
www.pwc.com
Internal Audit’s Role in Regulatory Reform: The Dodd-Frank Act
March 15, 2012
Agenda
• Regulatory Reform Landscape
• Internal Audit’s Response to Date
• Role of Internal Audit
  - Overview
  - Key Factors to Consider
  - Positioning
  - Risk Assessment
  - Coverage Plan
  - Methodology & People
  - Bringing it all together
3/15/2012
2
The Dodd-Frank Act will have a significant impact on the strategies and business operations of financial services firms
• Assessing the impact and managing the implementation of the Dodd-Frank Act (DFA) is not a routine regulatory project given the:
  - Volume and complexity of rules;
  - Number of federal agencies (e.g., SEC, Fed, CFTC, FDIC and others) that are independently writing and releasing rules;
  - Tight timelines associated with implementing financial reforms; and
  - Scores of stand-alone and interdependent implementation projects (i.e., the "portfolio" of projects), at both the business and enterprise level, that must be initiated, funded, managed, and monitored over the next three to five years.
• As the financial services industry changes and institutions react and adjust to these new regulatory reforms, so too must internal audit.
• Owing to the extensive nature of the regulatory reform and its global impact, internal audit must position itself both as a partner with management as it addresses the challenges, and as an independent monitor and assessor of the implementation efforts for both the audit committee and the regulators.
Dodd-Frank – U.S. element of global financial regulatory reform

Macro and Micro-Prudential Supervision
• Sharpened focus on mitigating systemic risk and maintaining financial stability through use of macro-prudential supervision tools
• Increased coordination among global supervisors
• Heightened examination scrutiny of large, complex financial institutions

Systemically Important Financial Institutions
• Recent designation of 29 global systemically important financial institutions (“G-SIFIs”)
• Nonbank “SIFI” designations still to be determined
• New requirements ranging from higher capital and liquidity buffers to recovery and resolution plans and prudential risk management standards

Governance, Transparency, and Consumer Protection
• Renewed accountability at the Board and executive management levels – appropriately balancing risk and reward
• Increased reporting and data collection to support the monitoring of risk
• Greater emphasis and scrutiny on consumers’ interests
Where are we now in the U.S.
Status of the rule making process
• Still just starting: Fewer than 20% of the rules required by Dodd-Frank have been finalized.
• Late: Many mandated rulemaking deadlines have been missed and regulators have pushed back the effective date of certain provisions.
• Overwhelmed: Regulators have never gone through a period of such voluminous rulemaking.
• Uncertain: With so many open rules and impending deadlines, financial institutions are having to manage through the uncertainty.
How do organizations react?
As new regulations are enacted and as existing regulations evolve, organizations are tasked with:
• Evaluating the complexity and interpreting the nuances of these changes
• Interpreting the rules and understanding their applicability to the various business(es) within the organization
• Assessing the impact of the rules on all areas of the enterprise
• Convening a steering committee to drive the necessary changes in process throughout the organization
• Organizing a Project Management Office to oversee the required changes
As illustrated in the graphic below, organizations are expending considerable resources to ensure compliance with the rapidly changing regulations in the financial services industry.
[Graphic: Steering Committee → PMO → Working Groups 1–4, covering Risk/Compliance, People, Strategy and Operations/IT → Implement the required changes]
Internal Audit’s Response to Date
Large Institutions
The new regulatory environment is front and center in everyone’s mind. Having said that, we see that some companies are responding differently than others.
We have noted that, in general, the nation’s largest banks, investment banks and other financial institutions are out in front of the rule making by actively reviewing the proposals and commenting on the anticipated impact on their respective business lines.
Many of these organizations have set aside hundreds of resources, have created detailed structures and have developed an organized approach, getting business leaders, compliance and legal professionals, as well as other support functions, involved in the process at the earliest phase.
In many of these cases, internal audit has made a concerted effort to be involved by engaging with Project Management Offices (PMOs) as the inevitable projects begin to take shape.
Internal Audit’s Response to Date continued
Small to Mid-Sized Institutions
• The internal audit functions of small to mid-sized organizations are often challenged on the resource front and are attempting to respond, often without dedicated resources.
• Most internal audit functions believe they should play an active role in understanding the changes that are being implemented throughout the organization and monitoring their progress, including pre-implementation and post-implementation reviews.
• While a majority of respondents recognize a need to stay abreast of what is going on in their organizations with respect to regulatory reform, only a minority acknowledge that it is their responsibility to update the audit committee.
