Risk culture and internal audit (final, presented 24 Sep)
Risk Culture and Internal Audit
Angus Ang, CISA, PMP, CC
This presentation and views expressed are my own and do not represent or attempt to represent the Bank's opinion or stand in any way.
Risk Culture and Internal IT Audit: Synopsis
1. A risk culture maturity ladder model is proposed to categorize the different manifestations of risk culture.
2. All the possible job types of internal IT auditors are identified and discussed, to understand the implications and challenges of the FI's risk culture maturity on the auditors.
This presentation
• does not aim to be prescriptive about what an FI's Internal Audit should or should not do;
• through research, personal experience and interviews, aims to provide a framework for auditors, the Chief Audit Executive (CAE) and management to understand where their risk culture stands, its implications and the challenges facing its auditors.
Risk Culture and Internal IT Audit: Speaker's profile
Angus Ang
1. is an IT auditor with Group Audit, DBS Bank in Singapore;
2. has over 10 years of experience in the IT industry spanning IT development, project management, consultancy and audit;
3. has a basic degree in Computer Engineering, a master's degree in Applied Economics, and is a certified CISA and PMP.
Introduction/Agenda
Why Risk Culture?
Enterprise Risk Management (ERM)
Risk Appetite
Risk mgmt process
Risk mgmt methods
Risk Culture & ERM
What is IA? IA in Enterprise Risk Management
IA guidelines
IA re-positioning
Working with IA
Conclusion & Take-aways
Risk culture and IA jobs
Risk Culture Maturity
IA Jobs
Agenda
Why Risk Culture?
'Cultivation of a consistent risk culture throughout firms is the most important element in risk management' (2008 report by the Institute of International Finance (IIF) on the failings that led to the credit and liquidity crisis among global banks)
Sep 2008: The Economist depicting Fannie Mae, Freddie Mac, Lehman Bros and AIG spiraling down into a tornado
WIKI: The financial crisis was triggered by a complex interplay of policies that i. encouraged home ownership, … ii. overvaluation of bundled sub-prime mortgages… iii. questionable trading practices iv. compensation structures, v. lack of adequate capital holdings…
Risk management culture, 22: "Supervisors should require that the financial conglomerate have in place processes and procedures to engender an appropriate group-wide risk management culture." Principles for the supervision of financial conglomerates, Basel Committee on Banking Supervision (Joint Forum), September 2012
11.6: "…the responsibilities of the Board include, but are not limited to: (a) setting the tone from the top, and inculcating an appropriate risk culture throughout the firm…" Guidelines on Corporate Governance for Financial Holding Companies, Banks, Direct Insurers, Reinsurers and Captive Insurers which are Incorporated in Singapore, The Monetary Authority of Singapore, 3 April 2013
Enterprise Risk Management serves the corporate objectives to achieve performance. Risk appetite defines the risk management limits & tolerance which guide risk management activities.
[Diagram: Corporate Planning (Biz strategy & Environ, Biz objectives); Enterprise Risk Management (Risk Appetite, Risk mgmt Activities); Corporate Performance (Biz return)]
Risk limits & tolerance
Quantifiable:
• Credit – PD, EAD, LGD, EL, Rating
• Liquidity – bid-offer spread, MCO
• Market – VAR, stress test
Non-quantifiable (or harder to quantify):
• Operational – 'Basel II 3 approaches', failure/incident
• Technology – uptime/response
• Reputational
Abbreviations: PD – Probability of Default; EAD – Exposure at Default; LGD – Loss Given Default; EL – Expected Loss; MCO – Maximum Cumulative Outflow; VAR – Value-At-Risk
Risk Treatments and Process
While Enterprise Risk Management (ERM) is more complicated, involving different units and methodologies, the risk management process & treatments are clearer and consistent.
Risk treatments:
• Avoid – eliminate/withdraw
• Reduce – optimise/mitigate
• Share – transfer/outsource
• Retain – accept/budget
Process (cycle): Identify Risk → Assess Risk → Control Risk → Review Control
Risk Culture is central to the ERM. It tends to result/develop from top-down policies, processes & reporting structures. However, risk culture 'feeds back' to ERM too, further developing the ERM (policies/procedures, etc.).
[Diagram: Corporate Planning (Biz strategy & Environ, Biz objectives); Enterprise Risk Management (Risk Appetite, Risk mgmt Activities) with Risk Culture at its centre; Corporate Performance (Biz return)]
Ref: The RMA Journal: Jul-Aug 2013
Risk culture manifests in collective behaviours and mindset. Here we attempt to show the more distinctive features of different levels of risk culture.
• Risk issues pushed to inappropriate staff • Risk activities opposite to corporate strategic objectives
• IA function unknown/unfamiliar • IA double hatting • IA reporting to operational head
• Risk accountability within mgmt and policies to guide decision making
• Clearly defined RM role • Defined risk mgmt course
• Coherent ERM framework incorporating all the risk and control units • Risk-adjusted performance established
• Risk profile optimised for comparative advantage • Risk appetite, strategic direction, risk activities aligned
• Risk monitored by exception • Some issues not tracked, owned/closed
• KPI against audit issues • Risk mgmt addresses only past incidents • Mgmt pays lip service to risk control
• Single view of risk across organisation (structure, system, process)
• Hiring and promotion consider risk inputs • Sees risk issues as areas to perfect
Abbreviations: IA – Internal Audit; KPI – Key Performance Indicator; RM – Risk Management; ERM – Enterprise Risk Management
Ref: PwC, Get up to speed
• No commitment to risk; only biz support • BAU firefighting; incidents are clearly preventable • Weak IA charter
• IA & compliance roles unclear • No KPI on risk activities • CRO or Ops Hd as CAE
• Risk entities part of new project/product risk assessment/operation planning & execution • Whistle-blowing procedures established
• IA findings go beyond compliance/policy nature • IA invited to most forums/meetings
• Coherent ERM framework incorporating all the risk and control units • Risk mgmt driven from board level
• CAE is a tier 1 executive • KPI on self-identified risk issues or audit recommendations to improve
• CAE reporting to executive board only • Some understanding of risk mgmt, roles of risk entities
• Prevalent and systematic way of working against risk control and units
• Board assumes defined risks • Risk and control units work closely to complement and advance ERM
Abbreviations: AC – Audit Committee; CRO – Chief Risk Officer; ERM – Enterprise Risk Management
While which features represent which level of maturity is controversial, we hope to at least provide a certain representation of each maturity level. It is the CAE, AC and management's decision which level of risk maturity is optimal for the company.
Abbreviations: BAU – Business As Usual; IA – Internal Audit; KPI – Key Performance Indicator; CAE – Chief Audit Executive
Agenda
What is Internal Audit (IA)? What are the roles and objectives of auditors?
Ref: www.spf.gov.sg
• Many see auditors as the mata mata (police).
• To catch and reprimand in order to uphold the law (or policies)
• Is IA/auditors all about catching/finding issues?
A closer examination of the IIA's standard of practice shows that IA work is not about 'policing'. If IA focuses on finding faults, it would be missing the forest for the trees.
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS), dated Oct 2012, by the Institute of Internal Auditors (IIA)
2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2110 – Governance*: The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics & values within the organisation
• Ensuring effective organisational performance management & accountability
• Communicating risk & control
• Coordinating activities & information among the board, external auditors, internal auditors & management.
2120 – Risk Management*: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2130 – Control*: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
[Diagram: Findings/Recommendations are the means; evaluating the improvement of 1. governance, 2. risk mgmt & 3. control environment are the objectives]
* Sub-points 2110.A1/2, 2120 interpretation, 2120.A1/2, C1/2/3, 2030.A1, C1 are not reflected here
IA is commonly understood to be the third line of defense against risk events. IA is part of the ERM ecosystem together with IT governance, compliance and risk mgmt!
IIA: Position paper on 3 lines of defense for ERM, Jan 2013
We identify IA job types and categorize them into 7 main types based on commonality, difficulty to conduct and audit approach. The 'newer', more difficult and involved job types can bring more value but are also more challenging to conduct. The various considerations need to be addressed...
Considerations: + Skillsets + Methodology + Engagement + Deliverables + Scope + Value adding + Independence
1. Regular/Scheduled/Regulatory audits: • Regulatory • Corp gov • ERM process • Ethics • Executive compensation • Outsourced ops • ISO/QA • Compliance
2. Post-Implementation assessment: • Post-cutover assessment
3. Ad-hoc requests
4. Consultancy
5. Investigation
(Examples spread across types 3 to 5: • Fraud • Regulators' request • Process improvement • Data mgmt • Whistle blow)
6. Pre-Implementation assessment: • Project assessment • Penetration test & Vulnerability assessment
7. M&A/Integration assessment: • Due Diligence
[Chart: job types plotted by Commonality of Audit Job types against Difficulty of Audit Job types; labels: Participative/Anticipative/Reactive approach, Collaborative, Non-compliance evaluation, Biz/Process optimisation, Standardisation]
IIA has a position paper on the types of IA jobs that should not be undertaken, can be undertaken with safeguards, and are core IA roles.
Ref: 'Fear Factor', Feb 2013, The Internal Auditor; IIA Position Paper, Jan 2009: The Role of Internal Auditing in Enterprise-wide Risk Management
Agenda
Now that we have seen the various examples of different risk culture maturity levels, and what ERM & IA are about, how are these three related?
[Diagram: Risk Culture; Enterprise Risk Management (ERM); IA, part of …]
The various job types of internal IT auditors are identified against the risk culture maturity levels in a typical setup. Different risk cultures support different IA job types. While conducting the more value-adding job types helps to develop the risk culture, IA faces more 'head wind' when the risk culture is relatively immature.
