Internal Audit and the Compliance Function Slavko Rakocevic.
INTERNAL AUDIT AND COMPLIANCE FUNCTION: INTERACTION WITH THE AUDIT COMMITTEE
Dr. Slavko Rakočević, licensed auditor, Chairman of IIA Montenegro
Member of the Auditing Committee-ECIIA Brussels
Head of Internal Audit at “Wiener Stadtische Insurance” Montenegro
Head of Compliance Function at “Hipotekarna Bank” Montenegro
Source: http://www.eciia.eu/
Three Lines of Defence Model (figure)
Board / Audit Committee and Senior Management at the top.
1st Line of Defence: Operational Management, Internal Controls.
2nd Line of Defence: Risk Management, Compliance, Others.
3rd Line of Defence: Internal Audit.
External Audit sits alongside the three lines.
INTERNATIONAL INITIATIVES
1. Directive 2006/43/EC of 17 May 2006 on statutory audits of annual accounts and consolidated accounts
2. European Parliament resolution on corporate governance in financial institutions and remuneration policies - 2010/2303(INI) - 11/05/2011
3. Compliance and the compliance function in banks - Basel Committee on Banking Supervision, April 2005
4. Fundamentals of GRC: The Connected Roles of Internal Audit and Compliance (IIA & Thomson Reuters, 2011)
5. The Audit Committee: Internal Audit Oversight (IIA, 2011)
6. ecoDa - Audit Committee Guidance for European Companies - Version 2011
EU DIRECTIVE 2006/43/EC on statutory audits of annual accounts and consolidated accounts
Article 41(1): Each public-interest entity shall have an audit committee. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing.
Article 41(2)(b): the audit committee shall, inter alia, monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems.
European Parliament resolution of 11 May 2011 on corporate governance in financial institutions (2010/2303(INI))
Paragraph 56: a three-way dialogue between supervisors, auditors (both internal and external) and institutions would improve the likelihood of substantial or systemic risk being detected at an early stage.
It is the responsibility of the Board and of the Internal Auditor to ensure that the necessary internal controls are in place to detect systemic risks, and to establish a procedure for informing the board and supervisors of these risks in order to avoid negative consequences.
Source: http://www.europarl.europa.eu
ERM - ECIIA view and response
Source: http://www.coso.org/ ; The Role of Internal Audit in Enterprise-wide Risk Management.
COSO ERM cube (figure): objective categories Strategic, Operations, Reporting, Compliance; organisational levels Entity-Level, Division, Business Unit, Subsidiary; components Internal Environment, Objective Setting, Risk Identification, Assessment and Response, Control Activities, Information & Communication, Monitoring.
Three Lines of Defense Model (figure)
3rd Line of Defense: Audit Committee, Internal Audit
2nd Line of Defense: Chief Risk Officer, Compliance Officer, CFO, Security, Quality
1st Line of Defense: Business Management
Reporting goes beyond financial reporting control: a system for consistent reporting on risk and risk management systems.
A Recommendation to the European Commission: increasing board responsibility by country legislation or the comply-or-explain approach.
Source: COSO (January 2012) Enterprise Risk Management - Understanding and Communicating Risk Appetite
COMPLIANCE FUNCTION
(Figure: Internal Control, External Audit, Internal Audit, Compliance)
Nature and purpose of the compliance function
compliance principles (code of conduct)
compliance policy
compliance charter
The compliance policy
The compliance policy is laid down in writing and:
- describes the main aspects of compliance risk;
- explains the principles laid down by the board of directors;
- establishes the Compliance function and defines its goals and independence;
- requires the drawing up of a charter;
- institutes the implementation of a continuous training programme.
Note: The policy need not detail all the laws, regulations, circulars and other applicable codes, but it shall lay down the main principles to follow.
The compliance charter
The charter shall at least (*):
- set forth the objectives of the Compliance function;
- define its responsibilities and role;
- establish its independence and permanence;
- describe the relationship with other departments and functions, as well as any need for delegation and/or coordination;
- grant the Compliance function the right of access to any information necessary to carry out its responsibilities;
- acknowledge its right to conduct investigations;
- define the reporting lines;
- establish the right to contact senior management and, where applicable, the Chairman of the board or the members of an audit committee or a Compliance committee;
- define the conditions under which the function can have recourse to external experts.
