Vendor Management Challenges and Expectations An Open Discussion April 13, 2017
Practical solutions driving tangible results
Vendor Management Challenges and Expectations
An Open Discussion
April 13, 2017

Agenda
Common Themes
Discussion Expectations
Overcoming Obstacles
Common Comments
Cybersecurity Assessment Tool Expectations
Reviewing Control Reports
Additional Information

Regulatory Focus Continues
FIL Guidance for Managing Third Party Risk
FIL Guidance on Payment Processor Relationships
FIL Revised Guidance on Payment Processor Relationships
CFPB Bulletin on Service Providers
FFIEC IT Exam Handbook, Outsourcing: added Appendix D, Managed Security Service Providers (MSSP)
FFIEC Statement, July: Outsourced Cloud Computing
FFIEC Administrative Guidelines (Oct 2012): Supervision of Technology Service Providers
FDIC Compliance Manual (July 2013): Abusive Practices - Third Party Procedures
OCC Third Party Relationships: Risk Management Guidance
FFIEC Joint Statement (Oct 2013) on End of Microsoft Support for XP
FRB SR 13-19/CA Guidance on Managing Outsourcing Risk

Volunteers?
This is a Fun and Exciting System
Who is Responsible?
Management Appreciates the Effort

Not My Job
Inconsistent Documentation
Inconsistent Risk Assessments
Limited Final Reviews

But Paperwork Doesn't Fix Anything
It just slows down the process
We need it now
Marketing already signed the contract
But we know these guys, we have had them for years
There is nobody else
We are stuck with them

Know Your Vendors
Aligning the Level of Oversight with Regulatory Expectations
PLANNING FOR NEW RELATIONSHIPS

Prior to Entering Into a Significant New Third Party Relationship
Need a formal plan to manage this
Identify and document all the risks associated with the significant activity being outsourced
Plan for mitigation of those risks proactively
Ensure it aligns with strategic direction as well as management's and the Board's risk appetite
Require Board approval
Develop contingency plans

Due Diligence Review
OCC and FRB Changing the Playing Field
We've talked about a lot of this before; now it is in writing and very specific!
Strategies and Goals
Legal and Regulatory Compliance
Financial Condition
Business Experience and Reputation
Fee Structure and Incentives
Qualification, background and reputation of company principals
Risk Management

Due Diligence for Significant Relationships (cont.)
Information Security
Management of Information Systems
Resilience
Incident Reporting and Management Oversight
Physical Security
Human Resource Management
Reliance on Subcontractors
Insurance Coverage
Conflicting Contractual Arrangements with Other Parties

Common Comments
Overall Vendor Management Program Documentation Not On Hand / Not Reviewed
Continuous Cyclical Process Dependent on Vendor's Documentation and Control Cycles

Common Comments
Customer Information Risk Unaccounted For
Critical Vendors versus High Risk Vendors
Due Diligence Requirements Based on Risk and Criticality Levels

Best Practice
Double check to be sure you have accurately identified all your critical/significant vendors:
Review the significant/critical criteria and run through your vendor list (not suppliers, actual vendors/service providers) to see if any are missing
Review the various types of vendor risk and run through the list again to identify all vendors with significant compliance/legal risk, then all vendors with significant transaction risk, reputation risk, operations risk, strategic risk, etc.

Should you work with a vendor that will not or cannot comply?
The OCC explicitly spells it out - if the due diligence results do not meet expectations, management should recommend:
That the third party make appropriate changes to comply with expectations,
Supplement the third party's resources or strengthen controls to properly manage the risks,
Find an alternate third party,
Conduct the activity in-house, or
Discontinue the activity altogether!
Third-party relationships that involve critical activities:
Management should present results of due diligence to the Board
Issues raised in due diligence must be thoroughly reviewed, discussed, analyzed, documented, and the risk mitigated to the Board's satisfaction before the financial institution enters into a contract
FFIEC Cybersecurity Assessment Tool
Contracts - Baseline Level
Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls.
A list of third-party service providers is maintained.
A risk assessment is conducted to identify criticality of service providers.
Formal contracts that address relevant security and privacy requirements are in place for all third parties that process, store, or transmit confidential data or provide critical services.
Contracts acknowledge that the third party is responsible for the security of the institution's confidential data that it possesses, stores, processes, or transmits.

