Internal Audit Solutions:


1 Internal Audit Solutions: Internal Audit Leading Practices - Continuous Monitoring / Auditing
Provided to Sioux Falls, SD IIA Chapter
Thursday January 25, :30 AM 1:00 PM CT

2 Today's Presenter
Anne Howard, Director, National Financial Services Advisory
4140 ParkLake Ave., Suite 130, Raleigh, NC
D (919) E anne.howard@us.gt.com
Grant Thornton LLP. All rights reserved. 2

3 Agenda
- Continuous monitoring vs. continuous auditing
- Benefits of continuous auditing
- Considerations when implementing continuous auditing
- Components of continuous auditing
  - Continuous risk assessment
  - Continuous controls assessment
- Leading data analytic practices
- Practical examples
- Summary and Q&A

4 Learning objectives
- Define continuous monitoring and continuous auditing
- Discuss the benefits and challenges of continuous auditing
- Explore methods for implementing continuous auditing
- Describe leading data analytics practices
- Illustrate some practical examples

5 Background

6 Continuous Monitoring vs. Continuous Auditing
Continuous Monitoring is an automated, ongoing process that enables management to:
- Assess the effectiveness of controls and detect associated risk issues
- Improve business processes and activities while adhering to ethical and compliance standards
- Execute more timely quantitative and qualitative risk-related decisions
- Increase the cost effectiveness of controls and monitoring through IT solutions
Source: Deloitte, LLP
Continuous Auditing ("CA") is an automated, ongoing process that enables internal audit to:
- Collect from processes, transactions, and accounts data that supports internal and external auditing activities
- Achieve more timely, less costly compliance with policies, procedures, and regulations
- Shift from cyclical or episodic reviews with limited focus to continuous, broader, more proactive reviews
- Evolve from a traditional, static annual audit plan to a more dynamic plan based on CA results
- Reduce audit costs while increasing effectiveness through IT solutions
Source: Deloitte, LLP

7 Benefits of Continuous Auditing
Internal audit departments are under increased pressure to add value to the business and tell them something they don't already know. Using continuous auditing can move Internal Audit closer to becoming a "Trusted Advisor" to the business. Other benefits include:
- Reducing costs
- Increasing efficiencies
- Providing greater audit coverage
- Improving risk and control assurance
- Early detection of potential issues / fraud
- Enterprise / global viewpoints
- Improving governance
- Improving performance and accountability
- Greater transparency
- Reducing complexities
- Promoting continuous improvement
- Trend analysis
IIA Standard: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

8 Challenges when Implementing Continuous Auditing
- Obtaining access to data
- Understanding the data (i.e., data dictionary)
- Use of tools / software
- Managing stakeholder expectations
- Time investment required to develop and execute
- Technical competencies / skills
- Process to respond to CA results
- In-depth knowledge of business processes and systems

9 Implementing Continuous Auditing
- Determine the goals and objectives for the continuous auditing program
- Collaborate and coordinate with IT to determine data sets and how data can be accessed
- Identify how Continuous Controls Assessment (CCA) will be utilized and leveraged
- Identify how Continuous Risk Assessment (CRA) will be utilized and leveraged
- Document the plan for reporting the outputs / results of the CCA and CRA
Leading Practices
- Start small with quick wins and expand the program over time
- Leverage existing tools, such as Excel
- Develop a framework for continuous auditing and integrate it with the audit methodology
Program components (slide diagram): Continuous Auditing Objectives -> Access to the Data -> Continuous Controls Assessment / Continuous Risk Assessment -> Reporting
Continuous Controls Assessment:
- Identification of control deficiencies
- Insights into the control environment
- Independent & timely assurance
- Assessment of corrective actions
Continuous Risk Assessment:
- Identification of new / emerging risks
- Evaluation of changes in risk levels
- Informs the audit plan
- Focus on higher risk areas
- Data-driven risk indicators

10 Continuous Risk Assessment

11 Approach to Continuous Risk Assessment
Step 1: Define Framework. Review the Audit Entity Universe, the Performance Driver Model, Risk Universe, and Strategic Plan, focusing on defining / assessing auditable entities and other concepts from regulatory guidance, such as heightened regulatory expectations and FRB Supervisory Letter SR.
Step 2: Initial Analysis. Perform an initial analysis of risk with input from the organization's executive management team / audit committee members; draft an initial set of Key Risk Indicators (KRIs).
Step 3: Meet with Participants. Obtain input from key participants (process owners) in order to identify risks and determine the current level of response; review KRIs.
Step 4: Evaluate Assessment Results. Evaluate the collective results from participants; assess and prioritize the risks and KRIs identified against the overall organization.
Step 5: Prepare Plan. Align the Audit Plan (and the program for evaluating KRIs) so that current residual risk correlates with level of effort.
Step 6: Present to Stakeholders. Present results to stakeholders for review and iteration, as needed.

12 Audit Coverage Risk Assessment
Determine Audit Universe: Organizations typically risk assess the Audit Universe based on Legal Entities, LOB Units and / or Process Areas.
Initial / Baseline Risk Assessment (RA) Process: The defined process areas are risk rated from a quantitative and qualitative perspective, which dictates the frequency of audit coverage (Low = every three years, Medium = every two years, High = every year).
Framework to consider (capture information for each factor for each auditable entity):
Inherent Risk Factors:
- Strategic / Economic Climate
- Complexity / Changes in Environment
- Regulatory / Legal
Residual Risk Factors:
- Management
- Governance
- Policies and Procedures / Standards
- Internal Controls
- Technology

13 Audit Coverage Risk Assessment
Quarterly Continuous (Business) Monitoring Refresh Process
- Consider aligning Internal Audit (IA) team members to the defined process owners for a quarterly business monitoring exercise (it can be on a less frequent rolling basis, as necessary).
- Establish a formal process where IA meets with primary business contacts for each of the defined areas to conduct interviews and understand strategic decisions that impact the control environment.
- Develop a Continuous Monitoring checklist; regulators view this as a best-in-class IA process.
- Recent audits should also be considered in terms of how they will affect the control environment and the related process area. Additionally, prior audit issues can also affect the substantive audit approach.
Developing Key Risk Indicators (KRI)
Develop KRIs across the process areas to assist with the Risk Assessment Process.
Example #1: Collections / Delinquency
Establish a monthly data pull to show total delinquency buckets (Current, 1-30, 31-60, 61-90, , 121+, write-off) and then break out by LOB, facility type, or whatever level of granularity is sufficient for evaluation purposes. This should be measured against the organization's Risk Appetite, for example:
- Risk Appetite = 2.5% write-off of Residential Mortgage portfolio
- Risk Tolerance = 5.0% write-off of Residential Mortgage portfolio
These metrics can be reviewed monthly by audit teams to identify any red flags / early warning indicators (EWI).
Example #2: Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) / Office of Foreign Assets Control (OFAC)
Establish a monthly data pull to show the total number of AML alerts by loan asset type. Determine if 100% of alerts resulted in a Suspicious Activity Report (SAR) within 60 days.
- Risk Appetite = 100% of alerts result in a SAR within 30 days
- Risk Tolerance = 100% of alerts result in a SAR within 60 days
These metrics can be reviewed monthly by audit teams to identify any red flags / early warning indicators (EWI).
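The two KRIs above are easy to describe but the details matter in practice: the write-off rate has to be computed over the whole portfolio and then broken out by LOB, and an alert with no SAR yet is only a breach once it is older than the window. The following Python is an added example, not code from the presentation or from Grant Thornton; the loan balances, AML alerts, LOB names and the run date are constructed sample data, and the treatment of still-open alerts as "inside the window until they age past it" is an assumption. The same date-window check is what the complaint-date vs. investigation-date and alert-date vs. investigation-date comparisons in the CAAT examples on later slides need.

```python
from datetime import date

# Constructed sample data (not the presentation's): residential mortgage balances
# tagged with the delinquency buckets named on the slide.
MORTGAGE_LOANS = [
    {"loan_id": "RM-001", "lob": "Retail",  "balance": 400_000.0, "bucket": "Current"},
    {"loan_id": "RM-002", "lob": "Retail",  "balance": 300_000.0, "bucket": "Current"},
    {"loan_id": "RM-003", "lob": "Retail",  "balance": 150_000.0, "bucket": "1-30"},
    {"loan_id": "RM-004", "lob": "Private", "balance":  80_000.0, "bucket": "61-90"},
    {"loan_id": "RM-005", "lob": "Private", "balance":  40_000.0, "bucket": "121+"},
    {"loan_id": "RM-006", "lob": "Retail",  "balance":  30_000.0, "bucket": "write-off"},
]

# Thresholds stated on the slide.
WRITE_OFF_APPETITE = 0.025   # 2.5 % of portfolio
WRITE_OFF_TOLERANCE = 0.050  # 5.0 % of portfolio
SAR_APPETITE_DAYS = 30
SAR_TOLERANCE_DAYS = 60

# Constructed AML alerts: sar_date is None when no SAR has been filed yet.
AML_ALERTS = [
    {"alert_id": "AML-1", "asset_type": "Mortgage", "alert_date": date(2018, 1, 2),  "sar_date": date(2018, 1, 20)},
    {"alert_id": "AML-2", "asset_type": "Mortgage", "alert_date": date(2017, 12, 1), "sar_date": date(2018, 1, 16)},
    {"alert_id": "AML-3", "asset_type": "Card",     "alert_date": date(2018, 1, 10), "sar_date": None},
    {"alert_id": "AML-4", "asset_type": "Card",     "alert_date": date(2017, 11, 1), "sar_date": None},
]
REPORT_DATE = date(2018, 1, 25)   # constructed run date for the monthly review


def bucket_totals(loans, group_key=None):
    """Balance per delinquency bucket, optionally broken out by another field such as 'lob'."""
    totals = {}
    for loan in loans:
        key = (loan[group_key], loan["bucket"]) if group_key else loan["bucket"]
        totals[key] = totals.get(key, 0.0) + loan["balance"]
    return totals


def write_off_rate(loans):
    """Share of total portfolio balance sitting in the write-off bucket."""
    total = sum(l["balance"] for l in loans)
    written_off = sum(l["balance"] for l in loans if l["bucket"] == "write-off")
    return written_off / total if total else 0.0


def rag_status(value, appetite, tolerance):
    """Red / amber / green for a metric where higher is worse (appetite < tolerance)."""
    if value > tolerance:
        return "red"
    if value > appetite:
        return "amber"
    return "green"


def sar_timeliness(alerts, as_of):
    """Fraction of alerts whose SAR was filed within the appetite / tolerance windows.

    Assumption: an alert with no SAR is a breach only once it is older than the
    window as of the run date; a younger open alert is still inside the window.
    """
    def breached(alert, window_days):
        end = alert["sar_date"] or as_of
        return (end - alert["alert_date"]).days > window_days

    n = len(alerts)
    within_appetite = sum(not breached(a, SAR_APPETITE_DAYS) for a in alerts) / n
    within_tolerance = sum(not breached(a, SAR_TOLERANCE_DAYS) for a in alerts) / n
    if within_tolerance < 1.0:
        status = "red"        # tolerance (100 % within 60 days) is broken
    elif within_appetite < 1.0:
        status = "amber"      # inside tolerance but outside appetite
    else:
        status = "green"
    return {
        "within_30": within_appetite,
        "within_60": within_tolerance,
        "status": status,
        "tolerance_breaches": [a["alert_id"] for a in alerts if breached(a, SAR_TOLERANCE_DAYS)],
    }


def monthly_kri_report(loans, alerts, as_of=REPORT_DATE):
    """Both KRIs from the slide, as an audit team would review them each month."""
    rate = write_off_rate(loans)
    return {
        "write_off_rate": rate,
        "write_off_status": rag_status(rate, WRITE_OFF_APPETITE, WRITE_OFF_TOLERANCE),
        "buckets_by_lob": bucket_totals(loans, "lob"),
        "sar": sar_timeliness(alerts, as_of),
    }


if __name__ == "__main__":
    for key, value in monthly_kri_report(MORTGAGE_LOANS, AML_ALERTS).items():
        print(f"{key}: {value}")
```

On this sample the write-off rate is 3.0%, above the 2.5% appetite but inside the 5.0% tolerance (amber), while the SAR KRI is red because one alert is 85 days old with no SAR. Keeping the breach list in the output, not just the percentage, is what lets the audit team follow up the specific alert rather than re-pull the data.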

14 Audit Coverage Risk Assessment
Automating the Risk Assessment Process
In terms of making the Risk Assessment more efficient, best-in-class organizations have automated the process to some extent by developing a customized database where the Audit Universe is established:
- Repository to house walkthrough / interview notes and IA risk rating justifications, including prior and current risk ratings
- Store primary business contacts / responsible auditor, etc.
- Maintain KRIs, which take feeds from the organization's systems (general ledger, risk systems, etc.)
- Ability to perform static / ad-hoc reports for management (e.g., x% of Risk Ratings changed on a quarter-over-quarter basis, etc.)
Key Activities:
1. Review current audit universe and audit plan from a coverage perspective
2. Develop questionnaires for the quarterly continuous monitoring program
3. Develop key risk indicators (KRIs) for continuous monitoring
4. Execute the initial risk assessment at the entity / process level
5. Produce a baseline database repository to house continuous monitoring efforts as described (audit entities / processes / risk ratings / KRIs, etc.)

15 Audit Coverage Risk Assessment (Example)
[Figure: Initial Risk Assessment; Quarterly Risk Assessment]

16 Continuous Auditing & Data Analytics

17 Internal Audit's Use of Data Analytics
Data analytics: Process whereby different types of data (enterprise, third-party, internal/external, etc.) are put into a format where analysis can be done, with the goal of identifying useful information that better supports corporate decision-making.
Data visualization: Used to better understand the significance of those analytics by allowing the review of the data in a visual context. Data visualization can help the internal audit team identify key patterns, trends and correlations within the data that might otherwise go undetected.
What should CAEs be prepared to answer?
- Are you using data analytics? If not, what is / are the barrier(s)?
- Do you have the necessary resources, tools and training?
- Can you discuss your plan for using data analytics and data visualization?
- Are you employing a data analytics approach in audit testing?
- Are you hiring people with database and data analytics skills?
- How are you and the internal audit team working with IT to get quality data for analysis?
- Is IT open to working with you to have more comprehensive internal audit coverage using data analytics and data visualization?
- How much of the audit plan incorporates the use of data analytics and visualization?
- How are you able to interpret the data to make an impact in your audit methodology and results?
- Have you considered using data analytics to predict risk indicators in the future?

18 Benefits of Data Analytics in Internal Audit
At the forefront of Data Analytics in Internal Audit are Computer Assisted Audit Techniques (CAATs).
- Developing KRIs assists with Continuous Monitoring: establishing KRIs helps identify red flags and emerging risk trends, which informs the Risk Assessment process.
- CAATs enable auditors to perform more focused testing of controls for operating effectiveness: use of large data sets for analysis allows for more focused tests of transactions during audit fieldwork.
- Bringing tangible results to the business: by monitoring the right KRIs in the form of CAATs, Internal Audit is able to bring tangible results to the business on emerging risks that are relevant to the business.
- Internal auditors can perform trend analyses using CAATs routines: developing scripts that run periodically enables auditors to perform trend analyses more efficiently.
- Use of CAATs improves the efficiency of compliance monitoring: compliance-related KRIs assist auditors in identifying high risk areas or areas where compliance risk exposures are changing.
- Identifying the red flags of fraud: CAATs can enable auditors to identify areas of potential fraud.

19 Data Analytics Approach
1. Develop a Vision
Internal audit must consider broader organizational goals, balance short-term investments with long-term vision, and identify ways to gain the assistance of operational management and process owners. Where do internal auditors see the greatest opportunity for utilizing data analytics?
- Identifying emerging trends (and therefore risks)
- Continuous monitoring for compliance reporting
- Detecting fraud, waste and abuse
2. Evaluate Current Capabilities
To improve internal audit's performance, strategic investments should be made to:
1. Enhance the skills and experience of personnel
2. Get the right data in the right form to perform analytics
3. Discover the software combination best-suited for the vision
3. Enhance People, Process, and Technology
Each internal audit group should assess its current capabilities in the three areas:
1. People
2. Process
3. Technology
4. Implement, Monitor, Evolve
After getting started, periodically measure your progress and be prepared to adjust your data analytics program to match your vision.
- 88% believe there will be a greater emphasis on data analytics in the next 3-4 years
- 69% of organizations would like to focus more on data analytics
- Top 3 ways internal audit used data analytics: 1 Analyzing trends, 2 Monitoring compliance, 3 Detecting fraud
- Top 3 benefits derived from using data analytics: 1 Audit process is streamlined, 2 Fieldwork time is reduced, 3 Fraudulent transactions are identified
Data Analytics: Elevating Internal Audit's Value is a 2016 book authored by Grant Thornton partners Warren Stippich and Brad Preber in conjunction with the Institute of Internal Auditors Research Foundation (IIARF). This practical guide helps internal auditors understand, adopt and integrate data analytics into everyday workflows and long-term initiatives; provides a data analytics framework to help broaden risk coverage and enhance audit efficiency; and assists with the necessary steps toward developing a plan to capitalize on data analytics technology and resources.

20 Data Analytics Implementation Template
1. Identify processes & prioritize
- Focus on critical business processes
- Target top risks
- Understand available data
- Assess anticipated benefits
2. Define success factors, KRIs, KPIs
- Identify thresholds that trigger reporting
- Align with the organization's risk appetite and tolerances
3. Design tests / KRIs / KPIs
- Determine process frequency
- Define roles and responsibilities
- Allocate resources
4. Configure & implement tests
- Collaborate with business process owners and IT
- Develop test scripts
- Run test scripts
5. Manage & report results
- Vet observations / results with business management
- Report results to executive management and the Audit Committee
- Highlight value added
6. Lessons learned
- Evaluate performance and quality of results
- Adjust tests as needed
- Incorporate results into business monitoring and risk assessment

21 Examples of Data Analytics
Risk Reporting
Organizations are focusing on deeper analysis of risk-related issues and related remediation activities. Leading practice organizations aggregate audit-identified, management self-identified, and external / regulator-identified issues, and identify / assess / report on issues by:
- Risk Category / Type
- Risk Rating
- Risk Theme
- Root Cause
- Source
- Executive Owner
- Business Process Owner
- Target Completion Date
- Aging
- Missed Target Completion Dates
Regulatory Compliance
Organizations are utilizing data analytics as a means to assess regulatory compliance, which can be performed on larger sets (in certain cases 100%) of the population. Institutions are utilizing data analytics to assess the completeness and accuracy of data input into models and also daily / regular transaction activity. Types of compliance analytics currently being used include:
- Data Accuracy Testing
- Credit Limit / Authorizations
- Calculation Re-performance
- Credit Concentration / CRA Compliance
- Data Quality Reviews / Completeness of HMDA LAR
- Filing Accuracy and Input Completeness
- Entitlement Reviews
- Trade Execution, Settlement, Valuation
- Case Steps Analysis
- Loss Mitigation Trial Payments
- Wire Stripping Analysis
- System / Application Side-by-Side Comparisons
- Maker / Checker on Alert Disposition
- Jurisdiction of Maker / Checkers
- Completeness of Fields Captured for KYC

22 Data Analytics Dashboard (Examples)
Consider developing customized dashboards for continuous monitoring / auditing. Below are examples for monitoring BSA / AML risks.
[Figure: dashboard examples for monitoring BSA / AML risks]

23 Practical Examples

24 Examples of Computer Assisted Audit Techniques (CAATs)
Example #1: Review of the End-to-End Sales Process
CAAT: Investigation of Customer Complaints
Step 1: Obtain system access to the source system database which houses the total population of Customer Complaints.
Step 2: Evaluate the total population to determine that all relevant customer complaint information is captured:
- Customer complaint date
- Date of investigation
- Product type
- Relationship Manager
Step 3: Analysis of transactional data
- Compare the complaint date to the investigation date to verify adherence with company policy and / or regulatory requirement.
- Evaluate whether thematic / root cause analysis has been performed.
- Evaluate whether the nature of customer complaints and the results of investigation have been escalated to the appropriate risk committees.
- Determine whether specific complaints against specific Relationship Managers were escalated to relevant management and appropriate disciplinary action was taken.
- Independently assess whether relevant risk committees are executing appropriate strategic corrective action within the wider organization.

25 Examples of Computer Assisted Audit Techniques (CAATs)
Example #2: Review of Anti-Money Laundering
CAAT: AML Alert Monitoring
Step 1: Obtain system access to the source system database which houses the total population of AML Alerts for terrorist financing.
Step 2: Evaluate the total population to determine that all relevant alert information is captured:
- # of transactions with sanctioned countries
- Facility type / facility risk rating
- Alert date
- Date of AML alert investigation
- Result of investigation
- Relationship Manager
Step 3: Analysis of transactional data
- Compare the alert date with the investigation date to verify adherence with company policy and / or regulatory requirement.
- Evaluate whether a Suspicious Activity Report (SAR) was filed.
- Evaluate whether the facility risk rating is appropriate based on facility classification (i.e., bulk transactions should have a higher risk rating).
- Determine whether late SAR filings are associated with specific Relationship Managers and whether the associated issue was escalated to appropriate management for disciplinary action, if warranted.
- Independently assess whether relevant risk committees are executing appropriate strategic corrective action within the wider organization.

26 Examples of Computer Assisted Audit Techniques (CAATs)
Example #3: Review of Adherence to Credit Policies
CAAT: Credit Limit Breaches
Step 1: Obtain system access to the source system database which houses the loan / credit card portfolio(s).
Step 2: Evaluate the total population to determine that all relevant credit information is captured:
- Loan date
- Loan amount
- Type of loan
- Credit terms
- Lender
- Lender credit authorities
Step 3: Analysis of transactional data
- Compare the loan amount to the lender's credit authority to determine whether the lender exceeded his / her authority.
- Trend the data over time to determine if there are patterns of certain lenders consistently exceeding their authority.
- Perform a geographical analysis to determine if lenders in certain regions / branches routinely exceed their credit authorities.
- Determine whether credit limit breaches associated with specific lenders were escalated to appropriate management for disciplinary action, if warranted.
- For systemic issues, independently assess whether appropriate escalation to risk committees took place and appropriate corrective action was taken within the wider organization.
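Steps 2 and 3 of the credit limit CAAT map directly onto code: a completeness check over the fields the slide lists, then the amount-versus-authority comparison, trended by month, lender and region. The Python below is an added example, not code from the presentation or from Grant Thornton. The loan extract is constructed, the `region` field and the "two or more breaches" cut-off for a repeat offender are assumptions, and the extract is assumed to already carry each lender's authority on the row (in a real pull it would come from a join to the lender authority table).

```python
from collections import Counter

# Fields the slide lists as needing to be captured, plus region for the
# geographical analysis (region is an added assumption, not on the slide).
REQUIRED_FIELDS = ("loan_id", "loan_date", "loan_amount", "loan_type",
                   "credit_terms", "lender", "lender_authority", "region")

# Constructed sample extract (not the presentation's data). lender_authority is
# the largest amount the lender may approve alone. CC-006 is missing credit_terms
# on purpose so the completeness check has something to find.
LOANS = [
    {"loan_id": "CC-001", "loan_date": "2017-10-03", "loan_amount": 150_000, "loan_type": "Term", "credit_terms": "60m",       "lender": "L-01", "lender_authority": 200_000, "region": "East"},
    {"loan_id": "CC-002", "loan_date": "2017-10-17", "loan_amount": 250_000, "loan_type": "Term", "credit_terms": "60m",       "lender": "L-01", "lender_authority": 200_000, "region": "East"},
    {"loan_id": "CC-003", "loan_date": "2017-11-08", "loan_amount": 220_000, "loan_type": "Line", "credit_terms": "12m",       "lender": "L-01", "lender_authority": 200_000, "region": "East"},
    {"loan_id": "CC-004", "loan_date": "2017-11-21", "loan_amount": 450_000, "loan_type": "Term", "credit_terms": "84m",       "lender": "L-02", "lender_authority": 500_000, "region": "West"},
    {"loan_id": "CC-005", "loan_date": "2017-12-04", "loan_amount": 120_000, "loan_type": "Card", "credit_terms": "Revolving", "lender": "L-03", "lender_authority": 100_000, "region": "East"},
    {"loan_id": "CC-006", "loan_date": "2017-12-12", "loan_amount":  90_000, "loan_type": "Card", "credit_terms": None,        "lender": "L-03", "lender_authority": 100_000, "region": "East"},
    {"loan_id": "CC-007", "loan_date": "2018-01-09", "loan_amount": 600_000, "loan_type": "Term", "credit_terms": "84m",       "lender": "L-02", "lender_authority": 500_000, "region": "West"},
]


def missing_fields(rows, required=REQUIRED_FIELDS):
    """Step 2: (loan_id, field) pairs where a required field is absent or empty."""
    gaps = []
    for row in rows:
        for field in required:
            if row.get(field) in (None, ""):
                gaps.append((row["loan_id"], field))
    return gaps


def credit_limit_breaches(rows):
    """Step 3: loans whose amount exceeds the approving lender's authority.
    Rows with no amount or no authority are skipped here; missing_fields() reports them."""
    return [row for row in rows
            if row.get("loan_amount") is not None
            and row.get("lender_authority") is not None
            and row["loan_amount"] > row["lender_authority"]]


def breaches_by(rows, key):
    """Count breaches per lender, region, loan type, etc."""
    return Counter(row[key] for row in credit_limit_breaches(rows))


def breaches_by_month(rows):
    """Trend over time: breaches per calendar month (loan_date is ISO YYYY-MM-DD)."""
    return Counter(row["loan_date"][:7] for row in credit_limit_breaches(rows))


def repeat_offenders(rows, min_breaches=2):
    """Lenders who exceeded their authority at least min_breaches times (assumed cut-off)."""
    return sorted(l for l, n in breaches_by(rows, "lender").items() if n >= min_breaches)


def breach_rate_by_region(rows):
    """Share of each region's loans that breached, so a small region is not hidden by volume."""
    loans_per_region = Counter(row["region"] for row in rows)
    breaches = breaches_by(rows, "region")
    return {r: breaches[r] / loans_per_region[r] for r in loans_per_region}


if __name__ == "__main__":
    print("missing fields:", missing_fields(LOANS))
    print("breaches:", [r["loan_id"] for r in credit_limit_breaches(LOANS)])
    print("by lender:", breaches_by(LOANS, "lender"))
    print("by month:", breaches_by_month(LOANS))
    print("repeat offenders:", repeat_offenders(LOANS))
    print("breach rate by region:", breach_rate_by_region(LOANS))
```

Reporting a breach rate per region as well as a raw count is deliberate: the slide asks whether lenders in certain regions "routinely" exceed authority, and a region that writes few loans can have a high rate while never topping the count.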

27 Examples of Computer Assisted Audit Techniques (CAATs)
Example #4: Assess Third Party Risk
CAAT: Analysis of Vendor Spend
Step 1: Obtain system access to the source system database which houses the total population of vendors and related annual spend.
Step 2: Evaluate the total population to determine that all relevant vendor information is captured:
- Date vendor became a preferred vendor
- Lifetime to Date (LTD) and Year to Date (YTD) spend columns
- Vendor discount column
- Column to capture nature of spend
Step 3: Analysis of transactional data
- Evaluate whether all vendors have a Master Service Agreement in place (i.e., are truly preferred vendors).
- Determine whether a vendor spend analysis occurs (increases of 10% or more should be investigated and found reasonable, etc.).
- Evaluate whether the organization is taking advantage of all vendor discounts.
- Analyze whether there are opportunities to reduce the number of vendors for common spend where 5+ vendors are used, to achieve additional volume discounts.
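The four Step 3 checks of the vendor spend CAAT, written out as an added Python example (not code from the presentation or from Grant Thornton). The vendor master rows are constructed; the 10% increase threshold and the 5+ vendor cut-off are the slide's, while the `prior_ytd_spend` column used for the year-over-year comparison and the `discount_taken` flag are assumptions about what the spend extract carries. A vendor with no prior-year spend is reported as new rather than as a percentage increase, because the ratio is undefined.

```python
from collections import defaultdict

# Constructed vendor master / spend extract (not the presentation's data).
VENDORS = [
    {"vendor_id": "V-01", "category": "Office supplies", "preferred_since": "2015-03-01", "has_msa": True,  "ltd_spend":   900_000, "ytd_spend": 110_000, "prior_ytd_spend": 100_000, "discount_pct": 0.05, "discount_taken": True},
    {"vendor_id": "V-02", "category": "Office supplies", "preferred_since": "2016-07-15", "has_msa": False, "ltd_spend":   120_000, "ytd_spend":  50_000, "prior_ytd_spend":  60_000, "discount_pct": 0.0,  "discount_taken": False},
    {"vendor_id": "V-03", "category": "Office supplies", "preferred_since": "2014-01-10", "has_msa": True,  "ltd_spend":   400_000, "ytd_spend":  80_000, "prior_ytd_spend":  70_000, "discount_pct": 0.03, "discount_taken": False},
    {"vendor_id": "V-04", "category": "Office supplies", "preferred_since": "2017-02-01", "has_msa": True,  "ltd_spend":    40_000, "ytd_spend":  20_000, "prior_ytd_spend":  20_000, "discount_pct": 0.0,  "discount_taken": False},
    {"vendor_id": "V-05", "category": "Office supplies", "preferred_since": "2017-09-01", "has_msa": True,  "ltd_spend":    22_000, "ytd_spend":  10_000, "prior_ytd_spend":  12_000, "discount_pct": 0.02, "discount_taken": True},
    {"vendor_id": "V-06", "category": "IT hardware",     "preferred_since": "2013-05-20", "has_msa": True,  "ltd_spend": 3_000_000, "ytd_spend": 500_000, "prior_ytd_spend": 400_000, "discount_pct": 0.08, "discount_taken": True},
    {"vendor_id": "V-07", "category": "IT hardware",     "preferred_since": "2018-01-02", "has_msa": True,  "ltd_spend":    15_000, "ytd_spend":  15_000, "prior_ytd_spend":       0, "discount_pct": 0.0,  "discount_taken": False},
]

SPEND_INCREASE_THRESHOLD = 0.10   # slide: increases of 10 % or more should be investigated
CONSOLIDATION_MIN_VENDORS = 5     # slide: 5+ vendors for common spend


def vendors_without_msa(vendors):
    """Preferred vendors with no Master Service Agreement on file."""
    return [v["vendor_id"] for v in vendors if not v["has_msa"]]


def spend_increases(vendors, threshold=SPEND_INCREASE_THRESHOLD):
    """Vendors whose YTD spend grew by `threshold` or more versus prior YTD.

    Returns (flagged, new): flagged is a list of (vendor_id, fractional change);
    new lists vendors with no prior-year spend, where a ratio is undefined.
    """
    flagged, new = [], []
    for v in vendors:
        prior = v["prior_ytd_spend"]
        if prior == 0:
            new.append(v["vendor_id"])
            continue
        change = (v["ytd_spend"] - prior) / prior
        if change >= threshold:
            flagged.append((v["vendor_id"], round(change, 3)))
    return flagged, new


def unused_discounts(vendors):
    """Vendors offering a discount that the organization is not taking."""
    return [v["vendor_id"] for v in vendors
            if v["discount_pct"] > 0 and not v["discount_taken"]]


def consolidation_candidates(vendors, min_vendors=CONSOLIDATION_MIN_VENDORS):
    """Spend categories served by `min_vendors` or more vendors, with the
    category's vendor count and total YTD spend (the volume a consolidated
    contract could be negotiated on)."""
    by_category = defaultdict(list)
    for v in vendors:
        by_category[v["category"]].append(v)
    return {cat: {"vendors": len(vs), "ytd_spend": sum(v["ytd_spend"] for v in vs)}
            for cat, vs in by_category.items() if len(vs) >= min_vendors}


if __name__ == "__main__":
    print("no MSA:", vendors_without_msa(VENDORS))
    print("spend increases / new vendors:", spend_increases(VENDORS))
    print("unused discounts:", unused_discounts(VENDORS))
    print("consolidation candidates:", consolidation_candidates(VENDORS))
```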

28 Examples of Computer Assisted Audit Techniques (CAATs)
Example #5: Review Model Inventory Risks
CAAT: Model Inventory & Model Governance
Step 1: Obtain system access to the Model Inventory Database which houses the total population of models.
Step 2: Evaluate the total population to determine that all relevant Model Inventory information is captured:
- Does the model support DFAST?
- Was the model risk rated?
- When did the model become approved for use?
- When was the model last validated?
Step 3: Analysis of transactional data
- Evaluate whether all models with large overlays supporting DFAST were evaluated by relevant risk committees.
- If the model is risk rated High and it hasn't been validated in line with company policy (i.e., 1 year), it's a red flag and risk increases.
- When models are retired, are they removed from the model inventory or marked expired?
- For models with overlays greater than 10% of the modeled result, are they still used, and is enhanced documentation supporting the overlay required?
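The model inventory checks above are all row-level rules against dates and thresholds, so they suit a scripted CAAT that runs each cycle. The following Python is an added example, not code from the presentation or from Grant Thornton. The inventory rows are constructed; the 1-year validation policy for High-rated models and the 10% overlay threshold are the slide's, while the `committee_reviewed` field, the `status` value "expired", the run date, and treating "large overlay" as "above the 10% threshold" are assumptions.

```python
from datetime import date, timedelta

REPORT_DATE = date(2018, 1, 25)                         # constructed run date
HIGH_RISK_VALIDATION_MAX_AGE = timedelta(days=365)      # slide: 1 year for High-rated models
OVERLAY_THRESHOLD = 0.10                                # slide: overlays above 10 % of modeled result

# Constructed model inventory extract (not the presentation's data).
MODELS = [
    {"model_id": "MDL-01", "supports_dfast": True,  "risk_rating": "High",   "approved": date(2014, 5, 1),  "last_validated": date(2016, 6, 30), "overlay_pct": 0.05, "committee_reviewed": True,  "retired": False, "status": "active"},
    {"model_id": "MDL-02", "supports_dfast": True,  "risk_rating": "High",   "approved": date(2016, 2, 1),  "last_validated": date(2017, 9, 1),  "overlay_pct": 0.15, "committee_reviewed": False, "retired": False, "status": "active"},
    {"model_id": "MDL-03", "supports_dfast": False, "risk_rating": "Low",    "approved": date(2012, 8, 1),  "last_validated": date(2015, 1, 1),  "overlay_pct": 0.0,  "committee_reviewed": False, "retired": False, "status": "active"},
    {"model_id": "MDL-04", "supports_dfast": False, "risk_rating": "Medium", "approved": date(2013, 3, 1),  "last_validated": date(2017, 3, 1),  "overlay_pct": 0.0,  "committee_reviewed": False, "retired": True,  "status": "active"},
    {"model_id": "MDL-05", "supports_dfast": True,  "risk_rating": None,     "approved": date(2017, 11, 1), "last_validated": None,              "overlay_pct": 0.02, "committee_reviewed": False, "retired": False, "status": "active"},
]


def model_red_flags(models, as_of=REPORT_DATE):
    """Red flags per model id, following the checks listed on the slide."""
    flags = {}
    for m in models:
        found = []
        # Step 2 completeness: a model that was never risk rated cannot be policed by rating.
        if m["risk_rating"] is None:
            found.append("not_risk_rated")
        # High-rated model validated more than a year ago (or never).
        if m["risk_rating"] == "High":
            never = m["last_validated"] is None
            if never or as_of - m["last_validated"] > HIGH_RISK_VALIDATION_MAX_AGE:
                found.append("stale_validation")
        # Overlay above 10 % of the modeled result needs enhanced documentation.
        if m["overlay_pct"] > OVERLAY_THRESHOLD:
            found.append("overlay_needs_enhanced_documentation")
            # Large overlay on a DFAST model should have gone to a risk committee.
            if m["supports_dfast"] and not m["committee_reviewed"]:
                found.append("dfast_overlay_not_committee_reviewed")
        # Retired models should be removed or marked expired, not left active.
        if m["retired"] and m["status"] != "expired":
            found.append("retired_but_still_in_inventory")
        flags[m["model_id"]] = found
    return flags


def models_needing_attention(models, as_of=REPORT_DATE):
    """Ids of flagged models, highest risk rating first (unrated models last)."""
    flags = model_red_flags(models, as_of)
    rating_order = {"High": 0, "Medium": 1, "Low": 2, None: 3}
    by_id = {m["model_id"]: m for m in models}
    return sorted((mid for mid, f in flags.items() if f),
                  key=lambda mid: (rating_order[by_id[mid]["risk_rating"]], mid))


if __name__ == "__main__":
    for mid, found in model_red_flags(MODELS).items():
        print(mid, found or "ok")
    print("attention:", models_needing_attention(MODELS))
```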

29 Questions?

30 Disclaimer
This Grant Thornton LLP presentation is not a comprehensive analysis of the subject matters covered and may include proposed guidance that is subject to change before it is issued in final form. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this presentation. The views and interpretations expressed in the presentation are those of the presenters and the presentation is not intended to provide accounting or other advice or guidance with respect to the matters covered. For additional information on matters covered in this presentation, contact your Grant Thornton, LLP adviser.

31 Thank you for attending
Visit us online at: twitter.com/grantthorntonus linkd.in/grantthorntonus mobile: