
© 2012 MetricStream, Inc. All Rights Reserved.

How to Measure the Value of Your Internal Audit Group

May 17, 2012

Best practices to follow, pitfalls to avoid and success metrics to measure


Agenda

• Strategic challenges: implications for the enterprise
• How to address challenges and add value
• How can technology help?


Organizational Implications of the New Reality

Implications for the organization (strategic to tactical):
• Increasing pace of regulatory changes
• Stringent enforcement
• New global and local regulations
• Differing interpretations
• Convergence in risk management
• Need for greater assurance
• Generating business value
• Increasing volume – BIG DATA
• Increasing complexity of information
• Revealing the opaque
• Need to rationalize
• Simplify to improve facilitation

Operational Risk Management: the new centerpiece of organizational strategy


Divergent Path: Operational Losses & Business Performance

Operational losses (increasing) – loss event categories:
• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products, & Business Practice
• Damage to Physical Assets
• Business Disruption & Systems Failures
• Execution, Delivery, & Process Management

Business performance (decreasing):
• Return on Investment
• Growth Prospects
• Competitive Advantage
• Market Goodwill

Chart labels also read: Increasing Cost of Investment; Reducing Operations.


Strategic Challenges for Internal Audit

• New product development: exposure to new risks
  – Mobile banking and payments, multi-family lending, residential lending and refinancing
• Convergence in risk management
  – Operational, IT, vendor, regulatory, credit, market
• Increasing pace of regulatory changes and related risks
  – Stringent enforcement means financial and strategic impact
  – Information overload and differing interpretations
• Need for greater risk assurance
  – Rating agency, board, investor requirements


The rising cost of Operational Risk

Cost categories and their drivers:
• Compliance Costs: Politics, Law & Regulations, Corporate Governance
• Financial Costs: Continuing Instability, Economic Volatility, Corporate Credit
• Strategic Costs: Concerned Customers, Suspicious Investors, Aggressive Competitors
• Operational Costs: Scarcity of Resources, Adapting Technology, Changing Processes

Threats and risks*:
• UDAAP
• Fair Lending
• National Mortgage Settlement
• Enforcement Actions
• Vendor Management
• Credit Losses
• Incomplete Documentation
• Weak/anemic loan demand
• Late Projects
• Information asymmetry
• Information Security
• Social Media


Implications for the Enterprise

Threats → Risks → Implications for the enterprise

Risks: Compliance Costs, Financial Costs

• UDAAP; National Mortgage Settlement Act
  – Civil money penalties
  – Headline news
• Fair Lending
  – Stock downgrades
  – Re-classify loans to non-accruing
• Enforcement Action; Information Asymmetry
  – Limits dividend payment
  – Hold on M&A
• Social Media
  – Consumer expectations regarding real-time responses
  – Inconsistent data taxonomy


Implications for the Enterprise (continued)

Threats: Credit Losses, Late Projects, Weak/anemic loan demand, Vendor Management, Inadequate documentation, Information Security

Risks: Operational Costs, Strategic Costs

Implications for the enterprise:
• Insufficient tier one capital
• Loss of competitive edge
• De-risking the portfolio to re-set the product portfolio
• Risk assessments, oversight
• Loan buy-backs, hold for servicing
• Maintain trust


Confluence of Operational Risk and Reputational Risk in a Social World

One reflects on the other.

Functions touched by social media: Marketing, Sales, Customer Service, HR, Risk Management
Roles: Chief Communications Officer, Chief Marketing Officer, Chief Risk Officer

• Convergence
• Integration
• Analysis


Operational Losses: Bigger than your calculations

• 1 Operational Loss Incident
• 5.6 Bn personal communication devices
• 2 Bn people connected to the Internet
• 3 Tr interconnected intelligent devices
• 2.9 Mn emails every second
• 20 Hrs of YouTube video uploaded per minute
• 50 Mn tweets per day
• 700 Bn minutes on Facebook per month
• 375 MB household data consumption per day

This implies:
• Word will spread – organizations can no longer hide
• Losses will spill over – reputational impact on future business
• Incidents will be forever – loss incidents will live on forever


How Well Do Organizations Manage These Risks?

Source: PWC Survey Report – 2012 State of Internal Audit


How to address challenges and add value?


Importance of IA’s contribution to monitoring risks

Source: PWC Survey Report – 2012 State of Internal Audit


Risks that receive less attention from internal audit

Source: PWC Survey Report – 2012 State of Internal Audit


Risk areas in which stakeholders and CAEs want/plan to add internal audit capabilities

Source: PWC Survey Report – 2012 State of Internal Audit


Risk-driven Internal Audit System

• Helps align audits with risks and organizational goals
• Helps in identifying critical areas


Integrate Activities with Others

• Transcend organizational silos and establish integrated audit management
• Help align audits with risks and organizational goals
• Help identify all issues, internal as well as external, such as issues related to compliance reporting, regulations, self-assessments etc.
• Enhance collaboration with other assurance functions and senior management


Cross-Organizational GRC Platform

• Develop a common risk & business framework for cross-organizational alignment
• Leverage cross-organization governance, risk & compliance activities
• Identify & mitigate issues across the organization (regulatory, compliance etc.)

