Clyde Rogers 1 Continuous Monitoring Continuous Auditing Organizational Readiness What Needs To Be Done Making It Happen

2 Research & Information Sources Professional Experience – Senior Director, Continuous Auditing at Major Bank Professional Experience – Senior Director, Continuous Auditing at Major Bank Industry – Barclay’s, RBS, Wells Fargo, Citigroup, RBC, Fleet Industry – Barclay’s, RBS, Wells Fargo, Citigroup, RBC, Fleet Organizations – IIA & ADR Organizations – IIA & ADR External Firms – Deloitte, KPMG, E&Y External Firms – Deloitte, KPMG, E&Y Academic – Centre for Continuous Auditing – Rutgers, U of Waterloo Academic – Centre for Continuous Auditing – Rutgers, U of Waterloo

3 Guiding Principles - Mindset Improve Efficiency and/or Effectiveness – Needs to Business Case, Be Important, $’s, Benefits Improve Efficiency and/or Effectiveness – Needs to Business Case, Be Important, $’s, Benefits COSO/COCO Frameworks, Enterprise Wide Risk Management, Control Self- Assessment COSO/COCO Frameworks, Enterprise Wide Risk Management, Control Self- Assessment Changing Regulatory Requirements – SOX, Basel Changing Regulatory Requirements – SOX, Basel Partner with Client & Governance Groups Partner with Client & Governance Groups Validate - Cross Organization Roles & Responsibilities & Acceptance Validate - Cross Organization Roles & Responsibilities & Acceptance

4 Guiding Principles – Mindset Client Monitors & Manages Risk and Compliance Client Monitors & Manages Risk and Compliance Audit Gets Assurance From Client & Partner Processes as well as Independent Testing Audit Gets Assurance From Client & Partner Processes as well as Independent Testing Information Technology is an Enabler – Larger Than That Information Technology is an Enabler – Larger Than That Staged and Incremental Implementation – Business Line & Phases Staged and Incremental Implementation – Business Line & Phases

5 Success Drivers Promoted/Championed by Senior Executive – Chief Auditor & Business Line Executive Promoted/Championed by Senior Executive – Chief Auditor & Business Line Executive Focus On a “Quick Win” – Business Line Readiness – Operating Models Focus On a “Quick Win” – Business Line Readiness – Operating Models Business Line Buy-In also Influences Governance and Support Groups Business Line Buy-In also Influences Governance and Support Groups Leverage/Benchmark to Industry & Non- Industry Leaders and Best Practices Leverage/Benchmark to Industry & Non- Industry Leaders and Best Practices

6 CM – CA Model/Processes Traditional Auditing Risk and Frequency Model Continuous Auditing Warehouse Traditional Auditing Risk and Frequency Model Continuous Auditing Warehouse Proceed with audit As scheduled Suggested Action External/ Regulatory Early Warning Systems Staffing Issues Whistle Blower Operational Losses Key Performance Risk Teams NIAP Advisory Support Lines Prior Audit Results Operational Risk Inherent Risk Strong or Satisfactory Requires Improvement Accelerate audit activity Unsatisfactory Quarterly Audit Planning and Reporting No Action

7 Business Line Profile Standard Operating Environment – 1,000 locations – National – 4 Segmented Client Offers Standard Operating Environment – 1,000 locations – National – 4 Segmented Client Offers Confusion/Duplication Between Functions in Roles & Responsibilities – 4 Major Risk Teams Confusion/Duplication Between Functions in Roles & Responsibilities – 4 Major Risk Teams Quick Win – Risk Teams – Duplication & Costs Quick Win – Risk Teams – Duplication & Costs Conflicting Reporting to Clients & Stakeholders Conflicting Reporting to Clients & Stakeholders

8 Benefits – Phase I – Risk Teams Align Risk Teams Coverage to Meet the Needs of all Groups – 1 Group – Audit Leverages (QA) Align Risk Teams Coverage to Meet the Needs of all Groups – 1 Group – Audit Leverages (QA) Roles & Responsibilities Defined and Aligned to Changing and Emerging Regulatory Requirements – SOX, Basel Roles & Responsibilities Defined and Aligned to Changing and Emerging Regulatory Requirements – SOX, Basel Improve Effectiveness & Efficiency – Less Branch Disruption – Also $2 million Savings Improve Effectiveness & Efficiency – Less Branch Disruption – Also $2 million Savings Move to Continuous Monitoring/Auditing Model – Foundational to Phase II – Further Benefits Move to Continuous Monitoring/Auditing Model – Foundational to Phase II – Further Benefits

9 Phase I Q Q1 2006Q Reduced On-site Testing Through: Inventorying current on-site testing activities Changing/adding/deleting tested activities Identifying duplication Migrating duplicated testing to FRS Eliminating migrated testing from groups Developing process to audit FRS Focusing on routine activities Processes review with product groups Basel Compliance Internal Audit Business Risk SOX On-site testing SOX Basel Compliance Business Risk W/M Internal Audit

10 Benefits – Phase II - EWS Leverage Information Technology - Consists of Data Mining and Analytics Leverage Information Technology - Consists of Data Mining and Analytics Whole Portfolios – Holistic View – Real Time Whole Portfolios – Holistic View – Real Time Additional Efficiencies - $5 million Additional Efficiencies - $5 million Major Step Towards Continuous Monitoring/Auditing Model Major Step Towards Continuous Monitoring/Auditing Model Monitoring Capability Enhanced: Monitoring Capability Enhanced: - Reduces Onsite Testing - Risk Indicators/Trends To Support On-site Testing - Improves Earlier Identification – More Predictive

11 Phase II Q1 ‘07 On-site testing SOX Basel W/M Business Risk Compliance SOX Basel W/M Compliance Internal Audit Business Risk Reduced On-site Testing Through: Develop central monitoring capability Enhanced technology platform Leverage existing knowledge (NRM/EWS/CRS) Central monitoring for select activities Further on-site testing eliminated Majority of on-site testing migrated to FRS Internal Audit Internal Audit/Basel

12