Credit Unions - National Supervisors Forum

WE LOOK AT THINGS DIFFERENTLY
Conducting an Operational Risk Audit
Kevin Loughnane, ILCU Training Department
National Supervisors Forum
Westport, Co. Mayo
5th November 2011
Purpose of Presentation
To provide supervisors with practical knowledge
to assist in conducting an operational risk audit
in their credit union.
Overview
Topic
• Introduction
• Concept of internal control & operational risk
• Step 1: Identifying risks
• Step 2: Analysing risks
• Step 3: Determining residual risk
• Step 4: Reporting findings to the board
• Closing comments
Categories of Financial Risk
Reputational
Operational
Credit
Liquidity
Market
Risk Management
1. Identify the risks
2. Analyse risks
3. Create response to risk
4. Monitor & Review
Role of Internal Audit (Supervisors)
ISO, Defined Risk Management Process
What are Internal Controls?
• Any deliberate measure or plan put in place by the
credit union to minimise and/or manage risk
• Operational risk is the risk of loss resulting from
inadequate or failed internal processes, people and
systems, or from external events.
Discussion
Credit Union Operational Structures: Example of an Internal Control?
1. The loan application form
2. A fire evacuation procedure
3. An employee’s contract of employment
4. Holding a data protection training session for the board
5. Having in place a cash handling procedure for all staff
6. The auditor verifying the annual accounts of the credit union
7. Directors being obliged to declare a conflict of interest
8. Virus protection software
9. A smoke alarm in the kitchen of the credit union
Discussion
Credit Union Operational Structures: Example of an Internal Control?
1. The loan application form: Yes
2. A fire evacuation procedure: Yes
3. An employee’s contract of employment: Yes
4. Holding a data protection training session for the board: Yes
5. Having in place a cash handling procedure for all staff: Yes
6. The auditor verifying the annual accounts of the credit union: Yes
7. Directors being obliged to declare a conflict of interest: Yes
8. Virus protection software: Yes
9. A smoke alarm in the kitchen of the credit union: Yes
Why Conduct an Audit?
Rule: A credit union must establish, maintain and implement a
fully documented system of control.
Guidance: (i) It should be comprehensive
(ii) …the system should be cross referred so that the system can
be viewed as a whole.
(iii) It should identify risks, and the controls established to
manage those risks.
(v) It should state how the operation of the control is evidenced.
Extract from Section 4.3 of “CRED”, FSA guidelines for UK credit unions
Benefit of Conducting an Audit
Micro
Macro
Conducting an Audit of Operational Risk
Step 1
• Identify operational risk
Step 2
• Analyse risks
Step 3
• Determine “residual risk”
Step 4
• Report findings to board
Step 1: Identifying Risks
• Must identify operational risks which could impact upon the
credit union
• Use the six categories of operational risk as a guide
• No need to analyse at this stage
• Wording of each risk is important
Categories of Operational Risk
1. Internal and external fraud - (embezzlement)
2. Employment practices and workplace safety - (sued by
employee for breach of contract)
3. Damage to physical assets - (office damaged due to fire)
4. IT systems and software failures - (loss of records due to
database corruption)
5. Business practices & service delivery - (misinforming
members on insurance products)
6. Organisational processes - (incomplete documentation
relating to a member’s loan resulting in invalid loan contract)
Example: Identifying Risks
1. Internal and External Fraud
An officer of the credit union defrauds the credit union of significant sums of money by
setting up false loans for fictitious members.
An officer of the credit union grants several large connected loans to family members /
friends which do not meet the requirements of the lending policy of the credit union.
An officer of the credit union steals a series of small sums of cash from the cash drawer
over a period of months, resulting in a financial loss to the credit union.
An officer of the credit union has been transferring funds from dormant member
accounts into his/her own credit union or bank account.
A member cashes a number of fraudulent cheques through the credit union resulting in a
significant financial loss.
Step 2: Analysing Risks
• This step will highlight the risks which pose the biggest threat to
the credit union.
• The impact of each risk is scored from 1 to 5.
• The prevalence (likelihood of occurrence) is scored from 1 to 4.
• Both scores are multiplied for each risk to get the risk ranking
score.
• Some lower scoring risks may be excluded from the audit at
this point.
1. Internal and External Fraud
Columns: Risk, Prevalence, Impact, Risk Ranking
1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.
1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.
1. Internal and External Fraud
Columns: Risk, Prevalence, Impact, Risk Ranking
1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
    Prevalence: 2; Impact: 2; Risk Ranking: 4
1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
    Prevalence: 3; Impact: 4; Risk Ranking: 12
1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.
    Prevalence: 2; Impact: 2; Risk Ranking: 4
1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
    Prevalence: 2; Impact: 4; Risk Ranking: 8
1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.
    Prevalence: 4; Impact: 3; Risk Ranking: 12
Risk Ranking – Fraud
Columns: Risk, Score
1.2 An officer of the credit union grants several large connected loans to family members / friends which do not meet the requirements of the lending policy of the credit union.
    Score: 12
1.5 A member cashes a number of fraudulent cheques through the credit union resulting in a significant financial loss.
    Score: 12
1.4 An officer of the credit union has been transferring funds from dormant member accounts into his/her own credit union or bank account.
    Score: 8
1.1 An officer of the credit union defrauds the credit union of significant sums of money by setting up false loans for fictitious members.
    Score: 4
1.3 An officer of the credit union steals a series of small sums of cash from the cash drawer over a period of months, resulting in a financial loss to the credit union.
    Score: 4
Step 3: Determining Residual Risk
• This step will determine the threat posed by a risk once
internal controls have been considered.
• Must identify all internal controls which correspond to each
risk.
• Determine how effective these internal controls are – very
poor to excellent.
• Risk ranking score is multiplied by the controls’ effectiveness
to determine the residual risk.
Mapping Internal Controls
Policy / Plan
People
Practices
Paperwork
1. Internal & external fraud
Risk code: 1.2
Risk ranking score: 12
Corresponding internal controls:
• Section in lending policy dealing with loans to friends / family members.
• Last year 3 staff members attended training on loan assessment.
• Loan approval procedure which requires one officer to sign off application and issue loan.
Findings of supervisory committee:
• No specific section of lending policy dealing with connected loans. Lending policy not updated since 2009.
• No monitoring of approved loans for connected loans / connected individuals.
• Loan approval procedure only requires one signature of manager or treasurer for loans up to €30,000.
Effectiveness of internal controls: Weak (0.8)
Residual risk: 9.6
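The scoring in Steps 2 and 3 can be reproduced as a small risk register. This is an added example, not part of the original presentation: the function names and the `min_score` cut-off are assumptions, and the only effectiveness factor taken from the page is "Weak" = 0.8.

```python
# Prevalence and impact scores for the fraud risks, copied from the table above.
FRAUD_SCORES = {"1.1": (2, 2), "1.2": (3, 4), "1.3": (2, 2),
                "1.4": (2, 4), "1.5": (4, 3)}

# The presentation gives a single effectiveness factor: "Weak" = 0.8.
# Factors for other ratings are not on the page; add them before rating with them.
EFFECTIVENESS = {"Weak": 0.8}


def risk_ranking(prevalence, impact):
    """Step 2: prevalence (1 to 4) multiplied by impact (1 to 5)."""
    if prevalence not in range(1, 5):
        raise ValueError(f"prevalence must be 1-4, got {prevalence}")
    if impact not in range(1, 6):
        raise ValueError(f"impact must be 1-5, got {impact}")
    return prevalence * impact


def rank_register(scores, min_score=0):
    """Rank risks highest first; drop those below min_score (assumed cut-off)."""
    ranked = [(code, risk_ranking(p, i)) for code, (p, i) in scores.items()]
    kept = [r for r in ranked if r[1] >= min_score]
    return sorted(kept, key=lambda r: (-r[1], r[0]))


def residual_risk(ranking, rating, factors=EFFECTIVENESS):
    """Step 3: risk ranking score multiplied by the effectiveness factor."""
    if rating not in factors:
        raise KeyError(f"no effectiveness factor defined for {rating!r}")
    return round(ranking * factors[rating], 2)


def audit_report(scores, ratings, min_score=0):
    """Step 4 input: one row per ranked risk; residual stays None until rated."""
    rows = []
    for code, ranking in rank_register(scores, min_score):
        rating = ratings.get(code)
        residual = residual_risk(ranking, rating) if rating else None
        rows.append({"code": code, "ranking": ranking,
                     "rating": rating, "residual": residual})
    return rows


if __name__ == "__main__":
    # Only risk 1.2 has a control rating on the page; 8 is a constructed cut-off.
    for row in audit_report(FRAUD_SCORES, {"1.2": "Weak"}, min_score=8):
        print(row)
```

Rows whose residual is still empty are ranked risks whose controls have not yet been mapped and rated.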
Step 4: Reporting findings to the board
• Crucial that findings are clearly communicated to the board.
• Committee should include risk analysis, evaluation of internal
controls and residual risk.
• Not the responsibility of the committee to make the changes
– responsibility of the board.
• Encourage the board / risk management committee to
maintain the documented system of control.
Summary of Key Points
• Must have understanding of prevailing risks before internal
controls can be assessed
• An operational risk audit is a key tool for the credit union
• Use checklists to identify gaps and weaknesses against
prevailing risks
• An evidence-based written report to the board should be
compiled
• Encourage CU to maintain a documented system of control
Part II: Developments in the
Regulatory Supervision and
Auditing of Credit Unions
Evidence of movement towards a risk-based
approach in credit unions
“Our risk-based supervision model will mean that our level of
engagement will vary depending on the size and impact of each
credit union…. The biggest credit unions can expect more
engagement from us as a result. Our risk-based approach also
means that you can “earn” a less intense level of supervisory
engagement by having a well governed and well run credit union
that scores low in terms of risk.”
Matthew Elderfield, Financial Regulator
Extract from Speech at ILCU AGM 2010.
Evidence of movement towards a risk-based
approach in credit unions
“The Monitoring Department scores credit unions on
various risk areas (e.g. PEARLS ratios, financials) and
these scores are used as part of a risk-based approach
to monitoring credit unions, and assigning Monitoring
resources (e.g. scheduling of visits by Field Officers and
Business Unit Managers).”
Dave Hewson, ILCU Monitoring Department
Role of Supervisory Committee in
Monitoring Internal Controls
Principle 5: (Credit Unions) should implement a process to regularly
monitor operational risk profiles and material exposures to losses.
There should be regular reporting of pertinent information to senior
management and the board of directors that supports the
proactive management of operational risk.
Sound Practices for the Management and Supervision of Operational Risk, 2003, BIS