Founded in 1807, JohnWiley & Sons is the oldest independent publishing company in

Download 5,45 Mb.

Pdf ko'rish

bet	55/114
Sana	23.07.2022
Hajmi	5,45 Mb.
	#845333

1 ... 51 52 53 54 55 56 57 58 ... 114

Bog'liq
chapelle a operational risk management best practices in the

Risk Mitigation
107
There is a large body of literature on internal control design, setup and testing.
Interested readers can refer to publications from the IIA and COSO, among others.
The impact of Sarbanes–Oxley (SOX) regulations on internal controls for financial
and accounting information has played an important role in maturing the organization
of processes, internal controls and control testing in financial firms. Operational risk
managers subject to SOX can take inspiration from these regulations when assessing
or advising on internal controls in their firms.
C O N T R O L T E S T I N G
Control testing is traditionally the responsibility of internal audit. In addition, the first
line of defense (the risk owners) will routinely test, or should test, internal controls. In
most firms, the risk function does not test controls, except during thematic risk reviews,
“deep dives” constituting detailed assessments of a given risk type across the firm or in
a department – for instance, information security, third-party management or project
risk management. Risk managers should understand the essentials of control-testing
specialists, without necessarily being topic specialists themselves. Increasingly, the
focus of risk management in the financial industry is moving toward controls and con-
trol assessment rather than risk assessment. Indeed, controls and control effectiveness
are observable and, to a large extent, measurable, whereas risks are not.
2
Controls can be tested with various levels of scrutiny. PRMIA,
3
in line with the
related literature and practice, recognizes four types of control testing, which I sum-
marize here:
■
Self-certification or inquiry: not exactly a type of testing but the results of an inter-
view with the owner of the control processes. Given the lack of evidence involved,
this type of assessment should be limited to secondary controls or to control related
to low inherent risk environments.
■
Examination: requires supporting evidence and documentation of the controls,
both in the form of written process and in written evidence of results. The effec-
tiveness of this testing method depends on the relevance and adequacy of the
documentation. It provides moderate assurance and is better suited for automated
controls.
■
Observation: this involves real-time oversight of the execution of the control pro-
cess to judge its design and effectiveness in practice. It is a more stringent type of
testing, suitable for key controls.
2
For more discussions on these issues, please read
Antifragile
, N. Taleb, Penguin Books, 2012.
3
Operational Risk Management Handbook, pp138-139, Professional Risk Managers Interna-
tional Association (PRMIA), 2015.

108
RISK MITIGATION
■
Reperformance (also called reproduction or parallel testing): the strongest form
of testing, where the tester reproduces the control process on a sample of trans-
actions and compares the results with those previously obtained by the process.
Mystery shopping to assess the quality of customer service or the effectiveness
of call centers is a form of reperformance testing. So are the fake transactions
inserted in trading systems to assess the effectiveness of the controls in middle
office and back office, or in accounting and treasury in financial markets activities.
Reperformance provides the highest level of assurance of control effectiveness; it
is recommended for high inherent risk environments.
Table 10.1, inspired by the PRMIA handbook,
4
illustrates the principle of
risk-based control testing. Risk-based control testing is commonplace in internal audit
methodology. However, in my experience, this is still news to many operational risk
managers. I believe that the operational risk function would benefit from exploring the
methods and practices in internal control departments and internal audit departments.
It could gain useful insights and identify synergies to improve risk and control
self-assessment workshops or to challenge the results of the RCSAs performed by
the first line. Internal control is a fairly well-established discipline and should closely
complement the risk function.
Several elements influence the effectiveness of control testing:
■
Independence of the tester: obviously, to avoid conflict of interest and biases, the
tester should be independent from the owner of the control process.
■
Frequency of testing: the frequency of control assessment will ideally be aligned
with other control testing programs in the organization (such as SOX) and
prescribed in company policies. Like everything else in risk management,
T A B L E 1 0 . 1
Risk-based control testing

Download 5,45 Mb.

Do'stlaringiz bilan baham:

1 ... 51 52 53 54 55 56 57 58 ... 114