stress testing conference - finrep 6.23.15

The Role of Internal Audit in Stress Testing
Financial Republic Stress Testing Conference, Miami, FL – June 23, 2015

Upload: robert-fournier

Post on 07-Apr-2017



Disclaimer

This presentation is intended for educational and discussion purposes only and does not replace independent professional judgment.

Statements of fact and opinions expressed are those of the presenter individually and, unless expressly stated to the contrary, are not necessarily the opinion or position of the Bank of the West, BancWest Corporation or BNP Paribas, S.A., Financial Republic, this conference, its cosponsors, or its committees.

The Bank of the West et al. do not endorse or approve, and assume no responsibility for, the content, accuracy or completeness of the information presented.


Agenda

► Traditional Internal Audit Function and 2013 changes

► What the changes have meant for Internal Audit

► Desired regulatory feedback


The traditional audit function and 2013 changes


• While ‘auditing’ has been around for centuries, internal audit, as a profession, was not really established until 1941.

• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• The scope of internal auditing within an organization is broad and may involve topics such as an organization's governance, risk management and management controls over:

1. efficiency/effectiveness of operations,
2. the reliability of financial and management reporting, and
3. compliance with laws and regulations.


How is this done?

Simply put, it involves dividing up the enterprise into “auditable entities”, then, for each entity, determining the risks it encompasses, and then prioritizing the entities by the nature, depth and timing of the needed audit assignments.

In each assignment, or audit, the auditors gain a thorough understanding of the processes in the areas selected for that entity. They then identify the specific risk(s) inherent to each process as well as the specific “controls” that can prevent the risk from materializing or, at least, detect it in a timely manner.

Once these controls are identified, they undergo a series of audit procedures to determine 1) whether they exist, 2) whether they are designed adequately to achieve their objective(s), and 3) whether they are performing/being performed effectively by the system or person responsible.


• How did this change in 2013?

• In January 2013, the FRB issued Amended Interagency Guidance on the Internal Audit Function and its Outsourcing (SR 13-1). The guidance focuses on the characteristics, governance, and operational effectiveness of an institution’s internal audit function, and includes areas of improvement as a result of supervisory experience during and following the recent financial crisis.

• Enhanced Internal Audit Practices: Enhancements that should be incorporated to address lessons learned from the recent financial crisis

• Internal Audit Outsourcing Arrangements: Covers responsibilities of the board of directors and senior management to provide oversight of internal audit outsourcing arrangements.

• Independence Guidance for the Independent Public Accountant: Discusses restrictions on the services of the external auditor.

• Examination Guidance: Discusses the supervisory assessment of an institution’s internal audit function and the ability of examiners to rely on the work performed by internal audit


• Internal Audit Function: Addresses the characteristics, governance, and operational effectiveness of an institution’s internal audit function

  • Objectivity is best served when CAE reports to the CEO. If not, AC needs to document rationale
  • Perform knowledge gap assessment at least annually
  • Auditors generally receive forty hours of training
  • Charter needs to define criteria for outsourcing work to external experts
  • Focus elements for AC reporting
  • Analysis of cross-institutional risk and thematic control issues
  • Risk assessment to include inherent risk analysis, mitigating controls, and residual risk exposure
  • Risk assessment to include written analysis and specific rationale for the overall auditable entity risk score
  • Follow either a three or four year audit cycle, with high-risk areas audited every 12-18 months
  • Written standards for continuous monitoring should be established and results should be documented
  • Audit steps should test adequacy of design and operating effectiveness of control processes
  • Work papers should document the sampling methodology and rationale
  • Compliance with report issuance timeframes should be monitored and reported to AC
  • Evaluation of adverse events – management and internal audit
  • Annual internal quality assessment


• In September 2013, the Federal Reserve published “Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice”, which sets out seven principles that underlie an effective capital adequacy process (CAP), which can be translated to capital management capabilities institutions should consider when developing a robust CAP.

Table 1. Seven principles of an effective capital adequacy process
Source: Federal Reserve « Rope » document

Principle 1: Sound foundational risk management

The BHC has a sound risk-measurement and risk-management infrastructure that supports the identification, measurement, assessment, and control of all material risks arising from its exposures and business activities.

Principle 2: Effective loss-estimation methodologies

The BHC has effective processes for translating risk measures into estimates of potential losses over a range of stressful scenarios and environments and for aggregating those estimated losses across the BHC.

Principle 3: Solid resource-estimation methodologies

The BHC has a clear definition of available capital resources and an effective process for estimating available capital resources (including any projected revenues) over the same range of stressful scenarios and environments used for estimating losses.

