Internal Audit Thematic Reporting

October 2011
SIFMA Conference
Jack McNamara, Managing Director
What is Thematic Reporting?
• A tool to identify significant issue themes based on issues identified
• A method to identify trends year over year
• A vehicle to allow management to focus on themes that are recurring and high risk
Thematic Reporting Process
• Identify the years that will be reviewed; this will help facilitate a trend analysis
• Issues within each year are individually reviewed and reclassified into the appropriate finding type (ensuring that there is proper type classification)
• Based on the finding types, create relevant issue themes (i.e., Basel II issue type into an Operational Risk issue theme)
• All issues (including the ones reclassified) are assigned to an issue theme based on the assigned finding type
• Charts are created to display the variance in issues noted during the years selected as well as common issues identified within each issue theme
BNY MELLON
Benefits of Thematic Reporting
• Expectation of Global Regulators (FRB, FSA, etc.)
• Provides excellent transparency and ease‐of‐use messaging
• Facilitates strategic discussion at the very top‐of‐the‐house
• Allows for a targeted discussion to be held related to investments being made in the control environment, resources being allocated, and remediation efforts underway
• Utilized by the Internal Audit Division senior management team (assess risk, establish the annual strategy, determine coverage, etc.)
Benefits of Thematic Reporting
• Provides trend analysis to see the increase/decrease in types of issues noted and the effects of Internal Audit’s presence
• Ability to implement a process/provide detailed explanations to staff to select finding types reflective of the issue
• Allows creation of additional/relevant finding types for finding groups
• Ensures consistency among internal audit groups in identifying issue type/category
Challenges of Thematic Reporting
• Inconsistencies between the nature of the issue vs. the assigned finding type
• Lack of options for finding types as related to the issue
• Issues within finding types needed to be reclassified into relevant themes
• Misinterpretations of the finding types
Solutions
• Provide explanations for the finding types/finding groups
• Create additional/relevant finding types for finding groups
• Implement a process/reiterate the necessity to choose finding types reflective of the issue
• Ensure consistency of type/category in multiple audit systems
Presenting the Analysis
• Top Control Themes Reported
• Year over Year
• Common Issues
• By Control Theme
Top Control Themes Reported
June 2011 | Management Initiative
1. Anti‐Money Laundering Training | 1. Remediation/Memo to reiterate training requirements
2. Operational Risk | 2. TBD
3. Information Technology | 3. Steering and Initiative committee formed
4. Policies and Procedures | 4. Gap analysis on new acquisition for policies and procedure comparison
Year over Year Analysis
Common Issues Analysis
Common Issues:
• Application access not terminated timely
• Access not appropriate to job function
Common Issues:
• Employees did not attend AML/SAR training classes
• Non-adherence to the AML policy
• Lack of controls over KYC documentation
Common Issues Analysis
Common Issues:
• Lack of policies and procedures
• Outdated policies and procedures
• Non-adherence to policies and procedures
Common Issues:
• Inadequate estimation of operational risk
• Lack of operational risk event capture, notification and reporting
By Control Theme Analysis
[Charts: AML; Information Technology. Categories shown: Business Access Controls, KYC, Monitoring/Surveillance, Protecting HCI/NPPI, OFAC/Economic Sanctions, Training]
By Control Theme Analysis
[Charts: Operational Risk; Policies and Procedures. Categories shown: Management Review, Service Provider Management, Financial/Management Reporting, Credit Risk ‐ Wholesale Exposures, Credit Risk ‐ Retail Exposures, Control, Oversight & Validation Mechanisms, Market Risk, Operational Risk – Risk Management Processes]
Questions