by Alex Movchan
We recently spoke to a special woman, Alkistis Gkiosi, BAcc, ACCA, CIA, CFE, who is known as a Compliance Expert and Internal Controls and Regulatory Affairs Professional. She has gained a lot of international experience, thanks to the various positions she fulfilled initially in the field of external audit and later in internal audit. From internal audit, Alkistis ended up in Cyprus where she is in charge of the compliance department of an international financial services company.
From your experience, what’s the best model of cooperation between internal audit and compliance functions within a company in the financial services sector? What’s the core focus for each of these functions? And where might the potential synergies be found to maximize value for the organisation?
Alkistis Gkiosi : “Hi Alex, I would like to thank you for your appreciation and your interview invitation. It is always a pleasure to be speaking with you. We can start by identifying compliance and internal audit as key control functions in the financial services sector. Both internal audit and compliance are committing in serving the Board of Directors and the Key Stakeholders of the organisation. They are also aiming to achieve adherence to efficient and effective policies and procedures, which are complying with the regulatory requirements and are safeguarding the position of the organisation towards the achievement of its strategic objectives.
Compliance is widely identified as the second line of defence while internal audit as the third line of defence. What I have identified as the primary facilitator in the cooperation between the two functions is the substantive contribution of the compliance team throughout the internal audit process. This shall not though compromise the independence in the role and the objective assessment of the two functions. When it comes to internal processes and controls, the compliance team maintains duties and responsibilities in ensuring that appropriate policies and procedures are in place. Compliance is also monitoring the relative awareness and oversight that exists across the organisation, from the process owners, to the committees and the Board of Directors.
Compliance is using a structured methodology to achieve this purpose:
• It is conducting risk assessments, which is a very important tool for the establishment of a proper monitoring program and an accountability framework within the organisation.
• It is reviewing the resources allocated to the implementation of policies, procedures and sound controls and is communicating to the Senior Management and the Board of, the relevant needs, which are varying between the devotion of human capital, appointment of experts, training, outsourcing, IT development and infrastructure.
• Where corporate governance is flourishing, and prevention is among the key principles that are guiding people’s actions, the participation of compliance is key in the adequate implementation of business strategies. Those, are responding to the risk appetite of the organisation and its strategic objectives without though compromising the regulatory mandates and the client’s protection rules.
So, strategically, compliance is bringing awareness to the business and is facilitating sustainable business structures.
On another similar note, the internal audit function is independently conducting risk assessments and is building its own audit plan. These are the cornerstones for an effective fieldwork that is aiming to add value to the audited entity, ending up to valuable recommendations and remediation planning.
The compliance function can provide valuable information and insight to the Internal Auditor at the planning stage. The contribution can be paramount in establishing the right understanding of the key risks of the organisation, the prioritisation needed in terms of fieldwork and allocation of resources and the mandate to provide independent assurance on the effectiveness of policies and procedures. It is key though to always keep in mind the exercise of independent professional judgement by both teams. A value adding audit is translated to valuable recommendations and feasible remediation planning that is taking into consideration the specific characteristics of each entity. The compliance function being an integral part of the corporate governance of the organisation will also cooperate and provide valuable contribution to the internal auditor in terms of “deficiencies recovery planning”. Taking into consideration that a key criterion to define an internal audit as effective, is its conversion to value adding and feasible recommendations, we conclude that many of the subsequent action plans are involving compliance either at its role to facilitate and monitor progress or as an accountable function to implement the change needed. So, the word “Synergies” can be translated to the need for “Engagement”. The one function having a sound understanding of the role and contribution of the other, shall be able to engage and openly communicate towards the other, for both to effectively exercise their roles and serve the organisation as a whole.”
You gained a certificate from Cyprus Securities and Exchange Commission proving brilliant experience and in-depth knowledge of international financial services sector. Companies in this sector usually use a number of IT systems and have heavy reliance on data analytics, thus reliability and quality of data is of crucial importance. What is the core focus of compliance and of internal auditing in financial service companies given these circumstances? How could these functions use IT systems and data analytics tools to enhance efficiency of their work?
Alkistis Gkiosi : “This is a great and wide topic that can be analysed from various perspectives, all leading to the fact that the digitisation of the internal Audit and compliance is becoming a reality. The entities operating in the financial services sector are constantly seeking, progressing and developing new or improved digital products and disruptive technologies. Many of these entities are operating business models that are relying on innovative technology arrangements. Most of the organisations are progressively embedding software and other IT Controls to key operational processes as well as control functions.
On another note, Competent Authorities, are progressively recognising the need of “systems audit” to be embedded in the Financial Services Regulation. Also, the enhanced Regulatory Reporting obligations, have turned the use of Regtech and in general the digitisation of manual reporting processes to a necessity. As we are exploring the aforementioned dynamics and key stakeholders in the industry, we acknowledge the need of their alignment in terms of digital innovation and utilisation of IT Tools and capabilities.
From the perspective of compliance, the use of software tools, RegTech, data analysis, artificial intelligence, is a mandate since they are significantly contributing to the effectiveness, efficiency, reliability and organisation of the compliance monitoring program. In practical terms, the requirement of continuous compliance monitoring is increasing the need of constant data availability, data filtering and enhanced records keeping. The use of data analytics and IT systems is mandatory to provide real time data and automate repetitive processes such as the reconciliation of data, the identification of transactions with certain risk parameters, the identification of red flags and suspicious patterns, etc…
A good example to mention is the regulatory framework around suspicious financial transactions, which requires the timely identification of suspicious transactions as well as efficiency in terms of investigation and reporting to the regulator. The timely screening of financial transactions and the cumulative collection and assessment of relevant data for further investigation and decision making is a process which requires the use of IT systems and data analytics in order to become efficient and effective.
Also, the business environment imposes high risks to the implementation of monitoring programs, through merely manual processes. Among the key risks, are:
* human error;
* non-sufficient compliance with the laws and regulations;
* incomplete or inaccurate data;
* non-timely identification or investigation of data;
* risk of lacking appropriate records keeping.
On another note, the internal audit and the extent of the audit universe requires the careful consideration of the resources needed to achieve an effective audit. The need of resources includes the specialised skills and tools that enable the understanding and actual testing of the emerging technologies and systems used by the audited entity to pursue its business and operational objectives. The internal audit plan and subsequently the identification of the resources and the expertise required are leading to the exploration of tools that are assisting internal auditors to test the controls that are mitigating technology and compliance risks.
On the one hand, it is important that the internal auditors are training themselves in being able evaluate the impact of the technology, examining risk scenarios and potential exposures. On the other hand, the appointment of technology experts, business intelligence and IT tools are an important asset that is enabling this evaluation and subsequently the testing process.
What is becoming essential, is the ability and competency of the internal audit team to:
* recognise the necessity and appoint the right experts;
* accommodate additional and suitable IT resources;
* evaluate the feedback and output that is derived through the utilisation of these resources, in a value adding and meaningful manner.
It is important also to mention the need for the internal auditors to follow a preventive approach and identify risks and gaps in the control system before this is resulting to high impact incidents. In circumstances that areas such as data security, completeness, accuracy and transparency or system functionality and reliability, are examined the use of automated processes and software tools is more effective in comparison to a periodic, sample testing approach.”
The concept that is recently trending among the experts in Internal auditing globally is “agile internal auditing”. I know you had some experience with it. Please shed some light for the readers of our magazine on how it works and what benefits and maybe also what challenges does implementation of agile internal auditing bring to the organisation ?
Alkistis Gkiosi : “The concept of the Agile Internal Audit interrelates with the topics discussed above. Agile means progressively stepping out from the traditional audit approach and stepping in to a more interactive, focused on “adding value” and “adaptable to change” approach. Agile internal audit, where there is the appropriate skillset and will, can be a valuable bridge in the gap between the business and the control functions.
Agile internal audit in financial services entities heavily reflects the need to respond to the volatility and rapid change of the environment, the key stakeholders’ expectations and the resources available, to provide meaningful recommendations and add value to the business. Adding value to the business incorporates further the need to balance the demands of other stakeholders (such as clients and regulators). In financial services, we observe a constant effort to balance the profit-oriented and technology focused nature of the business with the Investors protections rules, the quality of the service provided to the clients and the regulatory framework overall. To achieve that, is important that the internal auditors realise the principles of an agile approach and the key role that they are able to play in building some bridges and facilitate change.
The following can serve as key pillars for every audit and relevant decision making:
* the identification of the key stakeholders;
* the careful examination and understanding of their needs and expectations;
* the focused communications among different stakeholders, during all stages of the audit;
* the constant evaluation and reconsideration of the impact and the value that is derived from the audit;
* the importance of priority and timing. This demonstrates the ability to think what is important and relevant each time. It is not merely about sticking to a plan, is mainly how the plan is reflecting and is serving the environment and is simultaneously leading to the right direction.
The agile audit planning is translated to an ongoing risk-based approach, clarity in terms of target setting and level of assurance needed as well as feedback from the business and the key stakeholders. Effective fieldwork is also matter of effective and efficient use of the right resources, directed towards well defined tasks and clear objectives. Finally, the audit output is characterised as effective based on its practicability, clarity, and ability to facilitate change and prevent quantitative and qualitative losses. Agile audit represents a big shift from lengthy reports which are concentrating on the explanation of processes and audit deficiencies to substantive reports which do not merely provide assurance but facilitate change to the right directions.”
The author, Alex Movchan CIA CICA CFE is the President of the Institute for Internal Controls (Ukraine and Belarus chapter) and Alex is currently Head of Internal Controls in a global medical company.