Internal Audit Solutions: Internal Audit Leading Practices - Continuous Monitoring / Auditing Provided to Sioux Falls, SD IIA Chapter Thursday January 25, 2018 11:30 AM – 1:00 PM CT

Jul 11, 2018


duongmien

Internal Audit Solutions: Internal Audit Leading Practices - Continuous Monitoring / Auditing

Provided to Sioux Falls, SD IIA Chapter

Thursday January 25, 2018, 11:30 AM – 1:00 PM CT


© Grant Thornton LLP. All rights reserved. 2

Today's Presenter

Anne Howard
Director
National Financial Services Advisory
4140 ParkLake Ave., Suite 130, Raleigh, NC 29612
D (919) 748-9862
E [email protected]


Agenda

• Continuous monitoring vs. continuous auditing
• Benefits of continuous auditing
• Considerations when implementing continuous auditing
• Components of continuous auditing
  • Continuous risk assessment
  • Continuous controls assessment
• Leading data analytic practices
• Practical examples
• Summary and Q&A


Learning objectives

• Define continuous monitoring and continuous auditing
• Discuss the benefits and challenges of continuous auditing
• Explore methods for implementing continuous auditing
• Describe leading data analytics practices
• Illustrate some practical examples


Background


Continuous Monitoring vs. Continuous Auditing

Continuous Monitoring is an automated, ongoing process that enables management to:
• Assess the effectiveness of controls and detect associated risk issues
• Improve business processes and activities while adhering to ethical and compliance standards
• Execute more timely quantitative and qualitative risk-related decisions
• Increase the cost effectiveness of controls and monitoring through IT solutions

Source: Deloitte, LLP

Continuous Auditing ("CA") is an automated, ongoing process that enables internal audit to:
• Collect from processes, transactions, and accounts data that supports internal and external auditing activities
• Achieve more timely, less costly compliance with policies, procedures, and regulations
• Shift from cyclical or episodic reviews with limited focus to continuous, broader, more proactive reviews
• Evolve from a traditional, static annual audit plan to a more dynamic plan based on CA results
• Reduce audit costs while increasing effectiveness through IT solutions

Source: Deloitte, LLP


Benefits of Continuous Auditing

• Reducing costs
• Increasing efficiencies
• Providing greater audit coverage
• Improving risk and control assurance
• Early detection of potential issues / fraud
• Enterprise / global viewpoints

Internal audit departments are under increased pressure to add value to the business and tell them something they don't already know. Using continuous auditing can move Internal Audit closer to becoming a "Trusted Advisor" to the business. Other benefits include:

• Improving governance
• Improving performance and accountability
• Greater transparency
• Reducing complexities
• Promotes continuous improvement
• Trend analysis

IIA Standard 2130 - The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.


Challenges when Implementing Continuous Auditing

• Obtaining access to data
• Understanding the data (i.e., data dictionary)
• Use of tools / software
• Managing stakeholder expectations
• Time investment required to develop and execute
• Technical competencies / skills
• Process to respond to CA results
• In-depth knowledge of business processes and systems


Implementing Continuous Auditing

Continuous Auditing

Continuous Controls Assessment
• Identification of control deficiencies
• Insights into the control environment
• Independent & timely assurance
• Assessment of corrective actions

Continuous Risk Assessment
• Identification of new / emerging risks
• Evaluation of changes in risk levels
• Informs the audit plan
• Focus on higher risk areas
• Data-driven risk indicators

Objectives / Access to the Data / Reporting
• Determine the goals and objectives for the continuous auditing program
• Collaborate and coordinate with IT to determine data sets and how data can be accessed
• Identify how Continuous Controls Assessment (CCA) will be utilized and leveraged
• Identify how Continuous Risk Assessment (CRA) will be utilized and leveraged
• Document the plan for reporting the outputs / results of the CCA and CRA

Leading Practices
• Start small with quick wins and expand program over time
• Leverage existing tools, such as Excel
• Develop framework for continuous auditing and integrate with audit methodology


Continuous Risk Assessment


Approach to Continuous Risk Assessment

Step 1: Define Framework
Step 2: Initial Analysis
Step 3: Meet with Participants
Step 4: Evaluate Assessment Results
Step 5: Prepare Plan
Step 6: Present to Stakeholders

Step 1: Review the Audit Entity Universe, the Performance Driver Model, Risk Universe, and Strategic Plan – focusing on defining / assessing auditable entities and other concepts from regulatory guidance, such as heightened regulatory expectations and FRB Supervisory Letter SR 13-1.

Step 2: Perform an initial analysis of risk with input from the organization's executive management team / audit committee members; draft an initial set of Key Risk Indicators (KRIs).

Step 3: Obtain input from key participants (process owners) in order to identify risks and determine the current level of response; review KRIs.

Step 4: Evaluate the collective results from participants; assess and prioritize the risks and KRIs identified for the overall organization.

Step 5: Align the Audit Plan (and the program for evaluating KRIs) so that it correlates current residual risk with level of effort.

Step 6: Present results to stakeholders for review and reiteration, as needed.


Audit Coverage Risk Assessment

• Determine Audit Universe – Organizations typically risk assess the Audit Universe based on Legal Entities, LOB Units and / or Process Areas.

• Initial / Baseline Risk Assessment (RA) Process – The defined process areas are risk rated from a quantitative and qualitative perspective, which dictates the frequency of audit coverage (Low = every three years, Medium = every two years, High = every year).

Framework to Consider: capture information for each factor for each auditable entity

• Inherent Risk Factors:
  • Strategic / Economic Climate
  • Complexity / Changes in Environment
  • Regulatory / Legal

• Residual Risk Factors:
  • Management Governance
  • Policies and Procedures / Standards
  • Internal Controls
  • Technology


Audit Coverage Risk Assessment

• Quarterly Continuous (Business) Monitoring Refresh Process
  • Consider aligning Internal Audit (IA) team members to the defined process owners for a quarterly business monitoring exercise (it can be on a less frequent rolling basis, as necessary).
  • Establish a formal process where IA meets with primary business contacts for each of the defined areas to conduct interviews and understand strategic decisions that impact the control environment.
  • Develop a Continuous Monitoring checklist; regulators view this as a best-in-class IA process.
  • Recent audits should also be considered in terms of how they will affect the control environment and the related process area. Additionally, prior audit issues can also affect the substantive audit approach.

• Developing Key Risk Indicators (KRI) – Develop KRIs across the process areas to assist with the Risk Assessment Process.
  • Example #1 – Collections / Delinquency
    • Establish a monthly data pull to show total delinquency buckets (Current, 1-30, 31-60, 61-90, 91-120, 121+, write-off) and then break out by LOB, facility type, or whatever level of granularity is sufficient for evaluation purposes.
    • This should be measured against the organization's Risk Appetite, for example:
      • Risk Appetite = 2.5% write-off of Residential Mortgage portfolio
      • Risk Tolerance = 5.0% write-off of Residential Mortgage portfolio
    • These metrics can be reviewed monthly by audit teams to identify any red flags / early warning indicators (EWI).
  • Example #2 – Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) / Office of Foreign Assets Control (OFAC)
    • Establish a monthly data pull to show total number of AML alerts by loan asset type. Determine if 100% of alerts resulted in a Suspicious Activity Report (SAR) within 60 days.
      • Risk Appetite = 100% of alerts result in a SAR within 30 days
      • Risk Tolerance = 100% of alerts result in a SAR within 60 days
    • These metrics can be reviewed monthly by audit teams to identify any red flags / early warning indicators (EWI).
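The write-off KRI from Example #1, as an added example that is not part of the original presentation: it computes the write-off percentage from a monthly delinquency pull, tracks the month-over-month change, and rates each result against the 2.5% appetite and 5.0% tolerance. The sample balances, the use of total portfolio balance as the denominator, and the application of the same thresholds to every LOB are assumptions.

```python
from collections import defaultdict

# Thresholds quoted on the slide for the write-off KRI (percent of portfolio).
RISK_APPETITE_PCT = 2.5
RISK_TOLERANCE_PCT = 5.0

BUCKETS = ("Current", "1-30", "31-60", "61-90", "91-120", "121+", "write-off")

# Constructed monthly data pull: balances in $ thousands per delinquency bucket.
SAMPLE_PULL = [
    {"month": "2017-11", "lob": "Residential Mortgage",
     "buckets": {"Current": 900, "1-30": 40, "31-60": 20, "61-90": 10,
                 "91-120": 5, "121+": 5, "write-off": 20}},
    {"month": "2017-12", "lob": "Residential Mortgage",
     "buckets": {"Current": 880, "1-30": 40, "31-60": 20, "61-90": 15,
                 "91-120": 10, "121+": 5, "write-off": 30}},
    {"month": "2017-11", "lob": "Home Equity",
     "buckets": {"Current": 450, "1-30": 20, "31-60": 5, "61-90": 5,
                 "91-120": 0, "121+": 0, "write-off": 20}},
    {"month": "2017-12", "lob": "Home Equity",
     "buckets": {"Current": 440, "1-30": 20, "31-60": 5, "61-90": 5,
                 "91-120": 0, "121+": 0, "write-off": 30}},
]


def writeoff_pct(buckets):
    """Write-off balance as a percentage of the total balance across all buckets."""
    unknown = set(buckets) - set(BUCKETS)
    if unknown:
        # An unrecognised bucket means the pull does not match the data dictionary.
        raise ValueError(f"unrecognised delinquency bucket(s): {sorted(unknown)}")
    total = sum(buckets.values())
    if total == 0:
        return 0.0
    return 100 * buckets.get("write-off", 0) / total


def kri_status(pct, appetite=RISK_APPETITE_PCT, tolerance=RISK_TOLERANCE_PCT):
    """Rate a KRI value: above tolerance, between appetite and tolerance, or within appetite."""
    if pct > tolerance:
        return "tolerance breach"
    if pct > appetite:
        return "early warning"
    return "within appetite"


def review_kri(pull):
    """One result per (LOB, month), ordered by LOB then month, with month-over-month change."""
    by_lob = defaultdict(list)
    for row in pull:
        by_lob[row["lob"]].append((row["month"], writeoff_pct(row["buckets"])))
    results = []
    for lob in sorted(by_lob):
        previous = None
        for month, pct in sorted(by_lob[lob]):
            change = None if previous is None else round(pct - previous, 2)
            results.append({"lob": lob, "month": month,
                            "writeoff_pct": round(pct, 2),
                            "change": change, "status": kri_status(pct)})
            previous = pct
    return results


def red_flags(pull):
    """Results an audit team would pick up in the monthly review."""
    return [r for r in review_kri(pull) if r["status"] != "within appetite"]


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_PULL):
        print(flag)
```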


Automating the Risk Assessment Process

• In terms of making the Risk Assessment more efficient, best in class organizations have automated the process to some extent by developing a customized database where the Audit Universe is established.
• Repository to house walkthrough / interview notes, IA risk rating justifications, including prior and current risk ratings
• Store primary business contacts / responsible auditor, etc.
• Maintain KRIs, which take feeds from the organization's systems (general ledger, risk systems, etc.)
• Ability to perform static / ad-hoc reports for management (e.g., x % of Risk Ratings changed on a quarter over quarter basis, etc.)

Audit Coverage Risk Assessment

Key Activities:

1. Review current audit universe and audit plan from a coverage perspective

2. Develop questionnaires for quarterly continuous monitoring program

3. Develop key risk indicators (KRIs) for continuous monitoring

4. Execute the initial risk assessment at the entity / process level

5. Produce a baseline database repository to house continuous monitoring efforts as described (audit entities / processes / risk ratings / KRIs, etc.)


Audit Coverage Risk Assessment (Example)

[Figure: Initial Risk Assessment; Quarterly Risk Assessment]


Continuous Auditing & Data Analytics


Internal Audit's Use of Data Analytics

Data analytics – Process whereby different types of data (enterprise, third-party, internal/external, etc.) are put into a format where analysis can be done with the goal of identifying useful information that better supports corporate decision-making.

Data visualization – Used to better understand the significance of those analytics by allowing the review of the data in a visual context. Data visualization can help the internal audit team identify key patterns, trends and correlations within the data that might otherwise go undetected.

What should CAEs be prepared to answer?
• Are you using data analytics? If not, what is / are the barrier(s)? Do you have the necessary resources, tools and training?
• Can you discuss your plan for using data analytics and data visualization?
• Are you employing a data analytics approach in audit testing?
• Are you hiring people with database and data analytics skills?
• How are you and the internal audit team working with IT to get quality data for analysis?
• Is IT open to working with you to have more comprehensive internal audit coverage using data analytics and data visualization?
• How much of the audit plan incorporates the use of data analytics and visualization?
• How are you able to interpret the data to make an impact in your audit methodology and results?
• Have you considered using data analytics to predict risk indicators in the future?

Source: http://www.grantthornton.com/issues/library/newsletters/advisory/2016/audit-committee-influencing-data-analytics-usage.aspx


Benefits of Data Analytics in Internal Audit

At the forefront of Data Analytics in Internal Audit are Computer Assisted Audit Techniques (CAATs).

• Developing KRIs assists with Continuous Monitoring – establishing KRIs helps identify red flags and emerging risk trends, which informs the Risk Assessment process.

• CAATs enable auditors to perform more focused testing of controls for operating effectiveness – use of large data for analysis allows for more focused tests of transactions during audit fieldwork.

• Bringing tangible results to the business – by monitoring the right KRIs in the form of CAATs, Internal Audit is able to bring tangible results to the business on emerging risks that are relevant to the business.

• Internal auditors can perform trend analyses using CAATs routines – developing scripts that run periodically enables auditors to perform trend analyses more efficiently.

• Use of CAATs improves efficiency of compliance monitoring – compliance-related KRIs assist auditors in identifying high risk areas or areas where compliance risk exposures are changing.

• Identifying the red flags of fraud – CAATs can enable auditors to identify areas of potential fraud.


Where do internal auditors see the greatest opportunity for utilizing data analytics?
• Identifying emerging trends (and therefore risks)
• Continuous monitoring for compliance reporting
• Detecting fraud, waste and abuse

Data Analytics Approach
1. Develop a Vision
2. Evaluate Current Capabilities
3. Enhance People, Process, and Technology
4. Implement, Monitor, Evolve

Internal audit must consider broader organizational goals, balance short-term investments with long-term vision, and identify ways to gain the assistance of operational management and process owners.

To improve internal audit’s performance, strategic investments should be made to:
1. Enhance the skills and experience of personnel
2. Get the right data in the right form to perform analytics
3. Discover the software combination best-suited for the vision

Each internal audit group should assess its current capabilities in the three areas:
1. People
2. Process
3. Technology

After getting started, periodically measure your progress and be prepared to adjust your data analytics program to match your vision.

Top 3 benefits derived from using data analytics:
1. Audit process is streamlined.
2. Fieldwork time is reduced.
3. Fraudulent transactions are identified.

69% of organizations would like to focus more on data analytics.

88% believe there will be a greater emphasis on data analytics in the next 3-4 years.

Data Analytics: Elevating Internal Audit’s Value, is a 2016 book authored by Grant Thornton partners Warren Stippich and Brad Preber in conjunction with the Institute of Internal Auditors Research Foundation (IIARF). This practical guide helps internal auditors understand, adopt and integrate data analytics into everyday workflows and long-term initiatives; provides a data analytics framework to help broaden risk coverage and enhance audit efficiency; and assists with the necessary steps toward developing a plan to capitalize on data analytics technology and resources.

Top 3 ways internal audit used data analytics:
1. Analyzing trends
2. Monitoring compliance
3. Detecting fraud


Data Analytics – Implementation Template

1. Identify processes & prioritize
• Focus on critical business processes
• Target top risks
• Understand available data
• Assess anticipated benefits

2. Define success factors, KRIs, KPIs
• Identify thresholds that trigger reporting
• Align with organization's risk appetite and tolerances

3. Design tests / KRIs / KPIs
• Determine process frequency
• Define roles and responsibilities
• Allocate resources

4. Configure & implement tests
• Collaborate with business process owners and IT
• Develop test scripts
• Run test scripts

5. Manage & report results
• Vet observations / results with business management
• Report results to executive management and the Audit Committee
• Highlight value added

6. Lessons learned
• Evaluate performance and quality of results
• Adjust tests as needed
• Incorporate results into business monitoring and risk assessment


Examples of Data Analytics

Risk Reporting

Organizations are focusing on deeper analysis of risk-related issues and related remediation activities. Leading practice organizations aggregate audit-identified, management self-identified, and external / regulator-identified issues, and identify / assess / report on the following items; issues by:

• Risk Category / Type

• Risk Rating

• Risk Theme

• Root Cause

• Source

• Executive Owner

• Business Process Owner

• Target Completion Date

• Aging – Missed Target Completion Dates

Regulatory Compliance

Organizations are utilizing data analytics as a means to assess regulatory compliance, which can be performed on larger sets (in certain cases 100%) of the population. Institutions are utilizing data analytics to assess the completeness and accuracy of data input into models and also daily / regular transaction activity. Types of compliance analytics currently being used include:

• Data Accuracy Testing
• Calculation Re-performance
• Data Quality Reviews / Completeness of Input
• Entitlement Reviews
• Case Steps Analysis
• Wire Stripping Analysis
• Maker / Checker on Alert Disposition
• Jurisdiction of Maker / Checkers
• Completeness of Fields Captured for KYC
• Credit Limit / Authorizations
• Credit Concentration / CRA Compliance
• HMDA LAR Filing – Accuracy and Completeness
• Trade Execution, Settlement, Valuation
• Loss Mitigation Trial Payments
• System / Application; Side-by-Side Comparisons


Consider developing customized dashboards for continuous monitoring / auditing. Below are examples for monitoring BSA / AML risks.

Data Analytics Dashboard (Examples)


Practical Examples


Examples of Computer Assisted Audit Techniques (CAATs)

Example #1 – Review of the End to End Sales Process
CAAT: Investigation of Customer Complaints

Step 1: Obtain system access to the source system database which houses the total population of Customer Complaints.

Step 2: Evaluate total population to determine all relevant customer complaint information is captured.
• Customer complaint date
• Date of investigation
• Product type
• Relationship Manager

Step 3: Analysis of transactional data
• Compare the complaint date to the investigation date to verify adherence with company policy and / or regulatory requirement.
• Evaluate whether thematic / root cause analysis has been performed.
• Evaluate whether nature of customer complaints and results of investigation have been escalated to the appropriate risk committees.
• Determine whether specific complaints against specific Relationship Managers were escalated to relevant management and appropriate disciplinary action was taken.
• Independently assess whether relevant risk committees are executing appropriate strategic corrective action within the wider organization.


Example #2 – Review of Anti-Money Laundering
CAAT: AML Alert Monitoring

Step 1: Obtain system access to the source system database which houses the total population of AML Alerts for terrorist financing.

Step 2: Evaluate total population to determine all relevant alert information is captured.
• # of transactions with sanctioned countries
• Facility type / facility risk rating
• Alert date
• Date of AML alert investigation
• Result of investigation
• Relationship Manager

Step 3: Analysis of transactional data
• Compare the alert date with the investigation date to verify adherence with company policy and / or regulatory requirement.
• Evaluate whether a Suspicious Activity Report (SAR) was filed.
• Evaluate whether nature of facility risk rating is appropriate based on facility classification (i.e., bulk transactions should have a higher risk rating).
• Determine whether late SAR filings are associated with specific Relationship Managers and whether associated issue was escalated to appropriate management for disciplinary action, if warranted.
• Independently assess whether relevant risk committees are executing appropriate strategic corrective action within the wider organization.
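The AML alert test above, together with the earlier BSA / AML KRI (SAR within 30 days as appetite, within 60 days as tolerance), as an added example that is not part of the original presentation. The alert records, field names, the as-of date and the rule that an open alert only counts against a limit once it is older than that limit are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

APPETITE_DAYS = 30    # Risk Appetite on the slide: SAR within 30 days
TOLERANCE_DAYS = 60   # Risk Tolerance on the slide: SAR within 60 days
AS_OF = date(2017, 12, 31)  # constructed review date

# Constructed alert population; sar_date is None while no SAR has been filed.
ALERTS = [
    {"id": "A-001", "asset_type": "Commercial Real Estate", "rm": "RM-1",
     "alert_date": date(2017, 10, 2), "sar_date": date(2017, 10, 20)},
    {"id": "A-002", "asset_type": "Commercial Real Estate", "rm": "RM-2",
     "alert_date": date(2017, 10, 5), "sar_date": date(2017, 11, 20)},
    {"id": "A-003", "asset_type": "Residential Mortgage", "rm": "RM-2",
     "alert_date": date(2017, 10, 10), "sar_date": date(2017, 12, 20)},
    {"id": "A-004", "asset_type": "Residential Mortgage", "rm": "RM-3",
     "alert_date": date(2017, 10, 25), "sar_date": None},
    {"id": "A-005", "asset_type": "Commercial Real Estate", "rm": "RM-1",
     "alert_date": date(2017, 12, 15), "sar_date": None},
]


def days_outstanding(alert, as_of):
    """Days from alert to SAR filing, or to the review date if still open."""
    end = alert["sar_date"] or as_of
    return (end - alert["alert_date"]).days


def classify(alert, as_of):
    """Rate one alert against the appetite and tolerance windows."""
    days = days_outstanding(alert, as_of)
    if days > TOLERANCE_DAYS:
        return "tolerance breach"
    if days > APPETITE_DAYS:
        return "outside appetite"
    return "within appetite" if alert["sar_date"] else "open, not yet due"


def pct_sar_within(alerts, limit_days, as_of):
    """Percent of due alerts with a SAR filed inside limit_days (None if nothing is due)."""
    due = [a for a in alerts
           if a["sar_date"] is not None or days_outstanding(a, as_of) > limit_days]
    if not due:
        return None
    met = sum(1 for a in due
              if a["sar_date"] is not None and days_outstanding(a, as_of) <= limit_days)
    return 100 * met / len(due)


def kri_by_asset_type(alerts, as_of):
    """(percent within appetite, percent within tolerance) for each loan asset type."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert["asset_type"]].append(alert)
    return {asset: (pct_sar_within(group, APPETITE_DAYS, as_of),
                    pct_sar_within(group, TOLERANCE_DAYS, as_of))
            for asset, group in groups.items()}


def late_by_relationship_manager(alerts, as_of):
    """Count late or overdue alerts per Relationship Manager, highest first."""
    late = ("outside appetite", "tolerance breach")
    counts = Counter(a["rm"] for a in alerts if classify(a, as_of) in late)
    return counts.most_common()


if __name__ == "__main__":
    print(kri_by_asset_type(ALERTS, AS_OF))
    print(late_by_relationship_manager(ALERTS, AS_OF))
```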


Example #3 – Review of adherence to Credit Policies
CAAT: Credit Limit Breaches

Step 1: Obtain system access to the source system database which houses the loan / credit card portfolio(s).

Step 2: Evaluate total population to determine all relevant credit information is captured.
• Loan date
• Loan amount
• Type of loan
• Credit terms
• Lender
• Lender credit authorities

Step 3: Analysis of transactional data
• Compare the loan amount to the lender's credit authority to determine whether the lender exceeded his / her authority.
• Trend the data over time to determine if there are patterns of certain lenders consistently exceeding their authority.
• Perform a geographical analysis to determine if lenders in certain regions / branches routinely exceed their credit authorities.
• Determine whether credit limit breaches associated with specific lenders were escalated to appropriate management for disciplinary action, if warranted.
• For systemic issues, independently assess whether appropriate escalation to risk committees took place and appropriate corrective action was taken within the wider organization.
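The first three Step 3 tests of the credit limit CAAT, as an added example that is not part of the original presentation: it compares each loan with the lender's authority, finds lenders who breach in several months, and computes a breach rate per region. The loan records, authority table, region labels and the three-month threshold for a pattern are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed lender credit authorities: maximum amount each lender may approve.
AUTHORITY = {"Lender A": 300_000, "Lender B": 300_000,
             "Lender C": 300_000, "Lender D": 750_000}

# Constructed loan population: (loan id, loan date, amount, lender, region).
LOANS = [
    ("L-1", date(2017, 7, 3), 250_000, "Lender A", "East"),
    ("L-2", date(2017, 7, 18), 350_000, "Lender B", "West"),
    ("L-3", date(2017, 8, 9), 500_000, "Lender B", "West"),
    ("L-4", date(2017, 8, 21), 300_000, "Lender C", "East"),
    ("L-5", date(2017, 9, 5), 320_000, "Lender B", "West"),
    ("L-6", date(2017, 9, 12), 800_000, "Lender D", "West"),
    ("L-7", date(2017, 9, 25), 100_000, "Lender A", "East"),
    ("L-8", date(2017, 9, 27), 150_000, "Lender E", "East"),  # no authority on file
    ("L-9", date(2017, 9, 28), 400_000, "Lender D", "West"),
]


def check_credit_authority(loans, authority):
    """Return (breaches, unmatched): loans above the lender's authority, and
    loan ids whose lender has no authority on file (a completeness exception)."""
    breaches, unmatched = [], []
    for loan_id, loan_date, amount, lender, region in loans:
        limit = authority.get(lender)
        if limit is None:
            unmatched.append(loan_id)
        elif amount > limit:  # a loan equal to the authority is within it
            breaches.append({"loan_id": loan_id, "lender": lender,
                             "region": region,
                             "month": loan_date.strftime("%Y-%m"),
                             "excess": amount - limit})
    return breaches, unmatched


def repeat_breachers(breaches, min_months=3):
    """Lenders with breaches in at least min_months distinct months."""
    months = defaultdict(set)
    for breach in breaches:
        months[breach["lender"]].add(breach["month"])
    return sorted(l for l, seen in months.items() if len(seen) >= min_months)


def breach_rate_by_region(loans, breaches):
    """Percent of each region's loans that exceeded the lender's authority."""
    totals = Counter(region for _, _, _, _, region in loans)
    breached = Counter(b["region"] for b in breaches)
    return {region: round(100 * breached[region] / count, 1)
            for region, count in totals.items()}


if __name__ == "__main__":
    found, missing = check_credit_authority(LOANS, AUTHORITY)
    print(found, missing)
    print(repeat_breachers(found))
    print(breach_rate_by_region(LOANS, found))
```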


Example #4 – Assess third party risk
CAAT: Analysis of Vendor Spend

Step 1: Obtain system access to the source system database which houses the total population of vendors and related annual spend.

Step 2: Evaluate total population to determine all relevant vendor information is captured.
• Date Vendor became a “preferred” vendor
• Lifetime to Date (LTD) and Year to Date (YTD) spend column
• Vendor Discount Column
• Column to capture “Nature of spend”

Step 3: Analysis of transactional data
• Evaluate whether all vendors have a Master Service Agreement in place (i.e., truly a preferred vendor).
• Determine whether a vendor spend analysis occurs; increases of 10% or more should be investigated for reasonableness, etc.
• Evaluate whether organization is taking advantage of all vendor discounts.
• Analyze if there are opportunities to reduce number of vendors “for common spend” where there is use of 5+ vendors to achieve additional volume discount.


Example #5 – Review model inventory risks
CAAT: Model Inventory & Model Governance

Step 1: Obtain system access to the Model Inventory Database which houses the total population of models.

Step 2: Evaluate total population to determine all relevant Model Inventory information is captured.
• Does the model support DFAST?
• Was the model risk rated?
• When did the model become approved for use?
• When was the model last validated?

Step 3: Analysis of transactional data
• Evaluate whether all models with large overlays supporting DFAST were evaluated by relevant risk committees.
• If the model is risk rated “High” and it hasn’t been validated in line with company policy (i.e., 1 year), it’s a red flag and risk increases.
• When models are retired – are they removed from the model inventory – or marked “expired”?
• For models with overlays greater than 10% of the modeled result, are they still “used,” and is enhanced documentation supporting the overlay required?


Questions?


Disclaimer

This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered.

For additional information on matters covered in this presentation, contact your Grant Thornton, LLP adviser.


Thank you for attending

Visit us online at:

www.GrantThornton.com

twitter.com/GrantThorntonUS

linkd.in/GrantThorntonUS

[email protected]

mobile: 919-748-9862
