by Helen Cunningham
DTCC’s Internal Audit Department has undergone a significant transformation over the past two years to better address the priorities of its stakeholders, including a highly engaged Board of Directors, a management team looking for earlier and more proactive advice, risk-conscious customers and DTCC’s regulators, which have heightened their expectations of the company.
@dtcc recently met with Robert Peiffer, DTCC managing director and general auditor, Internal Audit, to discuss these changes at DTCC.
Could you talk about how DTCC’s Internal Audit Department ultimately serves our customers, even though its work occurs behind the scenes?
Customers want DTCC to provide high-quality, risk-managed, cost-efficient services, backed by systems reliability and security.
Internal Audit specifically focuses on these business objectives when designing and conducting our audits. We become involved in new initiatives very early on to help ensure key risks are properly managed even before a new product or process is launched. We frequently reevaluate the design of current processes and test adherence to existing controls. We also work closely with other areas of the company to evaluate any problems that arise and help prevent a recurrence.
What is an example of where Internal Audit identified a risk and spearheaded the implementation of stronger controls?
DTCC’s new billing system is one example. As part of our audit of the system before it went live, we reviewed the controls related to the accuracy of data input. We identified opportunities within the technology itself that could help prevent or detect billing errors so that the controls were in place when we launched the system.
Our goal is to get out ahead of issues. We want to identify potential problems before they occur, and put the right controls in place to help prevent or quickly detect them.
Who are Internal Audit’s key stakeholders and how do you respond to their needs?
Internal Audit has three primary stakeholders: the Board of Directors, the senior management team and our regulators.
The Board’s Audit Committee is responsible for oversight of four areas: legal and compliance risks, financial reporting, Internal Audit and the quality of DTCC’s internal control environment. Internal Audit works to provide members of the Audit Committee with the information they need to execute their oversight responsibilities. To help keep our work independent and objective, we have a direct reporting line to the chairman of the Audit Committee.
The senior management team continually looks for ways to strengthen DTCC’s risk and control environment, and we help it fulfill this obligation by providing assurance and advisory services. Assurance services are the periodic audits we perform across the organization to evaluate and strengthen the control framework. Advisory services entail providing proactive advice. For instance, we participate in the approval process for new initiatives, providing our perspective so that, on day one, new projects are already operating in a well-controlled environment.
The regulators expect DTCC to maintain a robust control environment and Internal Audit partners with them to achieve this objective.
[Note: The U.S. regulators for DTCC and certain subsidiaries are the U.S. Securities and Exchange Commission (SEC), the Federal Reserve Bank of New York and the New York State Banking Department. The U.K. Financial Services Authority regulates DTCC’s European subsidiary, EuroCCP.]
Could you expand on how Internal Audit works with its regulators?
I meet monthly with each of our regulators to ask questions, understand their perspectives and give them insight into Internal Audit’s work. They receive copies of every audit report we issue, and periodically ask us to audit specific areas. We also meet quarterly with them to review in detail recent key audit reports and any methodology changes.
Essentially, the regulators expect companies to self-identify problems, and DTCC’s regulators rely on Internal Audit to work with our business areas to monitor and test the company’s risks and controls, and to strengthen controls where needed. They expect us to ask the right questions and to report our views up through the highest levels of DTCC.
When the regulators conduct their own examinations of a given business area, one of their first stops is Internal Audit so that they can leverage the work we have already done in that area. Occasionally, regulators ask us to do specific work on their behalf, as well.
How does Internal Audit interface with other risk and control areas of DTCC?
Every week we are working closely with the company’s control groups, including Enterprise Risk Management, Operational Risk, Corporate Information Security, Compliance and our external auditors, to discuss key risks, track actions being taken and coordinate our testing. We also work closely with the staff of our regulators, who generally speak to Internal Audit at the beginning of any examination they undertake in order to get a better understanding of the work already performed in each area.
Our goals are to improve the quality of our work through information sharing and to reduce overlap and the resulting "assessment fatigue" that may occur in the areas being reviewed.
Because DTCC is sensitive to the "fatigue" issue, we are working to achieve a higher level of coordination among our control groups. The control groups have formed an internal Risk Harmonization working group to help advance these goals. We look for opportunities to conduct joint reviews and to leverage work across groups. We have created a common framework and terminology that all the control groups use to talk about risk. The goal is to facilitate information sharing and to make DTCC’s risk-mitigation initiatives as robust and efficient as possible.
How has the Internal Audit function changed in the wake of the 2008 financial crisis?
Best practices in the audit profession have changed significantly in the past two years.
Today, the profession faces increased expectations from regulators, and the focus is on dedicating a greater proportion of internal audit departments’ resources to top risks. The work of our Internal Audit Department aligns with this trend. Within DTCC’s large and complex audit universe, we have identified the top risks and made them a priority. So we work from the top down rather than bottom up.
We are also encouraging the business areas to be more proactive in taking ownership for their control environments, and to self-disclose weaknesses. They have responded positively to these new programs and we are impressed with the results.
In addition, many internal audit departments are building their data-mining capabilities. At DTCC, we analyze how the data from our systems can help us prioritize and better manage risk. We also use data mining and technology to help automate some of our control testing
Last question: who audits the auditors?
The regulators regularly review Internal Audit’s effectiveness in detail. We were examined by the SEC in 2010 and by the Federal Reserve and the New York State Banking Department in both 2010 and 2011.
In addition, the internal audit profession requires an independent review at least every five years, and DTCC has had reviews in 2008 and 2011. We also have an internal quality assurance program that tests our own processes on a sample basis every year. @