FINANCIAL SERVICES VOLUNTEER CORPS - PowerPoint PPT Presentation

Description:

FINANCIAL SERVICES VOLUNTEER CORPS: Developing Examiner Guidelines for Evaluating Commercial Bank Internal Control (Internal Audit Exam Review), Banque d'Algerie (BdA)


Transcript and Presenter's Notes

1
FINANCIAL SERVICES VOLUNTEER CORPS
  • Developing Examiner Guidelines for Evaluating
  • Commercial Bank Internal Control
  • (Internal Audit Exam Review)
  • Banque d'Algerie (BdA)
  • June 14-18, 2009
  • Presented by
  • Robert Lyon, Retired Credit Risk Officer FRB

2
Internal Audit Examiner Review
  • Review Audit Committee Charter
  • Review Audit structure and Reporting
  • Assess skills of Audit Committee and audit staff
  • Assess independence of Committee and audit staff
  • Review Audit Committee Activities
  • Agenda
  • Minutes
  • Reports to Board

3
Examiner Review (continued)
  • Review Internal Audit performance to plan
  • Determine adequacy of audit coverage
  • Review audit manuals and internal control
    questionnaires
  • Review risk assessments and audit plan
  • Review a sample of audit reports and workpapers
  • Review all internal audit reports since prior
    exam
  • Management responses
  • Significant open issues

4
Examiner Review - Audit Committee Guidance
  • Majority should be independent of management
  • Ensure that the internal audit function reports
    to the Governing Board
  • Members should have appropriate backgrounds

5
Examiner Review - Audit Function Independence
  • Functionally segregated from operations
  • Board or Audit Committee should review salary and
    performance of internal audit
  • Determine Committee review of audit findings and
    frequency
  • Review minutes of Audit Committee and responses
    thereto
  • Ensure appropriate limits or prohibitions on
    auditor borrowings

6
Examiner Review - Is the Audit Department
adequately staffed?
  • Qualifications of staff, education and experience
  • Evaluate ability to communicate and relate
  • Are staff experienced in specialized areas?
  • MIS, capital markets, trust, fiduciary
  • Evaluate the audit training program
  • Assess the level of turnover and vacancies

7
Examiner review of Internal Control Systems
  • Evaluate Code of Conduct
  • Evaluate Conflict of Interest
  • Evaluate commitment to integrity and ethical
    values
  • Evaluate reporting relationships
  • Evaluate the provision of information
  • Does it facilitate monitoring of objectives
  • Detail financial position and operating results

8
Characteristics of a Strong Audit Committee
  • Includes outside directors
  • Packages allow it to monitor audit effectiveness
  • Approves deviations from plan
  • Can request additional or follow-up audits
  • Approves any special projects requested by
    internal audit
  • Meets with the internal audit without management
  • Has authority and funding to engage consultants
  • Reviews and approves risk assessments

9
Examination Red Flags related to Internal Audit
Activities
  • Staffing is inadequate; key skills missing
  • Training is inadequate
  • Audit Program scope and procedures incomplete
  • Risk assessment coverage is inadequate
  • Process lacks completeness
  • Rating system is unevenly applied
  • Limited or no transaction testing
  • Communication of issues is poor or incomplete
  • Issues not ranked
  • Accountability not established
  • Focus is on technology versus people and
    processes

10
Examination Red Flags Related to Internal Controls
  • Data integrity is poor or inconsistent
  • Segregation of duties or dual control lacking
  • Continuity planning is inadequate
  • Systems access is excessive and beyond business
    needs
  • Monitoring is weak, absent, or lacks independence
  • Personnel issues
  • Chronic staff shortages and vacancies in key
    areas
  • Hiring and background checking processes weak
  • Incentive pay not performance based

11
Traditional Process
  • Point-in-time Surprise Entry
  • No reliance on internal audit
  • Revalidation of the balance sheet and income
    statement - lots of tables and numbers
  • Heavy Compliance emphasis with regulations
  • Significant transaction testing
  • Reviewed a large percentage of loans

