Office of the Superintendent of Financial Institutions

Similar documents
Office of the Superintendent of Financial Institutions. Internal Audit Report on Supervision Sector: Deposit Taking Group - Conglomerates

Assessment of the Design Effectiveness of Entity Level Controls. Office of the Chief Audit Executive

Follow-up Audit of the CNSC Performance Measurement and Reporting Frameworks, November 2011

INTERNAL AUDIT OF PROCUREMENT AND CONTRACTING

Audit Report. Audit of Contracting and Procurement Activities

Internal Audit of Compensation and Benefits

ARCHIVED Audit of Risk Management

Audit of Public Participation and Consultation Activities. The Audit and Evaluation Branch

Internal Controls. June-20-17

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Audit of Travel and Hospitality

Indigenous and Northern Affairs Canada. Internal Audit Report. Audit of Performance Measurement. Prepared by: Audit and Assurance Services Branch

Audit of Staffing and Classification

Self Assessment Workbook

Risk management. Risk management system

SENIOR MANAGEMENT ASSESSMENT CRITERIA1

Audit of the Movable Cultural Property Program

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français.

Performance Measurement Audit

Internal Audit. Audit of Procurement and Contracting

International Standard on Auditing (Ireland) 315

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Procurement and Contracting Operations Audit

Internal Oversight Division. Audit Report. Audit of Enterprise Risk Management

Self Assessment Workbook

Main points Background Our audit objective and conclusions Managing for results key findings...243

Charter for Group Internal Audit. Approved by the Chairman on behalf of the Board of Directors on 18 January 2018.

Justice Canada. Audit of Cost Recovery Process Improvement (CRPI) Initiative Phase 1. Audit Report. Internal Audit Services.

Review of the management of data quality in the My Government of Canada Human Resources system. Office of Audit and Evaluation

Implementation Tool for Auditors

These are the primary functions of the Board, and should be the main focus of the Board s attention and activities.

Audit of Entity Level Controls

REPORT 2016/033 INTERNAL AUDIT DIVISION

AUDIT COMMITTEE HANDBOOK

Director s Draft Report

APPENDIX 3 LOCAL CODE OF GOVERNANCE

International Standard on Auditing (UK) 315 (Revised June 2016)

SP v1 INTERNAL CONTROL POLICY

IAASB Main Agenda (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

Auditor General s Office APPENDIX 1 REVIEW OF INFORMATION TECHNOLOGY TRAINING. October 30, 2009

International Standard on Auditing (Ireland) 402 Audit Considerations Relating to an Entity using a Service Organisation

2013 New COSO 2013 Framework and Current Trends in Risk Management

Final May Corporate Governance Guideline

International Standard on Auditing (UK) 220 (Revised June 2016)

Statement on Risk Management and Internal Control

Sample Corporate Risk Management Policy

STATE OF INTERNAL AUDIT 2013

Audit and Advisory Services Integrity, Innovation and Quality

COMPLIANCE MANAGEMENT FRAMEWORK FOR VICTORIA UNIVERSITY

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

20 Years in the Making. Meet the New ICIF: Revisions to COSO s Internal Control Integrated Framework. Dr. Sandra Richtermeyer COSO Board Member

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS

Integrated Business Planning Audit

Customer Support Group (CSG) Invoicing and Monitoring Arrangements. April 2016

Monetary Appraisal of Acquisitions

Horizontal audit of the Public Services and Procurement Canada investigation management accountability framework

Audit and Risk Committee Charter

Audit of Weighing Services. Audit and Evaluation Services Final Report Canadian Grain Commission

Audit of the Initiation Phase of the New Bridge for the St. Lawrence Corridor (NBSLC) Project

Audit of Business Continuity Planning (BCP) Audit and Evaluation Branch

Practice Advisory : Quality Assurance and Improvement Program

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER

Risk management framework: compliance risk policy

SRI LANKA AUDITING STANDARD 315 (REVISED)

Toyota Financial Services (South Africa) Limited: King III Principles

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Boards and internal audit: Working together to strengthen risk management

Audit of the Management of Projects within Employment and Social Development Canada

NOT PROTECTIVELY MARKED. Item Number 5.10 Gary Devlin, Partner, Scott- Moncrieff Recommendation to Members Members are requested to note the report.