(*) Note: Very similar to an audit charter.
Note: All changes are to be approved by the board of directors.
General theory of compliance
COMPLIANCE ASPECTS
Starts at the TOP
Promotion of a compliance culture ... everyone is concerned
Scope of topics to be covered by the compliance function
Compliance and the compliance function: BASEL COMMITTEE PRINCIPLES
10 PRINCIPLES - April 2005
Responsibilities of the board of directors for compliance: Principle 1
Responsibilities of senior management for compliance: Principles 2, 3, 4
Compliance Function principles: Principles 5, 6, 7, 8
Other matters (cross-border issues, outsourcing): Principles 9, 10
Responsibilities of the board of directors for compliance:
Principle 1: oversight of the management of the bank's compliance risk; approval of the compliance policy; assessment
Responsibilities of senior management for compliance:
Principle 2: responsible for the effective management of the bank's compliance risk
Principle 3: compliance policy; reporting to the board of directors
Principle 4: permanent and effective compliance function
Compliance Function principles:
Principle 5: Independence
> Status
> Head of Compliance
> Conflicts of interest
> Access to information
> Personnel
Principle 6: Resources
Principle 7: Responsibilities
> Advise senior management
> Guidance & education
> Identification, measurement & assessment of compliance risk
> Monitoring, testing & reporting
> Statutory responsibilities and liaison
> Compliance programme
Principle 8: Relationship with Internal Audit
> Periodic review of the compliance activities
> Separate functions
Principle 9: Cross-border issues
> All jurisdictions, when there are subsidiaries & branches abroad
> Legal & regulatory requirements of the host jurisdiction
> Procedures to assess increased reputational risk
Principle 10: Outsourcing
> Core activity: specific tasks may be outsourced, but with appropriate oversight
Manage the compliance function
IMPLEMENT A REGULATORY WATCH
> Reasons: non-compliance with laws, regulations, authorities' instructions, professional standards
> Consequences: judicial or administrative sanction; financial loss; reputation damage
Source: Implementation of the compliance principles, August 2008, Basel Committee on Banking Supervision
Manage the compliance function
(Figure: risks surrounding expected profits: solvency risk, credit risk, operating risk, interest rate risk, liquidity and funding risk, technology risk, foreign currency risk, overhead risk, market risk, settlements/payments risk, regulatory risk, inflation risk)
Manage the compliance function
WHO IS IN CHARGE OF THE COMPLIANCE FUNCTION?
Compliance function = staff with compliance responsibilities
Approach: "tone from the top", but everyone is involved!
BOARD OF DIRECTORS:
- Promote a compliance CULTURE
- Determine the compliance PRINCIPLES
- Approve the POLICY and the CHARTER
- Ensure, on a regular basis, that the institution has an adequate Compliance Function
- Assess on a yearly basis the management of compliance risk
- Ensure that the Compliance Function has the right to directly contact the Chairman of the Board of directors
- Ensure that the Compliance Function has the right to have recourse to the services of external experts
SENIOR MANAGEMENT:
- Set up a Compliance function in accordance with the applicable regulations
- Designate a member of senior management in charge of the Compliance function
- Implement the Compliance POLICY
- Ensure, on a regular basis, the implementation of and respect for the Compliance POLICY
- Inform the board of directors, at least once a year, on the status of Compliance
Manage the compliance function
PRINCIPLES TO ADOPT & RESPECT
> Independence
> Resources: respect for the principle of proportionality (size, nature & complexity of the activities of the institution)
> Competence. Heads of Compliance should:
- have substantial business experience
- be able to communicate and to deliver training
- be familiar with laws, regulations & relevant compliance standards
- be familiar with research in business ethics and compliance
- understand the risk management process
- understand the auditing process
- have project management skills
- have substantial management experience
- be able to motivate people
- be connected to company operations
- be able to network and establish positive & effective relationships with other key functions
- have the authority to have decisions & recommendations taken seriously at all levels of the organisation
Source: Ethics Resource Center, 08/2007
Manage the compliance function
RESPONSIBILITIES OF THE COMPLIANCE FUNCTION (1)
- Identify and assess compliance risk
- Identify the applicable rules / regulatory watch
- Set up procedures and instructions to implement the Compliance policy
- Be involved and consulted when internal control procedures are implemented
RESPONSIBILITIES OF THE COMPLIANCE FUNCTION (2)
- Monitor regularly the respect of the Compliance policy (in cooperation with Internal Audit)
- Centralise the information on compliance issues
- Analyse compliance issues; recommend corrective measures to address failures and deficiencies
- Ensure the follow-up of detected issues: action plan
- Assist and advise senior management
RESPONSIBILITIES OF THE COMPLIANCE FUNCTION (3)
- Raise staff awareness of Compliance & develop a training programme
- Communicate with the authorities regarding AML/CFT, MAD (Market Abuse Directive), fraud, ...
- Document the work carried out in order to track interventions and conclusions
- Report to senior management and, as the case may be, to the board of directors of the institution
IMPLEMENT A COMPLIANCE PROGRAMME
- Focus on compliance risk
- Focus on regulatory watch
- Focus on the manual of compliance
Other key compliance issues
Prevention of money laundering
Corruption
Insider trading & market manipulation
Financial market regulations
Data protection
Some practitioner views on the interrelationship of Audit Committee with Internal Audit and Compliance
Principles of setting up Audit Committees
Adopting the AC charter: inspiration from CG (corporate governance) principles.
Main variables:
- Committee of the board: principles of equality of duties of all board members and collective responsibility
- Duties: examine the effectiveness of financial reporting, internal control and risk management; approve the audit plan/budget; monitor its execution
- Composition: independent / non-executive only; accounting background / skills map
- Chairman: independent only / accounting competence
- Secretariat: usually provided by the Corporate Secretariat
Source: ecoDa - Audit Committee Guidance for European Companies - Version 2011
Principles of setting up Audit Committees
Other main variables of the AC charter:
- Attendance
- Frequency [see below]
- Agenda [see below]
- Evaluation: frequency usually yearly; methodology: form vs substance / external vs self-assessment
- Hierarchy: reporting to the board / disclosure in the annual report [CG section]
- Relationship management with: group audit [if applicable], external auditors, internal audit, legal and compliance, risk management
Role of the Chairman: preparation of AC meetings
Physical meeting 2-3 weeks in advance of the AC meeting.
Attendance: head of internal audit, plus external audit senior partner, plus corporate secretary, plus experts on demand.
Scope: verify the minutes of previous AC meetings, verify the action points of previous AC meetings, review the AC meeting agenda, review the documents already tabled, convene experts to attend and specify other required documentation. Plus logistics.
Time required: 1-2 hours
Process of Audit Committees: Holding AC meetings
Agenda table: the columns are Corporate Secretary & Chair, CFO, External Audit, Internal Audit, Chief Risk Officer and Chief Compliance Officer; each agenda item is marked with an X in the column of the participant who owns it. Agenda items:
- Internal audit report, including the management letter, review of the latest audit missions, status of missions rated unsatisfactory, review of the current audit plan, adequacy of audit resources, approval of next year's audit plan, etc.
- Compliance quarterly report, including follow-up of the previous period, incident reports, relations with authorities and regulators, regulatory news.
- Global Risk Management reports, including evolutions in the RM organisation and structure, review of the RM charter, specific reports from the financial risk committees [ALM; counterparty; pricing and valuation of assets], and reports and statistics on operational risks [including the Basel II dimension].
- Report on the self-assessment of AC members; proposals for review of the AC principles/charter.
- Any other business.
Audit Committees in practice: practical lessons that may have to be learned
On the "Plus" side
• Bring expert views and judgement to management.
• Independent review: "checks and balances".
• Delegation: take load off the board's shoulders.
• Create corporate self-discipline.
• Facilitate communication and authority between all experts.
• Contribute to harmonising audit processes within a group.
On the "Minus" side
• The AC did not prevent the occurrence of significant financial, counterparty and fraud risks.
• Board delegation to the AC may create a loss of ownership of accounting, audit and risk issues at board level.
• An expensive process, better tailored to larger industrial and financial groups. Models for SMEs are still to be developed.
• Audit competence gap among board members. Continuing education is needed in most countries.