2.3.2.2 Analysis of operational loss events. The OR loss events are those that have been caused by one or more types of OR, generally causing losses, although afterwards these events can have been mitigated or the losses recovered by different mechanisms, including internal controls and management, insurance, legal action or others methods.
In general, entities will have tools for the identification, assessment, control and mitigation of these events through the collection of losses and measurement models used by the managers of OR.
The internal auditors will design their audit plan, departmental objectives and their procedures to take account of the following considerations:
(1) Existence of a solid model of loss data collection: which provides information on the risk exposure by business line and types of risk as defined in the New Capital Accord and that allows appropriate management of the systems and processes of the Entity.
(2) Infrastructure of loss data collection: the entities will have appropriate and robust infrastructures to carry out a rigorous and systematic tracking and recording of events that produce operational losses in the entity. In this sense, the internal auditors will define their procedures to check the:
. Existence of a procedure for the automated capture of events, determining if the degree of automation corresponds to the management level responsible for the reporting and review of the OR losses originating in the entity. Anyway, in the case of events that are impossible to automate, the internal auditor will evaluate the procedure developed for the manual data capture.
. Existences of an appropriate infrastructure for the automated capture of data, reviewing if the applications used contain specifications for the capture of data losses (informative fields for the types of risk, business line, etc.); reviewing that sound instructions have been given to the personnel involved in recording the data and that these instructions have been well documented in internal reports, manuals, courses, etc. that the system assures that all the losses picked up are automated; and that enough control procedures have been established to detect and avoid the double counting of entered data and a lack of integrity in the registration of losses.
(3) Reporting of loss events. The internal auditors will verify that the processes established assure that all the events are being registered.
(4) Validation of the results. The internal auditors will assure the consistency of these results with the real situation in the entity.
(5) Action plans of improvement. The internal auditors will have to verify that after the analysis of the obtained results actions are taken to improve the risk control.
(6) Reporting of results to the business areas and senior management. The internal auditors will check that this reporting is made in timely manner and contains all the required information for an appropriate OR management process. Among this information will be the following: