internal audit’s role in regulatory reform-the dodd frank act march 15, 2012
TRANSCRIPT
Internal Audit’s Role in Regulatory Reform-The Dodd Frank Act
March 15, 2012
www.pwc.com
PwC
Agenda
Regulatory Reform Landscape 3
Internal Audit’s Response to Date 7
Role of Internal Audit-
•Overview 9
•Key Factors to Consider 10
•Positioning 11
•Risk Assessment 12
•Coverage Plan 13
•Methodology & People 24
•Bringing it all together 27
23/15/2012
PwC
The Dodd-Frank Act will have a significant impact on the strategies and business operations of financial services firms
•Assessing the impact and managing the implementation of the Dodd-Frank Act (DFA) is not a routine regulatory project given the:
- Volume and complexity of rules;
- Number of federal agencies (e.g., SEC, Fed, CTFC, FDIC and others ) that are independently writing and releasing rules;
- Tight timelines associated with implementing financial reforms; and
- Scores of stand-alone and interdependent implementation projects (e.g., the "portfolio" of projects), at both the business and enterprise level, that must be initiated, funded, managed, and monitored over the next three to five years.
•As the financial services industry changes and institutions react and adjust to these new regulatory reforms, so too must internal audit
•Owing to the extensive nature of the regulatory reform and its global impact, internal audit must position itself as both a partner with management as it addresses the challenges, and as a independent monitor and assessor of the implementation efforts for both the audit committee and the regulators
33/15/2012
PwC
Dodd-Frank – U.S. element of global financial regulatory reform
4
Macro and Micro – Prudential Supervision
• Sharpened focus on mitigating systemic risk and maintaining financial stability through use of macro-prudential supervision tools
• Increased coordination among global supervisors
• Heightened examination scrutiny of large, complex financial institutions
Systemically Important Financial Institutions
• Recent designation of 29 global systemically important financial institutions (“G-SIFIs”)
• Nonbank “SIFI” designations still to be determined
• New requirements ranging from higher capital and liquidity buffers, recovery and resolution plans, and prudential risk management standards
Governance, Transparency, and Consumer Protection
• Renewed accountability at the Board and executive management levels – appropriately balancing risk and reward
• Increased reporting and data collection to benefit monitoring of risk
• Greater emphasis and scrutiny on the consumers’ interests
3/15/2012
PwC
Where are we now in the U.S. Status of the rule making process
5
Uncertain
Still just starting
Late
Many mandated rulemaking deadlines have been missed and regulators have pushed back the effective date of certain provisions.
Overwhelmed
Regulators have never gone through a period of such voluminous rulemaking.
With so many open rules and impending deadlines, financial institutions are having to manage through the uncertainty.
Fewer than 20% of rules required by Dodd-Frank has been finalized.
3/15/2012
PwC
How do organizations react?
As new regulations are enacted and as existing regulations evolve, organizations are tasked with:
• Evaluating the complexity and the interpreting the nuances of these changes
• Interpreting the rules and understanding the applicability to the various business(es) within the organization
• Assessing the impact of the rules on all areas of the enterprise
• Convening a steering committee to drive the necessary changes in process throughout the organization
• Organizing a Project Management Office to oversee the required changes
• Implement the required changes
As illustrated in the graphic below organizations are expending considerable resources to ensure compliance with the rapidly changing regulations in the financial services industry
6
Steering Committee
PMO
Working Group 1 Working Group 2
Working Group 3 Working Group 4
People
Operations/IT
Strategy
Risk/Compliance
3/15/2012
PwC
Internal Audit’s Response to Date
Large Institutions
•The new regulatory environment is front and center in everyone’s mind. Having said that, we see that some companies are responding differently than others.
•We have noted that, in general, the nation’s largest banks, investment banks and other financial institutions are out in front of the rule making by actively reviewing the proposals and commenting on the anticipated impact on their respective business lines.
•Many of these organizations have set aside multiple hundreds of resources, have created detailed structures and have developed an organized approach, getting business leaders, compliance and legal professionals, as well as other support functions, involved in the process in the earliest phase.
•In many of these cases, internal audit has made a concerted effort to be involved by engaging with Project Management Offices (PMOs) as the inevitable projects begin to take shape.
73/15/2012
PwC
Internal Audit’s Response to Date continued
Small to Mid-Sized Institutions
• The internal audit functions of small to mid-sized organizations are often challenged on the resource front and are attempting to respond often times without dedicated resources.
