Segmenting the audit universe Janette Smith Head of

  • Slides: 18
Download presentation
Segmenting the audit universe Janette Smith, Head of Audit, Products, Sales and Servicing, Nationwide

Segmenting the audit universe Janette Smith, Head of Audit, Products, Sales and Servicing, Nationwide Building Society Ian Hersey, Head of Audit Methodology, Lloyds Banking Group

Introduction Ø Key points to consider when preparing and segmenting the audit universe to

Introduction Ø Key points to consider when preparing and segmenting the audit universe to support • Internal Audit’s risk assessment; • the prioritisation of audit activities, and • monitoring of Internal Audit’s coverage of the audit universe.

Segmenting the Audit Universe Ø The audit universe: • comprises of auditable entities; •

Segmenting the Audit Universe Ø The audit universe: • comprises of auditable entities; • is segmented to support audit prioritisation and coverage monitoring; • Is structured to support the risk assessment and audit plan construction; and • should be validated against other sources for completeness. Ø Review the audit universe following material changes in the organisation, and at a minimum on an annual basis.

Segmenting the Audit Universe (Cont. ) Ø Customer Journey - Mortgages Mortgage Advice Customer

Segmenting the Audit Universe (Cont. ) Ø Customer Journey - Mortgages Mortgage Advice Customer take-on KYC Underwriting Fulfilment Servicing Arrears Management Ø Options for auditable entities Ø Mortgages Ø New Lending / Servicing / Arrears Management Ø Each element of customer journey Ø Further segmentation e. g. segment underwriting into BTL / Residential, servicing into granular processes Ø Etc. Ø Number of auditable entities partly driven by preference for the size / scope of audits

Segmenting the Audit Universe (Cont. ) Ø Customer journeys Mortgages Current Accounts General Insurance

Segmenting the Audit Universe (Cont. ) Ø Customer journeys Mortgages Current Accounts General Insurance Life Insurance Ø Number of auditable entities also partly driven by complexity of organisation

Segmenting the Audit Universe (Cont. ) Ø Also segmentation depends on approach to auditing

Segmenting the Audit Universe (Cont. ) Ø Also segmentation depends on approach to auditing functions vs. business processes Finance Business Planning Financial Reporting Regulatory reporting Statutory financial reporting Liquidity reporting Capital planning Ø Also judgment in auditing thematic risks – separate risk assessment / audit vs. coverage in business process. E. g. vulnerable customers – Separate auditable entity, or – Coverage in business processes e. g. arrears management, new lending

Annual Planning – Typical Process

Annual Planning – Typical Process

Bottom-up Risk Assessment Ø Internal Audit’s understanding of the organisation's business activities and the

Bottom-up Risk Assessment Ø Internal Audit’s understanding of the organisation's business activities and the associated risks Ø Applied to each Auditable Entity in the Audit Universe Ø Will consider assessments of: • Inherent risk • Control environment • Residual risk

Inherent Risk Ø Typically considers the impact and likelihood of an event occurring =

Inherent Risk Ø Typically considers the impact and likelihood of an event occurring = overall inherent risk rating for each auditable entity Ø Typically defined as “the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances. ” Ø Can assess in aggregate or at an individual sub-risk level Ø New Mortgage Lending – options: Conduct Risk – Critical Credit Risk Critical Operational Risk – Moderate IT / Cyber Risk – High Calculation Overall Inherent Risk • Or Overall Inherent Risk (impact on customers / regulators, financial impact)

Control Environment Ø Assess control environment Ø Data points: • Previous audit reports •

Control Environment Ø Assess control environment Ø Data points: • Previous audit reports • Other independent data sources e. g. regulatory examinations / external audits • Business / 2 LOD assurance providers • Risk events • Management self assessment etc. Ø Update following relevant audits / validation of management findings Ø Benefit taken in respect of less coverage – AEs with a positive control environment

Residual Risk Ø Potential for override… no model is perfect, has to be scope

Residual Risk Ø Potential for override… no model is perfect, has to be scope for professional judgement Ø Generally formulaic – depending on Inherent Risk and Control Environment Assessment Ø Might look something like this:

Continuous Monitoring Ø Continuous monitoring of key audit risk factors should help to inform

Continuous Monitoring Ø Continuous monitoring of key audit risk factors should help to inform decision making over changes to the audit plan and universe Ø Updated to reflect changes in processes, controls, systems, changes in bus model, regulations, business environment etc. Ø Annual / 6 -monthly / quarterly plan

Coverage Model Ø Consider the risk profile and complexity of the organisation Ø Options

Coverage Model Ø Consider the risk profile and complexity of the organisation Ø Options include: • Cyclical models • Annual prioritised models • Responsive models Ø In all cases the coverage model should be confirmed with the audit committee.

