Applying Risk Assessment to Your Audit Plan - Rich Reynolds
TRANSCRIPT

8/10/2019 Applying Risk Assessment to Your Audit Plan - Rich Reynolds

Applying Risk Assessment to Your Audit Plan
Break-out Session T3, Tuesday, October 26, 2:00-2:50pm
Mike Brown
Senior Vice President, Corporate Audit
State Street Corporation
Rich Reynolds
Partner
PricewaterhouseCoopers
Presentation overview
Transforming your focus on the real risks
A practical framework for risk assessment
Open discussion
Transforming your focus on the real risks
The Credit Crisis has surfaced new challenges for risk management and challenged internal audit to reconsider its role.

Board oversight. Shareholders are demanding that Boards demonstrably strengthen their oversight of risk management activities.

No Silver Bullets in terms of risk management design, methodology or technology. Execution has been the clear differentiator. Timely and effective identification, communication and escalation of issues, combined with clear roles and responsibilities, strong supervisory oversight, and good judgment, have separated the market casualties from the big losers.

Change management is key to risk management. In general, there has been an over-reliance among all firms on objective factors and historical data points. As a result, many firms were on auto-pilot and did not identify or appropriately react to changes in market conditions, increases in risk appetite and/or aggressive business strategies.

Operating style and culture are critical to execution effectiveness.
- Accountability: clear roles and responsibilities from top to bottom
- Full transparency: rapid escalation of issues, quick to admit mistakes
- Attention to detail: applies to all levels
- Continuous improvement: emphasis on lessons learned from unexpected events (positive or negative)
- Collegial tension: challenging others is the expected behavior of real partners
- Leaders of support and control functions have equal stature to front office personnel: no overrides
Are you focused on the real risks?
How value is destroyed in companies: reasons for decreases in shareholder value
- Strategic & Business: 68%
- Operational: 13%
- Financial: 12%
- Compliance: 6%
However, a significant percentage of internal audit resources are focused on financial controls in most organizations.
Source: The Future of Internal Audit, Corporate Executive Board, 2010 (see Appendix for breakdown of value decline drivers)
Transformed vs. traditional risk assessment approach
Strategic Alignment of Internal Audit's Plan
The underlying logic is that financial performance is a result of delivering an attractive customer value proposition. The combination of value-creating activities and core enablers delivers value for customers and shareholders. The value driver analysis allows Internal Audit to catalog key value drivers and better link audit activities to shareholder value.
- Focus should be on processes that are critical to shareholder value
- Internal Audit scope should be directly linked to the organization's strategic themes and critical processes
- Prioritize Internal Audit resources to audits with potential for greatest impact
A value driver analysis can be a holistic way of capturing and understanding company business strategy and the activities that drive shareholder value.
Using a strategy map
The audit universe is constructed from these critical processes and programs, and key change initiatives. The audit universe is prioritized based on impact on shareholder value drivers, and the current and targeted maturity of the processes, programs and initiatives.

Processes, Programs and Initiatives (with Targeted Improvement)
Capital Management
1. Balance sheet management: Significant
2. Liquidity risk management and reporting: Limited
3. Global cash management: Significant
4. Capital allocation and RAPM: Limited
5. TARP compliance: Major
Customer Service
6. Off-shored processes: Limited
7. Client relationship management: Significant
8. Lean initiative: Limited
Innovation and Branding
9. Alliance development: Limited
10. New product development and launch: Limited
11. Research and Development: Significant
Corporate and Social Responsibility
12. CSR reporting: Significant
13. Labor compliance program: Significant
14. Social responsibility program: Significant
15. Diversity program: Significant

