«At a glance The near collapse of the world economy triggered Regulatory reform and the role regulatory reforms with the of internal audit power to ...»
At a glance
The near collapse of the
world economy triggered
Regulatory reform and the role
regulatory reforms with the
of internal audit
power to fundamentally
change how financial
services organizations do
As the financial services
industry responds to an
unprecedented level of
evolving regulatory reform,
internal audit functions
must adapt to meet the
presents internal audit with
a unique opportunity to
position itself as a trusted advisor to the audit committee and management while meeting the expanding expectations of regulators.
1 Internal audit functions have a unique opportunity. The last time the United States implemented financial regulatory reform on par with what's happening in this decade was in the 1930s, following the Great Depression. Today's sweeping changes are practically unprecedented and continue to evolve. They're creating myriad business challenges — as well as a chance for internal audit to enhance its value proposition.
What's at stake?
The financial services industry faces its most significant regulatory reforms since the Great Depression. The Dodd-Frank Wall Street Reform and Consumer Protection Act, Solvency II, Basel III, and other new regulations present challenges that transcend compliance. They are causing financial services companies to reconsider significant business and operating strategies.
To date, reaction varies among the companies most affected, with the largest financial services institutions taking the most active approach in addressing regulatory reform. The nation’s largest banks, investment banks, and other financial institutions are out in front of the rule making, actively reviewing the proposals, commenting on the anticipated effect on their respective business lines, and creating project plans to execute the required changes.
Many of the largest organizations have set aside hundreds of resources and have created detailed project governance structures with proactive involvement of business line leaders, compliance and legal professionals, and other support functions.
The graphic below shows a typical regulatory reform governance structure. It highlights the resources organizations are expending to comply with the rapidly changing regulations in the financial services industry.
Risk/Compliance Steering Committee PMO People Strategy Working Group 1 Working Group 2 Working Group 3 Working Group 4
As financial regulators begin to push out the final rules associated with Dodd-Frank and Basel III, among others, the business focus is changing from reviewing proposed rules and assessing the impact on the business to implementing the required changes by identifying and executing specific projects. Internal audit can play a significant role in enhancing management's action plans to increase the likelihood of success.
Role of internal audit As institutions begin executing their implementation plans, internal audit has a unique opportunity.
It may strengthen or even reposition its organizational relevance by providing timely, valuable, and meaningful insights and perspective as management works toward successful completion of the changes required by the new regulatory program. To capitalize on this opportunity, internal audit should take maximum advantage of its unique vantage point and unrestricted access across all aspects of the organization.
Playing an active part To help internal audit organizations avoid being surprised by the breadth of regulatory change, leading internal audit teams in large, midsize, and small institutions are becoming increasingly engaged in developments on the regulatory front. Based on input from a number of leading financial services clients, we've learned that most internal audit functions believe they are expected to and should play a role in understanding the changes that are being implemented throughout the organization. But there's no consensus regarding how active its role should be.
And while a majority of our clients say they should have a role in regulatory reforms, few acknowledge having a plan, the resources, or necessary knowledge to cover those regulatory reforms that will have the greatest effect on the financial services industry.
Seizing the opportunities of regulatory reform The size and business scope of an institution will dictate the degree to which regulatory reform affects it. Global institutions will face the full force of multiple regulatory regimes all flexing their muscles in response to the financial crisis. Smaller, domestic institutions will carry a lesser burden, but will still be subject to a myriad of new regulatory expectations.
Regardless of the scope of the regulatory reforms an institution faces, internal audit can position itself in several important roles. It will support multiple stakeholders as an objective monitor and assessor of the implementation efforts for the audit committee, executive management, and the regulators. In addition, through the development of a deep understanding of the changing environment and the organization's planned actions, internal audit can also serve as a trusted advisor to management.
Internal audit should also consider the following as it
establishes its role in regulatory reforms:
Positioning — Understand the expectations from Positioning internal audit's major stakeholders (i.e., board, management, and regulators).
Methodology and people — Determine and address the impact of the coverage plan on internal audit's methodology and people.
Positioning Internal audit functions have broad visibility and a mandate that cuts across the entire organization, enabling internal audit to provide insights and perspective which will aid management as they address significant challenges and risks. Considering the pervasive effects regulatory reform will have on financial institutions, internal audit has never had a better opportunity to demonstrate its true value. To do so, internal audit must use its understanding of the expectations of its stakeholders
and align its coverage plan to meet:
Board expectations The audit committee and other board members will naturally look to internal audit to be their eyes and ears to help assess the assertions made by management. They will be sought out to evaluate whether changes to the business and operations stemming from regulatory reforms are being implemented completely and accurately.
Management expectations Management will also look to internal audit for advice on internal control matters, especially as they relate to new businesses and new processes as they are rolled out. Internal audit can also provide objective assurance on the progress of the changes to processes that support compliance with regulatory reforms. And it can be an effective sounding board by challenging management’s approach to decisions and project management processes.
