
USAA Today, San Antonio, Tomorrow · Process 2. Biz Unit / Process 3. Audit Team 2. Biz Unit /...

Date post: 05-Oct-2020
Public Information

“A Process and Not An Event”

Continuous Monitoring

Jeff Rowland, VP IT/Security Audit Services
Pauline Saunders, VP Bank Audit Services

October 28, 2019

Audit Services

Agenda

USAA – Who We Are

Continuous Monitoring – Defined
- What is the Difference Between Continuous Monitoring and Continuous Auditing?
- Do You Really Need Continuous Monitoring?

Continuous Monitoring – Our Journey
- A Walk-through of Our Journey
- Definitions
- Program Design, Development, and Deployment

Discussion
- What Worked? What Did NOT Work?
- Resources Required
- Lessons Learned / Key Success Factors

Q&A Session

USAA – Who We Are (As of Oct. 2014)

Our Mission: The mission of the association is to facilitate the financial security of its members, associates, and their families through provision of a full range of highly competitive financial products and services; in so doing, USAA seeks to be the provider of choice for the military community.

Our Core Values: Service, Loyalty, Honesty, Integrity

Our Brand Pillars: Passionate Member Advocacy; Financial Strength & Wisdom; Shared Military Values

Our Brand Promise: GOING ABOVE FOR THOSE WHO HAVE GONE BEYOND

USAA – Who We Are (As of 2018)

Bank; Investments Advice; Insurance

USAA’s financial strength allowed us to pay out over $2 BILLION in disaster-related claims – while still returning $1.8 BILLION to our members in distributions, dividends, bank rebates and rewards – and standing strong at over $31 BILLION in Net Worth.

Images by rawpixel from Pixabay

USAA – Our Primary Regulators

Banking, Investments, Insurance

- Federal Reserve
- OCC: Office of the Comptroller of the Currency
- CFPB: Consumer Financial Protection Bureau
- FDIC: Federal Deposit Insurance Corporation
- SEC: U.S. Securities and Exchange Commission
- FINRA: Financial Industry Regulatory Authority
- TDI: Texas Department of Insurance + U.S. States and Territories Departments of Insurance
- USDT: U.S. Department of the Treasury
- PRA: Bank of England Prudential Regulation Authority
- FCA: Financial Conduct Authority

Continuous Monitoring – Defined

Per the Institute of Internal Auditors (IIA) – GTAG 3

Continuous Monitoring: A management process that monitors on an ongoing basis whether internal controls are operating effectively (PA 2320-4: Continuous Assurance).

vs.

Continuous Auditing: The combination of technology enabled ongoing risk and control assessments. Continuous auditing is designed to enable the internal auditor to report on subject matter within a much shorter timeframe than under the traditional retrospective approach.

Continuous Monitoring vs. Continuous Auditing

3 Primary Differences

1. Who 'owns' the activity? Auditing is an independent function – meaning “management” does not oversee it. The auditor reports to the company board of directors to help identify opportunities for improvement. Continuous monitoring, however, is managed by the company or organization. Managers are responsible for implementing the monitoring process, ensuring it provides the information they expect, and using it to address inefficiencies and weaknesses in whatever process is being monitored. Ownership is the first important difference between continuous auditing and continuous monitoring.

2. The 'continuous' nature of these functions. Continuous auditing is really just auditing, but on a more frequent, regular basis than the standard auditing engagement. Continuous auditing is often made possible by technology that can collect and analyze data quickly. The auditor simply has to assess the data and reporting and perform whatever tests are part of the audit program. Continuous monitoring, however, is more direct and immediate - often generating reports every day, hour, or even minute. Management looks at this data to ensure whatever metric they are looking at stays within the tolerable range, and if it does not, that it is appropriately managed.

3. What happens when anomalies or exceptions are identified in the data. If an exception or an anomaly is seen in continuous monitoring, management needs to address the problem. The existence of an exception or anomaly is, itself, an issue that needs to be resolved. But, with continuous auditing, the auditor still uses their professional judgment to decide if an exception is something that needs to be looked at in more detail.

Continuous Monitoring – Do I Really Need It?

YES!

But Why?

Continuous Monitoring – A Walk-through of Our Journey

USAA Audit Services Definition: Continuous monitoring is the process of gathering and aggregating information to evaluate changing risk and control profiles and determine the resulting impact on audit risk assessments and coverage.

Continuous Monitoring – Selling the Benefits

Continuous Monitoring – Creating the Framework

Continuous Monitoring – Sources of Information

Continuous Monitoring – Reporting

CAE
- Audit Team 1: Biz Unit / Process 1, Biz Unit / Process 2, Biz Unit / Process 3
- Audit Team 2: Biz Unit / Process 4, Biz Unit / Process 5, Biz Unit / Process 6, Biz Unit / Process 7
- Audit Team 3: Biz Unit / Process 8, Biz Unit / Process 9, Biz Unit / Process 10

Repository Documentation; Team Reports; Department Report

Continuous Monitoring Team Reports
- Team-level summary of continuous monitoring activities documented in the centralized repository
- Executive-owned deliverable – created quarterly through collaboration with senior internal audit managers

Continuous Monitoring Department Report
- Department-level aggregation of continuous monitoring team reports.
- Created by internal audit technology support team – delivered quarterly to the senior audit leadership team
- Report also includes:
  - Dashboards of risk profile changes, audit plan additions and subtractions, etc.
  - Key insights from continuous analytics performed in the most recent quarter
  - Regulatory and first, second, and third line issue trends

Continuous Monitoring – What Do We Do With The Issues We Identify?

Our issue definition: An "issue" exists when the risk(s) associated with the condition or event has materialized or has the potential of materializing and there is either an absence of a control or a design or operating deficiency in the control structure to mitigate the associated risk(s).

- Reported and distributed as a continuous monitoring issue (follow the requirements outlined in accordance with your company-specific standards for an audit issue)
- Entered into issue tracking tool, subject to follow-up and closure

Subject to your company-specific standards / audit issue requirements.

Continuous Monitoring – What Kind of Resources are Needed?

5%-10% of Audit Plan Hours

Resource allocation is initially assessed during the annual planning exercise and monitored through monthly ‘manage the plan’ meetings. For 2019, our initial allocation was 5% of audit plan hours dedicated to Continuous Monitoring activities; however, our experience rate was closer to 8%, which is what is needed to adequately cover requirements.

Continuous Monitoring – Lessons Learned / Key Success Factors

Be clear on defining what constitutes continuous monitoring
- Recent question: Do my interviews with our Audit clients for Annual Universe Planning get categorized as Continuous Monitoring or Annual Planning?

Track your time
- If you cannot demonstrate a “return on investment”, support for the function will diminish.

Document, Document, Document
- The ability to do trending analysis is only as good as the documentation created, so having good disciplines, supported by metrics and routines, is key.

You DO need a tool
- There are a number of data capture tools available. We use a popular cloud-based solution that is widely used for our specialized needs. The data is exported into a data visualization tool for analysis. Not having this approach will hinder your ability to be successful.

Questions?

Jeff Rowland, Vice President, USAA IT / Security Audit [email protected] (LinkedIn™)

Pauline Saunders, Vice President, USAA Bank Audit [email protected] (LinkedIn™)

LinkedIn, the LinkedIn logo, the IN logo and InMail are registered trademarks or trademarks of LinkedIn Corporation and its affiliates in the United States and/or other countries.

Image by rawpixel from Pixabay
