implementing audit management software - a...

Click to edit Master title styleClick to add unit of measure

Implementing

Audit Management Software

- A Practical Approach -

5th Annual Internal Audit Forum, Berlin


Agenda

T O P I C S

About Erste Bank

Audit Management Software - Our History

Targets and Scaling

Software Selection – review approach

Design Issues

Challenges and Pitfalls

Checkpoints


About Erste Bank

Erste Group at a glanceCustomer banking in the eastern part of the EU

CET 1 ratio (Basel 3, phased-in)

Total assets

Net profit

Key financials YE 2016

13.4%

EUR 208.2 bn

EUR 1.26 bn• Founded in 1819 as the first Austrian savings bank

• Today, Erste Group is one of the largest financial services

providers in the eastern part of the EU in terms of clients and

total assets. Its core activities – besides the traditional

strength in serving private individuals and SMEs – include

advisory services and support for corporate clients in

financing, investment and access to international capital

markets, public sector funding and interbank market

operations

• Erste Group is strongly committed to offering

a comprehensive range of financial products to meet its

customer needs

Total equity EUR 16.6 bn

Loan to deposit ratio 94.7%

Operating result EUR 2.66 bn


About Erste Bank

Erste Group at a glanceCustomer banking in the eastern part of the EU

• 47,000 employees serve 15.9 million

customers with over 2,600 branches

in 7 countries in the eastern part of

the EU

• One of the leading financial providers

in the eastern part of the EU

• Among the TOP 3 banks in our core

markets in AT, CZ, SK, RO, HU and

HR


Erste Group Audit Function

Group Audit

Holding

Ceska

Sporitelna

Slovenska

Sporitelna

Erste Bank

Hungary

Banca

Comerciala

Romana

Erste Bank

Croatia

Erste Bank

Serbia

Erste Bank

Austria

Savings Banks

46 Savings Banks

Other Core Subsidiaries

20 +

Scope of application of Audit Management Software

300 + core users 80+ banks and subsidiaries 1.000 + business users Co-use of software by risk

and compliance functions


Audit Management Solution

• Until 2011 – scattered local solutions supporting Audit Management based on Access, Excel and Mainframe

• 2011 - introduction of dedicated Audit Management Software integrating all major subsidiaries (currently 60 +)

• 2016 – decision to implement integrated software for audit, risk and compliance functions, implementation until YE 2017

Our History with Audit Software

Current Audit Solution Going forward – INTEGRATED solution

• Audit specific• Interfacing all major subsidiaries• Covers full audit process, but little workflow

involvement of business

• Extended use by Audit, Risk Management functions and Regulatory Affairs

• Full involvement of Business Users in the Action Tracking Process

• Project is currently ongoing

SCOPE:Audit Universe, Risk Assessment, Audit Planning, Audit/Audit Workpaper Management, Findings/Action Tracking, Time Reporting


TARGETS SCALING

What do you want to achieve ?

• Just supporting the audit process, internally ?• Workflow for Tracking Actions ?• Integrate with units doing similar activities ?• Keep full control within audit or establishing a

bankwide solution ?• Single bank or group ?• Not only audit management but also analytical

tools included ?• Common reporting beyond audit ?

Who shall participate in the Solution ?

• Audit• Audit and other Control Functions• Tracking overall (Regulatory Tracking)• Business Users• Which subsidiaries

• It is commonplace to develop a good understanding on targets and scope of a project involving IT infrastructure.

• Executing this, it quickly shows that complexity, cost and time pressure increases (almost) exponentially with scope extension and number of user groups.

• A useful opportunity not to just audit but to run a project.

TARGETS and SCALING


Software Review and Decision

• Still an emerging product family, especially forthe European market

• „Gartner“ (and other) assessments helporientation

• Market will most likely further consolidate

• Many products appear to have „corefunctionality“ (audit; operational risk; tracking) adding on other functions

• Newcomers appear to have a more flexible architecture and modern interfaces, but maylack specific implementation experience and business knowledge

HOW DID WE DO IT:

• Request for Information

• Selection of Long List

• Request for Proposal

• Presentation of Vendors (1 – 2 days)

• Selection of Short List

• Extended Vendor Presentation• Includes tailored data• Approximate expected solution as much as

feasible (cost; time …..)• Detailed technical review• This may require compensation

• Proof of Concept

• Decision

SOFTWARE SELECTION – APPROACH


STRUCTURE

• Core Data Structure• Almost an industry standard• Interfacing Organisation, Users, other data

not in the GRC system (op Risk; HR; etc)

• User Authorization Design• Among the most challenging tasks in a

multi-entity environment• Avoid need to authorize on field level• Confidentiality vs. Information requirements

• Archiving and Export• Make sure that adequate solution is

available to „mass“ export as well as allowfor a comprehensive export of „one audit“

• Carefully review archive function, accountfor customization impact

DESIGN ISSUES


The Known Issues

MULTI ENTITY ENVIRONMENT• Ensure that data are only available at a “Legal Entity” level, while Group Audit can use all data for related reporting – take

specific effort to create an effective solution.

SECURITY/CONFIDENTIALITY• Complex user rights set up• Assure restricted access to highly confidential content• Data protection issue (audit workpaper may include customer details etc)

OUTSOURCING IMPACT• Even intragroup services require compliance with outsourcing regulations and policies – technical as well as methodological

topics

CROSS BORDER• Consider local regulatory requirements – reporting, outsourcing, archiving etc

MIGRATION• The issue is not with “Core Objects” – Audit Universe, Risk Assessment, Audit, Finding/Action – but Audit Programs and

Workpapers. There, software design approach differs significantly which makes it cumbersome to map and transfer data.

WORKFLOW• Complex multistep workflows increase controls and audit trail but there is a cost:

• Project effort• Impact in case of “unexpected” events

USEABILITY• Especially consider Users not working daily in the application (e.g. “Business Users” in tracking process)

SPECIFIC CHALLENGES


A non-comprehensive list

PROJECT• Audit is not immune against all sorts of project risk – but do not try to be the “best” in project methodology• “Nice to have’s” may have a large impact on maintenance effort and cease to be “nice”

ORGANIZATION• Maintain and update organization – the system will not “know” the impact on your audits, findings and actions. This requires a

well balanced cooperation and mix of automated and manual activities

SCALING• Use by small and large organizations – the latter will struggle with increased complexity, background knowledge requirements

etc.

COMMON CATEGORIES• Common use of data requires to align certain categories (findings) – complexity vs. intuition.

INTERFACES• Any interface increases technical effort at inception and for maintenance – make a very educated decision what you really need.

SOFTWARE• Configuration vs. software change – consider impact on version updates !

PROJECT ISSUES AND PITFALLS


STEPS

1Thorough Business Design – describe processes in detail – preferably as Use Cases - make sure

vendor understands

2 Well prepared criteria for vendor selection process

3 Invest time in vendor presentations, early investment is worth it

4 Critically review workflows you want embedded

5 Migration – start mapping as early as possible

6 Include broader user groups – more project effort, but higher acceptance

7 User Interface – the better the less training

8Infrastructure – you will (at least) need user and organisation data, establish data quality and

responsibilities

9 IT Security – involve at early stage as audit content is encompassing „everything“

Checkpoints

A project introducing „audit software“ is just another project, but there are a few general

observations that specifically apply.

implementing audit management software - a...

Documents