

Financial Services Internal Audit Planning Priorities 2022

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

Why is it important?

Growing investor and regulatory awareness and concern over the need to address social and environmental issues is driving the rapidly increasing interest in Environmental, Social and Governance (ESG) factors and sustainable finance. As Regulators set out their expectations for how financial institutions should manage climate related financial risk, including modification of governance and risk management frameworks, development of scenario analysis and stress testing, and disclosure of climate change related issues, it is vital that the Internal Audit function challenges the firm’s response to this. As a society, customers are now aware of the growing urgency to build relationships with those businesses who can demonstrate that their practices are aligned with society’s goals and ambitions. Reputational risk has become key as it flows from firms’ responses to embedding climate risk within their business, therefore Internal Audit should challenge whether firms have suitably assessed their related exposure to reputational risk and whether the impact of handling these issues poorly has been considered.

What's new?

Regulatory Expectations:

  • In November 2020, the European Central Bank (ECB) published their supervisory expectations with respect to the risk management and disclosure of climate and environmental risk, applicable with immediate effect. Illustrating that a firm must treat climate and environmental risk holistically, the supervisory expectations are cross-cutting across an entire firm. Most importantly, the ECB has defined how the Third Line should respond in relation to emerging risk, stating: “IA functions should review the internal control and risk management framework, by considering external developments, changes in the risk profile and in products and/or business lines, to establish the extent to which the institution is equipped to manage climate-related and environmental risks.”
  • The ECB contacted specific firms at the beginning of 2021, highlighting their expectation for firms to complete their self-assessment against the ECB requirements together with defined suitable action plans for implementation of the framework with deadlines of February 2021 and May 2021 respectively.
  • The expectation of the European regulators for firms is to fully embed their approach to managing climate-related financial risk by the end of 2021.
  • The Sustainable Finance Disclosure Regulation (SFDR) introduced various disclosure-related requirements for financial market participants and financial advisors at entity and product level, applicable as at 10 March 2021.

Political Influence:

  • As investors' demand for green bonds increases, the EU Governments have confirmed their intent to fully implement a ‘Green Taxonomy’ to provide a common standard for measuring firms’ environmental impact, building on the scientific metrics in the European Union taxonomy as its basis.

ESG Wider Considerations:

  • Diversity and inclusion matters. The Regulators should commit to explore whether diversity requirements should be made part of premium listing rules.

What should Internal Audit be doing?

Area of Focus

ECB Guide on Climate Related Risk

When designing and developing the Internal Audit Plan, Internal Audit should consider whether there is suitable coverage to incorporate the assessment of the firm's response to all focus areas set out in the climate related regulatory expectation and supervisory guidance. Considering individual focus areas such as risk management or strategy, Internal Audit must ascertain how the firm has incorporated climate risk and ESG into existing control frameworks.

Where the business has provided self-assessments against regulatory expectations, Internal Audit are well placed to ensure there is an appropriate level of input and review; ascertain whether supporting action plans suitably address gaps identified; and incorporate well-defined road-maps that demonstrate to the Regulator how the firm intends to meet regulatory requirements.

Reputational Risk

Internal Audit should identify and challenge Management in areas that could be perceived as ‘Greenwashing’ by both the general public and the Regulator. In doing so, Internal Audit must ascertain how the firm’s financing activities, both direct and indirect, are reflective of the ESG strategy.

There are a number of globally recognised voluntary initiatives across the industry to which a firm may sign up in order to enhance their positive contribution to society as a whole, for example, ‘The Principles for Responsible Banking’ ensures that signatory Banks commit to aligning their business with ambitious targets that contribute to global and national sustainability goals. Internal Audit can challenge the firm’s commitment to addressing global social, economic and environmental issues through assessment of engagement with such initiatives, addressing the culture and tone of the firm.

Diversity and Inclusion and wider ESG

Whilst much of the European regulation in this space so far has been climate focussed, industry direction and regulatory guidance could be expected to incorporate wider ESG issues in the future. Internal Audit are well placed to challenge the firm’s readiness and current infrastructure and business model for measuring and reporting on a wide range of ESG topics.


Why is it important?

