National Supervisors Forum (ILCU: "We look at things differently"). Conducting an Operational Risk Audit. Kevin Loughnane, ILCU Training Department.


Conducting an Operational Risk Audit. Kevin Loughnane, ILCU Training Department. National Supervisors Forum, Westport, Co. Mayo, 5th November 2011.

Purpose of Presentation
To provide supervisors with practical knowledge to assist in conducting an operational risk audit in their credit union.

Overview
- Introduction
- Concept of internal control and operational risk
- Step 1: Identifying risks
- Step 2: Analysing risks
- Step 3: Determining residual risk
- Step 4: Reporting findings to the board
- Closing comments

Categories of Financial Risk
Operational, Liquidity, Market, Credit, Reputational.

Risk Management
The ISO-defined risk management process, and the role of internal audit (the supervisors) within it:
1. Identify the risks
2. Analyse risks
3. Create a response to risk
4. Monitor and review

What are Internal Controls?
Any deliberate measure or plan put in place by the credit union to minimise and/or manage risk.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Discussion: Credit Union Operational Structures. Which of the following is an example of an internal control?
1. The loan application form
2. A fire evacuation procedure
3. An employee's contract of employment
4. Holding a data protection training session for the board
5. Having in place a cash handling procedure for all staff
6. The auditor verifying the annual accounts of the credit union
7. Directors being obliged to declare a conflict of interest
8. Virus protection software
9. A smoke alarm in the kitchen of the credit union

Discussion: Credit Union Operational Structures. Answers: is each of the following an example of an internal control?
1. The loan application form: Yes
2. A fire evacuation procedure: Yes
3. An employee's contract of employment: Yes
4. Holding a data protection training session for the board: Yes
5. Having in place a cash handling procedure for all staff: Yes
6. The auditor verifying the annual accounts of the credit union: Yes
7. Directors being obliged to declare a conflict of interest: Yes
8. Virus protection software: Yes
9. A smoke alarm in the kitchen of the credit union: Yes

Why Conduct an Audit?
Rule: A credit union must establish, maintain and implement a fully documented system of control.
Guidance:
(i) It should be comprehensive.
(ii) ...the system should be cross-referred so that the system can be viewed as a whole.
(iii) It should identify risks, and the controls established to manage those risks.
(v) It should state how the operation of the control is evidenced.
Extract from Section 4.3 of "CRED", FSA guidelines for UK credit unions.

Benefit of Conducting an Audit
Micro. Macro.

Conducting an Audit of Operational Risk
Step 1: Identify operational risk
Step 2: Analyse risks
Step 3: Determine "residual risk"
Step 4: Report findings to the board

Step 1: Identifying Risks
- Must identify the operational risks which could impact upon the credit union.
- Use the six categories of operational risk as a guide.
- No need to analyse at this stage.
- The wording of each risk is important.

Categories of Operational Risk
1. Internal and external fraud (e.g. embezzlement)
2. Employment practices and workplace safety (e.g. sued by an employee for breach of contract)
3. Damage to physical assets (e.g. office damaged due to fire)
4. IT systems and software failures (e.g. loss of records due to database corruption)
5. Business practices and service delivery (e.g. misinforming members on insurance products)
6. Organisational processes (e.g. incomplete documentation relating to a member's loan resulting in an invalid loan contract)

Example: Identifying Risks
1. Internal and External Fraud
- An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
- An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
- An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.
- An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
- A member cashes a number of fraudulent cheques through the credit union, resulting in a significant financial loss.

Step 2: Analysing Risks
This step highlights the risks which pose the greatest threat to the credit union.
- The impact of each risk is scored from 1 to 5.
- The prevalence (likelihood of occurrence) is scored from 1 to 4.
- The two scores are multiplied for each risk to give the risk ranking score.
- Some lower-scoring risks may be excluded from the audit at this point.


Risk Ranking: Fraud (Risk / Score)
1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
A member cashes a number of fraudulent cheques through the credit union, resulting in a significant financial loss.
An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union. 4

Step 3: Determining Residual Risk
This step determines the threat posed by a risk once internal controls have been taken into account.
- Identify all internal controls which correspond to each risk.
- Determine how effective these internal controls are, on a scale from very poor to excellent.
- The risk ranking score is multiplied by the controls' effectiveness to determine the residual risk.

Mapping Internal Controls
Paperwork. Practices. People. Policy / Plan.

Example of IT System Internal Controls
Policy / Plan: IT Security Policy; Business Continuity Plan; Electronic Services Policy.
People: Appointed IT officer, IT committee; IT system providers; Website developers; Staff training on the IT system; Data protection training for CU officers.
Practices: Password security; Virus protection software; Website encryption; Off-site system back-up; Hot site location; Computer encryption.
Paperwork: Manager's report (misuse of CU computers, operational issues); IT committee report (security threats, upgrade requirements); IT system suppliers (new system requirements, regulatory changes).

Example: Evaluating Internal Controls
Risk: Sudden power failure results in the IT system being down for 48 hours.
Policy / Plan. Existing internal controls: Nothing. Gaps / weaknesses identified: Need for a business continuity plan.
People. Existing internal controls: IT Committee, IT system supplier, Board of Directors. Gaps / weaknesses identified: BOD and IT Committee need training on business continuity and its implications for CU operations.
Practices. Existing internal controls: IT system backed up (off-site) every 24 hours. Gaps / weaknesses identified: No procedures for dealing with
Paperwork. Existing internal controls: IT Committee report 6 times a year to the BOD; Manager's report. Gaps / weaknesses identified: IT Committee report must include reference to business continuity measures.

Residual Risk Table
Columns: Risk code; Risk ranking score; Corresponding internal controls; Findings of supervisory committee; Effectiveness of internal controls; Residual risk.
Risk code: 1. Internal & external fraud.
Corresponding internal controls: Section in lending policy dealing with loans to friends / family members. Last year 3 staff members attended training on loan assessment. Loan approval procedure which requires one officer to sign off the application and issue the loan.
Findings of supervisory committee: No specific section of the lending policy deals with connected loans. Lending policy not updated since. No monitoring of approved loans for connected loans / connected individuals. Loan approval procedure only requires one signature, of the manager or treasurer, for loans up to €30,000.
Effectiveness of internal controls: Weak.
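The scoring of Steps 2 and 3 and the residual risk table above, carried through in code as an added example that is not part of the presentation. The scores given to each fraud risk and the numeric weights attached to the "very poor" to "excellent" effectiveness ratings are assumptions made for the example.

```python
# Added example (not from the presentation): a small risk register that carries the
# deck's scoring steps through in code. The per-risk scores and the numeric weights
# for control effectiveness are constructed assumptions.
from dataclasses import dataclass, field

# Step 3 rates controls from "very poor" to "excellent" but gives no numbers; this
# mapping (share of the ranking score that survives the controls) is assumed here.
EFFECTIVENESS_WEIGHT = {
    "very poor": 1.0, "weak": 0.8, "adequate": 0.5, "good": 0.3, "excellent": 0.1,
}

@dataclass
class Risk:
    code: str             # risk code, e.g. "1.2" (category 1 = internal and external fraud)
    description: str
    impact: int           # scored 1..5
    prevalence: int       # likelihood of occurrence, scored 1..4
    controls: list = field(default_factory=list)  # (control, "Policy/Plan" | "People" | ...)
    effectiveness: str = "very poor"              # rating given once controls are evaluated

    def ranking(self) -> int:
        """Step 2: impact x prevalence gives the risk ranking score (1..20)."""
        if not (1 <= self.impact <= 5 and 1 <= self.prevalence <= 4):
            raise ValueError(f"risk {self.code}: score out of range")
        return self.impact * self.prevalence

    def residual(self) -> float:
        """Step 3: ranking score x control effectiveness gives the residual risk."""
        return round(self.ranking() * EFFECTIVENESS_WEIGHT[self.effectiveness], 1)

def audit_scope(risks, threshold):
    """Step 2: keep the risks ranked at or above the threshold, highest first."""
    kept = [r for r in risks if r.ranking() >= threshold]
    return sorted(kept, key=lambda r: r.ranking(), reverse=True)

def report_rows(risks):
    """Step 4: one row per risk for the board report."""
    return [(r.code, r.ranking(), len(r.controls), r.effectiveness, r.residual())
            for r in risks]

# Constructed register using the fraud risks from the deck; scores are assumed.
LENDING_CONTROLS = [
    ("Lending policy section on loans to friends / family", "Policy/Plan"),
    ("Staff training on loan assessment", "People"),
    ("Loan approval procedure: one officer signs off and issues", "Practices"),
]
REGISTER = [
    Risk("1.1", "False loans set up for fictitious members", 5, 2, [], "weak"),
    Risk("1.2", "Connected loans outside the lending policy", 4, 3, LENDING_CONTROLS, "weak"),
    Risk("1.3", "Small cash sums taken from the drawer over months", 2, 4,
         [("Cash handling procedure for all staff", "Practices")], "good"),
    Risk("1.5", "Fraudulent cheques cashed by a member", 3, 1, [], "adequate"),
]
```

Calling `report_rows(audit_scope(REGISTER, 8))` drops risk 1.5 (ranking 3) from the audit and returns the remaining rows highest-ranked first, which is the shape of the table the deck sends to the board.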

Step 4: Reporting Findings to the Board
- It is crucial that findings are clearly communicated to the board.
- The committee's report should include the risk analysis, the evaluation of internal controls and the residual risk.
- It is not the responsibility of the committee to make the changes; that is the responsibility of the board.
- Encourage the board / risk management committee to maintain the documented system of control.

Summary of Key Points
- Must have an understanding of the prevailing risks before internal controls can be assessed.
- An operational risk audit is a key tool for the credit union.
- Use checklists to identify gaps and weaknesses against prevailing risks.
- An evidence-based written report to the board should be compiled.
- Encourage the CU to maintain a documented system of control.

Part II: Developments in the Regulatory Supervision and Auditing of Credit Unions

Evidence of movement towards a risk-based approach in credit unions
"Our risk-based supervision model will mean that our level of engagement will vary depending on the size and impact of each credit union.... The biggest credit unions can expect more engagement from us as a result. Our risk-based approach also means that you can 'earn' a less intense level of supervisory engagement by having a well governed and well run credit union that scores low in terms of risk."
Matthew Elderfield, Financial Regulator. Extract from speech at ILCU AGM 2010.

Evidence of movement towards a risk-based approach in credit unions
"The Monitoring Department scores credit unions on various risk areas (e.g. PEARLS ratios, financials) and these scores are used as part of a risk-based approach to monitoring credit unions, and assigning Monitoring resources (e.g. scheduling of visits by Field Officers and Business Unit Managers)."
Dave Hewson, ILCU Monitoring Department.

Role of the Supervisory Committee in Monitoring Internal Controls
Principle 5: (Credit Unions) should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.
Sound Practices for the Management and Supervision of Operational Risk, 2003, BIS.