Vishal Kapoor, Head of Group Finance Audit and Risk Audit, DBS Bank
Transitions Affecting Banking Industry:
Internal audit of banks is going through a major rethink as a result of two main leading transitions affecting the industry – regulations and digitization. The first involves enhanced risk management, and the second, leading to redesign of products and business models. Though changes in risk management have been caused through gradual introduction of Basel regulations over the last decade, the increased digitization of business models and product design have been more recent. This is due to the growth of hand held devices and increased global social connectivity.
Traditional Approach of Auditors:
Auditors traditionally follow a cycle covering all units within the organization over two to three years. The circumstances or risk implied to these units may shift over time, thereby not capturing the urgency of the audit. Plus, the overall monitoring of these units is fragmented and distributed across different intervals. A few years ago, internal auditors were conducting checks on selected samples, either random or stratified, to perform a battery of prescribed substantive tests. Though it played a key role in deriving an audit conclusion, it may not have been effective in capturing the idiosyncrasies in the data, especially when the population is dynamic and the relationship between vintage data and the new data is significantly different. This is played on a key assumption that the sample represents the population. As this may sound statistically viable, the idiosyncrasies of ever-changing data, or changes in the population stability, which develop over time may not have been captured. In cases where it was not captured in the sample, the audit conclusions reached might be flawed.
"Over the last few decades, following the development of Basel regulations, the banks have increased the usage of statistical models for predicting probability of default and risk ranking of borrowers"
Recent Developments in Risk Management:
Over the last few decades, following the development of Basel regulations, the banks have increased the usage of statistical models for predicting probability of default and risk ranking of borrowers. Banks are now using that model output as a key input into the disbursement of loans and the resulting risk capital calculation. The statistical model not only allows for forward-looking prediction of default at the portfolio level, it is also able to calculate both regulatory and internal capital increasingly linked to overall economic conditions of the industry or geography.
Recent Developments in Banking Product Design: On the other hand, traditional banking products have evolved into banking services available on smartphones
Change in Approach for Internal Auditors
Possible Approach for Basel Models:
In these conditions, the internal audit team needs to enhance its approach with respect to coverage and providing assurance on developing trends including risk management and digital banking. Also, there needs to be a vision on how such an assurance is achieved, and marrying different data elements from different systems. In risk management, the auditors need to be able to answer the following questions:
• Does the model fulfill business intuition?
• Does the evolving data fit the model?
• Does the model perform and is it calibrated correctly?
• Are the data and its respective segmentations reviewed regularly?
• How does the model perform in comparison to the benchmarked model and data?
• Is there a significant number of overrides that may undermine the usage of the model?
• Is there proactive engagement by the model owners in enhancing their model by using variables?
If auditors were to follow a cyclical approach to audit each model, it might be quite late to pick out anomalies and target remediation actions. A continuous audit might be more effective, where the internal audit team develops a more strategic approach to monitoring the unit. Continuous audit allows auditors to have complete coverage of the population while running a different battery of tests on the entire population. This can help spot anomalies in the data and review proactively before the scheduled audit. If model logic could be coded within an application and across the repository of current data, this can help provide assurance from a point in time and long term trend analysis. The increasing trend of overrides may suggest revisiting the overall model design as well. This type of approach also reduces the dependency on stakeholders for their data and the internal audit team is able to work directly on the data transformation to generate information relating to trends, and with good infographics can provide deeper insights to senior management.
Possible Approach for Digitization:
As part of the second development where products are digitized, it becomes imperative auditors map how internal controls are embedded in the digital space either as part of coding or as part of the workflow. The partnership between IT and the business auditors will be crucial to decipher whether the controls are programmed correctly without compromising internal controls that may increase the residual risks.
As we look deeper, the times ahead require auditors to increasingly arrive at data analytics framework within its own function. Such analysis should allow for data preparation and warehousing strategy, platform to consolidate basic codes and scripting, connectivity to different systems within the organization, deep knowledge of automation within the bank and a consistent data dictionary. These are few of the elements that will set the ground for auditors to provide a more proactive, preventive and productive assurance.
Operating since 1968, DBS Bank [SGX: D05] confers financial services in Asia. Headquartered in Singapore, the bank meets personal and business needs of its customers over 280 branches across 18 markets of Asia.