FFIEC Cybersecurity Assessment Tool
Contracts - Baseline Level (and these)
Contracts stipulate that the third-party security controls are regularly reviewed and validated by an independent party.
Contracts identify the recourse available to the institution should the third party fail to meet defined security requirements.
Contracts establish responsibilities for responding to security incidents.
Contracts specify the security requirements for the return or destruction of data upon contract termination.

FFIEC Cybersecurity Assessment Tool
Due Diligence and Monitoring - Baseline (these too...)
Due Diligence:
Risk-based due diligence is performed on prospective third parties before contracts are signed, including reviews of their background, reputation, financial condition, stability, and security controls.
A list of third-party service providers is maintained.
A risk assessment is conducted to identify criticality of service providers.
Monitoring:
The third-party risk assessment is updated regularly.
Audits, assessments, and operational performance reports are obtained and reviewed regularly, validating security controls for critical third parties.
Ongoing monitoring practices include reviewing critical third parties' resilience plans.

FFIEC Cybersecurity Assessment Tool
Contracts - Evolving Level
Responsibilities for managing devices (e.g., firewalls, routers) that secure connections with third parties are formally documented in the contract.
Responsibility for notification of direct and indirect security incidents and vulnerabilities is documented in contracts or service-level agreements (SLAs).
Contracts stipulate geographic limits on where data can be stored or transmitted.

FFIEC Cybersecurity Assessment Tool
Due Diligence and Monitoring - Evolving Level
Due Diligence:
A formal process exists to analyze assessments of third-party cybersecurity controls.
The board or an appropriate board committee reviews a summary of due diligence results, including management's recommendations to use third parties that will affect the institution's inherent risk profile.
Monitoring:
A process to identify new third-party relationships is in place, including identifying new relationships that were established without formal approval.
A formal program assigns responsibility for ongoing oversight of third-party access.
Monitoring of third parties is scaled, in terms of depth and frequency, according to the risk of the third parties.
Automated reminders or ticklers are in place to identify when required third-party information needs to be obtained or analyzed.

SSAE16 / SOC Reviews
Report of Controls - SOC 1 or SOC 2
Ensure the Function is Covered
Note the Date of the Review
Review the Scope
Check for Qualified Opinions
Document the User Entity Controls Requirements
Note and Analyze Exceptions Noted
Maintain Responsibility and Accountability for the Reviews by Third Parties

Best in Class Systems
Due Diligence Complete Prior to Contracts Being Signed
Automated Triggers for Periodic Reviews on the Full List of Vendors
Automated Document Requirements Based on Risk and Criticality Levels
Evaluations of GLBA / Red Flag
Documented Review of Materials
Documents are Retained
Questions?
Christopher Nolan, CISA, CISM, CGEIT
Regional IT Audit Director
Risk and Compliance

Additional Detailed Information
Examiner Expectations and Guidance
Critical or Significant Vendors
Vendor Risk Assessment
Identifying the Risks for Each Critical/Significant Vendor
Planning for New Relationships
Aligning Level of Initial Due Diligence and On-Going Oversight with Regulatory Expectations

FIL Guidance for Managing Third Party Risk
Outlined a general framework for third party risk management
Four Main Elements of Effective Vendor Risk Management Programs:
Risk Assessment
Due Diligence in Selecting a Third Party
Contract Structuring and Review
Oversight
Introduced the concept of Significant Vendor Relationships, not just Technology vendors

FIL Guidance for Managing Third Party Risk
Identifying Significant Relationships
Significant Information Security Exposure
Product or Service is a New Activity
Critical to On-Going Operations
Not just a high, medium, low risk exercise
Assign Responsibility for Oversight to Senior Management and Report to the Board
Identify and control risks to the same extent as if the activity were handled within the institution

OCC Bulletin: Third Party Relationships: Risk Management Guidance
The OCC is concerned that the quality of risk management over third-party relationships may not be keeping pace with the level of risk and complexity of these relationships
The OCC specifically cited failure to assess the direct and indirect costs, failure to perform adequate due diligence and monitoring, and multiple contract issues as troublesome trends.

OCC Bulletin: Critical Activities
Significant bank functions (such as payments, clearing, settlements, and custody)
Significant shared services (such as information technology)
Other activities that could significantly impact customers, require significant investment in resources to implement the relationship and manage the risk, impose significant risk to the bank if the third party fails to meet expectations, or have a major impact on bank operations if the bank has to find an alternate vendor or service provider or if the outsourced activity has to be brought in-house.
Similar to the FDIC significant third party relationship concept

OCC Bulletin: Life Cycle Focus
Much more emphasis on planning and ensuring proper due diligence before any contract is signed with a third party
Very specific recommendations:
Legal and Regulatory Compliance
Information Security
Contingency Plans
Independent Reviews
Board Oversight
Subcontractors (oversight for the vendor's vendors)

OCC Bulletin: Due Diligence and Selection of Third Party
Similar to previous 2001 guidance, but adds the following specific areas for review:
Legal and Regulatory Compliance
Information and Physical Security
Fee Structure and Incentives
Incident Reporting and Management Oversight
Conflicting Contractual Arrangements with Subcontractors or other parties where the risk may be transferred to the financial institution

OCC Bulletin: Contract Negotiation, On-going Monitoring, Termination
Termination: New Phase in the Life Cycle
Contingency Plans for:
Data retention and destruction
Handling of joint intellectual property
Mitigation of reputational risks
Continued compliance with laws and regulations

Contract Considerations
** The Board should formally approve all contracts for critical vendors before the contract is executed **
Guidance Includes Very Detailed Due Diligence and Contract Considerations on a multitude of topics, for example:
Verify that the third party has fidelity bond coverage to insure against losses attributable to dishonest acts, liability coverage for losses attributable to negligent acts, and hazard insurance covering fire, loss of data, and protection of documents.
Determine whether the third party has insurance coverage for its intellectual property rights, as such coverage may not be available under a general commercial policy. The amounts of such coverage should be commensurate with the level of risk involved with the third party's operations and the type of activities to be provided.
Stipulate that the third party is required to maintain adequate insurance, notify the bank of material changes to coverage, and provide evidence of coverage where appropriate. Types of insurance coverage may include fidelity bond coverage, liability coverage, hazard insurance, and intellectual property insurance.

Federal Reserve 12/5/13 Guidance on Managing Outsourcing Risk
Introduces concept of concentration risk
Effective programs include the following:
Risk Assessments
Due Diligence and Selection of Service Providers
Contract Provisions and Considerations
Incentive Compensation Review
Oversight and Monitoring of Service Providers
Business Continuity and Contingency Plans

FRB Incentive Compensation Review
Effective Review and Approval of any Incentive Compensation Embedded in Service Provider Contracts
Is the Servicer incented to take imprudent risks?
Inappropriate incentives may encourage selling of services to customers that have higher margins and are not in their best interest

FRB - Other Risks
Suspicious Activity Reporting Functions
Foreign Based Service Providers
Internal Audit: specifically references the SOX prohibition against an external accounting firm providing internal audit services
Outsourcing Risk Management Activities
Revisiting Vendor Risk Assessment
IDENTIFYING CRITICAL OR SIGNIFICANT VENDORS

Refining the Risk Assessment
Most Vendor Risk Assessments rank each third party relationship (excluding suppliers) as high, medium, or low risk
High risk vendors usually have information security exposure or are critical to bank operations
But are all high risk vendors really critical and/or significant, requiring Board level oversight?

Critical or Significant Third Party Relationships Likely Require:
Extensive Planning and Due Diligence
Board Oversight and Approval
Clear Senior Management Responsibility
Cost/Benefit Analysis
Contingency Plan for Termination
Board Review of Management's Monitoring Results
Extensive Contract Review and Monitoring for Performance
More than a simple vendor file that is updated each year with new documents!