Business development companies

Audit and Advisory Services Integrity, Innovation and Quality. Audit of Internal Controls over Financial Reporting

Internal Control Policy of IDGC of Centre, JSC

Hiring and Staff: An Effective Internal Department

SANTAM GROUP RISK COMMITTEE CHARTER

CITIBANK N.A JORDAN. Governance and Management of Information and Related Technologies Guide

Compliance Monitoring and Enforcement Program Implementation Plan. Version 1.7

The Corporation of the City of London Building Permit Review Internal Audit Report

FDICIA Reporting for Financial Institutions. Reporting Changes Under Part 363 and SAS 130

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

PRIVY COUNCIL OFFICE. Audit of PCO s Accounts Payable Function. Final Report

BOM / BSD 7 /April 2001 BANK OF MAURITIUS. Guideline on Corporate Governance

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

Audit of Human Resources Planning

Canadian Insurance Accountants Association

Risk Management 23RD SESSION OF THE STANDING COMMITTEE ON PROGRAMMES AND FINANCE AGENDA ITEM 7

COMMISSION OF THE EUROPEAN COMMUNITIES COMMUNICATION TO THE COMMISSION

Beyond compliance. Gaining competitive advantage through risk data excellence

Audit and Advisory Services Integrity, Innovation and Quality

Chapter 13 Prairie South School Division No. 210 Equipping the Board with Knowledge and Competencies to Govern 1.0 MAIN POINTS

A guide to assessing your risk data aggregation strategies. How effectively are you complying with BCBS 239?

IAASB CAG Public Session (March 2016) Agenda Item. Initial Discussion on the IAASB s Future Project Related to ISA 315 (Revised) 1

International Standard on Auditing (Ireland) 300. Planning an Audit of Financial Statements

PERFORMANCE REVIEW INTERNAL CONTROL REVIEW OF THE PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD S OFFICE OF CHIEF AUDITOR (IOPA )

Guideline. Operational Risk Management. Category: Sound Business and Financial Practices. No: E-21 Date: June 2016

ANNUAL GOVERNANCE STATEMENT 2016/17 AUDIT AND RISK COMMITTEE. 28 March Report by Chief Executive

Quality Assurance in Internal Audit. Standard on Internal Audit (SIA) 7

Canada. Internal Audit Charter 1+1. Canadian Nuclear Safety Commission. Office of Audit and Ethics. April 18, 2011

AUDITING. Auditing PAGE 1

Transcription:

Office of the Superintendent of Financial Institutions Internal Audit Report on Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) February 2013

Table of Contents 1. Background... 3 2. Audit Objective, Scope and Approach... 5 3. Conclusion... 7 4. Management Response... 8 5. Observations and Recommendations... 9 Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 2 of 12

1. Background Introduction Internal Audit conducts assurance work to determine whether the Office of the Superintendent of Financial Institutions Canada s (OSFI s) risk management, control, and governance processes, as designed and represented by management, are adequate and functioning in a manner to ensure risks are appropriately identified and managed, and to ensure compliance with such requirements as policies, plans, procedures and applicable laws and regulations. The audit of the Supervision Support Group - Capital Markets & Risk Assessment Services (SSG - CMRAS) was approved by the OSFI Audit Committee and the Superintendent for inclusion in the OSFI 2012 to 2013 Internal Audit Plan. This report presents the results of that audit based on audit work completed at the end of December 2012. The audit recommendations will support the CMRAS group to continuously improve their control framework for identifying and assessing market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs). This report was presented to the OSFI Audit Committee and approved by the Superintendent on February 20, 2013. The Deputy Superintendent, Supervision Sector; the Senior Director - Supervision Support Group (SSG); and CMRAS Senior Management, who have provided their management comments within this report, have also reviewed it. Context Overview Why this is important CMRAS is one of the six teams within the Supervision Support Group (SSG) that supports the Relationship Management (RM) teams in the Supervision Sector. In conjunction with the RM teams for the Federally Regulated Financial Institutions (FRFIs), CMRAS supports OSFI s mandate of protecting depositors and policyholders from undue loss by carrying out regular monitoring, on-site reviews, and early intervention activities at the FRFIs, with respect to market and liquidity risks and the associated capital requirements. Objectives of CMRAS Capital Markets & Risk Assessment Services (CMRAS) mandate and activities directly support OSFI s legislative mandate of a. supervising Federally Regulated Financial Institutions (FRFIs); and b. monitoring and evaluating system-wide or sectoral events that may impact FRFIs. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 3 of 12

