One or more of the following indicators were evident in financial institutions that failed during the crisis:
A dysfunctional board
A domineering CEO
Insufficient active Board involvement
Key posts being held by people without the required technical competence
Inadequate ‘four eyes’ oversight of risk
Inadequate understanding of the aggregation of risk
Key drivers for focus on governance (external and internal)
• A UK listing requirement for an externally facilitated board effectiveness review, and an increase in regulator-mandated reviews of governance
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Alignment of culture, strategy and appetite
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit and Risk Management
Scoping questions for governance audits:
• Will audits be carried out on a standalone, end-to-end audit basis, will there be a series of intermittent audits to provide a continuous view, or will a governance component be added to existing audit types?
• What will be the split of focus on assessing the design versus the operating effectiveness of governance arrangements?
• Will governance audits seek to provide a current point-in-time assessment, or will they also have a forward-looking component?
The financial services sector has seen tremendous debate and increased scrutiny on governance. The Institute of Internal Auditors has recently recommended that internal auditors should have a voice in this area and include governance within its remit.
The Code's guiding principles recommend that IA has a view on:
• Board and Committee: embedded within the activities, limits and reporting.
• People and Culture: processes (e.g. remuneration, decision making), actions (e.g. accountability and direction) and "tone at the top" align with values, ethics, risk appetite and policies.
• MI for strategic and operational decision making: represents the risks.
Depth of testing (an example)
Basic extent of testing
• Review meeting minutes to demonstrate the existence of a committee and the fact that it meets frequently
• Reconcile the committee's Terms of Reference against meeting minutes to evidence core areas within its remit
Moderate extent of testing
• Review member biographies to understand and assess the skills and experiences they bring
• Carry out a survey or conduct interviews with committee members to provide a qualitative dimension to the assessment, e.g. asking for opinions and requesting examples of recent decisions and how those decisions were arrived at
• Review meeting minutes and action logs to assess the extent to which actions have "teeth" and are followed up
Leading extent of testing
• Carry out a sample of stakeholder interviews outside of the committee to understand broader perceptions and experiences
• Assess how decisions are made via a sample of case studies, for example, evaluate the strategy setting process, evaluate
Key drivers for risk intelligent cultures (external and internal)
• Increasing regulatory focus: PRA 'Approach to Supervision'
• Increasing stakeholder pressures
• Standard & Poor's approach for assessing companies' ERM
• Tax: Annual Remuneration Report and Remuneration Policy Statement form
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Alignment of risk culture, strategy, appetite and remuneration frameworks
• A key lever in building sustainable businesses
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit, Risk Management, Human Resources and Tax
What the future looks like
Within three to five years, risk intelligence is likely to be a priority measure for assessing the quality and embedding of a firm's strategic plan, risk appetite, governance structure and its risk management and remuneration frameworks.
Banks, insurers, asset managers and broker firms are being driven to understand, measure, strengthen and report on their risk culture and the risk intelligence of their people as part of enhancing their risk management and control systems.
What is it?
• The organisation's behavioural norms, management systems and symbols, and how these are aligned to encourage people to make the right risk-related decisions and exhibit desired risk management behaviours
• The values, implicit beliefs and ideas that give meaning to an organisation
• How values translate into behaviours
• The way people act: how they work, make decisions, interact and ultimately how they deliver results
Why does it matter?
• Can create a powerful and sustainable competitive advantage
• Risk management systems and controls are only as good as the people operating them
• Vital for informed risk based decision making
• Increased confidence of external stakeholders
• Has a major impact on organisations: enables or inhibits achieving strategy, and impacts bottom line results
• Culture and risk culture are valuable if done right; in particular they save a lot of time by showing people how things are done here, for example whether following the normal behaviour of those around you is the way to be successful in your career
What does good look like?
• Commonality of purpose
• Universal adoption and application
• A learning organisation, continuously improving
• Prompt, transparent and honest communications
• Understanding the value of effective risk management
• Responsibility, individual and collective
• Expectation of challenge
Diagram elements: Behaviours, Systems, Symbols. Risk intelligence helps to protect the organisation's assets, reputation and sustainability.
Scope and priorities
The Code's guiding principles recommend that IA has a view on:
• Internal Governance: structures and processes operating effectively.
• Adherence to Risk Appetite: embedded within the activities, limits and reporting.
• Risk and Control Culture: attitude and approach at all levels to risk management and internal control; processes (e.g. remuneration, appraisal), actions (e.g. decision making) and "tone at the top" align with values, ethics, risk appetite and policies.
• Policies and Processes: operating effectively, i.e. outcomes achieved align with the organisation's objectives, risk appetite and values.
• MI for strategic and operational decision making: represents the risks.
Risk culture model (diagram): Strategy and Objectives; Values and Ethics; Policies and Processes; Relationship; Motivation; Organisation; Risk Competence.
Key drivers for risk management (external and internal)
• Increasing regulatory focus: Basel Committee, Financial Stability Board
• Increasing stakeholder pressures
• CIIA's Code for 'Effective Internal Audit in the FS Sector'
• Alignment of risk management with business operations
• Challenge of the second line of defence
• Boards, NEDs, Audit and Risk Committees, Remuneration Committees
• Internal Audit and Risk Management
There is a drive to not just challenge the processes and controls of a function but to look at the way a risk is managed across the business and the responsibilities across the three lines of defence.
Internal Audit Hot Topics: Risk Management (continued)
The role of Internal Audit
Key areas for consideration:
• Assess Risk Management Frameworks (RMF) on a firm-wide basis as well as on an individual business line and legal entity basis;
• Identification, escalation and reporting of breaches in risk limits;
• Design and effectiveness of the RMF and its alignment with supervisory expectations;
• Implementation of the RMF, including linkage to strategic and business planning, compensation, and decision-making processes;
• Risk measurement techniques and MI used to monitor the firm's risk profile in relation to its risk appetite; and
• Timely reporting to the board and senior management of deficiencies in the RMF and of alignment (or otherwise) of risk appetite and risk profile with risk culture.
Internal Audit Hot Topics: Model Risk Management (continued)
The role of Internal Audit
Key areas for consideration:
Governance, Policies & Controls
• Model Governance framework
• Policies, Standards and Procedures
• Model inventory and documented limitations
Legal & Regulatory Compliance
• Compliance with legal and regulatory requirements
• Gaps against compliance requirements
Development, Implementation & Use
• Model approach and design, including model methodology / technique
• Quality of data and variables
• Completeness of population and review
• Model documentation, including verification of attempts to rebuild the model based on the documentation
• Systems and accuracy of implementation
• Verification of appropriate model usage, subject to controls and limitations
Validation
• Validation standards and techniques, and verification of independence of development and validation teams
• Testing model approval, overrides and calibration process
• Assessment of regular review cycle
Internal Audit Hot Topics: Financial Crime (continued)
The role of Internal Audit
Key areas for consideration:
• Financial Crime risk definition, identification and assessment; Financial Crime risk appetite and tolerance framework
• Transaction Monitoring Optimisation to produce more good alerts (true positives) and fewer bad alerts (false positives)
• Data Quality Assessments to allow for more reliable inputs into the customer screening and transaction monitoring processes
• Testing the effectiveness of customer screening to improve the firm's ability to identify PEPs (politically exposed persons)
• Fine tuning threshold settings to reduce alert volumes whilst managing risk
• Validating that monitoring logic has been correctly implemented
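The last two points, threshold tuning and validation of monitoring logic, are the ones an auditor can test directly rather than by interview. The following Python is an added illustration and is not code from the Deloitte publication or any real monitoring system: the two rules (a single-deposit threshold and a simple structuring rule), the thresholds, the sample transactions and the analyst labels are all constructed for the example. It shows a threshold sweep that reports alert volume against missed cases, and a logic validation that checks the implemented rules against their documented specification on boundary cases.

```python
"""Toy transaction-monitoring rule engine, added here to illustrate threshold
tuning and rule-logic validation.  All rules, thresholds, transactions and
labels are constructed for the example; this is not a production AML system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: float  # cash deposit in GBP (constructed)


D0 = date(2024, 1, 1)
# Constructed sample: C1 structures cash just under 10,000 on consecutive days,
# C5 makes one large suspicious deposit, C2 makes one large but legitimate
# deposit, C3 and C4 are ordinary low-value activity.
SAMPLE = [
    Txn("C1", D0, 9_500), Txn("C1", D0 + timedelta(1), 9_800), Txn("C1", D0 + timedelta(2), 9_700),
    Txn("C2", D0, 25_000),
    Txn("C3", D0, 120), Txn("C3", D0 + timedelta(5), 80),
    Txn("C4", D0, 4_000), Txn("C4", D0 + timedelta(1), 4_500),
    Txn("C5", D0, 45_000),
]
# Analyst ground truth for the constructed sample (which customers were suspicious).
LABELS = {"C1": True, "C2": False, "C3": False, "C4": False, "C5": True}


def large_cash_rule(txns, threshold):
    """Rule 1 (spec): any single deposit at or above `threshold` raises an alert."""
    return {t.customer for t in txns if t.amount >= threshold}


def structuring_rule(txns, single_threshold, window_days, aggregate_threshold, min_count=2):
    """Rule 2 (spec): at least `min_count` deposits by one customer, each below
    `single_threshold`, inside a rolling window of `window_days` days, whose
    total reaches `aggregate_threshold`, raise a structuring alert."""
    by_cust = defaultdict(list)
    for t in txns:
        if t.amount < single_threshold:
            by_cust[t.customer].append(t)
    alerts = set()
    for cust, ts in by_cust.items():
        ts.sort(key=lambda t: t.day)
        for i, start in enumerate(ts):
            window = [t for t in ts[i:] if (t.day - start.day).days < window_days]
            if len(window) >= min_count and sum(t.amount for t in window) >= aggregate_threshold:
                alerts.add(cust)
                break
    return alerts


def run_rules(txns, single_threshold=10_000, window_days=7, aggregate_threshold=20_000):
    """Union of alerts from both rules with the current (hypothetical) settings."""
    return large_cash_rule(txns, single_threshold) | structuring_rule(
        txns, single_threshold, window_days, aggregate_threshold)


def score(alerts, labels):
    """Alert volume and hit rate against analyst labels: the numbers an auditor
    asks for when judging whether tuning reduced alerts without losing risk."""
    tp = sum(1 for c in alerts if labels.get(c))
    fn = sum(1 for c, bad in labels.items() if bad and c not in alerts)
    return {"alerts": len(alerts), "tp": tp, "fp": len(alerts) - tp, "fn": fn}


def threshold_sweep(txns, labels, thresholds):
    """Threshold tuning: re-run the rules at each candidate single-deposit
    threshold and report volume versus missed cases for each."""
    return {th: score(run_rules(txns, single_threshold=th), labels) for th in thresholds}


def validate_rules():
    """Logic validation: check the implementation against the documented rule
    specification on boundary cases.  Returns a list of failed checks (empty
    means the implemented logic matches the spec)."""
    failures = []
    d = date(2024, 6, 1)
    # Spec says "at or above", so a deposit of exactly the threshold must alert.
    if large_cash_rule([Txn("X", d, 10_000)], 10_000) != {"X"}:
        failures.append("single-deposit threshold is not inclusive")
    # A 7-day window must not aggregate deposits 7 days apart (day 0 and day 7).
    edge = [Txn("Y", d, 9_000), Txn("Y", d + timedelta(7), 9_000)]
    if structuring_rule(edge, 10_000, 7, 15_000):
        failures.append("window includes deposits outside the rolling window")
    # Structuring requires more than one deposit; a lone sub-threshold deposit must not fire.
    if structuring_rule([Txn("Z", d, 9_999)], 10_000, 7, 5_000):
        failures.append("structuring rule fires on a single deposit")
    return failures


if __name__ == "__main__":
    for th, s in threshold_sweep(SAMPLE, LABELS, (5_000, 10_000, 30_000, 50_000)).items():
        print(f"single threshold {th:>6}: {s}")
    print("logic validation failures:", validate_rules())
```

Running the sweep on the constructed sample shows the trade-off the bullet points describe: at a single-deposit threshold of 5,000 or 10,000 the legitimate 25,000 deposit (C2) is a false positive; at 30,000 both suspicious customers are still caught with no false positive; at 50,000 the large suspicious deposit (C5) is missed. The validation function is the kind of check that confirms documented rule logic matches what the system actually does, including the inclusive-threshold and window-boundary conditions where off-by-one errors usually hide.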
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198.