Case Study: United Overseas Bank Builds on Solid Assurance to Expand Internal Audit Into Strategic Advice and Risk Management

Case Study: United Overseas Bank Builds on Solid Assurance to Expand Internal Audit Into Strategic Advice and Risk Management

 United Overseas Bank Builds on Solid Assurance to Expand Internal Audit Into Strategic Advice and Risk Management

UOB

Company Headquarters — Singapore
Number of Countries Operates in — 19
Number of Employees in Company — 20,000+
Industry — Financial Services/Banking
Annual Revenues — S$7.5 billion
Number in IA Function — 200+
Number of Years IA Function Has Been in Place — 40+ 
IA Director/CAE Reports to — Chief Executive Officer and Audit Committee(As of December 31, 2014)

 
 
 
“You have to make sure the assurance function is sound before you can be trusted with additional responsibilities. … If the CAE focuses only on assurance, however, that person won’t recruit the right talent who can grow into business consultants to other departments within the Bank.”
Victor Ngo

United Overseas Bank Limited (UOB or “the Bank”) was incorporated in Singapore on August 6, 1935, as the United Chinese Bank. The Bank catered initially to the island’s Fujian population from mainland China. In the nearly 80 years since it was founded, UOB has grown organically and through a series of acquisitions. It is now a leading bank in Asia.

UOB owns four separate banking subsidiaries, including United Overseas Bank (Malaysia), United Overseas Bank (Thailand), PT Bank UOB Indonesia and United Overseas Bank (China). UOB Group has a network of more than 500 offices in 19 countries and territories in the Asia-Pacific region, Western Europe and North America.

UOB provides a wide range of financial services through its global network of branches, offices, sub- sidiaries and associates: personal financial services, private banking, commercial and corporate banking, investment banking, corporate finance, capital market activities, treasury services, futures trading, asset management, venture capital management, insurance, and stock brokerage services.

In Singapore, UOB is one of the market leaders for credit cards and private residential home loans. It has the largest market share for small business banking. In 2014, UOB was named the Best Retail Bank in Singapore, as well as the Best Retail Bank in Asia Pacific. The Bank’s asset management arm, UOB Asset Management, has a growing regional presence and is one of Singapore’s most-awarded fund managers. UOB is rated among the world’s top banks, with a rating of Aa1 from Moody’s and AA- from both Standard & Poor’s and Fitch Ratings.

As banking is a highly regulated business, UOB established an internal audit function in the 1970s. Each subsidiary bank maintains its own internal audit function with a chief audit executive (CAE) who reports to the group audit executive.

Victor Ngo was appointed as UOB Group’s chief audit executive in 2006. He holds a bachelor of applied science degree in computer science and operations management from the University of Technology, Sydney; a master of business administration from Deakin University, Australia; and an executive master of science degree in finance from Baruch College, City University, New York. While at Baruch College, Ngo was elected to the Beta Gamma Sigma Honor Society. He is a Fellow of the Australian Society of Certified Practising Accountants, a Fellow of the Institute of Singapore Chartered Accountants and a Certified Information Systems Auditor. Ngo has 23 years of experience in the banking industry, both within and outside of internal audit.

Evolution,  Not Revolution

Although the internal audit profession evolved primarily after World War II, banks have been perform- ing internal audits to comply with regulatory requirements since the 1930s. Given the essential need for confidence in the financial markets, it’s not surprising that banks would be the bellwether for changes in internal audit practices.

Ngo says that the internal audit profession used to be primarily focused on providing verification and assurance, and assessing the state of internal controls and satisfying regulatory requirements. His accounting background prepared him for those duties when he first joined the Bank. But given his diverse education and experience, and the extended time he spent as a management stakeholder prior to joining internal audit, he says it was natural for him to begin looking for ways to steer the department in a direction that would allow the function to do more than internal audit. He began with infrastructure.

Building a Platform

“There were a few things I wanted to change in our data collection to make sure we were looking at the right information,” Ngo says. “I told my team that we should not focus solely on the reporting, we should also focus on assessing the risks.”

That foundational change opened a world of possibilities. UOB’s internal audit function began using data analytics to improve auditor productivity and extract data for risk identification and audit scoping. Given that UOB is a financial services organization, stakeholders are particularly interested in credit risk, market risk, operations risks, technology, legal, compliance, and market operations and conduct.

Internal audit worked with each operating entity to determine whether appropriate controls were in place to address key risks, and brought in third-party consultants to validate their audit methodology. Internal audit developed risk profiles to assist them in the audit process and also served as a common body of knowledge to bring new internal audit staff up to speed. This helped the team avoid reinventing the wheel whenever audit assignments were rotated.

