
Ey Control and Testing Transformation PDF

Uploaded by

Pavan Vasudevan

Control and testing transformation
Innovation and disruption
are providing incredible
opportunities and challenges
to the process, risk and
control environment in the
financial services industry,
impacting nearly every
facet of the value chain and
the risk profiles of financial
institutions.



1 Introduction — Current state

Change and disruption are providing incredible opportunities and
challenges to the financial services industry, impacting nearly every
facet of the value chain and the risk profiles of our organizations.
Disruption in financial services manifests itself from a variety of
internal and external factors and will require new risk and control
capabilities in order for firms to successfully harness the benefits and
avoid the pitfalls of innovation.

Evolving risk, control and testing strategy

• Regulatory focus (ring-fencing, transparency, sustainability)
• Cost pressure (falling ROE, pressure to reduce headcount)
• Global megatrends (digital everything)
• Emerging risks (cyber, conduct)
• Market entrants (FinTech)
• Scarce capital and liquidity

Risk governance framework; Internal control framework; Testing and monitoring

• Limited integration between risk governance with internal controls and testing frameworks
• Multiple process, risk, internal control and testing frameworks
• Inconsistent coverage of nonfinancial risks across the three lines of defense (3LoD)
• Manual controls and testing
• Limited availability of skilled controls and testing resources
• Limited use of analytics and automation in controls and testing

Key challenges: Manage risk and change; Drive accountability; Improve transparency; Drive growth and business value; Achieve sustainability (coverage, cost, competency)

Many firms are not satisfied with the effectiveness or efficiency of
their current operating models for control ownership and testing
activities. This comes as no surprise since, over the past decade,
various programs were constructed in reaction to specific issues
or regulatory mandates, rather than through consistent, strategic
design. Firms are confronted by overlapping testing frameworks
required by different stakeholders and disciplines (e.g., SOX,
regulatory reporting, operational risk programs and compliance
inspections). The result has been control and testing frameworks
that are fragmented, redundant, unreliable and difficult to maintain.
Firms are seeking the ability to provide an aggregate view and are
therefore evaluating their risks and controls. These drivers are forcing
firms to evaluate their risk governance, internal control and testing
frameworks, and to assess whether they have the right mix of control
testing between the first and the second lines of defense.


Determining the right mix of control testing between the first and
the second lines of defense and the shifting of activities from the
second line to the first line defense is leading firms to re-evaluate
their operating models. The IIF/EY (Institute of International
Finance) survey showed that the tide is turning away from simply
adding more headcount in risk and compliance and turning toward
an increase in first-line resources to support first-line accountability.
The increase is also consistent with the Federal Reserve’s
proposed Large Financial Institution (LFI) Rating System where the
effectiveness of internal controls and testing frameworks will be
assessed and rated as part of the supervisory evaluation.

Headcount changes in 2017 (Decrease / No change / Increase)

Risk management
• First-line risk-control units: 2017: 11% / 48% / 41%; 2016: 5% / 65% / 30%
• Second-line risk-management function: 2017: 21% / 44% / 35%; 2016: 10% / 33% / 57%

Compliance
• First-line risk-control units: 2017: 4% / 51% / 44%; 2016: 5% / 30% / 65%
• Second-line risk-management function: 2017: 6% / 44% / 51%; 2016: 5% / 30% / 65%

Source: Institute of International Finance (IIF)/EY 2017 Risk Management Survey (n=77 banks).

As leaders of risk, control and testing functions look ahead to evaluate the impact of these forces on their organizations, they should
begin with two questions:

1. Are my firm’s control and testing capabilities agile and flexible enough to adapt and help our
organization achieve its desired goals and objectives within a defined range of acceptable variability?

2. How can we better leverage the drivers of disruption to better utilize scarce risk, control and
testing resources to be more effective and efficient at controls assurance?

In answering these questions, financial firms will find that there is significant opportunity to further optimize both controls
and their testing.



2 How do firms identify and implement enhanced control and testing capabilities?

Institutions are seeking to evolve their risk and control strategy
from a tactical, regulatory-driven approach to a more cost-effective,
scalable and sustainable approach to meet both regulatory
and business drivers. We have observed institutions using
disproportionate amounts of their control and testing resources to
address tactical and regulatory requirements. We believe that firms
must mobilize attention and resources to standardize frameworks,
re-engineer capabilities utilizing emerging technologies and employ
alternative staffing models to drive efficiencies and improve
effectiveness.

As firms evaluate their risk, control and testing frameworks, there
are opportunities to optimize control and testing programs. The
following image depicts a range of activities that organizations can
undertake to standardize, normalize and improve a firm’s control
and testing capabilities.

