2021 FS Assurance Forum - takeaways



Thanks to the IIA-Australia for hosting the Financial Services Forum across two days (25th and 26th November 2021). Speaking to a number of you in the profession since then, I understand how busy many of you have been. This article is for those of you who may not have been able to attend part or all of the event. By way of support, I'm sharing my own takeaways for your convenience.

Day 1 – IIA FS IA Forum

The theme of the conference on day 1 centered on “Understanding our customer’s needs, the importance of new technologies such as blockchain and cybersecurity within the Financial Services Sector”.

Corinne Glasby, EGM, Product, Pricing & Governance, Direct Insurance, IAG delivered the first Keynote of the day – “Customer first – Business of the future”, where she discussed some of the practicalities in operating in a new business paradigm due to operational changes within the financial services sector.

My key takeaways from the session were:

1. Though very easily forgotten, it appears that firms haven’t been listening to their customers, which is vital as “Customers are key to our Businesses”.

2. The focus of all firms is regulatory change, but change in customer behavior and its impact is being overlooked.

3. Internal Auditors can be key in identifying pain points related to consumer behavior within an organisation and help assess the impacts.

Sean Hughes, Commissioner at ASIC delivered the second Keynote on Pursuing the best outcomes for customers - ASIC’s approach and the work of internal audit in pursuing best outcomes for customers. The full speech can be found here: Pursuing the best outcomes for customers: ASIC’s approach and the work of internal auditors

My key takeaways were:

1. ASIC noted a rapid rise in investment scams in early 2020 at the beginning of the pandemic. Sean Hughes shared the following statistic, which made for sober reading: In the 2020 calendar year, Australians lost a record $851 million to scams, according to the ACCC. ASIC’s strategic priority for 2022 includes continuing work on reducing the risk of harm to consumers exposed to poor product governance and design.

2. Practical steps to ensure good customer outcomes were suggested, to help ensure organisations are well-positioned to achieve good customer outcomes:

a. Ensure that the risk of consumer harm is at the forefront of audit planning. Internal audit plans, coverage, charters and methodologies should include specific references to identifying consumer harm and improving consumer outcomes. They should also cover specific topics such as vulnerable consumers.

b. Invest in training internal audit staff members, and the first and second lines of assurance. Ensure your employees have the necessary tools and skills to identify consumer risks and develop adequate action plans to mitigate or escalate those risks.

c. Develop good data points and techniques to assess the effectiveness of the business in managing conduct risk and driving better customer outcomes. For example, to test whether there is a decrease in the number and the severity of customer complaints as a result of an action being put in place.

d. Follow the IIA-Australia - Internal Audit Better Practice Guide for Financial Services in Australia, which specifically addresses customer harm.

3. To play that key role in helping to successfully implement and apply the DDO, breach reporting and IDR reforms, Sean encouraged us to follow five lines of questioning during our internal audits:

a. How did your internal audit team assess whether the preparation for – and implementation of – these reforms was on the right track? How good were the end-products? What difference or improvements did you observe?

b. Now that the DDO, breach reporting and IDR regimes are in place, how effectively are they being applied? How are you measuring and testing this?

c. What are the impacts on customers, for example using DDO – have distribution practices changed?

d. Are your customers enjoying better outcomes? Has the number of customer complaints changed? What metrics are there to measure these outcomes? How are they being reported to the board? How fresh is the data?

e. Are there other things your organisation could be doing to implement the regimes more effectively?

4. What skills do internal audit professionals need to influence and steer their Boards and executives towards successful implementation of law reforms, through a customer lens? Sean suggested four attributes as follows:

a. A competent understanding of our organisation’s business strategies, as well as of external factors such as new law reforms.

b. An agile mindset and attitude to adapt to the fast-evolving nature and needs of the business, including digital transformation.

c. Confidence to challenge the status quo and provide an objective, independent voice to leadership; especially when that voice might result in uncomfortable discussions.

d. A deep-seated conviction that customers who buy your products and services should be better off, and ultimately receive outcomes that are good for them. And a sense of self-recognition and acknowledgment that you played a part in that success, and that your efforts made a difference, for the better.

Financial services organizations are constantly required to meet a multitude of compliance requirements, including various Prudential Standards, ISO27001, PCI-DSS, and IT General Controls Audits. Paras Shah, Practice Lead in Strategic Advisory of Vital Advisory, gave us Keynote 3 on “How to move from ‘compliance fatigue’ to compliance-driven opportunities”.

My key takeaway from the session was:

1. To build and implement a holistic and integrated Technology Risk and Cyber Security Assurance Program, we need to establish an overarching Cyber Security Capability framework and a holistic IT and Cyber Security Assurance program, and change the complexity of security compliance activities to opportunities.

The final keynote of the day was delivered by Anya Nova, Crypto Economist at Power Ledger on an exciting emerging topic – “Digital currency”. The session provided insights into the rise of digital currencies and explored the potential impact of such currencies on the financial services system.

My key takeaways were:

1. Ethereum and its multiple uses – It has a market cap of nearly $506 billion and can be used for trading, staking, minting NFTs and much more...

2. Understanding the key trends of this sector such as:

a. Faster Blockchains – Layer 2 vs Sidechains, Solana, Avalanche

b. Stable Coins – USDT, USDC and DAI

c. DEX (Index) – UniSwap, PancakeSwap, SushiSwap and much more

d. NFTs

e. Staking and yield

Day 1 of the program also included several Concurrent Sessions:

1A - Complying with Design and Distribution Obligations under RG274 presented by Nathan Hodge, Partner and Dale Rayner, Partner at King & Wood Mallesons – The session covered an overview of the RG274 requirements, while focusing on the obligations such as Target Market Determination (TMD), record keeping requirements in relation to DDOs and much more.

