Primarily as a result of Basel III, there has been a radical overhaul of risk management departments in recent years. The result is a number of significant risk change projects, including IFRS9 credit risk modelling, the FRTB, BCBS239, ICAAP and ILAAP, amongst others, which have created a major challenge for internal audit. Given the greater complexity of the models and processes in these major risk change projects, internal audit is a key area and ultimately essential to the success of a bank, particularly at a time when many of these projects are nearing implementation and auditing is required to prevent a bank from falling at the last hurdle. Alongside these major projects are the other key focuses for risk audit, whether operational risk issues such as anti-money laundering or the issue of risk culture, and the need to effectively manage resources between risk and risk audit, where the expertise required is the same.
Ahead of the 3rd Edition Risk Audit in Banking conference, we spoke with Dr Michael Schiwietz, Senior Vice President – Internal Audit at UniCredit Bank AG, about continuous auditing and risk audit in banking.
What are the similarities and differences of continuous auditing and continuous monitoring?
To answer this question, let us recall the three lines of defence model and the individual roles of the control layers. Internal audit, as the third line of defence, by its nature is not an ongoing process-related control function. Though particular ongoing activities may support effective auditing, continuous auditing should never end up in assuming responsibility for operational controls. This is the aim of continuous monitoring as part of the controls conducted by risk management, compliance, security, or other second line control functions. Clearly, there might be overlaps and there is no sharp and doctrinaire segregation between continuous auditing and monitoring. Ultimately, it is the purpose behind that makes the difference. Continuous auditing is and remains auditing with the primary aim of identifying relevant control breakdowns rather than single isolated exceptions. Auditors should therefore be careful in keeping this basic understanding in their minds.
Can the concept of continuous auditing be seen as a planning tool or as a new audit type?
Actually, I see the power of continuous auditing in facilitating both audit planning and execution. When it comes to audit planning, both annual and short term, continuous auditing unfolds its potential to facilitate early identification of topical themes, risks, or anomalies. As a result, continuous auditing is an instrument that fosters and hollows effective risk-based planning. At the same time, a rightly calibrated continuous auditing approach founded on an analysis of data and other types of information on an ongoing basis may substantially support, and for some audit fields, even substitute audit fieldwork. This may justify naming it also a new audit type.
In your opinion, how should the results of continuous auditing approaches be disclosed?
Disclosure follows the actual intention continuous auditing is applied for and a spectrum of approaches can be considered. In its role as a planning tool, continuous auditing results won’t directly show up in an audit report in general, but indirectly by means of individual reports of the audit engagements driven by its results and indications. In its occurrence, for example as a data supported audit approach that evaluates individual audit elements on a continuous basis based on data analytics, an audit report may be issued that provides transparency about the outcomes of such analysis. However, audit in this regard should be careful not to cross the line towards continuous monitoring and operational controls.
As a general aspect of applied audit methodologies, techniques and key outcomes of continuous auditing approaches should be elucidated in the annual audit report.
From an audit perspective, how can model risk be reduced?
Firstly, we need to consider what the nature of model risk actually is and what are the drivers that make it happen to become material. In my opinion, the key element of model risk is the risk of placing too much reliance on models and their outcomes. This is more a matter of culture rather than one of quantitative model development and validation. Those using a model often tend to reduce their mindset about reality to what the model provides to them (to be reality). In this regard, setting the right ‘model culture’ would be a strong and effective mitigant.
Secondly, a model is only as good as the processes and controls around its parameter setting and application that, inter alia, make sure the model is applied in the right way and within its designated context. Those need to be controlled and validated as well as the right functioning of the model’s core methodology.
What do you think is the role of culture in risk management?
The past clearly demonstrated that risk management organisation, processes, and methodologies are only as good and reliable as the people dealing with them. Not only its technical and procedural elements, but also the way risk management is being conducted is utmost crucial. This starts with the Board and Senior Management’s attitude, approach, and behaviour relating to risk and cascades down to middle management that influences the behaviour of each single individual in an organisation. A sound risk culture may even compensate model weaknesses while the effectiveness of utmost sophisticated risk methodologies may be limited in a failing cultural environment.
What would you like to achieve by attending the 3rd Edition Risk Audit in Banking conference?
In a financial industry that undergoes rapid and partly disruptive changes, attending the Risk Audit in Banking conference is an appreciated opportunity to learn more about new thoughts and ideas, and discuss alternative approaches and methodologies of effective auditing. The conference also gives me the chance to meet with peers and to respectively enlarge my network.
About Dr Michael Schiwietz
Michael has more than 20 years’ experience in internal auditing and is currently Senior Vice President at UniCredit Bank AG. He will be participating in the 3rd Edition Risk Audit in Banking conference taking place in London on September 18-19.