Program evolution (foundational to optimized): Framework standardization; Capability re-engineering; Operational efficiency

Capabilities and benefits:
• Control standards: Improve coverage of material and emerging risks; Enhance control effectiveness
• Control rationalization: Focus on key controls (~40% reduction in controls to be tested); Enhance sustainability of testing programs
• Testing execution: Improve quality of testing outcomes; Increase reliance on testing activities
• Testing center of excellence: Improve quality of testing outcomes; Develop testing competency and knowledge; Reduce duplication and costs
• Control automation: Improve control effectiveness; Transition to monitoring vs. manual testing; Reduce cost of control assurance
• Testing automation: Reduce cost of testing (~40%–50%); Improve testing quality; Enhance testing coverage
• Managed services (external providers): Improve subject-matter knowledge; Reduce internal cost (~30%–40%); Improve testing outcomes

Objectives: Achieve sustainability (coverage, cost and competency); Manage risk and change; Drive accountability; Promote transparency; Drive growth and business value


It’s important for firms to consider the interconnectedness of risk,
controls and testing and the interdependencies across frameworks,
activities and the supporting infrastructure. Firms can begin by
re‑evaluating their risk, control and testing frameworks to determine
whether they are providing adequate alignment and support
consistency and integration of the outputs across the lines of defense.

Companies should also consider technology enablement for their
testing processes and functions; existing and emerging technologies
should be considered to (1) create more trustworthy and optimized
testing solutions, and (2) develop a dashboard that includes key
control indicators or key performance indicators in hopes of reducing
sample-based testing or detective testing.

To maximize assurance and efficiencies in the risk governance framework, internal controls and testing space, firms should have a strategy that
integrates risk governance, controls and testing frameworks.

Risk governance framework
• Board oversight: Board and senior management oversight over risk governance framework
• Business strategy and change
• Risk identification/appetite: Framework to identify and define thresholds for material financial and nonfinancial risks
• Process/risk/control taxonomies: Framework to establish consistent firmwide process, risk, control taxonomies
• Lines of defense: Roles and responsibilities across risk takers, enablers, independent risk oversight and Internal Audit
• Risk reporting: Ongoing reporting of risk appetite and related KRIs/KPIs

Internal control framework
• Control standards: Standards for control design and operating effectiveness, including effective challenge and issue management
• Control rationalization: Identification of key controls to mitigate material financial and nonfinancial risks
• Control automation: Automation of key controls to enhance the sustainability of the control environment

Testing and monitoring
• Testing execution: Enterprise standards for testing (design/operations) and monitoring of controls
• Testing center of excellence: Centralize testing function to develop specialized testing skill set and enhance testing execution
• Testing automation: Framework, standards and strategy to automate testing
• Delivery models: Strategy to outsource testing activities to optimize costs

Strategic process and control transformation

Technology (automation, analytics, workflows)

In the next two sections, we will discuss two components of this integrated framework.



3 Back to basics and prerequisites for control transformation

Firms seeking to evolve and innovate within their risk, control
and testing capabilities are realizing that, in order to move ahead,
they need to revisit some of the foundational elements of their
frameworks. Many firms are re-evaluating their internal control
standards, process, risk and control taxonomies (including
approaches for risk and control identification), and three lines of
defense responsibilities; establishing new enterprise-wide control
standards; and then executing control rationalization prior to
embarking on investments in automation, labor pool transitions and
testing execution enhancements.

1 Define and develop risk and control taxonomy, key control and documentation standards
• Develop a single process, risk and control taxonomy suitable for multiple disciplines
• Define standards for business-specific process, risk and control documentation

2 Gather control inventories and compare them with defined standards
• Gather existing control inventories used by business lines and functions
• Examine control inventories, aided by data analysis tools (e.g., text analytics)
• Compare existing inventories against defined standards to identify areas for remediation
(e.g., blank fields, inconsistent/incomplete control documentation)

3 Prioritize areas for remediation
• Assess, rationalize and prioritize deficiencies for remediation
• Leverage data quality scorecards and dashboards to guide the remediation effort and provide
reporting

4 Remediate/address deficiencies identified
• Assess, rationalize and prioritize deficiencies for remediation
• Establish a quality assurance process to drive consistency in processes and to provide an input into
the maintenance of standards

Firms are investing time and energy in developing or emerging
technologies to facilitate the adoption and maintenance of new
taxonomies, standards and linkages across frameworks and
disciplines. Some firms are exploring natural language processing
to identify opportunities for improvement, perform data enrichment
and create linkages that previously were cumbersome and judgment
based.



4 Industry trends with respect to testing operating models

The fact that many of the testing activities and resources are
overlapping and not delivering the desired value has left business,
risk and control leaders searching for opportunities to move toward
a model that is effective and cost efficient. One recent approach
increasingly gaining traction is the standardization and centralization
of first-line testing activities through operating models that are
tailored to the originations or disciplines. Organizations are evaluating
opportunities to gain these efficiencies, with 52% stating that their
testing utilizes “higher-cost business analysts” and 61% of banks
evaluating where automation can be used in testing.
Source: IIF/EY 2017 Risk Management Survey (n=77 banks).

A testing center of excellence can be implemented across one or more key risk domains.