1B - Agile auditing – Delivering value in the new world was presented by Marcelo Pinheiro de Oliveira PMIIA CIA, Country Manager Australia - Internal Audit, Zurich Financial Services. Through this lecture he described the difference between Agile and Waterfall IA methodologies and how Agile IA is sustainable.

Some of the main goals of Agile IA that I came across in the session were:

1. Add value by addressing current and emerging business and technology concerns as well as adapting to changing external developments.

2. Focus on the core risks.

3. Provide pragmatic findings and recommendations in short intervals while preventing over analysis of findings.

2A - Understanding breach reporting requirements presented by Geoff Rooney, Partner at BDO – who spoke about the changes in RG 78, defining a reportable situation as well as focusing on the breach reporting cycle and the role of assurance while managing breach reporting.

2B - Auditing the risk and control framework presented by Stuart Knight, Audit Director, Corporate Centre, ANZ. This session was focused on the need to be proactive in identifying and responding to changes in business prioritization and how to strengthen oversight and monitoring by raising awareness of risk management value chains across audit staff.

Day 2 – IIA FS IA Forum

The second day of the IIA Financial Services IA Forum offered lots of interesting presentations, primarily around understanding risk culture, better governance and digitization of Internal Audit.

Helen Rowell, Deputy Chair of APRA started the day with her keynote presentation on Transforming governance, risk culture and accountability practices - APRA’s Governance, Risk Culture, Remuneration and Accountability (GCRA) strategy. This session covered insights on APRA’s focus areas for the sector. The key areas discussed were APRA’s key GCRA areas of focus in 2022 and beyond, and APRA’s enhanced supervisory toolkit for transforming GCRA. The full speech can be found here: APRA Deputy Chair Helen Rowell - Speech to the Financial Services Assurance Forum | APRA

My key takeaways from the session were:

1. It’s important that organisations understand whether the various streams of GCRA are aligned and working together. IA can see all aspects of an organisation’s activities and therefore play a key role in helping boards and management do that.

2. IA better practices - high calibre people are needed in IA to provide relevant insights on the control framework across Financial Service organisations. IA needs to provide a small number of meaningful recommendations and look for the indicators that help to drive the insights that the board and management needs, including regarding risk culture.

3. IA needs to be brave, bold, and innovative. The landscape is changing and evolving. Think about how we can do things better – and enjoy what you do too.

The second session of the day stuck with the theme of risk culture and was presented by Elizabeth Arazdon, Director at Kiel Advisory, on “Auditing risk culture”. The session was insightful and primarily highlighted key information about understanding the practical aspects of undertaking a cultural assessment in a dynamic and highly regulated environment.

My key takeaways from the session were:

1. The importance of performing internal audits of Risk Culture, which can help identify key problems, whether one-offs or systemic issues.

2. The impact of human behavior on control effectiveness and wider risk culture.

3. Understanding and identifying the type of audit approach to help understand the risk and identify the root cause(s).

The concurrent session, “Is cybersecurity really a Board issue?”, was presented by Garry Barnes, Practice Lead, Governance Advisory of Vital Advisory.

Key takeaways from this session were:

1. Cyber risk is simply operational risk seen through a ‘cyber lens’.

2. Management needs to harness technology appropriately to mitigate cyber related risks.

3. The internal control environment needs to align with risk appetite. Moreover, acceptable risks should be taken and should be tracked and reported in the business risk profile.

4. With proper security and infrastructure, cyber threats can be mitigated effectively.

5. A thorough understanding of your business is a prerequisite for effective internal audit engagements.

The next session on Digitising the internal audit function was presented by Amo Tauialo, Head of Global Internal Audit and Assurance, Commonwealth Bank of Australia. During the session, Amo told us a really engaging story of how technology has transformed how children with diabetes can better manage their condition, as follows:

1. Technology can now continuously monitor blood sugar levels in real time (line 1).

2. Monitoring information is also sent to their parents (line 2).

3. Medics (line 3) also review the trends and themes, and provide specialist guidance.

The key takeaway from the session was that technology has a huge role to play in business. It can help controls move to be more preventative and less detective.

Hung Doan, Audit Portfolio Manager Technology & Transformation, Suncorp and Joscha Frischherz, Data & Analytics Portfolio Manager, Suncorp presented the session on Auditing Artificial Intelligence. The session focused on understanding Artificial Intelligence (AI) and how firms audit AI risk.

My key takeaways from the session were:

1. AI as a concept is not new but has been in focus around the world since 1956 with the 1st AI workshop that was conducted at Dartmouth College.

2. Audit programs for AI processes must focus on a number of key factors and take into account the environment, input and output of data, the process of implementation, monitoring and governance.

3. Fundamentally, AI audits must not be considered different from other audits, but auditors must focus on how AI works and on understanding its key risks and opportunities, and firms must be capable of recommending or taking corrective action if needed.

Embedding DA into your audit program was presented by Gavin Steinberg MIIA(Aust), Chief Executive Officer, Satori Group. A good session that focused on use of data analytics for Internal Audit.

A few key takeaways from the session were:

1. Before undertaking an audit, focus on understanding the different kinds of data, how different data can be presented and the potential use of different analytical tools that can aid in the audits performed.

2. The usage of dashboards, charts and diagrams for the purpose of reporting helps portray the data as a story and in an organised way.

Thanks for reading my article. If you would like to discuss, please just add a comment and I'll be delighted to respond.
