© 2012 MetricStream, Inc. All Rights Reserved.
How to Measure the Value of Your Internal Audit Group
May 17, 2012
Best practices to follow, pitfalls to avoid and success metrics to measure
Agenda
• Strategic challenges: implications for the enterprise
• How to address challenges and add value
• How technology can help
Organizational Implications of the New Reality
Implications for the organization (strategic and tactical):
• Increasing pace of regulatory changes
• Stringent enforcement
• New global and local regulations
• Differing interpretations
• Convergence in risk management
• Need for greater assurance
• Generating business value
• Increasing volume (big data)
• Increasing complexity of information
• Revealing the opaque
• Need to rationalize
• Simplify to improve facilitation
Operational Risk Management: the new centerpiece of organizational strategy
Divergent Path: Operational Losses & Business Performance
Operational losses (increasing) by event category:
• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products, & Business Practice
• Damage to Physical Assets
• Business Disruption & Systems Failures
• Execution, Delivery, & Process Management
Business performance (increases / decreases):
• Cost of Investment
• Return on Investment
• Growth Prospects
• Competitive Advantage
• Reducing Operations
• Market Goodwill
Strategic Challenges for Internal Audit
• New product development: exposure to new risks
  – Mobile banking and payments, multi-family lending, residential lending and refinancing
• Convergence in risk management
  – Operational, IT, vendor, regulatory, credit, market
• Increasing pace of regulatory changes and related risks
  – Stringent enforcement means financial and strategic impact
  – Information overload and differing interpretations
• Need for greater risk assurance
  – Rating agency, board, investor requirements
The rising cost of Operational Risk
Threats (cost drivers):
• Compliance Costs: politics, law & regulations, corporate governance
• Financial Costs: continuing instability, economic volatility, corporate credit
• Strategic Costs: concerned customers, suspicious investors, aggressive competitors
• Operational Costs: scarcity of resources, adapting technology, changing processes
Risks*:
• UDAAP
• Fair Lending
• National Mortgage Settlement
• Enforcement Actions
• Vendor Management
• Credit Losses
• Incomplete Documentation
• Weak/anemic loan demand
• Late Projects
• Information asymmetry
• Information Security
• Social Media
Implications for the Enterprise (threats → risks → implications)
Threats: Compliance Costs, Financial Costs
Risks: UDAAP, National Mortgage Settlement Act, Fair Lending, Enforcement Action, Information Asymmetry, Social Media
Implications for the enterprise:
• Civil money penalties
• Headline news
• Stock downgrades
• Re-classify loans to non-accruing
• Limits dividend payment
• Hold on M&A
• Consumer expectations regarding real-time responses
• Inconsistent data taxonomy
Implications for the Enterprise (threats → risks → implications)
Threats: Operational Costs, Strategic Costs
Risks: Credit Losses, Late Projects, Weak/anemic loan demand, Vendor Management, Inadequate documentation, Information Security
Implications for the enterprise:
• Insufficient tier one capital
• Loss of competitive edge
• De-risking the portfolio to re-set the product portfolio
• Risk assessments, oversight
• Loan buy-backs, hold for servicing
• Maintain trust
Confluence of Operational Risk and Reputational Risk in a Social World
One reflects on the other.
Functions touched by social media: Marketing, Sales, Customer Service, HR, Risk Management
Owners: Chief Communications Officer, Chief Marketing Officer, Chief Risk Officer
• Convergence
• Integration
• Analysis
Operational Losses: Bigger than your calculations
One operational loss incident, set against:
• 5.6 Bn personal communication devices
• 2 Bn people connected to the Internet
• 3 Tr interconnected intelligent devices
• 2.9 Mn emails every second
• 20 Hrs of YouTube video uploaded per minute
• 50 Mn tweets per day
• 700 Bn minutes on Facebook per month
• 375 MB household data consumption per day
This implies:
• Word will spread: organizations can no longer hide
• Losses will spill over: reputational impact on future business
• Incidents will be forever: loss incidents will live on forever
How Well Do Organizations Manage These Risks?
Source: PWC Survey Report – 2012 State of Internal Audit
Importance of IA's contribution to monitoring risks
Source: PWC Survey Report – 2012 State of Internal Audit
Risks that receive less attention from internal audit
Source: PWC Survey Report – 2012 State of Internal Audit
Risk areas in which stakeholders and CAEs want/plan to add internal audit capabilities
Source: PWC Survey Report – 2012 State of Internal Audit
Risk-driven Internal Audit System
• Helps align audits with risks and organizational goals
• Helps in identifying critical areas
Integrate Activities with Others
• Transcend organizational silos and establish an integrated audit management
• Help align audits with risks and organizational goals
• Help identify all issues, internal as well as external, such as issues related to compliance reporting, regulations, self-assessments etc.
• Enhance collaboration with other assurance functions and senior management
Cross-Organizational GRC Platform
• Develop common risk & business framework for cross-organizational alignment
• Leverage cross-organization governance, risk & compliance activities
• Identify & mitigate issues across the organization (regulatory, compliance etc.)