Characteristics of Critical or Significant Third Party Relationships
Significant Information Security Exposure
High Volume of Confidential Customer Information Stored by or Accessible to the Third Party
Service is Critical to Maintaining the Institution's Information Security Program/Protection/Controls
Critical to Operations
Transaction Processing: Payments, Clearing, Settlement, Custody
Core Accounting and Account Maintenance
Disaster Recovery/Business Continuity Services in an in-house data center environment

Characteristics of Critical or Significant Third Party Relationships
Substantial Impact on Financial Condition
Potential for civil money penalties and fines
Credit risk associated with vendor activities
Risk of significant effect on earnings or capital
New Products or Services
Institution does not have experience or expertise
Management may not understand the risks
Material Compliance Risk
Third Party Markets Institution's Products/Services
Activity Involves Subprime Lending or Card Payments

Customized review and documentation requirements
IDENTIFYING THE RISKS FOR EACH CRITICAL OR SIGNIFICANT VENDOR
Compliance Risk
Risk arising from violations of laws, rules, or regulations, or from noncompliance with the institution's policies, procedures, or business standards

Compliance Risk Examples
Third Party Payment Processors
Flood Determination Services
Reverse Mortgage Programs
Automobile Dealer Relationships
Subprime Lending Programs
Overdraft Programs
Outsourced Trust Operations

Reputation Risk
Risk arising from negative public opinion
Dissatisfied customers
Unexpected customer financial loss
Inappropriate recommendations
Security breaches
Vendor insider fraud
Any negative publicity, whether or not associated directly with the third party

Reputation Risk Examples
Core Application
Internet Banking
Any vendor that accesses, processes, stores or transmits confidential customer information
Overdraft protection programs
Nearly any third party relationship that impacts your customers in any way

Strategic Risk
Risk arising from adverse business decisions
Failure to implement appropriate business decisions consistent with the institution's strategic goals
Use of a third party to perform banking functions or to offer products or services that do not help to achieve corporate goals and provide an inadequate return on investment

Strategic Risk Examples
Outsourcing Call Center Operations to a competitor
Utilizing Outsourced Remote Deposit Capture services to service multiple out-of-market Money Service Businesses
Outsourced Subprime Lending originations
Outsourced Compliance Management or BSA Oversight
Any offering that will involve intense regulatory scrutiny without a strong business case and thorough risk assessment/monitoring.

Transaction Risk
Risk arising from problems with service or product delivery
Third party's failure to perform as expected due to inadequate capacity, technological failure, human error, or fraud
Lack of an appropriate business resumption and contingency plan
Weak controls over technology; threats to security and integrity of systems and data
May result in unauthorized transactions or inability to perform transactions as expected

Transaction Risk Examples
Core application servicer
Internet Banking
On-Line Bill Pay, ACH and/or Wire Originations
On-Line Backup Services
Cloud Computing Services

Operational Risk
Risk of a loss due to inadequate or failed internal processes, people, systems, or external events
Increase in operational complexity due to integration of institution processes with third party internal processes

Operational Risk Examples
Cloud Computing Service Provider
Remote Deposit Capture Services
New Products and Services without sufficient experience or expertise to properly implement and oversee

Credit Risk
Risk that a third party is unable to meet the terms of the contractual arrangements or otherwise financially perform as agreed
Financial condition of the third party itself
Third parties that market or originate certain types of loans, solicit or refer customers, conduct underwriting analysis, or set up product programs for the institution

Credit Risk Examples
Mortgage brokers
Automobile Dealer Relationships
Credit Cards
Critical Vendors - Core Processor/Data Center
Can they invest properly in on-going information security and regulatory compliance?
Are they likely to be acquired or go out of business?

Country Risk
Exposure to the economic, social, and political conditions and events in a foreign country
Potential for loss of data, research and development efforts, or other assets

Examples of Country Risk
Cloud Computing Service Provider
Foreign Correspondent Bank Relationships
Outsourced Call Centers