Principle 4: Sufficient capital adequacy impact assessment

The BHC has processes for bringing together estimates of losses and capital resources to assess the combined impact on capital adequacy in relation to the BHC’s stated goals for the level and composition of capital.

Principle 5: Comprehensive capital policy and capital planning

The BHC has a comprehensive capital policy and robust capital planning practices for establishing capital goals, determining appropriate capital levels and composition of capital, making decisions about capital actions, and maintaining capital contingency plans.

Principle 6: Robust internal controls

The BHC has robust internal controls governing capital adequacy process components, including policies and procedures; change control; model validation and independent review; comprehensive documentation; and review by internal audit.

Principle 7: Effective governance

The BHC has effective board and senior management oversight of the CAP, including periodic review of the BHC’s risk infrastructure and loss- and resource-estimation methodologies; evaluation of capital goals; assessment of the appropriateness of stressful scenarios considered; regular review of any limitations and uncertainties in all aspects of the CAP; and approval of capital decisions.


Specifically:

Internal audit should play a key role in evaluating internal capital planning and its various components. Audit should perform a review of the full process, not just of the individual components, periodically to ensure that the entire end-to-end process is functioning in accordance with supervisory expectations and with a BHC’s Board's expectations as detailed in approved policies and procedures.

Internal audit should review the manner in which deficiencies are identified, tracked, and remediated. Audit staff should have the appropriate competence and influence to identify and escalate key issues, and the internal audit function should report regularly on the status of all aspects of the capital planning process—including any identified deficiencies related to the BHC’s capital plan—to senior management and the board of directors.


Also in September 2014, the Office of the Comptroller of the Currency (“OCC”) established heightened standards for risk governance frameworks for large national banks. The standards include risk management roles and responsibilities for the internal audit function as noted below:

1. Maintain a complete and current inventory of material processes, product lines, services and functions and assess the risks associated with each, including emerging risks.

2. Establish and adhere to an audit plan that is periodically reviewed and updated to take into account the risk profile, emerging risks, issues, and the frequency with which activities should be audited.

3. Establish and adhere to processes to independently assess the design and effectiveness of the Framework and include a conclusion on compliance with Heightened Standards on at least an annual basis.

4. Establish a quality assurance department that ensures internal audit policies, procedures, and processes comply with applicable regulatory and industry guidance and are updated to reflect emerging risks.

5. Report audit conclusions, material issues, and recommendations carried out under the required audit plan, with the reports identifying root causes of any material issues.

6. Determine the effectiveness of front line units and independent risk management in (self-) identifying and resolving issues in a timely manner.


What the changes have meant to Internal Audit

► Greater emphasis on the Three Lines of Defense operating model

► Evidence end-to-end coverage of the Capital Planning process, understand key process linkages and sustainability of the capital planning process, controls and infrastructure

► Establish continuous monitoring of the Capital Planning process including project and issue management

► Review and challenge the MRA remediation and closure process

► Year-end roll-up report to the Board which provides IA’s aggregate opinion on the effectiveness of controls in the CAP

► Implement an audit staffing strategy to demonstrate effective challenge and influence


End-to-End Coverage

• A few key focus areas:

• Models: when is enough, enough?
  – Should IA re-validate the models?
  – Does IA need its own quants/modeling tools?
  – Should IA build challenger models?

• Data:
  – Should IA look at/test the governance process and stop there?

• Internal Controls:
  – Is IA the tester of the internal controls?
  – What’s the difference between testing the internal controls and having an internal controls framework?
  – When speaking of internal controls, are the expectations solely around processes?


Other expectations of IA

• CONTINUOUS MONITORING
  – Establish continuous monitoring of the Capital Planning processes, including:
    • project management, and
    • issue management.

• MRA REVIEW AND CHALLENGE
  – As noted in SR 13-1, the “reliance” calculus on IA was pre-ordained to place IA into this position – it was not without forethought;
  – Be sure to understand completely management’s mitigation steps and milestones and, if possible, the regulators’ key points for closure;

• YEAR END ROLL-UP
  – Don’t save everything for the last; you will drown.
  – This is the only way to audit, a necessarily point-in-time activity, to a continually developing set of processes and tools.

• STAFFING STRATEGY
  – Be prepared to explain yourself & support your position, identify your gaps and your plans to address these.


Desired regulatory feedback

► Internal Audit has allocated sufficient time within the audit plan to provide coverage over the end-to-end capital adequacy process.

