- Slides: 18
Segmenting the audit universe
Janette Smith, Head of Audit, Products, Sales and Servicing, Nationwide Building Society
Ian Hersey, Head of Audit Methodology, Lloyds Banking Group
Introduction
Ø Key points to consider when preparing and segmenting the audit universe to support:
• Internal Audit’s risk assessment;
• the prioritisation of audit activities; and
• monitoring of Internal Audit’s coverage of the audit universe.
Segmenting the Audit Universe
Ø The audit universe:
• comprises auditable entities;
• is segmented to support audit prioritisation and coverage monitoring;
• is structured to support the risk assessment and audit plan construction; and
• should be validated against other sources for completeness.
Ø Review the audit universe following material changes in the organisation, and at a minimum on an annual basis.
Segmenting the Audit Universe (Cont.)
Ø Customer Journey – Mortgages: Mortgage Advice → Customer take-on → KYC → Underwriting → Fulfilment → Servicing → Arrears Management
Ø Options for auditable entities:
• Mortgages
• New Lending / Servicing / Arrears Management
• Each element of the customer journey
• Further segmentation, e.g. segment underwriting into BTL / Residential, servicing into granular processes
• Etc.
Ø Number of auditable entities partly driven by preference for the size / scope of audits
Segmenting the Audit Universe (Cont.)
Ø Customer journeys: Mortgages, Current Accounts, General Insurance, Life Insurance
Ø Number of auditable entities also partly driven by the complexity of the organisation
Segmenting the Audit Universe (Cont.)
Ø Segmentation also depends on the approach to auditing functions vs. business processes, e.g. Finance:
• Business Planning
• Financial Reporting: Regulatory reporting, Statutory financial reporting, Liquidity reporting
• Capital planning
Ø Judgement is also needed in auditing thematic risks – separate risk assessment / audit vs. coverage in business processes. E.g. vulnerable customers:
– Separate auditable entity, or
– Coverage in business processes, e.g. arrears management, new lending
Annual Planning – Typical Process
Bottom-up Risk Assessment
Ø Internal Audit’s understanding of the organisation’s business activities and the associated risks
Ø Applied to each Auditable Entity in the Audit Universe
Ø Will consider assessments of:
• Inherent risk
• Control environment
• Residual risk
Inherent Risk
Ø Typically considers the impact and likelihood of an event occurring = overall inherent risk rating for each auditable entity
Ø Typically defined as “the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances.”
Ø Can assess in aggregate or at an individual sub-risk level
Ø New Mortgage Lending – options:
• At sub-risk level: Conduct Risk – Critical; Credit Risk – Critical; Operational Risk – Moderate; IT / Cyber Risk – High → calculation → Overall Inherent Risk
• Or Overall Inherent Risk assessed in aggregate (impact on customers / regulators, financial impact)
Control Environment
Ø Assess the control environment
Ø Data points:
• Previous audit reports
• Other independent data sources, e.g. regulatory examinations / external audits
• Business / 2LOD assurance providers
• Risk events
• Management self-assessment, etc.
Ø Update following relevant audits / validation of management findings
Ø Benefit taken in the form of less coverage for AEs with a positive control environment
Residual Risk
Ø Potential for override… no model is perfect; there has to be scope for professional judgement
Ø Generally formulaic – depending on the Inherent Risk and Control Environment assessments
Ø Might look something like this:
Continuous Monitoring
Ø Continuous monitoring of key audit risk factors should help to inform decision-making over changes to the audit plan and universe
Ø Updated to reflect changes in processes, controls, systems, business model, regulations, business environment, etc.
Ø Annual / 6-monthly / quarterly plan
Coverage Model
Ø Consider the risk profile and complexity of the organisation
Ø Options include:
• Cyclical models
• Annual prioritised models
• Responsive models
Ø In all cases the coverage model should be confirmed with the audit committee.
Cyclical Model
Ø Cycle generally set at the Auditable Entity level
Ø Move in FS towards audit cycles at a risk level within AEs, e.g.:
• Assess the overall residual risk of the AE, e.g. the AE may be High
• Assess residual risk at the sub-risk level, e.g. Credit Risk may have a residual risk of Critical
• Differential cycle depending on the residual risk of the AE and the residual risk of the sub-risk, e.g. AE High / Sub-risk Critical cycle might be two years
Cyclical Model (Cont.)
Ø Audit cycles vary in practice
Ø Typically c. 12 – 18 months for the highest category; 4 – 5 years for the lowest
Ø UK guidance – principles based
Ø US FS guidance gives indicative cycles:
• NY Fed: ‘common practice for institutions with defined audit cycles is to follow either a three- or four-year audit cycle; high-risk areas should be audited at least every twelve to eighteen months.’
• OCC: ‘Some banks follow a four-year audit cycle, with high-risk areas audited every 12 months and low-risk areas every 48 months.’
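As an added worked example (not the presenters’ model or a slide from the deck), the following Python puts the bottom-up pieces together: the sub-risk inherent ratings shown for New Mortgage Lending, a control-environment adjustment to derive residual risk, and the differential cycle described on the Cyclical Model slides. The four-point rating scale, the one-notch control-environment adjustment, the cycle lengths and the “Adequate” control environment and aggregate AE rating of “High” are assumptions, chosen so that the deck’s own example (AE High / sub-risk Critical → two years) and its quoted ranges (12 – 18 months highest, 4 – 5 years lowest) hold.

```python
# Assumed rating scale, control-environment shift and cycle lengths; these are
# illustrative choices, not values taken from the presentation.
SCALE = ["Low", "Moderate", "High", "Critical"]          # assumed ordering
BASE_CYCLE_MONTHS = {"Low": 48, "Moderate": 36, "High": 24, "Critical": 12}
CONTROL_SHIFT = {"Strong": -1, "Adequate": 0, "Weak": +1}  # assumed effect

def shift(rating: str, steps: int) -> str:
    """Move a rating up or down the scale, clamped at both ends."""
    idx = min(max(SCALE.index(rating) + steps, 0), len(SCALE) - 1)
    return SCALE[idx]


def residual(inherent: str, control_env: str) -> str:
    """Residual risk = inherent risk adjusted by the control environment
    (a positive control environment lowers the rating, a weak one raises it)."""
    return shift(inherent, CONTROL_SHIFT[control_env])


def cycle_months(ae_residual: str, sub_residual: str) -> int:
    """Differential cycle: set by the sub-risk's residual rating, stretched one
    notch when the AE's aggregate residual rating sits below the sub-risk's."""
    effective = sub_residual
    if SCALE.index(ae_residual) < SCALE.index(sub_residual):
        effective = shift(sub_residual, -1)
    return BASE_CYCLE_MONTHS[effective]


def plan_entity(sub_risks: dict, control_env: str, ae_residual: str) -> dict:
    """Return {sub-risk: (residual rating, audit cycle in months)} for one AE."""
    out = {}
    for name, inherent in sub_risks.items():
        r = residual(inherent, control_env)
        out[name] = (r, cycle_months(ae_residual, r))
    return out


# Sub-risk inherent ratings for New Mortgage Lending as shown in the deck;
# the control environment and aggregate AE rating passed below are assumed.
NEW_MORTGAGE_LENDING = {
    "Conduct Risk": "Critical",
    "Credit Risk": "Critical",
    "Operational Risk": "Moderate",
    "IT / Cyber Risk": "High",
}

if __name__ == "__main__":
    for sub, (r, months) in plan_entity(NEW_MORTGAGE_LENDING, "Adequate", "High").items():
        print(f"{sub:18} residual={r:9} cycle={months} months")
```

Re-running `plan_entity` with a "Strong" control environment shows the benefit taken for a positive control environment: every sub-risk drops one notch and its cycle lengthens accordingly.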
Top-down risk assessment
Ø Audit coverage of topics or themes identified from the ‘top-down’ assessment may include specific audit work covering the topic or theme and/or one or more audits identified from the ‘bottom-up’ assessment.
Ø Consider:
• Industry or regulatory hot topics
• Internal or external events
• Business strategy
• Senior management insights
• Third-party challenge sessions
The Audit Plan
Ø Whichever model or combination of models is used, generally:
• higher-risk elements of the audit universe are audited more frequently and to greater depth than lower-risk elements
• a risk-based decision is made as to which auditable entities should be included in the audit plan
• it is not necessary to cover all of the scope areas every year
• judgement is applied as to which areas should be covered in the audit plan, and on the frequency and method of coverage of auditable entities (audit cycle)
• it may be determined that very low-risk activities of the organisation will not be subject to any structured audit coverage
• don’t forget regulatory expectations or requirements for internal audit to undertake specific audit work
Ø Prioritised list of audits for the next planning period (often the next 12 months)
Ø Bring together the top-down and bottom-up analysis; set out common themes and risks
Ø Discuss with business stakeholders
Ø The final audit plan is presented to the Audit Committee.