• Most internal audit functions believe the y should play an active role in understanding the changes that are being implemented throughout the organization and monitoring their progress including pre-implementation and post-implementation reviews
• While a majority of respondents recognize a need to stay abreast of what is going on in their organizations with respect to regulatory reform, only a minority acknowledge that it is their responsibility to update the audit committee
• At the current time, half of the internal audit functions surveyed do not believe they have sufficient resources to address the changes in risk that are occurring throughout the organization as a result of regulatory reforms,
83/15/2012
PwC
Role of internal audit – Overview
• The regulatory reforms have far reaching implications for financial services organizations regardless of their size.
• The regulatory reforms will go beyond compliance and will impact the business strategy of the organizations.
- Existing products and services will be eliminated (e.g. proprietary trading) and new products/services will be introduced.
• Regulatory reforms present a significant opportunity for internal audit to demonstrate value over and above its annual audit plan and should be a key focus area in 2012 and beyond
• Internal audit has an opportunity to earn a seat at the table in the long run by assisting management in the successful implementation of the regulatory program
• Internal audit should take a proactive approach in determining and communicating its role in regulatory reforms
93/15/2012
PwC
Role of internal audit – Key Factors to Consider
• Internal Audit should consider the following as it establishes its role in regulatory reforms
- Positioning: Understand the expectations from its major constituents (i.e., regulators, management and board)
- Risk Assessment and Coverage Plan: Adapt the risk assessment process with a goal of developing a coverage plan to address its stakeholders' expectations and internal audit’s mandate
- People & Methodology: Identify and address the impact on internal audit’s people and methodology to effect its regulatory reform coverage plan and meet stakeholder expectations
103/15/2012
Positioning
People & Methodology
Risk Assessment and Coverage Plan
PwC
Role of Internal Audit-Positioning
• Internal audit’s assessments of vertical processes (work stream specific) , horizontal processes (across work streams) and the program and project management can be critical to its stakeholders
• Internal audit needs to consider the expectations of all its constituents while developing its coverage plan with respect to the regulatory reforms
• Regulatory expectations
- Regulator’s expectations will not be prescriptive but they will expect to see coverage of the regulatory reform program
- Comprehensive coverage of the regulatory reform program will be critical in internal audit function’s progression from “satisfactory” to “strong” OCC rating
- Regulators expect to be able to rely on the work of internal audit
• Management expectations
- Provide independent assurance on the progress of the changes in processes to support compliance with regulatory reforms
- Act as a sounding board by challenging management’s approach to decisions
• Board expectations
- Be the eyes and ears of the board
- Provide assurance that regulatory reforms are being implemented completely and accurately
113/15/2012
PwC
Role of Internal Audit-Risk Assessment
Internal Audit should perform the following:
• Revisit its risk assessment framework to determine the adequacy of regulatory risk coverage and whether enhancements are needed.
• Engage in proactive discussions with the audit committee and management to understand their concerns and priorities .
• Develop a risk based coverage plan that addresses the most pressing challenges of the organization and aligns with the expectations of its stakeholders.
• Set aside extra time for unexpected events and special requests in 2012 and 2013 as a result of the anticipated impacts of regulatory reforms.
• Recognize that temporary changes to the risk assessment framework may be required to cover enhanced risk during reform implementation. The new realities of doing business in the current regulatory regime may require more permanent changes.
• Ensure changes to the risk assessment framework consider regulatory reforms on a global basis and address the extra-territorial nature of regulatory regimes (e.g., the affect the of Volcker rule on foreign banking entities).
123/15/2012
PwC
Role of Internal Audit-Coverage Plan Overview
Internal Audit can play a significant role in ensuring that the regulatory reform strategy and execution is being managed effectively across the organization.
• Strategy & Governance: Review of the organizational strategy and governance structure to identify, assess , interpret and implement regulatory reforms across the organization. Assess the effectiveness of the program management office in managing change across the entity.
• Rule Based Coverage: Pre-implementation and parallel reviews should be performed focusing on assessing the effectiveness of the process and system implementation plans in addressing the critical rules and requirements. Internal audit should consider building rule-specific Coverage Plans (e.g., Volcker, OTC derivatives, Recovery and Resolution) to assess the changes being implemented in the business areas.
13
Strategy & Governance
Business as Usual Audits
OTC Derivatives
Volcker Rule
Recovery & Resolution
Stress Testing
Compliance
CFPB
IT/Operations
3/15/2012
PwC
Coverage Plan Overview continued…
• Functional /Process Based Coverage: Reviews of function/process preparedness to respond to the various regulatory changes affecting the business area (e.g., effectiveness of the risk management function in ensuring compliance with the business conduct standards established for the major swap participants, mock Consumer Financial Protection Bureau (CFPB) examination to assess preparedness of the business unit to withstand CFPB examination standards). Periodic reviews should also be conducted to make sure that PMO management reporting of implementation progress is complete and accurate.
