
Applying Risk Assessment to Your Audit Plan

Break-out Session T3, Tuesday, October 26 2:00-2:50pm

Mike Brown
Senior Vice President, Corporate Audit
State Street Corporation
Rich Reynolds
Partner
PricewaterhouseCoopers

Presentation overview

- Transforming your focus on the real risks
- A practical framework for risk assessment
- Open discussion

Transforming your focus on the real risks

Transforming your focus on the real risks

The Credit Crisis has surfaced new challenges for risk management and challenged internal audit to reconsider its role.

- Board oversight. Shareholders are demanding that Boards demonstrably strengthen their oversight of risk management activities.
- No silver bullets in terms of risk management design, methodology or technology. Execution has been the clear differentiator. Timely and effective identification, communication and escalation of issues, combined with clear roles and responsibilities, strong supervisory oversight, and good judgment, have separated the market casualties from the big losers.
- Change management is key to risk management. In general, there has been an overreliance among all firms on objective factors and historical data points. As a result, many firms were on auto pilot and did not identify or appropriately react to changes in market conditions, increases in risk appetite and/or aggressive business strategies.
- Operating style and culture are critical to execution effectiveness:
  - Accountability: clear roles and responsibilities from top to bottom
  - Full transparency: rapid escalation of issues, quick to admit mistakes
  - Attention to detail: applies to all levels
  - Continuous improvement: emphasis on lessons learned from unexpected events (positive or negative)
  - Collegial tension: challenging others is the expected behavior of real partners
  - Leaders of support and control functions have equal stature to front office personnel: no overrides
Page 4

Transforming your focus on the real risks

Are you focused on the real risks?

How value is destroyed in companies: reasons for decreases in shareholder value

  Strategic & Business   68%
  Operational            13%
  Financial              12%
  Compliance              6%

Source: The Future of Internal Audit, Corporate Executive Board, 2010 (see Appendix for breakdown of value decline drivers)

However, a significant percentage of internal audit resources are focused on financial controls in most organizations.

Page 5

Transforming your focus on the real risks

Transformed vs. traditional risk assessment approach

Page 6

Transforming your focus on the real risks

Strategic Alignment of Internal Audit's Plan

Focus should be on processes that are critical to shareholder value:

- Internal Audit scope should be directly linked to the organization's strategic themes and critical processes
- Prioritize Internal Audit resources to audits with potential for greatest impact
- A value driver analysis can be a holistic way of capturing and understanding company business strategy and shareholder value driving activities

The underlying logic is that:

- Financial performance is a result of delivering an attractive customer value proposition
- The combination of value creating activities and core enablers delivers value for customers and shareholders
- The value driver analysis allows Internal Audit to catalog key value drivers and better link audit activities to shareholder value
Page 7

Transforming your focus on the real risks

Using a strategy map

Page 8

Transforming your focus on the real risks

Audit universe is constructed from these critical processes and programs, and key change initiatives

  Process, Programs and Initiatives              Impact on Shareholder Value

  Capital Management
   1. Balance sheet management                    Significant
   2. Liquidity risk management and reporting     Limited
   3. Global cash management                      Significant
   4. Capital allocation and RAPM                 Limited
   5. TARP compliance                             Major
  Customer Service
   6. Off-shored processes                        Limited
   7. Client relationship management              Significant
   8. Lean initiative                             Limited
  Innovation and Branding
   9. Alliance development                        Limited
  10. New product development and launch         Limited
  11. Research and Development                   Significant
  Corporate and Social Responsibility
  12. CSR reporting                              Significant
  13. Labor compliance program                   Significant
  14. Social responsibility program              Significant
  15. Diversity program                          Significant

Audit Priority Matrix (figure): the numbered items above are plotted against Impact on Shareholder Value (Insignificant, Low, Moderate, Major, Critical) and Current Process & Control Maturity (Ad-hoc, Repeatable, Defined, Managed, Optimized), with a "Targeted Improvement" marker; the cell groupings visible in the figure are 7,12; 11; 14,15; 2,6,9; 4,8; 13; 10.

Audit universe is prioritized based on impact on shareholder value drivers, and the current and targeted maturity of the processes, programs and initiatives.
Page 9

A practical framework for risk assessment

A practical framework for risk assessment

Key Considerations for Designing a Risk Assessment Process

There is no one-size-fits-all solution, and no two audit departments have identical processes.

Sample leading practice elements include:

- Top-down versus bottom-up approach
- Macro and micro plan
- Continuous risk assessment and dynamic plan
- Tiered audit scoping approach

Further considerations:

- The solution should focus on resolving known weaknesses without losing current strengths
- High performing audit departments have approaches to address emerging risks and incorporate them into their current audit plans
- Regulatory and other stakeholder expectations must be considered but should not be the sole driver of a solution
- Technology is an enabler, not a solution
- Ultimately, the risk assessment process must align with the company's strategic objectives

Page 11

A practical framework for risk assessment

Establishing the Overall Objectives of the Process

Since there are practical limitations to any approach to assessing risk and developing an audit plan, it is important to establish and prioritize the primary objectives of the process. Some typical objectives include:

- Protecting resources and helping to focus them appropriately (i.e., in areas of high risk)
- Empowering auditors with the appropriate flexibility to decide the right product, at the right time
- Rationalizing the audit universe while ensuring completeness and consistency
- Ensuring convergence: coordinating with other governance and control functions to the extent practical
- Creating a responsive, dynamic planning and risk assessment process
- Promoting more effective relationship management / regular engagement with the business
- Establishing clear linkage among risk assessment, continuous monitoring and audit plan to ensure appropriate coverage
- Increasing efficiency and effectiveness
- Satisfying key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

Page 12

A practical framework for risk assessment

Banks differ in their approaches to risk assessment

  Area                    Attribute*        Description
  Audit Universe          Basis             Objective view of organization taken from other sources
                                            Audit's view of the organization, no formal reconciliation to objective source
                                            Audit's view of organization, reconciliation to objective source
                          Purpose           Audit entity audit
                                            Basis for risk assessment
  Business Risk Rating    Scoring           Formal scoring model with weighting of risk categories
                                            Judgmental based on risk factor and/or category ratings
                          Basis of rating   Inherent risk
                                            Residual risk
  Monitoring Methodology  Process           Formal (established process and outputs)
                                            Informal (process and outputs are ad-hoc or inconsistent)
                                            No business monitoring process (or very light)
  Audit Plan              Frequency         4-year risk based cycle
                                            2-year risk based cycle
                                            Dynamic audit plan
                                            Annual but vary intensity based on risk
                          Products          Dedicated portion of plan devoted to non-traditional products
                                            Limited (or no) portion of plan devoted to non-traditional products

The original table also carries a "# Institutions" column giving, for each description, the number of institutions surveyed that follow it.

* Attributes are mutually exclusive (e.g., a formal scoring model and judgmental-based rating do not align within the same approach)
Page 13

A practical framework for risk assessment

A Sample Risk Assessment Framework

Steps and key considerations:

1. Define Audit Universe
   - Aligns to organization, not audits
   - Ensures completeness of risk coverage
   - Covers legal entities and local jurisdictions

2. Conduct Top-down Analysis
   - Uncovers issues impacting shareholder value
   - Links to strategic objectives
   - Identifies most critical risks
   - Leads to targeted audits, horizontal audits and special projects

3. Conduct Bottom-up Risk Assessment
   - Risk unit priority based on inherent risk and control environment ratings
   - Ratings based on objective guidance judgmentally applied, not a mathematical model
   - Priority drives the frequency and level of intensity

4. Develop Audit Plan
   - Based on prioritized audit universe, top-down analysis, and local regulatory requirements
   - Multiple audit products
   - Coverage will be assessed against a risk priority matrix
   - Analyzed periodically

5. Audit Level Planning
   - Considers output of risk assessment
   - Leverages documented business profile and cumulative knowledge
   - Focuses on risks assessed as high
   - Level of assurance based on risk category ratings

6. Continuous Risk Assessment and Monitoring
   - Encourages changes to plan to focus on emerging risks
   - Mandates regular engagement with the business

Page 14

A practical framework for risk assessment


Defining the Audit Universe

The audit universe will:

- Align to how management views the organization
- Represent a complete and relatively static picture of the company with multiple levels that can be aggregated and drilled down
- Be defined based on Management Committee accountable units to ensure ownership
- Be mapped to other elements (e.g., legal entities, jurisdiction, HR organizational structure) periodically to ensure completeness

Audit entities (risk units):

- Are defined at a level of granularity at which risk can be effectively identified, rated and monitored
- Do not necessarily map 1:1 to audits

Objectives:

- Rationalize universe while ensuring completeness and consistency
- Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

Page 15

A practical framework for risk assessment


Addressing Legal and Regulatory Requirements

Legal entities/jurisdictions requiring independent universe/risk assessment: Global Markets International Limited (England); State Street Management S.A. (Luxembourg); International Fund Services Ireland Limited (Ireland).

Figure: a matrix of audit universe risk units (Securities Finance, Global Human Resources, Global Security, and 97 other risk units) against these legal entities, showing a risk unit impact rating for each combination (High, Medium, Low, or Not Applicable).

