www.pwc.com

Internal Audit's Role in Regulatory Reform - The Dodd-Frank Act
March 15, 2012

Agenda
• Regulatory Reform Landscape
• Internal Audit's Response to Date
• Role of Internal Audit
  - Overview
  - Key Factors to Consider
  - Positioning
  - Risk Assessment
  - Coverage Plan
  - Methodology & People
  - Bringing it all together

PwC 3/15/2012 2

The Dodd-Frank Act will have a significant impact on the strategies and business operations of financial services firms

• Assessing the impact and managing the implementation of the Dodd-Frank Act (DFA) is not a routine regulatory project given the:
  - Volume and complexity of rules;
  - Number of federal agencies (e.g., SEC, Fed, CFTC, FDIC and others) that are independently writing and releasing rules;
  - Tight timelines associated with implementing financial reforms; and
  - Scores of stand-alone and interdependent implementation projects (e.g., the "portfolio" of projects), at both the business and enterprise level, that must be initiated, funded, managed, and monitored over the next three to five years.
• As the financial services industry changes and institutions react and adjust to these new regulatory reforms, so too must internal audit.
• Owing to the extensive nature of the regulatory reform and its global impact, internal audit must position itself both as a partner with management as it addresses the challenges, and as an independent monitor and assessor of the implementation efforts for both the audit committee and the regulators.

Dodd-Frank – U.S. element of global financial regulatory reform

Macro and Micro – Prudential Supervision
• Sharpened focus on mitigating systemic risk and maintaining financial stability through use of macro-prudential supervision tools
• Increased coordination among global supervisors
• Heightened examination scrutiny of large, complex financial institutions

Systemically Important Financial Institutions
• Recent designation of 29 global systemically important financial institutions ("G-SIFIs")
• Nonbank "SIFI" designations still to be determined
• New requirements ranging from higher capital and liquidity buffers, recovery and resolution plans, and prudential risk management standards

Governance, Transparency, and Consumer Protection
• Renewed accountability at the Board and executive management levels – appropriately balancing risk and reward
• Increased reporting and data collection to benefit monitoring of risk
• Greater emphasis and scrutiny on the consumers' interests

Where are we now in the U.S.: Status of the rule making process
• Still just starting: Fewer than 20% of the rules required by Dodd-Frank have been finalized.
• Late: Many mandated rulemaking deadlines have been missed and regulators have pushed back the effective date of certain provisions.
• Overwhelmed: Regulators have never gone through a period of such voluminous rulemaking.
• Uncertain: With so many open rules and impending deadlines, financial institutions are having to manage through the uncertainty.

How do organizations react?
As new regulations are enacted and as existing regulations evolve, organizations are tasked with:
• Evaluating the complexity and interpreting the nuances of these changes
• Interpreting the rules and understanding their applicability to the various business(es) within the organization
• Assessing the impact of the rules on all areas of the enterprise
• Convening a steering committee to drive the necessary changes in process throughout the organization
• Organizing a Project Management Office to oversee the required changes

As illustrated in the graphic below, organizations are expending considerable resources to ensure compliance with the rapidly changing regulations in the financial services industry.

[Figure: a Risk/Compliance Steering Committee directing a PMO, with Working Groups 1-4 (People, Strategy, Operations/IT) implementing the required changes]

Internal Audit's Response to Date

Large Institutions
The new regulatory environment is front and center in everyone's mind. Having said that, we see that some companies are responding differently than others. We have noted that, in general, the nation's largest banks, investment banks and other financial institutions are out in front of the rule making by actively reviewing the proposals and commenting on the anticipated impact on their respective business lines. Many of these organizations have set aside multiple hundreds of resources, have created detailed structures and have developed an organized approach, getting business leaders, compliance and legal professionals, as well as other support functions, involved in the process in the earliest phase. In many of these cases, internal audit has made a concerted effort to be involved by engaging with Project Management Offices (PMOs) as the inevitable projects begin to take shape.
Internal Audit's Response to Date (continued)