• Business as Usual Audits: Assessing the impact of regulatory reforms on the business-as-usual audits for critical processes (e.g., market, operational, and risk management, trading and settlement, annual stress testing) and performing additional procedures as necessary. This assessment should include measuring the impact on the business strategy, systems and procedural changes that will result from the regulatory reforms.
14
Strategy & Governance
Business as Usual Audits
OTC Derivatives
Volcker Rule
Recovery & Resolution
Stress Testing
Compliance
CFPB
IT/Operations
3/15/2012
PwC
Coverage PlanStrategy & governance
• A key focus area for internal audit should be the review of the organization’s strategy & governance of the regulatory reform program efforts.
- Regulatory reform strategy and business direction: A successful response to regulatory reform begins with understandingand aligning the regulatory reform strategy and the business direction. Internal audit should understand the following:
◦ Impact of regulatory reforms on business strategies and services
◦ Impact of new products / services on the compliance regime
◦ Coordination of regulatory reform activities across business areas and geographic locations
- Tracking and assessing proposed rules: As a first step, organizations need to establish processes to track and assess proposed rules so as to formulate the response and implementation program. Internal audit’s should understand the following:
◦ Systemic process to identify, interpret, track and assess proposed rules
◦ Determination of the need to respond to the proposed rule; and if responding ensure that it a well coordinated effort (legal, compliance, business, operations, IT, etc.)
◦ Process for business line impact assessment and development of the implementation programs
15
Regulatory reform strategy and business direction
Tracking and assessing proposed rules
Program management effectiveness
3/15/2012
PwC
Coverage planStrategy & Governance continued
• Program management effectiveness:
The success of an organization’s implementation program will require a robust and effective program management office. Internal Audit plan should assess the design (initial set up) and operating (on-going) effectiveness of the program management office for the following:
-Board and executive sponsorship
-Clear roles and responsibilities (i.e., steering committee, PMO, working groups)
-Cross functional approach to reform rules implementation that integrates all key functional areas into program management
-Process to validate and link the implementation to the applicable rules
-Regular and effective reporting of program status (progress, issues, risks, decisions, resource requirements and constraints) at every level (working group, PMO, Steering committee etc)
-Milestones and timeline management
-Process to identify interdependencies between projects, rules etc
-Process to prioritize implementation projects based on the rule making process
-End to end program quality management program
163/15/2012
PwC
Coverage planRule based coverage
• Until now, the main focus of organizations’ regulatory reform program has been on tracking, assessing and responding to the proposed rules
• While certain implementation projects are already in progress (e.g. clearing platforms, OTC Derivatives reporting and record keeping) the implementation programs will gain more momentum in 2012 as more rules are finalized
• In many cases, the implementation deadlines will be tight and organizations will need to move fast to ensure compliance
• Internal audit should consider pre and parallel implementation reviews that focus on end to end coverage of the implementation of the proposed rules (vertical coverage). The first wave of internal audit reviews may focus on OTC Derivatives, Volcker Rule, Recovery and Resolution Planning .
• Although the extent of audit coverage will differ based on the applicable rule, it should focus on providing assurance on the following:
- Complete population of rules applicable to the business unit, product or service have been identified
- All change requirements resulting from the rules have been identified completely and accurately
- Downstream projects scope and objectives address all relevant change requirements
- Project deliverables are in accordance with the project scope and approach and meet the applicable change and business requirements
- All risk and control implications as a result of process and technology changes have been identified and addressed
173/15/2012
PwC
Sample Coverage planRule based coverage –Volcker rule
183/15/2012
Critical Requirement Related Risk Expected Control Audit Procedures
Compliance with permitted market-making activities
Trading could take on proprietary nature
Analysis of revenue strategies
Review Supervision; Market Risk review process
Adherence with approved trading strategies
Trades may not be authorized
Segregation of duties and trading delegation and supervision
Review of Supervision; trade delegations; trade amendments; and reporting
Adherence with established trading limits and restrictions
Limits could be violated
Limits are approved and monitored for adherence
Review limit governance, trading supervision, trade support and market risk processes
Establishment of strong support, risk and operations functions
Trading may not be independently checked
Adequate policies and procedures and responsibilities
Review effectiveness of policies and procedures and appropriateness of responsibilities
Implementation of proper technology and reporting
Technology and reporting may not be adequate
Quality tools and information
Assessment of adequacy of systems and reporting
PwC
Sample Coverage planRule based coverage – OTC derivatives
193/15/2012
Critical Requirement Related Risk Expected Control Audit Step
Compliance with registration requirements
Timely registration is not performed or retained where required
Trading entities cannot execute trades prior to proper registration
Review and reconcile registration documents to trading activities
Adherence with central clearing requirements
Trades may not be properly cleared
Segregation of duties and trading delegation and supervision
Review of supervision; trade delegations; trade amendments; and reporting
Qualified swaps are traded through the SEF (swap execution facility)
Trades could be executed over the counter in lieu of the appropriate facility
Trades are monitored for adherence with requirements
Review of trade monitoring processes
Establishment of strong record keeping and reporting processes
Records are not maintained in compliance with requirements
Adequate policies and procedures and responsibilities for reporting
