National Supervisors Forum: We Look at Things Differently. Conducting an Operational Risk Audit. Kevin Loughnane, ILCU Training Department.

1 Conducting an Operational Risk Audit
Kevin Loughnane, ILCU Training Department
National Supervisors Forum, Westport, Co. Mayo, 5th November 2011

2 Purpose of Presentation
To provide supervisors with practical knowledge to assist in conducting an operational risk audit in their credit union.

3 Overview
Topic:
- Introduction
- Concept of internal control & operational risk
- Step 1: Identifying risks
- Step 2: Analysing risks
- Step 3: Determining residual risk
- Step 4: Reporting findings to the board
- Closing comments

4 Categories of Financial Risk
- Operational
- Liquidity
- Market
- Credit
- Reputational

5 Risk Management
ISO, Defined Risk Management Process
Role of Internal Audit (Supervisors)
1. Identify the risks
2. Analyse risks
3. Create response to risk
4. Monitor & review

6 What are Internal Controls?
Any deliberate measure or plan put in place by the credit union to minimise and/or manage risk.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

7 Discussion
Credit Union Operational Structures: Example of an Internal Control?
1. The loan application form
2. A fire evacuation procedure
3. An employee’s contract of employment
4. Holding a data protection training session for the board
5. Having in place a cash handling procedure for all staff
6. The auditor verifying the annual accounts of the credit union
7. Directors being obliged to declare a conflict of interest
8. Virus protection software
9. A smoke alarm in the kitchen of the credit union

8 Discussion
Credit Union Operational Structures: Example of an Internal Control?
1. The loan application form: Yes
2. A fire evacuation procedure: Yes
3. An employee’s contract of employment: Yes
4. Holding a data protection training session for the board: Yes
5. Having in place a cash handling procedure for all staff: Yes
6. The auditor verifying the annual accounts of the credit union: Yes
7. Directors being obliged to declare a conflict of interest: Yes
8. Virus protection software: Yes
9. A smoke alarm in the kitchen of the credit union: Yes

9 Why Conduct an Audit?
Rule: A credit union must establish, maintain and implement a fully documented system of control.
Guidance:
(i) It should be comprehensive
(ii) …the system should be cross referred so that the system can be viewed as a whole.
(iii) It should identify risks, and the controls established to manage those risks.
(v) It should state how the operation of the control is evidenced.
Extract from Section 4.3 of “CRED”, FSA guidelines for UK credit unions

10 Benefit of Conducting an Audit
- Micro
- Macro

11 Conducting an Audit of Operational Risk
Step 1: Identify operational risk
Step 2: Analyse risks
Step 3: Determine “residual risk”
Step 4: Report findings to board

12 Step 1: Identifying Risks
- Must identify operational risks which could impact upon the credit union
- Use the six categories of operational risk as a guide
- No need to analyse at this stage
- Wording of each risk is important

13 Categories of Operational Risk
1. Internal and external fraud - (embezzlement)
2. Employment practices and workplace safety - (sued by employee for breach of contract)
3. Damage to physical assets - (office damaged due to fire)
4. IT systems and software failures - (loss of records due to database corruption)
5. Business practices & service delivery - (misinforming members on insurance products)
6. Organisational processes - (incomplete documentation relating to a member’s loan resulting in invalid loan contract)

14 Example: Identifying Risks
1. Internal and External Fraud
- An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
- An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
- An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.
- An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
- A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.

15 Step 2: Analysing Risks
- This step will highlight the risks which pose the biggest risk to the credit union.
- The impact of each risk is scored from 1 to 5.
- The prevalence (likelihood of occurrence) is scored 1 to 4.
- Both scores are multiplied for each risk to get the risk ranking score.
- Some lower scoring risks may be excluded from the audit at this point.