Internal Ratings-Based (IRB) firms are required to apply a suite of ‘IRB roadmap’ model changes by 1 January 2022 in order to remain compliant in their calculation of regulatory capital. These regulatory changes can have a profound impact on probability of default (PD), exposure at default (EAD) and loss given default (LGD) risk parameter estimates, and hence capital estimation for a firm’s banking book. Failure to evidence compliance with this new regulation can ultimately threaten a firm’s IRB status as well as increase the ‘margin of conservatism’ required for estimates, leading to higher capital charges. Ultimately this is also coupled with reputational risks from Regulators if the model development programme is perceived to be low quality. As a result, many Banks are conducting significant IRB enhancement programmes over the next few years, in order to ensure the required process changes, model redevelopments and regulatory submissions are all delivered effectively. These programmes are often high risk, with tight timelines exacerbated by the volume of model changes required and extensive submission requirements. Across the banking industry, from Tier 1s with established IRB rating systems to challenger firms applying for IRB status, there is an increased onus for successful submission for IRB approval. As a result, assurance from Internal Audit on the effectiveness of delivery from these programmes is critical. Please also refer to our IFRS 9 ECL Estimation topic given its relevance to IRB Delivery Programmes.

What's new?

A number of new IRB regulatory requirements require implementation, including:

  • Updated conditions for the definition of default (DoD), such as addition of unlikeliness-to-pay (UTP) criteria, conditions for curing, and materiality threshold for credit obligations past due;
  • Inclusion of new requirements to model LGD for ‘in-default’ exposures, including calibration to downturn and ‘point-in-time’ (as the ‘best estimate of expected loss’);
  • Introduction of extensive requirements for downturn LGD calibration, including regarding the identification of a downturn period; and
  • Requirement of cyclicality measurement of PD rating systems, for quantification of long run average (LRA) PD, for calibration purposes.

As liquidity risk management capabilities and processes evolve, it is important that firms continue to assess and address aspects of their liquidity risk management that improve transparency and agility in line with the expectations from the Boards and the Regulators and to support increased focus on strategic liquidity management.

What should Internal Audit be doing?

Area of Focus

Regulatory compliance

Verify that model development and validation controls are operating in line with regulatory requirements. Due to the technical nature of IRB regulation, often this requires input from subject matter experts (SMEs) in order to appropriately challenge the relevant model development, validation and approval controls. Areas of technical review include model methodology, performance testing and assessment of data quality. Furthermore, SME support is often necessary to provide assurance that regulatory self-assessments are sufficiently complete and accurate.

Processes and controls

Review of the relevant processes and controls across the model lifecycle, with assurance that these have been sufficiently followed prior to regulatory submission. This includes assessment of:

  • Evidence that standards on model development, validation and monitoring have been adhered to in the model change processes; and
  • Evidence of sign-off on submission of models/material model changes from the necessary functions (such as Model Governance Committees).

Programme assurance

Assess and provide assurance that the regulatory change programme has been effectively managed, in order to ensure successful submission to Regulators. This includes assurances on:

  • A clear vision of the IRB model change landscape, such as identification of objectives of delivery and the relevant portfolios under IRB scope;
  • Effective programme governance (such as project plans, Risks, Assumptions, Issues and Dependencies (RAID) logs etc.); and
  • Clear identification of relevant stakeholder groups and functions, alongside definitions of roles and responsibilities in the delivery programme. 

Why is it important?

Internal Audit functions in the EU are at different stages with regard to IFRS 17 assurance planning and are currently reassessing and adjusting their holistic assurance timelines. For many insurers the effort and cost has grown significantly from initial expectations and may continue to do so through to programme completion, as solutions are embedded, tested and re-worked. Also, in some organisations programmes have not yet been far enough progressed to enable meaningful audit activity to take place so Internal Audit may be planning its first real look at the detail in the current year. IFRS 17 has a number of areas of complexity and challenge and prioritising these can be difficult. Below we consider some of the key methodology decisions, highlighting common high-risk areas and Internal Audit's approach for providing assurance that informs governance around methodology.

What's new?

Internal Audit functions are reconsidering their assurance timelines for two reasons—first, the impact of COVID-19 has changed the plans of Internal Audit and the wider organisation for 2021, and during March 2021, it was announced that the effective date of IFRS 17 will be deferred to 1 January 2023, prompting project teams to consider refreshing their own timelines. With many programmes on the cusp of transition from implementing IFRS 17 solutions into testing, assurance over the controls design and their operating effectiveness over the IFRS 17 new financial processes is an important milestone to identify and remediate any control weaknesses in advance of external audits.

Certain key decisions, the working assumptions, are made early and drive downstream effects of the implementation programme. For example, adopting the General Measurement Model (GM) will require many organisations to modify existing systems and databases to capture additional contract or portfolio level data; whereas the Premium Allocation Approach (PAA) may not require such a significant change to the organisation’s existing infrastructure (but may introduce different risks). The cost associated with identifying and correcting inappropriate accounting policy or methodology choices during the implementation programme can be substantial and may put key deadlines at risk.

What should Internal Audit be doing?

Internal Audit has a key role to provide assurance over the IFRS 17 programme between now and completion of implementation in 2023. The nature of audit work that can be performed will be driven by the progress the business has made.