Other Risks
Liquidity
Interest Rate
Price
Legal
Foreign Currency Translation Risk
Concentration Risk
More informationIIROC 2015 Financial Administrators Section Conference
IIROC 2015 Financial Administrators Section Conference September 11, 2015 kpmg.ca Presenters Chris Cornell KPMG Partner, Financial Services Steven Sharma KPMG Partner, Financial Services 2 Agenda Current
More informationContents. Primer Series: HIPAA Privacy, Security, and the Omnibus Final Rule
BEST PRACTICES Iron Mountain Document Conversion Services HEALTHCARE HIPAA Omnibus and the Implications for Document Conversion Primer Series: HIPAA Privacy, Security, and the Omnibus Final Rule Contents
More informationSOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER
EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER ARRIVAL OF GDPR IN 2018 The European Union (EU) General Data Protection Regulation (GDPR), which takes effect in 2018, will bring changes
More informationAudit and Risk Committee Charter
Audit and Risk Committee Charter This Charter sets out the role, responsibilities, structure and processes of the Audit and Risk Committee (Committee), established by the Board of Directors of Wesfarmers
More informationGeneral Policies & Procedures. SV 5.0 Clean Harbors Vendor Code of Business Conduct and Ethics
1. Purpose This Code is intended to govern the conduct of Clean Harbors, Inc. and all of its subsidiaries Vendors when doing business with or on behalf of Clean Harbors, Inc. For the purpose of this Code,
More informationCERTIFIED BANK BRANCH MANAGER
2018 Institute of Banking Studies CERTIFIED BANK BRANCH MANAGER Group 2 2017/2018 INDEX No Content Page No. 1 Administration Details 3 2 Program Schedule 9 Individual Module Outlines: Banking Business
More informationAn Assessment of the Corporate Governance Practices of Fifth Federal Reserve District Banking Institutions
An Assessment of the Corporate Governance Practices of Fifth Federal Reserve District Banking Institutions June 30, 2004 Authors Robert A. Greene C. Benjamin Jones, Jr. David W. Powers, Jr., CPA Table
More informationInternal Control Questionnaire and Assessment
Bureau of Financial Monitoring and Accountability Florida Department of Economic Opportunity September 30, 2017 107 East Madison Street Caldwell Building Tallahassee, Florida 32399 www.floridajobs.org
More informationRSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM
RSM ANTI-MONEY LAUNDERING SURVEY BEST PRACTICES AND BENCHMARKING FOR YOUR BSA/AML PROGRAM Anti-money laundering (AML) regulations are at times challenging for banks. Emerging risks and increased scrutiny
More informationKPMG Internal Audit: Top 10 key risks in 2016
KPMG Internal Audit: Top 10 key risks in 2016 Financial Services kpmg.nl I Six years after the financial crisis, internal auditors at banks, insurance companies and capital markets firms continue to face
More informationAuditing & Assurance Services, 7e (Louwers) Chapter 2 Professional Standards
Auditing & Assurance Services, 7e (Louwers) Chapter 2 Professional Standards 1) Control risk is A) the probability that a material misstatement could not be prevented or detected by the entity's internal
More informationTier I assesses an institution's process for identifying and managing risks. Tier II provides additional verification where risk is eviden
Appendix A: Examination Procedures EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization's business continuity planning process, and determine whether the continuity testing
More informationMerchant Services What You Need to Know. Agenda 6/5/2017. Overview of Merchant Services. EMV, Tokenization/Encryption, and PCI (Oh My!
Merchant Services What You Need to Know Heather Nowak VP, CPP Senior Product Manager Agenda Overview of Merchant Services Why accept cards? What you need to know/consider Capabilities/Pricing/Contract
More informationAudit Project Process Overview 1/18/ Compliance and Audit Symposium. Agenda. How to Kick-start your. Audit Planning and Risk Assessment
2013 Compliance and Audit Symposium How to Kick-start your Audit Planning and Risk Assessment Jaime Jue, Associate Director, UC Berkeley David Meier, Manager Campus Audits, UC San Diego January 2013 Agenda
More informationSUPPLIER CODE OF BUSINESS ETHICS AND CONDUCT
Compliance with Laws We expect our suppliers to maintain full compliance with all laws and regulations applicable to their business. When conducting international business, or if their primary place of
More informationCertified Identity Governance Expert (CIGE) Overview & Curriculum