Regulatory expectations Internal audit will be expected to provide coverage of the regulatory reform program. As regulators are stretched because of their own organizational changes and expanded mandates, they are frequently expecting to rely on the work of internal audit to assist them in making assessments of the organization's adherence with the new requirements.
unexpected events and special requests in 2012 and 2013 as a result of the anticipated impacts of regulatory reforms.
Some factors to consider when developing a risk assessment and coverage plan include the following:
Risk assessment Internal audit should revisit its risk assessment framework to determine the adequacy of regulatory risk coverage and whether enhancements are needed.
Temporary changes may be needed in the risk assessment framework to cover greater risk during reform implementation. The new realities of doing business in the regulatory regime may require more permanent changes.
Changes to the risk assessment framework must consider regulatory reforms on a global basis and address the extraterritorial nature of regulatory regimes (e.g., the effect of the Volcker Rule on foreign banking entities).
Internal audit should consider updating the risk and controls matrices (if used) for regulatory reform-driven changes in processes, risks, and controls.
Assess the impact of regulatory reforms on the business-as-usual audits for critical processes (e.g., market, operational, and risk management; trading and settlement; annual stress testing) and perform additional procedures as necessary. This assessment should include measuring the effect on the business strategy, systems, and procedural changes that will result from the regulatory reforms.
Regulatory rule making is a fluid process. Internal audit’s plan should allow for flexibility to respond to changes in the rule-making process and ultimately the implementation timeline. The timeline that follows represents example audit areas to consider while developing the risk-based coverage plan.
Methodology and people Internal audit should also consider the impact of the regulatory reforms on its core processes, methodology, and people. Key areas for consideration follow.
Methodology An internal audit team's methodology considers the risks the institution faces and the way management controls these risks. Flexibility in the methodology allows for changes to meet the demands of regulatory reform.
Given the extensive nature of the regulatory reforms, internal audit may consider adapting its continuous monitoring process to identify the effect of regulatory risk and consider it while periodically updating the audit plan.
Continuous monitoring efforts also can be tuned to identify additional stresses in existing processes as resources are redirected to address the regulatory reforms.
Continuous auditing As internal audit is assessing new risks associated with regulatory reforms, it will be considering how best to audit these new risks. Using data analytics and continuous audit techniques should be a prime consideration. Now more than ever, this use of technology in the audit process may allow internal audit to address the new risks in a more efficient way.
Internal audit reporting Critically assess whether current reporting channels to the audit committee and management are adequate and provide a consolidated view of regulatory reform activities based on the audit coverage.
Internal audit may also consider sharing through its reports leading practices across workstreams, issues noted in its reviews, and follow-up on the implementation of management action plans. In addition, internal audit may consider enhancing its reporting on issues to include not just its own action plans, but also the plans associated with regulatory examinations, SOX, and risk and control self-assessment.
Internal audit can request regulatory reform-focused meetings with the audit committee to establish clarity regarding expectations and provide a thorough assessment of the organization’s reform program.
Clear documentation of internal audit's work on regulatory reform-related areas can improve the likelihood of reliance by regulators.
Performing a skill set assessment and gap analysis can help to identify the skills and training
required to execute the enhanced coverage plan. Internal audit should focus on:
Audit teams affected by the reform activities — In the short term, risk, corporate, and capital markets audit teams are expected to face the most stringent demand for resources. Internal audit should consider short-term staffing solutions, which may include guest auditors and co-sourcing, and a long-term staffing plan to address resource needs.
Knowledge management program — Develop a program so internal audit staff members are knowledgeable about the aspects of regulatory reform that affect the institution. This may include additional training, where necessary, to improve audit's ability to provide value-added audit coverage. Also, keep staff members current on the status of the institution's remediation program, and encourage enhanced communications among team members to identify company issues.
7 Bringing it all together The following graphic shows a summary of short-term take-aways and action items for internal audit as it establishes its role in regulatory reform and creates its coverage plan.
How PwC can help with positioning, risk assessment and coverage plan, and methodology and people As regulatory reforms develop and take shape, internal audit teams have an opportunity to elevate their value and relevancy to management and the audit committee. To remain relevant, internal audit must stay abreast of the changes from a regulatory perspective and be aware of how peer organizations interpret the regulatory reforms and implement the processes and controls necessary to comply. As discussed, internal audit will need to focus on positioning, the risk assessment and
coverage plan as well as methodology and people. PwC can assist internal audit functions by:
Assisting chief audit executives (CAEs) in establishing and messaging the role of internal audit in the regulatory reforms within the organization Assisting the CAE in enhancing internal audit reporting to its stakeholders (audit committee, management and regulators) to highlight internal audit's regulatory reform coverage