Audit's Role in Risk Governance


Audit's Role in Risk Governance
Presentation to: Auditors Forum, Spokane, WA, October 12-13, 2016
Jeremy Taylor, Co-CEO, AuditOne, LLC

Risk governance
Takes in an expanding array of functions and responsibilities. Resulting in

Audit's response
Faced with a growing range and complexity of risks, what's an auditor to do?

Components of risk governance
Establish risk culture
Define risk appetite
Construct policies and procedures accordingly
Implement effective controls
Incentives, independence, conflicts of interest
Communication
Measuring, monitoring and reporting risk

Who's responsible?
Ultimately, the Board. Management is responsible for implementing and operating the risk management framework on behalf of the Board, working within Board-established parameters (= risk appetite, limits, objectives, strategy, ...). Audit's core role: provide assurance to the Board and management on the effectiveness of risk management.

How the IIA sees it

Where Audit fits in
Management is responsible for managing risks. Audit's core role is at the back end: reviewing and opining on the effectiveness of management's RM activities. But Audit also has a legitimate role at the front end: assisting in the identification and assessment of risks and in developing appropriate ways to control them. In smaller organizations this secondary role becomes all the more important. But let's start with larger organizations.

The three Lines of Defense (LOD)
The LOD structure is outlined in OCC Bulletin 2014-4a, intended for large organizations (> $50B in assets), but expectations percolate down.
1. Front line
2. Risk management (RM)
3. Internal audit (IA)
Both the 2nd and 3rd LODs should be independent of management and have unrestricted access to the Board (or a Board committee).

LOD responsibilities
The front line (1st LOD) are the takers of risk, and therefore best placed to manage and control it.
RM (2nd LOD) is responsible for working with line units to measure and monitor risk.
IA (3rd LOD) is there to provide assurance to the Board.

The practicalities
A 2nd LOD is not practical for community banks and other smaller organizations. Risk measurement and monitoring are instead shared between IA and the front line. Audit has the cross-organization, cross-risk perspective that front-line units lack. It can help to develop standardized tools and practices for consistent identification and assessment of risks, as well as the requisite controls and monitoring/reporting tools.

Legitimate vs. illegitimate activities
Per the IIA, it is fine for Audit to promote and assist in the development of methodologies for consistent identification and assessment of risks (see below), and to help establish an enterprise-wide approach to managing risks, i.e., ERM. But it is not the responsibility of Audit to determine risk appetite or to allocate RM resources. Nor should it set limits or implement other controls that it audits.

In smaller and/or growing organizations
Audit has the skills, status and perspective to help develop and implement ERM. There is no tidy definition/delineation of ERM, but key components are:
Risk culture, tone at the top, etc. = the purview of the Board and senior executives
A systematic and consistent approach to identifying and assessing all sources of risk
Figuring out how to manage it (see next slide)
Measurement, monitoring and reporting of risk across the organization

How do we manage risk?
1. Avoid it (e.g., exit a business, a product, a client);
2. Control it:
   Policies and (written) procedures
   Limits, guidelines
   An appropriate internal control environment, including:
      Segregation of duties
      Documented approvals and authorizations, to ensure accountability
      Board and management direction, commitment
3. Insure against it; and then, for what's left over:
4. Accept it, price for it, and hold capital against its extreme (low-incidence, high-impact) occurrences.

Managing risk across the organization
For Audit to bring an enterprise-wide perspective doesn't mean telling Credit how to underwrite a loan, telling IT how to configure their servers, etc. It means helping to develop/introduce common tools and practices relevant to all risk types, e.g., putting in place appropriate internal controls (more on this below), sound P&P, useful Board reporting, new methods for risk measurement, etc. Implicit in IIA Standards 2110, 2120.

A feedback loop
Audit has a unique viewpoint from which to understand the organization's risk exposure. Work with the front line to craft RM solutions for specific weaknesses, addressing audit exceptions. Audit results will show what works. An outsourced audit provider can also draw on what works elsewhere (e.g., best practice) and on what regulators are comfortable with. Audit can also bring a sensible, standardized approach to assessing risk.

Risk Assessments
Consider all sources of risk: credit, interest rate, liquidity, operational, strategic, compliance, etc. There are parallels to new product approval, but an ERA should look at everything, at a high level, annually. Risk assessments opine on:
Inherent risk
Residual risk
Residual risk (i.e., taking account of the internal controls in place) will be less than inherent risk if controls are effective. While we're ultimately interested in residual risk, it can be misleading by itself.

A hierarchy of bank Risk Assessments
Enterprise Risk Assessment
   GLBA Risk Asst.
   Elec. Banking Risk Asst.
   Compliance Risk Asst.
      Fair Lending Risk Asst.
      UDAAP Risk Asst.
      Etc.
   Etc.

Inherent vs. residual risk ratings

Factor key: A - Internal Changes; B - External Changes; C - Complexity; D - Staffing; E - Third-Party Reliance; F - Credit Risk Exposure; G - Market Risk Exposure; H - Liquidity Risk Exposure; I - Operational Risk Exposure; J - Legal Risk Exposure; K - Reputational Risk Exposure; L - Compliance Risk Exposure; M - Fraud Risk Exposure; N - Recent Audit and Exam Results. The factor columns are grouped on the slide under Likelihood of Loss Event and Impact of Loss Event.

