Public Information
“A Process and Not An Event”
Continuous Monitoring
Jeff Rowland, VP IT/Security Audit Services
Pauline Saunders, VP Bank Audit Services
October 28, 2019
Audit Services
Agenda
USAA – Who We Are
Continuous Monitoring – Defined
  What is the Difference Between Continuous Monitoring and Continuous Auditing?
  Do You Really Need Continuous Monitoring?
Continuous Monitoring – Our Journey
  A Walk-through of Our Journey
  Definitions
  Program Design, Development, and Deployment
Discussion
  What Worked?
  What Did NOT Work?
  Resources Required
  Lessons Learned / Key Success Factors
Q&A Session
USAA – Who We Are (As of Oct. 2014)
Our Mission
The mission of the association is to facilitate the financial security of its members, associates, and their families through provision of a full range of highly competitive financial products and services; in so doing, USAA seeks to be the provider of choice for the military community.
Our Core Values
Service, Loyalty, Honesty, Integrity
Our Brand Pillars
Passionate Member Advocacy
Financial Strength & Wisdom
Shared Military Values
Our Brand Promise
GOING ABOVE FOR THOSE WHO HAVE GONE BEYOND
USAA – Who We Are (As of 2018)
Bank
Investments Advice
Insurance
USAA’s financial strength allowed us to pay out over $2 BILLION in disaster-related claims – while still returning $1.8 BILLION to our members in distributions, dividends, bank rebates and rewards – and standing strong at over $31 BILLION in Net Worth.
USAA – Our Primary Regulators
Banking / Investments / Insurance
Federal Reserve
OCC: Office of the Comptroller of the Currency
CFPB: Consumer Financial Protection Bureau
FDIC: Federal Deposit Insurance Corporation
SEC: U.S. Securities and Exchange Commission
FINRA: Financial Industry Regulatory Authority
TDI: Texas Department of Insurance + U.S. States and Territories Departments of Insurance
USDT: U.S. Department of the Treasury
PRA: Bank of England Prudential Regulation Authority
FCA: Financial Conduct Authority
Continuous Monitoring – Defined
Per the Institute of Internal Auditors (IIA) – GTAG 3
Continuous Monitoring: A management process that monitors on an ongoing basis whether internal controls are operating effectively (PA 2320-4: Continuous Assurance).
vs.
Continuous Auditing: The combination of technology enabled ongoing risk and control assessments. Continuous auditing is designed to enable the internal auditor to report on subject matter within a much shorter timeframe than under the traditional retrospective approach.
3 Primary Differences
1. Who 'owns' the activity? Auditing is an independent function – meaning “management” does not oversee it. The auditor reports to the company board of directors to help identify opportunities for improvement. Continuous monitoring, however, is managed by the company or organization. Managers are responsible for implementing the monitoring process, ensuring it provides the information they expect, and using it to address inefficiencies and weaknesses in whatever process is being monitored. Ownership is the first important difference between continuous auditing and continuous monitoring.
2. The 'continuous' nature of these functions. Continuous auditing is really just auditing, but on a more frequent, regular basis than the standard auditing engagement. Continuous auditing is often made possible by technology that can collect and analyze data quickly. The auditor simply has to assess the data and reporting and perform whatever tests are part of the audit program. Continuous monitoring, however, is more direct and immediate - often generating reports every day, hour, or even minute. Management looks at this data to ensure whatever metric they are looking at stays within the tolerable range, and if it does not, that it is appropriately managed.
3. What happens when anomalies or exceptions are identified in the data. If an exception or an anomaly is seen in continuous monitoring, management needs to address the problem. The existence of an exception or anomaly is, itself, an issue that needs to be resolved. But, with continuous auditing, the auditor still uses their professional judgment to decide if an exception is something that needs to be looked at in more detail.
Continuous Monitoring Vs. Continuous Auditing
Continuous Monitoring – Do I Really Need It?
YES!
But Why?
Continuous Monitoring – A Walk-through of Our Journey
USAA Audit Services Definition
Continuous monitoring is the process of gathering and aggregating information to evaluate changing risk and control profiles and determine the resulting impact on audit risk assessments and coverage.
Continuous Monitoring – Selling the Benefits
Continuous Monitoring – Creating the Framework
Continuous Monitoring – Sources of Information
Continuous Monitoring – Reporting
[Diagram: reporting hierarchy]
CAE
  Audit Team 1: Biz Unit / Process 1, 2, 3
  Audit Team 2: Biz Unit / Process 4, 5, 6, 7
  Audit Team 3: Biz Unit / Process 8, 9, 10
Reporting levels: Repository Documentation, Team Reports, Department Report
Continuous Monitoring Team Reports
  Team-level summary of continuous monitoring activities documented in the centralized repository
  Executive-owned deliverable – created quarterly through collaboration with senior internal audit managers
Continuous Monitoring Department Report
  Department-level aggregation of continuous monitoring team reports.
  Created by internal audit technology support team – delivered quarterly to the senior audit leadership team
  Report also includes:
    Dashboards of risk profile changes, audit plan additions and subtractions, etc.
    Key insights from continuous analytics performed in the most recent quarter
    Regulatory and first, second, and third line issue trends
Subject to your company-specific standards / audit issue requirements.
Our issue definition: An "issue" exists when the risk(s) associated with the condition or event has materialized or has the potential of materializing and there is either an absence of a control or a design or operating deficiency in the control structure to mitigate the associated risk(s).
Reported and distributed as a continuous monitoring issue (follow the requirements outlined in accordance with your company-specific standards for an audit issue)
Entered into issue tracking tool, subject to follow-up and closure
Continuous Monitoring – What Do We Do With The Issues We Identify?
Continuous Monitoring – What Kind of Resources are Needed?
5%-10% Of Audit Plan Hours
Resource allocation is initially assessed during the annual planning exercise and monitored through monthly ‘manage the plan’ meetings. For 2019, our initial allocation was 5% of audit plan hours to be dedicated to Continuous Monitoring activities; however, our experience rate was closer to 8%, which is what is needed to adequately cover requirements.
Continuous Monitoring – Lessons Learned / Key Success Factors
Be clear on defining what constitutes continuous monitoring
  Recent question: Do my interviews with our Audit clients for Annual Universe Planning get categorized as Continuous Monitoring or Annual Planning?
Track your time
  If you cannot demonstrate a “return on investment”, support for the function will diminish.
Document, Document, Document
  The ability to do trending analysis is only as good as the documentation created, so having good disciplines, supported by metrics and routines, is key.
You DO need a tool
  There are a number of data capture tools available. We use a popular cloud-based solution that is widely used for our specialized needs. The data is exported into a data visualization tool for analysis. Not having this approach will hinder your ability to be successful.
Jeff Rowland, Vice President, USAA IT / Security Audit Services
jeff.rowland@usaa.com
Pauline Saunders, Vice President, USAA Bank Audit Services
pauline.saunders@usaa.com
Questions?