Small to Mid-Sized Institutions
• The internal audit functions of small to mid-sized organizations are often challenged on the resource front and are frequently attempting to respond without dedicated resources.
• Most internal audit functions believe they should play an active role in understanding the changes that are being implemented throughout the organization and monitoring their progress, including pre-implementation and post-implementation reviews.
• While a majority of respondents recognize a need to stay abreast of what is going on in their organizations with respect to regulatory reform, only a minority acknowledge that it is their responsibility to update the audit committee.
• At the current time, half of the internal audit functions surveyed do not believe they have sufficient resources to address the changes in risk that are occurring throughout the organization as a result of regulatory reforms.

Role of Internal Audit – Overview
• The regulatory reforms have far-reaching implications for financial services organizations regardless of their size.
• The regulatory reforms will go beyond compliance and will impact the business strategy of the organizations.
  - Existing products and services will be eliminated (e.g., proprietary trading) and new products/services will be introduced.
• Regulatory reforms present a significant opportunity for internal audit to demonstrate value over and above its annual audit plan and should be a key focus area in 2012 and beyond.
• Internal audit has an opportunity to earn a seat at the table in the long run by assisting management in the successful implementation of the regulatory program.
• Internal audit should take a proactive approach in determining and communicating its role in regulatory reforms.

Role of Internal Audit – Key Factors to Consider
• Internal audit should consider the following as it establishes its role in regulatory reforms:
  - Positioning: Understand the expectations of its major constituents (i.e., regulators, management and board)
  - Risk Assessment and Coverage Plan: Adapt the risk assessment process with a goal of developing a coverage plan to address its stakeholders' expectations and internal audit's mandate
  - People & Methodology: Identify and address the impact on internal audit's people and methodology to effect its regulatory reform coverage plan and meet stakeholder expectations

[Figure: three linked elements – Positioning; Risk Assessment and Coverage Plan; People & Methodology]

Role of Internal Audit – Positioning
• Internal audit's assessments of vertical processes (work stream specific), horizontal processes (across work streams) and the program and project management can be critical to its stakeholders.
• Internal audit needs to consider the expectations of all its constituents while developing its coverage plan with respect to the regulatory reforms.
• Regulatory expectations
  - Regulators' expectations will not be prescriptive, but they will expect to see coverage of the regulatory reform program
  - Comprehensive coverage of the regulatory reform program will be critical in the internal audit function's progression from a "satisfactory" to a "strong" OCC rating
  - Regulators expect to be able to rely on the work of internal audit
• Management expectations
  - Provide independent assurance on the progress of the changes in processes to support compliance with regulatory reforms
  - Act as a sounding board by challenging management's approach to decisions
• Board expectations
  - Be the eyes and ears of the board
  - Provide assurance that regulatory reforms are being implemented completely and accurately

Role of Internal Audit – Risk Assessment
Internal audit should perform the following:
• Revisit its risk assessment framework to determine the adequacy of regulatory risk coverage and whether enhancements are needed.
• Engage in proactive discussions with the audit committee and management to understand their concerns and priorities.
• Develop a risk-based coverage plan that addresses the most pressing challenges of the organization and aligns with the expectations of its stakeholders.
• Set aside extra time for unexpected events and special requests in 2012 and 2013 as a result of the anticipated impacts of regulatory reforms.
• Recognize that temporary changes to the risk assessment framework may be required to cover enhanced risk during reform implementation. The new realities of doing business in the current regulatory regime may require more permanent changes.
• Ensure changes to the risk assessment framework consider regulatory reforms on a global basis and address the extra-territorial nature of regulatory regimes (e.g., the effect of the Volcker rule on foreign banking entities).

Role of Internal Audit – Coverage Plan Overview
Internal audit can play a significant role in ensuring that the regulatory reform strategy and its execution are being managed effectively across the organization.

