU broker listing

Action Description: Group Operational Risk and Compliance to transition the GTPF function to an appropriate home, including control enhancements to the governance of the Cross BU Register.

Action Due Date: 31 October 2017

Action Owner: James Rushton

Action Name: Enhancement of the XBU register after transition

Action Description : Enhancement to the governance of the Cross BU Register will make sure the register is accurate, complete and valid and there are sufficient controls to confirm on-going compliance

Action Owner: James Rushton

Action Due Date: 31 December, 2017


• As part of the existing management issue into Monitoring & Oversight, qualitative overlays are being built into the framework to complement analytical data, for example, mystery shopping, outcomes testing, file reviews.

B. Additional gaps highlighted through audit work and the dashboard are below

• Whilst controls are in place to confirm that all terminated brokers have been processed and updated accurately in MyAdvisor and the Cross BU Register, we found 4 brokers terminated in MyAdvisor but not recorded in the Cross BU Register. Similar instances where improvement is required, including capturing evidence when the terminated broker has been recorded on the Cross BU Register, were identified by Line 1 Risk testing for the July period.

For detailed analysis and management response, refer to Appendix - II

• MyAdvisor is used in Third Party Banking (TPB) to support the set-up process and to terminate or resign brokers. From TPB's perspective the Cross BU Register is the single source of truth and should contain all adverse third parties. New brokers are checked against the Cross BU Register to confirm no adverse brokers are on-boarded, and existing active brokers that have been terminated by other teams are acted upon by TPB. We found 1 instance where the Bankwest team did not inform CBA of a terminated broker, exposing CBA to compliance and financial risk. Management have taken an action to investigate this broker.

• The Cross BU Register is a Group-wide database which is a key element of the Group Third Party Framework (GTPF), underpinned by the Group Policy for the Management of Third Party Channels. Since its inception, caretaker responsibilities for the Cross BU Register administration have been assumed by CFS Wealth Risk Management and, to a lesser extent, Third Party Banking. Maintenance and update of the Cross BU Register has been discretionary and not supported by funding a dedicated resource. Since its implementation, despite efforts to enhance the Cross BU Register by improving data hygiene, timeliness, validity, accuracy and completeness of information, and end-to-end governance (including data loss and privacy considerations), it remains a key vulnerability. The action to manage the Cross BU Register adequately has been taken by Group Operational Risk and Compliance, who own the register.

• The Broker Watchlist is a register to monitor broker behaviour over time where there is inconclusive evidence of a broker's involvement in any breach at a point in time. Once a broker is added to the Watchlist, the list is sent to CS&M monthly to perform loan file reviews on these brokers. The following gaps have been identified:

a. Not all brokers on the watch list are selected for audit file review by CS&M, even when loan applications are submitted by these brokers. The CS&M audit file review involves randomly selecting loan application files based on a scorecard, so not all brokers on the watch list who have submitted loans are reviewed. Random sampling is not adequate, as it may leave known suspicious brokers submitting loans without timely investigation to determine whether to terminate the broker relationship or remove the broker from the watch list.

b. The Third Party Governance team monitors and maintains the watch list and plays an important role in actively working with CS&M to confirm that there are no adverse brokers. However, at the time of our review, the watch list containing 75 brokers showed a number of brokers remaining on the list for a long period of time without appropriate review or a decision being made. The following were observed:

i. 12 brokers have been listed since 2015 and 2016, and some loan applications have been submitted with no review performed.

ii. 14 brokers dating back to 2014, 2015 and 2016 have not submitted any loan applications since, and no actions or decisions have been made.


Audit has performed analysis to identify broker behaviour based on the flags & triggers built in the Broker Dashboard. Data analysis has indicated some adverse broker behaviour which require further investigation.

Please refer to Appendix - I


Payment controls are not designed effectively to confirm payment accuracy

Our review of the process over payments and management reporting found gaps across the payments value chain.

A. Limited mechanisms to confirm accuracy and completeness of commissions

There are limited ongoing mechanisms to confirm that:

• data from Group Data Warehouse (GDW) and product systems such as SAP and HLS is validated before input into SAP ICM (commission calculation system). ICM is the new commission system, replacing CCS (old system). Whilst the system has been in operation for 2 years, ICM calculations are dependent on the accuracy of the GDW data provided to drive calculations. There is a risk that changes made to GDW can impact the accuracy of the data inputs and hence the commission amounts. This occurred on VLOCs (existing self-identified issue) due to an upgrade in GDW in August 2016.

• duplicate commission payments are not made. We identified and confirmed with management 5 instances where duplicate payments of the same amount were made in the last 2 years. Management implemented a manual control to detect duplicate payments in March 2017. Although we have not tested the control, we found no further duplicate payments between March 2017 and June 2017, which would indicate the control is effective.

B. Control gaps in Broker Head Group Bank Account Set up and changes

• The TPB Accreditation team manager and team leader initiate, approve and perform checks on bank account set up, and the same team manager checks commission payments. There are no system enforced controls to segregate duties. This offers a straight through opportunity for staff in these roles to:

a. manipulate bank account details by sending a request to set up or change a bank account via email

b. create fraudulent source documents

c. approve set up and changes to bank accounts

d. reconcile payments

Financial Loss and Brand Damage if commissions to third parties are not in line with agreements

Significant financial loss and reputational damage if weaknesses in internal processes are exploited

Action Name: Enhance documentation of issue and actions and review fraud environment for commissions.

Action Description:

1. Update current issue IS-059621 to reflect activities currently being undertaken by the business that are also in line with Audit findings including:

• Scope of coverage

• Objectives

• Testing of new duplicate payments control

• Implement reporting on commission payments (forecast vs actuals)

2. Commission payments to be assessed as part of Home Buying Fraud risk bowtie.

Action Owner: Thalia Smith

Action Due Date: 31 December 2017

Action Name: Engage Group Accounting to identify the correct treatment of all payments made to brokers

During our walkthroughs we also identified similar manual processes in the BTS Admin CommInsure team, for example:

a. The BTS Admin team manager can add and change bank account details and is also the reviewer. This is compounded further by an unlimited payment amount in RPAY and the Excel-based editable report from RPAY that is used to check and approve bank account changes.

b. There are currently 3 team managers with edit access (i.e. the ability to set up and change bank account details).

c. The procedure document on bank account set up and changes does not stipulate the requirement to check against source documents and confirm that the authority is within the Home Buying delegation matrix.

The Home Buying team has no formal arrangement stating the expectations of the BTS team to confirm the accuracy and timeliness of the requests completed.

Management should consider engaging Fraud Risk & Advisory to perform an end to end fraud risk and controls assessment.

• The table below provides a summary of the key process and control points over bank account set up and change and the manual commission adjustment payment process:

Bank Account Process

Role          Bank A/C Set Up                        Bank A/C Changes
              Initiate Request   Approve Changes     Initiate Request   Approve Changes
Team Mgr      ✓                  ✓                   Can*               ✓
Team Leader   ✓                  ✓                   Can*               ✓

* BAU process is for a team member to perform this task, but the team manager and team leader can initiate the request. There is no mandate or system enforced controls to segregate duties.

Action Description: Obtaining accounting treatment and rationale for the current accounting treatment

Action Owner: Tali Holtzman

Action Due Date: 31 October 2017

Action Name: Update Home Buying Delegation Matrix

Action Description:

The Home Buying delegations matrix to be updated to include individual adjustment clarification for commission payments.

Action Owner: Bill Kantares

Action Due Date: 31 December 2017

C. Control gaps in VLOC payment and reconciliation process

• In particular, the current VLOC manual payment adjustment process allows the team manager to complete an end to end payment process, from setting up a bank account, to approving payments and completing payment reconciliation.

Role          Manual Commission Adj. BAU Process     VLOC process
              Send file to BTS   Check Pay run       Send file to BTS   Check Pay run
Team Mgr      Can**              ✓                   ✓                  ✓
Team Leader   ✓                  ✗                   ✗                  ✗

** BAU process is for a team leader to perform this task; however, the team manager can also do this. In this case the team leader will check the pay run.

D. Non-compliance with Home Buying Third Party Broker Delegation Matrix (The Matrix)

The in-house Home Buying Delegation matrix is unclear on whether the delegation of approving at the defined threshold applies to the accumulated payment run or to an individual payment. Based on previous delegations that have existed, TPB is interpreting the threshold at an individual payment level. For example, the Accreditation team manager has been approving payments totalling 11k (consisting of multiple individual adjustments) for VLOC and totalling 30Mil (consisting of multiple individual payments) for all other product commissions in a payment run.

Whilst the Matrix stipulates a commission adjustments threshold of $10k for the Accreditation Team Manager, the Group Payment Standard stipulates that two people should authorise payments over $100k.
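As an added illustration that is not CBA's code or process, the checks below run the segregation of duties points from B and C and the delegation points from D over constructed bank account change and payment run records. The $10k and $100k thresholds are the ones stated above; the staff ids, record layout and finding names are assumptions made for the example.

```python
"""Control checks over a commission payment run: segregation of duties and
delegation thresholds. Added example, not CBA's code. Thresholds are the
report's ($10k matrix limit per commission adjustment for the Accreditation
Team Manager; dual authorisation over $100k under the Group Payment
Standard). Staff ids and record layouts are constructed for this example."""
from dataclasses import dataclass

MATRIX_ADJUSTMENT_LIMIT = 10_000   # $10k, Home Buying delegation matrix
DUAL_AUTH_THRESHOLD = 100_000      # $100k, Group Payment Standard


@dataclass(frozen=True)
class AccountChange:
    payee: str             # broker head group bank account being set up/changed
    initiated_by: str
    approved_by: str


@dataclass(frozen=True)
class Payment:
    payee: str
    amount: float
    reconciled_by: str


@dataclass(frozen=True)
class PaymentRun:
    payments: tuple        # Payment records in this fortnightly run
    authorised_by: tuple   # staff ids who authorised the run


def sod_findings(changes, run):
    """Flag where one person holds more than one step of the chain:
    set up / change bank account -> authorise payment -> reconcile."""
    findings = []
    changers = {}
    for c in changes:
        if c.initiated_by == c.approved_by:
            findings.append(("SELF_APPROVED_ACCOUNT_CHANGE", c.payee, c.initiated_by))
        changers.setdefault(c.payee, set()).update({c.initiated_by, c.approved_by})
    for p in run.payments:
        # anyone who touched the payee's bank details and also authorised or
        # reconciled a payment to that payee controls the process end to end
        downstream = set(run.authorised_by) | {p.reconciled_by}
        for who in sorted(changers.get(p.payee, set()) & downstream):
            findings.append(("END_TO_END_CONTROL_OF_PAYEE", p.payee, who))
        if p.reconciled_by in run.authorised_by:
            findings.append(("AUTHORISER_RECONCILES_OWN_RUN", p.payee, p.reconciled_by))
    return findings


def delegation_findings(run, threshold_applies_to_run):
    """Evaluate the $10k matrix limit under either reading of The Matrix
    (per run or per individual payment) and the dual-authorisation rule of
    the Group Payment Standard on the run total."""
    findings = []
    total = sum(p.amount for p in run.payments)
    if threshold_applies_to_run:
        if total > MATRIX_ADJUSTMENT_LIMIT:
            findings.append(("RUN_EXCEEDS_MATRIX_LIMIT", total))
    else:
        for p in run.payments:
            if p.amount > MATRIX_ADJUSTMENT_LIMIT:
                findings.append(("PAYMENT_EXCEEDS_MATRIX_LIMIT", p.amount))
    if total > DUAL_AUTH_THRESHOLD and len(set(run.authorised_by)) < 2:
        findings.append(("DUAL_AUTHORISATION_MISSING", total))
    return findings


# Constructed sample: team manager TM1 changes an account he approves himself,
# authorises the run alone and reconciles one payment; every adjustment is
# under $10k, but the run as a whole is not.
CHANGES = (
    AccountChange("HG-001", initiated_by="TM1", approved_by="TM1"),
    AccountChange("HG-002", initiated_by="TL1", approved_by="TM1"),
)
RUN = PaymentRun(
    payments=(
        Payment("HG-001", 9_500.0, reconciled_by="TM1"),
        Payment("HG-002", 8_000.0, reconciled_by="TL1"),
    ) + tuple(Payment(f"HG-{i:03d}", 9_500.0, reconciled_by="TL1") for i in range(3, 15)),
    authorised_by=("TM1",),
)

if __name__ == "__main__":
    for f in sod_findings(CHANGES, RUN):
        print("SoD:", f)
    for per_run in (False, True):
        print("matrix read per run" if per_run else "matrix read per payment",
              delegation_findings(RUN, per_run))
```

Under the per-payment reading the run passes the Matrix and only the missing second authoriser is flagged; under the per-run reading the same run also breaches the $10k limit.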

E. Design ineffectiveness of Line 1 test plan to mitigate fraud risk

The total upfront and trail commissions amount to approximately $30M per payment run. With the processes and controls to manage bank account changes and commission payments shared across two teams, Line 1 assurance testing over payments has not been designed to address fraud risks.

F. No management reporting on Commissions

There is no management reporting or reconciliation to monitor or confirm whether fortnightly commission payments are in line with management expectations. Management stated that, as the amount is contingent on home loan settlements, it is not monitored. We believe management should monitor this, as each fortnightly payment run is around $30M, a significant amount over a year. Also, our understanding is that commissions are netted against a contra-revenue account, therefore it may be harder to detect internal fraud, if any.

G. No evidence to confirm that current accounting treatment is in line with Accounting Standards

The current treatment of the Relationship Development Scheme (RDS) can lead to overstated revenue, as the payment is amortised through a contra-revenue account for the expected life of a loan (6 years). We cannot obtain the evidence of approval and the justification to account for RDS payments under this method.

Management have an existing Low-rated issue (IS-059621) on "lack of governance and ongoing assurance over the Broker Commissions Model". This issue was raised in Oct 2016.


APPENDIX - I

Test: Low income and net monthly surplus of $100 or less
Risk Implication: Manipulating Loan Serviceability requirements to obtain approval for customer's application
Instances: 1,324
Data Investigations & Actions:
- There are 1,324 applications with a low income and net monthly surplus of $100 or less and commitment level greater than 40%
- Management will risk assess the results of analytics and will integrate into assurance activities

Test: Monthly Living Expenses (MLE) less than Household Expenditure Measure (HEM)
Risk Implication: Manipulating Loan Serviceability requirements to obtain approval for customer's application
Instances: 191,534
Data Investigations & Actions:
- There are 191,534 approved loans with monthly living expenses (MLE) equal to or less than HEM
- From our testing, on average, declared MLE is only 75% of the Group's HEM. This may indicate the customers and brokers are not truly reflecting the customers' MLE (understating expenses)
- Management will risk assess the results of analytics and will integrate into assurance activities


Test: Switched Investor Home Loans to Owner Occupied Home Loans immediately after funding
Risk Implication: Manipulating Loan Serviceability requirements to obtain approval for customer's application by using rent as a source to gain a larger loan, or to get approval in the first instance and then switching to Owner Occupied
Instances: 305
Data Investigations & Actions:
- Proposed rental income used for serviceability and switched to owner occupied within a short period of time, across <30, 31-90 and 91-120 days
- There are 305 instances of accounts switching from INV to OO within a short period
- 2 out of 12 instances whereby evidence of rental income, i.e. a rental appraisal, was not evidenced
- The earliest switch was completed 12 days after the funding date. On average, customers switched after 56 days; and
- For all customers switching from INV to OO, their serviceability surplus was not sufficient to cover the loss in proposed rental income. This means that if they had not had the proposed rental income in the original application, they may not have passed serviceability.
- Management will risk assess the results of analytics and will integrate into assurance activities

Test: Declined by one broker and accepted by another broker
Risk Implication: Manipulating or falsifying documents to obtain approval for customer's loan application
Instances: 4
Data Investigations & Actions:
- 4 out of the 8 accounts used the same security in their Application 1 and Application 2
- Reasons for decline range from high risk category 5 and poor credit history to fully relying on gifted funds etc.
- 1 case whereby both applications were submitted by the same broker (Scott Minto, who moved from Connective to Vow)
- Management will risk assess the results of analytics and will integrate into assurance activities

Test: Declined by one CSA/branch and accepted by another broker
Risk Implication: Training/Education Issue
Instances: 83
Data Investigations & Actions:
- 83 instances of loan applications declined by a CBA branch/store and accepted by a broker within a 6 month window
- Management will risk assess the results of analytics and will integrate into assurance activities


Test: Borrower, Broker and Property are all from different states at time of application
Risk Implication: Broker may not comply with AML requirements & Bank's internal policies for AML
Instances: 1,361
Data Investigations & Actions: As per the Actions in Issue 1, management will update the existing issue raised on KYC (IS-055195) to incorporate the investigation of the figures from Audit relating to reliance on third parties for customer identification and, if needed, amend the process

Test: Borrower and Broker are in different countries at time of application
Risk Implication: Broker may not comply with AML requirements & Bank's internal policies for AML
Instances: 332
Data Investigations & Actions: As per the Actions in Issue 1 (KYC issue IS-055195), as above

Test: Borrower and Broker are from different states at time of application
Risk Implication: Broker may not comply with AML requirements & Bank's internal policies for AML
Instances: 2,758
Data Investigations & Actions: As per the Actions in Issue 1 (KYC issue IS-055195), as above

Test: Commission payment made to broker before funding
Risk Implication: Financial Loss
Instances: 0
Data Investigations & Actions: No management actions required

Test: Monthly Living Expenses less than $500
Risk Implication: Manipulating Loan Serviceability requirements to obtain approval for customer's application
Instances: 718
Data Investigations & Actions:
- Management will risk assess the results of analytics and will integrate into assurance activities

Test: Funded applications with overseas customers
Risk Implication: Broker may not comply with AML requirements & Bank's internal policies for AML
Instances: 332
Data Investigations & Actions: As per the Actions in Issue 1, management will update the existing issue raised on KYC (IS-055195) to incorporate the investigation of the figures from Audit relating to reliance on third parties for customer identification and, if needed, amend the process

Test: Number of loan accounts with 30 days in arrears. Loan was approved within the last 2 years. In these 2 years a customer was in arrears for 30 days consecutively
Risk Implication: Broker has not acted in the best interest of the customer and is in breach of responsible lending requirements
Instances: 281
Data Investigations & Actions:
- Internal Audit to relay exceptions to Business to validate (281 exceptions)
- Need OSCA access to check past arrears
- Management will risk assess the results of analytics and will integrate into assurance activities


Test: Number of loan accounts with 90 days in arrears. Loan was approved within the last 2 years. In these 2 years a customer was in arrears for 90 days consecutively
Risk Implication: Broker has not acted in the best interest of the customer and is in breach of responsible lending requirements
Instances: 98
Data Investigations & Actions:
- Internal Audit to relay exceptions to Business to validate (98 exceptions)
- Need OSCA access to check past arrears
- Management will risk assess the results of analytics and will integrate into assurance activities

Test: Number of loan accounts with 90 days in arrears and LVR > 90%
Risk Implication: Broker has not acted in the best interest of the customer and is in breach of responsible lending requirements
Data Investigations & Actions:
- Internal Audit to relay exceptions to Business to validate (6 exceptions)
- Need OSCA access to check past arrears
- Management will risk assess the results of analytics and will integrate into assurance activities

Test: Brokers with nearly all applications under HEM
Risk Implication: Pattern of individual brokers potentially incorrectly recording customer expenses
Instances (per broker): 2 applications, 98% under HEM; 34 applications, 93% under HEM; 220 applications, 91% under HEM
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities

Test: Brokers with high ratio of Not Proceeded With (NPW) applications

Test: Brokers with high ratio of applications for risky post codes
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities
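As an added example that is not the Broker Dashboard's own code, the following evaluates the application-level tests listed in Appendix I on the preceding pages (surplus and commitment level, MLE against HEM and against $500, borrower/broker/property locations, INV to OO switch after funding with its rental-income checks, commission before funding) and the broker-level "nearly all applications under HEM" ratio against constructed application records. The thresholds are the ones stated in the tables; the record layout, field names, flag names and sample data are assumptions made for the example.

```python
"""Appendix I style triggers over loan application records. Added example,
not CBA's Broker Dashboard code. Thresholds follow the report ($100 surplus,
40% commitment level, MLE vs HEM, MLE under $500, switch buckets <30, 31-90,
91-120 days); field names, flag names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SURPLUS_LIMIT = 100.0        # net monthly surplus of $100 or less
COMMITMENT_LIMIT = 0.40      # commitment level greater than 40%
MLE_FLOOR = 500.0            # Monthly Living Expenses less than $500
SWITCH_BUCKETS = ((30, "<30"), (90, "31-90"), (120, "91-120"))


@dataclass(frozen=True)
class Application:
    app_id: str
    broker_id: str
    net_monthly_surplus: float       # serviceability surplus after commitments
    commitment_ratio: float          # commitments as a share of income
    mle: float                       # declared Monthly Living Expenses
    hem: float                       # Household Expenditure Measure for the profile
    borrower_state: str
    broker_state: str
    property_state: str
    borrower_country: str
    broker_country: str
    purpose: str                     # "INV" (investor) or "OO" (owner occupied)
    funded_on: Optional[date] = None
    switched_to_oo_on: Optional[date] = None
    proposed_rental_income: float = 0.0   # monthly rent used for serviceability
    rental_income_evidenced: bool = True  # rental appraisal on file
    commission_paid_on: Optional[date] = None


def switch_bucket(days_after_funding):
    """Bucket an INV -> OO switch the way the report groups them; None if later."""
    for limit, label in SWITCH_BUCKETS:
        if days_after_funding <= limit:
            return label
    return None


def triggers(a):
    """Return the set of trigger names a single application raises."""
    flags = set()
    if a.net_monthly_surplus <= SURPLUS_LIMIT and a.commitment_ratio > COMMITMENT_LIMIT:
        flags.add("LOW_SURPLUS_HIGH_COMMITMENT")
    if a.mle <= a.hem:
        flags.add("MLE_AT_OR_BELOW_HEM")
    if a.mle < MLE_FLOOR:
        flags.add("MLE_BELOW_500")
    if a.borrower_state != a.broker_state:
        flags.add("BORROWER_BROKER_DIFFERENT_STATES")
    if len({a.borrower_state, a.broker_state, a.property_state}) == 3:
        flags.add("BORROWER_BROKER_PROPERTY_DIFFERENT_STATES")
    if a.borrower_country != a.broker_country:
        flags.add("BORROWER_BROKER_DIFFERENT_COUNTRIES")
    if a.purpose == "INV" and a.funded_on and a.switched_to_oo_on:
        bucket = switch_bucket((a.switched_to_oo_on - a.funded_on).days)
        if bucket:
            flags.add("INV_TO_OO_SWITCH_" + bucket)
            if not a.rental_income_evidenced:
                flags.add("SWITCH_RENTAL_INCOME_NOT_EVIDENCED")
            # would serviceability have passed without the proposed rent?
            if a.net_monthly_surplus < a.proposed_rental_income:
                flags.add("SWITCH_SURPLUS_BELOW_PROPOSED_RENT")
    if a.commission_paid_on and (a.funded_on is None or a.commission_paid_on < a.funded_on):
        flags.add("COMMISSION_BEFORE_FUNDING")
    return flags


def broker_under_hem_share(apps):
    """Per broker: (number of applications, share with MLE at or below HEM)."""
    counts = {}
    for a in apps:
        n, under = counts.get(a.broker_id, (0, 0))
        counts[a.broker_id] = (n + 1, under + (1 if a.mle <= a.hem else 0))
    return {b: (n, under / n) for b, (n, under) in counts.items()}


# Constructed sample applications (not real customer or broker data).
SAMPLE = (
    Application("A1", "B1", 80.0, 0.45, 1200.0, 1500.0,
                "NSW", "NSW", "NSW", "AU", "AU", "OO", funded_on=date(2017, 3, 1)),
    Application("A2", "B1", 900.0, 0.30, 450.0, 1800.0,
                "VIC", "NSW", "QLD", "AU", "AU", "INV", funded_on=date(2017, 1, 10),
                switched_to_oo_on=date(2017, 3, 7), proposed_rental_income=1500.0,
                rental_income_evidenced=False),
    Application("A3", "B2", 2500.0, 0.25, 2200.0, 2000.0,
                "NSW", "NSW", "NSW", "CN", "AU", "OO", funded_on=date(2017, 5, 1),
                commission_paid_on=date(2017, 4, 20)),
)

if __name__ == "__main__":
    for app in SAMPLE:
        print(app.app_id, sorted(triggers(app)))
    print(broker_under_hem_share(SAMPLE))
```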


Test: Brokers with high ratio of external refinance applications
Instances (per broker): 27 applications, 56% external refinance; 219 applications, 49% external refinance; 63 applications, 48% external refinance
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities

Test: Brokers with high ratio of interest only loans
Instances (per broker): 475 accounts, 92% interest only; 145 accounts, 93% interest only; 707 accounts, 90% interest only
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities

Test: Brokers with high ratio of investment loans
Instances (per broker): 475 accounts, 93% investment
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities

Test: Brokers with high volumes of clawbacks

Test: Brokers with high ratio of PI to IO switches

Test: Brokers with high volumes of interest only, investment with high LVR loans
Instances (per broker): 67 interest only investment accounts with LVR > 90; 55 interest only investment accounts with LVR > 90; 54 interest only investment accounts with LVR > 90
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities


Test: Brokers with high ratio of application rework
Instances (per broker): 105 applications, 43% with considerable rework
Data Investigations & Actions: Management will risk assess the results of analytics and will integrate into assurance activities

Test: Brokers with high volumes of MLE less than 50% of HEM


APPENDIX - II

Termination data flow between source systems and triggers

Source System/Database and Purpose:

- My Advisor: Broker System (where brokers are set up and terminated)

- Cross BU Register: Database that holds all adverse third parties, including BW (e.g. brokers, advisors/financial planners). Used for on-boarding and screening

Checks between the two systems (diagram annotations):

- Monthly check of new additions in Cross BU against My Advisor by Bruce Little

- 15 BW terminated brokers in Cross BU but still CBA active

- 4 red flagged CBA brokers in Cross BU but still CBA active

- 1 terminated broker took 7 days to update

- 4 missing in Cross BU register but terminated in My Advisor

- 1 terminated broker took 11 days to update in My Advisor

- # active brokers active in My Advisor but BW terminated

- At least # BW terminated but missing in Cross BU

Triggers:

- TB Governance (Bruce Little) obtains intel from: Group Security Credit Investigation Team (CIT), CS&M Arrears Report, MLE Report, ASIC Report

- Bank West obtains intel from: Fraud, Aggregator's adverse broker notification, CBA Advice, Arrears Report, ASIC Report


Scenario: 15 BW terminated brokers in Cross BU potentially still CBA MyAdviser active
Examples/explanation:
- [name redacted] terminated by BW in Cross BU Register on the 25th Nov 2009 for brand damage
- [name redacted] terminated by BW in Cross BU Register on the 16th Nov 2016 for fraud
- [name redacted] terminated by BW in Cross BU Register on the 10th Dec 2009 -> still active in MyAdviser
- [name redacted] terminated by BW in Cross BU Register on the 21st Aug 2007 for industry intelligence
- [name redacted] terminated by BW in Cross BU Register on 29th Jan 2015 for brand damage

Scenario: 4 red flagged CBA brokers in Cross BU potentially still CBA My Adviser active - False positive / no issue
Examples/explanation:
- Reactivated on approval 19/02/2014 after suspension
- The broker that is active has a similar name but they are not the same person (different gender, different DOB, etc.)
- Not the same individual. Confirmation received from ASIC that this is not the same applicant listed as banned & disqualified by ASIC.
- Not the same individual. One is from WA and the other from NSW

Scenario: 1 terminated broker took 7 days to update in Cross BU Register by CBA after termination in My Adviser
Examples/explanation:
- [name redacted] added to Cross BU Register 21st June 2016 by CBA -> 7 day gap

Scenario: 9 MyAdviser terminations potentially missing in Cross BU register - 4 appear to be issues
Examples/explanation:
- [name redacted] terminated in My Adviser on 12th May 2009 -> not in Cross BU Register (business unable to locate a termination request. I can see there was a transfer of accreditation from AHL to AFG at the same time. I think GOS may have incorrectly noted this as a termination, instead of resignation.)
- [name redacted] terminated in MyAdviser on 17th June 2016 -> not in Cross BU Register (business unable to locate these on the Cross BU register. They were previously resigned and then updated to a termination, due to advice from Group Security, Credit Investigations Team; these details were already noted in the fraud database.)
- [name redacted] added to Cross BU Register 20th June 2017 - termination advice was from Bankwest; under the old manual process this should have been inputted by Bankwest onto Cross BU. Business unable to locate termination folder to advise if/how this was missed under the old process. Broker is terminated and should be noted on Cross BU.
- MyAdviser notes this was a transfer of accreditation. GOS may need to be engaged as to why this is noted as terminated. Not a termination.
- My Adviser notes this was a resignation due to a transfer. Not a termination.
- This was a status update to terminate for internal records only, so that future accreditations were to be referred to management. There was no outcome of Head Group Suspension of the broker, therefore reasoning could not be added to the Cross BU listing.

Scenario: # brokers potentially active in MyAdviser but terminated by BW
Examples/explanation:
- [name redacted] terminated by BW for fraud on the 1st Feb 2012 -> not in Cross BU register -> active in MyAdviser
- [name redacted] terminated by BW for adverse investigation on 13th May 2016 -> not in Cross BU register -> still active in MyAdviser
- [name redacted] terminated by BW for ASIC wash and adverse circumstances on 16th May 2016 -> not in Cross BU register -> still active in MyAdviser
- [name redacted] terminated by BW for adverse investigation on 11th May 2016 -> not in Cross BU register -> still active in MyAdviser
- [name redacted] terminated by BW for fraud on 20th Jan 2014 -> not in Cross BU register -> still active in My Adviser
- [name redacted] terminated by BW for fraud on 14th Dec 2011 -> on Cross BU register 13th Dec 2011 by CBA -> still active in My Adviser
- [name redacted] terminated by BW for adverse investigation on 13th May 2016 -> not in Cross BU register -> still active in My Adviser

Scenario: At least # BW terminated but potentially missing in XBU
Examples/explanation:
- [name redacted] terminated by BW for fraud on the 1st Feb 2012 -> not in Cross BU register
- [name redacted] terminated by BW for adverse investigation on 13th May 2016 -> not in Cross BU register
- [name redacted] terminated by BW for ASIC wash and adverse circumstances on 16th May 2016 -> not in Cross BU register
- [name redacted] terminated by BW for adverse investigation on 11th May 2016 -> not in Cross BU register
- [name redacted] terminated by BW for fraud on 20th Jan 2014 -> not in Cross BU register
- [name redacted] terminated by BW for adverse investigation on 13th May 2016 -> not in Cross BU register

Scenario: 1 broker terminated by Bruce took at least 11 days to update in My Advisor
Examples/explanation:
- [name redacted] terminated in MyAdviser 11th April 2017


3

4

5

6

7

8

9

10

11

12

Poor data quality, inconsistencies and missing capabilities

Terminated in XBU ·> Resigned in My Advisor

Terminated in My Advisor but should not have been dassed as terminated

Termlnoted In MyAc:Msor-> no record In X8U

Terminated In XBU ·>no record In My Advisor

Termination revised to reinstate but st lll In XBU

Key ma tchinB data missing in XUU for efficient and accurate matching (unique cross BU Iden tiller like MFAA ID, photo ID number)

Inconsistent flag colours used In the XBU (I.e. red when should be amber and visa versa) Unclear meanings reaa rdlng the use of XBU flag colours

Poor reason codes used In XBU (i.e. 'Other')

Terminated BW Broke is-> not in XBU

Multiple entries for the same individual

N<>automated ability to check XBU to My Advise• for completeness o f terminations. accuracy of departure' ea son {resig.n/te(rnination). and timeliness of te<rnination entries

Mlsslng broker S!Jtuscode In MyAdvlser I.e. no suspended or under Investiga tion category

13 Manualty entered names into XBU that result in misspellin,t;>, preferred names optional and in Inconsistent ways If Included

14 Incomplete XBU data like broker DOB, Aggregator past and present, and termination not lflca tlon date

ComnonwealthBark

Examples/explanation

-

nMyAdviscr ·>terminatcdinXSU ermlnated In XBU on the 27 /ll/201Sby CSA as Red Fraud and Amber Fraud by BW ·>resigned 7 /6/20161n MyAdlAser

M Adviser notes this was a transfer of accreditation. GOS may need to be eneaged as to why this is noted as tem1inated. Not a termination My Adviser notes this was a resignation doe to a transfer. Not a termination.

nable to locate a t ermination request. I can see there was a transfer of accredltatlon from AHL to AFG at the same time. I think GOS may have Incorrectly noted this as a termination.. instead of resignation.

uslnes• are unable to locate these on the Cross BU register. They were previously resigned and then updated to a termination, due to advice from Group Security, Credit lnvestigatiolls Team; these details we1e a heady noted in the lraud database. •••••am unable to locate te<mlnation folder to advise If/how this was missed under the old process. Broker Is terminated and should be noted on Cross BU .

••••••••••••• terminated by BWforAS!Cwash and adverse circumstances on 16" May2016-111111111111111•tlll active in MyAdviser I

··········~eactlvated on approval 19/02/2014 after suspenslon->still llsted as Terminated and Red In XBU

Refer to #12 regarding missing reconciliation capability. In order to facilitate more accurate and timely checks between XUU and My Adviser a unique identifier that uniquely identifies a broker operating across multiple BUs, overcoming name variations. aggregator variations and brokers with similar names. would be necessary.

~!<"'ln<>~teda 'fraud' but with an amberllag .___.rmlnated In XBU on the 27 /11/2015 by CSA as Red fraud and separately as Amber fraud by SW

What are the boundaries for using red over amber or blue? What are the clear actions that result from a broker being classified as red, amber or blue?

[redacted] terminated in XBU 26/5/2017 for 'Other' reason by RBS TPB. 462 listed brokers with the cause reason being 'Other'.


[redacted] terminated by BW for ASIC wash and adverse circumstances on 16th May 2016 -> not in Cross BU register. From Bankwest: under the old manual process this should have been inputted by Bankwest onto Cross BU.

• [redacted] termination in XBU on 15/2/2017 by BW and 12n /2016 by CBA • [redacted] terminated in XBU on the 27/11/2015 by CBA as Red Fraud and Amber Fraud by BW

Currently all checks appear to be manually driven by multiple individuals across multiple BUs and companies, with no detective control that can efficiently reconcile MyAdviser to XBU or even to the BW termination register. Therefore, what assurance can there be that no adverse broker has done, or continues to do, business with CBA and BW?

In MyAdviser a broker can only be Active, Resigned or Terminated. But in reality a broker can also be suspended or under investigation. Having these additional classification options would aid an accurate automated process and avoid confusion.

1,104 DOBs missing

[redacted] terminated in XBU on 5/4/2017 by RBS TPB with no DOB; [redacted] terminated in XBU on 15/2/2017 by RBS TPB with no DOB

304 missing termination notification dates; 328 missing last known aggregator

Page 26 of 28


CBA.0508.0001.0027

Appendix A: Issue Escalation and Ratings

Issue Escalation and Reporting Protocols

BU Risk Matrix rating -> reported to:

H High: Audit Committee, BU Group Executive, Group Operational Risk

M Medium: Executive General Manager

L Low: Executive General Manager, Line Management

Insignificant: -

Issue Rating Matrix (likelihood rows against impact columns 1-5; only the cells legible in the scan are given)

Likelihood 5: impact 1 Low, impact 2 Medium, impact 3 Medium

Likelihood 4: impact 1 Low, impact 2 Low, impact 3 Medium

Likelihood 3: impact 1 Insignificant, impact 2 Low

Likelihood 2: impact 1 Insignificant, impact 2 Low, impact 3 Medium

Likelihood 1: impact 1 Insignificant, impact 2 Insignificant, impact 3 Low

Definition of Likelihood Ratings (Level, Rating, Description)

5 Almost Certain: 80% or greater probability of the risk or event occurring within the next 12 months.

4 Likely: Less than 80% probability of the risk or event occurring within the next 12 months.

3 Possible: Less than 50% probability of the risk or event occurring within the next 12 months.

2 Unlikely: Less than 20% probability of the risk or event occurring within the next 12 months.

1 Rare: Less than 5% probability of the risk or event occurring within the next 12 months.

Group and Business Unit Financial Impacts Table

ASB (NZD) | ES/SS | Group Wide | Group Functions | Retail | B&PB | IB&M | WM
Bankwest | IFS

5 - Severe: >$500m | >$180m | >$90m | >$90m | >$100m | >$50m | >$40m | >$8m | >$500m

4 - Major: >$120m | >$50m | >$20m | >$20m | >$50m | >$10m | >$10m | >$6m | >$120m

3 - Moderate: >$30m | >$10m | >$5m | >$5m | >$20m | >$3m | >$2m | >$4m | >$30m

2 - Minor: >$10m | >$3m | >$1m | >$1m | >$1m | >$1m | >$1m | >$1m | >$10m

1 - Negligible: ≤$10m | ≤$3m | ≤$1m | ≤$1m | ≤$1m | ≤$1m | ≤$1m | ≤$1m | ≤$10m

*** This table supports column A1 of the Internal Control Weakness Impact Assessment Table below, showing Group and Business Unit financial values.

Page 27 of 28

Internal Control Weakness Impact Assessment Table

Columns: A1 Financial (Business); A2 Financial (Trustee)*; A3 Financial (FUM/FUA)*; B Customer Service & Operations; C Reputation/Brand; D Legal/Regulatory Compliance; E People; F Customers*

Impact category descriptions:
A1: As per Group or Business Unit Assessment based on: values
A2: Impact on Unit Price
A3: Impact on Funds under Management or Administration
B: Loss of existing customers/market share; Cost of remediation/recovery
C: Fall in the Group's share price; Loss of new business/market share (includes impacts on all brands e.g. Colonial, ASB & BW); Damage to reputation by actions of both individual staff and the Group as a whole
D: Regulatory action; Customer/third party legal actions
E: Workplace health & safety; Workplace relations; Staff morale/loyalty
F: Actual or potential impact on customers

SEVERE (5)
A1: As per Group or Business Unit defined values
A2: >100bp
A3: >20%
B:
- Significant loss of market share and customer numbers because of extensive interruption to service capability
- Group wide data availability or integrity issues or information security is compromised
- Widespread and prolonged inability to service all or the majority of our customer base irrespective of geographic location, channel or product
- Major failure of payment systems and/or Group's systems impacting personal and business customers
C:
- Lack of confidence in financial sector generally
- Significant fall (>20%) in the Group's share price resulting from financial performance with recovery over several months
- Prolonged media and/or political attention as a result of inappropriate pricing or product decision or operational incident
D:
- Actual or potential loss of license, loss of ASX listing and/or penalties on Group's directors
- Severe impact on regulator relationships
- Imposition of significant regulatory restrictions, e.g. enforceable undertakings, conditions or directions
E:
- Death or severe injury to employees whilst on Group business, or customers on Group property
- Widespread loss of morale among management and staff resulting in high staff turnover
- Industrial dispute/action - Group wide impact
F:
- Serious financial or reputational impact to all or most customers

MAJOR (4)
A1: As per Group or Business Unit defined values
A2: >50bp-100bp
A3: >10-20%
B:
- Some loss of market share and customer numbers because of major interruption to service capability
- Extensive management involvement and significant costs incurred to restore critical processes
- Significant data availability or integrity issues or compromise of info security
- Widespread inability to service a significant proportion of customers irrespective of geographic location, channel or product
- Medium but widespread disruption of the payments system and/or Group's systems lasting several days
C:
- Medium fall (10-20%) in the Group's share price or a loss of market share or damage to Group brands resulting from detrimental national publicity or extensive negative local publicity
- Short term media and/or political attention as a result of inappropriate pricing or product decision or operational incident
D:
- Major fines and sanctions
- Multiple legal actions
- Focused regulatory surveillance/significant increased regulatory oversight
- Major systemic, recurring or significant breaches
- Major impact on regulator relationships
E:
- Severe injury to employees whilst on Group business, or customers on Group property
- Serious but localised loss of morale among management and staff resulting in high staff turnover
- Industrial dispute/action - State or BU based impact
F:
- Serious or reputational impact to a significant number of customers
- Moderate financial or reputational impact to all customers

MODERATE (3)
A1: As per Group or Business Unit defined values
A2: >25bp-50bp
A3: >5-10%
B:
- Minimal loss of market share and customer numbers because of minor interruption to service capability
- Some costs incurred to restore critical processes
- Localised data availability or integrity issues, or compromise of info security
- Inability to satisfactorily service a material proportion of customers irrespective of geographic location, channel or product
- Minor but widespread disruption of the payments system and/or Group's systems lasting several days
C:
- Short term fall (<10%) in Group's share price as a result of product/pricing decisions
- Reduced market share or temporary damage to Group brands resulting from limited negative national publicity or detrimental local publicity
D:
- Fines
- Multiple agreements with customers at risk
- Systemic complaints or compliance incidents
- Significant breaches
- Potential impact on regulator relationships
- Increased general regulatory oversight
E:
- Injuries to employees whilst on Group business, or customers on Group property
- Some loss of morale among management and staff
- Industrial dispute/action - localised department level impact
F:
- Moderate financial or reputational impact to a limited number of customers
- Minor financial or reputational impact to a significant number of customers

MINOR (2)
A1: As per Group or Business Unit defined values
A2: 3bp-25bp
A3: 1-5%
B:
- Service standards not achieved but no impact on market share or customer numbers
- Minimal time, effort and cost required to correct critical processes
- Minimal disruption to satisfactorily servicing some customers irrespective of geographic location, channel or product
- Limited disruption of the payments system and/or Group's systems impacting some geographical areas
C:
- No fall in Group's share price due to pricing decision/products
- Small, short term loss in market share resulting from limited negative local publicity
D:
- Multiple customer complaints or compliance incidents which are not systemic or significant
- Individual legal actions
- Low range fines
E:
- Injury to an employee whilst on Group business, or a customer on Group property
- Short term and localised loss of morale among management and staff
- Industrial dispute/action - localised at team level impact
F:
- Minor financial or reputational impact to a limited number of customers

NEGLIGIBLE (1)
A1: As per Group or Business Unit defined values
A2: <3bp
A3: <1%
B:
- No measurable operational impact on business
- Limited operational impact on business; ability to service individual customers impacted but no systemic issues
- Intra-day disruption of the payments system and/or Group's systems
C:
- Limited adverse publicity = 1-2 days as a result of isolated customer complaint impacting little or no customers nationally
- No measurable loss of market share resulting from limited negative local publicity
D:
- One off complaints or compliance incidents
E:
- No impact on staff morale
F:
- Insignificant financial or reputational impact to a limited number of customers

* = Columns (A2 & A3) relate to funds management, investment management, superannuation and life insurance businesses and can be deleted by Business Units that do not market these products.
** = To be used as additional guidance in determining the level and amount of management effort to resolve any event impacts. To be used in conjunction with other impact categories.


CBA.0508.0001.0028

Management Effort Guidance**

Category description: Drain on Executive resources; Opportunity cost

SEVERE (5):
- Potential to lead to the significant damage to the business
- Sustained ExCo/Senior Management effort

MAJOR (4):
- A significant event requiring major Group Executive/Senior Management effort to absorb the impact

MODERATE (3):
- Moderate EGM/Senior Management effort is required to absorb the event impact

MINOR (2):
- Impact can be absorbed through normal activity with minor effort required from Senior Management

NEGLIGIBLE (1):
- Impact can be absorbed through normal activity with no senior management effort required

Page 28 of 28