Audit's Role in Risk Governance
Presentation to: Auditors Forum, Spokane, WA, October 12-13, 2016
Jeremy Taylor, Co-CEO, AuditOne, LLC

Risk governance
Takes in an expanding array of functions and responsibilities. Resulting in ...

Audit's response
Faced with a growing range and complexity of risks, what's an auditor to do?
Components of risk governance
- Establish risk culture
- Define risk appetite
- Construct policies and procedures accordingly
- Implement effective controls
- Incentives, independence, conflicts of interest
- Communication
- Measuring, monitoring and reporting risk

Who's responsible?
- Ultimately, the Board.
- Management is responsible for implementing and operating the risk management framework on behalf of the Board, working within Board-established parameters (= risk appetite, limits, objectives, strategy, ...).
- Audit's core role: provide assurance to the Board and management on the effectiveness of risk management.

How the IIA sees it

Where Audit fits in
- Management is responsible for managing risks.
- Audit's core role is at the back end: reviewing and opining on the effectiveness of management's RM activities.
- But Audit also has a legitimate role at the front end: assisting in the identification and assessment of risks and in developing appropriate ways to control them.
- In smaller organizations this secondary role becomes all the more important.
- But let's start with larger organizations ...
The three Lines of Defense (LOD)
The LOD structure is outlined in OCC Bulletin 2014-4a, intended for large organizations (> $50B assets), but expectations percolate down.
1. Front line
2. Risk management (RM)
3. Internal audit (IA)
Both the 2nd and 3rd LODs should be independent of management and have unrestricted access to the Board (or a Board committee).

LOD responsibilities
- Front line (1st LOD) are the takers of risk, and therefore best placed to manage and control it.
- RM (2nd LOD) is responsible for working with line units to measure and monitor risk.
- IA (3rd LOD) is there to provide assurance to the Board.

The practicalities
- A 2nd LOD is not practical for community banks and other smaller organizations.
- Risk measurement and monitoring are instead shared between IA and the front line.
- Audit has the cross-organization, cross-risk perspective that front-line units lack. It can help to develop standardized tools and practices for consistent identification and assessment of risks, as well as the requisite controls and monitoring/reporting tools.
Legitimate vs. illegitimate activities
- Per the IIA, it is fine for Audit to promote and assist in the development of methodologies for consistent identification and assessment of risks (see below). Also to help establish an enterprise-wide approach to managing risks, i.e., ERM.
- But it is not the responsibility of Audit to determine risk appetite or to allocate RM resources. Nor should it set limits or implement other controls that it audits.
In smaller and/or growing organizations
- Audit has the skills, status and perspective to help develop and implement ERM.
- No tidy definition/delineation of ERM, but key components are:
  - Risk culture, tone at the top, etc. (= the purview of the Board and senior executives)
  - Systematic and consistent approach to identifying and assessing all sources of risk
  - Figuring out how to manage it (see next slide)
  - Measurement, monitoring and reporting of risk across the organization
How do we manage risk?
1. Avoid it (e.g., exit a business, a product, a client);
2. Control it:
   - Policies and (written) procedures
   - Limits, guidelines
   - Appropriate internal control environment, including:
     - Segregation of duties
     - Documented approvals and authorizations, to ensure accountability
     - Board and management direction, commitment
3. Insure against it; and then, for what's left over:
4. Accept it, price for it, and hold capital against its extreme (low-incidence, high-impact) occurrences.
Managing risk across the organization
- For Audit to bring an enterprise-wide perspective doesn't mean telling Credit how to underwrite a loan, telling IT how to configure their servers, etc.
- It means helping to develop/introduce common tools and practices relevant to all risk types, e.g., putting in place appropriate internal controls (more on this below), sound P&P, useful Board reporting, new methods for risk measurement, etc.
- Implicit in IIA Standards 2110, 2120.
A feedback loop
- Audit has a unique viewpoint from which to understand the organization's risk exposure.
- Work with the front line to craft RM solutions for specific weaknesses, addressing audit exceptions.
- Audit results will show what works.
- An outsourced audit provider can also draw on what works elsewhere (e.g., best practice) and on what regulators are comfortable with.
- Audit can also bring a sensible, standardized approach to assessing risk ...

Risk Assessments
- Consider all sources of risk: credit, interest rate, liquidity, operational, strategic, compliance, etc.
- Parallels to new product approval. But the ERA should look at everything, at a high level, annually.
- Risk assessments opine on:
  - Inherent risk
  - Residual risk
- Residual risk (i.e., taking account of internal controls in place) will be less than inherent risk if controls are effective.
- While we're ultimately interested in residual risk, it can be misleading by itself.

A hierarchy of bank Risk Assessments
Enterprise Risk Assessment
  - GLBA Risk Assessment
  - Electronic Banking Risk Assessment
  - Compliance Risk Assessment
    - Fair Lending Risk Assessment
    - UDAAP Risk Assessment
    - Etc.
  - Etc.
Inherent vs. residual risk ratings

Factor key: A - Internal Changes; B - External Changes; C - Complexity; D - Staffing; E - Third-Party Reliance; F - Credit Risk Exposure; G - Market Risk Exposure; H - Liquidity Risk Exposure; I - Operational Risk Exposure; J - Legal Risk Exposure; K - Reputational Risk Exposure; L - Compliance Risk Exposure; M - Fraud Risk Exposure; N - Recent Audit and Exam Results.

Worksheet column groups: AUDIT AND SCOPE AREAS; Likelihood of Loss Event; Impact of Loss Event; INHERENT RISK SCORE; RETROSPECTIVE RESIDUAL RISK SCORE.

Scoring worksheet, ASSET/LIABILITY MANAGEMENT (ALM):

  Scope area             A  B  C  D  E  F  G  H  I  J  K  L  M   Inherent   N    Residual
  Interest Rate Risk     4  5  5  2  5  1  4  2  1  1  1  4  1   2.62       0.5  1.31
  Liquidity Management   3  5  4  2  2  2  3  5  4  1  1  4  3   3.10       0.5  1.55
  Investments            5  4  4  2  3  3  3  2  4  3  1  4  2   3.19       0.5  1.60
  Capital Management     2  4  3  2  1  1  2  2  1  1  1  3  1   1.81       0.5  0.90

Resulting ratings, ASSET/LIABILITY MANAGEMENT (ALM) (x marks as on the slide):

  Scope area             Inherent  Rating    Residual  Rating
  Interest Rate Risk     2.62      High      1.31      Moderate   x x x
  Liquidity Management   3.10      High      1.55      Moderate   x x x
  Investments            3.19      High      1.60      Moderate   x x x
  Capital Management     1.81      Moderate  0.90      Low        x

Rating scale:

  RISK SCORE   RISK RATING
  < 1.25       Low
  1.25-2.25    Moderate
  > 2.25       High

Recommended audit frequency:

  IF INHERENT RISK RATING IS:   AND RESIDUAL RISK RATING IS:   RECOMMENDED AUDIT FREQ.
  Low                           Low                            Discretionary
  Moderate                      Moderate or Low                Annual to Biennial
  High                          Low                            Annual to Biennial
  High                          High or Moderate               At Least Annual
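As an added example (not from the presentation or AuditOne's own tooling), the worksheet's rating logic in Python: the residual score as inherent score times factor N, which reproduces the slide's figures, the 1.25/2.25 rating scale, and the audit-frequency matrix. It assumes that a score of exactly 2.25 rates Moderate and that factor N cannot exceed 1.0, neither of which the slide states.

```python
from dataclasses import dataclass

# Rating scale from the slide: < 1.25 Low, 1.25-2.25 Moderate, > 2.25 High.
# Assumption: a score of exactly 2.25 counts as Moderate (boundary unstated).
def rate(score: float) -> str:
    if score < 1.25:
        return "Low"
    if score <= 2.25:
        return "Moderate"
    return "High"

# Recommended audit frequency from the slide, keyed by (inherent, residual) rating.
FREQUENCY = {
    ("Low", "Low"): "Discretionary",
    ("Moderate", "Moderate"): "Annual to Biennial", ("Moderate", "Low"): "Annual to Biennial",
    ("High", "Low"): "Annual to Biennial",
    ("High", "High"): "At Least Annual", ("High", "Moderate"): "At Least Annual",
}

@dataclass
class ScopeArea:
    name: str
    inherent: float     # inherent risk score (weighted from factors A-M on the slide)
    exam_factor: float  # factor N: recent audit and exam results

def assess(area: ScopeArea) -> dict:
    # Assumption: residual = inherent x factor N; this reproduces the slide's
    # figures (2.62 x 0.5 = 1.31). A factor above 1.0 would make residual risk
    # exceed inherent risk, which the worksheet does not contemplate.
    if not 0.0 <= area.exam_factor <= 1.0:
        raise ValueError(f"factor N out of range for {area.name}")
    residual = area.inherent * area.exam_factor
    key = (rate(area.inherent), rate(residual))
    if key not in FREQUENCY:  # guard against a pairing the matrix does not cover
        raise ValueError(f"no recommended frequency for {key} ({area.name})")
    return {"name": area.name, "inherent": area.inherent, "inherent_rating": key[0],
            "residual": residual, "residual_rating": key[1], "frequency": FREQUENCY[key]}

# The four ALM scope areas exactly as scored on the slide's worksheet.
ALM_AREAS = [
    ScopeArea("Interest Rate Risk", 2.62, 0.5),
    ScopeArea("Liquidity Management", 3.10, 0.5),
    ScopeArea("Investments", 3.19, 0.5),
    ScopeArea("Capital Management", 1.81, 0.5),
]

def audit_plan(areas=ALM_AREAS) -> list:
    """Run every scope area through the worksheet logic."""
    return [assess(a) for a in areas]
```

Running audit_plan() yields At Least Annual for the three High/Moderate areas and Annual to Biennial for Capital Management (Moderate/Low), matching the x marks on the slide.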
Internal controls: examples
- Limits
- Segregation of duties
- Approval authorities
- Dual control
- Review and reconciliation activities
- Independent call-backs
- Required 2-week vacations
- Recording (transactions, events)
- Physical safeguards

Assessing controls
1. Are controls designed appropriately?
2. Are controls operating effectively?
- #2 is backwards-looking, i.e., focused on past exceptions, violations. #1 is more forward-looking, i.e., are the right controls in place to prevent future exceptions?
- An ERA (high-level, cross-bank) generally won't get into controls, but other (function- or product-specific) Risk Assessments will; they'll opine on control design (#1), but assessing effectiveness of controls (#2) requires audit testing.

Audit planning
- Board approval of annual audit plan.
- Importance of a risk-based approach.
- The annual enterprise-wide risk assessment (ERA) should guide audit plan recommendations.
- Risk assessments for individual products, functions, etc. should guide scope items and testing needs for each audit.

Audit planning, cont'd
- Audit frequency and depth should reflect assessed risk.
- Likewise, audit technique (e.g., sampling vs. interview, etc.) should be driven by the relative risk of each scope item within an audit.
- Don't just look at violations/exceptions (= past problems); look also at the design of controls to help avoid future problems.

Audit management
- De novos and very small organizations can get away with the CFO or COO as audit liaison.
- Past about $100 million in assets: typically the Compliance Officer. Independence issues.
- Past about $500 million (very roughly): a dedicated audit executive.
- Audit Committee: technically for > $500 million.
- Outsourcing: gives you specialists with current market/industry familiarity; when you need it; cost-effectively; independently.
Summary: A bifurcated role for Audit
- First, there's the core assurance role: providing assurance to the Board (and senior executives) that risks are being effectively managed and controlled. This is the 3rd LOD role: an independent reviewer.
- As auditors we've long emphasized the value added from going beyond findings in our reporting, e.g., corrective action, emerging vulnerabilities, best-practice suggestions, etc.
- But a bifurcation recognizes a more direct, proactive role ...

A facilitator
- Audit can play a facilitating (i.e., advice and assistance) role at the front end, to promote adoption of better RM tools and practices.
- This is particularly relevant in organizations too small/simple to have a 2nd LOD. This means working with the 1st LOD (i.e., the front line) to perform what a 2nd LOD should do.
- The front line understands the products, clients and markets. Audit understands the interplay of the resultant risks.

Conclusion
- The role of audit can and should be broader than the simple ("back end") assurance role.
- Draw on skills and organizational perspective (i.e., the feedback loop) to enhance RM at the front end: not to be managing risks, but to help develop the RM framework (ERM approach).
- Recognize that good RM can be a source of competitive advantage: strengthen/stabilize financial performance and build capital via enhanced reputation with regulators, investors, customers.
Appendix: Overview of AuditOne LLC

AuditOne: Who We Are
- A high-quality, cost-effective provider of outsourced internal audit and credit review services, plus related advisory work.
- Over 250 clients nationally, most of them community banks or credit unions and based mainly in the Western states.
- We are the largest firm in the Western US focused on internal audit services for FIs.
- Over 40 professional employees, with a broad and deep range of banking expertise. Our staff averages 20+ years of relevant experience.

A Full-Service Menu
Five practice areas:
- Credit/ALLL
- Compliance/BSA
- IT/IS
- Operations/Administration
- Asset/Liability Management
We also offer advisory services (via our affiliate, Insight Risk Consulting), as well as set-up and testing for both Sarbanes-Oxley Section 404 and FDICIA 36.

Our Management Team
- Bud Genovese, Chairman
- Jeremy Taylor, Co-CEO (Northern clients)
- Kevin Watson, Co-CEO (Southern clients)
- Celeste Burton, Compliance Practice Director
- Gary Andreini, Operations Practice Director
- Kevin Tsuei, Technology Practice Co-Director
- Robb Kluba, Technology Practice Co-Director
- Angela Canda, Office Manager

How to Reach Us
Northern office: 408-980-8099
Southern office: 562-802-3581
jeremy.taylor@auditonellc.com, 949-981-0420
kevin.watson@auditonellc.com, 562-455-6979
bud.genovese@auditonellc.com, 408-691-6844