Aucun résultat trouvé
Nos sujets d'actualité mettent l'accent sur les domaines susceptibles d'être une préoccupation majeure et d'intéresser la plupart des acteurs. La protection de la clientèle reste en tête de l'agenda réglementaire avec les facteurs ESG, tandis que la résilience opérationnelle et le besoin d'innovation technologique et numérique présentent des défis croissants. L'IA générative fait également ses débuts et présentera à la fois des opportunités et des risques pour de nombreuses fonctions et organisations.
Why is it important?
Anti-Money Laundering (AML):
Money laundering remains a central concern for European (EU) Regulators and is a key item on their agenda for the forthcoming year.
As part of this continued focus on AML, key updates were made to the EU Money Laundering Regulations. With these changes, it is important that organisations continue to review and make appropriate enhancements to their AML frameworks to remain compliant with an ever-changing AML regulatory landscape.
Sanctions:
The past few years have been marked by the industry’s strengthening of sanctions screening and monitoring capabilities particularly as a direct result of Russia’s ongoing occupation of Ukrainian soil, which resulted in ongoing and intensified sanctions imposed by many countries. Firms now face a strong increase in the number of Special Designated Nationals and Blocked Persons.
These measures have had a significant impact on companies’ sanctions risk management frameworks. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.
We see the present and immediate future characterised by a shift to supervision and enforcement. This is to ensure that the financial sector has made appropriate enhancements to its sanctions risk management frameworks in order to minimise breach or circumvention risk.
What’s new?
Anti-Money Laundering (AML):
EU Regulators have instigated key changes to money laundering risk management in the financial sector:
Sanctions:
EU Regulators have introduced significant enhancements to its ability to detect weaknesses in firms’ sanctions risk management frameworks.
As with AML compliance, EU Regulators maintain a hardened stance against firms found to be non-compliant, whether wilfully or by not committing appropriate efforts and resources to the management of sanctions risk.
What should internal audit be doing?
Area of Focus AML |
Suggested steps Internal audit should continue to focus on reviewing the keystone features of financial crime frameworks to ensure these are designed to maximise their firms’ management of financial crime risk while not interfering with important themes such as financial inclusion. This includes but is not limited to: Enterprise-wide risk assessment (EWRA) Design and implementation of the EWRA to ensure that a firm has captured the requirement on proliferation financing along with ensuring that the EWRA remains overall fit for purpose. This should include a consideration on how a firm uses the results of the EWRA as part of its overall AML risk management process. Internal audit should challenge a firm’s approach to the management of both new and challenging risks along with any control gaps identified. Customer risk assessment (CRA) Review and testing of the CRA methodology and modelling applied (if applicable) with a focus on how the CRA has been adapted to scenarios such as higher risk countries as an input. Policies and procedure Review and assessment of AML policies and associated procedures to ensure these remain fit for purpose, with particular emphasis on the need to better understand higher risk business relationships. This should be looked at both from an appropriateness of approach perspective, and with respect to ensuring the recent obligations are integrated in relevant policy and associated documentation and are operating effectively. Internal audit should challenge any gap analysis performed to ensure a firm has adequately assessed changing obligations and identified any remedial steps required to implement these. Transaction monitoring Ongoing monitoring of customers and their transactional activities continue to attract regulatory scrutiny. Internal audit should review and assess a firm’s solution, including applicable investigation process, to ensure a firm has the required systems and controls in place to enable them to identify any transactions of a suspicious or higher risk nature, including identification of all transactions to/from higher risk countries. Record keeping Internal audit should continue to review their firm’s approach to the documentation and retention of all relevant financial conduct policies, procedures, governance and decisioning to ensure these are properly recorded and maintained. This will then serve as robust evidence of the organisation’s position and approach at a point in time. |
Sanctions | Review approaches which leverage data analytics are proving to be extremely effective in helping highlight weaknesses in the sanctions screening process. Internal audit should continue to focus on the effectiveness of a sanction’s compliance programme, particularly looking at any data analytics employed as part of its sanctions risk management. The following areas will be crucial: including the following areas, through hybrid review approaches: Appropriately calibrated screening solutions Internal audit should review their firm’s screening solution on an end-to-end basis. This includes:
Internal audit should ensure that all decisions have been documented as part of this testing. Know your customer integration Sanctions screening is only as effective as the system designed to provide it with data. Internal audit should continue to place particular focus on how enhanced due diligence has been adapted to the current heightened risk of sanctions evasion, particularly where beneficial ownership is less transparent, and higher risk jurisdictions are involved in the ownership chain. Customer and relevant party screening Sanctions screening should be taken into careful consideration as a fundamental tool supporting due diligence measures. Internal audit should consider how a firm identifies and screens all relevant parties in a business relationship at onboarding and on an ongoing basis, to minimise the risk of breaching sanctions. This includes screening of all relevant parties such as intermediaries, agents, etc. who may act for or on behalf of a customer. This is particularly important for firms where a relationship may involve several parties other than the direct customer. |
Why is it important?
Fraud represents an important reputational and financial risk, with the average organisation losing an estimated 5% of their annual revenues to fraud, according to the Association of Certified Fraud Examiners (ACFE). Given the evolving threat landscape, we are seeing increasing requirements on organisations to prevent, detect and deter fraud. With new legislations on the immediate horizon, it is important that organisations and senior stakeholders oversee the implementation of robust fraud prevention measures, and strengthen their anti-fraud culture. For the incoming regulations, financial services organisations will need to especially focus on potential frauds that their employees and agents could commit for the benefit of the organisation.
What’s new?
Organisations will need to take steps to enhance their fraud risk management framework, in particular:
What should internal audit be doing?
Area of Focus Fraud risk management assessment |
Suggested steps To manage the risk posed by fraud, we expect that firms have implemented fraud risk management frameworks to address the nature of their fraud risks (e.g., application, customer, claims, etc.) that encapsulates the following six key elements. This framework sets out a high-level approach to delivering focused activity holistically across each segment, which internal audit should assess their organisation against. Enterprise-wide fraud risk assessment Has the organisation undertaken an assessment to identify the key fraud risks faced across the organisation? A process should be in place to regularly refresh the assessment to account for changes in working practices and business environments. The assessment should incorporate specialist expertise, data analysis and engagement from key stakeholders. All key fraud risks faced by the business should be identified and prioritised accordingly. Controls identification and mapping For those fraud risks deemed to be the most material to the organisation, the corresponding counter fraud controls should be identified, documented, and mapped. The key counter fraud controls should be captured and maintained for example, within process maps, a Risk and Control Matrix (RACM) and/or Governance, Risk and Control (GRC) systems. Monitoring and assurance The key anti-fraud controls identified need to be subject to regular design and operational effectiveness testing. This programme of assurance should be coordinated across the lines of defence and any gaps or weaknesses should be remediated and the corresponding actions tracked through to completion. Further, periodic, consistent and robust reporting on the progress of the implementation of the fraud risk management framework and the assurance delivered, should be provided to the Board/Audit Committee. Training and awareness Regular organisation-wide anti-fraud training should be provided, including specific targeted training for higher risk positions (e.g., HR, finance, procurement etc.), supported by communications to increase awareness of the risks and individual responsibilities relating to the prevention, detection and deterrence of fraud. Policies and procedures A documented fraud risk methodology should be in place, informed by the risk assessment process and supported by detailed policies and procedures covering the key elements outlined in the fraud risk framework, as well as a dedicated fraud response plan. Roles and responsibilities should be clear and transparent. Leadership and tone A strong and consistent ‘tone from the top’ is required to emphasise the importance of fraud awareness and the fact that fraud will not be tolerated. Leadership should provide strong and consistent support across all aspects of the fraud risk management framework and ensure that clear ownership and responsibilities are established over the delivery of each aspect. |
Why is it important?
Anti-Money Laundering (AML):
Money laundering remains a central concern for European (EU) Regulators and is a key item on their agenda for the forthcoming year.
As part of this continued focus on AML, key updates were made to the EU Money Laundering Regulations. With these changes, it is important that organisations continue to review and make appropriate enhancements to their AML frameworks to remain compliant with an ever-changing AML regulatory landscape.
Sanctions:
The past few years have been marked by the industry’s strengthening of sanctions screening and monitoring capabilities particularly as a direct result of Russia’s ongoing occupation of Ukrainian soil, which resulted in ongoing and intensified sanctions imposed by many countries. Firms now face a strong increase in the number of Special Designated Nationals and Blocked Persons.
These measures have had a significant impact on companies’ sanctions risk management frameworks. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.
We see the present and immediate future characterised by a shift to supervision and enforcement. This is to ensure that the financial sector has made appropriate enhancements to its sanctions risk management frameworks in order to minimise breach or circumvention risk.
What’s new?
Anti-Money Laundering (AML):
EU Regulators have instigated key changes to money laundering risk management in the financial sector:
Sanctions:
EU Regulators have introduced significant enhancements to its ability to detect weaknesses in firms’ sanctions risk management frameworks.
As with AML compliance, EU Regulators maintain a hardened stance against firms found to be non-compliant, whether wilfully or by not committing appropriate efforts and resources to the management of sanctions risk.
What should internal audit be doing?
Area of Focus AML |
Suggested steps Internal audit should continue to focus on reviewing the keystone features of financial crime frameworks to ensure these are designed to maximise their firms’ management of financial crime risk while not interfering with important themes such as financial inclusion. This includes but is not limited to: Enterprise-wide risk assessment (EWRA) Design and implementation of the EWRA to ensure that a firm has captured the requirement on proliferation financing along with ensuring that the EWRA remains overall fit for purpose. This should include a consideration on how a firm uses the results of the EWRA as part of its overall AML risk management process. Internal audit should challenge a firm’s approach to the management of both new and challenging risks along with any control gaps identified. Customer risk assessment (CRA) Review and testing of the CRA methodology and modelling applied (if applicable) with a focus on how the CRA has been adapted to scenarios such as higher risk countries as an input. Policies and procedure Review and assessment of AML policies and associated procedures to ensure these remain fit for purpose, with particular emphasis on the need to better understand higher risk business relationships. This should be looked at both from an appropriateness of approach perspective, and with respect to ensuring the recent obligations are integrated in relevant policy and associated documentation and are operating effectively. Internal audit should challenge any gap analysis performed to ensure a firm has adequately assessed changing obligations and identified any remedial steps required to implement these. Transaction monitoring Ongoing monitoring of customers and their transactional activities continue to attract regulatory scrutiny. Internal audit should review and assess a firm’s solution, including applicable investigation process, to ensure a firm has the required systems and controls in place to enable them to identify any transactions of a suspicious or higher risk nature, including identification of all transactions to/from higher risk countries. Record keeping Internal audit should continue to review their firm’s approach to the documentation and retention of all relevant financial conduct policies, procedures, governance and decisioning to ensure these are properly recorded and maintained. This will then serve as robust evidence of the organisation’s position and approach at a point in time. |
Sanctions | Review approaches which leverage data analytics are proving to be extremely effective in helping highlight weaknesses in the sanctions screening process. Internal audit should continue to focus on the effectiveness of a sanction’s compliance programme, particularly looking at any data analytics employed as part of its sanctions risk management. The following areas will be crucial: including the following areas, through hybrid review approaches: Appropriately calibrated screening solutions Internal audit should review their firm’s screening solution on an end-to-end basis. This includes:
Internal audit should ensure that all decisions have been documented as part of this testing. Know your customer integration Sanctions screening is only as effective as the system designed to provide it with data. Internal audit should continue to place particular focus on how enhanced due diligence has been adapted to the current heightened risk of sanctions evasion, particularly where beneficial ownership is less transparent, and higher risk jurisdictions are involved in the ownership chain. Customer and relevant party screening Sanctions screening should be taken into careful consideration as a fundamental tool supporting due diligence measures. Internal audit should consider how a firm identifies and screens all relevant parties in a business relationship at onboarding and on an ongoing basis, to minimise the risk of breaching sanctions. This includes screening of all relevant parties such as intermediaries, agents, etc. who may act for or on behalf of a customer. This is particularly important for firms where a relationship may involve several parties other than the direct customer. |
Why is it important?
No organisation operates in isolation, and we are seeing a trend where there is increasing reliance on third and fourth parties. By outsourcing or buying third-party services, firms benefit from leveraging specialist expertise, reduced operational overhead costs and greater assurance over delivery through defined SLAs. This enables them to focus on their core business activities. However, when these relationships and dependencies are not managed proactively and effectively, they can bring undue risks to the organisation.
The financial impact of a failure in this ecosystem through operational losses, fines or reputational damage is costly. In addition, increased regulatory scrutiny and prescriptive requirements (part of third-party and operational resilience regulations) have rapidly increased focus on third-party risk, especially as firms are seeing an acceleration of digitisation across entire operations. This has meant traditional services and operating models require unprecedented changes to meet new ways of working in a short space of time.
Regulators are providing more clarity and greater harmonisation of third-party risk regulations. They have strengthened the linkage between third-party management and operational resilience and heightened data security requirements, including the use of cloud and Information Communication Technology (ICT) providers. In our experience, firms that acknowledge the cross-functional nature of third-party risks, that implement third-party oversight in a holistic manner and are enabled through technology, achieve far greater clarity and consistency compared to firms that assess individual third-party risks in siloed teams.
What’s new?
While financial services internal audit functions will be aware of some regulatory requirements, there have been significant regulatory developments on third-party risk that have broadened requirements for most firms. Materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach and it also implements the European Banking Authority’s (EBA) guidelines on outsourcing arrangements and expands on certain sections such as data security, business continuity and exit plans.
The Digital Operations Resilience Act (DORA) was published in the EU’s Official Journal on 27th December 2022 and entered into force on 16th January 2023 and affects all EU-based financial services firms. A 24-month implementation period will precede the full application in 2025. The DORA introduces a unified regulatory and supervisory rulebook for ICT operational resilience in the financial sector, pushing financial services (FS) firms to make substantial investments to improve their resilience to digital and cyber risk disruptions. One of its main objectives is to harmonise FS firms’ management of ICT third-party risks. This is through mandatory contractual terms for outsourcing and the requirement to assess concentration risks when outsourcing affects Critical or Important Functions (CIFs).