Rule Based Coverage: Pre-implementation and parallel reviews should be performed focusing on assessing the effectiveness of the process and system implementation plans in addressing the critical rules and requirements.
Internal audit should consider building rule-specific Coverage Plans (e.g., Volcker, OTC derivatives, Recovery and Resolution) to assess the changes being implemented in the business areas.

Strategy & Governance: Review of the organizational strategy and governance structure to identify, assess, interpret and implement regulatory reforms across the organization. Assess the effectiveness of the program management office in managing change across the entity.

[Figure: coverage plan model – Strategy & Governance above Rule Based Coverage (OTC Derivatives, Volcker Rule, Recovery & Resolution, Stress Testing, Compliance, CFPB), Functional / Process Based Coverage, IT/Operations and Business as Usual Audits]

Coverage Plan Overview (continued)

Business as Usual Audits: Assessing the impact of regulatory reforms on the business-as-usual audits for critical processes (e.g., market, operational, and risk management, trading and settlement, annual stress testing) and performing additional procedures as necessary. This assessment should include measuring the impact on the business strategy, systems and procedural changes that will result from the regulatory reforms.

Functional / Process Based Coverage: Reviews of function/process preparedness to respond to the various regulatory changes affecting the business area (e.g., effectiveness of the risk management function in ensuring compliance with the business conduct standards established for the major swap participants; mock Consumer Financial Protection Bureau (CFPB) examination to assess preparedness of the business unit to withstand CFPB examination standards). Periodic reviews should also be conducted to make sure that PMO management reporting of implementation progress is complete and accurate.
Coverage Plan – Strategy & Governance
• A key focus area for internal audit should be the review of the organization's strategy & governance of the regulatory reform program efforts.

[Figure: three elements of strategy & governance – Regulatory reform strategy and business direction; Tracking and assessing proposed rules; Program management effectiveness]

  - Regulatory reform strategy and business direction: A successful response to regulatory reform begins with understanding and aligning the regulatory reform strategy and the business direction. Internal audit should understand the following:
    ◦ Impact of regulatory reforms on business strategies and services
    ◦ Impact of new products / services on the compliance regime
    ◦ Coordination of regulatory reform activities across business areas and geographic locations
  - Tracking and assessing proposed rules: As a first step, organizations need to establish processes to track and assess proposed rules so as to formulate the response and implementation program. Internal audit should understand the following:
    ◦ Systemic process to identify, interpret, track and assess proposed rules
    ◦ Determination of the need to respond to the proposed rule and, if responding, assurance that it is a well-coordinated effort (legal, compliance, business, operations, IT, etc.)
    ◦ Process for business line impact assessment and development of the implementation programs

Coverage Plan – Strategy & Governance (continued)
• Program management effectiveness: The success of an organization's implementation program will require a robust and effective program management office.
  Internal audit's plan should assess the design (initial set-up) and operating (ongoing) effectiveness of the program management office for the following:
  - Board and executive sponsorship
  - Clear roles and responsibilities (i.e., steering committee, PMO, working groups)
  - Cross-functional approach to reform rules implementation that integrates all key functional areas into program management
  - Process to validate and link the implementation to the applicable rules
  - Regular and effective reporting of program status (progress, issues, risks, decisions, resource requirements and constraints) at every level (working group, PMO, steering committee, etc.)
  - Milestones and timeline management
  - Process to identify interdependencies between projects, rules, etc.
  - Process to prioritize implementation projects based on the rule making process
  - End-to-end program quality management program