Platform modules: Enterprise Risk, Internal Audits, Operational Risk, IT Audits, Policy Management, Fraud, Corporate Compliance, SOX, … others …
Shared services: Issue Tracking & Resolution
Shared library: Organizations, Processes, Controls, Risks, Tests
Communicate Clearly – Specify & Simplify the Facts
Adopt a highly structured & standardized method of reporting audit results
• Report should highlight critical information across the organization
• Should provide valuable risk insights and intelligence
• Should provide top-level visibility for CAEs, highlighting key risk areas
• Decision making process should be streamlined and real-time, based on hard facts and data
Technology Strategy
Technology maturity versus risk effectiveness:
• Decentralized Point Solutions
• Centralized Repository
• Centralized Visibility
• Workflow-Based Solutions
• Unified Risk Program: reusable library of risks and controls
• Broad Communication of Company
Universal and Consistent Information Model
Processes:
• Process 1
• Process 2
• Process 3
• ………
Risks:
• Op Risk
• IT Risk
• Reputation
• ………
Areas of Compliance:
• FSA
• FINRA
• PCI
• ISO
• SOX
• …
Functions:
• IT
• Treasury
• Lending
• Sales
• Marketing
• …
Controls:
• Control 1
• Control 2
• Control 3
• ………
Risk Assessments:
• Risk-Based
• Requirement-Based
• Business Unit-Based
Issues:
• Action Plan
• Implement
• Monitor
Business Objectives:
• Growth
• Profitability
• Market Share
• Services
• Quality
References:
• Regulation 1
• Regulation 2
• Standard 1
• Standard 2
• …
Policies/Documents:
• Policy 1
• Procedure 1
• Work Instruction 1
• ………
Foundation: Board Directives | Corporate Governance | Organizational Structure
Comprehensive definition of risk, relating it to business growth and profitability
Information Model supports Audit Planning Process
Risk Library:
• Risk 1
• Risk 2
• Risk 3…
Auditable Entities (Audit Universe):
• Business Unit 1
• Business Unit 2
• Process 1
• Process 2
• Policy 1
• Policy 2
• …
Annual Audit Plan, built from the audit universe (Process 1, Process 2, Site 1, Site 2) and the key risks (Risk 1, Risk 3, …):
• Audit Project 1
• Audit Project 2
• Audit Project 3…
Each Audit Project comprises:
• Tasks & Milestones
• Work Paper Documents
• Draft & Final Reports
• Workflows, Emails & Alerts
Template Repository:
• Work Program Template
• Checklists
• Questionnaires
• Control Test Plans…
Manage the Complete Audit Lifecycle
Capabilities: Project Management | Active Resource Management | Milestone Tracking | Calendar | Control
• Enable a targeted, risk-based audit with consistent analysis & assessment of risks
• Eliminate errors & inconsistencies through standardized data collection
• Powerful reporting and analytics for real-time visibility
• Improve the overall efficiency and productivity
Perform all types of audit-related activity on a single integrated platform.
Things To Look Out For…
Your Audit Infrastructure must…
• Align business focus on the right set of business risks
• Provide an integrated framework to collate crucial information
• Ensure optimal resource utilization and effectiveness
• Simplify compliance with embedded regulatory content & standards
• Provide real-time business intelligence and risk insights
• Increase collaboration across the enterprise
• Respond to change quickly
• Better justify & manage costs
Succeeding in a Risk-Focused Environment
• Common information model leverages business line risk assessments
• Multiple sites, regulations, functions
• Collaboration driven
• Standardized data collection to eliminate errors and inconsistencies
• Manage compliance, risk and audits as a central function
• Integrated and real-time information flow
• Leveraging internal and external sources
• Decision making and performance management
• Easy access to analytics, with minimal manual work
• Tied to a closed-loop remediation and corrective actions process
• Seamless integration between compliance, risk and audit processes
Risk Monitoring and Reporting at Sterling Bank*
Committees: Executive Credit & Risk Committee (ECER; monitors legal risk), Governance and Compensation Committee, Audit Committee, Credit and Risk Committee
• Committees review their risks and KRIs according to a defined review schedule and report on actions taken to mitigate high residual risks
• ECER reviews key residual risks and action plans
• Board committee receives business risk reports
*Used with permission
About MetricStream
Vision: Integrated Governance, Risk & Compliance (GRC) for Better Business Performance
Solutions:
• Audit Management
• Risk Management
• Corporate and Supplier Governance
• Regulatory and Operational Compliance
• Quality Management
Differentiators:
• Technology – Enterprise GRC Platform
• Breadth of Solutions – Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com – Largest GRC Portal on the Web
• GRC Consulting & Advisory Services
Governance:
• Kleiner Perkins Caufield & Byers (Google, Amazon, Cisco, Genentech)
• Integral Capital Partners
• 650+ employees with strong growth (60% year-on-year)
Partners:
• Big 4 – KPMG, PWC, Deloitte, E&Y
• System Integration Firms like Tata Consultancy, TBD Networks
• Associations – SIFMA, IIA, GARP, RMA, NACD, Policy Makers
Thank You
Susan Palm, Vice President, Industry Solutions
MetricStream, Inc.