Audit Priority Matrix
Rows: Impact on Shareholder Value (5 = Critical, 4 = Major, 3 = Moderate, 2 = Low, 1 = Insignificant).
Columns: Current Process & Control Maturity (5 = Optimized, 4 = Managed, 3 = Defined, 2 = Repeatable, 1 = Ad-hoc).
Items plotted per row, as extracted (column positions not preserved in this transcript):
Impact 5: 7, 12 | 1
Impact 4: 3 | 11 | 14, 15 | 5
Impact 3: 2, 6, 9 | 4, 8 | 13
Impact 2: 10
Impact 1: (none)
A practical framework for risk assessment
Key Considerations for Designing a Risk Assessment Process
There is no one-size-fits-all solution, and no two audit departments have identical processes.
Sample leading practice elements include:
- Top-down versus bottom-up approach
- Macro and micro plan
- Continuous risk assessment and dynamic plan
- Tiered audit scoping approach
The solution should focus on resolving known weaknesses without losing current strengths.
High-performing audit departments have approaches to address emerging risks and incorporate them into their current audit plans.
Regulatory and other stakeholder expectations must be considered but should not be the sole driver of a solution.
Technology is an enabler, not a solution.
Ultimately, the risk assessment process must align with the company's strategic objectives.
Establishing the Overall Objectives of the Process
Since there are practical limitations to any approach to assessing risk and developing an audit plan, it is important to establish and prioritize the primary objectives of the process. Some typical objectives include:
- Protecting resources and helping to focus them appropriately (i.e., in areas of high risk)
- Empowering auditors with the appropriate flexibility to decide the right product, at the right time
- Rationalizing the audit universe while ensuring completeness and consistency
- Ensuring convergence: coordinate with other governance and control functions to the extent practical
- Creating a responsive, dynamic planning and risk assessment process
- Promoting more effective relationship management / regular engagement with the business
- Establishing clear linkage among risk assessment, continuous monitoring and the audit plan to ensure appropriate coverage
- Increasing efficiency and effectiveness
- Satisfying key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable
Banks differ in their approaches to risk assessment

Attribute* / Description / # Institutions

Audit Universe
  Basis
    Objective view of organization taken from other sources: 6
    Audit's view of the organization, no formal reconciliation to objective source: 2
    Audit's view of organization, reconciliation to objective source: 2
  Purpose
    Audit entity audit: 6
    Basis for risk assessment: 4

Risk Rating
  Methodology / Scoring
    Formal scoring model with weighting of risk categories: 3
    Judgmental, based on risk factor and/or category ratings: 7
  Basis of rating
    Inherent risk: 2
    Residual risk: 8

Business Monitoring
  Process
    Formal (established process and outputs): 5
    Informal (process and outputs are ad-hoc or inconsistent): 3
    No business monitoring process (or very light): 2

Audit Plan
  Frequency
    4-year risk-based cycle: 6
    2-year risk-based cycle: 1
    Dynamic audit plan: 2
    Annual, but vary intensity based on risk: 1
  Products
    Dedicated portion of plan devoted to non-traditional products: 5
    Limited (or no) portion of plan devoted to non-traditional products: 5

* Attributes are mutually exclusive (e.g., a formal scoring model and a judgmental basis do not align within the same approach)
A Sample Risk Assessment Framework

Steps and key considerations:

1. Define Audit Universe
   - Aligns to the organization, not to audits
   - Ensures completeness of risk coverage
   - Covers legal entities and local jurisdictions

2. Conduct Top-down Analysis
   - Uncovers issues impacting shareholder value
   - Links to strategic objectives
   - Identifies most critical risks
   - Leads to targeted audits, horizontal audits and special projects

3. Conduct Bottom-up Risk Assessment
   - Risk unit priority based on inherent risk and control environment ratings
   - Ratings based on objective guidance judgmentally applied, not a mathematical model
   - Priority drives the frequency and level of intensity

4. Develop Audit Plan
   - Based on prioritized audit universe, top-down analysis, and local regulatory requirements
   - Multiple audit products
   - Coverage will be assessed against a risk priority matrix
   - Analyzed periodically

5. Audit Level Planning
   - Considers output of risk assessment
   - Leverages documented business profile and cumulative knowledge
   - Focuses on risks assessed as high
   - Level of assurance based on risk category ratings

6. Continuous Risk Assessment and Monitoring
   - Encourages changes to plan to focus on emerging risks
   - Mandates regular engagement with the business
Defining the Audit Universe
The audit universe will:
- Align to how management views the organization
- Represent a complete and relatively static picture of the company, with multiple levels that can be aggregated and drilled down
- Be defined based on Management Committee accountable units to ensure ownership
- Be mapped to other elements (e.g., legal entities, jurisdiction, HR organizational structure) periodically to ensure completeness
Audit entities (risk units):
- Are defined at a level of granularity at which risk can be effectively identified, rated and monitored
- Do not necessarily map 1:1 to audits
Objectives
- Rationalize the universe while ensuring completeness and consistency
- Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable
Addressing Legal and Regulatory Requirements
Audit Universe: legal entities/jurisdictions requiring an independent universe/risk assessment.
Figure (slide content): risk units shown include Securities Finance, Global Human Resources, Global Markets, Global Security, and 97 other risk units; legal entities shown include International Limited (England) (entity name partly cut off in the transcript), State Street Management S.A. (Luxembourg), and International Fund Services Ireland Limited (Ireland). Each risk unit carries an impact rating (values shown: Medium, Medium High, Medium Low, Low, High) or Not Applicable per legal entity; the cell-by-cell mapping is not preserved in this transcript.
Conducting a Top-Down Analysis
Perform Company Analysis, Develop Value Driver Analysis, Evaluate Enterprise Risk Themes