What should internal audit be doing?
For internal audit functions considering performing an audit in the area of outsourcing or third-party risk management, we recommend the following topics are considered for inclusion in the scope:
Area of Focus Proportionality |
Suggested steps
|
Governance and record-keeping |
|
Sub-outsourcing | Whether the firm maintains an up-to-date register of information in line with regulatory expectations and the content and detail of this register. |
Pre-outsourcing phase |
|
Outsourcing agreements |
|
Data security | Whether there is clear consideration for data security where a third-party agreement involves the transfer of data, including the recognition of different classes of data and a risk-based approach to managing these. |
Business continuity and exit plans | Whether the firm has developed, documented, maintains and routinely tests a business continuity plan and exit strategy for each material outsourcer. This should also be included as part of the risk assessment conducted before they enter into an outsourcing agreement with clear roles and responsibilities in the event of both stressed and unstressed exits. |
Environmental and Social Considerations | How environmental and social considerations of the business are reflected in their third-party risk management policy and its application of their sustainability ambitions to their supply chain. |
Why is it important?
The crypto and digital asset landscape has continued to expand over the last 18 months, as more banks are further exploring the use of distributed ledger technologies. Some are partnering with established crypto natives to build their own solutions, or have begun investing in native crypto-custodians to gain exposure to, or build a product or service offering in this market.
A number of firms are looking to onboard new virtual asset service providers (VASPs) in order to begin their offering into the digital asset space, as well as existing firms with a presence in the market looking for new virtual asset service providers.
Onboarding any new third party comes with inherent third-party risks. With digital assets the perceived level of risk is increased due to:
As the ecosystem continues to grow, clients will turn to professional service providers to support them with the onboarding of VASPs as well as the evaluation of providers and risk management. Deloitte can support in a suite of areas especially risk identification, risk management and controls.
What’s new?
What should internal audit be doing?
Area of Focus Third-party due diligence |
Suggested steps
|
Third-party oversight capabilities | As part of any review of the firm’s oversight framework, internal audit should include consideration of:
|
Third-party risk framework review |
|
Digital assets controls review |
|
Education |
|
Why is it important?
Digital asset custody is the safe keeping of digital assets. Digital asset custody providers are often third parties who provide safekeeping of assets for institutions, who in turn offer digital asset services to their clients.
Distributed ledger technology (DLT) has the power to re-platform financial services across the value chain, transform capital markets and impact traditional market structure in custody. There is wide variance of custody offerings across jurisdictions owing to technological, regulatory and legal standards, and each different offer might be better for a particular use case.
The use of DLT is not limited to cryptocurrencies, it also includes a wide variety of assets that are being represented on-chain in the tokenization of existing asset classes and digitally native assets such as equity and debt instruments, tokenized real estate, tokenized commodities, tokenized deposits, stablecoins and other representations of tokenized real-world assets.
Custody is important as private keys which are used to conduct transactions or access crypto holdings are complex and thus difficult to remember and can be hacked or stolen. For individual holders of digital assets, the risk lies in losing one’s own assets, but for institutions, the risk is losing client’s assets.
When entering the world of custody of digital assets, the new technology continues to affect existing risk domains. In parallel, many existing risk domains will undergo fundamental changes as DLT comes into play, and new risks will emerge.
What’s new?
Key crypto custody regulatory framework developments:
What should internal audit be doing?
Area of Focus Digital assets custodian due diligence |
Suggested steps Internal audit can play a key role in reviewing the firm’s risk assessment processes to understand the implications of relying on digital assets third-party custody providers and the third-party’s risk. |
Third-party oversight capabilities | As part of any review of the firm’s oversight framework, internal audit should include consideration of:
|
Digital assets controls review | Review controls in place to ensure they adequately mitigate risks from digital asset custody related activity. Suggested controls for a review in this space could be around storage of digital assets in wallets, reconciliation of digital assets on-chain vs off-chain records, proof of reserves assurance where applicable, amongst others. |
Why is it important?
Models serve many important strategic purposes for financial services firms, in the EU and beyond, which are relied upon as part of the regulatory framework. However, they can pose risks for both financial services firms and the regulators monitoring them. In a policy environment that is broadly supportive of model use, firms must seek to build supervisory confidence in their models amid increasing regulatory scrutiny.
Firms need to demonstrate to supervisors that model risk is being managed across all stages of the model lifecycle. Overall, we expect supervisors to attach most importance to;
Firms that implement model risk management frameworks that satisfy both regulatory requirements and supervisors’ practical concerns, and operate at a commercially viable cost, are, in our view, well-positioned to find a supportive policy environment for the use of models.
What’s new?
Banks with existing internal model permissions already have significant ongoing effort in their modelling teams, with work underway in several areas, including:
Banks will have to address a number of challenges in meeting their obligations around Model Risk Management (MRM):
EU Regulators see model risk as a risk that should be treated in the same way as other material risks in firms: it should be part of risk appetite and should be monitored and managed as seriously as any other material risk. The EU Regulators intent in putting the principles for MRM into the supervisory framework is to drive a change in culture around MRM.
What should internal audit be doing?
Area of Focus Model identification and classification |
Suggested steps As a starting point, internal audit teams must understand the model population to confirm that all such tools are properly defined and included in any broader oversight framework:
|
Model governance | Understanding the firm’s governance around how models are developed and overseen is key within any review in this space. Areas for consideration:
|
Model development, implementation and use | Development and deployment of models must be supported by a robust governance framework by which firms understand and oversee the introduction of new and existing models and how they are used:
|
Model validation | Where internal audit teams possess or have access to the requisite level of capability and tooling, some assurance around validation of models could be included in work programmes. Consideration should be given to:
|
Why is it important?
Identification of opportunities for work that delivers common benefits across Internal Ratings repair, IFRS9 and Basel 3.1. Internal audit could play a key role in providing a holistic view across teams to identify any commonalities. More widely, opportunities exist across climate and MRM. Firms that identify similarities and exploit them to reduce the workload for their scarce model resource will reap benefits.
This continued gloomy credit outlook presents serious challenges for both consumers and firms. Borrowers face high inflation (although there are some early signs that this may be beginning to level off), higher interest rates and associated cost-of-living challenges. Supervisors will expect firms to have the capacity, skills and resources in place to deal with rising insolvencies and distressed borrowers, whilst managing balance sheet impacts proactively.
It has been clear for some time that rising credit risk is a significant issue, albeit one where the oft-threatened wave of defaults has yet to break. But the credit outlook now appears increasingly bleak owing to a combination of economic supply and demand-side challenges for businesses.
Retail customers face increasing or high levels of inflation, higher interest rates and the associated cost-of-living and debt service challenges, and pent-up credit pressure (including latent credit risk developed during COVID-19). This may start to translate into increased impairments for firms.
What’s new?
Rising interest rates
Interest rates have continued to increase throughout 2023, with the European Central Bank taking measures to stem the increasing rate of inflation. As inflation rises show early signs of tailing off, the expectation is that interest rates will remain high and could increase further before declining. Whilst nominal rates are nowhere near the levels of the 1990s, many borrowers are taking on mortgages at high income multiples, with the result that mortgage payments represent a significant portion of household incomes.