Overview Identity and Access Governance (IAG) provides the link between Identity and Access Management (IAM) rules and the policies within a company to protect systems and data from unauthorized access,
More informationGovernance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.
Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS www.fic.gov.bc.ca INTRODUCTION The Financial Institutions Commission 1 (FICOM) holds the Board of Directors 2 (board) accountable for the stewardship
More informationCPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks
Page 1 of 7 CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a Related PSAs: PSA 400, 315 and 330 AUDITING THEORY Risk Assessment and Response to Assessed Risks 1. Which of the following is correct statement?
More informationPublic Company Accounting Oversight Board
1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8433 www.pcaobus.org Report on 2008 (Headquartered in New York, New York) Issued by the Public Company Accounting
More informationMODULE I: MEDICARE & MEDICAID GENERAL COMPLIANCE TRAINING
MODULE I: MEDICARE & MEDICAID GENERAL COMPLIANCE TRAINING 2 0 1 4 A Message From Our CEO and Compliance Officer At PacificSource, we pride ourselves on maintaining a culture of compliance and high ethical
More informationDIRECTOR TRAINING AND QUALIFICATIONS: SAMPLE SELF-ASSESSMENT TOOL February 2015
DIRECTOR TRAINING AND QUALIFICATIONS: SAMPLE SELF-ASSESSMENT TOOL February 2015 DIRECTOR TRAINING AND QUALIFICATIONS SAMPLE SELF-ASSESSMENT TOOL INTRODUCTION The purpose of this tool is to help determine
More informationINTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS
Introduction INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE (Effective for audits of financial statements for periods beginning on or after December 15, 2009) +
More informationAn Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements
ASB Meeting July 30 August 1, 2013 Agenda Item 3B AT Section 501 An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements Source:
More informationCAMELS RATINGS AND FINANCIAL REGULATORY REFORM: THE (M)ANAGEMENT ELEMENT
CAMELS RATINGS AND FINANCIAL REGULATORY REFORM: THE (M)ANAGEMENT ELEMENT Thomas Hinkel, Director of Compliance Up until just shortly before it failed, Washington Mutual had received either average or above
More informationOPERATIONAL RISK MANAGEMENT MODULE
OPERATIONAL RISK MANAGEMENT MODULE MODULE OM Operational Risk Management Table of Contents OM-A OM-B OM-1 OM-2 OM-3 OM-4 Date Last Changed Introduction OM-A.1 Purpose 01/2012 OM-A.2 [This Chapter was deleted
More informationJob Family Matrix. Core Duties Core Duties Core Duties
Job Family Matrix Job Function: Finance Job Family: Banking - Professional Job Family Summary: Perform or manage a wide range of banking activities while ensuring compliance in various functions which
More informationKEY. riskupdate PREDICTIONS FOR Risk Reward. Jan 2011
riskupdate Risk Reward Jan 2011 The quarterly independent risk review for banks and financial institutions worldwide 10 KEY PREDICTIONS FOR 2011 Also in this issue DO WE HAVE ANYTHING NEW SINCE 2008 TO
More informationRecommended Practices for Subcontractor Management
Recommended Practices for Subcontractor Management Athens PM Conference June 18, 2012 Christos Vassilicos Agenda Introduction & Context A Subcontractor Management Case Study Recommended practices across
More informationMicrosoft Cloud Agreement Financial Services Amendment
Microsoft Cloud Agreement Financial Services Amendment This Financial Services Amendment ( Amendment ) is entered into between Customer and the Microsoft Affiliate who are parties to the Microsoft Cloud
More informationThe Bank of Elk River: Digital Wallet Terms and Conditions
The Bank of Elk River: Digital Wallet Terms and Conditions These Terms of Use ("Terms") govern your use of any eligible debit card issued by The Bank of Elk River (a "Payment Card") when you add, attempt
More informationOPERATIONAL RISK MANAGEMENT MODULE
OPERATIONAL RISK MANAGEMENT MODULE MODULE OM Operational Risk Management Table of Contents OM-A OM-B OM-1 OM-2 OM-3 OM-4 Date Last Changed Introduction OM-A.1 Purpose 01/2012 OM-A.2 [This Chapter was deleted
More informationA Guide to Professional Standards
A Guide to Professional Standards Jones Lang LaSalle Incorporated LaSalle Investment Management Table of Contents Introduction; Purpose of this Guide... 3 Resources... 4 Specific Actions to Promote Professional