► Core audits are done at least annually with quarterly updates and continuous monitoring of activities, audit findings and regulatory feedback.

► Scope/depth of audits and monitoring is adjusted based on regulatory feedback.

► Internal Audit has a strong process to demonstrate the coverage obtained through the core and non-core audits and how observations within the non-core audits impact its overall opinion for the capital planning process.

► Internal Audit performs a detailed review of all capital adequacy process components and accounts for key process linkages.

► The timing of audits is aligned with the completion of capital planning activities.

► Internal Audit has robust audit programs which provide guidance to the audit team on test steps.

► These audit programs are refreshed and maintained current based on the regulatory expectations and feedback.


► Internal audit attends key committee and effective challenge meetings (as an observer), and reviews meeting minutes and reports used by oversight bodies to evaluate the effective challenge provided.

► The Internal Audit review assesses the sustainability and effectiveness of the capital planning process, controls, data and infrastructure.

► Internal Audit is independent from business units, Risk and Finance and has significant influence within the organization.

► Audits are planned so as to closely follow the key capital planning activities and provide meaningful and timely feedback to process owners.

► Management and employees who are responsible for or influence Internal Audit reviews and findings have the knowledge, skills, and abilities to effectively review the end-to-end capital adequacy process.

► Training and succession programs are fully developed and processes are clearly documented so that key man risk is minimal, if existent.

► Internal Audit procedures and findings are clearly documented and a highly-automated process is in place for monitoring and reporting on identified issues.

► Internal Audit provides timely feedback on the activities carried out by the management to close-out MRIA/MRAs.

► Senior management and the Board are routinely informed of the status of all aspects of the capital planning process (including any identified deficiencies related to the capital plan).


In closing…

► If you are an Internal Auditor:
  – Be sure to know what the regulatory expectations are – of both the business and of you;
  – This work, more than any other, must be fair and balanced – the stakes are too high, intense scrutiny waits for each line of defense;
  – Many moving parts – be prepared; know them all – and how they relate to each other;
  – Real-time auditing – start early; break-up into blocks; follow processes in development before finished;
  – Identify your SME needs early; contracting can be long and competition for resources great;
  – Expectations expand each year – don’t rest on laurels;
  – In reporting, be clear and upfront about limitations, make sure what you cannot do are the right things and they are planned for future coverage. (see also last point below)

► If you are in the Lines of Business or the Supporting or Coordinating groups,
  – Work with your audit team early and often – especially for new and re-developed processes;
  – It’s not a “got ya” exercise; we all fail together;
  – Be open about your year-on-year improvements and your limitations; everyone expects this to be a gradually maturing program – the gaps are, today, what they are; regulatory concern increases if management isn’t aware of them or, worse, hides them.


Questions


Biographical Data


Robert Fournier

• Robert is currently an SVP and the Audit Director for the Inspection Group Enterprise Risk Management team at one of BNP Paribas Group’s North American banks, Bank of the West and its parent, BancWest Corporation.

• As a prior bank examiner with the Office of the Comptroller of the Currency (OCC), this experience helps Inspection ERM understand the regulatory perspective and the experience needed to appropriately frame and supportively challenge the Company’s most senior executives. Robert’s time at the OCC was rewarded with praise from the Deputy Comptroller for his contributions to the agency’s transition to a “Supervision By Risk” approach.

• Time as the Senior Risk Manager for the Americas Regional Treasury at RBS Americas assists in bringing the needed insights into market and liquidity risks, operational processes, and risk and control self-assessments over complex processes and systems.

• Time as the Director, Model Risk Governance at RBS Americas brings the needed insights into model risk management, especially in areas of challenge to the industry – namely model risk quantification for use in the capital adequacy determination, cushions, and buffers as well as an adequate assumption framework, both for modeling itself as well as larger processes that use modeled data, i.e. CCAR.

• Special projects for the CRO at RBS Citizens, which included transitioning to the OCC’s heightened standards as well as serving as a key member in the Bank’s CCAR, risk appetite and Basel working groups, now help Inspection ERM stay focused on the key components of auditing risk management.

• Audit and consulting experiences at Deloitte give Inspection ERM the foundations in quality auditing methods augmented with the consultant’s polish, work ethic and flexibility.

• Robert is a Certified Financial Services Auditor and a member of Global Association of Risk Professionals, Professional Risk Managers International Assoc., Institute of Internal Auditors and the ABA Model Risk Working Group. He may be contacted at (925) 548-8532 or by emailing [email protected].