Notwithstanding the requirement for lenders and insurers to undertake affordability assessments, significant increases in interest rates, when combined with other inflationary pressures, are leaving households with limited or no surplus income. Firms will need to ensure that their affordability assessments keep pace with changes in the economy. In lenders’ residential mortgage portfolios, the prospect of material falls in house prices implies the potential challenge of dealing with customers in negative equity.
Dealing with increased risk of defaults
Lenders, as well as other firms that are significant holders of issued debt or other assets with elements of credit risk, face a period of considerably increased risk of defaults and non-payment. This could manifest in an increase in the base level of IFRS 9 impairment allowances (expected credit losses) in stages one and two. Increased flow into stage three (default), a traditional measure of credit risk, will likely follow in subsequent years, but the financial impact on balance sheets will start earlier, reflecting the forward-looking nature of the accounting standards.
All this will happen as firms seek to bring back into their capital positions the deferred impairments arising from the COVID-19 related International Financial Reporting Standards (IFRS) 9 transitional arrangements. Firms will need to ensure that they can demonstrate to supervisors and auditors that the underlying parameters in their IFRS 9 models accurately reflect the risk in their balance sheets.
Credit concerns exist in many sectors. This is seen as being more costly than at any time since 2009, during the credit crunch, with a resultant increase in expectations that cost control – including reducing hiring expectations – will be a key business priority in 2023 and beyond. As commercial and corporate customers face reduced revenues and profits, the likelihood of layoffs is considerable, and increased unemployment will exacerbate the pressures on retail customers.
Insurers and investment funds
Insurers and investment funds hold significant volumes of issued debt instruments, as well as investments in property and other assets, as part of their management of premiums and client investments. Changes in asset values have already led to challenges to some business models, and insurers and investment funds may face further asset price and credit-related pressures in their existing portfolios.
Insurers and investment managers are increasingly seen as potential investors for Environmental, Social and Governance (ESG) and infrastructure projects, given the longevity of cashflows those projects generate. Some insurers and investment managers may need to strengthen their credit teams to ensure that any investments made during a recessionary period meet long-term expectations. For EU insurers, as part of Solvency II reform, we expect EU Regulators to adopt a more granular approach to credit risk within the matching adjustment (MA) calculation for life insurers that use it to reflect the increased sensitivity of long-term productive asset classes that are more long dated and illiquid.
What should internal audit be doing?
Area of Focus Capacity, skills and resources |
Suggested steps
|
Dealing with risks and impairments |
|
Models and indicators |
|
Affordability framework |
|
Treatment of vulnerable customers |
|
Why is it important?
As net zero remains high on governments’ agendas, regulators expect the financial services sector to play a significant role in tackling climate change. Several sustainability reporting requirements in the EU are due to be rolled out over the coming months and years. These aim to increase transparency with the underlying objective of preventing greenwashing in the industry. This is not limited to sustainable products but will cover a range of matters such as an organisations’ approach to diversity and inclusion and sustainability initiatives reflected in public reporting. As such, it is imperative for internal audit functions to challenge their firms’ readiness and responses to ensure accurate reporting against mandatory requirements. In doing so, internal audit can help firms to prevent adverse environmental effects; retain a customer base that is more and more climate-conscious; and gain confidence in an area of increasing regulatory and governmental focus. Firms need to be aware of associated risks and opportunities and internal audit functions should work with their businesses so that they are ready for the raft of regulatory changes we expect to come into force soon.
What’s new?
There are several recent and upcoming changes to the regulatory landscape regarding sustainability disclosures. They include:
Corporate Sustainability Reporting Directive (CSRD):
Sustainable Finance Disclosure Regulation (SFDR):
Controls on data:
What should internal audit be doing?
Area of Focus Controls on data |
Suggested steps Internal audit functions play a key role in assuring boards that commitments and outcomes are robust. As well as the more specific topics covered below, a foundational approach can be important especially where such areas have not been previously covered by internal audit. Such coverage could include:
|
Third-party risk - data | To prevent the risk of incorrect data being disclosed, firms should have robust controls in place to ensure that their third-party data providers are fit for purpose. Internal audit should assess the controls surrounding the use of third-party data in public disclosures. |
Reputational risk - greenwashing | With the general public and regulators becoming ever more climate-conscious, the risks of greenwashing, either accidental or intentional, continue to be significant. Internal audit should confirm that effective controls are in place to ensure the information reported is factual and a fair reflection of the firms’ business in order to prevent reputational damage. |
Reputational risk – greenbleaching | In response to the growing volume of reporting requirements, particularly related to financial products, firms may purposefully label their products incorrectly to avoid more stringent criteria associated with sustainable products, for example when labelling financial products under SFDR. Internal audit should be wary of this practice, known as “greenbleaching” and challenge whether controls are operating effectively to ensure that sustainability reporting accurately represents the nature of products. This will help to prevent against accusations of greenbleaching. |
Why is it important?
EU Regulators view effective governance as key to enable sound decision making in firms to achieve desired outcomes, with both increasingly focusing on diversity and inclusion. Diversity, when part of an inclusive culture, enables different perspectives and views to be shared, resulting in better judgements and decision making, mitigating against the risks of groupthink, and promoting innovation. There has been some progress in improving diversity and inclusion in financial services over the past decade, however the pace of change has been slow. Overall, the ability to assess the problem and track progress is limited by poor quality data on many aspects of diversity, with most data focused on gender, some on ethnicity, and very little on other protected or diversity characteristics.
What’s new?
What should internal audit be doing?
Area of Focus Diversity data |
Suggested steps There is a wide variation in diversity data quality, but better data enables firms to assess their current situation and ensure actions are appropriately targeted. Poor diversity data quality, limits analysis, reduces the ability to spot trends or patterns, and reduces the ability to design and implement targeted interventions. Internal audit should review the adequacy of current diversity data and the effectiveness of the design of any plans to improve this, including those focusing on increasing staff self-declaration. |
Diversity strategies and initiatives | Across financial services, diversity strategies and initiatives are in their infancy, and so are yet to reach a level of cohesion and maturity. Internal audit should review diversity strategies and initiatives, taking into consideration the following aspects:
|
Meeting the diverse needs of customers | As well as considering diversity and inclusion from an internal perspective, firms should also focus on ensuring that diverse consumer needs are met. Internal audit should review how the design process for products and services considers the range of needs in the target market, including characteristics of vulnerability, and how these are factored into the end design. |
Why is it important?
Regulatory bodies continue to drive the need to prioritise the embedding of a strong internal control framework in the 1st line of defence and to demonstrate effective management of key risks. A strong internal control framework, underpinned by a risk-based controls testing capability, provides the basis for accountable leaders to attest to the effective design, implementation, and operation of controls.
The basic foundations of a strong internal control environment are:
Without clarity on these components, it is often difficult to define and communicate who is responsible for what across 1st line management teams, internal control teams, and the 2nd line.
What’s new?
There is one primary driver behind the renewed focus we’re seeing organisations have on getting the internal control model right:
As a result of this driver, organisations are actively reviewing their current levels of maturity in relation to internal control. They are having to understand their current level of maturity at a more detailed level, and in cases of rapid growth, focus on defining the path to a maturity level that is in line with their wider strategic ambitions.
What should internal audit be doing?
Area of Focus Reviewing the maturity of the foundations of internal control |
Suggested steps The foundations of internal control have a direct impact on the effectives of downstream control management processes such as control testing. Internal audit should consider incorporating a thematic review of the maturity of internal control foundations in the annual audit plan. As part of this, internal audit should also look at whether sufficient evidence is available to support disclosures on internal control made within the annual report. |
Drive alignment and integration across the three lines of defence | An indicator of internal control maturity is when there is alignment of control terminology and integrated control management processes across the lines of defence. Internal audit should continue to play an influential role in aligning and integrating the role of each line of defence on the topic of internal control. |
Educate internal audit practitioners on what’s possible with technology | Internal audit functions should proactively educate their teams on the latest techniques to design and implement controls enabled by technology. Where possible, internal audit recommendations should include insights on how to streamline the control environment and highlight where technology could be deployed to implement more robust controls. |
Why is it important?
The number of ‘green’ and ‘sustainability-related’ financial products has increased exponentially over the last couple of years as firms grapple with rising demand from consumers and regulators to demonstrate how they positively contribute to the planet and its people. However, with varying definitions of what is considered ‘green’, universal regulations and labelling systems such as the Sustainable Finance Disclosure Regulation (SFDR) have become more important.
There is a growing concern that consumers may be misled as firms rush to promote green products in order to strengthen their perception in the market, without robust governance and understanding over the product lifecycle. Ensuring that financial products meet and continue to meet advertised Environmental, Social and Governance (ESG) criteria will be a key focus area for regulators going forward, with renewed emphasis on positive consumer outcomes.
What’s new?
Regulators are focussing more and more on the compliance of ‘green’ and ‘sustainability-related’ financial products, using green taxonomies and green labels, to ensure customers are able to understand the sustainability of products they may buy.
What should internal audit be doing?
Area of Focus Greenwashing |
Suggested steps
|
Good customer outcomes |
|
Product governance |
|
Product marketing and labelling |
|
Why is it important?
Enterprise recovery refers to an organisation’s ability to successfully prepare for, respond to, and recover from a catastrophic cyber event. Any financial services organisation could suffer significant enterprise-wide impacts because of such an event. With digitisation continuing to drive technology into the core of all business processes, the unavailability of critical technologies can prevent delivery of critical business services, severely impacting key areas or the entirety of the organisation. To keep pace, most financial institutions are strengthening their security controls and looking for ways to uplift their cyber maturity.
What’s new?
We have continued to see an increase in high-profile major cyber incidents across 2023, which, when coupled with the following cyber trends, creates an increased risk of an enterprise-wide event.
What should internal audit be doing?
Internal audit functions continue to play a key role in ensuring their organisations have a robust approach to cyber risk. We have set out below the topics internal audit may wish to consider when scoping an audit in this area. Functions will also want to consider whether they have access to the necessary skills to perform such assurance.
Area of Focus Digital Operational Resilience Act (DORA) |
Suggested steps Review the organisation’s ICT risk management framework, a key requirement within the EU’s DORA. This should include a risk management framework, systems deployed to detect anomalous activities, and appropriate response and recovery strategies. |
Cyber incident response | Review incident response capabilities of the organisation. This includes the ability to prevent, detect, mitigate, and respond to major incidents, and exercising such processes. |
Ransomware readiness | Understand the organisation’s preparedness for catastrophic ransomware attacks, working together with the Cyber Incident Response (CIR) team. |
Backup of critical data | Understand the data that is critical to the organisation and review the backup and archiving policies that are being implemented. This should consider the classification of data and its criticality to the business and should include the requirements and capabilities of data vaulting and recovery. |
Third-party risk | Review the management of and relationships with third-parties. Given the increasing complex nature of supply chains and use of third-parties, understanding, and managing the risks posed by third-party organisations is crucial. This evaluation should include take-on, contracts, and ongoing relationship management. |
Why is it important?
The post-pandemic era has seen a rebound in the investment of digital transformation and strategic change across all financial services industry sectors. Management at organisations of all shapes and sizes see new digital services as key in attracting new customers and in engaging more meaningfully with existing ones. By making investments into new digital services, management intend to deliver long term value and generate additional revenue opportunities.
Organisations, therefore, see the creation of a common, strategically linked language and methodology for digital transformation as a commercial imperative. For many organisations to deliver swiftly on change, the approach needs to be internally led with minimal external dependencies because of continued competition for talent and the evolving skills landscape. This in-house approach creates new areas of risk and opportunity to streamline governance and control processes. Internal audit should engage with the business early in the lifecycle and, in turn, manage risks proactively.
What’s new?
What should internal audit be doing?
Area of Focus Digital transformation strategy and approach |
Suggested steps Internal audit functions need to proactively assess the organisation’s innovation and digital transformation strategy and approach to ensure it will benefit the business long term. The key is not to penalise for single product or delivery failures but to look at the overall programme potential. |
Governance for agile delivery | Internal audit should assess the appropriateness of the levels of governance for agile delivery. They should also review the organisation’s control environment to ensure that the right level of controls are in place for agile programme delivery, leveraging continuous monitoring solutions to minimise delay. |
First and second line risk and control functions | Internal audit should work more closely with 1st and 2nd line risk and control functions to support the organisation in its transformation journey. They should also get involved early and should be continuously involved throughout the programme lifecycle. |
Effective management information (MI) and reporting | It is critical that effective MI and adequate reporting is in place to allow relevant senior stakeholders to provide the right level of governance and oversight. Effective stakeholder management and governance at senior levels can help foster an operationally effective environment throughout a programme lifecycle. We see a lot of organisations moving into a variety of “business partnering” models to embed risk management skills directly into programme delivery teams or product delivery pipelines. |
Review of analytical tools | As organisations adopt new analytical tools, there is a danger that the business has too many systems in play to accelerate digitalisation without proper assessment of performance and benefits. Internal audit should plan an assurance review of how these tools are embedded across the organisation to ensure they deliver value for money. A holistic approach is needed where the reviews include systems, structures, skills, and capabilities. |
Why is it important?
With the anticipated integration of Generative Artificial Intelligence (GenAI) into business functions, artifical intelligence (AI), and GenAI risk management will continue to be a hot topic for internal audit teams throughout 2023, into 2024 and onward. GenAI is a subset of AI in which machines create new content in the form of text, code, voice, images, videos, or processes. It has been the Large Language Model (LLM) powering an easily accessible chat interface that enabled GenAI to have its breakthrough moment and surprise even specialists in the field.
There are performance and operational risks that enterprises should keep in mind as they pursue the use Gen AI models – with a summary of pertinent risks in the context of LLMs summarised as:
To mitigate and minimise these risks, organisations are actively investing in developing controls to innovate with confidence. Control considerations include regulatory and principle-based guidance to ensure responsible development and use – such as considerations for embedding controls and mitigations through the GenAI development lifecycle. Reference considerations include AI specific regulatory developments, other principle-based approaches such as Deloitte’s Technology Trust Ethics (TTE) Framework or industry risk frameworks.
What’s new?
With the recent release of GenAI systems such as ChatGPT in November 2022, Bard by Google in March 2023, and Amazon’s release of its open source LLM called Falcon in June 2023, the interest around GenAI has increased, with both organisations and individuals exploring how they can utilise the tools. Further, there have been changes this year to the AI regulatory landscape, with guidance being published to aid organisations in navigating the use of all forms of AI, including GenAI.
EU AI act (latest development from June 2023) – The AI Act uses a risk-based approach and classifies AI systems as either prohibited, high-risk, or low risk based on their potential for harms to society and individuals’ health, safety or fundamental rights.
ISO AI risk management framework (published in February 2023) – ISO published this document to provide guidance for organisations that are developing and deploying AI products but also to support with the risk management of these products.
In conjunction with the publication of the regulations and guidance above, the pace of AI development and deployment for the EU may become rapid.
NIST framework (published in January 2023) - The National Institute of Standards and Technology (NIST) has collaborated with organisations from both public and private sectors to develop the NIST AI risk management framework. The guidance is voluntary and aims to help organisations understand the considerations that should be made during the design, development, use, and evaluation of AI systems.
What should internal audit be doing?
As AI technology advances, internal audit teams must stay abreast of the developments and ensure they have the required skills and capabilities to provide the necessary insight to senior leadership teams.
Area of Focus Understand the organisation’s AI strategy |
Suggested steps Internal audit should consider their organisation’s approach to governance of AI. This should include a review of the organisation’s strategy that defines the road map for AI adoption, detailing desired research areas, mapping the development process, and the business areas which will pilot developing systems. |
Review internal policy, standards, and guidelines | Similarly, internal audit should consider whether a policy has been developed that defines parameters of AI system development and deployment, as well as how this policy would be embedded and communicated. The policy should include specific standards and guidelines on the use of GenAI tools and should be reviewed and updated regularly due to the fast-moving pace of this emerging landscape. The organisation should ensure that the user community is aware of this policy and trained on do’s and dont’s of the effective deployment of the AI. |
Determine whether an AI Inventory exists | Internal audit will want to consider whether an AI Inventory has been developed. The development of an AI inventory records active and developing AI projects with details on their status, and risk management considerations so they can be monitored or managed effectively. |
Determine which external regulations or industry guidance applies to the organisation | As with many new areas, internal audit will want to understand how the organisation is staying up-to-date with new and changing regulations and the processes and controls in place to assess how a regulation will impact AI development or current deployment of AI systems, which is vital to prepare actions to ensure future compliance. |
Assess extent to which AI risk management practices and cultural behaviours considers AI risks | Internal audit should also consider AI in the context of risk management. AI should be integrated with the current risk management processes and procedures to ensure systems utilising AI are effectively managed, governed, and monitored. Current risk management processes may need to be amended to ensure that risks associated with AI are proficiently covered. Risk appetite statements may need to be updated as well to cover this new risk. |
Why is it important?
Investment in strategic change rebounded rapidly in 2022 and 2023 after the impact of COVID-19.
Many organisations are now investing in long-term growth, digital strategies and attracting new business again rather than reacting to short term operational challenges.
The prevailing industry response indicates that now is the right time to invest in technology, risk reduction, and digital solutions to enable future services, increase efficiency and attract the workforce of the future.
The next logical step for decision-makers considering how to invest in change and transformation is to assess how they deliver transformation and change.
The blockers are not always financial, as businesses often have financial resources available to invest in transformational change. What we see is programmes failing to deliver on their stated intentions due to inadequate planning, communication, and decision-making processes.
What’s new?
From working across the financial services landscape, we have identified trends that are driving change and transformation that we believe should be on internal audit’s radar.
Talent and skills
Evolving operating environment
Digital transformation
Regulation and market activity
What should internal audit be doing?
Auditing change delivery capability and change activities is not new, and such reviews are common across most audit plans. We would encourage teams to overlay any traditional approach to project auditing by taking a strategic view across the change landscape and business demand, including the investment case and overall strategic intent of the change. The success or failure of any one project can have a significant impact on the organisation's reputation and stakeholder, however by looking at the whole picture, internal audit can determine if risk lies in delivery, or in the direction of travel.
Area of Focus Investment case and change strategy |
Suggested steps
|
Portfolio and project governance |
|
Major programme audit and thematic reviews |
|
Agile delivery health checks |
|
Use of appropriate technologies and tools |
|
Why is it important?
Internal audit functions are frequently constrained by the number of auditors at their disposal, who are still using predominately manual and time-consuming ways of working. Whilst many leaders have recognised the need for digital fluency, resulting in analytics and visualisation training becoming a staple on the learning and development menu, very few have seen it as an opportunity to rethink the status quo and truly innovate.
Through the use of technology, internal audit has an opportunity to reimagine their ways of working, not just to gain efficiencies but to increase agility and enhance the quality of issues identified. For example, are cyclical coverage strategies, audits that provide a ‘point in time’ assessment, or the use of limited non-statistical sampling methods sufficient in today’s world? Is it right that teams frequently spend more time on discovering issues than understanding root cause and helping management think through solutions? Should it really take weeks and sometimes months to issue and finalise reports? Are functions leveraging their collective knowledge, or are they still reliant on retained knowledge within key individuals?
Digitalisation of the internal audit function offers both hope and new possibilities.
What's new?
There have been significant improvements in the quality and functionality of audit management systems, many of which now have high levels of integration and Application Programming Interface (API) capabilities to connect with other applications. This allows internal audit functions to create customised technology environments within their organisational context, and tailored visualisation layers. The software has also evolved to suit functions of a broader range of sizes, meaning it is no longer the reserve of only the largest functions.
Organisations themselves are also providing more opportunities for internal audit through greater investment in data and technology, and by taking a more strategic approach to information management. As the quality, reliability and availability of data in organisations improves, so does the opportunity for internal audit to leverage this through their assurance.
Over recent years automation technologies have become more accessible through low and no-code solutions, and over the past year, the potential for artificial intelligence (AI) has been observed through the release of large language models and other generative AI tools into the mainstream population. For example, some functions are using AI and machine learning to mine data in audit reports to identify themes and commonly reported issues across thousands of reports; others have applied a similar approach to risk assessment and used AI to highlight common areas of risk using minutes from stakeholder meetings. Other examples include automated audit committee reporting, the use of AI to generate the first draft of an audit report, automated working papers, predictive text for descriptions of risk and controls and QA chatbots. The opportunities are vast.
Whilst generative AI technologies are still in their proof-of-concept phase for a small number of functions, their potential to increase the productivity, quality, and impact of internal audit is clear.
Whether this is driven by growing stakeholder demand, cost reduction, productivity, or to help attract top talent (by enabling people to focus on more purpose driven and meaningful work), functions that do not engage with the digitalisation agenda now will quickly find themselves left behind. They will be lacking in agility to; respond to emerging risks; redirect resources; delivery efficiency; and in improve the quality of their insights.
What should internal audit be doing?