1. Background, Continued Objectives of CMRAS (Continued) CMRAS mandate includes: Identifying emerging market and liquidity risks and communicating them internally within OSFI (e.g. to the Emerging Risks Committee; or to the Supervision Sector s RM teams) and externally to OSFI s Financial Institutions Supervisory Committee (FISC) partners and/ or directly to the FRFIs. Identifying acceptable practices for market and liquidity risk mitigation, and, in conjunction with the RM teams, encouraging their adoption by the FRFIs. Working with other (international and domestic) regulators to share and to harmonize supervisory and regulatory practices, with respect to market and liquidity risk issues. Working with OSFI s Regulation Sector to develop effective rules, guidelines and frameworks with respect to the oversight and effectiveness of controls over market and liquidity risks at the FRFIs. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 4 of 12

2. Audit Objective, Scope and Approach Audit Objective The objective of the audit was to provide reasonable assurance that CMRAS control framework for identifying and assessing market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs) is adequately designed and operating as intended: to support the Relationship Management (RM) teams in their supervision of the FRFIs; and to monitor and to evaluate system-wide or sectoral issues relating to market and/ or liquidity risks. Audit Scope The scope of the audit is for the period October 01, 2011 to June 30, 2012. One of the key principles of OSFI s Supervisory Framework is a risk-based approach to supervision, focusing on material risks to a FRFI. CMRAS adherence to this principle results in them spending approximately 50% of their time on the monitoring reviews, of which a significant proportion of that time is spent for the RM teams in the Deposit Taking Group - Conglomerates (DTG-C) and the Life Insurance Group - Conglomerates (Lifeco). As a result, our audit focused on the monitoring reviews that CMRAS performed for the DTG-C and Lifeco groups over the three quarter-ends during the audit period. The scope of the audit included: a) The institution-specific, quarterly reviews that result in the section notes on the FRFIs Quarterly Executive Reports (QERs); b) The deposit-taking industry-wide, monthly Liquidity Summary Reviews (LSRs); and c) The industry-wide, Quarterly Monitoring Interim Reviews (QMIRs). For the above CMRAS reviews, IA assessed that 1. the flow of the documentation clearly support the analysis, rationale, conclusions and key messages delivered by CMRAS; and 2. quality control (QC) reviews on the work, analyses and reports are effectively performed at the appropriate levels on a timely basis. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 5 of 12

2. Audit Objective, Scope and Approach, Continued Audit Approach The audit was conducted in accordance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board s Policy on Internal Audit. The SSG CMRAS audit was predominantly conducted by leveraging the internationally recognized Enterprise Risk Management Integrated Framework recommended by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The approach to conducting the audit included: walkthrough of the processes used by CMRAS during their reviews (from the data inputs, to the analysis, to the QC reviews and eventual communication to the appropriate stakeholders); detailed testing of selected documentation supporting CMRAS processes; and discussions/ interviews with key personnel and stakeholders. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 6 of 12

