
How Much Is Enough?
Calculating the Right Audit Coverage

1. Prioritizing Diverse Risk Inputs
   – Risk Theme Analysis
   – Risk Scenario Workshops

2. Rationalizing Audit Activities
   – Assurance Contribution Map
   – ROI Challenge Sessions
   – Targeted Risk Coverage

3. Engaging Stakeholders in the Audit Planning Process
   – Assurance Value Matrix
   – Executive Audit Planning Workshops
   – Audit Engagement Sponsorships

© 2012 The Corporate Executive Board Company. All Rights Reserved. ADR3638212SYN

23
Seemingly Endless Possibilities
Application of Permutations to Calculate Audit Plan Combinations

As the number of possible audit activities increases, so does the number of possible audit plan combinations.

■ Permutations are the possible variations in which a set or number of things can be ordered or arranged.
■ In permutations, the order of the arrangement matters, much as in audit planning, where a high risk is prioritized over a low risk or where timing with the business is essential.

Audit Department Alpha
■ 50 risks identified in the risk universe
■ Capacity to audit 10 risks

Q: How many different audit plan options can be formed in this situation?

Total Permutations = 50! / (50 - 10)! = 37,276,043,023,296,000

This number does not take into account the many types of audit activities, the length of engagements, the business entities involved, and other complicating factors. (If the ten audits were treated as an unordered set, the count would be the combination 50! / (10! x 40!) = 10,272,278,170; still far too many plan options to evaluate one by one.)

24

Prioritizing High-Value Work for the Audit Department
Solutions for Ensuring a High-Value Audit Plan

Internal Audit can reduce the numerous options for the audit plan by focusing on high-value work.

Consider Other Control Functions in Audit Work
■ Leveraged Assurance Process: Assess the effectiveness of other assurance groups and determine the extent to which Internal Audit can rely on group testing results.
■ Lean Assurance Integration: Focus on mapping the assurance activities conducted in past quarters to identify areas not receiving adequate attention.
■ Assurance Contribution Map: Based on the risk assessment, notable sources of assurance are assessed across each of the three lines of defense to determine Audit's most valuable role.

Establish Approaches for Selecting Audit Activities
■ Proactive Risk-Based Project Selection: Proactively assess potential non-traditional project opportunities rather than waiting for management to solicit Audit's involvement.
■ ROI Challenge Sessions: Audit sessions pressure test business unit audit plans to ensure that the group plan will provide as much value to the business as possible.

Focus Audit Engagements
■ Limited Site Reviews: Apply a shorter, highly focused audit approach to proactively spot potential control and risk issues.
■ Targeted Risk Coverage: Targeted audits cut out waste and allow for an intensive, multi-perspective focus on the highest risk areas.

25

Assurance Contribution Map

Overview

InterContinental Hotels Group's combined assurance model uses an assessment of the appropriateness and effectiveness of all existing assurance providers and their activities to best scope Internal Audit activities.

Solution Highlights

Continuous Risk Assessment
Structured and continual interaction with key business stakeholders provides continuous information on prevailing risks and the nature and effectiveness of all assurance activities.

Reliance Model for Assurance Partners
Based on information gathered through the risk assessment process, notable sources of assurance are identified and assessed across each of the three lines of defense. This information is then used to determine Audit's most valuable role in certain risk areas.

Company Snapshot

Company Name: InterContinental Hotels Group (IHG)
2011 Revenue: US$1.8 B
2011 Total Employees: 7,956
Total Employees Across Hotels with IHG's Brands: 345,000

InterContinental Hotels Group (IHG) is an international hotel company whose goal is to create "Great Hotels Guests Love." It is the world's largest hotel company by room count, with more than 658,000 rooms in more than 4,480 hotels across nearly 100 countries. Guests make more than 160 million stays in IHG hotels every year, in seven hotel brands: InterContinental, Crowne Plaza, Hotel Indigo, Holiday Inn, Holiday Inn Express, Staybridge Suites and Candlewood Suites.

26

The Combined Assurance Framework
Overview of Assurance Providers at InterContinental Hotels Group

Global Internal Audit work is performed within the context of a wider assurance framework and considers where alternative sources of assurance may be relied upon.

Assurance providers shown around Global Internal Audit: Legal; Health and Safety; Risk; Compliance; Regulators; External Audit; SOX.

■ Global Internal Audit interacts with other assurance providers through:
  – Working groups
  – Committees
  – Audit engagements
  – One-to-one meetings
  – Specialist presentations

Guiding Principles of the Combined Assurance Framework

1. Global Internal Audit is the ultimate provider and coordinator of assurance to the Board.

2. To the extent that the assurance provided by the functional assurance groups is considered sufficiently independent and robust, Global Internal Audit will not normally duplicate work covered by these functions.

3. Global Internal Audit will draw on activities from other assurance providers to deliver an integrated assurance opinion on IHG's internal control framework to the Audit Committee.

27

Stakeholder Mapping and Continuous Risk Assessment
Global Internal Audit Relationship Map and Staff Responsibilities

Structured and continual interaction with key business stakeholders provides continuous information on prevailing risks and the nature and effectiveness of all assurance activities.

■ These continual, one-on-one interactions are used to obtain information in relation to other assurance providers and the effectiveness of their activities.

Global Internal Audit Relationship Map: Executive Committee and Direct Reports

Guidance Note: The Executive Committee and Direct Reports Relationship Map defines the relationship owners and managers for executive management. Defining these relationships is the first priority in the stakeholder relationship initiative, as they represent the senior layers of management.

Columns: Relationship Lead | Title | Title | Name | Location | Coordinator (Name, Location and Coordinator are left blank in the template).

Relationship Lead: Head of Audit, for the Executive Committee:
  – CEO
  – EVP, Chief Information Officer
  – EVP, Chief Financial Officer and Head of Commercial Development
  – President, EMEA
  – EVP, Global Human Resources
  – EVP, Chief Marketing Officer
  – EVP, General Counsel and Company Secretary
  – CEO for AA
  – CEO for GC
  – President, Americas

Relationship Lead: Director, Global Internal Audit, for Comms:
  – SVP, Global Communications Officer

Staff Responsibilities

Chief Audit Executive: Host conversations with Audit Committee and executive committee members.
Senior Audit Staff: Liaise with regional and area leadership on an ongoing basis to identify and uncover changes in the risk profile.
All Audit Staff: Conduct a continuous scan of the business environment and refresh risk assessments based on the results of audit activities.

28

Leveraging the Three Lines of Defense
Overview of the Three Lines of Defense Model

Based on information gathered through the risk assessment process, notable sources of assurance are identified and assessed across each of the three lines of defense.

■ The strength of each successive line of defense will help determine Global Internal Audit's scope of activities.

First Line: Management Control Framework
Second Line: Functional Assurance
Third Line: Independent/External Assurance
The model is applied across Global Functions, Geographic Regions and Hotel Operations; Internal Audit Assurance is shown alongside the three lines.

A "Contribution to Assurance" score of significant/moderate/minor is provided for each line of defense in every key risk area, based on one or more of the following:
■ Examination of breadth and depth of control activities
■ Quality of the methodology and results
■ Evaluation of the results of applicable testing
■ Interviews with key members of management
■ Responsiveness to audit requests and action items
■ Strength of control consciousness

29

Assurance Mapping
InterContinental Hotels Group's Assurance Map
Illustrative

An assurance mapping exercise is conducted to help determine the audit plan and establishes Group Internal Audit as the ultimate provider and coordinator of assurance.

Global Internal Audit Corporate and Regional Functions Assurance Map, March 2012
Key: Indicative contribution to assurance: Significant / Moderate / Minor. Movement during 2011: Increase / Stable / Decrease.

Columns of the map: Risk Category | Component Risk | Indicative Risk Trend During 2011 | Sources of Assurance, Three Lines of Defense: First Line (Management Control Framework), Second Line (Functional Assurance), Third Line (Independent/External Assurance) | GIA Coverage: 2011 Audits | Planned GIA 2012 Assurance Activities

1. Risk Category: Through Audit's dynamic risk assessment process, key strategic, project and operational risks are identified and categorized into six major auditable risk areas.
2. Component Risk: Risks are further broken down into specific, identifiable and auditable areas.
3. Indicative Risk Trend: Risks are assessed as increasing, stable or decreasing.
4. First Line/Second Line/Third Line of Defence: Areas of assurance that mitigate the identified risks across the organization are mapped and assessed based on the relative level and effectiveness of assurance provided (i.e., Minor, Moderate, Significant), color coded from light to dark.
5. Coverage from Prior Audits: Previous Global Internal Audit activities related to the identified risk areas are also mapped.
6. Planned Global Internal Audit Assurance: Having considered all risk information and the level/quality of the related known assurance activities across the organization, the final column represents the Global Internal Audit Plan.

30

Sample Assurance Map
Illustrative, Not Actual Data

Global Internal Audit Corporate and Regional Functions Assurance Map, March 2012
Key: Indicative contribution to assurance: Significant / Moderate / Minor. Movement during 2011: Increase / Stable / Decrease.
(Map body: a matrix of component risks against indicative risk trend, the contribution of each of the three lines of defense, 2011 Global Internal Audit coverage, and planned 2012 Global Internal Audit activities.)

31
Benefits of the Combined Assurance Framework
Early Benefits Realized Through the Combined Assurance Framework

Global Internal Audit plays a key role in determining the quality and effectiveness of all assurance provided to the Audit Committee through the Combined Assurance model.

1. Comprehensive Evaluation of Functional Assurance Providers
Through the Assurance Mapping process, Global Internal Audit can evaluate the quality and effectiveness of all assurance provided across the organization, against identified areas of risk.

2. Targeted Application of Global Internal Audit Assurance Activities
By effectively leveraging the assurance activities throughout the company, resources can be applied to focus and target assurance over areas of risk with insufficient or ineffective assurance.

3. Effective Assurance Leadership Established
Through positioning as the ultimate provider and coordinator of assurance, and having mapped and assessed the quality and effectiveness of the assurance provided, Global Internal Audit can seek to influence and improve the overall organizational assurance framework.

32

ROI Challenge Sessions

Overview

Old Mutual Group needed to increase the value provided to the business by focusing its audit resources on high-ROI activities. The internal audit department used challenge sessions, regulator engagement and executive buy-in to ensure that the audit plan aligned to stakeholders' needs and provided the greatest possible value to the business. By doing this it was able to conduct fewer, more targeted audits.

Solution Highlights

Challenge Sessions
The audit department held sessions to challenge and pressure test business unit audit plans to ensure that the Group plan would provide as much value to the business as possible.

Company Snapshot

Company Name: Old Mutual Group
2011 Revenue: £9.8 B
2011 Total Employees: 57,430

Old Mutual provides banking, insurance, and asset management services in more than 30 nations in southern Africa, Europe, Asia, and the Americas. Old Mutual owns a majority stake of South Africa's Nedbank Group, which provides commercial banking, finance, investment banking, and other services. It also owns Old Mutual (US) Holdings, also known as Old Mutual Asset Management (US), or OMAM (US). Skandia Insurance offers insurance products and mutual funds, primarily in the UK. Old Mutual has some £267 billion (some $434 billion) in funds under management.

33

TESTING FOR HIGH ROI ACTIVITIES
Key Characteristics of Old Mutual's Audit Planning Challenge Sessions

"Challenge sessions" pressure test business unit audit plans and ensure the master Group plan provides the greatest value to the business.

■ Challenge sessions are conducted every quarter as the department solidifies the audit plan for the upcoming quarter and builds out the pipeline for an additional three quarters.

1. Defense of the Plan
Heads of Audit at the business unit level present and defend against challenges to their audit planning decisions.
Test for High ROI Impact: Ensures focus on the highest risk areas by pressure testing the "risk reason" behind each audit activity.

2. Above/Below the Line Resource Exercise
Heads of Audit are asked how the plan would change if they had 5% more or fewer resources.
Test for High ROI Impact: By forcing teams to identify true "must have" audits, the group avoids building a plan directly to resource capacity.

3. Searching for Risk and Control Themes
Representatives from the Centers of Excellence participate in the challenge sessions to identify themes for cross-business unit audits.
Test for High ROI Impact: Identifies potential group-wide audit activities to be handled by the Centers of Excellence or conducted by audit teams across the entire organization.

34

RESULTS: DOING BETTER WITH LESS

Old Mutual now conducts fewer, but more impactful, audits for the organization.

By cutting low value activities out of the plan and concentrating audit resources in key areas, Old Mutual is ensuring high ROI on its chosen audit activities.

Number of Audits Conducted per Calendar Year
2008: 953
2009: 731
2010: 473
2011: 423

Average Hours for an Audit Engagement: 2008 vs. 2011 (chart scale 300 to 600 hours)

"It has been a tough, but rewarding, transition. We had to stop doing things that people depended on so we could really focus on new areas and issues that had never been addressed. In the end we found a balance that works for us."
Paul Marshall, Group Internal Audit Director

35

Targeted Risk Coverage

Overview

The Depository Trust & Clearing Corporation (DTCC) needed to ensure that the highest risks facing the company were addressed appropriately through the audit plan. The internal audit department facilitated risk scenario workshops to identify high impact risk events and subsequently redefined how these risk events were covered in the audit plan.

Solution Highlights

Targeted Audits
Targeted audits cut out waste and allow for an intensive, multi-perspective focus on the highest risk areas. Through this approach DTCC decreased the number of hours per audit and increased the number of audits it conducted.

Calculating Audit Coverage
Overlapping coverage on high priority risks is encouraged by calculating how each risk is covered in the audit plan.

Company Snapshot

Company Name: The Depository Trust & Clearing Corporation
2011 Revenue: US$1.1 B
2011 Total Employees: 2,800

The Depository Trust & Clearing Corporation (DTCC) provides securities clearing, settlement, custody, and information services. Dealing in equities, bonds, government and mortgage-backed securities, money market instruments, and over-the-counter derivatives, the company typically processes 90 million securities transactions each day (more than 20 billion securities transactions per year). Its depository business provides custody and asset servicing for approximately $34 trillion worth of securities globally.

36

Trying to Find the Right Time for the Right Risks
Three Obstacles to Covering Top Risks

DTCC's audit plan covered the high risks, but audit time spent didn't reflect the relative importance of each risk's impact.

1. Underperforming Risk Assessment: The risk assessment doesn't sufficiently differentiate the most severe risks from more moderate risks.
2. Scoping Audits Too Broadly: End-to-end audits force the team to spend time reviewing low risk, low impact areas of the business.
3. Misleading Indicators of Coverage: Audit coverage emphasized how many of the risks were covered, not the proportional time spent on each top risk.

Case in Point: High Impact but No Special Treatment

■ Key Risk Area: Business Continuity Planning (BCP)
■ Impact: An outage could have a devastating impact on both DTCC and financial markets as a whole.
■ Audit Coverage: An annual audit review of Disaster Recovery tests, using a standard audit program.
■ Time Spent: 800 hours, representing just 1.2% of total available audit resources.

37

Tying Audit Activities to Hypothetical Risk Events
Example Audit Plan Spreadsheet

A variety of audit activities are used to test the control environment surrounding each hypothetical risk event.

■ Each risk event will have at least one audit activity associated with it. Some risk events may have more than a dozen activities linked to them.
■ Cycle-based audits assess the design and effectiveness of an auditable unit's control environment on a risk-based cycle, driven by the audit universe risk assessment.
■ Proactive audits focus on future changes to the business, such as the implementation of a new application, business process, or infrastructure component.
■ Horizontal audits are focused reviews that assess specific risks or areas of interest across multiple auditable entities.
■ Business monitoring activities comprise ongoing relationship meetings, monitoring KPIs and participation in project management teams.
■ Targeted reviews are focused on a limited set of control activities within an auditable unit. They seek to test a small number of critical controls.

Spreadsheet columns: Hypothetical Risk Event | Impact of Risk, If Realized (Reputational, Regulatory, Systematic, Financial, Business) | Description of Work | Type of Review (Cycled, Targeted, Horizontal, Proactive, Monitoring)

Hypothetical Risk Event: Cyber attack disables key production systems
■ Cycled reviews of: DMZ, SMART, UNIX, VMS, and Windows Active Directory
■ Vontu/web proxy monitoring (targeted review)
■ Messaging perimeter (targeted review)
■ Threat and vulnerability assessment (business monitoring)

Hypothetical Risk Event: Restricted or confidential information is intentionally or accidentally disclosed
■ Restricted data (horizontal review)
■ Developer and privileged access (horizontal review)
■ Mainframe databases (cycled review)
■ Technology testing methodologies (horizontal review)
■ User access (horizontal review)

Hypothetical Risk Event: Malicious act by an insider to alter data, applications, or infrastructure
■ User access to settlement systems (targeted review)
■ Developer and privileged access (horizontal review)
■ Entitlements with toxic combinations (horizontal review)
■ Server positioning/rogue devices (targeted review)
■ CISO exception reporting (business monitoring)
■ Also, as part of every infrastructure audit, entitlements and activity monitoring are included within the scope of the review (cycled review)

38

Targeting Risk Two Ways
Demonstration of Change in Coverage Due to the Use of Targeted Audits
Illustrative

Targeted audits cut out waste and allow for an intensive, multi-perspective focus on the highest risk areas.

■ Through this approach DTCC decreased the number of hours per audit and, as a result, increased the number of audits it conducted.

2010 Approach to Covering Business Continuity Planning
■ BCP elements covered as part of each cycled end-to-end audit
■ Primary focus on Disaster Recovery Testing and overall Business Continuity (covering process as well as technology and non-technology components)

2011–2012 Approach to Covering Business Continuity Planning
■ In line with key risk statements, BCP broken into:
  – Process-related elements: Prevent; Detect and Diagnose; Escalate; Recover and Resume
  – Individual components: People, Premises, Systems (technology and non-technology) and Third Parties
■ Audit coverage changed to targeted reviews that attack the risk from multiple perspectives
■ Move to business monitoring instead of participation in tests
(The slide's matrix plots each process element against each component and marks when that cell is covered: 2010, 2011, 2012 or Future.)

"An auditor's natural tendency is to look at everything end-to-end. But we are willing to take some audit risk in order to ensure we are covering the areas our stakeholders really care about."
Rob Peiffer, Managing Director and General Auditor

39

Redefining Coverage to Maximize Impact
Typical Risk Coverage Approach
Illustrative

Overlapping coverage on high priority risks is encouraged by showing how each risk is covered.

■ A simple, visual depiction of risk coverage (standard practice) may provide a false sense of security that a high risk is being adequately covered.
■ The time spent is calculated for the top risks and evaluated in aggregate.

Standard practice for evaluating risk coverage assumes that risks one and three are receiving similar coverage.

Audit Activities (X = activity covers the risk; columns Risk 1, Risk 2, Risk 3, Risk 4)
1. Process Audit: X X
2. Process Audit: X X
3. BU Audit: X X
4. Process Audit: X X X
5. Process Audit: X
6. Special Project: X X X
7. Process Audit: X X

DTCC's Calculation of Risk Coverage
Illustrative

Risk 1                                  Risk 3
1. Targeted Review        500 hrs       1. Targeted Review        200 hrs
2. Targeted Review        150 hrs       2. Targeted Review        250 hrs
3. Horizontal Review      600 hrs       3. Targeted Review        150 hrs
4. Targeted Review        800 hrs       4. Targeted Review        150 hrs
Total Hours             8,700 hrs       Total Hours             1,740 hrs
Percentage of Dept. Time      15%       Percentage of Dept. Time       3%

(The totals on the slide are not the sum of the four rows shown for each risk; both totals are consistent with roughly 58,000 available department hours: 8,700 / 0.15 = 1,740 / 0.03 = 58,000.)

Calculating the percent of available audit hours spent in a particular risk area provides a much more accurate picture of risk coverage.
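The coverage arithmetic on this slide, as an added example in Python (not DTCC's or CEB's own tooling): a plan of activities, each linked to the hypothetical risk events it tests, is summarized two ways, the count-of-activities view that makes Risk 1 and Risk 3 look alike, and the share-of-department-hours view that separates them, followed by a check of which risks fall below a minimum share. The activity names echo the DTCC spreadsheet, but the hours, the risk ids R1 to R4, the 41,000 available department hours, and the attribution rule (an activity's full hours count against every risk it is linked to, with an option to split them equally) are constructed assumptions, not DTCC figures.

```python
"""Risk coverage by hours rather than by count (added example; constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AuditActivity:
    """One planned audit activity and the hypothetical risk events it tests."""
    name: str
    review_type: str         # cycled | targeted | horizontal | proactive | monitoring
    hours: int               # planned audit hours for the activity
    risks: Tuple[str, ...]   # ids of the risk events the activity gives coverage on


# Constructed sample plan. Names echo the DTCC spreadsheet; hours and risk links
# (R1 = cyber attack on production, R2 = data disclosure, R3 = malicious insider,
# R4 = business continuity) are illustrative assumptions, not DTCC data.
SAMPLE_PLAN = [
    AuditActivity("User access to settlement systems", "targeted", 500, ("R1",)),
    AuditActivity("Server positioning / rogue devices", "targeted", 150, ("R1", "R2")),
    AuditActivity("Developer and privileged access", "horizontal", 600, ("R1", "R3")),
    AuditActivity("Entitlements with toxic combinations", "horizontal", 800, ("R1", "R4")),
    AuditActivity("Restricted data", "horizontal", 200, ("R3",)),
    AuditActivity("Vontu / web proxy monitoring", "targeted", 250, ("R3",)),
    AuditActivity("Mainframe databases", "cycled", 150, ("R2", "R3")),
    AuditActivity("Technology testing methodologies", "horizontal", 100, ("R2", "R4")),
]
DEPT_HOURS = 41_000  # assumed total available audit hours for the year


def coverage_by_count(plan: Iterable[AuditActivity]) -> Dict[str, int]:
    """The 'standard practice' view: how many activities carry an X against each risk."""
    counts: Counter = Counter()
    for act in plan:
        counts.update(act.risks)
    return dict(counts)


def coverage_by_hours(plan: Iterable[AuditActivity], split_shared: bool = False) -> Dict[str, float]:
    """Audit hours attributed to each risk.

    Default: an activity's full hours count against every risk it is linked to, so
    overlapping coverage of a top risk stays visible (the slide's intent). With
    split_shared=True the hours are divided equally across the linked risks, so the
    per-risk figures add up to the plan total and can be read as a budget.
    """
    hours: Dict[str, float] = defaultdict(float)
    for act in plan:
        portion = act.hours / len(act.risks) if split_shared else float(act.hours)
        for risk in act.risks:
            hours[risk] += portion
    return dict(hours)


def coverage_share(plan: Iterable[AuditActivity], dept_hours: int,
                   split_shared: bool = False) -> Dict[str, float]:
    """Percent of available department hours spent on each risk, to one decimal."""
    if dept_hours <= 0:
        raise ValueError("dept_hours must be positive")
    return {risk: round(100.0 * h / dept_hours, 1)
            for risk, h in coverage_by_hours(plan, split_shared).items()}


def under_covered(plan: Iterable[AuditActivity], dept_hours: int,
                  minimum_share: Dict[str, float]) -> List[str]:
    """Risks whose share of department time is below the floor set for them.

    A risk that has a floor but no activity at all is reported too (share 0.0);
    the count view would simply omit it.
    """
    share = coverage_share(plan, dept_hours)
    return sorted(r for r, floor in minimum_share.items() if share.get(r, 0.0) < floor)


if __name__ == "__main__":
    counts = coverage_by_count(SAMPLE_PLAN)
    hours = coverage_by_hours(SAMPLE_PLAN)
    shares = coverage_share(SAMPLE_PLAN, DEPT_HOURS)
    print(f"{'Risk':<6}{'Activities':>11}{'Hours':>8}{'% dept':>8}")
    for risk in sorted(counts):
        print(f"{risk:<6}{counts[risk]:>11}{hours[risk]:>8.0f}{shares[risk]:>8}")
    print("below floor:", under_covered(SAMPLE_PLAN, DEPT_HOURS, {"R1": 4.0, "R3": 4.0}))
```

With the constructed plan, R1 and R3 each show four activities, yet R1 absorbs 2,050 hours (5.0% of the department) against 1,200 hours (2.9%) for R3, which is exactly the gap the slide says the X-mark view hides. The default attribution double-counts hours across shared activities, so shares are not additive across risks; pass split_shared=True when the figures must reconcile to the plan total.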

40
Results: Targeting High-Impact Work
Percent of Total Project Resources Spent in High Risk Areas

DTCC dramatically shifted where and how it spent its time by emphasizing targeted coverage on the most severe risks.

2009: 41%
2012: 70%
Δ = 71% (70% is a 71% relative increase over 41%)

41

Rationalizing Audit Activities
Key Takeaways

1. Assess the degree and quality of assurance provided by other functions to determine
opportunities to provide the highest value assurance.

2. Challenge the audit team to articulate the value of audit activities as part of the audit planning
process to ensure high ROI activities are included in the plan.

3. Cut waste from audits by targeting only the highest risk parts of a process, location, business unit
or issue area.

4. Redefine audit coverage by calculating time spent in high risk areas, instead of blanket coverage
of a risk or area of the business.
