Applying Risk Assessment to Your Audit Plan - Rich Reynolds

Upload: kpmgadel

Post on 02-Jun-2018


TRANSCRIPT

  • 8/10/2019 Applying Risk Assessment to Your Audit Plan - Rich Reynolds

    1/25

    Applying Risk Assessment to Your Audit Plan

    Break-out Session T3, Tuesday, October 26, 2:00-2:50pm

    Mike Brown

    Senior Vice President, Corporate Audit

    State Street Corporation

    Rich Reynolds

    Partner

    PricewaterhouseCoopers

  • 2/25

    Presentation overview

    Transforming your focus on the real risks

    A practical framework for risk assessment

    Open discussion

  • 3/25

    Transforming your focus on the real risks

  • 4/25

    The Credit Crisis has surfaced new challenges for risk management and challenged internal audit to reconsider its role.

    Board oversight. Shareholders are demanding that Boards demonstrably strengthen their oversight of risk management activities.

    No silver bullets in terms of risk management design, methodology or technology. Execution has been the clear differentiator. Timely and effective identification, communication and escalation of issues, combined with clear roles and responsibilities, strong supervisory oversight, and good judgment, have separated the market casualties from the big losers.

    Change management is key to risk management. In general, there has been an over-reliance among all firms on objective factors and historical data points. As a result, many firms were on auto-pilot and did not identify or appropriately react to changes in market conditions, increases in risk appetite and/or aggressive business strategies.

    Operating style and culture are critical to execution effectiveness:

    Accountability: clear roles and responsibilities from top to bottom

    Full transparency: rapid escalation of issues, quick to admit mistakes

    Attention to detail: applies to all levels

    Continuous improvement: emphasis on lessons learned from unexpected events (positive or negative)

    Collegial tension: challenging others is the expected behavior of real partners

    Leaders of support and control functions have equal stature to front office personnel: no overrides

  • 5/25

    Are you focused on the real risks?

    How value is destroyed in companies (reasons for decreases in shareholder value):

    Strategic & Business: 68%

    Operational: 13%

    Financial: 12%

    Compliance: 6%

    However, a significant percentage of internal audit resources are focused on financial controls in most organizations.

    Source: The Future of Internal Audit, Corporate Executive Board, 2010 (see Appendix for breakdown of value decline drivers)

  • 6/25

    Transformed vs. traditional risk assessment approach


  • 7/25

    Strategic Alignment of Internal Audit's Plan

    The underlying logic is that financial performance is a result of delivering an attractive customer value proposition.

    The combination of value-creating activities and core enablers delivers value for customers and shareholders.

    The value driver analysis allows Internal Audit to catalog key value drivers and better link audit activities to shareholder value.

    Focus should be on processes that are critical to shareholder value.

    Internal Audit scope should be directly linked to the organization's strategic themes and critical processes.

    Prioritize Internal Audit resources to audits with potential for greatest impact.

    A value driver analysis can be a holistic way of capturing and understanding company business strategy and shareholder value driving activities.

  • 8/25

    Using a strategy map


  • 9/25

    Audit universe is constructed from these critical processes and programs, and key change initiatives.

    Audit universe is prioritized based on impact on shareholder value drivers, and the current and targeted maturity of the processes, programs and initiatives.

    Processes, Programs and Initiatives (with Targeted Improvement)

    Capital Management

    1. Balance sheet management: Significant

    2. Liquidity risk management and reporting: Limited

    3. Global cash management: Significant

    4. Capital allocation and RAPM: Limited

    5. TARP compliance: Major

    Customer Service

    6. Off-shored processes: Limited

    7. Client relationship management: Significant

    8. Lean initiative: Limited

    Innovation and Branding

    9. Alliance development: Limited

    10. New product development and launch: Limited

    11. Research and Development: Significant

    Corporate and Social Responsibility

    12. CSR reporting: Significant

    13. Labor compliance program: Significant

    14. Social responsibility program: Significant

    15. Diversity program: Significant

    Audit Priority Matrix

    Rows: Impact on Shareholder Value (5 = Critical, 4 = Major, 3 = Moderate, 2 = Low, 1 = Insignificant). Columns: Current Process & Control Maturity (5 = Optimized, 4 = Managed, 3 = Defined, 2 = Repeatable, 1 = Ad-hoc). Cells hold the item numbers above, listed in the order they appear on the slide (higher maturity toward lower maturity); cells are separated by "|".

    5 Critical: 7, 12 | 1

    4 Major: 3 | 11 | 14, 15 | 5

    3 Moderate: 2, 6, 9 | 4, 8 | 13

    2 Low: 10

    1 Insignificant: (none)

  • 10/25

    A practical framework for risk assessment

  • 11/25

    Key Considerations for Designing a Risk Assessment Process

    There is no one-size-fits-all solution and no two audit departments have identical processes.

    Sample leading practice elements include:

    Top-down versus bottom-up approach

    Macro and micro plan

    Continuous risk assessment and dynamic plan

    Tiered audit scoping approach

    The solution should focus on resolving known weaknesses without losing current strengths.

    High performing audit departments have approaches to address emerging risks and incorporate them into their current audit plans.

    Regulatory and other stakeholder expectations must be considered but should not be the sole driver of a solution.

    Technology is an enabler, not a solution.

    Ultimately, the risk assessment process must align with the company's strategic objectives.

  • 12/25

    Establishing the Overall Objectives of the Process

    Since there are practical limitations to any approach to assessing risk and developing an audit plan, it is important to establish and prioritize the primary objectives of the process. Some typical objectives include:

    Protecting and helping focus resources appropriately (i.e., in areas of high risk)

    Empowering auditors with the appropriate flexibility to decide the right product, at the right time

    Rationalizing the audit universe while ensuring completeness and consistency

    Ensuring convergence: coordinate with other governance and control functions to the extent practical

    Creating a responsive, dynamic planning and risk assessment process

    Promoting more effective relationship management / regular engagement with the business

    Establishing clear linkage among risk assessment, continuous monitoring and audit plan to ensure appropriate coverage

    Increasing efficiency and effectiveness

    Satisfying key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

  • 13/25

    Banks differ in their approaches to risk assessment

    Attribute* / Description / # Institutions (10 surveyed)

    Audit Universe

      Basis: Objective view of organization taken from other sources: 6

      Basis: Audit's view of the organization, no formal reconciliation to objective source: 2

      Basis: Audit's view of organization, reconciliation to objective source: 2

      Purpose: Audit entity audit: 6

      Purpose: Basis for risk assessment: 4

    Risk Rating Methodology

      Scoring: Formal scoring model with weighting of risk categories: 3

      Scoring: Judgmental based on risk factor and/or category ratings: 7

      Basis of rating: Inherent risk: 2

      Basis of rating: Residual risk: 8

    Business Monitoring

      Process: Formal (established process and outputs): 5

      Process: Informal (process and outputs are ad-hoc or inconsistent): 3

      Process: No business monitoring process (or very light): 2

    Audit Plan

      Frequency: 4-year risk based cycle: 6

      Frequency: 2-year risk based cycle: 1

      Frequency: Dynamic audit plan: 2

      Frequency: Annual but vary intensity based on risk: 1

      Products: Dedicated portion of plan devoted to non-traditional products: 5

      Products: Limited (or no) portion of plan devoted to non-traditional products: 5

    * Attributes are mutually exclusive (e.g., a formal scoring model and a judgmental-based rating do not align within the same approach)

  • 14/25

    A Sample Risk Assessment Framework

    Key considerations for each step:

    1. Define Audit Universe

    Aligns to organization, not audits

    Ensures completeness of risk coverage

    Covers legal entities and local jurisdictions

    2. Conduct Top-down Analysis

    Uncovers issues impacting shareholder value

    Links to strategic objectives

    Identifies most critical risks

    Leads to targeted audits, horizontal audits and special projects

    3. Conduct Bottom-up Risk Assessment

    Risk unit priority based on inherent risk and control environment ratings

    Ratings based on objective guidance judgmentally applied, not a mathematical model

    Priority drives the frequency and level of intensity

    4. Develop Audit Plan

    Based on prioritized audit universe, top-down analysis, and local regulatory requirements

    Multiple audit products

    Coverage will be assessed against a risk priority matrix

    Analyzed periodically

    5. Audit Level Planning

    Considers output of risk assessment

    Leverages documented business profile and cumulative knowledge

    Focuses on risks assessed as high

    Level of assurance based on risk category ratings

    6. Continuous Risk Assessment and Monitoring

    Encourages changes to plan to focus on emerging risks

    Mandates regular engagement with the business

  • 15/25

    Defining the Audit Universe

    The audit universe will:

    Align to how management views the organization

    Represent a complete and relatively static picture of the company with multiple levels that can be aggregated and drilled down

    Be defined based on Management Committee accountable units to ensure ownership

    Be mapped to other elements (e.g., legal entities, jurisdiction, HR organizational structure) periodically to ensure completeness

    Audit entities (risk units):

    Are defined at a level of granularity at which risk can be effectively identified, rated and monitored

    Do not necessarily map 1:1 to audits

    Objectives:

    Rationalize universe while ensuring completeness and consistency

    Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

  • 16/25

    Addressing Legal and Regulatory Requirements

    Diagram: the audit universe (risk units such as Securities Finance, Global Human Resources and Global Security, plus 97 other risk units) mapped against the legal entities/jurisdictions requiring an independent universe/risk assessment (Global Markets International Limited (England), State Street Management S.A. (Luxembourg), International Fund Services Ireland Limited (Ireland)). Each cell carries a risk unit impact rating for that entity: High, Medium, Low, or Not Applicable.

  • 17/25

    Conducting a Top-Down Analysis

    Steps: Perform Company Analysis; Develop Value Driver Analysis; Evaluate Enterprise Risk Themes

    1. Gather information: A research template will be used as a tool to gather the required information. The tool will highlight relevant points of information to use during the research process. Information will be collected and retained in a central location.

    a. Review external data: External data points such as SSC's website, company press releases, industry-related articles, and reports will be utilized.

    b. Review internal data: Strategic plan, ERM output, compliance and regulatory reports, external auditor management letter comments, and high risk SOX findings will be reviewed to extract significant risk themes.

    2. Develop value-driver analysis: Once information has been gathered, the cross-functional team will be able to review relevant information and collectively discuss themes and trends within the organization and industry. This information will be used to complete and update the Value Driver Analysis.

    3. Understand and evaluate enterprise risk themes: Meet with key stakeholders to collaboratively discuss key themes and start to form assumptions around the risks associated with the key company initiatives/strategies/etc. Brainstorm potential audit activities considering the risk themes identified and the overall management of risks.

  • 18/25

    Sample Value Driver Analysis

    This SAMPLE value driver analysis depicts how a large bank creates value by demonstrating the connection of strategic objectives to underlying activities in cause-and-effect relationships.

  • 19/25

    Evaluating Risk Unit Priority

    Steps: Assess Inherent Risk; Assess Control Environment; Determine Risk Unit Priority

    1. Assess inherent risk: Each risk unit's potential impact on the corporation will be assessed by considering the risk unit's inherent risk across risk categories.

    a. Risk categories will be rated relative to each other within that risk unit on a 0-5 scale.

    b. Risk category ratings will be determined judgmentally by considering (not rating) a series of risk factors for each category.

    c. Taking into account each risk unit's rated risk categories, the unit's impact to the entire corporation will be assessed considering three dimensions (financial, reputation/brand, regulatory) on a three-point scale (high, medium, low).

    2. Assess control environment: Each risk unit's control environment will be assessed by considering the control effectiveness and culture of the risk unit.

    a. Taking into account each risk unit's control effectiveness and culture, the unit's control environment will be assessed on a three-point scale (light, sound, robust).

    3. Determine risk unit priority: Risk unit priority will be derived from a matrix of inherent risk and control environment.
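Slides 9 and 19 describe the same mechanism from two angles: a risk unit is placed in a matrix (impact against maturity on slide 9, inherent risk against control environment on slide 19), the cell gives its priority, and priority drives audit frequency (slide 14) and the coverage check of the plan against the universe (slides 14 and 15). The Python block below is an added illustration of that mechanism end to end; it is not code from the presenters, State Street or PwC. The deck gives only the scales, so the matrix cell values, the cycle length per priority, and the sample risk units with their ratings and last-audit years are assumptions constructed for the example.

```python
# Added example (not from the deck): risk-unit prioritization with an
# impact x control-environment matrix, the audit cycle that priority drives,
# and a coverage check of the resulting plan against the audit universe.
# The matrix cell values, cycle lengths and sample units are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IMPACT_LEVELS = ("low", "medium", "high")      # slide 19, step 1c: three-point scale
CONTROL_LEVELS = ("light", "sound", "robust")  # slide 19, step 2a: three-point scale

# Assumed priority matrix: 1 = highest priority, 4 = lowest.
# Row = inherent-risk impact, column = control environment.
PRIORITY_MATRIX: Dict[str, Dict[str, int]] = {
    "high":   {"light": 1, "sound": 1, "robust": 2},
    "medium": {"light": 1, "sound": 2, "robust": 3},
    "low":    {"light": 2, "sound": 3, "robust": 4},
}

# Assumed audit frequency: years between audits for each priority
# (slide 14: "priority drives the frequency and level of intensity").
CYCLE_YEARS: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 4}


@dataclass(frozen=True)
class RiskUnit:
    name: str
    impact: str                       # judgmental rating: low / medium / high
    control_environment: str          # judgmental rating: light / sound / robust
    category_ratings: Dict[str, int]  # risk category -> 0..5, relative within the unit
    last_audit_year: Optional[int]    # None if the unit has never been audited


def validation_errors(unit: RiskUnit) -> List[str]:
    """Return the problems with a unit's ratings (empty list when it is valid)."""
    problems: List[str] = []
    if unit.impact not in IMPACT_LEVELS:
        problems.append(f"{unit.name}: impact {unit.impact!r} not in {IMPACT_LEVELS}")
    if unit.control_environment not in CONTROL_LEVELS:
        problems.append(f"{unit.name}: control environment "
                        f"{unit.control_environment!r} not in {CONTROL_LEVELS}")
    for category, rating in unit.category_ratings.items():
        if not isinstance(rating, int) or not 0 <= rating <= 5:
            problems.append(f"{unit.name}: category {category!r} rating {rating!r} outside 0-5")
    return problems


def priority(unit: RiskUnit) -> int:
    """Matrix lookup of risk-unit priority (slide 19, step 3); rejects bad ratings."""
    problems = validation_errors(unit)
    if problems:
        raise ValueError("; ".join(problems))
    return PRIORITY_MATRIX[unit.impact][unit.control_environment]


def is_overdue(unit: RiskUnit, current_year: int) -> bool:
    """Due when the assumed cycle for the unit's priority has elapsed, or it was never audited."""
    if unit.last_audit_year is None:
        return True
    return current_year - unit.last_audit_year >= CYCLE_YEARS[priority(unit)]


def build_plan(universe: List[RiskUnit], current_year: int) -> List[Dict[str, object]]:
    """Rank the universe: highest priority first, overdue units before current ones."""
    rows: List[Dict[str, object]] = [
        {
            "unit": u.name,
            "priority": priority(u),
            "cycle_years": CYCLE_YEARS[priority(u)],
            "overdue": is_overdue(u, current_year),
        }
        for u in universe
    ]
    rows.sort(key=lambda r: (r["priority"], not r["overdue"], r["unit"]))
    return rows


def units_due(plan: List[Dict[str, object]]) -> List[str]:
    """Names of the units the plan must cover this year."""
    return [str(r["unit"]) for r in plan if r["overdue"]]


def coverage_gaps(universe: List[RiskUnit], planned: Set[str]) -> List[str]:
    """Completeness check (slides 14 and 15): universe units the plan does not cover."""
    return sorted(u.name for u in universe if u.name not in planned)


# Constructed sample universe: names borrowed from the slide-9 list, ratings invented.
SAMPLE_UNIVERSE = [
    RiskUnit("Liquidity risk management and reporting", "high", "light",
             {"market": 5, "credit": 3, "operational": 2}, None),
    RiskUnit("Global cash management", "medium", "sound",
             {"market": 2, "credit": 2, "operational": 4}, 2008),
    RiskUnit("Off-shored processes", "medium", "robust",
             {"operational": 4, "compliance": 3}, 2009),
    RiskUnit("Diversity program", "low", "robust",
             {"compliance": 2, "reputation": 3}, 2009),
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_UNIVERSE, current_year=2010)
    for row in plan:
        flag = "DUE" if row["overdue"] else "ok "
        print(f"P{row['priority']} every {row['cycle_years']}y {flag} {row['unit']}")
    print("gaps:", coverage_gaps(SAMPLE_UNIVERSE, set(units_due(plan))))
```

Two design choices follow the deck rather than a scoring model: the impact and control-environment ratings are inputs entered judgmentally, not computed from the 0-5 category ratings, which are only validated (slide 14: ratings are "objective guidance judgmentally applied, not a mathematical model"); and a unit that has never been audited is always due, so a risk unit newly added to the universe cannot silently sit outside the plan.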

  • 20/25

    Developing the Audit Plan

  • 21/25

    Audit Level Planning

    Audit planning and scoping will:

    Consider output of risk assessment as outlined in SSCA's Audit Methodology and Guidance

    Leverage documented business profile and cumulative knowledge of risk units' business strategies, objectives, and risks

    Focus on risks assessed as high per applicable risk unit

    Involve application of the three levels of assurance (testing, assessment, validation) based on risk category ratings

    Objectives:

    Create a responsive, dynamic planning and risk assessment process

    Establish clear linkage among risk assessment, continuous monitoring and audit plan to ensure appropriate coverage

    Empower auditors with the appropriate flexibility to decide the right product, at the right time

    Satisfy key parties (management, external clients, regulators, E&AC) in a manner that is demonstrable

  • 22/25

    Continuous Risk Assessment and Monitoring

    Key attributes:

    Frequency and focus of all three processes will be based on the priority and risks identified for each risk unit.

    Formal process for elevating and reporting output from all three processes.

    Benefits/Attributes

    Continuous auditing

    Can detect control deficiencies

    Can trigger and/or direct additional audit procedures

    Involves independent automated testing (e.g., use of CAATs)

    Findings require management response and remediation

    Continuous monitoring

    Involves monitoring of KRIs and KPIs

    Provides insights into current performance, changes, emerging risks, etc.

    Can trigger changes to risk assessment and/or an audit

    Continuous risk assessment

    Periodic update of bottom-up and top-down risk assessment

    Provides early warning of high risk activities

    Can trigger changes to risk assessment and/or audit plan

    Linkage to audit plan: Business/risk monitoring as required in the audit frequency and intensity matrix ideally entails a well-developed continuous risk assessment and monitoring process for each risk unit.

  • 23/25

    Open discussion

  • 24/25

    For more information contact

    Mike Brown

    Senior Vice President

    State Street Corporation

    617-662-4626

    [email protected]

    Rich Reynolds

    Internal Audit Partner

    PricewaterhouseCoopers LLP

    646-471-8559

    [email protected]