Coverage Plan – Rule Based Coverage
• Until now, the main focus of organizations' regulatory reform programs has been on tracking, assessing and responding to the proposed rules.
• While certain implementation projects are already in progress (e.g., clearing platforms, OTC Derivatives reporting and record keeping), the implementation programs will gain more momentum in 2012 as more rules are finalized.
• In many cases, the implementation deadlines will be tight and organizations will need to move fast to ensure compliance.
• Internal audit should consider pre- and parallel-implementation reviews that focus on end-to-end coverage of the implementation of the proposed rules (vertical coverage). The first wave of internal audit reviews may focus on OTC Derivatives, the Volcker Rule, and Recovery and Resolution Planning.
• Although the extent of audit coverage will differ based on the applicable rule, it should focus on providing assurance on the following:
  - The complete population of rules applicable to the business unit, product or service has been identified
  - All change requirements resulting from the rules have been identified completely and accurately
  - Downstream projects' scope and objectives address all relevant change requirements
  - Project deliverables are in accordance with the project scope and approach and meet the applicable change and business requirements
  - All risk and control implications as a result of process and technology changes have been identified and addressed

Sample Coverage Plan – Rule Based Coverage – Volcker Rule
(Table columns: Critical Requirement; Related Risk; Expected Control; Audit Procedures)

• Critical requirement: Compliance with permitted market-making activities
  - Related risk: Trading could take on a proprietary nature
  - Expected control: Analysis of revenue strategies
  - Audit procedures: Review supervision; market risk review process
• Critical requirement: Adherence with approved trading strategies
  - Related risk: Trades may not be authorized
  - Expected control: Segregation of duties and trading delegation and supervision
  - Audit procedures: Review of supervision; trade delegations; trade amendments; and reporting
• Critical requirement: Adherence with established trading limits and restrictions
  - Related risk: Limits could be violated
  - Expected control: Limits are approved and monitored for adherence
  - Audit procedures: Review limit governance, trading supervision, trade support and market risk processes
• Critical requirement: Establishment of strong support, risk and operations functions
  - Related risk: Trading may not be independently checked
  - Expected control: Adequate policies and procedures and responsibilities
  - Audit procedures: Review effectiveness of policies and procedures and appropriateness of responsibilities
• Critical requirement: Implementation of proper technology and reporting
  - Related risk: Technology and reporting may not be adequate
  - Expected control: Quality tools and information
  - Audit procedures: Assessment of adequacy of systems and reporting

Sample Coverage Plan – Rule Based Coverage – OTC Derivatives
(Table columns: Critical Requirement; Related Risk; Expected Control; Audit Step)

• Critical requirement: Compliance with registration requirements
  - Related risk: Timely registration is not performed or retained where required
  - Expected control: Trading entities cannot execute trades prior to proper registration
  - Audit step: Review and reconcile registration documents to trading activities
• Critical requirement: Adherence with central clearing requirements
  - Related risk: Trades may not be properly cleared
  - Expected control: Segregation of duties and trading delegation and supervision
  - Audit step: Review of supervision; trade delegations; trade amendments; and reporting
• Critical requirement: Qualified swaps are traded through the SEF (swap execution facility)
  - Related risk: Trades could be executed over the counter in lieu of the appropriate facility
  - Expected control: Trades are monitored for adherence with requirements
  - Audit step: Review of trade monitoring processes
• Critical requirement: Establishment of strong record keeping and reporting processes
  - Related risk: Records are not maintained in compliance with requirements
  - Expected control: Adequate policies and procedures and responsibilities for reporting
  - Audit step: Review effectiveness of policies and procedures and appropriateness of reporting
• Critical requirement: Implementation of proper technology and data storage
  - Related risk: Technology is not in place to appropriately monitor trades and capture data
  - Expected control: Quality tools and information
  - Audit step: Assessment of adequacy of technological monitoring and data storage

Sample Coverage Plan – Rule Based Coverage – Recovery & Resolution ("R&R") Planning
(Table columns: Critical Requirement; Related Risk; Expected Control; Audit Procedures)