12
Elements of Change occurred
  • Still point in time, but
  • More emphasis on internal controls
  • Report format still rigid, but less tables
  • Still heavy loan orientation, but added
  • Liquidity analysis
  • Interest rate sensitivity

13
Evolution of Examination Process
  • Heavy reliance on bank's internal controls/risk
    management systems
  • Continuous supervision/risk assessment
  • Customized examination plan
  • Focused approach is
  • More effective and efficient
  • Reduces regulatory burden

14
Risk-focused Examination Principles
  • Encourage strong risk management practices in
    banks
  • Tailor supervisory plan to individual bank risks
  • Early warning system
  • Don't repeat what has already been performed by
    reliable sources

15
Risk-Focused Process
  • Community Bank Supervision
  • Annual on-site examinations and quarterly
    meetings with bank management
  • Large Complex Bank Supervision
  • Examiners assigned full time to institution with
    heavy emphasis on continuous monitoring plus a
    series of target examinations

16
Steps in the Process
  • Develop an approach appropriate to the
    institution
  • Develop a standard set of documents to describe
    the institution and document the examination
    approach

17
Examination Timeline
  • [Timeline diagram. Labels: Off-Site; Individual Profile;
    Supervisory Plan; Risk Assessment; Off-Site; Scope Memo;
    Entry Letter; On-Site Review; Follow up Monitor;
    Transaction Testing; Analysis; Discussions]

18
The Risk-Focused Exam Process
  • Understanding the Institution and Information
    Gathering
  • Assessing Institutional Risk by Evaluating Risks
    and Risk Control Systems
  • Determining Supervisory Work
  • Defining Examination Activities
  • Customizing Information Requests for the On-site
    Examination
  • Institutional Profile
  • Risk Matrix and Risk Assessment
  • Supervisory Plan / Examination Program
  • Scope Memorandum
  • Entry Letter

19
The Risk-Focused Exam Process
  • Performing On-site Examination
  • Reporting Examination Findings
  • Conducting Ongoing Off-Site Supervision
  • Use of Examination Modules, Work paper Program
  • Examination report or other summary documents;
    Exit Meetings with Management and/or Board
  • Updating Risk-Focused Documents; Surveillance and
    Monitoring; Management meetings

20
Risk Categories - Inherent Risk
  • Credit
  • Market
  • Liquidity
  • Operational
  • Legal
  • Reputational

21
Inherent Risk
  • The level of risk that is present in business
    activities conducted by a bank
  • The inherent risk involved in that activity
    should be described as
  • High
  • Moderate, or
  • Low

22
High Inherent Risk
  • High inherent risk exists where the activity is
    significant or positions are large in relation to
    the institution's resources or to its peer group,
    where there are a substantial number of
    transactions, or where the nature of the activity
    is inherently more complex than normal. The
    activity potentially could result in a
    significant and harmful loss to the institution.

23
Moderate Inherent Risk
  • Moderate inherent risk exists where positions are
    average in relation to the institution's
    resources or to its peer group, where the volume
    of transactions is average, and where the
    activity is more typical or traditional. While
    the activity could result in a loss to the
    organization, the loss could be absorbed by the
    organization in the normal course of business.

24
Low Inherent Risk
  • Low inherent risk exists where the volume, size,
    or nature of the activity is such that even if
    the internal controls have weaknesses, the risk
    of loss is remote or, if a loss were to occur, it
    would have little negative impact on the
    institution's overall financial condition.

25
Risk Management
  • Effective risk management is the ability to
    adequately identify, measure, monitor and control
    the risks that are involved in its various
    products and lines of business in a safe and
    sound manner.