In 2020, with affected insurers having completed their impact assessments and moving into the solution implementation phase, the natural scope for Internal Audit appeared to be project assurance.

In 2021, Internal Audit scope could include methodology, as the business designs/implements solutions following conclusion of the gap assessments. Internal Audit will need to be mindful of the role of the external auditor, who will ultimately need to sign off on the chosen technical methodology and remain connected on any technical points being raised and the management of their impact on the wider project.

In the final year of 2022 before go live, companies will be focussed on producing comparative period financial results ready for publishing externally in their financial statements in the following year. This will be the first time the entire financial reporting process is run end to end. At this stage, Internal Audit can provide assurance over the design and operating effectiveness of controls over the reporting process, in advance of external audit to identify and remediate any weaknesses.

Internal Audit should consider assurance activity in the following areas during 2022:

  • Governance, program benefits and change management;
  • Technology solutions including general IT controls (GITCs);
  • Controls over dry runs/parallel runs;
  • Data migration, transformation and security;
  • Controls over modelling governance;
  • Financial planning, budgeting and reporting processes; and
  • Actuarial and risk management processes. 

Why is it important?

During the initial stages of the COVID-19 pandemic, estimation of Expected Credit Loss (ECL) for calculation of loan impairment became more challenging for firms, due to sudden changes in economic activity coupled with unprecedented levels of Government support, which caused the classical relationships between economic activity and credit behaviour to break down. With core modelling and data assumptions becoming invalid under these new conditions, many firms were forced to apply expert-based Post Model Adjustments (PMA) to their model estimates in order to generate ECL estimates as accurately as possible.

A year later and firms are now facing a new challenge; ahead of improved economic baseline forecasts, these incumbent PMAs are in some instances becoming overtly optimistic, leading to a risk of “see-saw” estimation, with impairment swinging well below the acceptable range. Furthermore, as COVID-19 era information starts to crystallise into Banks’ risk data warehouses, firms will need to consider whether this data is usable for BAU-type activities such as model monitoring and redevelopment. Internal Audit’s assurance regarding the accuracy of IFRS 9 ECL estimates is therefore critical, due to the significance of the impairment calculation as well as its volatile and subjective nature. Please also refer to our IRB Delivery Programmes topic given its relevance to IFRS 9 ECL Estimation.

What's new?

PMAs applied to SICR (Significant Increase in Credit Risk) and ECL model estimates will need to be revised as conditions change in the credit and economic environment. The timing and methodology of PMA unwinding is critical, in order to mitigate inappropriate volatility in ECL estimates, whilst ensuring provision levels are kept accurate and up-to-date.

Intrinsic modelling assumptions must be addressed, particularly regarding the association between loss estimates and economic forecasts, ahead of prospective conditions changing and potentially new external effects (such as withdrawal of Government support schemes).

COVID-19 era outcome data is starting to become available in firms’ risk datasets; this needs to be effectively incorporated into business as usual (BAU) type activities such as model performance monitoring and re-development. This will force firms to face a number of questions, such as:

  • Should COVID-19 era data be included when developing new macro-models, despite the likely implausible relationships observed in this period (for example reducing Gross Domestic Product (GDP) with unemployment stable due to Government support schemes)?
  • Should COVID-19 era data be considered as a potential downturn candidate, for example, in use of downturn Loss Given Default (LGD) calibration or economic cycle definition?
  • Should a firm’s IFRS 9 default definition be adapted, for example, to incorporate extenuating initiatives on customer credit, such as payment holidays and the large-scale forbearance activities that resulted from COVID-19?

What should Internal Audit be doing?

Area of Focus

PMA unwinding


Review the appropriateness of current PMAs applied to SICR and ECL estimation, assessing the degree to which PMAs should be adapted based on current (and prospective) economic and credit conditions. Timing of PMA unwinding should be considered, in order to mitigate potential volatility or inaccurate estimation.

ECL models

Assess the core modelling assumptions and limitations of current ECL models, particularly where assumptions were breached, and subsequently have led to introduction of short-term PMAs. Any model changes should pass through the necessary processes and controls, including review and model approval from the appropriate governance functions.

Forward-looking scenarios and weightings

Assess the process where forward-looking economic scenarios are forecast in order to inform probability-weighted lifetime ECL estimates. The selection of these possible future scenarios and their weighting is one of the most material aspects of the ECL calculation. Particular consideration should be given to potential volatility of forecasts arising from uncertainty in predicting economic conditions in post-COVID-19 scenarios.

COVID-19 era data

Assess whether necessary processes, controls and governance have been followed in the application of new COVID-19 data in BAU activities. For example, inclusion of COVID-19 data in model development should be assessed and sufficiently justified, alongside sign-off from the relevant governance functions. 