Be clear on your purpose - Digitalisation of internal audit is not the goal, but a means to help the function achieve its purpose through more intelligent ways of working that yield higher impact and value. By having clarity on the function’s purpose and vision, internal audit leaders can better identify, define, and prioritise their investment in digitalisation.
Make a start - Perhaps you have limited data sources and only a handful of tools. Consider what you can do with what you have and build from there. We’ve found that taking the first step helps functions gain momentum and start building a culture of innovation.
Set a digital strategy – Once the function’s digitalisation priorities have been set around deliberate outcomes, be clear on your roadmap to achieve the strategy and how you will measure progress.
Collaborate – Whilst many functions now have capable data analytics teams, some with data scientists, internal audit teams don’t typically have the full breadth of technology skills and capabilities required to digitalise all aspects of the lifecycle within their teams. In our experience, those functions who work closely with technology teams have been able to accelerate their digital strategies.
Create an innovation culture to drive digital – Taking a leaf from agile development approaches can benefit functions in a digital environment which is often dynamic and quick to change. Creating an innovation culture where leaders encourage teams to challenge the status quo and explore new ways of working, is key to identifying opportunities and addressing any issues that emerge from digitalisation.
Get tech savvy – Internal audit functions do not need to have large teams of technologists and data scientists who understand the inner workings of the latest generative artificial intelligence or be experts in technology architecture. However, having digital fluency and a basic understanding of technologies can help both leaders and their teams consider the art of the possible, spot potential use cases and translate their requirements to specialist teams who can help functions digitalise.
Why is it important?
The application of ‘Agile’ in internal audit has come about from a recognition that it can evolve and upgrade the profession, and deliver better insights, more efficiently and with greater employee engagement. In doing so internal audit can have a greater impact and be more proactive in responding to change. Agile in internal audit is centred around intentional engagement with audit stakeholders, which in turn, strengthens relationships.
Looking ahead, the breadth of demand on internal audit and the pace and scale of innovation in the profession, means there is a need to consider leading with agility to enable functions to be purpose driven, leverage automation, and embrace digital technologies.
What do we mean by leading with agility? It’s about getting deeper into the agile mindset, culture, and behaviours and applying these across audit delivery, as well as the operations of the entire internal audit function. This will enable learning, prioritisation, and the ability to pivot in increasingly complex and interrelated risk environments.
While some organisations have considered Agile and may have developed a framework, rarely do we see this fully implemented in terms of the shift in mindset, culture and behaviour and as such the benefits of agile are not yet being realised.
Embedding agile is also dependent on having the right support network, such as experienced scrum masters, agile champions, an agile centre of excellence (COE), etc. Without this it’s very difficult for an organisation to progress from “Doing” agile, to inhabiting the agile mindset, culture, and the behaviours associated with “Being” agile.
There is no one-size-fits-all approach for Agile, and here we provide the opportunity for you to reflect on your existing agile practices and identify ways to take these to the next level.
What’s new?
With regards to agile in internal audit, it is not so much about what is new or what has changed but how it is evolving. The profession has made a great start and achieved marked progress, but there are some common observations which can contribute to functions progressing to the next level in their agile journey – and this will be by leading with agility.
Go back to your why
Functions experience challenges when they are not clear about why they are applying agile and ignore the notion of aligning to its organisation’s purpose, vision, and strategy. This prevents them from developing a purpose driven approach, which in turn results in having the application of agile frameworks as the end goal, which will not always realise all the potential benefits.
Where functions are clear on the outcomes that they want to realise from embedding agile, they can appropriately tailor the agile framework in a way that works for their specific function. Tailoring the framework should be a collaborative exercise based on the lived experiences on those applying it together with your agile support network.
Evolving agile in internal audit
There is a common misconception that the implementation of agile is complete once the “agile framework” has been rolled out. Agile is intentionally designed to be incomplete and to be further tailored to your function and stakeholder environment as it grows and matures. The recognition of this enables functions to continuously customise their agile ways of working though assessing and adapting against specific measurable outcomes on an ongoing basis.
In addition, functions have taken the approach of classifying support structures (such as experienced scrum masters, agile champions, an agile centre of excellence (COE), etc.) as activities of transformation projects. Where support networks are dissolved for example post project completion, it negates their importance in maintaining and sustaining a new business as usual (BAU), resulting in functions having stalled or regressed in their ways of working
Leading with agility everywhere
Functions who have applied agile ways of working may have initially started with audit delivery, but few functions have progressed beyond this point. Agile is rarely applied across the whole audit function (such as portfolio activities, annual planning process, quality assurance, learning and development, etc.). There has also been a lack of focus on leadership training and live coaching, to support leaders to create the environment for the new BAU to emerge or be sustained.
What should internal audit be doing?
Area of Focus Go back to your why |
Suggested steps
|
Evolving agile in internal audit |
|
Leading with agility everywhere |
|
Why is it important?
Expanding stakeholder demands, and the increasing breadth and scope of risks continue to challenge internal audit functions. Leading functions have developed a clear vision and strategy, setting out how they will respond to these demands to maintain relevance and maximise their impact. The real leaders amongst these functions are those that are purpose-driven.
What’s new?
The revised draft Institute of Internal Auditors (IIA) Global Standards call for internal audit functions to develop a vision and strategy that support the organisation’s strategic objectives and meet the expectations of key stakeholders. A purpose statement that articulates internal audit’s value in supporting the organisation’s success is also required.
Purpose has become increasingly important for organisations and their stakeholders. Purpose-driven organisations have reaped benefits over the last 12 months in the form of strengthened brand recognition, faster growth and return on equity, increased employee engagement and the ability to attract top talent.
There is an opportunity to align internal audit’s role and remit with the organisation’s purpose, and a need to articulate the value the function creates for the organisation. This is a new orientation for many functions.
The need for functions to deliver more with less, whilst continuing to innovate and stretch themselves, continues to present a challenge. Functions need to be selective over their investments and define return on investment criteria to help assess whether existing and proposed strategic initiatives will drive achievement of internal audit’s purpose and vision. Those that don’t should not be taken forwards.
What should internal audit be doing?
Area of Focus Revisit and challenge – are existing visions and strategies fit for the future? |
Suggested steps Revisit and challenge whether internal audit’s existing vision and strategy are aligned to what the organisation will need from the function in future. Seek feedback from key stakeholders and bring the team together offsite to collate views and generate ideas in a focused environment. Consider the benefits of utilising an independent facilitator to challenge the team and bring fresh perspectives. |
Start with purpose - why the function exists and value it creates for the organisation | Review the organisation’s purpose statement and consider whether internal audit’s current purpose is aligned to this, or whether a refresh is needed. When defining or refining internal audit’s purpose, consider the impact the function wants to have and the value it wants to create for the organisation – focus on why the function exists rather than what it does. |
Set a clear vision - what the function will deliver over the medium to long term (three – five years) | Clarify what key stakeholders need and expect from internal audit. Ask yourself how they would describe the function in three to five years’ time if it was delivering on these expectations and creating the value articulated in its purpose statement. Would stakeholders see it as a function that looks to continuously improve and add value through a stretching remit of assure, advise, anticipate and accelerate? |
Develop a strategy - how the function will deliver its purpose and vision | Consider what the vision will look like in practice through the lenses of skills and capabilities, toolsets and mindset, to identify strategic priorities that will drive achievement and embedding of the function’s purpose and vision. Be specific in defining outcome statements for each priority and the actions that will be required to deliver against these outcomes and to navigate any potential barriers to success. Start small, identify quick wins, prioritise, assign owners and hold them to account. |
Experiment and iterate - keep it live and under review | Pursue incremental improvements that generate lasting change, rather than big bang changes which tend not to work. Adopt a mindset of continuous learning – experiment through pilots, measure the impact, learn and adapt before adopting scaled change. |
Why is it important?
In March 2023, the Institute of Internal Auditors launched a public consultation on the proposed International Professional Practices Framework (IPPF), specifically seeking feedback on the revised Global Internal Audit Standards (“the Standards”) that will apply to all internal audit professionals and functions across all industries and sectors. Additional ‘Guidance’ to support the Standards and ‘Topical Requirements’ (i.e., practice aides for auditing specific risk domains) have been outlined and are planned to be released at a later date. The new Standards are expected to be finalised in Q1 2024 with a 12 month grace period for functions to demonstrate conformance.
The proposed structure of the new Standards is organised around five domains, comprising 15 Principles and 56 Standards. Each Standard includes requirements, considerations, and suggested evidence to demonstrate conformance.
The proposal represents an update and consolidation of existing Standards and supplementary guidance, rather than a drastic overhaul. However, as drafted there is a trend to a more rules-based approach indicated by a significant increase in the number of mandatory requirements (moving from 126 to 304 ‘musts’) for Chief Audit Executives (CAE), their functions and stakeholders.
Internal audit functions will need to incorporate the new requirements as well as approaches to capture evidence to demonstrate conformance within existing quality assurance and improvement programmes.
Whilst the IPPF is yet to be finalised there are a number of ‘no regret’ decisions and activities that functions should consider and where necessary factor into team delivery plans across the course of 2024 to help ensure they are compliant with the new Standards in good time.
What’s new?
Many new requirements aim to codify what is already recognized as best practices within the industry. Notwithstanding this, demonstrating conformance to the new requirements has the potential to be demanding for all functions and may be a stretch for many, particularly smaller functions and those who are already heavily constrained by existing resourcing levels. Some of the key changes are outlined below:
What should internal audit be doing?
Area of Focus Understand the new requirements and perform a gap analysis |
Key considerations to help functions achieve compliance to the IPPF As an initial step, review the draft publication and understand what the new requirements are and how this will impact your function. As soon as the new Standards are finalised and published, perform a gap analysis to understand where you need enhance ways of working to strengthen conformance to the new Standards. This should be revisited post any revisions to the draft standards if applicable. |
Action plan | Develop an action plan to address current gaps and ensure that where no professional practices team exists, appropriate steps are factored into team delivery plans during 2024 and taken to ensure a satisfactory level of conformance is achieved / being demonstrated when the new Standards become effective (expected late 2024 / early 2025). This will likely result in a need to update and introduce new ways of working into the internal audit methodology and approaches. |
Raise awareness and provide training to your team | Provide awareness training to teams on the new requirements within the Standards, particularly where there is a need to adjust ways of working. Confirm that a mechanism is in place to ensure that the team is undertaking the required continued professional development training hours each year. |
Quality assurance and performance measurement | Once new ways of working have been established in 2024, review existing internal quality assurance activities to ensure they are aligned with the new requirements and that appropriate practices are in place to agree, measure and report on performance objectives for the function. This may require amending audit management system controls to automate / capture data. |
Stakeholder communications | With added focus on Board responsibilities, take appropriate steps to communicate the new requirements to key stakeholders. |
Consider the timing of your EQA | During the transitional period following release of the new standards the IIA recommends that EQAs are undertaken with a focus on conformance to the existing IPPF. As ever, functions should aim to get maximum benefit from their EQA to help stretch them to the next EQA cycle. Undertaking an EQA during the transitional period may benefit from gaining a forward-looking view on existing performance to new requirements to understand where existing gaps may be. While performing an EQA after the transitional period may enable the function added time to introduce new ways of working to demonstrate and gain assurance over the function conformance to new requirements. |
Use as a catalyst for impactful change | We would encourage functions to use this period as an opportunity to revisit their purpose, vision, strategy and innovation priorities to ensure that they maximise value and insight to their organisations. These all being key features that our market leading framework for the function of the future, Internal audit 4.0, has been championing and can help to realise. |
Why is it important?
Internal audit functions need to be thinking now about what skills they might need for the future to meet ever growing demands from stakeholders. In an increasingly uncertain risk landscape, internal audit teams are now expected to bring more business-oriented, enterprise-wide skills and perspectives to managing organisational risks, whilst at the same time being up to date with the latest regulation and industry practice. These skills of the future need to be considered whilst operating in an environment of constant change where resourcing and retention is becoming increasingly challenging. To support the organisation, internal audit needs to evolve and upskill at pace.
What’s new?
Key changes since 2022/23 include:
1. Focus on Purpose and Agility
The focus of purpose is not new, but the emphasis has become increasingly important with the release of the draft International Professional Practices Framework (IPPF) for consultation by the Institute of Internal Auditors (IIA). Within this draft purpose features as the focus of an entire domain. Increasing the emphasis on purpose is shifting the mindset of internal audit who now need to be more agile in their approach and mindset to auditing, adapting to the continuously changing landscape that their organisations operate in.
2. New proposed IPPF principles drive a focus on skills
The draft IPPF also raises the bar by requiring functions to perform a skills-needs-analysis to assess adequacy of their resources to deliver their plan. The draft standards tell us that there will be more focus on internal auditors demonstrating the knowledge, skills, and abilities to fulfil their roles and responsibilities successfully to drive quality in internal audit products.
3. Accelerating management of the more informed stakeholder
Increasingly informed stakeholders, with a deeper understanding of internal audit are seeking more value and quality from functions. Auditees too are more informed, invested and accountable. Strong communication and presentation skills and the ability to manage and negotiate with stakeholders are now not just skills for internal audit management, but the whole team. Internal audit also needs to be able to respond to Auditees' expectations for feedback on issues quickly and with deeper insights and practical opportunities for improvement.
4. Digitalisation
The internal audit function of the future will need to equip themselves digitally throughout the audit life cycle to demonstrate efficiencies, expand coverage, improve quality and share knowledge. They will need to make use of digital technologies, channels and ways of working to transform existing operational processes, and increase the value offered to stakeholders.
When it comes to the skills required by individual internal auditors, a basic understanding of IT general controls is now a pre-requisite, alongside data fluency.
5. Competitive labour market
Global events over the last three years have shifted the priorities of individuals and created challenges for recruiting and retaining the right talent for internal audit functions:
What should internal audit be doing?
Area of Focus Strategy |
Suggested steps Determine what is the overall internal audit people strategy including:
|
Needs analysis | Understand the:
|
Pathway/Delivery method |
|
Avez-vous trouvé cela utile ?
Si vous souhaitez nous aider à améliorer Deloitte.com, veuillez remplir ce formulaire de 3 minutes
Pour nous partager votre avis, vous devez accepter les cookies d'analyse et de performance.