• At the current time, half of the internal audit functions surveyed do not believe they have sufficient resources to address the changes in risk that are occurring throughout the organization as a result of regulatory reforms.
Role of internal audit – Overview
• The regulatory reforms have far reaching implications for financial services organizations regardless of their size.
• The regulatory reforms will go beyond compliance and will impact the business strategy of the organizations.
  - Existing products and services will be eliminated (e.g., proprietary trading) and new products/services will be introduced.
• Regulatory reforms present a significant opportunity for internal audit to demonstrate value over and above its annual audit plan and should be a key focus area in 2012 and beyond.
• Internal audit has an opportunity to earn a seat at the table in the long run by assisting management in the successful implementation of the regulatory program.
• Internal audit should take a proactive approach in determining and communicating its role in regulatory reforms.
Role of internal audit – Key Factors to Consider
• Internal Audit should consider the following as it establishes its role in regulatory reforms:
  - Positioning: Understand the expectations of its major constituents (i.e., regulators, management and board)
  - Risk Assessment and Coverage Plan: Adapt the risk assessment process with a goal of developing a coverage plan to address its stakeholders' expectations and internal audit’s mandate
  - People & Methodology: Identify and address the impact on internal audit’s people and methodology to effect its regulatory reform coverage plan and meet stakeholder expectations
[Graphic: Positioning; Risk Assessment and Coverage Plan; People & Methodology]
Role of Internal Audit-Positioning
• Internal audit’s assessments of vertical processes (work stream specific), horizontal processes (across work streams) and the program and project management can be critical to its stakeholders
• Internal audit needs to consider the expectations of all its constituents while developing its coverage plan with respect to the regulatory reforms
• Regulatory expectations
  - Regulators’ expectations will not be prescriptive, but they will expect to see coverage of the regulatory reform program
  - Comprehensive coverage of the regulatory reform program will be critical in the internal audit function’s progression from a “satisfactory” to a “strong” OCC rating
  - Regulators expect to be able to rely on the work of internal audit
• Management expectations
  - Provide independent assurance on the progress of the changes in processes to support compliance with regulatory reforms
  - Act as a sounding board by challenging management’s approach to decisions
• Board expectations
  - Be the eyes and ears of the board
  - Provide assurance that regulatory reforms are being implemented completely and accurately
Role of Internal Audit-Risk Assessment
Internal Audit should perform the following:
• Revisit its risk assessment framework to determine the adequacy of regulatory risk coverage and whether enhancements are needed.
• Engage in proactive discussions with the audit committee and management to understand their concerns and priorities.
• Develop a risk based coverage plan that addresses the most pressing challenges of the organization and aligns with the expectations of its stakeholders.
• Set aside extra time for unexpected events and special requests in 2012 and 2013 as a result of the anticipated impacts of regulatory reforms.
• Recognize that temporary changes to the risk assessment framework may be required to cover enhanced risk during reform implementation. The new realities of doing business in the current regulatory regime may require more permanent changes.
• Ensure changes to the risk assessment framework consider regulatory reforms on a global basis and address the extra-territorial nature of regulatory regimes (e.g., the effect of the Volcker rule on foreign banking entities).
Role of Internal Audit-Coverage Plan Overview
Internal Audit can play a significant role in ensuring that the regulatory reform strategy and execution is being managed effectively across the organization.
• Strategy & Governance: Review of the organizational strategy and governance structure to identify, assess, interpret and implement regulatory reforms across the organization. Assess the effectiveness of the program management office in managing change across the entity.
• Rule Based Coverage: Pre-implementation and parallel reviews should be performed focusing on assessing the effectiveness of the process and system implementation plans in addressing the critical rules and requirements. Internal audit should consider building rule-specific coverage plans (e.g., Volcker, OTC derivatives, Recovery and Resolution) to assess the changes being implemented in the business areas.
• Functional / Process Based Coverage: Reviews of function/process preparedness to respond to the various regulatory changes affecting the business area (e.g., effectiveness of the risk management function in ensuring compliance with the business conduct standards established for major swap participants; mock Consumer Financial Protection Bureau (CFPB) examination to assess preparedness of the business unit to withstand CFPB examination standards). Periodic reviews should also be conducted to make sure that PMO management reporting of implementation progress is complete and accurate.
• Business as Usual Audits: Assessing the impact of regulatory reforms on the business-as-usual audits for critical processes (e.g., market, operational and risk management, trading and settlement, annual stress testing) and performing additional procedures as necessary. This assessment should include measuring the impact on the business strategy, systems and procedural changes that will result from the regulatory reforms.