3. Conclusion Conclusion The Capital Markets & Risk Assessment Services (CMRAS) group has a control framework that is adequately designed and operating to enable OSFI to identify and to assess market and liquidity risks at the Federally Regulated Financial Institutions (FRFIs). Opportunities for improvements exist to enhance the effectiveness of CMRAS control framework and should be undertaken for its continued assurance. Roles/ responsibilities; authorities; and a structure for monitoring, managing and reporting risks/issues are generally defined and are operational. Process and control activities exist for engaging key stakeholders, with decision and control points being in place to identify, assess and communicate key messages and potentially emerging industry-wide or institution-specific risks. Internal Audit has identified opportunities for improvement, where CMRAS can further strengthen its processes and controls framework as follows: Enhance its quarterly monitoring process to demonstrate that CMRAS has discussed with the Relationship Management (RM) team and has reached agreement on the applicable FRFI risk assessments. Consult with the Practices Division to determine the best practices for Quality Control (QC) reviews, including an understanding of the requirements to demonstrate that the QC reviews have been effectively performed. In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the opinion provided and contained in this report. The opinion is based on a comparison of the conditions, as they existed at the time, against pre-established audit criteria that were agreed on with management. The opinion is applicable only to the entity examined. The evidence was gathered in compliance with Treasury Board policy, directives and standards on internal audit, and the procedures used meet the professional standards of the Institute of Internal Auditors. The evidence has been gathered to be sufficient to provide senior management with the proof of the opinion derived from the internal audit. We wish to recognize the excellent rapport and exchange of views with all involved in the audit. The depth of the review and focusing on what matters would not have been possible without the support received throughout the audit. Chief Audit Executive, IA Date Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 7 of 12

4. Management Response Overview This report has been reviewed by the Managing Director, Capital Markets Risk Assessment Services (CMRAS), the Senior Director, Capital Markets and Model Analytics, and the Senior Director, SSG, who acknowledge its observations and recommendations. The recommendations will support CMRAS in continuing efforts to enhance and improve documentation and process as needed. Responses / Comments We thank the audit team for their detailed review of the supervisory work of CMRAS. We are in agreement with the findings of the audit. We note significant work was in progress to address the audit findings prior to the commencement of the audit. CMRAS is committed to addressing the recommendations outlined in this report, and has made substantial progress to date in improving the quality assurance processes, and data management/integrity controls and processes. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 8 of 12

5. Observations and Recommendations Governance, roles and responsibilities a. CMRAS has a Governance framework, outlining key roles and responsibilities. b. CMRAS has established a management oversight structure over their monitoring reviews of a Federally Regulated Financial Institution (FRFI). Processes and Controls a. CMRAS has a process for performing their periodic monitoring reviews of the FRFIs. b. CMRAS has a reasonable approach for performing environmental scans to identify potentially emerging issues related to their areas of technical expertise. c. CMRAS has a process for monitoring potentially emerging industry-wide or institution-specific risks related to their areas of technical expertise. Information and communication, including reporting a. The appropriate stakeholders are generally engaged when information is gathered, analyzed and followed-up. b. CMRAS is appropriately represented during the key internal quarterly meetings with the Relationship Management (RM) teams, other Supervision Support Groups (SSGs) and the Executive. c. Open and timely channels of communication exist among staff within the CMRAS team. d. IA noted significant positive feedback from some of CMRAS key stakeholders with respect to their accessibility, open communications style and timeliness of delivery of their outputs. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 9 of 12

5. Observations and Recommendations, Continued Observation #1: Quarterly Monitoring Reviews of the FRFIs OSFI s Supervisory Framework states: Supervision involves assessing the safety and soundness of FRFIs, providing feedback as appropriate, and using powers for timely intervention where necessary. The supervision of Canadian financial institutions is conducted on a consolidated basis, which involves an assessment of all of a FRFI s material entities (including all subsidiaries, branches and joint ventures), both in Canada and internationally. OSFI designates a relationship manager (RM) for each FRFI. The RM is responsible for maintaining an up-to-date risk assessment of the FRFI. Specialists and other staff within OSFI help support this work. The RM is the main point of contact for the FRFI. In support of the RM s risk assessment of the FRFIs, CMRAS conducts monitoring reviews of the FRFI s market and liquidity risks. At the end of their monitoring process, CMRAS will prepare and submit a Quarterly Monitoring Note to the Relationship Management (RM) Supervisory team. This Monitoring Note includes CMRAS recommended market risk ratings for a particular business activity in the FRFI; and key conclusions or messages arising from CMRAS monitoring review of the FRFI for the quarter. CMRAS then meets with the relevant RM team to discuss both groups perspectives on the risk ratings and conclusions. If there are any unresolved differences in professional opinions for the market risk ratings between CMRAS and the RM team, then further consultation is to be held with Senior and/ or Executive management, as appropriate. Once CMRAS and the RM team agree on the market risk ratings, the RM team updates their risk matrix for the FRFI and their supervisory documentation supporting the risk ratings, with CMRAS inputs. OSFI s Supervisory Framework: The purpose of the risk matrix is to facilitate a holistic risk assessment of a FRFI, resulting in a Composite Risk Rating (CRR). The CRR is OSFI s assessment of the safety and soundness of the FRFI, with respect to its depositors and policyholders. IA noted instances where CMRAS recommended market risk rating for a particular business activity in the FRFI was different (i.e. worse) from the rating used by the RM Supervisory team on their risk matrix for the FRFI. It was not clear if CMRAS had discussed their rationale and agreed their recommended market risk rating for this specific business activity with the RM team. For the instances noted, the overall assessment and resultant supervisory strategy for the FRFI s business activity was not impacted. If the risk assessments on the matrix are incomplete or inaccurate, then the supervisory strategy for the FRFI s business activity may not be appropriate and emerging issues evolving from that activity could therefore be potentially overlooked. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 10 of 12