1. Gather information: A research template will be used as a tool to gather the required information. The tool will highlight relevant points of information to use during the research process. Information will be collected and retained in a central location.
   a. Review external data: External data points such as SSC's website, company press releases, industry-related articles, and reports will be utilized.
   b. Review internal data: The strategic plan, ERM output, compliance and regulatory reports, external auditor management letter comments, and high-risk SOX findings will be reviewed to extract significant risk themes.
2. Develop value-driver analysis: Once information has been gathered, the cross-functional team will be able to review relevant information and collectively discuss themes and trends within the organization and industry. This information will be used to complete and update the Value Driver Analysis.
3. Understand and evaluate enterprise risk themes: Meet with key stakeholders to collaboratively discuss key themes and start to form assumptions around the risks associated with the key company initiatives, strategies, etc. Brainstorm potential audit activities considering the risk themes identified and the overall management of risks.
Sample Value Driver Analysis
This SAMPLE value driver analysis depicts how a large bank creates value by demonstrating the connection of strategic objectives to underlying activities in cause-and-effect relationships.
Evaluating Risk Unit Priority
Assess Inherent Risk, Assess Control Environment, Determine Risk Unit Priority

1. Assess inherent risk: Each risk unit's potential impact on the corporation will be assessed by considering the risk unit's inherent risk across risk categories.
   a. Risk categories will be rated relative to each other within that risk unit on a 0-5 scale.
   b. Risk category ratings will be determined judgmentally by considering (not rating) a series of risk factors for each category.
   c. Taking into account each risk unit's rated risk categories, the unit's impact on the entire corporation will be assessed considering three dimensions (financial, reputation/brand, regulatory) on a three-point scale (high, medium, low).
2. Assess control environment: Each risk unit's control environment will be assessed by considering the control effectiveness and culture of the risk unit.
   a. Taking into account each risk unit's control effectiveness and culture, the unit's control environment will be assessed on a three-point scale (light, sound, robust).
3. Determine risk unit priority: Risk unit priority will be derived from a matrix of inherent risk and control environment.
Developing the Audit Plan
Audit Level Planning
Audit planning and scoping will:
- Consider the output of the risk assessment as outlined in SSCA's Audit Methodology and Guidance
- Leverage the documented business profile and cumulative knowledge of the risk unit's business strategies, objectives, and risks
- Focus on risks assessed as high for the applicable risk unit
- Involve application of the three levels of assurance (testing, assessment, validation) based on risk category ratings
Objectives
- Create a responsive, dynamic planning and risk assessment process
- Establish clear linkage among risk assessment, continuous monitoring and the audit plan to ensure appropriate coverage
- Empower auditors with the appropriate flexibility to decide the right product, at the right time
- Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable
Continuous Risk Assessment and Monitoring

Key attributes:
- Frequency and focus of all three processes will be based on the priority and risks identified for each risk unit.
- Formal process for elevating and reporting output from all three processes.

Process / Benefits and Attributes

Continuous auditing
- Can detect control deficiencies
- Can trigger and/or direct additional audit procedures
- Involves independent automated testing (e.g., use of CAATs)
- Findings require management response and remediation

Continuous monitoring
- Involves monitoring of KRIs and KPIs
- Provides insights into current performance, changes, emerging risks, etc.
- Can trigger changes to the risk assessment and/or an audit

Continuous risk assessment
- Periodic update of bottom-up and top-down risk assessment
- Provides early warning of high-risk activities
- Can trigger changes to the risk assessment and/or the audit plan

Linkage to audit plan: business/risk monitoring, as required in the audit frequency and intensity matrix, ideally entails a well-developed continuous risk assessment and monitoring process for each risk unit.
Open discussion
For more information contact
Mike Brown
Senior Vice President
State Street Corporation
617-662-4626
Rich Reynolds
Internal Audit Partner
PricewaterhouseCoopers LLP
646-471-8559