Top Priorities for Internal Audit in Financial Services Organizations Discussing the Key Financial Services Industry Results from the 2016 Internal Audit Capabilities and Needs Survey

1 Top Priorities for Internal Audit in Financial Services Organizations

Introduction

Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement, and help to stimulate the sharing of leading practices throughout the profession. The 2016 report that follows describes the outlook of internal audit leaders within the financial services industry. For the first time in many years, this survey reflects the views of internal audit professionals during a time when the global economy and its financial system were recovering from the global financial crisis. The risk landscape it paints therefore reflects people’s risk perceptions in a newly evolving world.

The findings discussed in our paper are based on responses from nearly 300 chief audit executives (CAEs) and internal audit professionals in the U.S. financial services industry. In the opinion of these respondents, cybersecurity represented the greatest area for internal audit functions to address. We have devoted one entire section of this report to the increasing attention that cybersecurity continues to garner. But this is far from the only area internal audit organizations seek to improve as they look forward to the coming year. A few areas that organizations prioritized as particularly acute challenges include:

• Agile Risk Management

• Model Risk Management & Data Analytics

• Mobile Applications

Michael Thor is a Managing Director with Protiviti and leads the firm’s North American Internal Audit practice.

It is a near certainty that financial institutions will suffer cyber-related outages in the next few years; the key issue is how they respond and recover.

Cybercrime Concerns Dominate

Chief among the issues identified this year is technology risk, because of growing concerns about cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency and sophistication of cyberattacks, as well as the increased regulatory scrutiny around ensuring firms have adequate cyber-risk programs in place, have driven this risk to the top of the list.[1] Exacerbating this is a growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches and unpredictable outages that can cause disruption. A major challenge is that financial services firms are playing catch-up in a technology environment that continues to evolve rapidly.

As financial institutions rely to an even greater extent on technology (see “Mobile Applications Challenge” on page 3) they also need to be concerned with risks arising from third-party outsourcing and off-shoring activities. Vendors’ different and possibly less stringent security standards could create the potential for data loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get longer and more complex.

As financial institutions grow even more reliant on digital technology, the severity of a potential cyber breach increases exponentially. Cybersecurity has traditionally been the responsibility of the chief security officer and/or the chief information officer; however, risk management and internal audit have a key role to play in securing the organization by working closely with senior management to ensure cybersecurity is embedded into the enterprise.

Agile Risk Management, Incorporating Risk Appetite and Risk Culture into the Third Line of Defense

In the immediate aftermath of the financial crisis, financial institutions, especially banks, invested a great deal of time, energy and money in developing more robust risk management functions focused on identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses we received suggest still more needs to be done to meet both the demands of the modern environment and the heightened expectations of regulators. Firms have recognized that they need to become more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad regulatory demands and changes in the operating environment requires firms to have agile and effective risk management and compliance functions that operate more like business functions, providing value by being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating risk appetite and risk culture into their organizations to create a risk-aware environment that allows an agile risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for internal audit is recognizing its role within an agile risk management philosophy and how it can assist in reinforcing and independently testing both risk appetite and risk culture in the organization.

[1] The 2015 annual report by the Financial Stability Oversight Council said that although U.S. banks and financial businesses have been leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger, www.treasury.gov/initiatives/fsoc/studies-reports/Documents/2015%20FSOC%20Annual%20Report.pdf.

Increasing reliance on and complexity of models, especially in the area of stress testing, has driven increased demand for resources with the knowledge and skills to address the risks associated with the use of these same models.

Model Risk Management

Internal auditors have ranked model risk management as one of the top areas where they need to improve their technical knowledge – and for good reason. The internal audit function is tasked with verifying that financial institutions have a comprehensive model risk management practice, which includes governance, processes, policies, adherence to policies, and documentation.

Having internal audit staff with the competence and skill set to provide effective challenge to the first- and second-line functions that use and oversee the models, and to model risk management overall, continues to be a challenge for financial institutions, especially those that lack the scale to support an in-house team of model professionals within the internal audit function.

As organizations continue to increase the use and complexity of models, and with increasing regulatory focus on stress testing, already scarce modelling skillsets are in even greater demand.

Mobile is lauded for its ability to connect organizations with consumers, but it brings its own unique challenges and risks to the organization.

Mobile Applications Challenge

Continuing the earlier technology trend, the survey shows a clear focus on auditing risks related to the development, management and use of mobile applications within financial services institutions. Mobile banking and mobile payments are exploding in popularity as financial institutions respond to demands from their customers for more convenience through mobile channels. The speed of change, the introduction of new third parties offering mobile services, and the myriad risks presented by such brand-new technology are presenting a wave of new challenges for financial services firms, as well as for the internal audit functions that have to help the organization navigate the risks presented by these new channels, processes and technologies.

The Changing Internal Audit Environment

Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs Survey showed that the focus of the entire industry was mainly on regulatory compliance – from stress testing requirements to the broader concerns over compliance with the various regulations being issued under the Dodd-Frank Act. Even though internal auditors continue to grapple with regulatory compliance, an increasing focus is being placed on ensuring that programs already implemented, such as risk appetite and risk culture, are being embedded into the organization, as well as on looking ahead to adopting a more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing on firms’ cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors among areas for improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as an area for greater attention.

Unlocking the Power of Data to Help Manage Risk

Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle with. The industry agrees that data analysis holds great promise; however, how to effectively deploy and utilize expanding data analysis capabilities to harness the power of advanced analytics remains a challenge to most internal audit organizations. That said, the use of analytics by internal audit functions is continuing to evolve, driven by internal audit functions’ desire to make informed decisions on data from key risk indicators in the various lines of business to help them dedicate their audit hours and testing more efficiently and effectively. The more advanced firms report that they are implementing the use of aids such as visualization tools and continuous monitoring, accessing enterprisewide data, as well as running analytics, to help them better understand where the biggest risks exist.

Impacts on Internal Audit

The role of internal audit – the third line of defense – is changing. Under the U.S. Office of the Comptroller of the Currency (OCC) Heightened Standards for Large Financial Institutions,[2] the role of internal audit is to opine on the readiness and design of risk management systems’ corporate governance structures, including risk culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within the topics above.

Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

2016 Internal Audit Concerns

Further areas of concern that firms need to consider in developing their 2016 audit plans include:

• Development of dynamic risk assessment and audit planning

• Talent management and acquisition

• Reliance across the three lines of defense

• Assessing effective risk management

• Vendor management

• Communication with stakeholders

[2] www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf.

About the Internal Audit Capabilities and Needs Survey

This year the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge, and personal skills and capabilities. Respondents from U.S. financial services companies were also asked to assess industry-specific skills.

The results, based on information provided by all respondents (who numbered more than 1,300), are contained within the master report (available at www.protiviti.com/IASurvey). In addition to the overall findings, Protiviti collected and analyzed specific data from respondents in a number of different industries, including financial services. The intent of this report is to provide internal audit executives and professionals in the financial services industry with more focused insights about the unique issues within their domains.

Everyone, from individuals to large businesses, is at high risk of cybercrime – identity theft, account takeover, account cloning, fraudulent payments and/or transfers, the list goes on. But it is financial institutions that are battling against cyber criminals on the frontline.

Cyber risk is recognized around the world as the foremost risk for most financial services firms, which for the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their technology and systems infrastructure, with many banks’ growth strategies shifting to digital models. Such a high degree of dependence on digital technology exponentially increases the risk, and the potential severity, of cyberattacks for financial services firms.

General Technical Knowledge (top 10 areas)

Rank ("Need to Improve") | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

Cybersecurity and the Audit Process

An organization can have all of the audit controls, checks and balances in place, but if it doesn’t know what it is trying to protect, its cybersecurity program is ultimately flawed.

– Cal Slemp, Managing Director

Cal Slemp is a Managing Director with Protiviti’s IT Consulting practice.

James Armetta is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Audit Process Knowledge (top 10 areas)

Rank ("Need to Improve") | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The only unknowns are when an attack will happen and whether the firm is prepared to counter it, with processes in place to deal with the aftermath.

The growing importance of cybersecurity at financial services firms is evident in the financial services industry findings from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity Framework[3] as well as the Internet of Things. Understandably, respondents to the survey are also eager to improve their capabilities with auditing IT security.

Most companies now accept that it is not a matter of if they will be attacked, but when. “The executive management and boards of most organizations recognize that it is probable, and perhaps inevitable, that they will be compromised,” says Cal Slemp, a Managing Director with Protiviti and a leader with the firm’s Security and Privacy practice. “This is the main driver for boards calling for more enhanced, robust incident response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on the key assets of their organizations. The real challenge is establishing enterprisewide security and breaking down the silos that have traditionally addressed IT security requirements and controls with technology and limited processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST Cybersecurity Framework to guide them in assessing the strength of their security programs. Organizational governance needs to be established for these frameworks to be effective when organizations adopt them. This approach will ensure it is integrated into the culture of the organization. Firms need to have that top-down approach. The board should state that it knows breaches are inevitable but it needs to know when the firm has been compromised and that it has a robust response plan in place.”

One of the most important aspects of any firm’s cybersecurity plan is identifying its key assets – the proverbial crown jewels.[4] “An organization can have all of the audit controls, checks and balances in place, but if it doesn’t know what it is trying to protect, its cybersecurity program is ultimately flawed,” says Slemp. “Firms need to identify what they are trying to protect, and then need to be able to detect when there is a potential compromise or an attack on those key assets. And when they are compromised, firms must be able to respond effectively.”

[3] See Protiviti’s Flash Report: Cybersecurity Framework: Where Do We Go From Here? www.protiviti.com/en-US/Documents/Regulatory-Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf.

[4] See Protiviti’s Board Perspectives: Risk Oversight, Volume 1, Issue 66: “Managing Cyber Threats with Confidence,” www.protiviti.com/en-US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf.

Having the right response plan in place is crucial to be able to mitigate the damage to the organization and restore the business quickly. Many companies may have an incident response process in place but many do not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively to a breach.

“If a company is breached, it is not exclusively the responsibility of IT security to respond and recover,” says Slemp. “Many stakeholders of the organization need to be involved, from legal to PR and communications. The board of directors and executive management also need to be involved as well as the crisis management team – the list goes on.”

Internal audit has a key role to play in ensuring the organization has an effective cybersecurity policy and response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity strategy and policy from the outset, then ensuring this strategy is maintained throughout the organization. Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have the required knowledge to be able to evaluate the organization’s cybersecurity program against the NIST Cybersecurity Framework.

The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms already have many of the controls recommended by NIST but the degree of compliance varies between organizations. Firms that conduct business with the U.S. government or with regulators are required to demonstrate that they are following the framework and even though others may have a policy in place, the maturity level may still need to be developed.

One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors. Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks but all too often the threat comes from within, from their own employees or from their suppliers, which may not have such sophisticated defense systems.

Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the same rigor they evaluate their own internal risks. Protiviti’s 2015 Vendor Risk Management Benchmark Study showed that organizations are striving to make improvements in their third-party risk management programs and have a better understanding of the nature of vendor threats. It also shows that boards are seeking assurances from management that vendor risk is being assessed, managed and monitored appropriately, especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.

The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over the past few years, including the NIST Cybersecurity Framework, as well as the 2013 update to ISO 27001.

The NIST framework is U.S.-centric – global banks often prefer an internationally recognized framework. “Traditionally these banks have used ISO 27001,” says Slemp. “They are not abandoning that standard but Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies that have embraced this culturally are more able to understand it.”

The NIST framework was first published three years ago, so it is not a new development and chief information officers and chief security officers are familiar with it. It is new from an internal audit perspective, however, and as such it may not have been automatically included in annual audit plans. Companies that partner internal audit with IT and/or the security function to benefit from their guidance and insight are often more successful in understanding and implementing the NIST framework.

Regulators Focus on Cybersecurity

In March 2015 the FFIEC published its findings from a joint assessment, conducted by U.S. banking agencies the year before, of cybersecurity preparedness at more than 500 institutions. The paper contains key observations and questions that chief executive officers and boards of directors need to consider when assessing their institutions’ cybersecurity preparedness.[5] This includes high-level guidance for firms to take appropriate risk mitigation steps, including: conducting ongoing information security risk assessments; performing security monitoring, prevention, and risk mitigation; protecting against unauthorized access; implementing and testing controls around critical systems regularly; enhancing information security awareness and training programs; and participating in industry information-sharing forums.

In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations of national banks to benchmark and assess bank cybersecurity efforts.[6]

“The FFIEC’s Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity level for an organization and whether the cybersecurity preparedness is aligned with its risk,” says Slemp. “However, it is worth noting that the maturity levels start at a ‘baseline’ level that ties back to the FFIEC’s IT Examination Handbook, so financial institutions should already operate at this level. Where there is additional perceived risk, the bar is higher, so it will be interesting to see what the examiners’ expectations are for security as they begin to assess organizations using the tool.”

The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts from well-known industry standards, such as the NIST Cybersecurity Framework.

There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.

The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and complexity of the bank’s technologies and connections, delivery channels, products and services, organizational characteristics, and external threats – notwithstanding the bank’s risk-mitigating controls.

Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.

Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues experienced by their peers to ensure they are prepared to handle those types of emerging risks.

With the OCC’s Heightened Standards, internal audit functions are expected to not only evaluate areas like cybersecurity in terms of how the IT department is addressing it, but also opine on what the IT compliance and/or IT risk functions are doing. Between the level of technical depth needed to look at the different aspects of cybersecurity to the need to examine the practice of both the first and second lines of defense, the bar has definitely been raised for financial services internal audit shops.

[5] www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf.

[6] Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy. Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider

1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy and policy.

2. Cybersecurity Risk: Seek to have the organization become “very effective” in its ability to identify, assess and mitigate cybersecurity risk to an acceptable level.

3. Cybersecurity Breach: Recognize the threat of a cybersecurity breach resulting from the actions of an employee or business partner.

4. Board of Directors: Leverage board relationships to (a) heighten the board’s awareness and knowledge of cybersecurity risk; and (b) ensure that the board remains highly engaged with cybersecurity matters and is up-to-date on the changing nature and strategic importance of cybersecurity risk.

5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan based on the risk it represents to your organization.

6. Emerging Technology: Develop, and keep current, an understanding of how emerging technologies and technological trends are affecting the company and its cybersecurity risk profile.

7. NIST Cybersecurity Framework: Evaluate the organization’s cybersecurity program against the NIST Cybersecurity Framework, while recognizing that the framework does not go to the control level and therefore may require additional evaluation against ISO 27001 and 27002.

8. Preventative Capabilities: Recognize that with regard to cybersecurity, the strongest preventative capabilities require a combination of human and technology security – a complementary blend of education, awareness, vigilance and technology tools.

9. Clear Escalations Protocol: Make cybersecurity monitoring and cyber-incident response a top management priority – a clear escalation protocol can help make the case for (and sustain) this priority.

10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represent a top technology challenge in many organizations and can hamper efforts to address cybersecurity issues.

Improving Model Risk Management

The internal audit function is tasked with ensuring that financial institutions have a complete model risk management practice, which includes governance, processes, policies, adherence to policies, and documentation.

– Shaheen Dil, Ph.D., Managing Director

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management & Advanced Analytics Solutions practice.

Steve Lafrance is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Shaheen Dil, Ph.D., is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their technical knowledge. And for good reason: The internal audit function is tasked with ensuring that banks have a complete model risk management practice, which includes governance, processes, policies, adherence to policies, and documentation.

Technical Knowledge – U.S. Financial Services Industry (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 (tie) | Basel guidance on internal audit | 2.9
1 (tie) | Basel III | 2.2
3 | Model risk management | 2.7
4 | Volcker Rule | 2.2
5 | Dynamic risk assessment | 3.2
6 | Interest rate/market risk | 2.7
7 | CFPB examination readiness | 2.7
8 (tie) | Federal Reserve Guidance on Internal Audit (SR 13-1) | 3.0
8 (tie) | Vendor management | 3.4
10 (tie) | Regulatory Compliance – Holding Company (Reg W) | 2.7
10 (tie) | UDAAP | 2.8
10 (tie) | Reliance on 1st and 2nd line monitoring | 3.4


Although internal audit generally is well-equipped to perform these types of activities, the function confronts several significant challenges, including access to the quantitative expertise required to evaluate whether the model validations were conducted appropriately.

Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for U.S. institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance infrastructures of affected financial institutions.7 This inevitably impacts the role of internal audit, since it has to review the effectiveness of the model governance infrastructure.

Among other needs, these requirements mandate that institutions hold more risk capital, the definition of which has narrowed. Additionally, this capital has to undergo periodic stress testing, which requires various additional models within institutions. These issues will still monopolize the attention of affected financial institutions and their internal audit functions in 2016.

In the United States, regulatory bodies have been concentrating on model risk, model governance and stress testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12 “Supervisory Guidance on Model Risk Management.” At the same time, regulators have been concentrating on Comprehensive Capital Analysis and Review (CCAR)8 and Dodd-Frank Act Stress Test (DFAST)9 results.

The Federal Reserve evaluates the stress testing and capital planning processes of U.S. banking organizations with assets greater than $10 billion through DFAST, and organizations with assets of $50 billion or more through CCAR. Note that many organizations must comply with both. The Federal Reserve reviews and assesses the results of both exercises on both a quantitative and qualitative basis.

These regulations require banks to create forward-looking projections of major balance sheet and income statement items under hypothetical economic scenarios. The items being projected include credit losses as well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.

Producing such calculations is a complex undertaking, which calls for extensive governance and new processes. Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.

In addition, banks are working quickly to develop models that can be used to create the necessary projections and calculations. The models are sophisticated and must be tested and shown to be capable of producing suitable results.

As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated per SR 11-7 and OCC 2011-12 “Supervisory Guidance on Model Risk Management.” Each new model must be separately validated prior to being used. Midsize banks may have dozens of new models for stress testing purposes, and large banks may have hundreds.

7 For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model Validation,” “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice” (available at www.protiviti.com).

8 www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf.

9 www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf.


10 For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil’s article, “Complying with the New Supervisory Guidance on Model Risk,” in the February 2012 issue of The RMA Journal.

Size Makes a Difference

The model risk management challenges financial services companies and their internal audit functions face generally vary by the size of the institution:

• Large institutions – The 20 or so largest U.S. banks already have varying degrees of mature model governance infrastructure in place; their focus tends to be on upgrading the quality of their model documentation and model validation processes. Although a number of large institutions have model risk functions, most still have difficulty obtaining specialized skills and completing large model building (or model validations) in a timely manner.

• Midsize institutions – These companies may face the most formidable model risk management challenges. Many of these firms are just beginning to build their model risk infrastructure. This process typically begins with a model risk oversight committee or the equivalent, consisting of members of risk management, modelers and business owners. Internal audit frequently serves in a nonvoting capacity on these committees. Since many of these efforts are starting from scratch, finding the talent and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial services institutions. “Many medium-size banks do not have the skills on board necessary to build or validate models,” Dil observes. “For many midsize banks, it has been a struggle to embed these skills and this capability into their cultures.”

• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary to fulfill new model risk management requirements. Instead, these companies are competing for external experts to come in and provide assistance.

Finally, there are several model risk management challenges all internal audit functions must contend with, regardless of the size of their organizations. These include data quality and availability; maintaining independence between model developers and model validators; and access to specific technical (e.g., quantitative) expertise and talent.10

By addressing these challenges, internal audit functions will help management and boards of directors understand the limitations of their models so they can make confident business decisions, which could help advance business strategies and achieve regulatory compliance.


Internal audit teams are challenged to have the quantitative expertise needed to assess whether the models meet the regulatory requirements. Significant needs include:

• Assessing the model governance program (under SR 11-7/OCC 2011-12);

• Assessing each model validation for consistency with those rules;

• Assessing model development, implementation and use; and

• Assessing compliance with CCAR and DFAST regulations.

The banking organizations that are subject to either the Federal Reserve’s CCAR or DFAST exercise are expected to have sound model risk management practices that are consistent with existing supervisory guidance on model risk management.11 As such, model risk management practice extends beyond model validation and requires input from the business and the second line of defense, while the internal audit function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant models. Notably, while CCAR banks largely have established overarching model risk management functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation and model risk expertise in various risk functions and business lines, all the way to outsourcing the entire function to external vendors.

Incorporating the regulatory expectations set forth in SR 11-7 into the banking organization’s stress testing and capital planning exercise presents specific and unique challenges.

The nature and requirements of the stress testing and capital planning exercises necessitate participation, collaboration, and transparency between all model risk stakeholders, including model developers, users, validators, internal audit, and bank management and the board of directors, to manage model risk and apply mitigating controls12 or overlays where applicable. These mitigating controls and overlays can be identified or quantified by any model stakeholders during every stage of the stress testing and capital planning exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow the validation team to perform a validation of a complete set of models, the validation team should make the validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and overlays to mitigate any model risk.

Although internal audit, as an independent oversight function, will not participate in such a process, it is essential that such a process is understood in relation to model risk management.

Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified resources. Some banks have started to staff quantitative expertise directly in their internal audit teams but many are relying chiefly upon outside resources to assist the bank’s audit team.

11 SR 11-7 Supervisory Guidance on Model Risk Management.

12 Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation.


Audit Process Knowledge – U.S. Financial Services Industry (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Current Expected Credit Loss (CECL) | 2.2
2 | Stress testing (CCAR/DFAST) | 2.4
3 | Derivatives and securities | 2.4
4 | Derivatives and hedging | 2.4
5 | Mergers and acquisitions due diligence | 2.7
6 (tie) | Wholesale products | 2.3
6 (tie) | International regulation | 2.2
6 (tie) | Capital markets planning | 2.4
9 (tie) | Other Than Temporary Impairment (OTTI) | 2.6
9 (tie) | Criticized asset management | 2.4

Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL) rules as the main area where they need to improve their audit process knowledge.

CECL is a proposed credit impairment accounting standard, which is expected to be adopted shortly. The new standard is intended to address concerns that loss reserves were insufficient during the recent stress period.

The proposed CECL standard would require financial services institutions to generate forward-looking and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail more sophisticated models, which in turn will require more historical data, incorporating more types of information. The loss reserve estimation process would also involve multiple management judgements to be made using sufficient supporting information. Furthermore, institutions would need to review and reclassify their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these changes will entail significant changes in data governance, data sourcing, and related areas.

As institutions conform to the new accounting standard, internal audit would need to update the audit program for the loss reserve process. The updated audit program should assess the quality of the collected data, the consistency of asset classification, the information supporting management judgements, the accuracy of reserve calculation and reporting, the robustness of the loss reserve model, and other areas.

For example, under the new accounting standard, it is expected that troubled debt restructuring (TDR) and available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore, internal audit would need to verify that the supporting systems have updated filters and codes as required to assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests to determine whether the lifetime estimation and methodology conform to the requirements and are correctly applied to the loss reserve models.

Internal audit will also need to review several more areas that are not applicable to the current loss reserve accounting rule, including: the long-term and possibly quantifiable economic and market scenarios applied to the lifetime model; the decision of the supportive forecast window; and the support of the lifetime of different types of assets.


Impacts on Internal Audit

Internal audit has a key role to play in ensuring the organization has an effective model risk management (MRM) policy in place, which should also be formally integrated into the annual audit plan.

Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual Audit Plans

1. Ensure MRM is included within the audit universe.

2. Review the overall MRM process governance, design, resources, and adequacy to manage risk within the appetite and tolerances set by the board of directors.

3. Address the functional adequacy of models within the business processes the models are supporting (e.g., the Allowance for Loan and Lease Losses (ALLL) validation).

4. Ensure the organization has the resources and capabilities, internally or externally, necessary to both challenge the effectiveness of models and review a validation for adequacy.

5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness review of models and adjustments/overlays are completed.

6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.

7. Conduct audit review of policies for board and senior management governance over CCAR, as well as audit testing of board and management committee meetings for credible challenge.

8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modeled appropriately.


Barbi Goldstein is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Shaheen Dil, Ph.D., is a Managing Director with Protiviti and Global Leader of the Data Management & Advanced Analytics Solutions practice.

Survey respondents indicated that the number one area where they need to improve their audit process knowledge is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several factors, including:

• Internal audit’s increasing role in supporting regulatory compliance needs and monitoring, and a growing need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organization through better insights into risks.

• External guidance calling for internal audit departments to better leverage data analytics to increase sample size and analysis of information for the organization.

• A growing focus on data quality and data governance, driven by organizations’ growing reliance on big data and big data tools, increasing the need for sophisticated data analysis within internal audit.

• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk management, data governance, compliance), leading to a similar expectation for the internal audit function.

Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of the largest U.S. financial institutions.13 The study showed that internal audit functions were seeking to achieve several strategic goals in data analytics, chiefly to: perform more robust testing, increase efficiency, achieve continuous auditing, raise visibility of risk indicators, and meet the heightened expectations of regulators.

Dealing with Data Analysis Tools

[Internal auditors] are implementing the use of visualization tools and continuous monitoring, they are accessing data without a traditional “request” of IT, and they are running analytics to help them understand where the biggest risks exist.

– Barbi Goldstein, Managing Director

13 Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf.

Charlie Anderson is a Managing Director and Practice Leader for Model Risk Services within Protiviti’s Data Management & Advanced Analytics Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Data Analysis Tools – Statistical Analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions’ internal audit functions, since the majority of participants reported an increase in demand for data analytics within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/information management group within their function, while these groups indicated that they needed to ensure they had immediate access to business data within their own data warehouse or similar environment. The survey also showed that the vast majority of firms’ internal audit analytics functions are continuing to evolve toward a risk-based approach, with the goal of providing continuous monitoring to some degree in order to plan individual audits, monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to new areas within the enterprise, since the survey showed that, at the moment, firms monitor only areas where there are known risk issues.

Although there is clearly more work to be done, the findings of this benchmarking study show that internal auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper business insights via the monitoring of KRIs, rather than just analyzing data in support of individual audits.

“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing population testing in support of specific audits. Today, internal audit functions want to have a view of the business lines’ key risk indicators based on current data and use that knowledge to make informed decisions about where to dedicate their audit hours and testing. They are implementing the use of visualization tools and continuous monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating their audit plan.”

Building an internal audit analytics function requires time and more resources, however. The financial services industry results from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey show that larger financial services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms have been retaining outside help to support the internal audit team.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of data analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such as continuous monitoring and other indicators.


Adopting Agile Risk and Compliance

Risk is moving away from being a control checker and referee, to an enabler of business performance, driving a single approach for risk management and is fully taking responsibility for improving the risk culture of the organization.

– Cory Gunderson, Managing Director

Cory Gunderson leads Protiviti’s Global Financial Services Industry practice.

Matthew Moore leads Protiviti’s Risk & Compliance practice.

Organizations are realizing that their risk and compliance capabilities need to be agile, flexible and nimble in order to respond more efficiently to the changing operating environment.

General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)
1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

Managing risk and compliance has become increasingly complex and expensive for financial services organizations post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and rise of inherent risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant time, money and resources to implement required changes and prioritize risk management and compliance.


As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk management and compliance is unsustainable.

“Many organizations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti’s Global Financial Services Industry practice. “Risk is moving away from being a control checker and referee, to an enabler of business performance, driving a single approach for risk management and is fully taking responsibility for improving the risk culture of the organization. Leading practices in risk management suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and corporate messaging to help frame culture.”

Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services Industry in an Unsustainable Situation

Growth and innovation have been forced to take a back seat given risk and compliance challenges.

Large bank fines have topped $100B over the past five years.

Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.

Inherent risk continues to rise given the underlying business complexity and increased pace of change.

[Figure: Unsustainable Costs; Significant Fines ($100B); Inherent Risk; Growth and Innovation; Risk and Compliance]

A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three lines of defense and embedded into business processes. Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities to create an aligned organization that can make sound decisions, while also driving efficiencies. This is the solution we refer to as Agile Risk Management, where internal audit has a major role to play in providing independent assurance. Firms are becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked as the top area where internal auditors would like to improve their general technical knowledge, according to Protiviti’s 2016 Top Priorities for Internal Audit in Financial Services Organizations survey.


What Is Protiviti’s Agile Risk Management Philosophy?

[Figure: Protiviti Agile Risk Management Philosophy – Risk Management at the center, surrounded by Aligned Organization, Operational Excellence and Customer Satisfaction]

At the foundation of the Agile Risk Management philosophy is the central premise that business management and risk management should create a unified operating model with clear first, second and third line accountabilities.

• Agile Risk Management enables successful anticipation and response to a rapidly changing environment resulting in informed executive decisions through an aligned organization, operational excellence and customer satisfaction.

• An Aligned Organization of proactive collaboration and engagement is achieved by converging business and risk processes, while risk and business acumen is enhanced throughout the organization.

• Operational Excellence is sustained by the successful execution of business strategy supported by efficient processes, optimized technology and risk agility.

• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences and ensuring the needs of customers are considered in the design of processes, products and services.

Creating an organization that can respond to change more easily is central to the Agile Risk Management concept. Forward-looking organizations have designed components of their business model to be more configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only serves to increase costs and complexity.


Bringing risk management and compliance closer to the first line and integrating them more fully with the business creates a model that can automatically respond to changing business strategies as well as regulatory change.

Embedding agile risk management throughout the organization requires the front-line business units to still be accountable for risks while also being supported in a proactive way by independent risk management. A meaningful and well-understood risk appetite is used to make business decisions, while risk identification and monitoring are integrated within business processes.

By more effectively aligning the business and the risk and compliance functions, firms benefit in a number of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance monitoring. The organization has agile risk skills and common tools and methodologies to act efficiently, while reporting is used jointly to measure business goals and risk limits.

In all this, risk management enables the business, which leads to respected risk and compliance functions that add value to the organization.

“Internal audit plays a critical role in agile risk management by providing independent assurance on the design and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti’s Risk & Compliance practice. “This includes reinforcing the firm’s risk culture and holding front-line and risk management units accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has the unique perspective of being able to observe risk management activities across lines of defense and business units, which allows it to add value by providing important feedback on the extent to which there is alignment across the organization and the agile risk management philosophy is operating as intended.”

The time has come for proactive organizations to take the lead and adopt an agile risk management framework to better meet the challenges of today’s customers, shareholders, employees, and the risk and regulatory environment.


Understanding and Integrating Risk Culture

“When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm.”

– Michael Brauneis, Managing Director

Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions. Regulators around the world have been encouraging financial institutions to articulate and formalize their risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk culture to drive risk management within a bank.14 The Financial Stability Board (FSB) also has been very active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.15

The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs its risk/reward decision-making process, successfully executes its agreed upon strategy within its defined risk appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective risks and risk outcomes that are already realized. The FSB recognizes that risk culture has to be embedded in the overall corporate culture, which will evolve over time.

14 www.bis.org/bcbs/publ/d328.pdf.

15 Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture, www.financialstabilityboard.org/2014/04/140407/.

James McDonald is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Dolores Atallo is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Michael Brauneis is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.


In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture is fully integrated into their respective organizations.16

“Through internal employee surveys, some firms are trying to analyze today how their risk culture is being embedded in the organization to see how well their employees understand the risk culture,” says Protiviti Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO can state that the company is going to do the right things and live within its risk appetite but that message needs to be continually reinforced. Firms need to empower employees and provide them with examples of what good behavior looks like, such as instances where an employee raises their hand and identifies an issue early on, so the problem can be resolved before it becomes a larger issue.”

Another impediment to integrating risk culture can be pushback from employees who are resistant to change. Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behavior – taking compensation from people who misbehave or break limits – rather than rewarding employees that are beacons of good culture. That is a backward-looking behavior modification, more so than incentivizing proper future behavior. “Those employees who raise their hands when they have an issue, with the issue then being debated and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.

Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major barrier to the effectiveness of risk culture in large financial services firms. Organizations can stage all-hands town hall staff meetings to reinforce this messaging but it has to have the support of the board and executive management, who need to work to ensure risk culture is integrated with the growth objectives and strategy of the firm. Risk culture also needs to grow and change with the organization as it evolves, providing an additional challenge for firms to maintain consistency in their risk culture messaging.

The BCBS guidelines on risk governance also recognize that compensation systems are a key component for a financial institution to convey acceptable risk-taking behavior and reinforce its operating and risk culture. It states that remuneration programs “should encourage a sound risk culture in which risk-taking behavior is appropriate and which encourages employees to act in the interest of the company as a whole rather than for themselves or only their business lines.”

16 Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: www.protiviti.com/en-US/Documents/RMA-Journal-From-Theory-to-Evolving-Practice.pdf.


Risk Culture is the Keystone

Culture is the keystone that holds things together, providing a source of strength or weakness for the organization. An actionable risk culture helps balance the inevitable tension between (a) creating enterprise value through the strategy and driving performance on the one hand, and (b) protecting enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push between strategy and risk appetite.

Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series) (www.protiviti.com/cro-series).

[Figure: Culture as the keystone, spanning Performance Management and Risk Management on one axis and Business Strategy and Risk Appetite on the other.]

Impacts on Internal Audit

Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture, which is the keystone of an organization’s risk management framework.

Compensation and incentive schemes are one obvious area for internal audit functions to review for their alignment with the company’s intended risk culture but there are other areas that warrant internal audit’s focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone audits to determine the level of cultural integration in the organization, several topics that internal audit reviews in the daily course of business can provide insights into this area. Examples of these include evaluating the percentage of known issues that were first identified by a business process owner (versus internal audit, a regulatory agency, or another independent source) and the status of remediation of issues (issues that take too long to address or are in “past due” status often are indicators of a firm’s risk culture).


Internal audit certainly has a greater role to play in reinforcing risk culture within the organization. An effective internal audit department could and should have a role in reporting risk culture, but few audit functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture. Firms can, however, include risk culture aspects in their existing audit processes: “This is almost a continual process where audit can pick up on where risk culture has been embedded particularly successfully or not at all,” says Protiviti’s Director Mathew Perconte. “Internal audit can reinforce some of the firm’s risk culture messaging through their existing audits.”

Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design of risk management systems, corporate governance structures and risk appetite statements. “If internal auditors are truly acting as independent practitioners inside a firm, they can drive culture because they are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organization and how seriously their recommendations are taken. “When the leadership team takes audit findings seriously and immediately puts pressure on the line of business where the issues were identified to resolve the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem and where there are many repeat findings.”

Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront and respond to these considerations can help the organization’s thinking and actions on risk culture evolve past tone at the top to become a more practical consideration in day-to-day business activities.

Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the OCC’s Heightened Standards, which require firms to show they have a strong risk management framework, an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are being asked by audit departments how they can show this. Our response is that they should, throughout the year, have a number of audits of lines of businesses and support functions to gauge how the company’s risk framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to the OCC Heightened Standards and a big part of that is risk culture.”


Understanding and Integrating Risk Appetite

“Most of the focus has been around setting a risk appetite statement at the board level but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be.”

– Timothy Long, Managing Director

Scott Jones is a Managing Director with Protiviti’s Internal Audit and Financial Advisory practice.

Timothy Long is a Managing Director with Protiviti’s Risk & Compliance Solutions practice.

A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a bank’s risk appetite statement (RAS) and in turn the risk appetite statement should inform the bank’s risk culture.

Guidelines from regulators around the world state that formal written risk frameworks should be maintained that cover all applicable risk categories, as well as any other material risk types to which an institution may be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk appetite statement at the board level. However, firms need to push the risk appetite framework into the lines of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’ priorities in the most effective and efficient manner. The highest levels of management, up to and including the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk management are crucial to ensure that all stakeholders embrace the overall approach.

Many financial services regulators around the world have stated that driving a risk culture throughout an organization, resulting in a shared understanding and compliance with the risk appetite, is equally as important as having a written RAS. Especially in large organizations, consistency in understanding and realizing risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex, and highly interconnected banks allowed operational units to define risk appetite in terms of their own needs and priorities. At best, this resulted in organizational confusion. At worst, it contributed to major breakdowns in risk management. And for banks with such broad impact on the financial system and the economy, that is simply unacceptable.”17

17 Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf.

Matthew Perconte is a Director with Protiviti’s Risk & Compliance Solutions practice.


Audit Process Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)

1 | Data analysis tools – statistical analysis | 3.5
2 | Auditing IT – program development | 3.0
3 | Auditing IT – security | 3.1
4 (tie) | Auditing IT – continuity | 3.2
4 (tie) | Quality Assurance and Improvement Program (IIA Standard 1300) – Ongoing Reviews (IIA Standard 1311) | 3.2
6 (tie) | Operational auditing – effectiveness, efficiency and economy of operations approach | 3.2
6 (tie) | Fraud – fraud detection/investigation | 3.2
6 (tie) | Assessing risk – emerging issues | 2.2
9 | Audit planning – process, location, transaction level | 3.5
10 | Operational auditing – risk-based approach | 2.4

“Most of the focus has been around setting a risk appetite statement at the board level but at some point regulators are going to start pushing risk appetite down into the individual lines of business, which is exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk & Compliance Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost meaningless because the practices in the various divisions from real estate to mortgages are completely unrelated and separate; they need their own framework, defense lines and understanding of their own risk appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”

Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge, skills and capabilities. Integrating risk appetite is a difficult task for the organization as a whole, and many internal audit functions are also struggling to determine their role in providing assurance on it to management and the board.

According to the Financial Stability Board’s Principles for an Effective Risk Framework, published in November 2013,18 the RAS must include measurable, frequency-based, understandable and comparable metrics that can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to consider when auditing risk appetite.

Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit KRIs, which all have defined tolerances and thresholds that are monitored frequently.

18 Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf.


Risk appetite metrics cannot simply be developed by the board and senior management and pushed down into the LOBs, since there is a significant risk that the risk appetite measurement and management process would become a check-the-box exercise. The development process needs to be collaborative among top management, independent risk management and front-line units to avoid a disconnect at the front-line level.

“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions, products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with designing these metrics, which need to evolve as the organization evolves. The creation of these metrics could be one area where internal audit focuses efforts to ensure the risk department and the business continually update and improve risk appetite metrics.”

To drive risk appetite effectively, organizations need to be consistent in promoting good risk culture with ongoing education and dialogue. A well-operating risk management framework should enable an ongoing, enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.

“Another area where internal audit can test to see if the RAS is being implemented properly throughout the organization is by monitoring communication channels, such as town hall and staff meetings and LOB committees, to check if the RAS is being discussed widely in the company rather than being limited to the risk committees. LOBs need to show they are actively considering the risk appetite when making business decisions. Another good test is whether the organization’s risk appetite is being discussed in mandatory internal training at all levels,” adds Perconte.

Impacts on Internal Audit

Chief audit executives and the internal audit function need to first ensure that they fully understand the firm’s risk appetite statement and framework. From such a solid grounding, the internal audit department forms an integral part of the risk appetite framework by providing oversight to ensure the framework is being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process to check if the three- and five-year plans are informed by the organization’s risk appetite and risk capacity. This then needs to be linked to the company’s capital stress tests to show that in a stressed environment the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital. Regulators will be looking for that linkage.

“Internal auditors almost need to become risk managers. They need to understand where risks are being generated and how they are supposed to be controlled. They are required to opine on the risk management systems the business has in place in order to control those risks. That is not what internal audit has traditionally done and in a lot of cases they are not equipped to do it.”

– Timothy Long, Managing Director


The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.

Key Aspects to Consider When Auditing Risk Appetite

The Financial Stability Board noted specific components of a strong risk appetite statement in the November 2013 report entitled Principles for An Effective Risk Appetite Framework. The report’s graphic summarizes them as eight characteristics of an effective risk appetite statement:

Informed: The RAS includes key background information and assumptions that informed the strategic and business plans at the time they were approved.

Qualitative: The RAS includes qualitative statements that articulate the motivations for taking on or avoiding certain types of risks and includes a reasonable number of appropriately selected risk metrics.

Linked to Corporate Goals: The RAS has strong linkages with the short- and long-term corporate strategy, capital and financial plans. Risk metrics are aligned to the incentive compensation plan and employees are appropriately incented to support prudent risk taking in line with corporate goals.

Forward-Looking: The RAS allows the financial institution to view the desired risk profile under a variety of scenarios.

Material Risk-Focused: The RAS expresses the maximum level of risk (material and overall) the organization is willing to operate within under normal and stressed conditions.

Quantitative: The RAS includes measurable, frequency-based, understandable and comparable risk metrics that can be translated into risk limits applicable to business lines, legal entities and group level, and linked to the enterprisewide RAS.

Defines Risks: The RAS clearly establishes the type and amount of risk the organization is prepared to accept in pursuit of its strategic objectives and business plan.

Supported: The RAS is supported by appropriate controls and stress tests.


Coping With the Pace of Change in Mobile Applications

“Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps ... can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it.”

– Ed Page, Managing Director

Jason Goldberg is a Director with Protiviti’s Business Performance Improvement practice.

Ed Page leads Protiviti’s U.S. Financial Services Industry IT Consulting practice.

Mobile banking and mobile payments are growing in popularity as financial institutions respond to customer demand for more convenience and more products through mobile channels. Mobile payment technologies are evolving as quickly as the smartphones they run on, with many different participants in a burgeoning ecosystem of traditional and non-traditional players, including Apple, Samsung, Google and PayPal, among others. The speed of change, the introduction of new third parties and the myriad risks presented by such new technology present a wave of new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial services industry pinpointed mobile applications as an area where they need to improve their technical knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second by internal auditors in the same survey conducted in 2015).


General Technical Knowledge (top 10 areas)

“Need to Improve” Rank | Areas Evaluated by Respondents | Competency (5-pt. scale)

1 | Agile risk and compliance | 2.2
2 | Internet of Things | 2.7
3 (tie) | NIST Cybersecurity Framework | 2.3
3 (tie) | GTAG 16 – Data Analysis Technologies | 2.7
5 (tie) | ISO 14000 (environmental management) | 2.1
5 (tie) | ISO 27000 (information security) | 2.7
7 | Mobile applications | 2.3
8 (tie) | International Financial Reporting Standards (IFRS) | 2.2
8 (tie) | Country-specific enterprise risk management framework | 2.9
10 (tie) | Assurance around outsourced service providers | 2.6
10 (tie) | 2013 COSO Internal Control Framework – Evaluation of “Presence, Functioning and Operating Together” | 3.3

“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of Protiviti’s U.S. Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing environment is a challenge for everyone from risk managers to IT practitioners and auditors. That bleeds into all kinds of change management and control considerations that we probably didn’t have to deal with before, at least at the rate of change that exists now.”

The old model of branch-based banking, and even online services, was protected by the fact that financial institutions owned the infrastructure on which those services were provided. In the mobile world, there are many more variables: the devices are owned by the customer; there are dozens of variations of smartphones, running varying operating systems; and there has also been an influx of new third-party service providers offering services such as in-app payments or mobile wallets.

All of these different factors create a complex, disparate mobile environment. Page advises professionals in all financial services departments to: “Embrace the pace of change and the fact that there are so many variables in the environment as the new norm.”

Page adds, “Firms need to design their programs and control structures around much faster cycle times, which is where Agile software delivery and DevOps, which is about continuous change management, can help. Auditors need to embrace the fact that continuous change is coming and they need to build their control programs around it.”

The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.

“Rather than fight this change, auditors need to become part of the team that develops the new software services from the beginning, using the Agile method to ensure it is delivered in a method that still has the necessary controls around it,” says Page.

There are many risks associated with mobile applications – security being the most obvious. Although the cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that are considering offering mobile payment services also have issues to consider around account provisioning, data management, vendor management, and complex systems integration, as well as other operational and reputational risks. The fragmented nature of the legacy technology and operations environment is only compounded by the emerging technology overlay, making these challenges particularly acute.


Account Provisioning

The main risk of mobile applications for firms is around user authentication – making sure the user is who they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two examples – the customer is required to provision their credit or debit card account onto their device. Banks have experienced relatively high levels of fraud related to Apple Pay, specifically in the account provisioning step, where the issuer is contacted to verify the customer’s identity and card information.

“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are incredibly sophisticated. In cases where financial institutions were using personal data to verify an account prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about the user authentication process and account provisioning process to ensure they are doing all they can to identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to remain logged in without re-authentication? What levels of authentication should be required? Is there a need for multi-factor authentication of a device?”

Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based on all of the data they have related to account past behavior. Working with geo-location information with mobile applications is one way to help reduce fraud as it can be used to match customers’ past transaction history. Banks should be working with their core banking platform provider or third parties to look at all of the data going through their networks.
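The behaviour-based monitoring described above, as an added example that is not part of the original report or any bank’s production logic: each new mobile transaction is scored against the account’s own history on geo-location (implied travel speed since the previous transaction), amount and device, and a high score triggers re-authentication rather than a silent decline. The thresholds and the sample transactions are constructed assumptions.

```python
"""Transaction-monitoring rules for mobile payments: an added illustration,
not Protiviti's code or any bank's production logic. Sample transactions are
constructed and the thresholds are assumptions an institution would tune
against its own history.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    account: str
    when: datetime
    amount: float
    lat: float
    lon: float
    device_id: str


@dataclass
class Alert:
    txn: Txn
    reasons: list[str] = field(default_factory=list)
    score: int = 0


# Assumed thresholds (illustrative, not taken from the report).
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly the speed of a commercial flight
AMOUNT_ZSCORE_LIMIT = 3.0
MIN_HISTORY_FOR_STATS = 5
STEP_UP_SCORE = 2                 # score at which re-authentication is demanded


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_transaction(history: list[Txn], txn: Txn) -> Alert:
    """Compare one new transaction with the account's own past behaviour."""
    alert = Alert(txn)
    past = sorted((t for t in history if t.account == txn.account), key=lambda t: t.when)
    if not past:
        alert.reasons.append("no history for account")
        alert.score += 1
        return alert

    # 1. Geo-location vs. the previous transaction: implied travel speed.
    prev = past[-1]
    hours = (txn.when - prev.when).total_seconds() / 3600
    dist = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
    if hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
        alert.reasons.append(f"impossible travel: {dist:.0f} km in {hours:.2f} h")
        alert.score += 2

    # 2. Amount far outside the account's usual distribution.
    amounts = [t.amount for t in past]
    if len(amounts) >= MIN_HISTORY_FOR_STATS:
        sd = pstdev(amounts)
        z = (txn.amount - mean(amounts)) / sd if sd > 0 else 0.0
        if z > AMOUNT_ZSCORE_LIMIT:
            alert.reasons.append(f"amount z-score {z:.1f}")
            alert.score += 1

    # 3. Device never seen on this account before.
    if txn.device_id not in {t.device_id for t in past}:
        alert.reasons.append(f"new device {txn.device_id}")
        alert.score += 1
    return alert


def requires_step_up(alert: Alert) -> bool:
    """True when the score is high enough to require re-authentication."""
    return alert.score >= STEP_UP_SCORE


# Constructed sample data: a customer transacting daily around Chicago.
_BASE = datetime(2016, 3, 1, 9, 0)
SAMPLE_HISTORY = [
    Txn("acct-1", _BASE + timedelta(days=i), 40.0 + 5 * (i % 3), 41.88, -87.63, "dev-A")
    for i in range(6)
]
# A routine purchase the next morning from the known device.
SAMPLE_NORMAL = Txn("acct-1", datetime(2016, 3, 7, 9, 0), 45.0, 41.90, -87.60, "dev-A")
# Thirty minutes after the last Chicago purchase: London, large amount, new device.
SAMPLE_SUSPICIOUS = Txn("acct-1", datetime(2016, 3, 6, 9, 30), 900.0, 51.51, -0.13, "dev-B")

if __name__ == "__main__":
    for t in (SAMPLE_NORMAL, SAMPLE_SUSPICIOUS):
        a = score_transaction(SAMPLE_HISTORY, t)
        print(t.when, a.score, requires_step_up(a), a.reasons)
```

The routine purchase scores 0 and passes; the London transaction trips all three rules (score 4) and would be held for step-up authentication, which is the control an auditor would expect to see evidenced.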

There are additional challenges for firms now that liability has shifted, since October 2015, from the credit card issuers to the weakest link in the transaction. There is an added complication in the United States as it continues to transition from magnetic stripe cards to EMV, or chip-and-PIN enabled cards. This poses a potential problem for retailers, because during a LoopPay transaction the liability shifts to them, since the technology bypasses the need for the customer to enter their PIN.

As well as the fraud liability issues, these payment services are relatively new technology with glitches that can impact the consumer experience. These services are also not clearly understood by consumers or retailers, who often blame the bank when payments fail, damaging the bank’s reputation.

Additionally, when the technology fails or there are issues with account provisioning, customers are increasingly contacting their banks for technical support. Banks have to be prepared to train their customer service teams or put in place new servicing teams that have more technical expertise.

With all of these new entrants into the payments space, financial institutions need to have robust vendor management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to third parties and are using core banking platforms that are also managed by third parties. These functions, or modules, often don’t integrate well. Auditors need to take a close look at the end-to-end customer experience on every path to make sure that it is controlled from module to module, and controlled in a way that makes sense.


Impacts on Internal Audit

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is up to date with the latest technology that will be adopted by its organization and that the firm is considering all potential risk exposures.

Action Items Chief Audit Executives and Internal Audit Functions Need to Consider

1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services, platforms, vendors, etc.).

2. Ensure that third parties are addressed in vendor management policies and procedures.

3. Consider fraud risk related to mobile transactions within customer-facing processes (originations and servicing).

4. Understand the security approach to having a mobile presence.

5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.

6. Understand mobile application change management plans and controls.

7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.

8. If applicable, consider the controls necessary to support an Agile software delivery model.

9. Consider cross-platform service management, including third-party components.

10. Consider the firms’ liabilities, policies and procedures in relation to account provisioning on mobile devices.


In Closing

Chief audit executives and internal audit departments will continue to be challenged by regulatory requirements and advances in technology that subject organizations to a continually changing risk profile. As this paper has shown, the list of internal audit priorities for financial services firms continues to grow, and with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and model risk.

Advances have been made by internal audit to connect more with the lines of business and management as part of collaborative efforts to improve oversight and to help the organization understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defense while also helping organizations become more efficient and work to optimize existing resources as difficulties in hiring and retaining talent become ever more acute.

In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing approaches and tools to help them meet their growing list of priorities, especially since emerging technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.

Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus on improving their skills in order to assist organizations in their continued growth, while at the same time ensuring internal audit becomes a key strategic partner in the broader enterprise.


About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

Contacts

Scott Jones, Managing Director, Internal Audit and Financial Advisory, [email protected]

Cal Slemp, Managing Director, IT, [email protected]

Ed Page, Managing Director, IT, [email protected]

Cory Gunderson, Managing Director, Global Leader, Financial Services, [email protected]

Michael Thor, Managing Director, Internal Audit and Financial Advisory, [email protected]

Barbi Goldstein, Managing Director, Internal Audit and Financial Advisory, [email protected]

Matthew Moore, Managing Director, Risk & Compliance, [email protected]

Timothy Long, Managing Director, Risk & Compliance, [email protected]

Michael Brauneis, Managing Director, Risk & Compliance, [email protected]

Matthew Perconte, Director, Risk & Compliance, [email protected]

James McDonald, Managing Director, Risk & Compliance, [email protected]

Dolores Atallo, Managing Director, Risk & Compliance, [email protected]

Shaheen Dil, Managing Director, Data and [email protected]

Jason Goldberg, Director, Business Performance [email protected]

Charlie Anderson, Managing Director, Data and [email protected]


© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-101079

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

* Protiviti Member Firm

THE AMERICAS

UNITED STATES

Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro São Paulo

CANADA

Kitchener-Waterloo, Toronto

ASIA-PACIFIC

AUSTRALIA

Brisbane, Canberra, Melbourne, Sydney

CHINA

Beijing, Hong Kong, Shanghai, Shenzhen

INDIA*

Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

CHILE*

Santiago

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE/MIDDLE EAST/AFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

SOUTH AFRICA*

Johannesburg

QATAR*

Doha

SAUDI ARABIA*

Riyadh

UNITED ARAB EMIRATES*

Abu Dhabi Dubai