
Banking and capital markets

Financial Services Internal Audit: Planning Priorities 2024


Planning Priorities 2024

Our hot topics aim to put a laser focus on those areas likely to be of key concern to most businesses. For banking and capital markets, the usual focus on changing regulations remains, but the impact of the dynamic external environment, the increase in sustainability-focused regulations (the UK Corporate Governance Code being just one) and the need for technological and digital innovation present growing challenges. Generative AI is also making its debut and will present both opportunities and risks to many functions and organisations alike.

Regulatory

Why is it important?

Anti-Money Laundering (AML):

Money laundering remains a central concern for the Financial Conduct Authority (FCA) and is a key item on its agenda of actions for the forthcoming year. The FCA’s 2023-24 Business Plan (Business Plan 2023/24 | FCA) emphasises this ongoing commitment, introduces a strengthening of their direct supervision and ensures that supervision by other professional bodies remains effective. Additionally, the publication of a ‘Dear CEO’ letter to payment services firms highlights the FCA’s ongoing efforts around thematic reviews aimed at highlighting sector-specific AML risks and identified weaknesses.

As part of this continued focus on AML, key updates were made to the UK Money Laundering Regulations between 2022 and 2023. With these changes, it is important that organisations continue to review and make appropriate enhancements to their AML frameworks to remain compliant with an ever-changing AML regulatory landscape.

Sanctions:

The past few years have been marked by the industry’s strengthening of sanctions screening and monitoring capabilities, particularly as a direct result of Russia’s ongoing occupation of Ukrainian soil, which has resulted in ongoing and intensified sanctions imposed by the UK and other countries. Firms now face a sharp increase in the number of Specially Designated Nationals and Blocked Persons.

These measures have had a significant impact on companies’ sanctions risk management frameworks, compounded by the introduction of a ‘strict liability civil offence’ for sanctions breaches under the Economic Crime Act 2022. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.

We see the present and immediate future characterised by a shift to supervision and enforcement. This is to ensure that the financial sector has made appropriate enhancements to its sanctions risk management frameworks in order to minimise breach or circumvention risk. In particular, data-led approaches are changing the way the FCA’s supervisory work is performed.

What’s new?

Anti-Money Laundering (AML):

The Money Laundering and Terrorist Financing (Amendment) Regulations 2022 have instigated key changes to money laundering risk management in the financial sector:

  • Enhancements designed to assess and mitigate proliferation financing risks. Expected actions will include proliferation financing as an item in a firm’s annual risk assessment, as well as policies, procedures and controls designed to mitigate any identified or potential risks effectively;
  • Additional criteria needed when performing due diligence on trusts as customers;
  • Enhanced due diligence criteria for customers incorporated in higher risk third countries, or with respect to relevant transactions where either of the involved parties is incorporated in a higher risk third country; and
  • Additional processes required for discrepancy reporting, in relation to both persons with significant control as recorded on the Companies House register, and beneficial owners recorded on the newly introduced register of overseas entities.

Additionally, the FCA issued two important fines in January 2023 in relation to AML failings. Both highlighted failures concerning risk assessment and the due diligence of higher risk customers, as well as failure to implement timely and effective enhancements to AML risk management frameworks.

Sanctions:

The FCA has introduced significant enhancements to its ability to detect weaknesses in firms’ sanctions risk management frameworks. This includes a new analytics-based tool, rolled out in 2022, that can test firms’ screening systems more efficiently. The tool uses FCA-generated test data of circa 100,000 entities, which firms will be required to run through their systems. It is anticipated that this approach to sanctions compliance testing will be effective in identifying how well firms’ sanctions screening systems are operating.

This approach has been further strengthened through active collaboration with other agencies to support intelligence gathering and enforcement efforts against circumvention attempts. The other agencies the FCA is collaborating with are: the Office of Financial Sanctions Implementation (OFSI), the National Economic Crime Centre (NECC) and the Office for Professional Body Anti-Money Laundering Supervision (OPBAS). As with AML compliance, the FCA maintains a hardened stance against firms found to be non-compliant, whether wilfully or by not committing appropriate efforts and resources to the management of sanctions risk.

