Implementing Audit Management Software - A...
Page 1
Implementing
Audit Management Software
- A Practical Approach -
5th Annual Internal Audit Forum, Berlin
Page 2
Agenda
TOPICS
About Erste Bank
Audit Management Software - Our History
Targets and Scaling
Software Selection – review approach
Design Issues
Challenges and Pitfalls
Checkpoints
Page 3
About Erste Bank
Erste Group at a glance
Customer banking in the eastern part of the EU
• Founded in 1819 as the first Austrian savings bank
• Today, Erste Group is one of the largest financial services providers in the eastern part of the EU in terms of clients and total assets. Its core activities – besides the traditional strength in serving private individuals and SMEs – include advisory services and support for corporate clients in financing, investment and access to international capital markets, public sector funding and interbank market operations
• Erste Group is strongly committed to offering a comprehensive range of financial products to meet its customer needs
Key financials YE 2016
• CET 1 ratio (Basel 3, phased-in): 13.4%
• Total assets: EUR 208.2 bn
• Net profit: EUR 1.26 bn
• Total equity: EUR 16.6 bn
• Loan to deposit ratio: 94.7%
• Operating result: EUR 2.66 bn
Page 4
About Erste Bank
Erste Group at a glance
Customer banking in the eastern part of the EU
• 47,000 employees serve 15.9 million customers with over 2,600 branches in 7 countries in the eastern part of the EU
• One of the leading financial providers in the eastern part of the EU
• Among the TOP 3 banks in our core markets in AT, CZ, SK, RO, HU and HR
Page 5
Erste Group Audit Function
Group Audit
Holding
Ceska Sporitelna
Slovenska Sporitelna
Erste Bank Hungary
Banca Comerciala Romana
Erste Bank Croatia
Erste Bank Serbia
Erste Bank Austria
Savings Banks: 46 Savings Banks
Other Core Subsidiaries: 20 +
Scope of application of Audit Management Software
• 300 + core users
• 80+ banks and subsidiaries
• 1.000 + business users
• Co-use of software by risk and compliance functions
Page 6
Audit Management Solution
Our History with Audit Software
• Until 2011 – scattered local solutions supporting Audit Management based on Access, Excel and Mainframe
• 2011 – introduction of dedicated Audit Management Software integrating all major subsidiaries (currently 60 +)
• 2016 – decision to implement integrated software for audit, risk and compliance functions, implementation until YE 2017
Current Audit Solution
• Audit specific
• Interfacing all major subsidiaries
• Covers full audit process, but little workflow involvement of business
Going forward – INTEGRATED solution
• Extended use by Audit, Risk Management functions and Regulatory Affairs
• Full involvement of Business Users in the Action Tracking Process
• Project is currently ongoing
SCOPE: Audit Universe, Risk Assessment, Audit Planning, Audit/Audit Workpaper Management, Findings/Action Tracking, Time Reporting
Page 7
TARGETS and SCALING
TARGETS
What do you want to achieve?
• Just supporting the audit process, internally?
• Workflow for Tracking Actions?
• Integrate with units doing similar activities?
• Keep full control within audit or establishing a bankwide solution?
• Single bank or group?
• Not only audit management but also analytical tools included?
• Common reporting beyond audit?
SCALING
Who shall participate in the Solution?
• Audit
• Audit and other Control Functions
• Tracking overall (Regulatory Tracking)
• Business Users
• Which subsidiaries
• It is commonplace to develop a good understanding of the targets and scope of a project involving IT infrastructure.
• In executing this, it quickly shows that complexity, cost and time pressure increase (almost) exponentially with scope extension and number of user groups.
• A useful opportunity not to just audit but to run a project.
Page 8
SOFTWARE SELECTION – APPROACH
Software Review and Decision
• Still an emerging product family, especially for the European market
• “Gartner” (and other) assessments help orientation
• Market will most likely further consolidate
• Many products appear to have “core functionality” (audit; operational risk; tracking) adding on other functions
• Newcomers appear to have a more flexible architecture and modern interfaces, but may lack specific implementation experience and business knowledge
HOW DID WE DO IT:
• Request for Information
• Selection of Long List
• Request for Proposal
• Presentation of Vendors (1 – 2 days)
• Selection of Short List
• Extended Vendor Presentation
  • Includes tailored data
  • Approximate expected solution as much as feasible (cost; time …..)
  • Detailed technical review
  • This may require compensation
• Proof of Concept
• Decision
Page 9
DESIGN ISSUES
STRUCTURE
• Core Data Structure
  • Almost an industry standard
  • Interfacing Organisation, Users, other data not in the GRC system (op Risk; HR; etc)
• User Authorization Design
  • Among the most challenging tasks in a multi-entity environment
  • Avoid need to authorize on field level
  • Confidentiality vs. Information requirements
• Archiving and Export
  • Make sure that adequate solution is available to “mass” export as well as allow for a comprehensive export of “one audit”
  • Carefully review archive function, account for customization impact
Page 10
SPECIFIC CHALLENGES
The Known Issues
MULTI ENTITY ENVIRONMENT
• Ensure that data are only available at a “Legal Entity” level, while Group Audit can use all data for related reporting – take specific effort to create an effective solution.
SECURITY/CONFIDENTIALITY
• Complex user rights set up
• Assure restricted access to highly confidential content
• Data protection issue (audit workpaper may include customer details etc)
OUTSOURCING IMPACT
• Even intragroup services require compliance with outsourcing regulations and policies – technical as well as methodological topics
CROSS BORDER
• Consider local regulatory requirements – reporting, outsourcing, archiving etc
MIGRATION
• The issue is not with “Core Objects” – Audit Universe, Risk Assessment, Audit, Finding/Action – but Audit Programs and Workpapers. There, software design approach differs significantly which makes it cumbersome to map and transfer data.
WORKFLOW
• Complex multistep workflows increase controls and audit trail but there is a cost:
  • Project effort
  • Impact in case of “unexpected” events
USEABILITY
• Especially consider Users not working daily in the application (e.g. “Business Users” in tracking process)
Page 11
PROJECT ISSUES AND PITFALLS
A non-comprehensive list
PROJECT
• Audit is not immune to all sorts of project risk – but do not try to be the “best” in project methodology
• “Nice to have’s” may have a large impact on maintenance effort and cease to be “nice”
ORGANIZATION
• Maintain and update organization – the system will not “know” the impact on your audits, findings and actions. This requires a well balanced cooperation and mix of automated and manual activities
SCALING
• Use by small and large organizations – the latter will struggle with increased complexity, background knowledge requirements etc.
COMMON CATEGORIES
• Common use of data requires aligning certain categories (findings) – complexity vs. intuition.
INTERFACES
• Any interface increases technical effort at inception and for maintenance – make a very educated decision about what you really need.
SOFTWARE
• Configuration vs. software change – consider impact on version updates!
Page 12
Checkpoints
A project introducing “audit software” is just another project, but there are a few general observations that specifically apply.
STEPS
1 Thorough Business Design – describe processes in detail – preferably as Use Cases – make sure vendor understands
2 Well prepared criteria for vendor selection process
3 Invest time in vendor presentations, early investment is worth it
4 Critically review workflows you want embedded
5 Migration – start mapping as early as possible
6 Include broader user groups – more project effort, but higher acceptance
7 User Interface – the better the less training
8 Infrastructure – you will (at least) need user and organisation data, establish data quality and responsibilities
9 IT Security – involve at an early stage, as audit content encompasses “everything”