• Critical requirement: Each covered entity must submit the R&R Plan to the FDIC and the Federal Reserve by the due date*
  - Related risk: The entity may miss the deadline for submitting the plan
  - Expected control: The unit or person responsible for creation of the R&R Plan creates and monitors a project plan and a calendar of deliverables, and communicates those adequately
  - Audit procedures: Independently determine the "due date"; review and evaluate the project plan, the calendar of deliverables and the monitoring of progress
• Critical requirement: Each covered entity must submit a revised R&R Plan within 45 days following a "material event"
  - Related risk: There may not be a mechanism for alerting the plan owner or the person(s) responsible for the plan that a material event is imminent or has occurred
  - Expected control: A detailed definition of what would be considered a material event exists. The unit or person responsible for creation of the R&R Plan is made aware of all such events
  - Audit procedures: Review effectiveness of policies and procedures, reporting and communication lines. Determine appropriateness of the decision making process
• Critical requirement: Each plan must address and include information relative to the entirety of the organization (e.g., ownership structure, assets, liabilities, contractual obligations, major counterparties, cross guarantees and pledged collateral)
  - Related risk: A current, complete and accurate accounting of all of these various aspects related to the entity may not exist
  - Expected control: Reconciliations to the financial statements are performed regularly. Inventories of contracts and other business alliances are regularly executed
  - Audit procedures: Review effectiveness of policies and procedures. Test the operating effectiveness of controls. Re-perform the reconciliations and inventories

Functional / Process Based Coverage
• Another component of the internal audit coverage plan should be functional and process coverage to assess the impact of regulatory reform on functions, processes and/or services.
• These reviews should take a horizontal approach and assess the impact of various regulatory reforms on a particular function and/or process.
  - For example, almost all key Dodd-Frank reforms (OTC Derivatives, Volcker, etc.) establish new responsibilities for the compliance function, and a horizontal review of the compliance function would look at its ability to identify and comply with all such cross-rule requirements.
• These reviews should address:
  - The impact of various regulatory reforms / rules on key processes, risks and controls
  - The impact on existing people, processes and technology, and the balance between reform activities and existing responsibilities
  - Management's approach to identify, assess and address interdependencies within the rules on key processes
  - Management's preparedness and change management agility as a result of regulatory reforms
  - Management's plan to transition from project to business as usual
• Such reviews would provide assurance to the organization's board and senior leadership that businesses are well prepared and positioned to respond to the regulatory reforms while executing their existing responsibilities (see Appendix E for further detail).

Functional / Process Based Coverage (continued)
• Examples of such reviews may include:
  - Compliance functional assessment: There is a considerable impact on compliance processes as a result of the regulatory reforms (OTC Derivatives, Volcker, Recovery and Resolution). Internal audit should review Compliance's preparedness to respond to such new regulatory requirements, its identification of interdependencies between compliance requirements while developing new processes, its process for training compliance and business professionals on new requirements, and its ability to enable timely and accurate regulatory reporting.
  - IT Governance: Internal audit should review IT's governance and project management processes to ensure timely implementation of changes as a result of the regulatory reform.
    The review should also focus on the IT resource and budget allocation process and its impact on overall business strategy, as compromises/prioritization will be necessary given competing project necessities.
  - New product development process: As new products are being developed, it is critical for internal audit to review the new product development and approval process to ensure that there is a systemic process to identify and address key risks (strategic, business, financial, operational, IT, regulatory and compliance) while approving new products.
  - Regulatory reporting: There will be a considerable increase in regulatory reporting as a result of the regulatory reforms. Internal audit should review the regulatory reporting processes to ensure that processes are being established, adequate resources are being devoted and system enhancements are being made to identify and comply with all reporting requirements in a timely manner.
  - Mock regulatory examinations: Internal audit may also add considerable value by performing mock regulatory examinations to assess the business's/function's preparedness to withstand regulatory scrutiny.

Business as Usual Audits (BAU)

Existing business as usual audits
• There are few functions/processes that will not be impacted by the length and breadth of the regulatory reforms.
• As audit undertakes business as usual audits in its existing audit plan, it should consider implementing a formal process to assess the impact of regulatory reform on the in-scope processes and risks for the purpose of determining the need for performing additional procedures.

