Segmenting the audit universe

Presentation on theme: "Segmenting the audit universe"— Presentation transcript:

1 Segmenting the audit universe
Janette to open the meeting. Introduce ourselves: short bios / backgrounds.
Janette Smith, Head of Audit, Products, Sales and Servicing, Nationwide Building Society
Ian Hersey, Head of Audit Methodology, Lloyds Banking Group

2 Introduction
Key points to consider when preparing and segmenting the audit universe to support Internal Audit's risk assessment, the prioritisation of audit activities, and monitoring of Internal Audit's coverage of the audit universe.
The audit universe is built of individual auditable entities (or segments) that make up everything within the organisation that may be subject to internal audit activity.
Paragraph 4 of the Chartered IIA's Guidance on Effective Internal Audit in the Financial Services Sector states: 'In setting its scope, Internal Audit should form its own judgement on how best to segment the audit universe given the structure and risk profile of the organisation.' And: 'In setting out its priorities and deciding where to carry out more detailed work, Internal Audit should focus on the areas where it considers risks to be higher.'
The audit universe should enable the internal audit function, through the delivery of audit work, to form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and to assess how effectively these risks are being managed.

3 Segmenting the Audit Universe
The audit universe:
- comprises auditable entities;
- is segmented to support audit prioritisation and coverage monitoring;
- is structured to support the risk assessment and audit plan construction; and
- should be validated against other sources for completeness.
Review the audit universe following material changes in the organisation, and at a minimum on an annual basis.
Auditable entities are the legal entities, regulatory entities, jurisdictions, processes, business lines, products and functions that together comprise the set of auditable entities in an organisation.
Validate completeness against other sources, such as finance records, cost centres, HR organisation structures or other lists of the organisation's departments.
Internal Audit may use an organisational model developed by other areas of the organisation, but must ensure that the model is complete and is structured in such a way as to support its risk assessment and audit plan construction.
Review the construction of the audit universe following material changes in the organisation, such as new business areas or products, and at a minimum on an annual basis, to ensure that the universe continues to reflect the organisation.

4 Segmenting the Audit Universe (Cont.)
Customer journey, Mortgages: Mortgage Advice / Customer take-on / KYC / Underwriting / Fulfilment / Servicing / Arrears Management
Options for auditable entities:
- Mortgages as a single entity
- New Lending / Servicing / Arrears Management
- Each element of the customer journey
- Further segmentation, e.g. segment underwriting into BTL / Residential, servicing into granular processes, etc.
The number of auditable entities is partly driven by the preference for the size / scope of audits. The internal audit function's approach to audits will also help dictate the number of auditable entities: if there is a preference for larger-scope audits then fewer auditable entities may be more appropriate; if audits are usually smaller, more focussed pieces of work then more entities may be appropriate.
Walk through example.

5 Segmenting the Audit Universe (Cont.)
Customer journeys: Mortgages / Current Accounts / General Insurance / Life Insurance
The number of auditable entities is also partly driven by the complexity of the organisation. A more complex organisation with, for example, multiple business lines or entities may require a higher number of auditable entities to cover the full extent of the organisation. A smaller, simpler organisation may require fewer auditable entities.
Walk through example.

6 Segmenting the Audit Universe (Cont.)
Segmentation also depends on the approach to auditing functions vs. business processes. Example, the Finance function: Financial Reporting and Business Planning, with processes such as statutory financial reporting, regulatory reporting, liquidity reporting, capital reporting and capital planning. Potentially audit functions (with more than one business process) vs. the purist approach of 1 audit = 1 business process.
Judgement is also needed in auditing thematic risks: a separate risk assessment / audit vs. coverage within business process audits. E.g. vulnerable customers: a separate auditable entity, or coverage in business process audits such as arrears management and new lending.
Walk through example. Thematic risks vs. embedded in business process audits: vulnerable customers was an FCA focus area; the bank / building society response was a separate policy and workstreams, and the audit response was to audit thematically. Now a BAU audit as part of the business process.

7 Annual Planning – Typical Process
Run through the typical planning process. Briefly describe top-down and bottom-up… the key is both internal and external review and challenge.

8 Bottom-up Risk Assessment
Internal Audit's understanding of the organisation's business activities and the associated risks, applied to each Auditable Entity in the Audit Universe. Will consider assessments of:
- Inherent risk
- Control environment
- Residual risk
Discuss methods: one assessment for each auditable entity, or assess each risk associated with each entity ('risk nodes').
The risk assessment should:
- analyse the key risks applicable to each of the auditable entities, and may also include an assessment of second line risk functions within the organisation;
- consider thematic control issues, risk tolerance, and governance within the organisation;
- include third parties involved in a process or control which mitigates risk, considered in the same amount of detail as if the process or control were internal to the organisation;
- identify thematic control issues which are common across different auditable entities;
- be documented and supported with an analysis of risks, including the dates and results of previous audits and any open issues raised in previous audits;
- represent an independent view, informed but not determined by the views of management and the risk function. So, for example, the results of a review by a Second Line function may be considered as part of the risk assessment but should not be the only input to it.
Risk assessments typically will be completed with regard to the impact and likelihood of an event occurring in order to produce an overall inherent risk rating for each auditable entity. The results of risk ratings should be summarised with consideration of business performance, risk indicators, control effectiveness, prior audit results and open audit issues to identify the residual risk for each auditable entity.
The risk assessment is a 'live' document, updated on a regular basis (at least annually, although more often is recommended) to reflect changes to processes, controls, systems, the business model, and laws and regulations.
Further, changes in the business environment and/or market conditions may also require re-assessment of the risks the business is exposed to. When the risk assessment shows a change in risk for an auditable entity, planned audit coverage should be reviewed to determine whether the current planned coverage should be increased or decreased to address the revised assessment of risk. Additional audit coverage would be expected in business activities that present the highest risk to the organisation.
Continuous monitoring of key audit risk factors (as determined by the internal audit team) should help to inform decision making over changes to the audit plan and universe as they occur. Utilise data analytics where appropriate to provide information on key trends and metrics for larger data sets. Monitoring may include management reporting, metrics, periodic audit summaries, and updated risk assessments to substantiate that the process is operating as designed. Critical issues identified through the monitoring process should be communicated to the audit committee.

9 Inherent Risk
Typically considers the impact and likelihood of an event occurring, giving an overall inherent risk rating for each auditable entity.
Typically defined as "the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances."
Can be assessed in aggregate or at an individual sub-risk level. New Mortgage Lending, options:
- Overall Inherent Risk (impact on customers / regulators, financial impact); or
- Credit Risk – Critical; Conduct Risk – Critical; Operational Risk – Moderate; IT / Cyber Risk – High; calculation gives Overall Inherent Risk
Discuss methods: one assessment for each auditable entity, or assess each risk associated with each entity.
Walkthrough example: assessment at a sub-risk level vs. an overall IR assessment.

10 Control Environment
Assess the control environment. Data points:
- Previous audit reports
- Other independent data sources, e.g. regulatory examinations / external audits
- Business / 2LOD assurance providers
- Risk events
- Management self-assessment, etc.
Update following relevant audits / validation of management findings.
Benefit taken in respect of less coverage for AEs with a positive control environment.

11 Residual Risk
Generally formulaic, depending on the Inherent Risk and Control Environment assessment. Might look something like this:
Potential for override: no model is perfect, so there has to be scope for professional judgement.
Key concept: for a well-controlled environment, a reduction in the criticality of the inherent risk. Allows benefit to be taken for a positive control environment.

12 Continuous Monitoring
Continuous monitoring of key audit risk factors should help to inform decision making over changes to the audit plan and universe.
Updated to reflect changes in processes, controls, systems, business model, regulations, business environment, etc.
Annual / 6-monthly / quarterly plan.

13 Coverage Model
Consider the risk profile and complexity of the organisation. Options include:
- Cyclical models
- Annual prioritised models
- Responsive models
In all cases the coverage model should be confirmed with the audit committee.
The internal audit function should determine a coverage strategy suitable to the risk profile and complexity of the organisation it audits. The coverage model should be documented and presented to the audit committee. Internal audit functions will generally operate coverage models including some or all of the following types:
- Cyclical models that establish an audit cycle based on an assessment of the inherent risk and control environment of the auditable entities or their constituent elements (e.g. processes or risks). For example, higher risk-rated auditable entities may be subject to an annual audit, medium risk-rated entities to an audit every two or three years, and lower risk-rated entities to an audit every four years.
- Annual prioritised models that assess the highest audit need, incorporating time since last audit. In this scenario, only those entities with the highest residual risk would be covered each year.
- Responsive models that assess audit need and adapt planned coverage on a frequent / ongoing basis. There is no defined audit cycle; judgement is used to determine audit coverage.

14 Cyclical Model
Cycle generally at the Auditable Entity level. There is a move in FS towards audit cycles at a risk level within AEs, e.g.:
- Assess the overall residual risk of the AE, e.g. the AE may be High
- Assess residual risk at the sub-risk level, e.g. Credit Risk may have a residual risk of Critical
- Differential cycle depending on the residual risk of the AE and the residual risk of the sub-risk, e.g. AE High / sub-risk Critical cycle might be two years
Cycles are typically at an AE level. Don't name, but one UK bank's cycles are determined by overall residual risk and the risk of the sub-risk within that. Assessing residual risk at the risk level can be a challenge: it needs a level of data that enables a meaningful assessment.

15 Cyclical Model (Cont.)
Audit cycles vary in practice. Typically c.12 – 18 months for the highest category, 4 – 5 years for the lowest.
UK guidance is principles-based; US FS guidance gives indicative cycles:
- NY Fed: 'common practice for institutions with defined audit cycles is to follow either a three- or four-year audit cycle; high-risk areas should be audited at least every twelve to eighteen months.'
- OCC: 'Some banks follow a four-year audit cycle, with high-risk areas audited every 12 months and low-risk areas every 48 months.'
Key point: the areas of highest risk are audited more frequently.
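The scoring chain described across the Inherent Risk, Residual Risk and Cyclical Model slides (sub-risk inherent ratings aggregated to an overall inherent rating, a formulaic residual rating derived from inherent risk and the control environment with a documented professional-judgement override, and a cycle length driven by residual risk) can be exercised in code. The following is an added example and is not part of the presentation, nor the model of either speaker's organisation: the rating scales, the residual-risk matrix, the weakest-link aggregation rule, the cycle lengths and the sample auditable entities are all assumptions constructed for illustration.

```python
"""Added example: a minimal risk-scoring model for an audit universe.

Not from the original presentation. Rating scales, the residual-risk matrix,
the aggregation rule and the cycle lengths are assumptions; a real function
calibrates its own and confirms the coverage model with the audit committee.
The auditable entities below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed ordinal scale for inherent and residual risk, lowest to highest.
RATINGS = ["Low", "Moderate", "High", "Critical"]

# Assumed control-environment scale.
CONTROLS = ["Weak", "Adequate", "Strong"]

# Assumed residual-risk matrix: rows = inherent rating, columns = control environment.
# A stronger control environment steps the rating down; the model never rates
# residual risk above inherent risk (benefit is only ever taken, never added).
RESIDUAL_MATRIX = {
    "Critical": {"Weak": "Critical", "Adequate": "High",     "Strong": "Moderate"},
    "High":     {"Weak": "High",     "Adequate": "Moderate", "Strong": "Low"},
    "Moderate": {"Weak": "Moderate", "Adequate": "Low",      "Strong": "Low"},
    "Low":      {"Weak": "Low",      "Adequate": "Low",      "Strong": "Low"},
}

# Assumed cyclical coverage model: residual rating -> maximum months between audits.
CYCLE_MONTHS = {"Critical": 12, "High": 18, "Moderate": 36, "Low": 48}


@dataclass
class AuditableEntity:
    name: str
    sub_risks: Dict[str, str]          # e.g. {"Credit": "Critical", "Conduct": "High"}
    control_environment: str           # one of CONTROLS
    months_since_last_audit: int
    override: Optional[str] = None     # professional-judgement override of residual rating
    override_reason: str = ""          # must be recorded when an override is used


def overall_inherent_risk(sub_risks: Dict[str, str]) -> str:
    """Aggregate sub-risk ratings to one inherent rating.

    Assumed weakest-link rule: the entity takes its highest sub-risk rating,
    so a single Critical sub-risk makes the entity Critical overall.
    """
    return max(sub_risks.values(), key=RATINGS.index)


def residual_risk(inherent: str, control_environment: str) -> str:
    """Formulaic residual rating from the assumed matrix."""
    return RESIDUAL_MATRIX[inherent][control_environment]


def assess(entity: AuditableEntity) -> Tuple[str, str, str]:
    """Return (inherent, residual, source), source being 'model' or 'override'.

    An override replaces the formulaic rating but is rejected without a reason,
    so every departure from the model is visible to the audit committee.
    """
    inherent = overall_inherent_risk(entity.sub_risks)
    formulaic = residual_risk(inherent, entity.control_environment)
    if entity.override:
        if not entity.override_reason:
            raise ValueError(f"{entity.name}: override requires a documented reason")
        return inherent, entity.override, "override"
    return inherent, formulaic, "model"


def audit_due(entity: AuditableEntity) -> bool:
    """True when the cycle for the entity's residual rating has elapsed."""
    _, residual, _ = assess(entity)
    return entity.months_since_last_audit >= CYCLE_MONTHS[residual]


def prioritise(universe):
    """Order entities for the plan: overdue first, then highest residual risk,
    then longest time since last audit."""
    def key(e):
        _, residual, _ = assess(e)
        return (not audit_due(e), -RATINGS.index(residual), -e.months_since_last_audit)
    return sorted(universe, key=key)


# Constructed sample universe (not real data).
UNIVERSE = [
    AuditableEntity("New Mortgage Lending",
                    {"Credit": "Critical", "Conduct": "Critical",
                     "Operational": "Moderate", "IT/Cyber": "High"}, "Adequate", 14),
    AuditableEntity("Arrears Management",
                    {"Conduct": "High", "Operational": "Moderate"}, "Strong", 30),
    AuditableEntity("Liquidity Reporting",
                    {"Regulatory": "High", "Operational": "Moderate"}, "Weak", 6),
    AuditableEntity("Business Planning", {"Operational": "Low"}, "Adequate", 40,
                    override="Moderate",
                    override_reason="New planning system introduced this year"),
]

if __name__ == "__main__":
    for e in prioritise(UNIVERSE):
        inh, res, src = assess(e)
        print(f"{e.name:22} inherent={inh:8} control={e.control_environment:8} "
              f"residual={res:8} ({src}) due={'yes' if audit_due(e) else 'no'}")
```

Business Planning shows why the override path matters: on the matrix alone it rates Low and sits inside a 48-month cycle, but the recorded judgement lifts it to Moderate, which makes it overdue at 40 months and puts it at the top of the list. Calibrating the matrix and the cycle lengths is a policy choice for the function and, as the slides say, should be confirmed with the audit committee.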

16 Top-down risk assessment
Consider:
- Industry or regulatory hot topics
- Internal or external events
- Business strategy
- Senior management insights
- Third party challenge sessions
In addition to using the results of the audit universe risk assessment to determine its audit plan, consideration should be given to using a 'top-down' assessment to ensure that, at a high level, the audit plan focuses on, and is aligned to, the organisation's objectives, key risks, and external business and regulatory challenges, and recognises emerging risks. This means identifying potential risks, themes and topics that present the highest risk to the organisation based on industry or regulatory hot topics, internal or external events, and other information that is available.
Audit coverage of topics or themes identified from the 'top-down' assessment may include specific audit work covering the topic or theme and/or one or more audits identified from the 'bottom-up' assessment.

17 The Audit Plan
Whichever model or combination of models is used, generally:
- higher risk elements of the audit universe are audited more frequently and to greater depth than lower risk elements;
- a risk-based decision is made as to which auditable entities within scope should be included in the audit plan; it is not necessary to cover all of the scope areas every year;
- judgement is applied as to which areas should be covered in the audit plan, and on the frequency and method of coverage of auditable entities (audit cycle);
- those auditable entities that have the highest risk, and those that have not been subject to audit activity for a pre-determined period, should be included in the audit plan;
- some internal audit functions may determine that very low risk activities of the organisation will not be subject to any structured audit coverage;
- don't forget regulatory expectations or requirements for internal audit to undertake specific audit work; these topics would typically be included in the audit plan regardless of the results of the risk assessment.
The output is a prioritised list of audits for the next planning period (often the next 12 months, but some audit functions use different timelines), bringing together the top-down and bottom-up analysis and setting out common themes and risks and internal audit's proposed audit coverage in response.
Discuss with business stakeholders with the purpose of obtaining their feedback on the plan and providing a check on its alignment with management's view of major risks. While final approval of the plan lies with the audit committee, internal audit should ensure that management's views are understood and any differences in viewpoints as to priorities are clearly explained. A final audit plan is then produced for presentation to the audit committee.

18 Q&A