Cyclical Model Ø Cycle generally at the Auditable Entity level Ø Move in FS

Cyclical Model Ø Cycle generally at the Auditable Entity level Ø Move in FS for audit cycles at a risk level within AEs e. g. : • Assess overall residual risk of the AE e. g. AE may be High • Assess residual risk at the sub-risk level e. g. Credit Risk may have a residual risk of Critical • Differential cycle depending on residual risk of the AE and residual risk of the sub-risk e. g. AE High / Sub-risk Critical cycle might be two years

Cyclical Model (Cont. ) Ø Ø Ø Audit cycles vary in practice Typical c.

Cyclical Model (Cont. ) Ø Ø Ø Audit cycles vary in practice Typical c. 12 – 18 months, highest category. 4 – 5 years lowest… UK guidance – principles based US FS guidance give indicative cycles NY Fed ‘common practice for institutions with defined audit cycles is to follow either a three- or four-year audit cycle; high-risk areas should be audited at least every twelve to eighteen months. ’ Ø OCC ‘Some banks follow a four-year audit cycle, with high-risk areas audited every 12 months and low-risk areas every 48 months. ’

Top-down risk assessment Ø Audit coverage of topics or themes identified from the ‘top-down’

Top-down risk assessment Ø Audit coverage of topics or themes identified from the ‘top-down’ assessment may include specific audit work covering the topic or theme and/or one or more audits identified from the ‘bottom-up’ assessment. Ø Consider: • Industry or regulatory hot topics • Internal or external events • Business strategy • Senior management insights • Third party challenge sessions

The Audit Plan Ø Whichever model or combination of models is used, generally: •

The Audit Plan Ø Whichever model or combination of models is used, generally: • higher risk elements of the audit universe are audited more frequently and to greater depth than lower risk elements • risk-based decision as to which auditable entities should be included in the audit plan • not necessary to cover all of the scope areas every year • judgement as to which areas should be covered in the audit plan, and on the frequency and method of coverage of auditable entities (audit cycle) • may determine that very low risk activities of the organisation will not be subject to any structured audit coverage • don’t forget regulatory expectations or requirements for internal audit to undertake specific audit work Ø Prioritised list of audits for the next planning period (often the next 12 months) Ø Bring together the top down and bottom up analysis, set out common themes and risks Ø Discuss with business stakeholders Ø The final audit plan is presented to the Audit Committee.

Q&A ?

Q&A ?

SEGMENTING TARGETING DAN POSITIONING SEGMENTING Indosat Perkuat SegmenSEGMENTING TARGETING DAN POSITIONING SEGMENTING Indosat Perkuat Segmen
AUDIT PLAN AUDIT PROGRAM PROSEDUR AUDIT PERENCANAAN AUDITAUDIT PLAN AUDIT PROGRAM PROSEDUR AUDIT PERENCANAAN AUDIT
AUDIT PLAN AUDIT PROGRAM PROSEDUR AUDIT PERENCANAAN AUDITAUDIT PLAN AUDIT PROGRAM PROSEDUR AUDIT PERENCANAAN AUDIT
The Universe Basic Terms Universe The Universe meansThe Universe Basic Terms Universe The Universe means
HEAD DAT A HEAD 1 DATA 1 HEADHEAD DAT A HEAD 1 DATA 1 HEAD
Head injuries KS 2 Head Injuries Head injuriesHead injuries KS 2 Head Injuries Head injuries
HTML HTML HEAD TITLETITLE HEAD HTML HEAD METAHTML HTML HEAD TITLETITLE HEAD HTML HEAD META
Transformational Leadership HEAD DEPUTY HEAD PASTORAL HEAD OFTransformational Leadership HEAD DEPUTY HEAD PASTORAL HEAD OF
Transformational Leadership HEAD DEPUTY HEAD PASTORAL HEAD OFTransformational Leadership HEAD DEPUTY HEAD PASTORAL HEAD OF
Head Injuries KS 3 Head Injuries Head injuriesHead Injuries KS 3 Head Injuries Head injuries
Managing head lice What are head lice HeadManaging head lice What are head lice Head
Head Injury Head Injury Head injury is aHead Injury Head Injury Head injury is a
Audit Planning Memorandum Audit Planning Memorandum n AuditAudit Planning Memorandum Audit Planning Memorandum n Audit
AUDIT TESTS Audit evidence through Audit Procedures AuditorAUDIT TESTS Audit evidence through Audit Procedures Auditor
Topik 7 Audit Plan Audit Program Audit ProceduresTopik 7 Audit Plan Audit Program Audit Procedures
AUDIT LINGKUNGAN Ardaniah Abbas DEFINISI AUDIT LINGKUNGAN AuditAUDIT LINGKUNGAN Ardaniah Abbas DEFINISI AUDIT LINGKUNGAN Audit
Audit Operasional Pengertian Audit Operasional Audit Operasional adalahAudit Operasional Pengertian Audit Operasional Audit Operasional adalah