Segmenting the audit universe
Janette Smith, Head of Audit, Products, Sales and Servicing, Nationwide Building Society
Ian Hersey, Head of Audit Methodology, Lloyds Banking Group
Introduction
Key points to consider when preparing and segmenting the audit universe to support:
- Internal Audit's risk assessment;
- the prioritisation of audit activities; and
- monitoring of Internal Audit's coverage of the audit universe.
Segmenting the Audit Universe
The audit universe:
- comprises auditable entities;
- is segmented to support audit prioritisation and coverage monitoring;
- is structured to support the risk assessment and audit plan construction; and
- should be validated against other sources for completeness.
Review the audit universe following material changes in the organisation, and at a minimum on an annual basis.
Segmenting the Audit Universe (Cont.)
Customer Journey - Mortgages: Mortgage Advice > Customer take-on > KYC > Underwriting > Fulfilment > Servicing > Arrears Management
Options for auditable entities:
- Mortgages (as a single entity)
- New Lending / Servicing / Arrears Management
- Each element of the customer journey
- Further segmentation, e.g. segment underwriting into BTL / Residential, servicing into granular processes
- Etc.
The number of auditable entities is partly driven by the preferred size / scope of individual audits.
Segmenting the Audit Universe (Cont.)
Customer journeys: Mortgages; Current Accounts; General Insurance; Life Insurance
The number of auditable entities is also partly driven by the complexity of the organisation.
Segmenting the Audit Universe (Cont.)
Segmentation also depends on the approach to auditing functions vs. business processes, e.g. Finance:
- Business Planning
- Financial Reporting
  - Statutory financial reporting
  - Regulatory reporting
  - Liquidity reporting
  - Capital reporting
- Capital planning
There is also judgment in auditing thematic risks: a separate risk assessment / audit vs. coverage within business processes. E.g. vulnerable customers:
- a separate auditable entity, or
- coverage in business processes, e.g. arrears management, new lending
Annual Planning – Typical Process
Bottom-up Risk Assessment
Internal Audit's understanding of the organisation's business activities and the associated risks, applied to each Auditable Entity in the Audit Universe. Will consider assessments of:
- Inherent risk
- Control environment
- Residual risk
Inherent Risk
Typically considers the impact and likelihood of an event occurring, giving an overall inherent risk rating for each auditable entity.
Typically defined as "the probability of loss arising out of circumstances or existing in an environment, in the absence of any action to control or modify the circumstances."
Can be assessed in aggregate or at an individual sub-risk level. New Mortgage Lending, options:
- Rate each sub-risk (Conduct Risk: Critical; Credit Risk: Critical; Operational Risk: Moderate; IT / Cyber Risk: High), then calculate the Overall Inherent Risk from the sub-risk ratings; or
- Rate the Overall Inherent Risk directly (impact on customers / regulators, financial impact).
Control Environment
Assess the control environment. Data points:
- Previous audit reports
- Other independent data sources, e.g. regulatory examinations / external audits
- Business / 2LOD assurance providers
- Risk events
- Management self assessment
- etc.
Update following relevant audits / validation of management findings.
Benefit is taken in the form of less coverage for AEs with a positive control environment.
Residual Risk
Potential for override: no model is perfect, so there has to be scope for professional judgement.
Generally formulaic, depending on the Inherent Risk and Control Environment assessments. Might look something like this:
Continuous Monitoring
Continuous monitoring of key audit risk factors should help to inform decision making over changes to the audit plan and universe.
Updated to reflect changes in processes, controls, systems, business model, regulations, business environment, etc.
Annual / 6-monthly / quarterly plan.
Coverage Model
Consider the risk profile and complexity of the organisation. Options include:
- Cyclical models
- Annual prioritised models
- Responsive models
In all cases the coverage model should be confirmed with the audit committee.
Cyclical Model
Cycle is generally set at the Auditable Entity level. There is a move in FS (financial services) towards audit cycles at a risk level within AEs, e.g.:
- Assess the overall residual risk of the AE, e.g. the AE may be High
- Assess residual risk at the sub-risk level, e.g. Credit Risk may have a residual risk of Critical
- Apply a differential cycle depending on the residual risk of the AE and the residual risk of the sub-risk, e.g. AE High / Sub-risk Critical cycle might be two years
Cyclical Model (Cont.)
Audit cycles vary in practice: typically c.12 - 18 months for the highest category, 4 - 5 years for the lowest.
UK guidance is principles based; US FS guidance gives indicative cycles:
- NY Fed: "common practice for institutions with defined audit cycles is to follow either a three- or four-year audit cycle; high-risk areas should be audited at least every twelve to eighteen months."
- OCC: "Some banks follow a four-year audit cycle, with high-risk areas audited every 12 months and low-risk areas every 48 months."
Top-down risk assessment
Audit coverage of topics or themes identified from the "top-down" assessment may include specific audit work covering the topic or theme and/or one or more audits identified from the "bottom-up" assessment. Consider:
- Industry or regulatory hot topics
- Internal or external events
- Business strategy
- Senior management insights
- Third party challenge sessions
The Audit Plan
Whichever model or combination of models is used, generally:
- higher risk elements of the audit universe are audited more frequently and to greater depth than lower risk elements
- a risk-based decision is made as to which auditable entities should be included in the audit plan
- it is not necessary to cover all of the scope areas every year
- judgement is applied as to which areas should be covered in the audit plan, and on the frequency and method of coverage of auditable entities (audit cycle)
- it may be determined that very low risk activities of the organisation will not be subject to any structured audit coverage
- don't forget regulatory expectations or requirements for internal audit to undertake specific audit work
The result is a prioritised list of audits for the next planning period (often the next 12 months):
- Bring together the top-down and bottom-up analysis, and set out common themes and risks
- Discuss with business stakeholders
- The final audit plan is presented to the Audit Committee.
Q&A