18 Risk Ranking – Fraud
Risk (Score)
1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union. (Score: 12)
1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss. (Score: 12)
1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account. (Score: 8)
1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members. (Score: 4)
1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union. (Score: 4)

19 Step 3: Determining Residual Risk
- This step will determine the threat posed by a risk once internal controls have been considered.
- Must identify all internal controls which correspond to each risk.
- Determine how effective these internal controls are – very poor to excellent.
- Risk ranking score is multiplied by the controls’ effectiveness to determine the residual risk.

20 Mapping Internal Controls
- Paperwork
- Practices
- People
- Policy / Plan

21 Example of IT System Internal Controls
Policy / Plan
- IT Security Policy
- Business Continuity Plan
- Electronic Services Policy
People
- Appointed IT officer, IT committee
- IT System providers
- Website Developers
- Staff training on IT system
- Data protection training for CU officers
Practices
- Password security
- Virus protection software
- Website encryption
- Off-site system back-up
- Hot site location
- Computer encryption
Paperwork
- Managers report – misuse of CU computers, operational issues
- IT committee report – Security threats, upgrade requirements
- IT system suppliers – new system requirements, regulatory changes

22 Example: Evaluating Internal Controls
Risk: Sudden power failure results in IT system being down for 48 hours
Policy / Plan
  Existing internal controls: Nothing
  Gaps / weaknesses identified: Need for business continuity plan
People
  Existing internal controls: IT Committee, IT system supplier, Board of Directors
  Gaps / weaknesses identified: BOD & IT Committee: training on business continuity and implications for CU operations.
Practices
  Existing internal controls: IT system backed up (off-site) every 24 hours.
  Gaps / weaknesses identified: No procedures for dealing with
Paperwork
  Existing internal controls: IT Committee report 6 times a year to the BOD. Manager’s report
  Gaps / weaknesses identified: IT Committee report must include reference to business continuity measures

23 1. Internal & external fraud
Risk code: 1.2
Risk ranking score: 12
Corresponding int. controls:
- Section in lending policy dealing with loans to friends / family members.
- Last year 3 staff members attended training on loan assessment.
- Loan approval procedure which requires one officer to sign off application and issue loan.
Findings of supervisory committee:
- No specific section of lending policy dealing with connected loans.
- Lending policy not updated since 2009.
- No monitoring of approved loans for connected loans / connected individuals.
- Loan approval procedure only requires one signature of manager or treasurer for loans up to €30,000.
Effectiveness of internal controls: Weak (0.8)
Residual risk: 9.6

24 Step 4: Reporting findings to the board
- Crucial that findings are clearly communicated to the board.
- Committee should include risk analysis, evaluation of internal controls and residual risk.
- Not the responsibility of the committee to make the changes – responsibility of the board.
- Encourage the board / risk management committee to maintain the documented system of control.

25 Summary of Key Points
- Must have understanding of prevailing risks before internal controls can be assessed
- An operational risk audit is a key tool for the credit union
- Use checklists to identify gaps and weaknesses against prevailing risks
- An evidence-based written report to the board should be compiled
- Encourage CU to maintain a documented system of control

26 Part II: Developments in the Regulatory Supervision and Auditing of Credit Unions

27 Evidence of movement towards a risk-based approach in credit unions
“Our risk-based supervision model will mean that our level of engagement will vary depending on the size and impact of each credit union…. The biggest credit unions can expect more engagement from us as a result. Our risk-based approach also means that you can “earn” a less intense level of supervisory engagement by having a well governed and well run credit union that scores low in terms of risk.”
Matthew Elderfield, Financial Regulator
Extract from Speech at ILCU AGM 2010.

28 Evidence of movement towards a risk-based approach in credit unions
“The Monitoring Department scores credit unions on various risk areas (e.g. PEARLS ratios, financials) and these scores are used as part of a risk-based approach to monitoring credit unions, and assigning Monitoring resources (e.g. scheduling of visits by Field Officers and Business Unit Managers).”
Dave Hewson, ILCU Monitoring Department

29 Role of Supervisory Committee in Monitoring Internal Controls
Principle 5: (Credit Unions) should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.
Sound Practices for the Management and Supervision of Operational Risk, 2003, BIS