5. Observations and Recommendations, Continued Recommendation #1 The Supervision Working Agreement & Principles (SWAP) outlines guidelines with roles and responsibilities for better coordination of work and more effective communications between the Supervisory Relationship Management (RM) teams for the Deposit Taking Group - Conglomerates (DTG-C) and the SSG groups. Roles and responsibilities of the RM team and SSG are outlined in Appendix A of the SWAP. Section B.2 requires a virtual sign off by both the RM team and SSG on the monitoring note, with respect to the issues and topics relating to the SSG s area of expertise for the risk being assessed. In keeping with the spirit of the SWAP, CMRAS should demonstrate that they have fulfilled their roles and responsibilities by improving their process for quarterly monitoring reviews as follows: implement a consistent process to demonstrate agreement with the RM supervisory teams on the risk assessments, ratings and conclusions for the FRFI, relating to their areas of technical expertise; and perform quality control checks at the end of the quarterly monitoring review period to ensure that their judgments and recommended risk ratings are aligned with the final key messages for their areas of technical expertise, which the RM teams summarize for all of the Supervision Support Groups (SSGs). Observation #2: Quality Control (QC) reviews Quality Control (QC) is a key component of the supervisory process and active oversight is required at each step in the supervisory process to ensure: the completeness and accuracy of the work performed; that the supervisory documentation is sufficiently clear to support any final conclusions, judgments or professional opinions that may result from the underlying detailed analytical work. The QC reviews such as peer reviews and the one-up line reviews of CMRAS work and reports were not always effective at ensuring the completeness and accuracy of the data used by CMRAS during their analyses. During the audit, IA noted a number of immaterial instances where the wrong data was used by CMRAS in their detailed analytical work. Although the impact of these specific errors, both individually and cumulatively were immaterial, going forward these types of errors can, individually and cumulatively, be potentially material and hence can potentially result in the wrong conclusions being reached from CMRAS assessments, with the wrong key messages being identified and communicated. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 11 of 12

5. Observations and Recommendations, Continued Observation #2: Quality Control (QC) reviews (Continued) Over the course of the audit fieldwork, IA noted that CMRAS made an effort to preserve data integrity by making their analytical tool more user-friendly and providing more instructions to assist with the data entry. Recommendation #2 Typical controls to mitigate data errors on analytical tools include a combination of preventative controls at the front end during data entry and detective controls at the back end, as part of a quality control or peer review of the data inputs. For CMRAS overall QC process, IA recommends that CMRAS: consult with the Supervision Sector s Practices Division to determine the best practices on effective QC reviews for the nature of the work, documentation and reports that CMRAS produces, including an understanding of the requirements to demonstrate that the QC reviews have been performed; roll out training within the team to ensure that QC standards and expectations are understood; and consider further improvements in data entry to minimize the need for manual intervention. Audit Report on: Supervision Support Group Capital Markets & Risk Assessment Services (SSG-CMRAS) Page 12 of 12

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback