Mike Brown
Senior Vice President, Corporate Audit
State Street Corporation
Rich Reynolds
Partner
PricewaterhouseCoopers
Presentation overview
The Credit Crisis has surfaced new challenges for risk management and challenged internal audit to reconsider its role.
Board oversight. Shareholders are demanding that Boards demonstrably strengthen their oversight of risk management activities.
No Silver Bullets in terms of risk management design, methodology or technology. Execution has been the clear differentiator. Timely and effective identification, communication and escalation of issues, combined with clear roles and responsibilities, strong supervisory oversight, and good judgment, have separated the market casualties from the big losers.
Change management is key to risk management. In general, there has been an overreliance among all firms on objective factors and historical data points. As a result, many firms were on autopilot and did not identify or appropriately react to changes in market conditions, increases in risk appetite and/or aggressive business strategies.
Operating style and culture are critical to execution effectiveness.
[Chart: allocation of internal audit resources across Operational, Financial and Compliance controls; segment values shown are 68%, 13%, 12% and 6%]
However, a significant percentage of internal audit resources are focused on financial controls in most organizations.
[Figure: audit universe prioritization matrix. Programs and initiatives plotted (numbered 1 to 8) include TARP compliance, Customer Service, Off-shored processes, Lean initiative, Alliance development and Capital Management; impact on shareholder value drivers rated Insignificant / Limited / Significant / Major / Critical; process maturity rated Ad-hoc / Repeatable / Defined / Managed / Optimized, with current and Targeted Improvement positions shown]
Audit universe is prioritized based on impact on shareholder value drivers, and the current and targeted maturity of the processes, programs and initiatives.
There is no one-size-fits-all solution, and no two audit departments have identical processes.
The solution should focus on resolving known weaknesses without losing current strengths.
High performing audit departments have approaches to address emerging risks and
driver of a solution
Technology is an enabler, not a solution.
Ultimately, the risk assessment process must align with the company's strategic objectives.
Since there are practical limitations to any approach to assessing risk and developing an audit plan, it is important to establish and prioritize the primary objectives of the process. Some typical objectives include:
Protecting and helping focus resources appropriately (i.e., in areas of high risk)
Empowering auditors with the appropriate flexibility to decide the right product, at the right time
Rationalizing the audit universe while ensuring completeness and consistency
Ensuring convergence: coordinating with other governance and control functions to the extent practical
Creating a responsive, dynamic planning and risk assessment process
Promoting more effective relationship management / regular engagement with the business
Establishing clear linkage among risk assessment, continuous monitoring and the audit plan to ensure appropriate coverage
Increasing efficiency and effectiveness
Satisfying key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable
[Table: comparison of risk assessment approaches by attribute. Columns cover Business Risk Rating, Monitoring Methodology, Audit Universe (Description, Basis), Inherent risk, Residual risk, Purpose, Scoring, Basis of rating, Process, Audit Plan (Frequency, Products) and # Institutions]
* Attributes are mutually exclusive (e.g., a formal scoring model and a judgmental-based rating do not align within the same approach)
on emerging risks
Key Considerations
1. Define Audit Universe
2. Conduct Top-down Analysis
3. Conduct Bottom-up Risk Assessment
4. Develop Audit Plan
5. Audit Level Planning
Considerations shown against these steps:
Aligns to organization, not audits
Uncovers issues impacting shareholder value
Ensures completeness of risk coverage
Links to strategic objectives
Covers legal entities and local jurisdictions
Identifies most critical risks
Leads to targeted audits, horizontal audits and special projects
Based on prioritized audit universe, top-down analysis, and local regulatory requirements
Considers output of risk assessment
Multiple audit products
Coverage will be assessed against a risk priority matrix
Analyzed periodically
Leverages documented business profile and cumulative knowledge
Focuses on risks assessed as high
Level of assurance based on risk category ratings
Objectives
Rationalize universe while
(management, external clients, regulators, E&AC) in a manner that is demonstrable
[Table: risk unit impact ratings for the audit universe. Risk units listed include State Street Management S.A. (Luxembourg), International Fund Services Ireland Limited (Ireland), Securities Finance, Global Human Resources, Global Security and 97 other risk units; each is rated High / Medium / Low / Not Applicable per impact dimension]
1. Gather information: A research template will be used as a tool to gather the required information. The tool will highlight relevant points of information to use during the research process. Information will be collected and retained in a central location.
a. Review External Data: External data points such as SSC's website, company press releases, industry-related management letter comments, and high risk SOX findings will be reviewed to extract significant risk themes.
2. Develop value-driver analysis: Once information has been gathered, the cross-functional team will be able to review relevant information and collectively discuss themes and trends within the organization and industry. This information will be used to complete and update the Value Driver Analysis.
3. Understand and evaluate enterprise risk themes: Meet with key stakeholders to collaboratively discuss key themes and start to form assumptions around the risks associated with the key company initiatives/strategies/etc. Brainstorm potential audit activities considering the risk themes identified and the overall management of risks.
This SAMPLE value driver analysis depicts how a large bank creates value by demonstrating the connection of strategic objectives to underlying activities in cause-and-effect relationships.
1. Assess inherent risk: Each risk unit's potential impact on the corporation will be assessed by considering the risk unit's inherent risk across risk categories
a. Risk categories will be rated relative to each other within that risk unit on a 0-5 scale
b. Risk category ratings will be determined judgmentally by considering (not rating) a series of risk factors for each category
c. Taking into account each risk unit's rated risk categories, the unit's impact to the entire corporation will be assessed considering three dimensions (financial, reputation/brand, regulatory) on a three-point scale (high, medium, low)
2. Assess control environment: Each risk unit's control environment will be assessed by considering the control effectiveness and culture of the risk unit
3.
Guidance
Leverage documented business profile and cumulative knowledge of the risk unit's business
Objectives
Key attributes:
Continuous risk assessment: drives the frequency and focus of audit procedures
Continuous monitoring: can detect control deficiencies
Continuous auditing: involves independent automated testing (e.g., use of CAATs); findings require management response and remediation
Linkage to audit plan - Business/risk monitoring, as required in the audit frequency and intensity matrix, ideally entails a well-developed continuous risk assessment and monitoring process for each risk unit.
Open discussion
Mike Brown
Senior Vice President
Rich Reynolds
Internal Audit Partner
PricewaterhouseCoopers LLP
646-471-8559
richard.reynolds@us.pwc.com