Internal / External Audit
May 19, 2015
Presented By: Martin Hayes

The views expressed in this presentation do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System




AGENDA

• The Role of Internal Audit

• Effective Components of Internal Audit

• Areas Emphasized During Supervisory Reviews

• Additional Internal Audit Processes

• Role of External Audit


INTERNAL AUDIT RESPONSIBILITY

• Independent assessment of the effectiveness of controls, risk management, and governance processes

• Understanding/analysis of key businesses/risks

• Detailed review of controls based on sufficient transaction testing

• Inclusion of all legal entities and business lines in Audit coverage


KEY COMPONENTS OF EFFECTIVE INTERNAL AUDIT

• Effective Oversight by Audit Committee

• Independent and Competent Audit Group

• Ongoing Engagement with Senior Management

• Comprehensive Audit Universe

• Effective Risk Assessment Process

• Appropriate Audit Frequency

• Adequate Controls Identification and Testing

• Comprehensive Reporting

• Adequate Issue Tracking / Issue Follow-Up

• Timely Clearance of Audit Issues

• SR 13-1 Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing (www.federalreserve.gov / Banking Information & Regulation)


ROLE OF THE AUDIT COMMITTEE

• Provides oversight over the internal audit function

• On an annual basis the audit committee should approve:
  • Audit charter
  • Budget/staffing levels
  • Audit plan

• Should receive ongoing MIS regarding the audit function including:
  • Audit results
  • Audit plan status including changes
  • Audit issue information including aging of issues and root cause/thematic trends
  • Significant changes in audit processes


INDEPENDENCE

• Reporting Line:
  • Domestic: Audit Committee of the Board of Directors
  • US Branches and Agencies of Foreign Banks - Head Office Audit

• Administrative Reporting Lines to Senior Management preferably the CEO

• No Operational Responsibility

• Management is responsible for the internal control environment!


AUDIT STAFF COMPETENCY

• Adequacy of Resources

• Qualifications of Staff

• Appropriate Skill Level and Training

• Professional Development

• Opportunities for Transfer

• Career Path


SENIOR MANAGEMENT INTERACTION

• Discussions regarding Risk Assessment

• Audit Meetings with Senior Management

• Prompt Issue Resolution by Management

• Self-Identified Issues discussed with Audit

• Participation on Committees

• Non-Operational Special Projects


COMPREHENSIVE AUDIT UNIVERSE

• Establish auditable entities
  • E.g. identify all legal entities, departments, corporate functions, geographic locations, committees
  • Wide variety of tools can be utilized, including:
    • General ledger
    • Cost Centers
    • Organizational Charts
    • Department Listings
    • New Product Approval Process

• Review at least once a year for changes


RISK ASSESSMENT

• Credit Risk

• Market & Interest Risk

• Liquidity Risk

• Operational Risk

• Information Technology

• Reputation Risk

• Legal & Compliance Risk

• Other Specific Entity Risks (systemic, strategic, etc.)


RISK ASSESSMENT (cont.)

• Changes in:
  • Transaction Values & Volumes
  • Quality and Turnover in Management and Staff
  • Products & Processes
  • Laws and Regulations
  • Organizational Structure

• Access to Physical Assets

• Systems/Technology Impact and Errors & Outages

• Last Audit Date

• Last Audit Rating


CONTINUOUS MONITORING

• Integral part of risk assessment and audit plan processes

• Facilitates changes in the audit universe

• Can drive changes in the audit plan

• Types of continuous monitoring:
  • Meetings with management
  • Review of metrics and self-assessment results
  • Participation on Committees


ANNUAL AUDIT PLAN

• Should provide comprehensive coverage of all identified auditable entities

• Two approaches:
  • Multi-year plan
  • Dynamic plan with focus on most significant risks

• For the multi-year plan approach, typically firms utilize a 3 or 4 year plan with high risk areas being evaluated at least every 18 months

• For the dynamic plan approach, the firm must have robust risk assessment and continuous monitoring processes

• There also should be a mechanism whereby areas that have not been audited for extended time are approved by the Audit Committee


AUDIT TESTING

• Full Scope Audits

• Target Audits

• Conversion/System Development Audits/Data Center and Application Reviews

• Non-Rated Audits


AUDIT TESTING (cont.)