Future business as usual audits
• In addition, a number of transformational and special projects undertaken by internal audit will become business as usual audits in 2012 and beyond.
  For example:
  - Independent testing of the compliance function (Volcker rule requirement)
  - Annual testing of the recovery and resolution planning
• Audit should ensure there is a formal process to identify all such business as usual audit requirements and incorporate them in the audit plan.

Role of Internal Audit – Methodology & People
• The impending regulatory reforms go beyond compliance and their impact will be felt at the heart of the organization's business strategy. Internal audit should review its methodology to determine the changes needed to its core audit processes.
• Audit Universe
  - Some existing products/services will be discontinued and replaced with new business strategies.
  - Business strategy changes will result in front office, support function, system, process and legal entity changes.
  - Similar to annual AML audits, additional statutory/compliance audits will emerge.
  - Systems will change, resulting in more pre-implementation and post-implementation reviews.

Example audit universe additions / updates, by rule making area:
• OTC Derivatives: Registration; Centralized clearing; Business conduct requirements; Compliance program; Finance – Capital & Liquidity; Counterparty fund protection
• Volcker Rule: Compliance program; Proprietary trading; Covered fund activities; Reporting & record keeping
• Recovery & Resolution Planning: Recovery plans; Resolution plans; Compliance testing

Role of Internal Audit – Methodology & People (continued)
• Continuous Monitoring
  - Many internal audit functions have continuous monitoring processes in place to monitor the emerging risks in the organization and their impact on the audit plan.
  - Given the extensive nature of the regulatory reforms, internal audit should consider enhancing its continuous monitoring process to ensure the impact of regulatory risk is identified and considered while periodically updating the audit plan.
• Internal Audit Reporting
  - Internal audit should consider providing a consolidated view of the organization's regulatory reform activities based on its audit coverage.
  - The reporting should be based on the aggregate results of the:
    ◦ PMO and governance reviews
    ◦ Rule based coverage
    ◦ Functional coverage
    ◦ Business as usual audits for processes impacted by regulatory reforms
  - Internal audit reporting should also consider the process to share best practices across work streams, report any issues noted in its reviews, and follow up on the implementation of management action plans.
  - Internal audit may also need to schedule regulatory reform focused meetings with the Audit Committee to ensure it can provide its comprehensive assessment of the organization's reform program.
  - Internal audit should ensure that its reform coverage is adequately documented to enable regulators to place reliance on its work.

Role of Internal Audit – Methodology & People (continued)
• People: Last but certainly not least, internal audit should perform a skill set assessment to identify the skill sets required to execute its new coverage plan. Internal audit should focus on:
  - Audit teams impacted by the reform activities
    ◦ In the short term, risk, corporate and capital markets audit teams are expected to face the most stringent demand for resources.
  - Knowledge management program
    ◦ Internal audit should develop a plan to ensure that internal audit is up to date on the organization's reform program and its progress
    ◦ Internal audit should ensure that its staff is adequately trained on the reform program and the organization's response in order to provide value-added audit coverage

Bringing it all together
What is the extent of internal audit involvement? In the short term, internal audit should focus on the following (get started now):

Get a seat at the table – get involved
• Establish and communicate expectations
• Understand and assess the organization's strategy
• Provide real-time advice and counsel on control matters

Create an internal audit response team
• Set up liaison teams in each business and functional area
• Develop a knowledge management program for internal audit

Develop the coverage plan
• Build the internal audit coverage plan
• Execute PMO and governance reviews
• Begin rule based coverage that coincides with the rule making timeline

Assess impact on internal audit methodology and people model
• Update the audit universe
• Revisit the risk assessment process for changes in the organizational risk profile
• Update risk and control libraries
• Assess skill set gaps and develop a plan
• Audit Committee reporting

PwC contacts
Richard Reynolds, Partner – Financial Services Internal Audit Services, +1 646 471 8559, richard.reynolds@us.pwc.com
Christina Patilis, Senior Managing Director – Financial Services Internal Audit Services, +1 646 471 2013, christina.patilis@us.pwc.com

© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.