[Graphic: coverage plan diagram showing Strategy & Governance, Rule Based Coverage, Functional / Process Based Coverage, IT/Operations and Business as Usual Audits, with OTC Derivatives, Volcker Rule, Recovery & Resolution, Stress Testing, Compliance and CFPB as the coverage areas]
Coverage Plan
Strategy & governance
• A key focus area for internal audit should be the review of the organization’s strategy & governance of the regulatory reform program efforts.
  - Regulatory reform strategy and business direction: A successful response to regulatory reform begins with understanding and aligning the regulatory reform strategy and the business direction. Internal audit should understand the following:
    ◦ Impact of regulatory reforms on business strategies and services
    ◦ Impact of new products / services on the compliance regime
    ◦ Coordination of regulatory reform activities across business areas and geographic locations
  - Tracking and assessing proposed rules: As a first step, organizations need to establish processes to track and assess proposed rules so as to formulate the response and implementation program. Internal audit should understand the following:
    ◦ Systematic process to identify, interpret, track and assess proposed rules
    ◦ Determination of the need to respond to the proposed rule and, if responding, assurance that it is a well-coordinated effort (legal, compliance, business, operations, IT, etc.)
    ◦ Process for business line impact assessment and development of the implementation programs
[Graphic: Regulatory reform strategy and business direction; Tracking and assessing proposed rules; Program management effectiveness]
Coverage plan
Strategy & Governance continued
• Program management effectiveness: The success of an organization’s implementation program will require a robust and effective program management office. The internal audit plan should assess the design (initial set up) and operating (on-going) effectiveness of the program management office for the following:
  - Board and executive sponsorship
  - Clear roles and responsibilities (i.e., steering committee, PMO, working groups)
  - Cross functional approach to reform rules implementation that integrates all key functional areas into program management
  - Process to validate and link the implementation to the applicable rules
  - Regular and effective reporting of program status (progress, issues, risks, decisions, resource requirements and constraints) at every level (working group, PMO, steering committee, etc.)
  - Milestones and timeline management
  - Process to identify interdependencies between projects, rules, etc.
  - Process to prioritize implementation projects based on the rule making process
  - End to end program quality management program
Coverage plan
Rule based coverage
• Until now, the main focus of organizations’ regulatory reform programs has been on tracking, assessing and responding to the proposed rules
• While certain implementation projects are already in progress (e.g., clearing platforms, OTC Derivatives reporting and record keeping), the implementation programs will gain more momentum in 2012 as more rules are finalized
• In many cases, the implementation deadlines will be tight and organizations will need to move fast to ensure compliance
• Internal audit should consider pre-implementation and parallel-implementation reviews that focus on end to end coverage of the implementation of the proposed rules (vertical coverage). The first wave of internal audit reviews may focus on OTC Derivatives, the Volcker Rule, and Recovery and Resolution Planning.
• Although the extent of audit coverage will differ based on the applicable rule, it should focus on providing assurance on the following:
  - The complete population of rules applicable to the business unit, product or service has been identified
  - All change requirements resulting from the rules have been identified completely and accurately
  - Downstream project scope and objectives address all relevant change requirements
  - Project deliverables are in accordance with the project scope and approach and meet the applicable change and business requirements
  - All risk and control implications resulting from process and technology changes have been identified and addressed
Sample Coverage plan
Rule based coverage – Volcker rule

Critical Requirement | Related Risk | Expected Control | Audit Procedures
Compliance with permitted market-making activities | Trading could take on a proprietary nature | Analysis of revenue strategies | Review supervision; market risk review process
Adherence with approved trading strategies | Trades may not be authorized | Segregation of duties and trading delegation and supervision | Review of supervision; trade delegations; trade amendments; and reporting
Adherence with established trading limits and restrictions | Limits could be violated | Limits are approved and monitored for adherence | Review limit governance, trading supervision, trade support and market risk processes
Establishment of strong support, risk and operations functions | Trading may not be independently checked | Adequate policies and procedures and responsibilities | Review effectiveness of policies and procedures and appropriateness of responsibilities
Implementation of proper technology and reporting | Technology and reporting may not be adequate | Quality tools and information | Assessment of adequacy of systems and reporting
Sample Coverage plan
Rule based coverage – OTC derivatives

Critical Requirement | Related Risk | Expected Control | Audit Step
Compliance with registration requirements | Timely registration is not performed or retained where required | Trading entities cannot execute trades prior to proper registration | Review and reconcile registration documents to trading activities
Adherence with central clearing requirements | Trades may not be properly cleared | Segregation of duties and trading delegation and supervision | Review of supervision; trade delegations; trade amendments; and reporting
Qualified swaps are traded through the SEF (swap execution facility) | Trades could be executed over the counter in lieu of the appropriate facility | Trades are monitored for adherence with requirements | Review of trade monitoring processes
Establishment of strong record keeping and reporting processes | Records are not maintained in compliance with requirements | Adequate policies and procedures and responsibilities for reporting | Review effectiveness of policies and procedures and appropriateness of reporting