• Work programs
  • Detailed, business-relevant, customized and risk-based audit programs
  • Completed as part of the initial audit and updated/tailored for subsequent audits
  • Appropriate level of testing
  • Scope Exclusions

• Audit Work Papers
  • Proper documentation, referencing, and supervisory sign-off
  • Sampling methodology
  • Validation of Controls
  • Appropriate Narratives and Conclusions
  • Audit Trail for Findings/Report Issues


AUDIT REPORTS

• Executive Summary

• Scope & Objective

• Description of the Work Performed

• Audit Comments & Recommendations

• Analysis of Conditions

• Audit Ratings

• Management Responses


ATTRIBUTES OF AN AUDIT RESULT

• Condition – “What is”

• Criteria – “What should be”

• Cause – “Reason for the condition”

• Effect – “Impact/risk of the condition”

• Recommendation – “Suggested corrective action”


EXCEPTION FOLLOW-UP

• Tracking Process/System

• Target Dates for both tactical and strategic remediation

• Follow-Up Process/Timing

• Documentation for Issue Follow-Up

• Significant items cleared in a timely manner

• Escalation and Reporting Process for Open Issues

• Perform validation prior to issue closure with substantive testing for high risk issues


ENHANCED INTERNAL AUDIT PRACTICES

• Risk Analysis

• Thematic Control Issues

• Challenging the Adequacy of Controls

• Governance

• Infrastructure

• Business Strategy and Risk Tolerance


RISK ANALYSIS

Analysis of risks, including the risk management functions, on a cross-business and cross-functional basis: Internal Audit's evaluation of the level of risk both in individual areas and across functions, and of the effectiveness of the risk management functions.


THEMATIC CONTROL ISSUES

Identification of themes across all audit areas and their impact on the institution's overall risks (e.g. reconciliations, information security, significant use of manual processes, etc.), and effective communication of these issues to Senior Management and the Audit Committee.


CHALLENGING THE ADEQUACY OF CONTROLS

The extent to which Internal Audit challenges management when audit believes that existing controls are inadequate or could be enhanced, including requiring new controls to be in place before a business expands.


GOVERNANCE

Internal audit should develop procedures to evaluate governance at all levels within the institution, both at the senior management level and within all business lines.


INFRASTRUCTURE

Internal Audit’s role in notifying management of potential internal control issues if infrastructure is not sufficient (e.g., applications, MIS reporting, etc.)


BUSINESS STRATEGY AND RISK TOLERANCE

The role of audit in both understanding and pointing out to management the risks in the institution and ensuring that management is aware of the risk appetite that is being taken.


AUDIT’S ANALYSIS OF CONTROL ISSUES

When an adverse event occurs at the institution, internal audit should:

• Review the post-mortem analysis conducted by management to analyze the causes of the event

• Perform its own “post-mortem” analysis of internal audit coverage and determine whether additional audit coverage is needed in specific areas


ADDITIONAL AUDIT PROCESSES

• Outsourcing/Co-sourcing

• Internal/External Quality Assurance

• Emerging Best Practices


AUDIT OUTSOURCING / CO-SOURCING

• Outsourcing: the Performance of Internal Audit Activities by an External Party, e.g., an External Audit Firm

• Co-sourcing: Contract to work with Internal Audit

• Important Issues/Concerns:
  • Independence
  • Conflicts of Interest
  • Skill Level
  • Continuity of Staffing
  • Familiarity with the Organization
  • Responsibility for Compliance with Audit Department Standards/Processes/Review Process

• Internal Audit management is responsible for all audit activities performed by External Party


INTERNAL AND EXTERNAL QUALITY ASSURANCE (QA)

• Internal Assessments
  • Periodic reviews to assess consistency of audit work across groups
  • Internal Audit management should reach conclusions on whether changes to processes or additional training are needed
  • Results should be communicated to the Audit Committee at least annually

• External Assessments
  • IIA requires an external review by an outside firm once every 5 years
  • Focus on compliance with IIA’s definition of internal auditing, code of ethics, and standards
  • Review compliance with the internal audit charter and policies
  • Results reported to the Audit Committee


EMERGING BEST PRACTICES

Assessment rating of the Control Environment and Management Control Approach for business units and global functions reported to the Audit Committee (also on individual audit reports). Used as an input to management scorecards affecting compensation.

Enhanced accountability and MIS related to issue remediation (for “critical” past due issues, the issue owner must present explanation and mitigating actions to the Audit Committee).

Audits Quality Assurance incorporation of “Hot reviews” (involvement in live audits, providing challenge and coaching, from planning through the final audit report and file closure process).

Greater use of data analytics and “real time” automated testing.


ROLE OF EXTERNAL AUDIT

• Services provided: Financial Statement Audits, Internal Control Reviews, Consulting

• In the U.S., rules for the profession will be stricter under the Sarbanes-Oxley law (Public Company Accounting Oversight Board)

• Opine on the appropriateness of financial data, emphasis on analyzing both risk factors and the institution’s financial condition

• Legal requirements dictate the type of audit work performed


RULES FOR EXTERNAL AUDITORS

• Sarbanes-Oxley (Public Companies & Public Banking Organizations)
  • Lead and Concurring Partners rotate every 5 years (Section 206)
  • CPA firm cannot Audit a client for one year if a CEO, CFO, Controller or Chief Accounting Officer was employed by the Firm and participated in the Audit in any capacity (Section 206)
  • CPA Firm cannot provide audit and non-audit services (Section 201)
    • Bans certain consulting services performed by the same external auditor who performs the financial statement audit


QUESTIONS?