Internal audit strategic risk assessment and audit planning process Monday, 27th October 2014 Roberto Russo Internal Audit Director – BANCA DEL MEZZOGIORNO – MEDIOCREDITO CENTRALE S.p.A.
Agenda Introduction Audit planning Audit strategy Audit universe Audit coverage
Definition of Internal Auditing Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Audit Mandate MISSION Ensure a constant, independent and objective evaluation of the functionality of internal controls system in order to guarantee: effectiveness and efficiency of business operations, control processes, policies and processes of risk management safeguard the value of the Bank reliability and integrity of financial and operational information Compliance to policies established by the Board/Senior management and external regulations Timely and accurate reporting to the Board/Senior management on adeguacy of the Internal Control System and on the outcomes of audit activities
Audit Mandate MISSION Ensure a constant, independent and objective evaluation of the functionality of internal controls system in order to guarantee: effectiveness and efficiency of business operations, control processes, policies and processes of risk management safeguard the value of the Bank reliability and integrity of financial and operational information Compliance to policies established by the Board/Senior management and external regulations Timely and accurate reporting to the Board/Senior management on adeguacy of the Internal Control System and on the outcomes of audit activities
Audit Cycle Planning Execution Reporting
Audit Planning Strategic plannig Annual Planning Operational planning
Internal Control System Evolution Fraud prevention Internal and ext compliance Risk evaluation and management Governance of change Environment change Strategic complexity
Audit strategy Which is the audit focus? Where the audit activity should be addressed? Where first? Where never? Where sistematically?
Audit Universe Processes Organizational structures IT systems Outsourcers
Audit Universe Business Governance Corporate resources Support Marketing Sales Core business process Governance Risk management Compliance management Budgeting Financial reporting Corporate resources HR IT Procurement Real estate Support Back office Communicationa Legal affairs
«Risk based» approach How risk rise? How risks the are spread through the organization? How and where could they hit ? Are we managing them properly?
Which risks? financial operational market conterparty reputational liquidity interest rate / exchange rate legal/complaince strategic ………
Which risk factors / sources? external regulation economic/financial impact special regulation 231/262 impact outsourced process it complexity / obsolescence claims probability of losses effectiveness of 1° and 2° level controls audit experience audit evalutation …..
Effectiveness of Internal Control system Audit Plan guidelines Risk level Audit priority Number of procesess Very high 1 High 5 Medium/ high 15 Medium 25 low 7 Effectiveness of Internal Control system
Coverage strategy Audit resouces Time elapsed Mandatory constraints Monitoring tools (KRI, data analysis, dashboards…) Effectiveness of compliance and risk management controls