Comprehensive Audit Plan Issues - Essay Example

Please replace the header with – your page number> COMPREHENSIVE AUDITING LLC INTERNAL MEMORANDUM 23 September 2008 Memo The Chairman, Green Banking Group Limited Memo from: Subject: Audit Planning Memorandum for Green Banking Group Limited Table of Contents: Introduction: The objective of this document is to propose an audit plan pertaining to Known and Emerging Risks in Green Banking Group Limited (GBG). Green Banking Group Limited has demonstrated a sustained performance in the market pertaining to their core area of cost effective services to small-to-medium enterprises and households. Overall, the Bank has demonstrated high quality of service commitments to their customers while successfully reducing their operating costs. In this Financial Year, the Bank has invested in technology enhancements such that the core operating system has been replaced by a new one that is expected to provide highly efficient and secured transactions from the following three points of sales of the Bank: 1. Electronic Funds Transfer at Point of Sale (EFTPOS) 2. Automatic Teller Machines (ATM) 3. Internet Banking (IB) The 500 bank tellers have been made redundant and hence shall be out of the scope of this audit. Assessment of Known and Emerging Risks in the Bank: Historically, the bank has faced the following impacts on the business: (a) Inherent Risk: The federal government withdrew funding from the sustainable living program that was launched by the bank on discounted lending rates. The impact of Bank business is not direct because the funding from government was directly to the borrowers (this is an assumption here!!). However the discounts offered by Bank now will not be adequate to reduce cost to consumers which means the applications of Home Loan will reduce once again. The withdrawal of its funding by the Government was a measure to cut expenses which was unexpected and hence the Risk is taken as Inherent. The risk, however, is proposed to be converted to an Empirical Risk and logged under the known Business Risks whereby the methodology will be addressed by the audit team. (b) Technology outage in one of the locations: This outage caused inconsistency in the bank transactions and unwarranted embarrassment to the Customers. A Technology Risk that directly impact Customers has cascaded effect on reputation loss and hence causing exposure to a business risk. The incident analysis, root cause analysis, corrective actions and preventive actions performed by the Bank pertaining to this incident is proposed to be assessed by the audit team. The Technology Risks will be assessed by the auditors to verify the proactive controls in place and the control effectiveness measurement shall be undertaken (Basel Committee on Banking Supervision, 2003). (c) Money Laundering by one of the employees and more cases of Money laundering suspected in the Bank: This event has brought to surface gaps in management of economic risks, business risks, & audit risks due to weakness in control & detection of risks due to fraudulent activities. The bank has lost money and lost reputation in market (can cause impact to business) due to weak controls of fraud detection & prevention. All the controls of Fraud detection and prevention are proposed to be analyzed along with the bank’s current internal auditing mechanisms (Basel Committee on Banking Supervision, 2003). (d) The overall Banking industry is facing a downturn due to Inflation and GBG is not an exception. Hence Non-Performing Assets (loans and credits facing re-payment defaults) are expected to expose the Bank to financial risks that can harm the Bank’s business. Given the current market dynamics, it is important for the Bank to focus on reducing the Non-Performing Assets. An analysis of Financial Risks pertaining to the NPAs is recommended to be carried out as a part of this auditing process. (How Healthy are big US banks, Business Week – 2008) (e) The Bank has deployed a new technology infrastructure that has been interfaced with the existing Point of Sales: The auditing team is proposed to assess the Tests, Change Management and Make-Live management carried out to implement the new technology in order to assess how the technology risks, data security risks and customer service risks (under operations risks) were taken care of. Also, it is proposed to assess the activity logging & internal auditing data generated by the new audit system to detect & prevent frauds proactively (Basel Committee on Banking Supervision, 2003). Special emphasis would be given to verify the compliance to the applicable regulations and legislations of the Government as applicable to the above mentioned areas. Assessment of Bank’s Risk Management and Governance procedure: Given the current challenges to sustain the reputation and current market dynamics, it is important for the Bank to have a Proactive Risk Management and Governance framework. A reactive approach in this area itself is viewed as a High Risk to the Bank. The Audit Team will comprise of a certified Assets and Information Risk Management professional. The procedure of Bank’s current Risk Management and Governance procedure shall be mapped with the ISO/IEC 27005:2008 standard (www.bsi-global.com) and the recommendations of the Risk Management Guides available on the Australian Standard 4360 Risk Management Portal (New Australian Standard for Risk Management, 1995). The Risk Management audit will be conducted to verify the Bank’s methodology to evaluate Asset Values, Threat Values, Impact Values, Probability Values, Vulnerability Values, Risk Values, application of controls and verification of effectiveness of the controls. (Gray, Stoneburner, Goguen, Alice et al, 2002) Assessment of Bank’s compliance to Payment Card Industry Data Security Standard (PCI DSS): This auditing standard is applicable to all organizations that process payments via electronically via points of sales (POS). The Bank has deployed a new technology operating system serving the point of sales. Hence, it is important to re-visit Bank’s compliance level to requirements 1 through 12 of Payment Card Industry Data Security Standard version 1-1. The audit team shall comprise of a certified and experienced PCI auditor who shall use the recommended checklist by the PCI Council. The compliance to the standard shall be verified pertaining to all Points of Sales offered by the Bank viz., EFTPOS, ATM and IB. The version 1-1 of the standard is enclosed along with this Audit Proposal. (PCI Security Standards Council, 2008; Mastercard International, 2005) Assessment of Bank’s Fraud and Money Laundering detection & prevention: The audit team shall have an anti-Fraud expert who has dealt with Money Laundering cases in the past. With the help of this expert, the policies and procedures implemented in the Anti-Fraud and Anti-Money laundering department will be analyzed thoroughly and global best practices in these areas shall be recommended. The practices in these departments would be linked back to the Internal Auditing Framework (on-line activity logging & monitoring), Risk Management and Governance system to verify the proactive controls implemented by this department. Assessment of Bank’s existing Non-Performing Assets: Given the current market dynamics, the audit team shall verify the Non-Performing Assets (Loans in which the repayments have stopped coming from the borrower) very closely and map with the existing Finance Risk Appetite of the Bank. A specialist in this area is proposed to be included in the Audit Team. The Audit Controller has already been provided details of the transactions and Customer accounts which are required to be verified thoroughly to estimate the current Risk Appetite of the Bank. Based on the analysis, the Bank will be advised to reduce the NPAs if required. Proposed Audit Plan: The Audit shall be managed by a designated Audit Controller who shall lead a team of subject matter experts pertaining to Risk Management, PCI DSS, Fraud & Money Laundering prevention and NPA analysis. The Audit plan is proposed as under: Audit Area Auditees Required Audit Records Proposed time to Audit Risk Management and Governance Risk and Compliance Manager, Internal Audit Team, randomly selected Risk Management team members. Risk management Governance, Risk Review by Management, Risk Approval process, Risk Mitigation Process, Control Effectiveness Measurement process, Internal Audit process, Corrective Action process, and Preventive Actions process. 6 Man-Days Technology Risks, Business Risks, Finance Risks, Economic Risks, Audit Risks, Customer Service Risks (under Operations Risks) and Business Risks Risk and Compliance Manager, Internal Audit Team, randomly selected Risk Management team members. Risk assessment & management procedure in all these areas, Risk Analysis sheets, Approved Risk Acceptance documents, Risk Mitigation Plan, Control Effectiveness Measurement sheets, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 6 Man Days Compliance to PCI DSS Chief Technology Officer, All Technology Heads, randomly selected IT team members. IT Policy Document, Design documents, Standard Operating Procedures, Process Maps, Logsheets, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 10 Man-Days Fraud and Money Laundering detection and prevention Fraud Control Manager, Money Laundering Control Management, randomly selected team members Standard Operating Procedures, Process Maps, Logsheets, Checkpoints, Incident Management system, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 6 Man-Days Non-Performing Assets Chief Financial Officer, randomly selected Financial Controllers. NPA reports being submitted to government, existing P&L, Future Hypothecations based on trend analysis and current scenarios, Internal Audit reports, Corrective Actions taken, Preventive Actions Taken. 4 Man-Days Total proposed time to Audit 32 Man-Days The Audit methodology would involve on-site sampling, physical visits, verification of papers and interviewing. If the internal Risk Management has detected more serious risks, they would be included in the scope and request for increase of Man-days shall be put forward. The final report would be submitted within 15 working days from the last day of the audit. Conclusion: Given the changing economic & political scenarios and known & emerging risks to the Bank due to external as well as internal factors, the audit team hereby presents a detailed assessment of Bank’s internal governance model, auditing system, the risks proposed in the scope such that the Bank can be appropriately advised on the mitigations, corrective actions & preventive actions. Compliance to PCI DSS and ISO 27005 standards would be assessed to ensure that the risk governance framework is covered end to end in line with the Global Standards and best practices. The Audit team shall comprise of industry experts in these areas thus ensuring very high quality of results as an outcome of this auditing process. Sincerely The Audit Controller and the Audit Team References: Harvard – A Guide to referencing, Victoria University 2002, A new school of thought, Australia New Australian Standard for Risk Management. 15 September 2008. < http://www.riskmanagement.com.au/News/NewAustralianStandardforRiskManagement/tabid/152/Default.aspx> 1995. Risk Management and Governance, ISO/IEC 27005:2008, released in year 2008. < http://www.bsiglobal.com> Payment Card Industry (PCI) Data Security Standard (DSS). PCI Security Standards Council, 2008. Payment Card Industry (PCI) Data Security Standard (DSS). MasterCard International, 2005. Risk Management Principles of Electronic banking. Basel Committee on Banking Supervision. Bank for International settlements. 2003. Gray, Stoneburner, Goguen, Alice et al. Risk Management Guide for Information Technology Systems. Recommendations of National Institute of Standards and Technology. US Department of Commerce. 2002. How Healthy and Big US Banks, Business Week, McGraw-Hill Company, 2008 In addition to the cited references, I would like to extend my special thanks to all those who extended to me knowledge and information that helped me to put together this paper. On their request, their names have not been published herewith. End of Document Read More