Internal Audit and the Compliance Function Slavko Rakocevic

Upload: sabina-townsend

Post on 25-Dec-2015

Page 1: Internal Audit and the Compliance Function Slavko Rakocevic

Internal Audit and the Compliance Function

Slavko Rakocevic

INTERNAL AUDIT AND COMPLIANCE FUNCTION

INTERACTION WITH THE AUDIT COMMITTEE

Dr. Slavko Rakočević, licensed auditor

IIA MONTENEGRO Chairman

Member of the Auditing Committee-ECIIA Brussels

Head of Internal Audit at “Wiener Stadtische Insurance” Montenegro

Head of Compliance Function at “Hipotekarna Bank” Montenegro

[Figure: Three Lines of Defence Model. Labels: Board / Audit Committee; Senior Management; 1st Line of Defence; 2nd Line of Defence; 3rd Line of Defence; Operational Management; Internal Controls; Risk Management; Compliance; Others; Internal Audit; External Audit.]

Source: http://www.eciia.eu/

INTERNATIONAL INITIATIVES

1. Directive 2006/43/EC of 17 May 2006 on statutory audits of annual accounts and consolidated accounts

2. The European Parliament resolution on corporate governance in financial institutions and remuneration policies - 2010/2303(INI) - 11/05/2011

3. Compliance and the compliance function in banks - April 2005

4. Fundamentals of GRC: The Connected Roles of Internal Audit and Compliance (IIA & Thomson Reuters - 2011)

5. The Audit Committee: Internal Audit Oversight (IIA - 2011)

6. ecoDa - Audit Committee Guidance for European Companies - Version 2011

EU DIRECTIVE 2006/43/EC on statutory audits of annual accounts and consolidated accounts

Article 41: Each public-interest entity shall have an audit committee.

At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing.

Article 41(2b): ... monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems.

European Parliament resolution of 11 May 2011 on corporate governance in financial institutions (2010/2303(INI))

Article 56: three-way dialogue between supervisors, auditors (both internal and external) and institutions would improve the likelihood of substantial or systemic risk being detected at an early stage.

It is the Board and Internal Auditor's responsibility to ensure that necessary internal controls are in place to detect systemic risks and to establish a procedure for informing the board and supervisors of these risks in order to avoid negative consequences;

Source: http://www.europarl.europa.eu

ERM-ECIIA view and response

Source: http://www.coso.org/ The Role of Internal Audit in Enterprise-wide Risk Management.

[Figure: ERM framework diagram. Labels: Strategic; Operations; Reporting; Compliance; Entity-Level; Division; Business Unit; Subsidiary; Internal Environment; Objective Setting; Risk Identification, Assessment and Response; Control Activities; Information & Communication; Monitoring.]

Three Lines of Defense Model

3rd Line of Defense: Audit Committee, Internal Audit

2nd Line of Defense: Chief Risk Officer, Compliance Officer, CFO, Security, Quality

1st Line of Defense: Business Management

Reporting goes beyond financial reporting control: a system for consistent reporting on risk and risk management systems

A Recommendation to the European Commission

Increasing board responsibility by country legislation or the comply or explain approach

Source: COSO (January 2012), Enterprise Risk Management - Understanding and Communicating Risk Appetite

COMPLIANCE FUNCTION

Internal Control

External Audit

Internal Audit

Compliance

Nature and purpose of the compliance function

compliance principles (code of conduct)

compliance policy

compliance charter

The compliance policy

This Compliance policy is laid down in writing and contains:

- the main aspects of the compliance risk,
- explain the principles laid down by the board of directors,
- establish the Compliance function and define its goals and independence,
- require the drawing up of a charter,
- institute the implementation of a continuous training programme.

Note: The policy need not detail all the laws, regulations, circulars and other applicable codes, but it shall lay down the main principles to follow.

The compliance charter

The charter shall at least°:

- set forth the objectives of the Compliance function;
- define its responsibilities and role;
- establish its independence and permanence;
- describe the relationship with other departments and functions as well as any need of delegation and/or coordination;
- grant the Compliance function the access right to any information necessary to carry out its responsibilities;

°Note: Very similar to an audit charter

The compliance charter

The charter shall at least:

- acknowledge its right to conduct investigations;
- define the reporting lines;
- establish the right to contact senior management, and, where applicable, the Chairman of the board or the members of an audit committee or a Compliance committee;
- define the conditions in which the function can have recourse to external experts.

Note: All changes to be approved by the board of directors.