Page 16

A practical framework for risk assessment


Conducting a Top-Down Analysis

Phases: Perform Company Analysis; Develop Value Driver Analysis; Evaluate Enterprise Risk Themes.

1. Gather information: A research template will be used as a tool to gather the required information. The tool will highlight relevant points of information to use during the research process. Information will be collected and retained in a central location.
   a. Review External Data: External data points such as SSC's website, company press releases, industry-related articles, and reports will be utilized.
   b. Review Internal Data: Strategic plan, ERM output, compliance and regulatory reports, external auditor management letter comments, and high risk SOX findings will be reviewed to extract significant risk themes.
2. Develop value-driver analysis: Once information has been gathered, the cross-functional team will be able to review relevant information and collectively discuss themes and trends within the organization and industry. This information will be used to complete and update the Value Driver Analysis.
3. Understand and evaluate enterprise risk themes: Meet with key stakeholders to collaboratively discuss key themes and start to form assumptions around the risks associated with the key company initiatives/strategies/etc. Brainstorm potential audit activities considering the risk themes identified and the overall management of risks.

Page 17

A practical framework for risk assessment


Sample Value Driver Analysis

This SAMPLE value driver analysis depicts how a large bank creates value by demonstrating the connection of strategic objectives to underlying activities in cause-and-effect relationships.

Page 18

A practical framework for risk assessment


Evaluating Risk Unit Priority

Phases: Assess Inherent Risk; Assess Control Environment; Determine Risk Unit Priority.

1. Assess inherent risk: Each risk unit's potential impact on the corporation will be assessed by considering the risk unit's inherent risk across risk categories
   a. Risk categories will be rated relative to each other within that risk unit on a 0-5 scale
   b. Risk category ratings will be determined judgmentally by considering (not rating) a series of risk factors for each category
   c. Taking into account each risk unit's rated risk categories, the unit's impact to the entire corporation will be assessed considering three dimensions (financial, reputation/brand, regulatory) on a three-point scale (high, medium, low)
2. Assess control environment: Each risk unit's control environment will be assessed by considering the control effectiveness and culture of the risk unit
   a. Taking into account each risk unit's control effectiveness and culture, the unit's control environment will be assessed on a three-point scale (light, sound, robust)
3. Determine risk unit priority: Risk unit priority will be derived from a matrix of inherent risk and control environment

Page 19

A practical framework for risk assessment

Developing the Audit Plan


Page 20

A practical framework for risk assessment

Audit Level Planning


Audit planning and scoping will:

- Consider output of risk assessment as outlined in SSCA's Audit Methodology and Guidance
- Leverage documented business profile and cumulative knowledge of risk units' business strategies, objectives, and risks
- Focus on risks assessed as high per applicable risk unit
- Involve application of the three levels of assurance (testing, assessment, validation) based on risk category ratings

Objectives:

- Create a responsive, dynamic planning and risk assessment process
- Establish clear linkage among risk assessment, continuous monitoring and audit plan to ensure appropriate coverage
- Empower auditors with the appropriate flexibility to decide the right product, at the right time
- Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

Page 21

A practical framework for risk assessment

Continuous Risk Assessment and Monitoring


Benefits/Attributes

Key attributes:

- Frequency and focus of all three processes will be based on the priority and risks identified for each risk unit.
- Formal process for elevating and reporting output from all three processes.

Continuous risk assessment:

- Periodic update of bottom-up and top-down risk assessment
- Provides early warning of high risk activities
- Can trigger changes to risk assessment and/or audit plan

Continuous monitoring:

- Involves monitoring of KRIs and KPIs
- Provides insights into current performance, changes, emerging risks, etc.
- Can trigger changes to risk assessment and/or an audit

Continuous auditing:

- Can detect control deficiencies
- Can trigger and/or direct additional audit procedures
- Involves independent automated testing (e.g., use of CAATs)
- Findings require management response and remediation

Linkage to audit plan: Business/risk monitoring as required in the audit frequency and intensity matrix ideally entails a well-developed continuous risk assessment and monitoring process for each risk unit.

Page 22

Open discussion

For more information contact

Mike Brown
Senior Vice President

State Street Corporation


617-662-4626
mfbrown@statestreet.com

Rich Reynolds
Internal Audit Partner

PricewaterhouseCoopers LLP
646-471-8559
richard.reynolds@us.pwc.com

Page 24

Appendix: Root Cause Analysis of Large Market Declines

Source: The Future of Internal Audit, Corporate Executive Board, 2010

Page 25
