Control and testing transformation


Innovation and disruption are providing incredible opportunities and challenges to the process, risk and control environment in the financial services industry, impacting nearly every facet of the value chain and the risk profiles of financial institutions.

1 Introduction: Current state

Change and disruption are providing incredible opportunities and challenges to the financial services industry, impacting nearly every facet of the value chain and the risk profiles of our organizations. Disruption in financial services manifests itself from a variety of internal and external factors and will require new risk and control capabilities in order for firms to successfully harness the benefits and avoid the pitfalls of innovation.

Figure: Evolving risk, control and testing strategy
- Regulatory focus (ring-fencing, transparency, sustainability)
- Cost pressure (falling ROE, pressure to reduce headcount)
- Global megatrends (digital everything)
- Emerging risks (cyber, conduct)
- Market entrants (FinTech)
- Scarce capital and liquidity
Risk governance framework; Internal control framework; Testing and monitoring
- Limited integration between risk governance with internal controls and testing frameworks
- Multiple process, risk, internal control and testing frameworks
- Inconsistent coverage of nonfinancial risks across the three lines of defense (3LoD)
- Manual controls and testing
- Limited availability of skilled controls and testing resources
- Limited use of analytics and automation in controls and testing
Key challenges
- Achieve sustainability (coverage, cost, competency)
- Manage risk and change
- Drive accountability
- Improve transparency
- Drive growth and business value

Many firms are not satisfied with the effectiveness or efficiency of their current operating models for control ownership and testing activities. This comes as no surprise since, over the past decade, various programs were constructed in reaction to specific issues or regulatory mandates, rather than through consistent, strategic design. Firms are confronted by overlapping testing frameworks required by different stakeholders and disciplines (e.g., SOX, regulatory reporting, operational risk programs and compliance inspections). The result has been control and testing frameworks that are fragmented, redundant, unreliable and difficult to maintain. Firms are seeking the ability to provide an aggregate view and are therefore evaluating their risks and controls. These drivers are forcing firms to evaluate their risk governance, internal control and testing frameworks, and to assess whether they have the right mix of control testing between the first and the second lines of defense.

1 Introduction: Current state (Cont.)

Determining the right mix of control testing between the first and the second lines of defense and the shifting of activities from the second line to the first line of defense is leading firms to re-evaluate their operating models. The IIF/EY (Institute of International Finance) survey showed that the tide is turning away from simply adding more headcount in risk and compliance and turning toward an increase in first-line resources to support first-line accountability. The increase is also consistent with the Federal Reserve's proposed Large Financial Institution (LFI) Rating System where the effectiveness of internal controls and testing frameworks will be assessed and rated as part of the supervisory evaluation.

Figure: Headcount changes in 2017 (Risk management; Compliance), shown for first-line risk-control units and the second-line risk-management function as Decrease / No change / Increase. Source: Institute of International Finance (IIF)/EY 2017 Risk Management Survey (n=77 banks).

As leaders of risk, control and testing functions look ahead to evaluate the impact of these forces on their organizations, they should begin with two questions:

1. Are my firm's control and testing capabilities agile and flexible enough to adapt and help our organization achieve its desired goals and objectives within a defined range of acceptable variability?
2. How can we better leverage the drivers of disruption to better utilize scarce risk, control and testing resources to be more effective and efficient at controls assurance?

In answering these questions, financial firms will find that there is significant opportunity to further optimize both controls and their testing.

2 How do firms identify and implement enhanced control and testing capabilities?

Institutions are seeking to evolve their risk and control strategy from a tactical, regulatory-driven approach to a more cost-effective, scalable and sustainable approach to meet both regulatory and business drivers. We have observed institutions using disproportionate amounts of their control and testing resources to address tactical and regulatory requirements. We believe that firms must mobilize attention and resources to standardize frameworks, re-engineer capabilities utilizing emerging technologies and employ alternative staffing models to drive efficiencies and improve effectiveness.

As firms evaluate their risk, control and testing frameworks, there are opportunities to optimize control and testing programs. The following image depicts a range of activities that organizations can undertake to standardize, normalize and improve a firm's control and testing capabilities.

Figure: Program evolution (foundational to optimized): Framework standardization; Capability re-engineering; Operational efficiency

Capabilities and benefits:
- Control standards: Improve coverage of material and emerging risks; Enhance control effectiveness
- Control rationalization: Focus on key controls (~40% reduction in controls to be tested); Enhance sustainability of testing programs
- Testing execution: Improve quality of testing outcomes; Increase reliance on testing activities
- Testing center of excellence: Improve quality of testing outcomes; Develop testing competency and knowledge; Reduce duplication and costs
- Control automation: Improve control effectiveness; Transition to monitoring vs. manual testing; Reduce cost of control assurance
- Testing automation: Reduce cost of testing (~40%-50%); Improve testing quality; Enhance testing coverage
- Managed services (external providers): Improve subject-matter knowledge; Reduce internal cost (~30%-40%); Improve testing outcomes

Objectives:
- Achieve sustainability (coverage, cost and competency)
- Manage risk and change
- Drive accountability
- Promote transparency
- Drive growth and business value

2 How do firms identify and implement enhanced control and testing capabilities? (Cont.)

It's important for firms to consider the interconnectedness of risk, controls and testing and the interdependencies across frameworks, activities and the supporting infrastructure. Firms can begin by re-evaluating their risk, control and testing frameworks to determine whether they are providing adequate alignment and support consistency and integration of the outputs across the lines of defense. Companies should also consider technology enablement for their testing processes and functions; existing and emerging technologies should be considered to (1) create more trustworthy and optimized testing solutions, and (2) develop a dashboard that includes key control indicators or key performance indicators in hopes of reducing sample-based testing or detective testing. To maximize assurance and efficiencies in the risk governance framework, internal controls and testing space, firms should have a strategy that integrates risk governance, controls and testing frameworks.

Risk governance framework
- Board oversight: Board and senior management oversight over risk governance framework
- Risk identification/appetite: Framework to identify and define thresholds for material financial and nonfinancial risks
- Process/risk/control taxonomies: Framework to establish consistent firmwide process, risk, control taxonomies
- Lines of defense: Roles and responsibilities across risk takers, enablers, independent risk oversight and Internal Audit
- Risk reporting: Ongoing reporting of risk appetite and related KRIs/KPIs

Internal control framework
- Control standards: Standards for control design and operating effectiveness, including effective challenge and issue management
- Control rationalization: Identification of key controls to mitigate material financial and nonfinancial risks
- Control automation: Automation of key controls to enhance the sustainability of the control environment

Testing and monitoring
- Testing execution: Enterprise standards for testing (design/operations) and monitoring of controls
- Testing center of excellence: Centralize testing function to develop specialized testing skill set and enhance testing execution
- Testing automation: Framework, standards and strategy to automate testing
- Delivery models: Strategy to outsource testing activities to optimize costs

Also shown in the figure: Business strategy and change; Technology (automation, analytics, workflows); Strategic process and control transformation

In the next two sections, we will discuss two components of this integrated framework.

3 Back to basics and prerequisites for control transformation

Firms seeking to evolve and innovate within their risk, control and testing capabilities are realizing that, in order to move ahead, they need to revisit some of the foundational elements of their frameworks. Many firms are re-evaluating their internal control standards, process, risk and control taxonomies (including approaches for risk and control identification), and three lines of defense responsibilities; establishing new enterprise-wide control standards; and then executing control rationalization prior to embarking on investments in automation, labor pool transitions and testing execution enhancements.

1. Define and develop risk and control taxonomy, key control and documentation standards
- Develop a single process, risk and control taxonomy suitable for multiple disciplines
- Define standards for business-specific process, risk and control documentation

2. Gather control inventories and compare them with defined standards
- Gather existing control inventories used by business lines and functions
- Examine control inventories, aided by data analysis tools (e.g., text analytics)
- Compare existing inventories against defined standards to identify areas for remediation (e.g., blank fields, inconsistent/incomplete control documentation)

3. Prioritize areas for remediation
- Assess, rationalize and prioritize deficiencies for remediation
- Leverage data quality scorecards and dashboards to guide the remediation effort and provide reporting

4. Remediate/address deficiencies identified
- Assess, rationalize and prioritize deficiencies for remediation
- Establish a quality assurance process to drive consistency in processes and to provide an input into the maintenance of standards

Firms are investing time and energy in developing or emerging technologies to facilitate the adoption and maintenance of new taxonomies, standards and linkages across frameworks and disciplines. Some firms are exploring natural language processing to identify opportunities for improvement, perform data enrichment and create linkages that previously were cumbersome and judgment based.

4 Industry trends with respect to testing operating models

The fact that many of the testing activities and resources are overlapping and not delivering the desired value has left business, risk and control leaders searching for opportunities to move toward a model that is effective and cost efficient. One recent approach increasingly gaining traction is the standardization and centralization of first-line testing activities through operating models that are tailored to the originations or disciplines. Organizations are evaluating opportunities to gain these efficiencies, with 52% stating that their testing utilizes higher-cost business analysts and 61% of banks evaluating where automation can be used in testing. Source: IIF/EY 2017 Risk Management Survey (n=77 banks).

A testing center of excellence can be implemented across one or more key risk domains.

Figure: Risk domains
- Key risks: Operational risk; Compliance risk; Strategic risk; Reputational risk; Interest rate risk; Liquidity risk; Price risk; Credit risk
- Sub-risks: Internal fraud; External fraud; Employment practices and workplace safety; Clients, products and business practices; Damage to physical assets; Business disruption and systems failures; Execution, delivery and process management; Regulatory compliance
- Key design principles: First-line accountability; Second-line review and challenge; Testing COE; Competency (single domain vs. cross-domain); Sustainability of COE

Firms that are establishing testing centers of excellence (COEs) are seeking to standardize test execution, improve test outcomes, build testing competency knowledge and effectively manage costs. In many examples we are observing in the industry, testing COEs generally cover controls testing and substantive testing. There is a range of practice depending upon the risk domain and whether the COE is established in the first or second line of defense. Most of the testing COEs are being established in the second line of defense across compliance, operational risk and SOX. In limited instances, some testing COEs are being established in the first line, given the decentralized nature of business processes and controls and the requirement for specific product and business knowledge. Even with a wide range of practices across the industry, testing COEs are emerging, given the push to enhance testing reliability, consistency and cost efficiency.

4 Industry trends with respect to testing operating models (Cont.)

Figure: survey results in three panels. Areas where testing is centralized (Compliance; Internal audit; Operational risk; Technology risk; All first-line testing). Size of testing function (Risk; Compliance). Use of automation in testing (Not planned yet; Piloting in some areas; Evaluating where it can be used). Types of resources: Higher-cost business analysts (52%); Low-cost local resources (48%); Low-cost offshore resources (19%). Source: IIF/EY 2017 Risk Management Survey (n=77 banks).

In this transition, questions abound:
- Who should test: first line, second line or both?
- How does testing fit with second-line oversight: are we testing the controls or testing the testers?
- How should we test: which skill sets and techniques are needed for meaningful tests of different risk types?
- Can we afford it: how can reliance, risk ordering and technology make our testing effort efficient?

5 How we can help: EY Diagnostic, a rapid assessment of the current state with a road map to the future state

Many firms are looking for a road map to achieve their desired end state. We have a seasoned group of control testing and risk professionals who can help evaluate your firm's current state and recommend the actions required to arrive at the desired outcome. We have supported our clients by performing diagnostic reviews of their control testing practices across the components of an optimized testing program. We have helped control testing functions enhance their testing standards, methods, procedures and templates. We also help control testing functions identify redundancies in testing programs and have developed control testing playbooks for broader organizations.

To implement an optimized testing program, organizations are recommended to perform a current state assessment that includes the steps listed below.

Step 1: Inventory
- Identify areas of control testing across the organization and the lines of defense
- Classify testing into respective lines of defense

Step 2: Evaluate
- Evaluate testing for efficiency and effectiveness opportunity: standardization of risk and control taxonomies, risk assessment, methodology, testing execution, documentation, reporting and issue management

Step 3: Prioritize
- Based on evaluation results: summarize opportunity for centralization
- Develop an optimization plan: prioritization, control rationalization, automation

Benefits of diagnostic reviews
- Low-cost, short-term project: Are normally short-term projects with low budgets
- Provide strong foundation for the target state: Identify the opportunities for centralization and associated benefits before designing the future operating model
- Highlight the current state: Also assist in documenting the current state of operations
- Efficiency opportunities

We work with our clients to deliver custom solutions after analyzing and understanding their specific control and testing needs and goals. Our cross-functional team has worked with clients to develop plans and solutions for optimizing the control and testing capabilities, taking into consideration the idiosyncratic challenges and priorities.

Key takeaways for further consideration:
- Organizations are defining their target-state risk, control and testing strategy, including strategic process and control transformation, to implement a sustainable and cost-effective framework.
- Risk, control and testing strategy will continue to evolve to address emerging challenges from disruptive technologies and digital transformation in addition to cost pressure.
- Regulatory requirements and feedback continue to be the biggest business drivers for implementing internal controls, conducting testing activities and implementing remediation efforts.

Ernst & Young LLP contacts
- Tom Campanile, Partner
- Gagan Agarwala, Principal
- Mary Lou Peters, Executive Director
- Adam Rosenthal, Executive Director
- Jessica H. Rodgers, Partner
- Patrick D. Pfeil, Executive Director
- Dan Costa, Principal
- Rushabh Mehta, Senior Manager

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

EYGM Limited. All Rights Reserved.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.