General theory of compliance

COMPLIANCE ASPECTS

Starts at the TOP

Promotion of a compliance culture …

…. everyone is concerned

scope of topics to be covered by compliance function

Compliance and the compliance function

BASEL COMMITTEE PRINCIPLES

10 PRINCIPLES - April 2005

Responsibilities of the board of directors for compliance:

Principle 1

Responsibilities of senior management for compliance:

Principles 2, 3, 4

Compliance Function principles:

Principles 5, 6, 7, 8

Other matters: cross-border issues, outsourcing - Principles 9, 10

BASEL COMMITTEE PRINCIPLES

Responsibilities of the board of directors for compliance:

Principle 1:

- Oversight management of the bank’s compliance risk
- Approve compliance policy
- Assessment

BASEL COMMITTEE PRINCIPLES

Responsibilities of senior management for compliance:

Principle 2:

- Responsible for effective management of the bank’s compliance risk

Principle 3:

- Compliance policy
- Reporting to the board of directors

Principle 4:

- Permanent and effective compliance function

BASEL COMMITTEE PRINCIPLES

Compliance Function principles:

Principle 5 :

- Independence

> Status

> Head of Compliance

> Conflicts of interest

> Access to Information

> Personnel

BASEL COMMITTEE PRINCIPLES

Compliance Function principles:

Principle 6:

- Resources

Principle 7:

- Responsibilities

> Advise senior management

> Guidance & education

> Identification, measurement & assessment of compliance risk

> Monitoring, testing & reporting

> Statutory responsibilities and liaison

> Compliance programme

BASEL COMMITTEE PRINCIPLES

Principle 8:

- Relationship with Internal Audit

> Periodic review of the compliance activities

> Separate functions

Principle 9:

- Cross border issues

> all jurisdictions when subsidiaries & branches abroad

> legal & regulatory requirements of the host jurisdiction

> procedures to assess increased reputational risk

Principle 10:

- Outsourcing

> Core activity

> Specific tasks may be outsourced but appropriate oversight

Manage the compliance function

IMPLEMENT A REGULATORY WATCH

> Reasons:

Non-compliant with the laws, regulations, authorities' instructions, professional standards

> Consequences:

- Judicial, administrative sanction
- Financial loss
- Reputation damage

Implementation of the compliance principles August 2008 - Basel Committee on Banking Supervision

Manage the compliance function

Expected profits

Solvency risk

Credit risk

Operating risk

Interest rate risk

Liquidity and funding risk

Technology risk

Foreign currency risk

Overhead risk

Market risk

Settlements/payments risk

Regulatory risk

Inflation risk

Manage the compliance function

WHO IS IN CHARGE OF THE COMPLIANCE FUNCTION?

Compliance function = staff with compliance responsibilities

Approach « tone from the top », but everyone is involved!

BOARD OF DIRECTORS:

- Promote a compliance CULTURE
- Determine the compliance PRINCIPLES
- Approve the POLICY and the CHARTER

Manage the compliance function

WHO IS IN CHARGE OF THE COMPLIANCE FUNCTION?

Approach « tone from the top », but everyone is involved!

BOARD OF DIRECTORS:

- Ensure, on a regular basis, that the institution has an adequate Compliance Function
- Assess on yearly basis the management of the Compliance risk
- Ensure that the Compliance function has a right to directly contact the Chairman of the Board of directors
- Ensure that the Compliance Function has a right to recourse to the services of external experts

Manage the compliance function

WHO IS IN CHARGE OF THE COMPLIANCE FUNCTION?

Approach « tone from the top », but everyone is involved!

SENIOR MANAGEMENT:

Set-up of a Compliance function in accordance with the applicable regulations

Designate a person of the senior management in charge of the Compliance function

Manage the compliance function

WHO IS IN CHARGE OF THE COMPLIANCE FUNCTION?

SENIOR MANAGEMENT:

Implement the Compliance POLICY

Ensure, on a regular basis, the implementation and respect of the Compliance POLICY

Inform, at least once a year, the board of directors on the status of Compliance

Manage the compliance function

PRINCIPLES TO ADOPT & RESPECT

> Independence

> Resources: respect of the principle of proportionality: size, nature & complexity of the activities of the institution

> Competence

Heads of Compliance should:

- have substantial business experience
- be able to communicate, to deliver training
- be familiar with laws, regulations & relevant compliance standards
- be familiar with research in business ethics and compliance
- understand the risk management process
- understand the auditing process

Manage the compliance function

PRINCIPLES TO ADOPT & RESPECT

Heads of Compliance should:

- have project management skills
- have substantial management experience
- be able to motivate people
- be connected to company operations
- be able to network, establish positive & effective relationships with other key functions
- have the authority to have decisions & recommendations taken seriously at all levels of the organisation