Review effectiveness of policies and procedures and appropriateness of reporting
Implementation of proper technology and data storage
Technology is not in place to appropriately monitor trades and capture data
Quality tools and information
Assessment of adequacy of technological monitoring and data storage
PwC
Sample Coverage planRule based coverage –Recovery & resolution (“R&R”) planning
203/15/2012
Critical Requirement Related Risk Expected Control Audit Procedures
Each covered entity must submit the R&R Plan to the FDIC and the Federal Reserve by the due date*
The entity may miss the deadline for submitting the plan
The unit or person responsible for creation of the R&R Plan, creates and monitors a project plan, a calendar of deliverables and communicates those adequately
Independently determine the “due date”, review and evaluate the project plan and calendar of deliverables and the monitoring of progress
Each covered entity must submit a revised R&R Plan within 45 days following a “material event”
There may not be a mechanism for alerting the plan owner or the person(s) responsible for the plan that a material event is imminent or has occurred
Detailed definition of what would be considered to be a material event exists. The unit or person responsible for creation of the R&R Plan is made aware of all such events
Review effectiveness of policies and procedures, reporting and communication lines. Determine appropriateness of decision making process
Each plan must address and include information relative to the entirety of the 0rganization (e.g. ownership structure, assets, liabilities, contractual obligations, major counterparties, cross guarantees and pledged collateral)
A current, complete and accurate accounting of all of these various aspects related to the entity may not exist
Reconciliations to the financial statements are performed regularly. Inventories of contracts and other business alliances are regularly executed.
Review effectiveness of policies and procedures. Test the operating effectiveness of controlsRe-perform the reconciliations and inventories.
3/15/2012
PwC
Functional / Process based coverage
• Another component of the internal audit coverage plan should be functional and process coverage to assess the impact of regulatory reform on functions, processes and/or services.
• These reviews should take a horizontal approach and assess the impact of various regulatory reforms on a particular function and/or process
- For example, almost all key Dodd-Frank reforms (OTC Derivatives, Volcker, etc) establish new responsibilities for the compliance functions and a horizontal review of the compliance function would look at its ability to identify and comply all such cross rules requirements.
• These reviews should address:
- The impact of various regulatory reforms / rules on key processes, risks and controls
- The impact on existing people, processes and technology and balance between reform activities and existing responsibilities
- Management’s approach to identify, assess and address interdependencies within the rules on key processes
- Management’s preparedness and change management agility as a result of regulatory reforms
- Management’s plan to transition from project to business as usual
• Such reviews would provide assurance to the organization’s board and senior leadership that businesses are well prepared and positioned to respond to the regulatory reforms while executing their existing responsibilities (see Appendix E for further detail)
213/15/2012
PwC
Functional / Process based coverage
• Examples of such reviews may include:
- Compliance functional assessment: There is a considerable impact on compliance processes as a result of the regulatory reforms (OTC Derivatives, Volcker, Recovery and Resolution). Internal audit should review Compliance’s preparedness to respond to such new regulatory requirements, identify interdependencies between compliance requirements while developing new processes, process for training compliance and business professionals on new requirements, enable timely and accurate regulatory reporting
- IT Governance: Internal audit should review IT’s governance and project management processes to ensure timely implementation of changes as a result of the regulatory reform. The review should also focus on the IT resource and budget allocation process and its impact on overall business strategy as compromises/prioritization will be necessary given competing project necessities
- New product development process: As new products are being developed, it is critical for internal audit to review the new product development and approval process to ensure that there is a systemic process to identify and address key risks (strategic, business, financial, operational, IT, regulatory and compliance) while approving new products
- Regulatory reporting: There will be a considerable increase in the regulatory reporting as a result of the regulatory reforms. Internal audit should review the regulatory reporting processes to ensure processes are being established requirements, adequate resources are being devoted and system enhancements are being made to identify and comply with all reporting requirements in a timely manner
- Mock regulatory examinations: The internal audit may also add considerable value by performing mock regulatory examinations to assess business/function’s preparedness to withstand regulatory scrutiny
223/15/2012
PwC
Business as usual audits (BAU)
Existing business as usual audits
• There are few functions/processes that will not be impacted by the length and breadth of the regulatory reforms
• As audit undertakes business as usual audits in its existing audit plan, it should consider implementing a formal process to assess the impact of regulatory reform on the in-scope processes and risks for the purpose of determining the need for performing additional procedures
Future business as usual audits
• In addition, a number of transformational and special projects undertaken by internal audit will become business as usual audits in years 2012 and beyond. For example,
- Independent testing of compliance function (Volcker rule requirement)
- Annual testing of the recovery and resolution planning
• Audit should ensure there is a formal process to identify all such business as usual audit’s requirements and incorporate them in the audit plan
233/15/2012
PwC
Role of Internal Audit – Methodology & People
• The impending regulatory reforms go beyond compliance and their impact will be felt at the heart of organization’s business strategy. Internal audit should review its methodology to determine changes needed to its core audit processes.
