Internal Audit of Banks
Date: April 2007 Produced by: Hans-Joerg Turtschi, Internal Audit Credit Suisse Group
Objectives of the workshop
– Stress the importance of Internal Audit as part of the Corporate Governance Framework in a bank
– Present the role of the bank's governing bodies regarding Internal Audit
– Detail the mission and responsibilities of Internal Audit
– Expand practical skills by discussing case studies and considering international best practice
– Provide guidance for conducting a self-assessment of the effectiveness of your Internal Audit department
Produced by: Hans-Joerg Turtschi Date: April 2007 Slide 2
Speaker
Hans-Joerg Turtschi, Deputy Head Internal Audit, Credit Suisse Group
Certified Public Accountant, Managing Director
25 years of Internal Audit experience in the Banking and Insurance industry
Content
1. Introduction
2. Corporate Governance
3. Internal Control Environment
4. Organization
5. Human Resources
6. Working Practices
7. Communication and Reporting
8. Performance Metrics and Knowledge Management
9. Wrap-up
1. Introduction
– Warm-up
– What is Internal Audit
– Squaring the Circle
– Fundamentals
What is Internal Audit?
What is Internal Audit   | What is Internal Audit NOT
Preventive doctor        | Police
Partner                  | Enemy
Facilitator              | Executer
Part of the Company      | Alien
Common Sense             | Wise Cookie
Solution Oriented        | Problem Oriented
Helicopter View          | Tick Marker
Client Focused           | Technocrat
Thoughtful               | Choleric
Consistent               | Stubborn
Independent              | Opportunistic
Squaring the Circle (1/2)
[Diagram: the Mandate of Internal Audit sits between its Key Stakeholders, the Regulator on one side and the Auditee on the other, each with different expectations: Assurance, Advisory, Fire Brigade, Reliability, Quality/Best Practice, Effectiveness, Cost / Resources / Time, Strategic Partnership, No Breaches of Laws and Regulations.]
Squaring the Circle (2/2)
The ongoing challenge for Internal Audit is to keep the right balance between:
– Consistently ensuring quality in line with peers and best industry practices;
– Providing audit services efficiently and on time;
– Meeting regulatory requirements and stakeholders' expectations.
Evaluate on a regular basis the sustained impact of evolving regulatory trends and industry practices on the role of Internal Audit, its audit approach and its methods and tools.
Fundamentals
Basel Committee on Banking Supervision (BCBS)
– Core Principles for Effective Banking Supervision
– Framework for Internal Control Systems
National Bank of Ukraine (NBU)
– The Law of Ukraine on Banks and Banking
The Institute of Internal Auditors (IIA)
– Standards and Practices
COSO – The Committee of Sponsoring Organizations of the Treadway Commission
– Enterprise Risk Management Framework
2. Corporate Governance
– Corporate Governance Model
– Expectations
– Corporate Governance – Roles and Responsibilities
– Challenges for Individuals
Corporate Governance Model (an example)
[Diagram: Regulators and Shareholders frame the model. The Supervisory Board and its Board Committees oversee the Management Board, below which the Corporation comprises Business Line Managers, Employees and Supporting Functions (Controlling, Accounting, Risk Management, Compliance). Internal Audit and External Audit are shown outside the management line as independent functions.]
Expectations (1/2)
Key Internal Stakeholders
Key internal stakeholders (Audit Committee, Chairman, CEO) expect Internal Audit to:
– Be a strategic partner to them and be flexible in risk orientation to deal with emerging trends;
– Support them in building trust in the market and within the Firm;
– Provide assurance regarding the adequacy and functioning of internal controls, risk management processes and corporate governance procedures in an effective and timely manner;
– Support the business in advancing the overall control environment and in determining appropriate measures to remedy deficiencies identified;
– Provide audit coverage in line with peers.
Expectations (2/2)
Key External Stakeholders
Key external stakeholders (the main regulator and the local sub-regulators, External Audit) also expect Internal Audit to:
– Provide assurance regarding compliance with regulatory requirements;
– Develop and maintain best practice audit procedures.
Corporate Governance – Roles and Responsibilities (1/14)
– Regulator
– Shareholders
– Supervisory Board
– Supervisory Board Committees
– Executive Board
– Risk Management
– Compliance
– Internal Audit
– External Audit
– Other Stakeholders
Corporate Governance – Roles and Responsibilities (2/14)
Regulator
– Oversee quality at entry (licensing, capital requirements, capital adequacy rules)
– Establish standards regarding shareholders, SB and MB members
– Provide guidelines on specific topics (risk management, internal audit) and related policies
– Establish public information disclosure requirements
Corporate Governance – Roles and Responsibilities (3/14)
Shareholders
Play the key role in promoting good corporate governance by selecting experienced and qualified Supervisory Board members to be the “right policy makers” and to ensure proper conduct of business
Corporate Governance – Roles and Responsibilities (4/14)
Supervisory Board
– Accountable to shareholders and depositors for safeguarding their interests
– Select the right management team
– Set tone and direction: oversee and support management efforts, ensure adequate controls and systems are in place
– Ensure adequate evaluation and remuneration of the ExB
– Critically appraise and ultimately approve the strategic plan; delegate to management the authority to implement strategies
– Specify content and frequency of reporting
Corporate Governance – Roles and Responsibilities (5/14)
Supervisory Board Committees
– Audit Committee
– Risk Committee (can be combined with the Audit Committee)
– Nomination Committee
– Remuneration Committee
– Corporate Governance Committee
Committees should be chaired by independent SB members.
Corporate Governance – Roles and Responsibilities (6/14)
Supervisory Board Committees – Audit and Risk Management Committee
Members of the Audit and Risk Management Committee should be qualified, independent, objective and involved.
– Monitoring and assessing the integrity of the financial statements as well as disclosures of the financial condition, results of operations and cash flows of the Group;
– Monitoring processes designed to ensure the Group's compliance with legal and regulatory requirements;
– Monitoring the qualifications, independence and performance of the external auditors and of Internal Audit; and
– Monitoring the adequacy of financial reporting processes and systems of internal accounting and financial controls.
Corporate Governance – Roles and Responsibilities (7/14)
Supervisory Board Committees – Audit and Risk Management Committee
– Review and assess the integrity and adequacy of the risk management function;
– Review and assess the adequacy of liquidity and funding;
– Review and assess the credit risk, including any large exposures;
– Review the adequacy of capital (economic, regulatory, and rating agency) and its allocation to the businesses;
– Review and assess the Firm's operational risk;
– Review and assess the adequacy of the risk measurement methodologies;
– Review and assess various internal limits such as market risk, country risk and other major risk concentrations, and make specific recommendations;
– Review periodically the policy regarding corporate responsibility and sustainable development; and
– Report committee activities to the SB when, and with such recommendations as, deemed appropriate or required.
Corporate Governance – Roles and Responsibilities (8/14)
Executive Board
– Accountable to the SB
– Meets Fit and Proper criteria
– Regularly and thoroughly assessed and evaluated
– Responsible for implementing the Firm's strategy
– Runs day-to-day operations in compliance with laws and regulations, the SB's policies and internal by-laws
– Provides the SB with the information needed to fulfil its responsibilities
Corporate Governance – Roles and Responsibilities (9/14)
Executive Board
– Establish sound systems of internal controls and risk management
– Appoint middle management and award competitive performance incentives
– Establish personnel management procedures and staff training
– Establish an adequate management information system that reflects business risks
Corporate Governance – Roles and Responsibilities (10/14)
Risk Management
– Establish a centralized Risk Management Department to be chaired by the Chief Risk Officer
– Credit Committee and Asset/Liability Management Committee to be chaired by different individuals
– Establish a counterparty limit system for corporate borrowers and introduce group ceilings
– Establish a clear policy and procedures for investing in securities
– Include in the Bank's credit analysis process a set of criteria for assessing the corporate governance practices of borrowers
Corporate Governance – Roles and Responsibilities (11/14)
Compliance
– Provide assistance to Management with respect to compliance risks
– Provide advice, guidance and training to the staff concerned
– Identify, prioritise, manage and monitor the corresponding risks
– Establish Compliance monitoring programs and reporting
Corporate Governance – Roles and Responsibilities (12/14)
Internal Audit
– Test and report on the proper performance of control systems and risk management processes
– Monitor the bank's financial and other risk profile and review management procedures
– Review compliance with internal, regulatory and legislative requirements
– Test the operating effectiveness of controls and suggest improvements
Corporate Governance – Roles and Responsibilities (13/14)
External Audit
– Independent and qualified
– Evaluate risks inherent in the bank
– Analyze and evaluate information presented
– Understand business structure and transactions
– Review management's adherence to the SB's policies and procedures
– Review the information supplied to the SB, shareholders, and regulators
– Review adherence to statutory requirements
– Report to the SB, shareholders, and regulators on the fair presentation of information submitted to them
– Report on adherence to Fit and Proper requirements
Corporate Governance – Roles and Responsibilities (14/14)
Other Stakeholders
– Lenders and depositors
– Prospective investors
– Competitors
– Financial media and analysts
– Rating agencies
– Employees
– General public
– Media
Challenges for Individuals
Every individual involved in corporate governance activities must practice:
– a spirit of transparency
– a culture of accountability
– individual integrity
3. Internal Control Framework
– Framework for Internal Control Systems in Banking Organizations
– COSO – Enterprise Risk Management Framework
– The role of Internal Audit within the integrated control framework
– Internal Control Framework - Roles and Responsibilities
– Internal Monitoring
– Maturity model of an Internal Control System
Framework for Internal Control Systems in Banking Organizations (1/3)
Basle Committee on Banking Supervision, Framework for Internal Control Systems, 1998:
A system of effective internal controls is a critical component of a company's (bank or insurance) management and a foundation for the safe and sound operation of an organization. A system of strong internal controls can help to ensure that the goals and objectives of an organization will be met, that the organization will achieve long-term profitability targets, and maintain reliable financial and managerial reporting. Such a system can also help to ensure that the organization will comply with laws and regulations as well as policies, plans, internal rules and procedures, and decrease the risk of unexpected losses or damage to the organization's reputation.
Framework for Internal Control Systems in Banking Organizations (2/3)
Objectives of internal control:
– Efficiency and effectiveness of activities (performance objectives);
– Reliability, completeness and timeliness of financial and management information (information objectives); and
– Compliance with applicable laws and regulations (compliance objectives).
Framework for Internal Control Systems in Banking Organizations (3/3)
Elements of the framework:
– Management oversight and the control culture
– Risk recognition and assessment
– Control activities and segregation of duties
– Information and communication
– Monitoring activities and correcting deficiencies
– Evaluation of Internal Control Systems by supervisory authorities
COSO – Enterprise Risk Management Framework (1/3)
The eight components of the COSO ERM framework:
– Internal Environment: encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
– Objective Setting: objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
– Event Identification: internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
– Risk Assessment: risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
– Risk Response: management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
– Control Activities: policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
– Information & Communication: relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
– Monitoring: the entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Source: Ernst & Young
COSO – Enterprise Risk Management Framework (2/3)
Definition
Enterprise risk management is a process, effected by an entity’s supervisory board, executive management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
COSO – Enterprise Risk Management Framework (3/3)
Definition
Enterprise risk management:
– Is a process: a means to an end, not an end in itself
– Is effected by people: not merely policies, surveys and forms, but involves people at every level of an organization
– Is applied in strategy setting
– Is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks
– Is designed to identify events potentially affecting the entity and manage risk within its risk appetite
– Provides reasonable assurance to an entity's management and board
– Is geared to the achievement of objectives in one or more separate but overlapping categories.
The Role of Internal Audit within the Integrated Control Framework
Internal Audit is an integral part of the Bank's corporate governance and risk management framework. Its main function is to assist the SB and Executive Management in their task to enforce, implement and monitor the Bank's guiding principles, policies and directives by providing a systematic, objective and independent assessment of whether:
– Risks are appropriately identified and managed;
– The Bank's internal control system is effective;
– Governance processes ensure compliance with regulations, policies and standards;
– Management performs efficient monitoring and oversight; and
– Assets are adequately safeguarded.
Internal Control Framework - Roles and Responsibilities
Strong management practices are the foundation of a robust control environment. Key principles of the internal control framework philosophy include:
– Executive Management (e.g. ExB) involvement in establishing and enforcing the framework (e.g. governance, policies, capital allocation and monitoring)
– Primary risk ownership resides with business line managers: the Front Office should "own", understand and take an active role in the front-to-back management of the risks of their business (leveraging support/control unit efforts)
– Responsibilities of every employee, department and division: each must own and control operational risks and understand/manage inter-dependencies
– Most operational risk issues are best handled "close to the ground", to align skill set and ownership with issues
– Second line of defence: resides with core processing units (Operations) and control functions (e.g. Financial Accounting, Product Control), and the Compliance and Risk Management functions
– Internal Audit: exists to perform intensive reviews and operates as an independent check on the effectiveness of internal controls, reporting directly to the CSG Chairman and Audit Committee
– External Auditors and Regulatory examinations: provide additional feedback on the control environment
Three lines of defence:
– 1st line of defence: Line management (risk ownership)
– 2nd line of defence: Risk control functions
– 3rd line of defence: Risk assurance (Internal Audit)
Internal Monitoring
(All the safeguards and security measures applied within the internal structure of a company; together they form the Internal Control System.)
Independent safeguards provided by organizational measures:
– System Controls, implemented internally by the functional and procedural organizations in question: division of responsibility; division of function; clear allocation of authorities; systematic integral controls
– By means of technical tools, documentation and reporting: scales; forms; IT, computing systems and calculators; closure systems
Monitoring by line manager and mandatory audits:
– Management and results monitoring by the line manager and other management functions: reconstructability of operational activities; spot checks; plausibility checks
– Audits by the process-independent internal audit department, with examination of: finance; systems; management; projects; special areas
Maturity Model of an Internal Control System (ICS)
Level 1: UNRELIABLE. Unpredictable environment where control activities are not designed or in place. NOT TOLERABLE.
Level 2: INFORMAL. Control activities are designed and in place but are not adequately documented. NOT SUFFICIENT.
Level 3: STANDARDIZED. Control activities are designed, in place and adequately documented. NOT SUFFICIENT.
Level 4: MONITORED. Standardized controls with periodic testing for effective design and operation, with reporting to management. This is the level required for SOX 404.
Level 5: OPTIMIZED. Integrated internal controls with real-time monitoring by management and continuous improvement. FINAL OBJECTIVE.
4. Organization
– Authority and sponsorship
– Mission statement
– Remit
– Independence
– Organizational structure
– Roles and responsibilities
Authority and Sponsorship (1/3)
The principle of independence entails that Internal Audit operates under the direct control of one of the following, depending on the respective corporate governance framework and in accordance with the regulatory environment:
– the bank's Supervisory Board
– the Audit Committee of the SB
– the Chief Executive Officer
Authority and Sponsorship (2/3)
Audit Committee – Relation with Internal Audit
– Regulations for Internal Audit approved by the AC
– Head of Internal Audit reports to the AC
– AC approves the annual audit objectives of Internal Audit
– AC reviews individual audit reports and periodic activity reports
– Head of Internal Audit attends AC meetings
– Presentation of significant audit findings, achievement of audit objectives and assessment of the control environment are standard AC agenda items
– Regular meetings of the AC Chairman with the Head of Internal Audit
Authority and Sponsorship (3/3)
Audit Committee – Assessment of Internal Audit
– Clarity, risk focus and substance of annual audit objectives and annual Activity Reports
– Key risks identified and reported to the relevant levels of management
– Presentation of audit findings; relevance, clarity and objectivity of reports
– Education, training and experience of Internal Audit staff
– Development and use of IT audit tools
– Personality and management capabilities of the Head of Internal Audit and senior Internal Audit management
– Annual assessment by External Audit
– Periodic benchmarking with peers
Mission Statement
The Internal Audit mission is clearly defined and its remit meets stakeholders’ expectations in relation to independent and objective assessments. In June 1999, the Board of Directors of the Institute of Internal Auditors approved the following definition of internal audit: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Remit (1/3)
Internal audit is part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure, because internal audit provides an independent assessment of the adequacy of, and compliance with, the bank’s established policies and procedures. As such, the internal audit function assists senior management and the board of directors in the efficient and effective discharge of their responsibilities as described above. Each bank should have an internal audit charter that enhances the standing and authority of the internal audit function within the bank. Every activity and every entity of the bank should fall within the scope of the internal audit.
Remit (2/3) The scope of Internal Audit includes:
– The examination and evaluation of the adequacy and effectiveness of the internal control systems;
– The review of the application and effectiveness of risk management procedures and risk assessment methodologies;
– The review of the management and financial information systems, including the electronic information system and electronic banking services;
– The review of the accuracy and reliability of the accounting records and financial reports;
– The review of the means of safeguarding assets;
– The review of the bank's system of assessing its capital in relation to its estimate of risk;
Remit (3/3) The scope of Internal Audit includes:
– The appraisal of the economy and efficiency of the operations;
– The testing of both transactions and the functioning of specific internal control procedures;
– The review of the systems established to ensure compliance with legal and regulatory requirements, codes of conduct and implementation of policies and procedures;
– The testing of the reliability and timeliness of the regulatory reporting;
– The carrying-out of special investigations;
– Effective performance of the core assurance role; and
– Handling of conflicting expectations regarding Internal Audit's role.
Independence
The bank's internal audit function must be independent of the activities audited and must also be independent of the day-to-day internal control process. This means that internal audit is given an appropriate standing within the bank and carries out its assignments with integrity, objectivity and impartiality. The principle of independence entails that the internal audit department operates under the direct control of those company bodies detailed under the section 'Authority and Sponsorship', depending on the corporate governance framework and regulatory environment.
Organizational Structure
– Organization aligned to business, regions and support functions
– Consistent objectives and methodologies
– Strive for stability and continuity, and openness to change
– Close coordination with the Chief Risk Officer, Group Compliance, Chief Operating Officer and Chief Financial Officer
– Centralized control and guidance from the Head of Internal Audit
Roles and Responsibilities (1/2)
Internal Audit is an integral part of the Bank's corporate governance and risk management framework. Its main function is to assist the SB, the AC and the Executive Management in their task to enforce, implement and monitor the Group's guiding principles, policies and directives by providing a systematic, objective and independent assessment of whether:
– Risks are appropriately identified and managed;
– The Group's internal control systems are effective;
– Governance processes ensure compliance with policies, standards, procedures and applicable laws and regulations;
– Management performs efficient monitoring and oversight of processes and activities; and
– Assets are adequately safeguarded.
Roles and Responsibilities (2/2)
In addition to the above-mentioned assurance functions, Internal Audit may also perform special audits, or take other appropriate action, when so requested by the Supervisory Board or members of the Executive Board. Internal Audit co-ordinates its activities with those of the AC, the external auditors and other relevant functions, as appropriate, to ensure adequate audit coverage and to minimize duplicated effort.
5. Human Resources
– Manpower planning
– Internal audit staff resources concept
– Professional development and training
Manpower Planning
– Adequate resource levels
– Experienced staff
– Continuity
– Qualifications
– Feedback from management
– Access to specialists
– Joiners and leavers
– Succession planning
Internal Audit Staff Resources Concept
– Apply IIA standards following the core business activities of the Bank (Institute average: 4.5 to 9 internal auditors per 1,000 banking staff, depending on business profile)
– Develop a proprietary risk assessment and planning model to determine staff requirements
– Base the figure on the average audit plan, following experience and regulatory requirements
– Optimal resource allocation will be a combination of the above approaches
– Approach to be submitted to and approved by the AC
Development and Training
– Development and progression framework for Internal Audit staff
– Minimum promotion criteria are defined
– Individual objectives as well as training and development needs are defined on an annual basis
– Performance is measured against consistent and pre-defined criteria
– Bank-internal training
– External training and professional certification courses (e.g. CIA)
6. Working Practices
– Risk assessment methodology
– Annual planning process
– Audit approach
– Audit issue tracking
– Technology
Risk Assessment Methodology (1/13)
Principles
– Risk focused
– Tailored to the bank
– Simple
– Transparent
– Consistent
– Reflecting regulatory requirements
– History
– Regular validation
– Communicated to key stakeholders
Risk Assessment Methodology (2/13)
Conceptual approach: Risk Assessment
– Identify the audit universe
– Split the audit universe into auditable units (AU: audit unit)
– Ensure completeness of the auditable units
– Define the risk categories relevant for the bank
– Define the risk levels applicable for each risk category
– Assess the risks of each AU and determine its overall risk score
– Establish a ranking of all AUs and validate the result
Consistent risk decomposition and assessment of all Audit Units yields a population of comparable risk scores.
Risk Assessment Methodology (3/13)
Conceptual approach: Materiality
– Define materiality levels for the core businesses / activities of the bank
– Allocate a materiality level to each AU
– Establish a ranking of all AUs and validate the result
Consistent decomposition of all Audit Units by materiality yields a comparable population.
Risk Assessment Methodology (4/13)
Conceptual approach: Audit Rotation
– Define audit rotation standards following the defined risk level and/or the materiality level
– Establish the respective ranking by AU by combining risk and materiality
– Define the maximum audit rotation in accordance with regulatory requirements
Consistent decomposition of all Audit Units by audit rotation prioritizes the AUs to be covered in the annual audit plan.
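The three conceptual steps above (risk scoring per audit unit, materiality level, rotation standard combining the two) and the later selection of audit units within an audit-day budget can be made concrete in a few lines. The following is an added example written for this page, not the author's or any bank's actual risk assessment model: the risk categories and weights, the four-level risk scale, the materiality bands, the rotation standards, the regulatory maximum cycle and the sample audit universe are all constructed assumptions. It also shows the two checks a practitioner wants from such a model: a completeness check on the audit universe (every AU assessed on every category, on the defined scale) and an explicit list of due units that did not fit the budget, which is a rotation breach to report rather than silently drop.

```python
"""Audit-unit risk scoring, materiality weighting and rotation-driven
annual plan selection.

Added example, not the model of the author's bank. Risk categories,
weights, level scales, materiality bands, rotation standards and the
sample audit units are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed risk categories with weights in the overall score (must sum to 1).
RISK_WEIGHTS = {"credit": 0.3, "market": 0.2, "operational": 0.3, "compliance": 0.2}
RISK_LEVELS = (1, 2, 3, 4)                 # assumed scale: 1 low .. 4 very high
# Assumed materiality bands: exposure floor (CHF m) -> materiality level 1..3.
MATERIALITY_BANDS = ((5000, 3), (500, 2), (0, 1))
# Assumed rotation standard: priority -> max years between audits, capped by
# an assumed regulatory maximum cycle.
ROTATION_YEARS_BY_PRIORITY = {3: 1, 2: 2, 1: 4}
REGULATORY_MAX_ROTATION_YEARS = 3


@dataclass
class AuditUnit:
    name: str
    risks: dict                 # risk category -> level on RISK_LEVELS
    exposure_mchf: float
    years_since_last_audit: int
    audit_days: int             # planning budget for a full audit of this AU


def validate_universe(units):
    """Completeness check: unique AU names, every risk category assessed,
    every level on the defined scale. Raises ValueError otherwise."""
    names = [u.name for u in units]
    if len(names) != len(set(names)):
        raise ValueError("duplicate audit unit names")
    if abs(sum(RISK_WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("risk weights must sum to 1")
    for u in units:
        missing = set(RISK_WEIGHTS) - set(u.risks)
        if missing:
            raise ValueError(f"{u.name}: unassessed categories {sorted(missing)}")
        bad = {c: l for c, l in u.risks.items() if l not in RISK_LEVELS}
        if bad:
            raise ValueError(f"{u.name}: levels off scale {bad}")


def risk_score(u):
    """Weighted average of category levels; the same decomposition for every
    AU keeps the scores comparable across the whole universe."""
    return round(sum(RISK_WEIGHTS[c] * u.risks[c] for c in RISK_WEIGHTS), 4)


def risk_level(score):
    return 3 if score >= 3.0 else 2 if score >= 2.0 else 1


def materiality_level(exposure_mchf):
    for floor, level in MATERIALITY_BANDS:
        if exposure_mchf >= floor:
            return level
    raise ValueError("negative exposure")


def priority(u):
    """Combine risk and materiality: the higher of the two drives rotation,
    so a small high-risk unit and a large low-risk unit both stay visible."""
    return max(risk_level(risk_score(u)), materiality_level(u.exposure_mchf))


def max_rotation_years(u):
    return min(ROTATION_YEARS_BY_PRIORITY[priority(u)], REGULATORY_MAX_ROTATION_YEARS)


def is_due(u):
    return u.years_since_last_audit >= max_rotation_years(u)


def build_annual_plan(units, available_days):
    """Rank due AUs by priority, then by how far past their cycle they are,
    then by risk score; fill the plan within the day budget and report every
    due AU that did not fit (a rotation breach the AC must see)."""
    validate_universe(units)
    due = sorted((u for u in units if is_due(u)),
                 key=lambda u: (-priority(u),
                                -(u.years_since_last_audit - max_rotation_years(u)),
                                -risk_score(u)))
    others = sorted((u for u in units if not is_due(u)),
                    key=lambda u: (-priority(u), -risk_score(u)))
    selected, breaches, days_left = [], [], available_days
    for u in due:
        if u.audit_days <= days_left:
            selected.append(u.name)
            days_left -= u.audit_days
        else:
            breaches.append(u.name)
    for u in others:   # discretionary coverage with any remaining budget
        if u.audit_days <= days_left:
            selected.append(u.name)
            days_left -= u.audit_days
    return {"selected": selected, "rotation_breaches": breaches,
            "unallocated_days": days_left}


# Constructed sample audit universe (not real data).
SAMPLE_UNITS = [
    AuditUnit("Corporate lending", {"credit": 4, "market": 1, "operational": 3, "compliance": 2}, 12000, 2, 40),
    AuditUnit("FX trading desk", {"credit": 3, "market": 4, "operational": 4, "compliance": 3}, 8000, 0, 30),
    AuditUnit("Retail branch network", {"credit": 2, "market": 1, "operational": 3, "compliance": 3}, 900, 3, 25),
    AuditUnit("E-banking platform", {"credit": 1, "market": 1, "operational": 4, "compliance": 3}, 3000, 1, 35),
    AuditUnit("Staff canteen", {"credit": 1, "market": 1, "operational": 1, "compliance": 1}, 2, 4, 5),
]

if __name__ == "__main__":
    for u in SAMPLE_UNITS:
        print(f"{u.name:22} score={risk_score(u):.2f} prio={priority(u)} "
              f"cycle={max_rotation_years(u)}y due={is_due(u)}")
    print(build_annual_plan(SAMPLE_UNITS, available_days=65))
```

With a 65-day budget the two highest-priority due units fill the plan and the overdue low-priority unit is reported as a rotation breach instead of disappearing; with a 100-day budget all due units fit and the remaining days go to the highest-priority unit that is not yet due. The combination rule in `priority` (take the higher of risk level and materiality level) is one defensible choice; a bank's own model might weight the two differently, but whatever rule it uses should be applied identically to every AU so the ranking stays comparable and defensible to the AC.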
Risk Assessment Methodology (5/13)
Input
Internal sources and documents
– Management interviews
– Internal reporting documents
– Previous audit reports
External information
– Regulatory focus / developments
– Industry trends (banking and auditing)
– External auditor
Risk Assessment Methodology (6/13)
Overview
(Overview diagram; recoverable labels only.)
Top-Down Approach: Environmental / Corporate Risk – Assessment of key developments, leading to Key Risks and Control Considerations and to the Areas of Audit Concentration.
Bottom-Up Approach: Audit Unit Risk – Risk Assessment Model, leading to the Selection of Audit Units and the Allocation of Audit Days.
Both approaches feed the Annual Objectives.
Risk Assessment Methodology (7/13)
Top Down Audit Planning Process - Assessment of key developments
In addition to the RAM, which is principally a ‘bottom up’ approach to audit planning, the Audit Department has developed a ‘top down’ approach based on the paper “Internal Controls – An Integrated Framework” developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This approach enables Internal Audit to assess the overall control environment of the firm, together with industry and regulatory developments, in order to identify key risks and control considerations and thereby define the areas of audit concentration.
Risk Assessment Methodology (8/13)
Bottom-Up Audit Planning Process - Audit Unit Definition
The Audit Unit (AU) is the basis of the risk assessment and planning procedures. All activities, functions, entities and systems of the Bank are analyzed and broken down into AUs. Taken together, the population of all AUs reflects all business units of the Bank. An AU is characterized by its type (product line, function, entity, technology, project) and its geographical reach (global, regional). AUs are allocated a budget of financial and IT audit days for planning and resource monitoring purposes. An audit may cover more than one AU at a time.
Risk Assessment Methodology (9/13)
Bottom-Up Audit Planning Process - Completeness Review
The Audit Unit completeness exercise is a critical first step in the planning process:
– Ongoing assessment of business activities and relationships;
– Review and mapping of the Bank’s organizational structure, new projects and key management reports to the existing AUs;
– Legal entities are mapped to the population of AUs;
– Front office headcount is mapped to product line AUs (e.g. will ensure the capture of all implant traders);
– Trading books are mapped to product line AUs;
– Application and infrastructure mapping.
Risk Assessment Methodology (10/13)
Overview of Risks
The Bank (perspective: Capital Adequacy)
– Strategy Risk
– Market Risk
– Credit Risk
– Expense Risk
– Liquidity & Funding Risk
– Operational Risk
– Reputation / Brand Risk
BIS (perspective: Capital Adequacy / Internal Controls)
– Credit Risk
– Country Risk
– Market Risk
– Interest Rate Risk
– Liquidity Risk
– Operational Risk
– Legal Risk
– Reputational Risk
Internal Audit (perspective: Internal Controls)
– Management & Strategy Risk
– Market Risk
– Credit Risk
– Operational Risk
– Technology Risk
– Regulatory, Legal & Reputational Risk
– Financial Accounting & Reporting Risk
Risk Assessment Methodology (11/13)
Risk Assessment Model (RAM)
The Risk Assessment Model is used to assess the risk of an individual Audit Unit by assessing and scoring the defined risk categories. The weighted risk scores of the risk categories are aggregated and translated into the overall risk rating of the AU, between 1 (low risk) and 4 (high risk). The assessment of the risk factors is a judgmental process. The rationale and conclusions for each risk assessment need to be documented for future reference. The risk assessment of each AU requires sign-off by audit management. RAMs are completed after each audit and updated in conjunction with the annual planning process, based on information gained from our ongoing monitoring of business developments.
Risk Assessment Methodology (12/13)
Materiality Assessment
Materiality reflects the relative significance of an AU in the global context. The materiality assessment is based on a grid of standardized materiality factors and materiality ranges within these factors. The materiality factors applicable to an AU are assessed on a scale from 1 (low) to 4 (high). If more than one materiality factor applies, the highest materiality governs. The materiality factors are periodically validated with the responsible business managers and Risk Management.
Risk Assessment Methodology (13/13)
Determination of Audit Rotation for Audit Units
The risk score of an AU and its materiality determine the audit rotation based on the following grid (rows: materiality level; columns: risk rating):

                     Risk Rating 4   Risk Rating 3   Risk Rating 2   Risk Rating 1
Materiality Level 4  1 Year          1 Year          2 Years         3 Years
Materiality Level 3  1 Year          2 Years         3 Years         3 Years
Materiality Level 2  2 Years         3 Years         4 Years         4 Years
Materiality Level 1  3 Years         3 Years         4 Years         5 Years
Audits required by local or global regulators overrule the outcome of this rotation process.
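The three steps of the methodology described on the preceding slides (weighted RAM scoring to a 1–4 risk rating, the "highest factor governs" materiality rule, and the rotation grid with regulator-mandated audits overruling it) can be run end to end as a small model. The code below is an added illustration and not Credit Suisse's own RAM or planning tool: the category weights, the five-year regulatory cap, the four sample audit units, their scores and the bank inventory are constructed assumptions; only the risk categories, the 1–4 scales and the rotation grid are taken from the slides. It also includes the completeness review from the Audit Unit Definition slides (inventory items mapped to no AU) so that the whole bottom-up planning step, up to the list of AUs due in a plan year, can be exercised.

```python
"""Toy model of risk-based audit planning (added example, not the bank's code).
Weights, regulatory cap, sample units and inventory are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Internal Audit risk categories from the "Overview of Risks" slide.
# Weights are in percent and sum to 100; the values are assumed.
RISK_WEIGHTS = {
    "management_strategy": 15,
    "market": 15,
    "credit": 15,
    "operational": 20,
    "technology": 10,
    "regulatory_legal_reputational": 15,
    "financial_accounting_reporting": 10,
}

# Rotation grid from the slides: ROTATION[materiality][risk_rating] -> years.
ROTATION = {
    4: {4: 1, 3: 1, 2: 2, 1: 3},
    3: {4: 1, 3: 2, 2: 3, 1: 3},
    2: {4: 2, 3: 3, 2: 4, 1: 4},
    1: {4: 3, 3: 3, 2: 4, 1: 5},
}
MAX_ROTATION_YEARS = 5  # assumed regulatory maximum rotation


@dataclass
class AuditUnit:
    name: str
    risk_scores: dict                      # category -> score 1 (low) .. 4 (high)
    materiality_factors: dict              # factor -> level 1 .. 4
    mapped_items: set = field(default_factory=set)  # entities, books, apps
    last_audited: Optional[int] = None     # year of the last regular audit
    regulatory_rotation: Optional[int] = None  # years mandated by a regulator


def risk_rating(au: AuditUnit) -> int:
    """Aggregate weighted category scores into the overall AU rating 1..4."""
    missing = set(RISK_WEIGHTS) - set(au.risk_scores)
    if missing:
        raise ValueError(f"{au.name}: unscored risk categories {sorted(missing)}")
    for cat, score in au.risk_scores.items():
        if cat not in RISK_WEIGHTS or not 1 <= score <= 4:
            raise ValueError(f"{au.name}: invalid score {score!r} for {cat!r}")
    total = sum(RISK_WEIGHTS[c] * au.risk_scores[c] for c in RISK_WEIGHTS)
    # Integer arithmetic, rounded half up, keeps the rating reproducible.
    return max(1, min(4, (total + 50) // 100))


def materiality_level(au: AuditUnit) -> int:
    """When several materiality factors apply, the highest one governs."""
    levels = list(au.materiality_factors.values())
    if not levels or any(not 1 <= lv <= 4 for lv in levels):
        raise ValueError(f"{au.name}: materiality factors must be in 1..4")
    return max(levels)


def rotation_years(au: AuditUnit) -> int:
    """Grid lookup; a regulator-mandated rotation overrules the grid."""
    if au.regulatory_rotation is not None:
        years = au.regulatory_rotation
    else:
        years = ROTATION[materiality_level(au)][risk_rating(au)]
    return min(years, MAX_ROTATION_YEARS)


def rank_audit_units(units):
    """Shortest rotation first; ties broken by risk, then materiality, then name."""
    return sorted(units, key=lambda au: (rotation_years(au), -risk_rating(au),
                                         -materiality_level(au), au.name))


def due_for_audit(units, plan_year: int):
    """Names of AUs whose rotation has elapsed; never-audited AUs are always due."""
    return [au.name for au in rank_audit_units(units)
            if au.last_audited is None
            or plan_year - au.last_audited >= rotation_years(au)]


def completeness_gaps(units, bank_inventory):
    """Completeness review: inventory items (entities, books, apps) mapped to no AU."""
    mapped = set().union(*(au.mapped_items for au in units))
    return sorted(set(bank_inventory) - mapped)


def _scores(ms, mk, cr, op, te, rg, fr):
    return dict(zip(RISK_WEIGHTS, (ms, mk, cr, op, te, rg, fr)))


# Constructed sample data (not from the slides).
SAMPLE_UNITS = [
    AuditUnit("FX Trading", _scores(3, 4, 2, 4, 3, 3, 3), {"revenue": 4, "headcount": 2},
              {"Book: FX-SPOT", "Book: FX-OPT"}, last_audited=2006),
    AuditUnit("Branch Lending", _scores(2, 1, 4, 3, 2, 3, 2), {"loan_book": 3, "headcount": 2},
              {"App: LoanSys", "Entity: Bank AG"}, last_audited=2006),
    AuditUnit("Regulatory Reporting", _scores(2, 1, 1, 3, 3, 4, 4), {"regulatory_exposure": 3},
              {"App: RegRep"}, last_audited=2006, regulatory_rotation=1),
    AuditUnit("Staff Canteen Procurement", _scores(1, 1, 1, 2, 1, 1, 1), {"spend": 1},
              last_audited=2003),
]
SAMPLE_INVENTORY = {"Entity: Bank AG", "Book: FX-SPOT", "Book: FX-OPT",
                    "Book: RATES-SWAP", "App: LoanSys", "App: RegRep"}

if __name__ == "__main__":
    for au in rank_audit_units(SAMPLE_UNITS):
        print(f"{au.name:28} risk={risk_rating(au)} mat={materiality_level(au)} "
              f"rotation={rotation_years(au)}y")
    print("due in 2007:", due_for_audit(SAMPLE_UNITS, 2007))
    print("unmapped inventory:", completeness_gaps(SAMPLE_UNITS, SAMPLE_INVENTORY))
```

Two design points worth noting: the score validation refuses an AU with an unscored category rather than silently treating it as low risk, which is the failure mode the sign-off requirement on the RAM slide guards against; and the regulatory override is applied after the grid so that a mandated annual audit always lands in the plan regardless of how the judgmental scores came out.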
Annual Planning Process (1/3)
Key Processes
Audit management develops the annual audit objectives based on the rotations proposed by the RAM and on the overall assessment of key developments and of the internal control framework, to ensure an integrated view of inherent AU risks and business-related risks. Senior business management, Risk Committees and the External Auditor, as well as other stakeholders, are consulted to obtain further input for the annual audit objectives. The audit objectives are submitted to the Audit Committee (AC) for approval. The audit objectives constitute the overall framework for the annual audit plan.
Annual Planning Process (2/3)
Key Processes (continued)
The annual audit plan is translated into a quarterly audit schedule based on risk considerations, business developments and available resources. The scheduling of the audit plan is closely coordinated with the External Auditor for timing and reliance purposes. Business developments are continually monitored to assess whether changes to risk assessments and to the audit plan are required. Significant changes require approval by the Chairman of the AC. Progress under the audit plan is monitored based on the monthly timesheets prepared by each member of the Internal Audit Department (progress tracking).
Annual Planning Process (3/3)
Required Flexibility
Flexibility to change the annual audit plan, in particular for audits in areas with lower risk and lower materiality.
(Grid diagram, Materiality 1–4 against Risk Rating 1–4: the high-materiality / high-risk corner is marked as Key Audits; the low-materiality / low-risk corner is marked as the area of highest flexibility.)
Audit Approach (1/10)
General
The primary audit approach is product-line oriented (i.e., an integrated ‘Cradle to Grave’ assessment of businesses across all relevant functions and departments).
Separate audits are performed of key functions and certain legal entities.
Technology reviews cover key functional IT areas, for example: infrastructure, critical applications, development teams, business contingency planning.
Additional assignments may include:
– New businesses are generally reviewed within 12 months; and
– Special projects and investigations as requested by Senior Management (all projects > 10 days require approval by the Chairman of the AC).
Audit Approach (2/10)
Product Line Audit
Evaluation of the adequacy and effectiveness of the control environment surrounding the activities of a product line such as Asset Management, Listed Derivatives, Structuring and Structured Interest Rate Derivatives, and IR Derivatives:
Front Office procedures and conduct
Supervision by local and regional management
Trade surveillance and control room procedures
Controls regarding legal and regulatory requirements and regulatory reporting
Compliance with Firm policies
Transaction processing and settlement
Product related financial and MIS reporting
Market and credit risk monitoring
Information technology environment
Audit Approach (3/10)
Entity Audit
Evaluation of the adequacy and effectiveness of the corporate governance and the internal control environment surrounding the entity, including, but not limited to, a review of the following:
Entity level management controls and supervision
Corporate Governance
License registration for both entity and individuals
Controls regarding legal or regulatory requirements and reporting
Compliance with Firm policies
Account opening and anti-money laundering procedures
Entity related support functions
Entity related aspects of product related support functions
Audit Approach (4/10)
Functional / IT Audit
Evaluation of the adequacy and effectiveness of the control environment surrounding a particular function and/or application, including, but not limited to, a review of the following:
Functional procedures and controls
Management supervision and reporting
Legal and regulatory compliance
Adherence to Firm policies and standards
Information technology environment
Audit Approach (5/10)
Performing Audits
Endeavors to perform "Joint Audits" (Operational and IT Auditors):
– Reports show the "whole picture" of an audit unit;
– Supports knowledge transfer between Operational and IT Auditors;
– International exchange of competencies and knowledge.
Standardized audit process:
– Using standardized and consistent procedures for all audit phases;
– Use of audit program modules.
Quality Assurance:
– Audit Management involvement during audit phases incl. phase approval;
– Checklists for all audit phases.
Audit Approach (6/10)
Audit Phases of a Regular Audit
Audit Planning & Preparation
Audit Fieldwork
Audit Clearing
Audit Completion
Audit Issue Tracking
Audit Approach (7/10)
Audit Cycle Phases
Audit Approach (8/10)
Audit Programs
Methodology:
Modules for all business areas within a firm: Retail Banking, Private Banking, Mortgages, Sales/Trading, Market Risk Mgmt, Credit Risk Mgmt, Operations, Financial Control, Legal & Compliance, etc.
General section which covers areas applicable to all functions: Organization, Supervisory Controls, Management Information, etc.
Generic risks applicable to each scope point are also provided
Base-line controls provided and linked to applicable risks and scope points
Includes conclusion and referencing columns
Audit Approach (9/10)
Audit Programs
Example:
Functional Area: General Section
Scope Point: Organizational Structure
Risk: The organizational structure does not provide for an adequate segregation of incompatible functions
Controls: e.g. no single individual is responsible for or controls an entire process or operation.
Procedures: Through performance of procedural walkthroughs, reviews of policies and procedure manuals, observation and testing, assess whether key functions are adequately segregated.
Results
Recommendations
Audit Approach (10/10)
Areas of Focus with Respect to the Lending Business
Audits of the lending businesses and entities generally include a risk-based assessment of the adequacy and effectiveness of the control environment in the following areas:
Corporate governance, management organization and supervision
Organization and segregation of business and support functions
Account opening, client identification and anti-money laundering procedures
Marketing conduct and client communications
Loan application, credit analysis and approval process
Loan processing, documentation and disbursement
(Re)payment of interest and loan principal
Safeguarding of loan collateral
Loan monitoring processes (creditworthiness; collateral valuation; adherence to loan terms)
Client statement preparation and distribution
Compliance with legal and regulatory requirements and Firm policies
Procedures to prevent and detect fraud
Information systems infrastructure, security and support activities
Financial accounting and reporting
Business continuity planning
Audit Issue Tracking (1/3)
Issue implementation is the responsibility of management.
Management uses the Audit Tracking System (ATS), operated by line management, to track the implementation of issues.
Management captures all issues in ATS. Upon their capture in ATS, Internal Audit allocates each issue to the relevant entities and applies a risk rating to it based on its impact in a global context.
Management periodically updates ATS with respect to progress made in addressing the relevant audit recommendations.
Audit Issue Tracking (2/3)
Issue Follow Up – Quarterly Reviews
Qualitative Follow Up: Each quarter, Internal Audit verifies for a sample of actions marked “fully implemented” or “phase complete” by management whether the underlying deficiency has been addressed. Results are reported to Executive Management, the Audit Committee, and line and entity management. Verification issues are also tracked in the Audit Tracking System and rated based on their impact in a global context.
Quantitative Follow Up: Each quarter, Internal Audit highlights to the Audit Committee long overdue management actions, based on ATS statistics focused on past due items.
Audit Issue Tracking (3/3)
Issue Follow Up – Next Audit
Internal Audit further follows up on all issues in the next regular audit
Repeat findings are highlighted to management in a dedicated section of the Audit Report
Findings raised in ‘high risk’ rated Audit Reports are generally followed up in the following year
Technology (1/2)
Use of technology and tools facilitates the audit work in many areas, specifically for:
Risk assessment
Planning
Support of audit scoping and performance of fieldwork
Monitoring progress of audits by using metrics
Scheduling and time reporting
Audit issue tracking
Technology (2/2)
Standard Software and Applications
MS Office Software – Word, Excel, Access, Visio
Audit Analysis Tools (e.g. ACL)
Automated Working Paper Software (e.g. TeamMate)
Built-in Audit Analysis Modules (e.g. SAP, PeopleSoft)
Self-developed audit tools (SQL, Microsoft .NET)
7. Communication and Reporting
Annual Audit Cycle Drives Reporting of Internal Audit
Principles for Communication and Reporting
External Communication and Audit Reporting
Department Internal Communication
Annual Audit Cycle
(Clock-style diagram of the annual cycle, with the four Audit Committee meetings placed around the year at roughly months 3, 6, 9 and 12; recoverable labels only.)
AC 1: Q4 Review – Activity Report (past year)
AC 2: Q1 Review – Quarterly Report
AC 3: Q2 Review – Quarterly Report
AC 4: Q3 Review – Quarterly Report, Annual Plan and Annual Objectives (preceded by the Risk Assessment)
Principles for Communication and Reporting
Raise Top Management’s awareness for key audit and control issues
Establish an increasingly strategic partnership with the Audit Committee and with Top Management
Ensure that audit issues are communicated in a targeted way to the relevant level of management
Enhance communication with customized reporting, balancing on the broad scale between high-level overview / big picture and granular information on specific issues
Establish appropriate distribution channels to ensure effective / timely reporting
Principles for Reporting
Create persuasive audit-reporting documents that elicit management action.
Gain an understanding of the users and readers of audit reports.
Know the elements of an observation that shape writing: conditions, criteria, causes, effects, conclusions, and recommendations or action plans.
Practice writing for logic, clarity, impact, tone, conciseness, and readability.
External Communication and Audit Reporting (1/17)
Reporting Cycle
Activity reporting to AC / executive management
Audit Objectives submission to AC / executive management
Regular updates to AC / executive management
Reporting of plan deviations
Individual audit reports to executive / senior management
External Communication and Audit Reporting (2/17)
Content of the individual audit report
Audit unit audited
Background Information
Scope of the Audit
Summary of audit observations and recommendations (including summary comment by responsible management)
Individual audit observations and recommendations (including comment by responsible management)
Report rating
Audit specific information: Audit team, audit period, audit days, audit contacts
Distribution list
Definitions of rating criteria and materiality levels
External Communication and Audit Reporting (3/17)
Audit Report: Background Information
Short and concise
Critical background information (i.e. significant business activities, organization, key developments, etc.)
Key risks and size of the audit unit
Significant subsequent events
External Communication and Audit Reporting (4/17)
Audit Report: Summary of audit observations and recommendations
High level summary enabling senior management to view the audit unit and associated issues in context
Results of audit (exception-only style) and state of the internal control environment
Summarized significant findings; in selected cases, balanced with positive comments to the extent applicable
Significant repeat items will be noted (and box checked in sidebar)
Rationale for report rating (specific audit findings that have contributed to the rating, volume and/or magnitude of findings)
External Communication and Audit Reporting (5/17)
Audit Report: Summary of audit observations and recommendations
Recurrent themes for issues that have been identified across various audit units
Issues that expose the Firm to significant reputational risk
Areas highlighted already identified by management, corrective measures taken and projects initiated to address the control weaknesses noted
Summary Comments by Senior Management
– Brief response to the overall key findings of the audit
– Not aimed at providing a detailed response to individual audit issues in the appendix
External Communication and Audit Reporting (6/17)
Audit Report: Individual Observations and Recommendations
Audit observations to be presented in the audit report should consist of the following elements:
Criteria
Conditions
Cause
Effect
Conclusion
Recommendation
Comment by responsible line management (including due date)
External Communication and Audit Reporting (7/17)
Audit Report: Other Information
Audit contacts
– Responsible Audit Management
Audit team
– Audit Supervisor
– Audit Manager
– Auditors
Audit period
– E.g. period of the fieldwork phase (December 2006 to March 2007)
Audit days
– Actual audit days needed to perform the audit
Audit scope (as outlined in part Working Practices – Audit Approach)
External Communication and Audit Reporting (8/17)
Audit Report Rating
A – The AU’s overall control environment was found to be operating effectively.
B – The AU’s overall control environment was generally found to be operating adequately.
C – The audit identified issues that could expose the AU to an inappropriate level of risks.
D – The audit identified critical issues that expose the AU to a significant and/or unacceptable level of risks.
External Communication and Audit Reporting (9/17)
Audit Report: Rating and Materiality
Ratings convey to the reader Internal Audit’s assessment of the overall control environment and the significance of the issues raised in relation to the Audit Unit under review.
The rating is solely assigned by Internal Audit based on its independent and professional judgement.
Materiality rankings can be added to provide management with information on the significance of the audit unit relative to the firm or business unit, utilizing the materiality ratings (1 to 4) from the Risk Assessment Methodology.
External Communication and Audit Reporting (10/17)
Audit Report: Rating and Materiality
Management actions taken subsequent to the completion of fieldwork generally will not be considered when making a rating assessment
Use of letters (‘A’, ‘B’, ‘C’ and ‘D’, with ‘A’ being the best rating): they are unbiased and independent from regional/cultural differences
Rating definitions published to the business to increase transparency
External Communication and Audit Reporting (11/17)
Audit Report: Distribution
Paper or electronic distribution (e.g. as pdf attachment in email)
Definition of receiver of audit report summary only or full audit report
Distribution list
– Members of Supervisory Board (e.g. Chairman)
– Members of the Audit Committee (e.g. Chairman of the AC)
– Members of the Executive Board (e.g. CEO, CFO and the Member of the Executive Board responsible for the relevant AU)
– Line Management responsible for the relevant AU
– Heads of supporting functions (e.g. Compliance, Risk Management, IT)
– Other key persons concerning that audit unit (e.g. Project Managers)
External Communication and Audit Reporting (12/17)
Supplemental Memorandum
In addition to the audit report, a supplemental memorandum can be issued to report:
Minor weaknesses not included in the Audit Report because the associated risk is inherently low or mitigated by compensating controls or materiality considerations
Less significant deficiencies not relevant to the auditee’s Senior Management (e.g. a small number of findings identified during a sample; small deficiency noted in internal controls)
Detail of findings supporting audit issues included in the Appendix of the audit report
External Communication and Audit Reporting (13/17)
Annual Activity Report
Achievement of the audit objectives
Assessment of the Bank’s control environment
Summary of significant audit issues and other key information related to reports issued during the year
Assessment of the control environment
High level (“helicopter view”) comments regarding recurring themes
Key audit issues (not included in themes) with significance for the Bank (in particular issues with undesirable levels of reputational risk)
External Communication and Audit Reporting (14/17)
Annual Activity Report
Other non-audit specific issues with significance for the Bank (e.g. special projects, concerns regarding issues that may not have been specifically identified in our reports)
High level recommendations to Audit Committee and Executive Management where appropriate
Distributed to key stakeholders, and to regulators and the External Auditor (if requested), in a spirit of openness and transparency
External Communication and Audit Reporting (15/17)
Periodical Reporting
High level reporting where deemed appropriate on a periodical basis summarizing the results and conclusions of individual audit reports. Distributed to the Audit Committee and Executive Management.
External Communication and Audit Reporting (16/17)
Interaction with Management
Internal Audit management participates in regular company meetings in all key locations to keep informed of all key issues and developments of the organization. Regular conversations with key business and functional heads are also held, which provide useful information on developments and issues. Ongoing communication with representatives from the business and control functions enables Internal Audit to adapt the audit plan to recent developments and evolving risks.
External Communication and Audit Reporting (17/17)
Quality Assurance
Senior audit management to ensure:
High quality of content
Formal correctness
Timely report issuance
Transparency and consistency of report rating
Information to stakeholders about reporting procedures
Regular feedback from stakeholders
Timely adaptation of reporting concept to evolving needs
Department Internal Communication
To ensure know-how and information exchange, achieve consistency in procedures and foster team spirit within Internal Audit, regular communication within the department is essential, specifically by means of:
Corporate Intranet
Periodic Newsletters by mail
Periodic meetings
Specific workshops
8. Performance Metrics and Knowledge Management
Knowledge management
Quality assurance
Performance metrics
Compliance with the IIA standards
Knowledge Management
Information archive
Information sharing
– Within Internal Audit
– Within the Bank
– With Peer Audit Departments (interest groups, e.g. local IIA subgroup Banks)
– With professional associations
Quality Assurance
Disciplined and documented approach covering all relevant processes
Establishment of quality standards to monitor compliance and status
Internal peer reviews and follow-up of respective issues
Periodic quality assurance reviews by external professionals
Performance Metrics
Progress tracking
– Monitoring of ongoing audits
Performance Metrics
– Achievement of Audit Objectives
– Adherence to audit budget
– Duration of reporting period
– Staffing (budget vs. effective)
Management information in times of change management
– To be defined according to individual objectives / needs
Compliance with the IIA Standards
Code of Ethics
IIA Standards for the Professional Practice of Internal Auditing
– 1000 Purpose, Authority, and Responsibility
– 1100 Independence and Objectivity
– 1200 Proficiency and Due Professional Care
– 2000 Managing the Internal Audit Activity
– 2100 Nature of Work
– 2200 Engagement Planning
– 2300 Performing the Engagement
– 2400 Communicating Results
– 2500 Monitoring Progress
– 2600 Management‘s Acceptance of Risks
9. Wrap-up and Questions
Internal Audit’s Core Principle
Audit (Latin audire) means "listen to":
Key stakeholders
Auditees
Company and its representatives as a whole
Environment
– Competitors / Banking Industry
– Regulators
– Research and Doctrine
– Professional Associations
– Media / Publications
…and derive conclusions with common sense and integrity
Internal Audit Focus
(Diagram; recoverable labels only.)
What you do? – Doing the right things.
How you do it? – Doing the things the right way.
Perception – Communication / Reporting.
Impact – Mobilize Stakeholders.
Risk Orientation! Prioritize! Mobilize!
Flexibility
What is the Value Added of Internal Audit?
Internal Audit adds value by helping to:
Achieve corporate goals
Protect reputation
Protect firm’s and clients’ assets
Pro-actively identify and monitor risks / emerging themes
Make internal processes more efficient and effective
Provide assurance to the Board of Directors re adequacy / effectiveness of internal control, including SOX 404 compliance
Improve quality of financial data
Provide know-how transfer by deploying resources to the Firm
Evolving Role of Internal Audit
IA in the Past (Traditional Values)
– Size as the key competitive factor
– Value Management
– Mechanists of capitalism
– Capital Market (Financial Analysts, Investors) kept management alert
– Compliance to the letter of the law (rules based accounting)
– Audit = Commodity (cost factor)
– Independence as moral obligation
IA today (Additional Values)
– Size and quality as competitive factors
– Value and risk management
– Good corporate citizens
– Opinion Market (Media, NGOs, Employees) keeps management alert
– Compliance to the spirit of the law (principles based accounting)
– Audit = Key to public trust
– Independence as legal obligation
Links to Relevant Organizations
The Institute of Internal Auditors: http://www.theiia.org
Bank for International Settlements: http://www.bis.org
Basel Committee on Banking Supervision: http://www.bis.org/bcbs/index.htm
National Bank of Ukraine: http://www.bank.gov.ua
The Committee of Sponsoring Organizations of the Treadway Commission: http://www.coso.org
Credit Suisse: http://www.credit-suisse.com