Source: Ethics Resource Center, 08/2007

Manage the compliance function

RESPONSIBILITIES OF THE COMPLIANCE FUNCTION (1)

Identify and assess the compliance risk

Identify the applicable rules / regulatory watch

Set-up of procedures and instructions to implement the Compliance policy

Be involved and consulted when internal control procedures are implemented

Manage the compliance function

RESPONSIBILITIES OF THE COMPLIANCE FUNCTION (2)

Monitor regularly the respect of the Compliance policy (cooperation with Internal Audit)

Centralise the information on compliance issues

Analyse the Compliance issues, recommend corrective measures to address failures and deficiencies

Ensure the follow up of detected issues : action plan

Assist and advise senior management

Manage the compliance function

RESPONSIBILITIES OF THE COMPLIANCE FUNCTION (3)

Raise awareness of staff to Compliance & develop a training programme

Communicate with the authorities re. AML/CFT, MAD, fraud, ...

Document the work carried out in order to track the interventions and the conclusions

Report to senior management and as the case may be to the board of directors of the institution

IMPLEMENT A COMPLIANCE PROGRAMME

FOCUS ON COMPLIANCE RISK

FOCUS ON REGULATORY WATCH

FOCUS ON MANUAL OF COMPLIANCE

Other key compliance issues

Prevention of money laundering

Corruption

Insider trading & market manipulation

Financial market regulations

Data protection

Some practitioner views on the interrelationship of Audit Committee with Internal Audit and Compliance

Principles of setting up Audit Committees

Adopting the AC chart / inspiration from CG principles.

Main variables:

Committee of the board: principles of equality of duties of all board members and collectivity of responsibilities

Duties: examine the effectiveness of financial reporting, internal control and risk management. Approve all the audit plan/budget. Monitor its execution.

Composition: Independent / non-executive only. Accounting background / Skills map.

Chairman: independent only / accounting competence

Secretariat: usually provided by the Corporate Secretariat

ecoDa - Audit Committee Guidance for European Companies - Version 2011

Principles of setting up Audit Committees

Other main variables of AC Chart

Attendance

Frequency [See below]

Agenda [see below]

Evaluation: Frequency: usually yearly. Methodology: forms vs substance / external vs self-assessment

Hierarchy: Reporting to the board / Disclosure in annual report [CG section]

Relationship management with:

Group audit [if applicable]

External auditors

Internal audit

Legal and compliance

Risk Management

Role of the Chairman: Preparation of AC meetings

Physical meeting 2-3 weeks in advance of AC meeting.

Attendance: internal audit head, plus external audit senior partner, plus corporate secretary, plus on demand experts.

Scope: verify minutes of previous AC meetings, verify action points of previous AC meetings, review the AC meeting agenda, overview existing tabled documents, convene experts in attendance and specify other required documentation. Plus logistics.

Time required: 1-2 hours

Role of the Chairman: Preparation of AC meetings

Agenda item | C.Secr. & Chair | CFO | External Audit | Internal Audit | Chief Risk Officer | Chief Compliance

Internal audit report including management letter, review of latest audit missions, status of unsatisfactory rated missions, review of current audit plan, adequacy of audit resources, approval of next year audit plan, etc.

X

Compliance quarterly report including follow up of previous period, incident reports, relations with authorities and regulators; regulatory news.

X

Process of Audit Committees: Holding AC meetings

Agenda item | C.Secr. & Chair | CFO | External Audit | Internal Audit | Chief Risk Officer | Chief Compliance

Global Risk Management reports including evolutions in RM organization and structure, review of RM charter as well as specific reports on financial risks committees [ALM; counterparty; pricing and valuation of assets] and reports and statistics on operational risks [including Basel II dimension].

X

Process of Audit Committees: Holding AC meetings

Agenda item | Chairman | CFO | External Audit | Internal Audit | Chief Risk Officer | Chief Compliance

Report on self-assessment of AC members; proposals for review of the principles/chart of AC

X

Any other business

X

Audit Committee in practice

Practical lessons that may have to be learned

On the « Plus » side

• Bring to management expert views and judgment.

• Independent review: « checks and balances »

• Delegation: take load from the board shoulders

• Create corporate self-discipline

• Facilitate communication and authority between all experts

• Contribute to harmonize audit processes within a group

On the « Minus » side

• AC did not prevent occurrence of significant financial, counterparty and fraud risks.

• Board delegation to AC may create loss of ownership on accounting, audit and risk issues at level of board.

• Expensive process better tailored for larger industrial and financial groups. Models for SME to be developed.

• Audit competence gap among board members. Continuing education need in most countries.

Thank you for your attention!!

QUESTIONS ???