AUDIT AND SCOPE AREAS             A  B  C  D  E  F  G  H  I  J  K  L  M  INHERENT RISK SCORE  N    RETROSPECTIVE RESIDUAL RISK SCORE
ASSET/LIABILITY MANAGEMENT (ALM)
  Interest Rate Risk              4  5  5  2  5  1  4  2  1  1  1  4  1  2.62                 0.5  1.31
  Liquidity Management            3  5  4  2  2  2  3  5  4  1  1  4  3  3.10                 0.5  1.55
  Investments                     5  4  4  2  3  3  3  2  4  3  1  4  2  3.19                 0.5  1.60
  Capital Management              2  4  3  2  1  1  2  2  1  1  1  3  1  1.81                 0.5  0.90

AUDIT AND SCOPE AREAS             Inherent score / rating   Residual score / rating   (x marks as on the slide)
ASSET/LIABILITY MANAGEMENT (ALM)
  Interest Rate Risk              2.62  High                1.31  Moderate            x x x
  Liquidity Management            3.10  High                1.55  Moderate            x x x
  Investments                     3.19  High                1.60  Moderate            x x x
  Capital Management              1.81  Moderate            0.90  Low                 x

RISK SCORE      RISK RATING
< 1.25          Low
1.25-2.25       Moderate
> 2.25          High

IF INHERENT RISK RATING IS:   AND RESIDUAL RISK RATING IS:   RECOMMENDED AUDIT FREQ.
Low                           Low                            Discretionary
Moderate                      Moderate or Low                Annual to Biennial
High                          Low                            Annual to Biennial
High                          High or Moderate               At Least Annual

Internal controls - Examples
Limits
Segregation of duties
Approval authorities
Dual control
Review and reconciliation activities
Independent call-backs
Required 2-week vacations
Recording (transactions, events)
Physical safeguards

Assessing controls
1. Are controls designed appropriately?
2. Are controls operating effectively?
#2 is backward-looking, i.e., focused on past exceptions and violations. #1 is more forward-looking, i.e., are the right controls in place to prevent future exceptions? An ERA (high-level, cross-bank) generally won't get into controls, but other (function- or product-specific) Risk Assessments will; they'll opine on control design (#1), but assessing the effectiveness of controls (#2) requires audit testing.

Audit planning
Board approval of the annual audit plan. Importance of a risk-based approach. The annual enterprise-wide risk assessment (ERA) should guide audit plan recommendations. Risk assessments for individual products, functions, etc. should guide scope items and testing needs for each audit.

Audit planning (cont'd)
Audit frequency and depth should reflect assessed risk. Likewise, audit technique (e.g., sampling vs. interview, etc.) should be driven by the relative risk of each scope item within an audit. Don't just look at violations/exceptions (= past problems); look also at the design of controls to help avoid future problems.

Audit management
De novos and very small organizations can get away with the CFO or COO as audit liaison. Past about $100 million in assets: typically the Compliance Officer. Independence issues. Past about $500 million (very roughly): a dedicated audit executive. Audit Committee: technically for > $500 million. Outsourcing gives you specialists with current market/industry familiarity; when you need it; cost-effectively; independently.

Summary: A bifurcated role for Audit
First, there's the core assurance role: providing assurance to the Board (and senior executives) that risks are being effectively managed and controlled. This is the 3rd LOD role: an independent reviewer. As auditors we've long emphasized the value added from going beyond findings in our reporting, e.g., corrective action, emerging vulnerabilities, best-practice suggestions, etc. But a bifurcation recognizes a more direct, proactive role.

A facilitator
Audit can play a facilitating (i.e., advice and assistance) role at the front end, to promote adoption of better RM tools and practices. This is particularly relevant in organizations too small/simple to have a 2nd LOD. This means working with the 1st LOD (i.e., the front line) to perform what a 2nd LOD should do. The front line understands the products, clients and markets. Audit understands the interplay of the resultant risks.

Conclusion
The role of audit can and should be broader than the simple ("back end") assurance role. Draw on skills and organizational perspective (i.e., the feedback loop) to enhance RM at the front end: not to be managing risks, but to help develop the RM framework (ERM approach). Recognize that good RM can be a source of competitive advantage: strengthen/stabilize financial performance and build capital via an enhanced reputation with regulators, investors and customers.

Appendix: Overview of AuditOne LLC

AuditOne: Who We Are
A high-quality, cost-effective provider of outsourced internal audit and credit review services, plus related advisory work. Over 250 clients nationally, most of them community banks or credit unions and based mainly in the Western states. We are the largest firm in the Western US focused on internal audit services for FIs. Over 40 professional employees, with a broad and deep range of banking expertise. Our staff averages 20+ years of relevant experience.

A Full-Service Menu
Five practice areas:
Credit/ALLL
Compliance/BSA
IT/IS
Operations/Administration
Asset/Liability Management
We also offer advisory services (via our affiliate, Insight Risk Consulting), as well as set-up and testing for both Sarbanes-Oxley Section 404 and FDICIA 36.

Our Management Team
Bud Genovese, Chairman
Jeremy Taylor, Co-CEO (Northern clients)
Kevin Watson, Co-CEO (Southern clients)
Celeste Burton, Compliance Practice Director
Gary Andreini, Operations Practice Director
Kevin Tsuei, Technology Practice Co-Director
Robb Kluba, Technology Practice Co-Director
Angela Canda, Office Manager

How to Reach Us
Northern office: 408-980-8099
Southern office: 562-802-3581
jeremy.taylor@auditonellc.com, 949-981-0420
kevin.watson@auditonellc.com, 562-455-6979
bud.genovese@auditonellc.com, 408-691-6844