• Audit Universe
- Some existing products/services will be discontinued and replaced with new business strategies.
- Business strategy changes will result in front office, support function, system, process and legal entity changes.
- Similar to annual AML audits, additional statutory/compliance audits will emerge.
- Systems will change resulting in more pre-implementation and post-implementation reviews.
24
Rule making area Example audit universe additions / updates
OTC Derivatives • Registration• Centralized clearing• Business conduct requirements• Compliance program• Finance – Capital & Liquidity• Counterparty fund protection
Volcker Rule • Compliance program• Proprietary trading• Covered fund activities• Reporting & record keeping
Recovery & Resolution Planning
• Recovery plans• Resolution plans• Compliance testing
3/15/2012
PwC
Role of Internal Audit – Methodology & People• Continuous Monitoring
- Many internal audit functions have continuous monitoring processes in place to monitor the emerging risks in the organizations and their impact on the audit plan.
- Given the extensive nature of the regulatory reforms, internal audit should consider enhancing its continuous monitoring process to ensure the impact of regulatory risk is identified and considered while periodically updating the audit plan
• Internal Audit Reporting
- Internal audit should consider providing a consolidated view of the organization’s regulatory reform activities based on its audit coverage
- The reporting should be based on the aggregate results of the:
◦ PMO and governance reviews
◦ Rule based coverage
◦ Functional coverage
◦ Business as usual audits for processes impacted by regulatory reforms
- Internal audit reporting should also consider the process to share best practices across work streams, report any issues noted in its reviews, and follow up on the implementation of management action plans
- Internal audit may also need to schedule regulatory reform focused meetings with the Audit Committee to ensure it can provide its comprehensive assessment of organization’s reform program
- Internal audit should ensure that its reform coverage is adequately documented to enable regulators to place reliance on its work
253/15/2012
PwC
Role of Internal Audit – Methodology & People
• People: Last but certainly not least, internal audit should perform skill sets assessment to identify the skill sets required to execute its new coverage plan. Internal audit should focus on:
- Audit teams impacted by the reform activities
◦ In the short term, risk, corporate and capital markets audit teams are expected to face the most stringent demand for resources.
- Knowledge management program
◦ Internal audit should develop a plan to ensure that the internal audit is up to date on organization’s reform program and its progress
◦ Internal audit should ensure that its staff is adequately trained on the reform program and the organization’s response in order to provide value added audit coverage
263/15/2012
PwC
Bringing it all together
What is the extent of internal audit involvement?
273/15/2012
Get a seat at the table – get involved
• Establish and communicate expectations
• Understand and assess organization’s strategy
• Provide real time advice and counsel on control matters
Create internal audit response team
• Set up liaison teams in each business and functional area
• Develop knowledge management program for internal audit
Develop the coverage plan
• Build internal audit coverage plan
• Execute PMO and governance reviews
• Begin rule based coverage that coincides with the rule making timeline
Assess impact on internal audit methodology and people model
• Update audit universe• Revisit risk
assessment process for changes in organizational risk profile
• Update risk and control libraries
• Assess skill set gap and develop plan
• Audit Committeereporting
In the short term, internal audit should focus on…..
Get started now
PwC
PwC contacts
Richard ReynoldsPartner – Financial ServicesInternal Audit Services+ 1 646 471 [email protected]
Christina PatilisSenior Managing Director-Financial ServicesInternal Audit Services+ 1 646 471 [email protected]
283/15/2012
f
© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.