26
Risk Management Components
  • When assessing the adequacy of an institution's
    risk management systems, primary consideration of
    the following key elements is essential:
  • Active board and senior management oversight
  • Adequate policy and procedures
  • Adequate risk management, monitoring, and
    management information system, and
  • Comprehensive internal controls and audit

27
Relative Strength of Risk Management Processes
  • Relative strength should be characterized as
  • Strong
  • Acceptable
  • Weak

28
Relative Strength of Risk Management Processes
  • Strong Risk Management indicates that management
    effectively identifies and controls all major
    types of risk posed by the relevant activity.
    Board and management participate in managing risk
    and ensure proper policies exist. Policies and
    limits are supported by monitoring procedures,
    reports and management information systems that
    are accurate and timely. Internal controls and
    audit are appropriate for the activities of the
    institution. There are few exceptions to
    established policies and none of these exceptions
    would lead to a significant loss to the
    organization.

29
Relative Strength of Risk Management Processes
  • Acceptable Risk Management indicates that the
    institution's risk management systems, although
    largely effective, may be lacking to some modest
    degree. It reflects an ability to cope
    successfully with existing and foreseeable
    exposure that may arise in carrying out the
    institution's business plan. While the
    institution may have some minor risk management
    weaknesses, these problems have been recognized
    and addressed. Overall, the board and senior
    management oversight, policies, and limits, risk
    monitoring and information systems are considered
    effective. Risks are generally controlled in a
    manner that does not require more than normal
    supervisory attention.

30
Relative Strength of Risk Management Processes
  • Weak Risk Management indicates risk management
    systems are lacking in important ways and
    therefore, are a cause for more than normal
    supervisory attention. The internal control
    system may be lacking in important aspects,
    particularly as indicated by continued control
    exceptions or by the failure to adhere to written
    policies and procedures. The deficiencies
    associated with these systems could have adverse
    effects on the safety and soundness of the
    institution or could lead to a material
    misstatement of its financial statements if
    corrective actions are not taken.

31
Board and Senior Management Oversight Expectations
  • The board of directors and senior management have
    identified and have a clear understanding and
    working knowledge of the types of risks inherent
    in the institution's activities and have made
    appropriate efforts to remain informed about
    these risks as financial markets, risk management
    practices, and the institution's activities
    evolve.

32
Board and Senior Management Oversight Expectations
  • The board has reviewed and approved appropriate
    policies to limit risks inherent in the
    institution's lending, investing, trading, trust,
    fiduciary and other significant activities or
    products.

33
Board and Senior Management Oversight Expectations
  • The board and management are sufficiently
    familiar with and are using adequate record
    keeping and reporting systems to measure and
    monitor the major sources of risk to the
    organization.

34
Board and Senior Management Oversight Expectations
  • The board periodically reviews and approves risk
    exposure limits to conform with any changes in
    the institution's strategies, addresses new
    products, and reacts to changes in market
    conditions.

35
Board and Senior Management Oversight Expectations
  • Management ensures that its lines of business are
    managed and staffed by personnel with knowledge,
    experience, and expertise consistent with the
    nature and scope of the banking organization's
    activities.

36
Board and Senior Management Oversight Expectations
  • Management ensures that the depth of staff
    resources is sufficient to operate and manage
    soundly the institution's activities and that its
    employees have the integrity, ethical values, and
    competence that are consistent with a prudent
    management philosophy and operating style.

37
Board and Senior Management Oversight Expectations
  • Management at all levels provides adequate
    supervision of the daily activities of officers
    and employees, including management of senior
    officers or heads of business lines.

38
Board and Senior Management Oversight Expectations
  • Management is able to respond to risks that may
    arise from changes in the competitive environment
    or from innovations in markets in which the
    organization is active.

39
Board and Senior Management Oversight Expectations
  • Before embarking on new activities or introducing
    products new to the institution, management
    identifies and reviews all risks associated with
    the activity or product and ensures that the
    infrastructure and internal controls necessary to
    manage the related risks are in place.

40
Adequate Policies, Procedures, and Limits
41
Adequate Policies, Procedures, and Limits
  • The institution's policies, procedures, and
    limits provide for adequate identification,
    measurement, monitoring, and control of the risks
    posed by its activities.

42
Adequate Policies, Procedures, and Limits
  • The policies, procedures, and limits are
    consistent with management's experience level,
    the institution's stated goals and objectives,
    and the overall financial strength of the
    organization.

43
Adequate Policies, Procedures, and Limits
  • Policies clearly delineate accountability and
    lines of authority across the institution's
    activities.
  • Policies provide for the review of activities new
    to the financial institution to ensure that the
    infrastructures necessary to identify, monitor,
    and control risks associated with an activity are
    in place before the activity is initiated.

44
Adequate Risk Monitoring and Management
Information Systems
45
Adequate Risk Monitoring and Management
Information Systems
  • The bank's risk monitoring practices and reports
    address all of its material risks.
  • Key assumptions, data sources and procedures used
    in measuring risk are appropriate, documented,
    and tested for reliability.

46
Adequate Risk Monitoring and Management
Information Systems
  • Reports and other forms of communication are
    consistent with the banking organization's
    activities, are structured to monitor exposures
    and compliance with established limits, goals, or
    objectives, and as appropriate, compare actual
    versus expected performance.

47
Adequate Risk Monitoring and Management
Information Systems
  • Reports to management or to the institution's
    directors are accurate and timely and contain
    sufficient information for decision-makers to
    identify any adverse trends and to evaluate
    adequately the level of risk faced by the
    institution.

48
Adequate Internal Controls
49
Adequate Internal Controls
  • The system of internal controls is appropriate to
    the type and level of risks posed by the nature
    and scope of the organization's activities.
  • The institution's organizational structure
    establishes clear lines of authority and
    responsibility for monitoring adherence to
    policies, procedures and limits.

50
Adequate Internal Controls
  • Reporting lines provide sufficient independence
    of the control areas from the business lines and
    adequate separation of duties throughout the
    organization's activities.
  • Official organization structures reflect actual
    operating practices.

51
Adequate Internal Controls
  • Financial, operational, and regulatory reports
    are reliable, accurate, and timely; wherever
    applicable, exceptions are noted and promptly
    investigated.
  • Adequate procedures exist for ensuring compliance
    with applicable laws and regulations.

52
Audit
  • Internal audit or other control review practices
    provide for independence and objectivity.
  • The institution's audit committee or board of
    directors reviews the effectiveness of internal
    audits and control review activities on a regular
    basis.

53
Audit
  • Internal controls and information systems are
    adequately tested and reviewed; the coverage,
    procedures, findings, and responses to audits and
    review tests are adequately documented;
    identified material weaknesses are given
    appropriate and timely high level attention; and
    management's actions to address material
    weaknesses are objectively verified and reviewed.

54
Onsite Review
  • From the off-site risk scoping process, the
    examiner needs to take the hypothesis of the
    bank's condition and develop examination
    techniques for the on-site review to assess the
    level of risk.
  • What are the trends?
  • What functional exam areas will be targeted?

55
Pre Examination Meeting
  • Central point of contact and staff
  • Meets with bank management
  • Requests information to review
  • Minutes
  • Policies
  • Board and management reports
  • Audit reports

56
Pre Examination Meeting - 2
  • Concentrate on shifts in strategy
  • New products
  • Management and senior staffing changes
  • Current issues
  • Operations and technology challenges

57
Onsite Review
  • Review transactions/processes
  • Evaluate Models
  • Observe
  • Discuss
  • Finalize financial analysis
  • Finalize analysis of risk management

58
Leveraging Internal Audit
  • Eliminate duplicative efforts
  • Ensure that the exam is focused, streamlined
  • Reduction in regulatory burden
  • Focus on reviewing areas of highest risk
  • Greatest vulnerability

59
Reporting Examination Findings
  • Meetings with bank management or board of
    directors at conclusion of examination
  • Written report of examination
  • Follow-up monitoring, reporting and corrective
    action

60
Continuous Supervision
  • Begin the risk-focused process by following up on
    examination findings and continuously reviewing
    changes in the bank's financial condition and
    risk management practices

61
Questions