[Chart: the 7 job types listed above (Regular/Scheduled/Regulatory audits, Post-Implementation assessment, Ad-hoc requests, Consultancy, Investigation, Pre-Implementation assessment, M&A/Integration assessment) plotted by Commonality against Difficulty of Audit Job types and mapped to the risk culture maturity levels; labels: Considerations (+ Skillsets + Methodology + Engagement + Deliverables + Scope + Value adding + Independence), Participative/Anticipative/Reactive approach, Collaborative, Non-compliance evaluation, Value-adding, Biz/Process optimisation, Standardisation]
IT governance, risk/compliance & IA all manage risk. They all play a part in the same risk ecosystem; more synergy can be derived by working closely together.
Process (cycle): Identify Risk → Assess Risk → Control Risk → Review Control
• All risk and control units work on the same risk management process.
• Since all these units belong to the same corporate/bank, why are all units (IT gov, risk/compliance, audit) doing the whole process separately and disparately? Would it make sense for all these units to conduct the 'identify risk' process together? Or at least align on the same risk focus areas?
Takeaway for Internal auditors
Can IA see itself as an integral entity within the ERM, align its risk focus areas with all the risk and control units, and contribute coherently to corporate performance based on the established risk appetite?
[Diagram: Corporate Planning (Biz strategy & Environ, Biz objectives); Enterprise Risk Management (Risk Appetite, Risk mgmt Activities: define risk appetite; identify, assess, control; risk monitoring); Corporate Performance (Biz return)]
Takeaway for Internal auditors
1. IT Gov
2. Risk, Compliance
3. Audit
3 lines of defenses!
By asserting its independence, IA can value-add by providing independent assessment and recommendations while remaining coherent in addressing the identified higher-priority enterprise risks. In this way, the real strength of the 3 lines of defense can be realised.
[Diagram: risk events passing through the three lines: IT Gov, Risk/Compliance, Audit]
Takeaway for Internal auditors
[Diagram: the three lines (1. IT Gov, 2. Risk/Compliance, 3. Audit) aligned on shared Risk Focus Areas 1 to 5]
Food for thought
1. IA can move an organization forward, not just prevent it from going backward.
2. Few (IA functions) are confident enough to provide specific assurance and recommendations to move risk management ahead in their organization. Barriers cited: 1. beyond scope, 2. lack of mgmt support, 3. lack of coordination or clarity of roles, 4. lack of knowledge, 5. need for training.
3. IIA and IA units were not set up to find faults or establish themselves as public enemies. Indeed, if IA focuses on its end objectives (rather than its means) to value-add and improve the overall risk culture together with its stakeholders, it would be able to establish its credibility and become a trusted function of the Bank in advancing its corporate objectives. Similarly, the rest of the IT functions can work with IA to improve their processes and systems with a win-win mindset.
4. What KPI can be set for IA and other risk-control units to align their efforts to the business and corporate strategy? How does one quantify the value of raising an issue on a risk event that will be mitigated or prevented? Can KPIs be set on the 3 key objectives of IA?
5. If IA's objective is the improvement of governance, risk mgmt & the control environment, why is IA spending so much time looking for/identifying weaknesses rather than building on strengths? Are there other ways for IA to meet these objectives short of raising issues?
6. The risk appetite statement (for credit, market & liquidity) sets the limits & tolerance levels for these risks. This serves as the basis for assessing internal control adequacy (for the Audit Committee & SGX). In the absence of a quantifiable risk appetite statement for operations & technology (and corresponding limits & tolerance levels), what then is the basis to assess the adequacy of the operational and technology control environment?
7. Should operational and technology risk be assessed together with the Bank's risks (credit, market, liquidity) to understand the interdependencies and impact?
Working with IA
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS), dated Oct 2012
2100 – Nature of Work: The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
2110 – Governance: The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives: promoting appropriate ethics & values, effective organisational performance management & accountability, communicating risk & control, coordinating activities & information among the board, external auditors, internal auditors & management.
2120 – Risk Management: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
2130 – Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Takeaway for other IT functions
Working with IA. IA's objectives:
• improving the governance process
• effective organisational performance management
• contributing to the improvement of risk management processes.
Misconception: IA's KPI is the number of issues it raises. However, IA needs to demonstrate its work done & justify its hours.
1. Engage/use/leverage IA's wealth of knowledge in regulation, process and control vulnerability, especially in pre-implementation.
2. Set up ground rules with IA so that IA can value-add by providing opinions (not necessarily issues) such that processes and systems can be improved and not layered with extra controls (especially in pre-implementation projects).
3. After an exception is found, work with IA to improve the control environment and optimise the process/system to derive effective and efficient controls.
Takeaway for other IT functions
Conclusion: IA need not retreat into its secure realms of familiar jobs.
• By actively engaging to re-position itself as an integral function of the corporate ERM,
• and exploring newer job types to value-add,
• it can establish itself as a trusted partner in advancing the corporate objectives too.
IT stakeholders can learn to work with IA in a win-win situation: • Understand IA better • Understand IA's role • Engage IA in a win-win scenario
International Standards for the Professional Practice of Internal Auditing (Standards) by IIA