Risk domains

Key risks: Strategic risk; Liquidity risk; Price risk; Credit risk; Operational risk; Compliance risk; Reputational risk; Interest rate risk

Sub-risks: Internal fraud; External fraud; Employment practices and workplace safety; Clients, products and business practices; Damage to physical assets; Business disruption and systems failures; Execution, delivery and process management; Regulatory compliance

Key design principles (Testing COE): First-line accountability; Second-line review and challenge; Competency (single domain vs. cross-domain); Sustainability of COE

Firms that are establishing testing centers of excellence (COEs)
are seeking to standardize test execution, improve test outcomes,
build testing competency knowledge and effectively manage costs.
In many examples we are observing in the industry, testing COEs
generally cover controls testing and substantive testing. There is a
range of practice depending upon the risk domain and whether the
COE is established in the first or second line of defense. Most of the
testing COEs are being established in the second line of defense
across compliance, operational risk and SOX. In limited instances,
some testing COEs are being established in the first line, given the
decentralized nature of business processes and controls and the
requirement for specific product and business knowledge. Even
with a wide range of practices across the industry, testing COEs are
emerging, given the push to enhance testing reliability, consistency
and cost efficiency.


Areas where testing is centralized: Compliance 66%; Internal audit 52%; Operational risk 51%; Technology risk 38%; All first-line testing 14%

Size of testing function (Risk, Compliance): <50; 50–200; 201–500; >500

Use of automation in testing: Not planned yet; Piloting in some areas; Evaluating where it can be used (61%)

Types of resources:
Higher-cost business analysts (52%)
Low-cost local resources (48%)
Low-cost offshore resources (19%)

Source: IIF/EY 2017 Risk Management Survey (n=77 banks).

In this transition, questions abound:

• Who should test — first line, second line or both?
• How does testing fit with second-line oversight — are we
testing the controls or testing the testers?
• How should we test — which skill sets and techniques are
needed for meaningful tests of different risk types?
• Can we afford it — how can reliance, risk ordering and
technology make our testing effort efficient?



5 How we can help: EY Diagnostic — a rapid assessment of the current state with a road map to the future state

Many firms are looking for a road map to achieve their desired end state. We have a seasoned group of control testing and risk
professionals who can help evaluate your firm’s current state and recommend the actions required to arrive at the desired outcome.

We have supported our clients by performing diagnostic reviews of their control testing practices across the components of an
optimized testing program. We have helped control testing functions enhance their testing standards, methods, procedures and
templates. We also help control testing functions identify redundancies in testing programs and have developed control testing
playbooks for broader organizations.

To implement an optimized testing program, organizations are recommended to perform a current state assessment that includes the
steps listed below.

Step 1: Inventory
• Identify areas of control testing across the organization and the lines of defense
• Classify testing into respective lines of defense

Step 2: Evaluate
• Evaluate testing for efficiency and effectiveness opportunity: Standardization of risk and control taxonomies, risk assessment, methodology, testing execution, documentation, reporting and issue management

Step 3: Prioritize
Based on evaluation results:
• Summarize opportunity for centralization
• Develop an optimization plan: Prioritization; Control rationalization; Automation

Benefits of diagnostic reviews

• Low-cost, short-term project: Are normally short-term projects with low budgets
• Provide strong foundation for the target state: Identify the opportunities for centralization and associated benefits before designing the future operating model
• Highlight the current state: Also assist in documenting the current state of operations

Efficiency opportunities
We work with our clients to deliver custom
solutions after analyzing and understanding
their specific control and testing needs and
goals. Our cross-functional team has worked
with clients to develop plans and solutions
for optimizing the control and testing
capabilities, taking into consideration the
idiosyncratic challenges and priorities.

Key takeaways for further consideration:
• Organizations are defining their
target-state risk, control and testing
strategy, including strategic process and
control transformation, to implement a
sustainable and cost-effective framework.
• Risk, control and testing strategy will
continue to evolve to address emerging
challenges from disruptive technologies
and digital transformation in addition to
cost pressure.
• Regulatory requirements and feedback
continue to be the biggest business
drivers for implementing internal
controls, conducting testing activities
and implementing remediation efforts.



Ernst & Young LLP contacts
Tom Campanile, Partner, +1 212 773 8461
Jessica H. Rodgers, Partner, +1 212 773 0736
Gagan Agarwala, Principal, +1 212 773 2646
Patrick D. Pfeil, Executive Director, +1 860 725 3873
Mary Lou Peters, Executive Director, +1 212 773 2941
Dan Costa, Principal, +1 212 773 5877
Adam Rosenthal, Executive Director, +1 215 448 5155
Rushabh Mehta, Senior Manager, +1 212 773 5355



EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we
deliver help build trust and confidence in the capital markets
and in economies the world over. We develop outstanding
leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a
better working world for our people, for our clients and for
our communities.

EY refers to the global organization, and may refer to one or
more, of the member firms of Ernst & Young Global Limited,
each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
organization, please visit ey.com.

© 2018 EYGM Limited.
All Rights Reserved.

EYG no. 011149-18Gbl
1806-2726629
ED None
This material has been prepared for general informational purposes only and is not
intended to be relied upon as accounting, tax or other professional advice. Please
refer to your advisors for specific advice.

ey.com