Platform components: Enterprise Risk, Internal Audits, Operational Risk, IT Audits, Policy Management, Fraud, Corporate Compliance, SOX, … others …

Shared services: Issue Tracking & Resolution; Library of Organizations, Processes, Controls, Risks, Tests


Communicate Clearly – Specify & Simplify the Facts

Adopt a highly structured & standardized method of reporting audit results:
• Reports should highlight critical information across the organization
• Should provide valuable risk insights and intelligence
• Should provide top-level visibility for CAEs, highlighting key risk areas
• Decision making process should be streamlined and real-time, based on hard facts and data


How Can Technology Help?


Technology Strategy

Chart (axes: Technology vs. Risk Effectiveness) showing the stages: Decentralized Point Solutions; Centralized Repository; Workflow-Based Solutions; Centralized Visibility; Unified Risk Program (reusable library of risks and controls; broad communication across the company).


Universal and Consistent Information Model

• Processes: Process 1, Process 2, Process 3, …
• Risks: Op Risk, IT Risk, Reputation, …
• Areas of Compliance: FSA, FINRA, PCI, ISO, SOX
• Functions: IT, Treasury, Lending, Sales, Marketing
• Controls: Control 1, Control 2, Control 3, …
• Risk Assessments: Risk-Based, Requirement-Based, Business Unit-Based
• Issues: Action Plan, Implement, Monitor
• Business Objectives: Growth, Profitability, Market Share, Services, Quality
• References: Regulation 1, Regulation 2, Standard 1, Standard 2
• Policies/Documents: Policy 1, Procedure 1, Work Instruction 1, …

Foundation: Board Directives | Corporate Governance | Organizational Structure

Comprehensive definition of risk, relating it to business growth and profitability


Information Model supports Audit Planning Process

• Risk Library: Risk 1, Risk 2, Risk 3…
• Auditable Entities (Audit Universe): Business Unit 1, Business Unit 2, Process 1, Process 2, Policy 1, Policy 2, …; shown per Process 1, Process 2, Site 1, Site 2
• Annual Audit Plan: Audit Project 1, Audit Project 2, Audit Project 3…
• Key Risks (per audit project): Risk 1, Risk 3, …
• Audit Project: Tasks & Milestones; Work Paper Documents; Draft & Final Reports; Workflows, Emails & Alerts
• Template Repository: Work Program Template, Checklists, Questionnaires, Control Test Plans…


Manage the Complete Audit Lifecycle

Lifecycle components: Project Management, Active Resource Management, Milestone Tracking, Calendar Control

• Enable a targeted, risk-based audit with consistent analysis & assessment of risks
• Eliminate errors & inconsistencies through standardized data collection
• Powerful reporting and analytics for real-time visibility
• Improve the overall efficiency and productivity

Perform all types of audit-related activity on a single integrated platform.


Things To Look Out For…

Your audit infrastructure must:
• Align business focus on the right set of business risks
• Provide an integrated framework to collate crucial information
• Ensure optimal resource utilization and effectiveness
• Simplify compliance with embedded regulatory content & standards
• Provide real-time business intelligence and risk insights
• Increase collaboration across the enterprise
• Respond to change quickly
• Better justify & manage costs


Succeeding in a Risk-Focused Environment

• Common information model leverages business line risk assessments
• Multiple sites, regulations, functions
• Collaboration driven
• Standardized data collection to eliminate errors and inconsistencies
• Manage compliance, risk and audits as a central function
• Integrated and real-time information flow
• Leveraging internal and external sources
• Decision making and performance management
• Easy access to analytics, with minimal manual work
• Tied to closed-loop remediation and corrective action processes
• Seamless integration between compliance, risk and audit processes


Risk Monitoring and Reporting at Sterling Bank*

Committees:
• Executive Credit & Risk Committee – monitors legal risk
• Governance and Compensation Committee
• Audit Committee
• Credit and Risk Committee

• Committees review their risks and KRIs according to a defined review schedule and report on actions taken to mitigate high residual risks
• ECER reviews key residual risks and action plans
• Board committee receives business risk reports

*Used with permission


About MetricStream

Vision: Integrated Governance, Risk & Compliance (GRC) for Better Business Performance

Solutions
• Audit Management
• Risk Management
• Corporate and Supplier Governance
• Regulatory and Operational Compliance
• Quality Management

Differentiators
• Technology – Enterprise GRC Platform
• Breadth of Solutions – Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com – Largest GRC Portal on the Web
• GRC Consulting & Advisory Services

Governance
• Kleiner Perkins Caufield & Byers (Google, Amazon, Cisco, Genentech)
• Integral Capital Partners
• 650+ employees with strong growth (60% year-on-year)

Partners
• Big 4 – KPMG, PWC, Deloitte, E&Y
• System Integration Firms like Tata Consultancy, TBD Networks
• Associations – SIFMA, IIA, GARP, RMA, NACD, Policy Makers


Thank You

Susan Palm, Vice President, Industry Solutions
MetricStream, Inc.