More informationIn Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015
In Control: Getting Familiar with the New COSO Guidelines CSMFO Monterey, California February 18, 2015 1 Background on COSO Part 1 2 Development of a comprehensive framework of internal control Internal
More informationMONITORING YOUR EMPLOYEES SOCIAL MEDIA ACTIVITY
MONITORING YOUR EMPLOYEES SOCIAL MEDIA ACTIVITY How to Maintain Compliance and Your Corporate Reputation While Promoting Use of Social Media BY OPTIMAL BLUE e-series of 7 WHITE PAPER MONITORING YOUR EMPLOYEES
More informationDiving into the 2013 COSO Framework. Presented by: Ronald A. Conrad
Diving into the 2013 COSO Framework Presented by: Ronald A. Conrad 2 Objectives Obtain an understanding of why the COSO Framework has been updated Understand how the framework has changed Identify the
More informationGuidelines of Corporate Governance
Guidelines of Corporate Governance December 2017 The Board of Directors (the Board ) of Radian Group Inc. ( Radian or the Company ) has established guidelines for corporate governance based on an assessment
More informationSelf Assessment Workbook
Self Assessment Workbook Corporate Governance Audit Committee January 2018 Ce document est aussi disponible en français. Applicability The Self Assessment Workbook: Corporate Governance Audit Committee
More informationJuan Carlos Ramirez, VP, AML/ATF & Sanctions Audit, Scotiabank. Compliance and Risk Management
Juan Carlos Ramirez, VP, AML/ATF & Sanctions Audit, Scotiabank Compliance and Risk Management Governance Service providers Operational Risk Fraud AML Sanctions Risk Management Compliance Assessment Financial
More informationInformation paper. Transaction filtering, systems testing and annual certification: driving business benefits
Information paper Transaction filtering, systems testing and annual certification: driving business benefits Introduction Overview of the changes The new DFS anti-terrorism transaction monitoring and filtering
More informationContract Risk and Compliance & Warranty Fraud. David Maberry Chief Risk Officer American Fidelity Assurance Company
Contract Risk and Compliance & Warranty Fraud David Maberry Chief Risk Officer American Fidelity Assurance Company Who am I and Why Am I Here? David Maberry is the Chief Risk Officer for American Fidelity
More informationGuidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.
Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )
More informationAn Overview of the 2013 COSO Framework. August 2013
An Overview of the 2013 COSO Framework August 2013 Introduction Dean Geesler, KPMG Senior Manager Course Objectives Summarize the key changes from the 1992 Framework to the 2013 Framework including the
More informationFinal Guidance on Sound Incentive Compensation Policies
Final Guidance on Sound Incentive Compensation Policies By Gayle Appelbaum, Jim Bean, Todd Leone & Chris Richter July 1, 2010 On June 21, 2010 the Federal Reserve, the Office of the Comptroller of the
More informationStatement on Risk Management and Internal Control
INTRODUCTION The Board affirms its overall responsibility for the Group s system of internal control and risk management and for reviewing the adequacy and effectiveness of the system. The Board is pleased
More informationPCI Data Breach Preparedness How To Prevent Your Organization From Becoming the Next Data Breach Headline
PCI Data Breach Preparedness How To Prevent Your Organization From Becoming the Next Data Breach Headline Presented by the Bryan Cave Payments Team and Special Guest Speaker Andi Baritchi Agenda Introduction
More informationnpliance IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION Auditing for
IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION EUROS (US $1.15 BILLION) BY EUROPEAN UNION REGULATORS for failing to comply with a 2004 antitrust order. The previous year, DaimlerChrysler paid a US $30
More informationInternal Audit How the Internal Audit Function Facilitates Internal Controls. Office of the City Auditor City of Tallahassee
Internal Audit How the Internal Audit Function Facilitates Internal Controls Office of the City Auditor City of Tallahassee 1 Internal Audits and Internal Controls Session Purpose: How does an internal
More informationChief Executive Officers, General Managers and Board Presidents Saskatchewan Credit Unions
CREDIT UNION DEPOSIT GUARANTEE CORPORATION P.O. Box 3030 2055 Albert Street Regina, SK S4P 3G8 www.cudgc.sk.ca PH (306) 566-1286 FX (306) 566-1770 Date: July 8, 2014 To: From: Chief Executive Officers,
More information