Research various global financial services organizations (for example, UBS AG, E-Trade, Schwab, ING, Bank of America, HSBC, RBS) through their company websites and other publicly available information (annual report, 10-K, press releases, etc.). Pay particular attention to the regulatory environments that each organization operates within. Document each organization’s mission, vision, and strategy:
■ How are BUS’s mission, vision, and strategy similar to other global financial services organizations?
■ How are they different?
■ What are the factors that drive the similarities and differences?
■ How do you think these differences affect BUS’s ability to compete globally with other financial services organizations?
■ How do you think these differences affect the growth-related change initiatives established by BUS?
Internal consulting engagements vary dramatically by internal audit function, environment, and organization. As chapter 15, “The Consulting Engagement,” makes clear, the internal audit function is uniquely positioned to add value and make an impact on the organization when performing consulting engagements. The current increased focus on an organization’s system of internal controls by regulators, independent outside auditors, and management means that internal audit functions are asked more frequently to provide advice, facilitate activities, and train managers on the effective design, implementation, and operation of governance, risk management, and internal control processes. This case study uses a fictional, multinational financial institution as the context within which to explore a number of those consulting opportunities that real-world organizations pursue as they address the issues they are struggling with today. Through these engagements, the internal audit function may provide the organization insight regarding significant events or provide additional assurance related to an area where additional assurance is desired. The case study scenarios can be performed separately and do not have to be assigned in a specific order.
Although each internal audit function approaches consulting engagements differently, this case study is designed to familiarize students with a wide spectrum of scenarios in which consulting engagements are applicable and the many ways that internal audit functions customize consulting engagements to the specific needs of an organization. Students will be presented with many opportunities in this case study to apply the material contained in chapter 15. Because consulting engagements are often done on a one-time basis and have not been performed before, they require extensive research and planning. And, just as internal auditors are required to have their research prepared in advance of a consulting engagement, the same is expected of students before they begin this case study. Because this case study simulates the environment of the financial services industry, students should do as much research as is required for them to have an understanding of the financial services industry and be able to quickly access the knowledge acquired as needed throughout the case study.
In today’s environment, many internal audit functions are increasing the priority of consulting engagements due to the added value they bring to an organization. This case study was developed to prepare students for the increased focus organizations are placing on consulting engagements and is intended for use by practitioners and academic instructors. This advanced case study incorporates many of the concepts covered throughout the various chapters in the textbook. The authors recommend that it be completed in conjunction with chapter 15 and after chapter 3, “Governance,” chapter 4, “Risk Management,” and chapter 5, “Business Processes and Risks.”
As indicated in chapter 15, many engagements can be considered blended consulting engagements since they contain both consulting and assurance elements. The authors believe this is so common that the examples and activities in this case study are designed to illustrate how engagements can contain both elements.
PERFORMING RISK ASSESSMENTS
Chapter 4 details the process by which senior management and the board of directors manage the risks inherent in an organization’s business model. The internal audit function is pivotal in this process and performs assurance and consulting activities designed to provide feedback and advice to management on the design adequacy and operating effectiveness of the system of internal controls in place to help an organization effectively carry out its strategy. These assurance and consulting activities assist management with the identification of potential weaknesses in the system of internal controls that are relied upon to mitigate risks that could prevent the achievement of key business objectives.
The board of directors is responsible for providing strategic direction and guidance, relative to the establishment of key business objectives, consistent with the organization’s business model. Directors bring varied and diverse business experience to the board and, thus, are in a position to provide the strategic direction and guidance that will help ensure the organization is successful. The board can also influence the organization’s risk-taking philosophy and establish broad boundaries of conduct based on the organization’s overall risk appetite and cultural values.
As discussed in chapter 3, the board of directors is also responsible for providing governance oversight. It is in this area of responsibility that the internal audit function has the most direct opportunity to add value. The board of directors provides direction to management, empowers them with the authority to take action, and oversees the overall results of operations. Both senior executives and line management play important, but different, roles in day-to-day governance through their respective risk management activities. The internal audit function provides management and the board with assurances regarding the effectiveness of governance activities.
In addition to providing assurance services to the organization, the internal audit function adds value by performing consulting services at the board’s or management’s request. Such consulting services often help the board and management make decisions regarding which activities designed to achieve strategic objectives align with management’s risk appetite.
Chapter 5 outlines how organizations structure their business activities and initiatives designed to implement their strategy and achieve their business (organizational) objectives. As organizations plan these activities, they also must identify the potential risks that are introduced and manage those risks to acceptable levels. The internal audit function can be integral in this process by performing risk-based assurance and consulting engagements that are aligned with the organization’s business risk profile.
Internal audit functions often participate in, or even facilitate management’s performance of, a risk assessment in which risks are assessed in terms of impact and likelihood at an organizational level. Both impact and likelihood are determined using a scale. These scales often are expressed using three or five categories. A three-category scale for impact might include high, medium, and low, whereas a five-category scale might include extreme and negligible in addition to the categories mentioned above. Whether three or five categories are used, they are typically defined in greater detail. If they are defined in terms of financial impact, each category delineates the range of dollars (an example is shown in exhibit CS3-1, which is taken from exhibit 5-8 in chapter 5). The categories of impact also might reflect degrees of injury, impact on reputation, etc. Similarly, likelihood, which is evaluated by assessing the probability of an event happening, is also broken into three or five categories. For likelihood, a three-category scale might include unlikely, possible, and probable with a five-category scale including remote and certain in addition to the categories in a three-category scale. As with impact, the categories for likelihood are often defined more specifically. For example, likelihood might be expressed in percentages as shown in exhibit CS3-1.
Regardless of how an organization chooses to define the categories for impact and likelihood, this process allows risks at an organizational level to be plotted on a matrix and assessed in terms of both impact and likelihood, providing a truer picture of the risk events the organization faces than if they were evaluated only in terms of one or the other. Exhibit CS3-1 is a visual depiction of this risk assessment model.
As stated in chapter 5, once the major risks have been identified, management can then consider their importance and link risk events to the business activities and initiatives identified to achieve the organization’s strategic business objectives. Once the risks facing the organization have been linked to the strategic business activities and initiatives, the members of senior management prioritize the initiatives and provide direction to line management on efforts necessary to achieve the short-term, intermediate, and long-term business objectives.
Once management has prioritized the business activities and initiatives they believe carry the greatest impact on the achievement of the business objectives, the internal audit function will evaluate these activities to determine the initiatives on which their participation will have the greatest impact. The internal audit evaluation (risk assessment) will leverage management’s assessment and prioritization process and is designed to accomplish several purposes, including but not limited to:
● Prioritizing business activities and initiatives subject to internal audit involvement. Such involvement may be through assurance engagements, consulting engagements, or blended engagements.
● Forming a basis for allocating scarce internal audit resources.
● Providing guidance as to the type and timing of internal audit communications.
● Providing management (the engagement customer) with agreed upon input and feedback consistent with engagement expectations.
While the internal audit function’s risk assessment process is similar to management’s assessment and prioritization process, more often than not it evaluates risks based on many more factors than just impact and likelihood. Commonly, the internal audit function’s risk assessment process evaluates each activity or initiative using risk factor models that identify anywhere from seven to 15 factors. Regardless of the number of factors included in a given model, each factor is more precisely defined by assigning scores according to a scale. This scale can be expressed in three, five, or seven categories that are defined according to the risk factor subject to rating. In addition to rating each activity according to degree within each risk factor, internal audit functions often have another component that allows them to more finely prioritize risks. This is done so that the relative importance (or weight) of one factor can be compared to the relative importance of another. For example, weighting may be done by assigning numbers between zero and 100 to each risk factor according to its relative importance such that, when summed, the total equals 100 even though each risk factor is weighted differently according to the importance placed on it. If each of the risk factors is considered to be of equal importance, they would be given the same numeric weighting. Exhibit CS3-2, which is taken from exhibit 5-12 in chapter 5, shows a 10-factor risk model using a three-point scale. It also shows the weights that an internal audit function might apply to the risk factors.
In addition to assigning an overall risk score to each business activity/initiative (potential consulting engagement), some internal audit functions add a subjective priority rating that is applied to each potential consulting engagement according to the importance the internal audit function places on it. The internal audit function will consider management’s assessment and prioritization process results when determining their subjective priority rating. Additionally, the internal audit function will consider the amount of resources required and the skills necessary to perform the consulting engagement, as well as the engagement customer’s needs and expectations.
This subjective priority rating is often expressed in a three-point scale with one as low, two as moderate, and three as high. By applying this subjective priority rating, internal audit functions are able to take both the overall risk score and the subjective priority rating for a given potential consulting engagement and plug it into a rubric that provides guidance on the scope, resource allocations, and reporting requirements for the potential consulting engagement.
Exhibit CS3-3 depicts an illustrative risk model applied to a list of potential consulting and blended consulting engagements with overall risk scores and subjective priority ratings assigned.
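The weighted risk factor model and subjective priority rating described above, worked through as an added example that is not taken from the textbook or its exhibits. The seven factor names, their weights, the ratings, and the ordering rule (overall score first, priority rating as tie-break) are constructed assumptions, since exhibits CS3-2 and CS3-3 and the rubric are not reproduced here.

```python
import math
from dataclasses import dataclass

SCALE = (1, 2, 3)  # three-point scale: 1 = low, 2 = moderate, 3 = high

# Constructed factors and weights (assumption, not exhibit CS3-2).
# Weights express relative importance and must sum to 100.
WEIGHTS = {
    "financial_impact": 20,
    "regulatory_exposure": 20,
    "change_in_systems": 15,
    "complexity": 15,
    "management_concern": 10,
    "time_since_last_review": 10,
    "fraud_potential": 10,
}


@dataclass(frozen=True)
class Engagement:
    name: str
    ratings: dict   # factor name -> rating on SCALE
    priority: int   # subjective priority rating: 1 low, 2 moderate, 3 high


def validate_weights(weights):
    """Reject weight sets that are negative or do not sum to 100."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    total = sum(weights.values())
    if not math.isclose(total, 100):
        raise ValueError(f"weights sum to {total}, expected 100")


def overall_risk_score(ratings, weights):
    """Weighted average of factor ratings; result lies within the scale."""
    validate_weights(weights)
    if set(ratings) != set(weights):
        diff = sorted(set(ratings) ^ set(weights))
        raise ValueError(f"rated factors do not match the model: {diff}")
    for factor, rating in ratings.items():
        if rating not in SCALE:
            raise ValueError(f"{factor}: rating {rating} is off the scale")
    return sum(weights[f] * ratings[f] for f in weights) / 100


def rank(engagements, weights):
    """Order by overall score, then subjective priority (assumed rule)."""
    rows = []
    for e in engagements:
        if e.priority not in SCALE:
            raise ValueError(f"{e.name}: priority {e.priority} is off the scale")
        rows.append((overall_risk_score(e.ratings, weights), e.priority, e.name))
    return sorted(rows, key=lambda r: (-r[0], -r[1], r[2]))


def rate(*values):
    """Helper: pair ratings with the factors in WEIGHTS order."""
    return dict(zip(WEIGHTS, values))


# Constructed sample engagements; ratings and priorities are illustrative.
ENGAGEMENTS = [
    Engagement("Branding Campaign", rate(1, 1, 1, 1, 2, 1, 1), 1),
    Engagement("Single-Login Online Banking", rate(2, 2, 3, 3, 2, 3, 3), 2),
    Engagement("Client Data Conversion", rate(3, 3, 3, 2, 3, 2, 2), 3),
    Engagement("Retail Acquisition Integration", rate(3, 3, 2, 2, 3, 2, 2), 3),
]

if __name__ == "__main__":
    for score, priority, name in rank(ENGAGEMENTS, WEIGHTS):
        print(f"{score:.2f}  priority={priority}  {name}")
```

Two engagements tie on overall score here, which shows why the subjective priority rating is carried alongside the score rather than folded into it.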
PERFORMING CONSULTING ENGAGEMENTS
Based on the prioritization performed above, the internal audit function determines the business activities and initiatives for which consulting engagements will be performed. The internal audit function will attempt to maximize the value provided to management relative to resources committed, perceived risk mitigated, and timeliness of services provided. The goal is to provide management with the information they need to mitigate the risks inherent in the business activities and initiatives intended to carry out the organization’s strategic objectives. Once those consulting engagements have been determined, the internal audit function must act quickly to schedule them and assign resources.
Resources for consulting engagements are allocated in much the same way they are for assurance engagements. Practice Advisory 2230-1 advises that when determining the appropriateness and sufficiency of resources, internal auditors should consider “the number and experience level of the internal audit staff” as well as the “knowledge, skills, and other competencies of the internal audit staff.” While the specific skills and experience may differ somewhat from assurance engagements, the thought process for determining appropriate resources must be equally rigorous.
Once the consulting engagements are scheduled and the appropriate resources have been allocated, the internal audit team assigned to each specific consulting engagement must meet with the parties involved to gain a detailed understanding of the engagement customer’s expectations. Standard 2300 states that the internal audit function “must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives.” The success of consulting engagements is highly dependent on the internal audit function’s ability to understand and document the engagement customer’s objectives.
Understanding and documenting the customer’s objectives allows the internal audit function to create an effective and efficient work program. The work program will include the detailed procedures to be performed by the internal audit team that are necessary to accumulate the evidence and documentation required to validate assumptions or test hypotheses discussed with the engagement customer when gaining an understanding of the engagement expectations.
Once the work program has been established, the internal audit team will perform the work outlined in the program. In many cases, the steps and audit procedures may be modified based on additional information or previous work. This is due to the fluid nature of these assignments. As the work is performed, the results should be documented as they become known. This is important for two reasons. First, there needs to be a record of the work performed that will be available to parties who might have an interest at some future point. These parties may include the customer, board of directors, independent outside auditors, regulatory bodies, etc. Second, the internal audit team will rely on the documented results to support advice given in response to the consulting elements of the engagement, and the overall conclusions and recommendations provided to address the assurance elements. Without an accurate record of the work performed, internal auditors have a difficult time substantiating engagement advice and conclusions and formulating meaningful recommendations that add value.
Exhibit CS3-4 illustrates a work program for an engagement that has both a consulting objective and an assurance objective (that is, a blended engagement).
Exhibit CS3-4 Engagement Work Program: Client Data Conversion
Engagement Objectives: As agreed to with management, our objectives are to:
1. Provide advice to the Client Data Conversion Project team on current leading practices for managing data conversion projects.
2. Assess whether the project team completed all steps required by the revised data conversion methodology to support an accurate, effective, and efficient data conversion.
Engagement Customer Objective: The Client Data Conversion Project sponsor stated that his objective is to ensure that systems and processes appropriately support an accurate and timely conversion of client data. This includes:
• The data conversion process must be designed and conducted in a manner consistent with leading practices. This includes documentation of all key judgments and decisions.
• Functional gaps between legacy BUS and Bank of China systems must be identified and addressed.
• Systems and processes must support an accurate and timely conversion of client data (including accounts, assets, and web experience).
• Required regulatory approvals must be obtained to proceed with the Client Data Conversion Project.
• Project, technology, and operational risks must be identified and managed.
Overall Business Risk: Failure to manage effectively the Client Data Conversion Project may result in client data that is not complete and/or accurate, which could adversely impact servicing those clients in the future and result in regulatory fines or sanctions.
Steps to Perform:
• Engagement Objective #1
o Research leading project management and data conversion practices.
o Based on discussions and observations, identify differences between the current data conversion methodology and leading practices. Specifically evaluate planned steps, communications, monitoring, and documentation activities.
o Meet weekly with project management to provide observations and identified gaps between leading practices and the current methodology. Facilitate discussion, as appropriate, to help project management determine which new practices they would like to implement.
• Engagement Objective #2
o Validate that the project team has tested the reliability of automated data conversion routines for mapping of conversion data.
o Assess whether the quality assurance (QA) function has appropriately completed their testing, validation, and documentation to support their signoff.
o Observe mock runs for the conversion projects. Determine whether the project team has initiated appropriate actions to address any issues identified during the mock runs.
o Observe Integration Steering Committee updates on the conversion status and determine whether all key steps are being completed timely.
Record of Work Done:
• Confirmed existing methodology (procedures and controls) with project management team (see working paper (w/p) E.2.20).
• Documented identified gaps between leading data conversion practices and the current data conversion methodology. Also documented discussions about these gaps as part of the weekly meetings with the project team, and their planned implementation actions (see w/p E.2.21-E.2.29).
• Reviewed the automated data conversion routines, noting that they were fully tested and signed off as complete and accurate by the project team (see w/p E.2.40).
• Reviewed the QA test plan for the asset conversion (see w/p E.2.50) and sample documentation used by QA for testing, including balances worksheets (see w/p E.2.51) and file conversion status (see w/p E.2.52). Worked with QA associates while conducting the demographic testing and observed the testing they performed with the source systems. No exceptions noted.
• Observed mock data conversion runs conducted by the project team as part of the conversion simulation for completeness and accuracy (see w/p E.2.60 and E.2.61). Noted with each simulation that errors were identified, tracked, and corrected, and that changes to the timing of key milestones are reasonable. No exceptions noted.
• Confirmed through participation on the Integration Steering Committee that conversion updates were provided and acted upon timely (see w/p E.2.70). No exceptions noted.
Because of the time urgency associated with many consulting engagements, communication to the customer should be frequent during the execution of the engagement. This communication can take many forms, but in the interim stages of the engagement, it is often done orally or through conference calls and/or email. Often, consulting engagement communication is tied to specific dates of importance throughout the engagement (milestones) and key decision points. The type of communications will also be influenced by the scope of the consulting engagement (for example, full-scope, limited-scope, pre-conversion, or post-conversion review).
Communicating final consulting engagement results to the customer is the last step in a consulting engagement. As with the interim communication, the final communication can take on many forms. Often, communicating final engagement results is less formal than it is for assurance engagement results and is often documented in a memorandum rather than in a formal report. The format and formality of the final communication will be driven by what was agreed upon with the customer. In some cases, the customer may require a verbal sign-off, for example, prior to a system conversion or major initiative. This verbal signoff indicates that the internal audit function has completed its engagement steps, adequately reviewed the risks and corresponding controls, and is satisfied that the project should move forward. Representatives from the internal audit function may be included with representatives from a number of other groups required to sign off on a major project. The final communication should include the details of monitoring or follow-up required or agreed upon with the customer. Exhibits CS3-5 and CS3-6 are examples of interim and final communications for a consulting engagement.
Client Data Conversion Project
Review Status and Next Steps
• Data Conversion Methodology
o Completed assessment of data conversion methodology and discussed gaps between the current methodology and leading practices with project team members during weekly meetings.
o Provided advice to project team on actions that will help to address the identified gaps. Based on follow-up discussions, it is our understanding that all contemplated actions have been implemented.
• Data Conversion Project
o Reviewed the automated data conversion routines, noting that they were fully tested and signed off as complete and accurate by the project team.
o Reviewed the QA test plan for the asset conversion and sample documentation used by QA for testing, including balances worksheets and file conversion status. Worked with QA associates while conducting the demographic testing and observed the testing they performed with the source systems. No exceptions noted.
o Participated in first mock run and provided suggestions on ways to address issues that arose during that run.
• The following steps are planned:
o Monitor whether the conversion weekend execution plan is executed in accordance with the plan, including critical path tasks, adequate communications, and timely issue resolution.
o Evaluate the steps performed by the project team to ensure the accuracy and completeness of the account data conversion.
o Monitor the actions carried out relating to position custody conversion (stock, bonds, mutual funds, options, etc.), including physical custody transition and secure, authorized movement of the securities.
o Monitor the steps to ensure an accurate cash management conversion, including cash account ownership transition and secure, authorized movement of cash.
o Obtain evidence of regulatory compliance, including the requirements with respect to net capital calculations.
o Validate that key balancing and reconciliation controls are operating post conversion (such as depository reconciliations).
• Fieldwork to occur over and after conversion weekend.
• We expect to issue our report on or about May 20, 20XX.
Internal audit completed a project agreed to with management in connection with the Bank of China Client Data Conversion Project. The objectives of this project were to (1) provide advice to the Client Data Conversion Project team on current leading practices for managing data conversion projects, and (2) assess whether the project team completed all steps required by the revised data conversion methodology to support an accurate, effective, and efficient data conversion.
Given that management’s objective for the data conversion project was to ensure that systems and processes appropriately support an accurate and timely conversion of client data, we designed our procedures to assess whether:
• The data conversion process was designed and conducted in a manner consistent with leading practices. This includes documentation of all key judgments and decisions.
• Functional gaps between legacy BUS and Bank of China systems were identified and addressed.
• Systems and processes supported an accurate and timely conversion of client data (including accounts, assets, and web experience).
• Required regulatory approvals were obtained to proceed with the data conversion project.
• Project, technology, and operational risks were identified and managed.
Overall, the project was conducted in a manner that is consistent with leading practices. Over the course of the project, we identified several gaps between the current data conversion methodology and leading practices. The project team addressed all identified gaps on a timely basis. Based on the results of the verification procedures we performed, and assuming timely resolution of the significant concerns discussed below, we believe the project team followed all appropriate steps in accordance with their methodology to support an accurate, effective, and efficient data conversion. Therefore, we believe management can prudently move forward with the Bank of China Client Data Conversion scheduled for May 31, 20XX.
CAT Testing – Validation testing for the CAT application has not been completed and there are outstanding defects related to the system. Management has high confidence that testing will be completed and all critical defects will be resolved prior to the conversion of client data.
Functional Gap Completion – Several functional gap items remain open which have been deemed “showstoppers” for the Client Data Conversion Project. Management is actively tracking these items and has high confidence they will be completed prior to conversion weekend.
Regulatory Approval – Regulatory approval to proceed with the Client Data Conversion Project has not been received from FINRA. Approval is anticipated the week of May 24th and management is confident approval will be granted prior to conversion weekend.
The exercise and scenarios in this case study focus on a fictional global financial institution, BUS and subsidiaries (BUS). The financial institution was founded in 1862 and is based in Zurich, Switzerland. BUS recently completed an initiative to reevaluate its business model and corporate directive. As part of this initiative, BUS has updated its corporate mission, vision, and strategy.
In conjunction with this cultural shift, management has recently completed an extensive employee education and awareness program on the new corporate directives and began a marketing effort to make the new mission and vision a part of the organization’s branding and image. See exhibit CS3-7 for BUS’s new corporate mission, vision, and strategy.
BUS’S CORPORATE MISSION, VISION, AND STRATEGY
We are determined to become the bank of choice for our existing and future customers. We will provide our customers with easy access to financial services and products across time zones and continents on a 24/7 basis. Whether our customers want to walk into one of our facilities or access our services online, we’ll be there for them. Whether they want to manage their retirement savings or calculate their net worth, we’ll be there for them. We will combine our sophisticated network systems and our dedicated associates to create a banking experience that is fast, convenient, and productive. Our collaborative work environment will allow us to recruit and retain knowledgeable, committed associates who will continue to create cutting edge financial tools and provide customers with award-winning service. Our commitment to both our customers and our associates will result in dynamic shareholder value.
BUS is committed to providing integrated, one-stop banking products and services to our customers worldwide.
We intend to leverage our one-stop banking approach to significantly increase our customer base by enhancing and expanding our network of retail banking operations worldwide and, specifically, in China and the U.S. We intend to gain a larger share of customer assets by providing them with comprehensive financial services and products through our one-stop banking system that allows for global mobility. We will maintain our low customer attrition by continuing to provide award-winning customer service. Finally, we will increase customer awareness and enhance our global corporate image through a comprehensive branding and advertising campaign that will promote our retail banking offerings and showcase our award-winning customer service and sterling reputation. We will achieve our corporate strategy, in part, through the successful completion of our growth-related change initiatives.
BUS is also in the process of implementing major growth-related initiatives designed to strengthen and expand their new brand and existing client base. See exhibit CS3-8 for BUS’s growth-related change initiatives.
• Change the name of the organization to “Bank of the United Globe” to reflect our global focus.
• Launch an advertising and branding campaign to promote the organization’s new mission, vision, and strategy.
• Educate employees and customers on the new corporate product and service offerings.
• Significantly increase our retail offerings by acquiring existing retail banking operations and physical locations in Asia and the U.S.
• Provide a comprehensive package of financial products and services to meet the needs of individual customers globally.
• Leverage our systems, infrastructure, and global back office operations to provide one-on-one financial advice and account oversight through an expanded retail banking infrastructure.
• Provide a fully integrated online banking environment (one-stop) that includes all retail financial services and products under a single system access login.