What should internal audit be doing?

Area of focus: AML

Suggested steps

Internal audit should continue to focus on reviewing the keystone features of financial crime frameworks to ensure these are designed to maximise their firms’ management of financial crime risk while not interfering with important themes such as financial inclusion. This includes, but is not limited to:

Enterprise-wide risk assessment (EWRA)
Design and implementation of the EWRA to ensure that a firm has captured the requirement on proliferation financing along with ensuring that the EWRA remains overall fit for purpose. This should include a consideration on how a firm uses the results of the EWRA as part of its overall AML risk management process. Internal audit should challenge a firm’s approach to the management of both new and challenging risks along with any control gaps identified.

Customer risk assessment (CRA)
Review and testing of the CRA methodology and modelling applied (if applicable) with a focus on how the CRA has been adapted to scenarios such as higher risk countries as an input.

Policies and procedure
Review and assessment of AML policies and associated procedures to ensure these remain fit for purpose, with particular emphasis on the need to better understand higher risk business relationships. This should be looked at both from an appropriateness of approach perspective, and with respect to ensuring the recent obligations are integrated in relevant policy and associated documentation and are operating effectively. Internal audit should challenge any gap analysis performed to ensure a firm has adequately assessed changing obligations and identified any remedial steps required to implement these.

Transaction monitoring
Ongoing monitoring of customers and their transactional activities continue to attract regulatory scrutiny. Internal audit should review and assess a firm’s solution, including applicable investigation process, to ensure a firm has the required systems and controls in place to enable them to identify any transactions of a suspicious or higher risk nature, including identification of all transactions to/from higher risk countries.

Record keeping
Internal audit should continue to review their firm’s approach to the documentation and retention of all relevant financial conduct policies, procedures, governance and decisioning to ensure these are properly recorded and maintained. This will then serve as robust evidence of the organisation’s position and approach at a point in time.
Area of focus: Sanctions

Suggested steps

Review approaches which leverage data analytics are proving to be extremely effective in helping highlight weaknesses in the sanctions screening process. Internal audit should continue to focus on the effectiveness of a firm’s sanctions compliance programme, particularly looking at any data analytics employed as part of its sanctions risk management. The following areas will be crucial, and are best covered through hybrid review approaches:

Appropriately calibrated screening solutions
In anticipation of the FCA sanctions testing, internal audit should review their firm’s screening solution on an end-to-end basis. This includes:

  • Ensuring testing has been conducted on the calibration of any sanctions tools employed by the firm;
  • Review and testing of all scenarios and thresholds, and confirmation that outcome testing has been conducted.

Internal audit should ensure that all decisions have been documented as part of this testing.

Know your customer integration
Sanctions screening is only as effective as the system designed to provide it with data. Internal audit should continue to place particular focus on how enhanced due diligence has been adapted to the current heightened risk of sanctions evasion, particularly where beneficial ownership is less transparent, and higher risk jurisdictions are involved in the ownership chain.

Customer and relevant party screening
Sanctions screening should be taken into careful consideration as a fundamental tool supporting due diligence measures. Internal audit should consider how a firm identifies and screens all relevant parties in a business relationship at onboarding and on an ongoing basis, to minimise the risk of breaching sanctions. This includes screening of all relevant parties such as intermediaries, agents, etc. who may act for or on behalf of a customer. This is particularly important for firms where a relationship may involve several parties other than the direct customer.

Authors: Katie Jackson, Angela Molloy 

Why is it important?

Fraud represents an important reputational and financial risk, with the average organisation losing an estimated 5% of their annual revenues to fraud, according to the Association of Certified Fraud Examiners (ACFE). Given the evolving threat landscape, we are seeing increasing requirements on organisations to prevent, detect and deter fraud. With new government legislation (e.g., UK corporate reforms and the failure to prevent fraud offence) on the immediate horizon, it is important that organisations and senior stakeholders oversee the implementation of robust fraud prevention measures, and strengthen their anti-fraud culture. For the incoming regulations, financial services organisations will need to especially focus on potential frauds that their employees and agents could commit for the benefit of the organisation.

