Internal Audit within the Financial Services Authority James

Internal Audit within the Financial Services Authority James Glass Director, Business Review and Audit Division

Financial Services Authority • Financial Services and Markets Act • FSA vision: – “The FSA aims to be a world-leading regulator, respected for its effectiveness, integrity and expertise” • Statutory objectives – maintaining confidence in the financial system – promoting public understanding of the financial system – securing the appropriate degree of protection for consumers – reducing the risks of financial crime

Which must be pursued in line with a set of ‘principles of good regulation’ • economy and efficiency in the use of resources • recognising the responsibilities of management • acting proportionately • recognising – the value of innovation and competition – the international character of the UK’s financial markets

Statutory objectives fulfilled by strategic aims • Maintaining efficient, orderly and clean financial markets • Helping retail consumers achieve a fair deal • Making the FSA a more efficient organisation

To whom are we accountable? Parliament H M Treasury Select Committee FSA BOARD Practitioner Panel 11 Non-Executives Consumer Panel 4 Executives

Organisational structure to achieve objectives Chairman Business Review & Audit Chief Executive Officer Transformation Finance, Strategy & Risk People & Communications General Counsel Enforcement Regulatory Services Retail Markets Cross FSA sector leaders Wholesale & Institutional Markets

Organisational structure to achieve objectives • Key features of structure – 3 main strategic business units – Direct reporting divisions of specific services – Sector leader focus • Matrix structure

Business Review & Audit in the structure Audit Committee Chairman Business Review & Audit CEO

BRAD Mission • Use independent reviews: – to provide an objective opinion to the Audit Committee and FSA Board – on whether robust, fit for purpose risk management frameworks are being maintained and operated by management – whether these comply with the corporate governance requirements of Turnbull • Adopting a risk based approach to establishing a sound system of internal control and reviewing its effectiveness).

BRAD Structure and Skills Mix ERNST & YOUNG Strategic Partners KAREN DIGNAN Manager JAMES GLASS Director KAREN BARNETT Director's PA PAUL FROST Manager Senior Audit Consultants and Audit Consultants 50% professionally qualified 2 external secondees 2 currently seconded to other parts of the FSA Use of specialist skills from Strategic Partners Increasing range of high potential staff and supervision experience

Corporate Governance • Combined Code UK – Sets out principles and provisions • Listed companies have to make statements : – How it applies the principles • statements are not prescribed and companies have a free hand to explain their governance policies – That the company has complied with the provision of the code or where it does not to provide an explanation • “Comply or explain” approach in operation for more than 10 years and its flexibility is welcomed by Boards and investors • The FSA is not a listed company but sets out to comply with best practice where possible

Risk Assessment Framework Board Approval Consolidated Risk Map Divisional and Business Unit Risk Assessment Tables

How we do this in practice

Risk Assessment

Overall BRAD framework for providing independent assurance FSA OBJECTIVES RISK PROFILE AUDIT PLAN AUDIT COMMITTEE P R O J E C T PLANNING RISK EVALUATION DIRECTOR DISCUSSIONS CORPORATE GOVERNANCE BRAD OBJECTIVES TERMS OF REFERENCE FIELDWORK REPORT FINDINGS FOLLOW UP FEEDBACK MONITORING MEASURES MONTHLY REPORTS R E V I REPORTS TO CHAIRCO E W INDEPENDENT ASSURANCE A U D I T C O M M I T T E E

Risk Based Approach - Planning BRAD view: - Relationship - Management information Consolidated Risk Map & Risk Assessment Tables Consolidated Risk Map prepared from director and divisional input Risk Profile Director input 6 monthly audit plans Executive Director input Audit Committee Approval Circulated to directors External Audit Activity Rolling quarterly plans Assess priorities and experience Allocate staff or use E&Y Delivery of plan Reporting

Example: Arrow Review • Definition: – Advanced Responsive Risk Operating frame. Work – Used to assess a firm’s risk to the FSA’s objectives • The Arrow Approach: – Review against business and control risk – Focus business and control risks and on statutory objectives – Producing impact and probability score and an overall score • BRAD objectives: – Provide independent assurance to the Chairman and the Board of the operation of the Arrow firm specific framework and its effectiveness and fit for purpose.

Arrow Review - The BRAD approach • 3 stage process – Arrow roll out • Review of how Arrow had been applied to individual firms – Risk Mitigation Plans • Review of approach and implementation to risk mitigation programmes – Feedback to firms • Interview of firm’s senior contacts to establish their views on the Arrow approach in practice • Summary of findings from all reviews

Arrow Review – outcomes and recommendations • Overall findings cross FSA and individual division level – FSA programme of change to ARROW underway incorporating BRAD results • Preliminary assessments – More focus and added value • Discovery – Focus and use of information. Close out • Scoring – No one size fits all. Impact vs probability • Validation panels – Standards and good practice • Risk Mitigation Programmes – SMART actions and outcomes and better monitoring • Communication – Accuracy and transparency

Action Tracking and Follow ups BRAD final report Monthly tracking reports Monthly reports to Ex. Co High and Medium High risks into Tracking system Monthly tracking of agree actions Directors asked to confirm either completion of actions or explanations for any delays with revised dates Monthly report of actions to Executive Committee Explanations for all overdue actions Chief Executive discusses with MDs responsible Quarterly reports Audit Committee Quarterly report of actions to Audit Committee Explanations for all overdue actions Regular Follow up & testing when actions “completed” Report on implementation and re-instate on tracking & reports if not complete

Trends in the BRAD approach • Increasing request for review of new processes and for ad-hoc advice and guidance • More specialist and in depth reviews being undertaken • Role in special investigations • Projects and Programmes for change • More challenging plans • Greater focus on skills and development of BRAD

The challenge for BRAD • BRAD role in adding value and achieving objectives of the FSA • Obligation to provide independent assurance • Need to add value without stepping outside independent assurance role • Must not take on line management responsibilities that will dilute our ability to audit or to provide independent comment Delicate balancing act

BRAD Strategic Plan • Business – Add value • Relationships – Work in Partnership • Assurance – Independence & Objectivity • Delivery – Dynamic & Influential

Questions