Implementation of proper technology and data storage | Technology is not in place to appropriately monitor trades and capture data | Quality tools and information | Assessment of adequacy of technological monitoring and data storage
Sample Coverage plan
Rule based coverage – Recovery & resolution (“R&R”) planning

Critical Requirement | Related Risk | Expected Control | Audit Procedures
Each covered entity must submit the R&R Plan to the FDIC and the Federal Reserve by the due date* | The entity may miss the deadline for submitting the plan | The unit or person responsible for creation of the R&R Plan creates and monitors a project plan and a calendar of deliverables, and communicates those adequately | Independently determine the “due date”; review and evaluate the project plan, the calendar of deliverables and the monitoring of progress
Each covered entity must submit a revised R&R Plan within 45 days following a “material event” | There may not be a mechanism for alerting the plan owner or the person(s) responsible for the plan that a material event is imminent or has occurred | A detailed definition of what would be considered a material event exists. The unit or person responsible for creation of the R&R Plan is made aware of all such events | Review effectiveness of policies and procedures, reporting and communication lines. Determine appropriateness of the decision making process
Each plan must address and include information relative to the entirety of the organization (e.g., ownership structure, assets, liabilities, contractual obligations, major counterparties, cross guarantees and pledged collateral) | A current, complete and accurate accounting of all of these various aspects related to the entity may not exist | Reconciliations to the financial statements are performed regularly. Inventories of contracts and other business alliances are regularly executed. | Review effectiveness of policies and procedures. Test the operating effectiveness of controls. Re-perform the reconciliations and inventories.
Functional / Process based coverage
• Another component of the internal audit coverage plan should be functional and process coverage to assess the impact of regulatory reform on functions, processes and/or services.
• These reviews should take a horizontal approach and assess the impact of various regulatory reforms on a particular function and/or process
  - For example, almost all key Dodd-Frank reforms (OTC Derivatives, Volcker, etc.) establish new responsibilities for the compliance function, and a horizontal review of the compliance function would look at its ability to identify and comply with all such cross-rule requirements.
• These reviews should address:
  - The impact of various regulatory reforms / rules on key processes, risks and controls
  - The impact on existing people, processes and technology and the balance between reform activities and existing responsibilities
  - Management’s approach to identify, assess and address interdependencies within the rules on key processes
  - Management’s preparedness and change management agility as a result of regulatory reforms
  - Management’s plan to transition from project to business as usual
• Such reviews would provide assurance to the organization’s board and senior leadership that businesses are well prepared and positioned to respond to the regulatory reforms while executing their existing responsibilities (see Appendix E for further detail)
Functional / Process based coverage
• Examples of such reviews may include:
  - Compliance functional assessment: There is a considerable impact on compliance processes as a result of the regulatory reforms (OTC Derivatives, Volcker, Recovery and Resolution). Internal audit should review Compliance’s preparedness to respond to such new regulatory requirements, its identification of interdependencies between compliance requirements while developing new processes, its process for training compliance and business professionals on new requirements, and its ability to enable timely and accurate regulatory reporting
  - IT Governance: Internal audit should review IT’s governance and project management processes to ensure timely implementation of changes as a result of the regulatory reform. The review should also focus on the IT resource and budget allocation process and its impact on overall business strategy, as compromises/prioritization will be necessary given competing project necessities
  - New product development process: As new products are being developed, it is critical for internal audit to review the new product development and approval process to ensure that there is a systematic process to identify and address key risks (strategic, business, financial, operational, IT, regulatory and compliance) while approving new products
  - Regulatory reporting: There will be a considerable increase in regulatory reporting as a result of the regulatory reforms. Internal audit should review the regulatory reporting processes to ensure that processes are being established to address the new requirements, adequate resources are being devoted and system enhancements are being made to identify and comply with all reporting requirements in a timely manner
  - Mock regulatory examinations: Internal audit may also add considerable value by performing mock regulatory examinations to assess a business’s/function’s preparedness to withstand regulatory scrutiny
Business as usual audits (BAU)
Existing business as usual audits
• There are few functions/processes that will not be impacted by the length and breadth of the regulatory reforms
• As audit undertakes business as usual audits in its existing audit plan, it should consider implementing a formal process to assess the impact of regulatory reform on the in-scope processes and risks for the purpose of determining the need to perform additional procedures
Future business as usual audits
• In addition, a number of transformational and special projects undertaken by internal audit will become business as usual audits in 2012 and beyond. For example:
  - Independent testing of the compliance function (Volcker rule requirement)
  - Annual testing of the recovery and resolution planning
• Audit should ensure there is a formal process to identify all such business as usual audit requirements and incorporate them in the audit plan
Role of Internal Audit – Methodology & People
• The impending regulatory reforms go beyond compliance and their impact will be felt at the heart of the organization’s business strategy. Internal audit should review its methodology to determine changes needed to its core audit processes.
• Audit Universe
  - Some existing products/services will be discontinued and replaced with new business strategies.
  - Business strategy changes will result in front office, support function, system, process and legal entity changes.
  - Similar to annual AML audits, additional statutory/compliance audits will emerge.
  - Systems will change, resulting in more pre-implementation and post-implementation reviews.

Rule making area | Example audit universe additions / updates
OTC Derivatives | Registration; Centralized clearing; Business conduct requirements; Compliance program; Finance – Capital & Liquidity; Counterparty fund protection
Volcker Rule | Compliance program; Proprietary trading; Covered fund activities; Reporting & record keeping
Recovery & Resolution Planning | Recovery plans; Resolution plans; Compliance testing
Role of Internal Audit – Methodology & People
• Continuous Monitoring
  - Many internal audit functions have continuous monitoring processes in place to monitor the emerging risks in their organizations and their impact on the audit plan.
  - Given the extensive nature of the regulatory reforms, internal audit should consider enhancing its continuous monitoring process to ensure the impact of regulatory risk is identified and considered while periodically updating the audit plan
• Internal Audit Reporting
  - Internal audit should consider providing a consolidated view of the organization’s regulatory reform activities based on its audit coverage
  - The reporting should be based on the aggregate results of the:
    ◦ PMO and governance reviews
    ◦ Rule based coverage
    ◦ Functional coverage
    ◦ Business as usual audits for processes impacted by regulatory reforms
  - Internal audit reporting should also consider the process to share best practices across work streams, report any issues noted in its reviews, and follow up on the implementation of management action plans
  - Internal audit may also need to schedule regulatory reform focused meetings with the Audit Committee to ensure it can provide its comprehensive assessment of the organization’s reform program
  - Internal audit should ensure that its reform coverage is adequately documented to enable regulators to place reliance on its work
Role of Internal Audit – Methodology & People
• People: Last but certainly not least, internal audit should perform a skill set assessment to identify the skill sets required to execute its new coverage plan. Internal audit should focus on:
  - Audit teams impacted by the reform activities
    ◦ In the short term, risk, corporate and capital markets audit teams are expected to face the most stringent demand for resources.
  - Knowledge management program
    ◦ Internal audit should develop a plan to ensure that internal audit is up to date on the organization’s reform program and its progress
    ◦ Internal audit should ensure that its staff is adequately trained on the reform program and the organization’s response in order to provide value added audit coverage
Bringing it all together
What is the extent of internal audit involvement?
In the short term, internal audit should focus on…
Get started now
• Get a seat at the table – get involved
  - Establish and communicate expectations
  - Understand and assess the organization’s strategy
  - Provide real time advice and counsel on control matters
• Create internal audit response team
  - Set up liaison teams in each business and functional area
  - Develop knowledge management program for internal audit
• Develop the coverage plan
  - Build internal audit coverage plan
  - Execute PMO and governance reviews
  - Begin rule based coverage that coincides with the rule making timeline
• Assess impact on internal audit methodology and people model
  - Update audit universe
  - Revisit risk assessment process for changes in organizational risk profile
  - Update risk and control libraries
  - Assess skill set gap and develop plan
  - Audit Committee reporting
PwC contacts
Richard Reynolds
Partner – Financial Services
Internal Audit Services
+ 1 646 471 8559
richard.reynolds@us.pwc.com
Christina Patilis
Senior Managing Director-Financial Services
Internal Audit Services
+ 1 646 471 2013
christina.patilis@us.pwc.com
© 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each
member firm of which is a separate legal entity.