Bridging the Talent Gap

With a new technology platform and risk profiles in place, Ngo next shifted his focus to diversifying the talent pool in the department. He recruited auditors with experience in functional areas across the Bank, including global markets, wholesale and retail banking, and technology. This move augmented the department’s progress from generalist to specialist.

“Internal audit was traditionally perceived as being more about providing assurance and satisfying compli- ance requirements, playing the role of a policeman,” Ngo says.

As banking is a highly regulated business, UOB established an internal audit function in the 1970s. Each subsidiary bank maintains its own internal audit function with a chief audit executive (CAE) who reports to the group audit executive.

Victor Ngo was appointed as UOB Group’s chief audit executive in 2006. He holds a bachelor of applied science degree in computer science and operations management from the University of Technology, Sydney; a master of business administration from Deakin University, Australia; and an executive master of science degree in finance from Baruch College, City University, New York. While at Baruch College, Ngo was elected to the Beta Gamma Sigma Honor Society. He is a Fellow of the Australian Society of Certified Practising Accountants, a Fellow of the Institute of Singapore Chartered Accountants and a Certified Information Systems Auditor. Ngo has 23 years of experience in the banking industry, both within and outside of internal audit.

Evolution,  Not Revolution

Although the internal audit profession evolved primarily after World War II, banks have been perform- ing internal audits to comply with regulatory requirements since the 1930s. Given the essential need for confidence in the financial markets, it’s not surprising that banks would be the bellwether for changes in internal audit practices.

Ngo says that the internal audit profession used to be primarily focused on providing verification and assurance, and assessing the state of internal controls and satisfying regulatory requirements. His accounting background prepared him for those duties when he first joined the Bank. But given his diverse education and experience, and the extended time he spent as a management stakeholder prior to joining internal audit, he says it was natural for him to begin looking for ways to steer the department in a direction that would allow the function to do more than internal audit. He began with infrastructure.

Building a Platform

“There were a few things I wanted to change in our data collection to make sure we were looking at the right information,” Ngo says. “I told my team that we should not focus solely on the reporting, we should also focus on assessing the risks.”

That foundational change opened a world of possibilities. UOB’s internal audit function began using data analytics to improve auditor productivity and extract data for risk identification and audit scoping. Given that UOB is a financial services organization, stakeholders are particularly interested in credit risk, market risk, operations risks, technology, legal, compliance, and market operations and conduct.

Internal audit worked with each operating entity to determine whether appropriate controls were in place to address key risks, and brought in third-party consultants to validate their audit methodology. Internal audit developed risk profiles to assist them in the audit process and also served as a common body of knowledge to bring new internal audit staff up to speed. This helped the team avoid reinventing the wheel whenever audit assignments were rotated.

Bridging the Talent Gap

With a new technology platform and risk profiles in place, Ngo next shifted his focus to diversifying the talent pool in the department. He recruited auditors with experience in functional areas across the Bank, including global markets, wholesale and retail banking, and technology. This move augmented the department’s progress from generalist to specialist.

“Internal audit was traditionally perceived as being more about providing assurance and satisfying compli- ance requirements, playing the role of a policeman,” Ngo says.

He adds that audits, though independent and objective, have become more consultative. Auditors now meet with business units outside the audit cycle to identify line management concerns and offer practical solutions, including bringing in outside consultative help.

This new view is incorporated into each auditor’s key performance indicators, with emphasis shifted from the number of projects completed to the type of work performed and the value added to the busi- ness. Ngo says auditors are encouraged to look outside the business to stay abreast of industry events, new risks, and new products and services.

An Aligned Approach

Ngo says that his team looks to expand internal audit’s traditional role with a more collaborative approach to working with senior management and directors. The team does this by helping senior management fulfill their responsibility for assurance, effective governance, risk management and internal controls.


“When we present a risk, it’s not a singular view of one particular department,” Ngo says. “It is representative across the organization. As a result, the board and management see a bigger picture of the Bank, as a whole, rather than a specific department.”


“Our consulting and advisory services are designed to strengthen the Bank,” Ngo says. “Basically, our charter is intended to help the group complete its objectives through a systematic and disciplined approach to evaluate the adequacy of internal financial controls, operational controls and compliance controls. More importantly, we want to improve the effectiveness of risk management and governance processes.”

Like many organizations, UOB measures internal audit performance with stakeholder evaluations and post-audit assessments. But the real measure of the function’s success, according to Ngo, is in the way his team is now regularly called on to be an active and valued participant in key business decisions.

“When we present a risk, it’s not a singular view of one particular department,” Ngo says. “It is represen- tative across the organization. As a result, the board and management see a bigger picture of the Bank, as a whole, rather than a specific department.”