What’s new?

As part of the (former) Department for Business, Energy & Industrial Strategy’s (BEIS) corporate reforms, organisations will need to take steps to enhance their fraud risk management framework, in particular:

  • Fraud risk assessment: “Actions may include undertaking an appropriate fraud risk assessment and responding appropriately to identified risks”.
  • Training and communication: “Promoting an appropriate corporate culture and corporate values”.
  • Implementing controls: “Ensuring appropriate controls are in place and operating effectively”.
  • Board-level reporting: “Require Directors to report on the steps they have taken to prevent and detect material fraud”.

In addition to the corporate reforms, the UK government has set out the new ‘Failure to Prevent Fraud’ legislation, which will make it a criminal offence for large organisations to fail to demonstrate sufficient prevention and detection activities (e.g., fraud risk assessments, assurance, monitoring, training, etc.) following a material fraud. Similar in scope and application to the UK Bribery Act, the new legislation will make it easier to prosecute organisations where a fraud is committed by an employee or ‘agent’ for the organisation’s benefit. With the potential for unlimited fines, the expectation is that this legislative change will drive a major shift in corporate culture to help reduce fraud.

What should internal audit be doing?

Area of focus: Fraud risk management assessment

Suggested steps

To manage the risk posed by fraud, we expect that firms have implemented fraud risk management frameworks that address the nature of their fraud risks (e.g., application, customer, claims, etc.) and that encapsulate the following six key elements. This framework sets out a high-level approach to delivering focused activity holistically across each segment, against which internal audit should assess their organisation.

Enterprise-wide fraud risk assessment
Has the organisation undertaken an assessment to identify the key fraud risks faced across the organisation? A process should be in place to regularly refresh the assessment to account for changes in working practices and business environments. The assessment should incorporate specialist expertise, data analysis and engagement from key stakeholders. All key fraud risks faced by the business should be identified and prioritised accordingly.

Controls identification and mapping
For those fraud risks deemed to be the most material to the organisation, the corresponding counter-fraud controls should be identified, documented and mapped. The key counter-fraud controls should be captured and maintained, for example within process maps, a Risk and Control Matrix (RACM) and/or Governance, Risk and Control (GRC) systems.

Monitoring and assurance
The key anti-fraud controls identified need to be subject to regular design and operational effectiveness testing. This programme of assurance should be coordinated across the lines of defence and any gaps or weaknesses should be remediated and the corresponding actions tracked through to completion. Further, periodic, consistent and robust reporting on the progress of the implementation of the fraud risk management framework and the assurance delivered, should be provided to the Board/Audit Committee.

Training and awareness
Regular organisation-wide anti-fraud training should be provided, including specific targeted training for higher risk positions (e.g., HR, finance, procurement etc.), supported by communications to increase awareness of the risks and individual responsibilities relating to the prevention, detection and deterrence of fraud.

Policies and procedures
A documented fraud risk methodology should be in place, informed by the risk assessment process and supported by detailed policies and procedures covering the key elements outlined in the fraud risk framework, as well as a dedicated fraud response plan. Roles and responsibilities should be clear and transparent.

Leadership and tone
A strong and consistent ‘tone from the top’ is required to emphasise the importance of fraud awareness and the fact that fraud will not be tolerated. Leadership should provide strong and consistent support across all aspects of the fraud risk management framework and ensure that clear ownership and responsibilities are established over the delivery of each aspect.

Authors: James Meadowcroft, Andreas Kozis

Why is it important?

No organisation operates in isolation, and we are seeing a trend where there is increasing reliance on third and fourth parties. By outsourcing or buying third-party services, firms benefit from leveraging specialist expertise, reduced operational overhead costs and greater assurance over delivery through defined SLAs. This enables them to focus on their core business activities. However, when these relationships and dependencies are not managed proactively and effectively, they can bring undue risks to the organisation.

The financial impact of a failure in this ecosystem through operational losses, fines or reputational damage is costly. In addition, increased regulatory scrutiny and prescriptive requirements (part of third-party and operational resilience regulations) have rapidly increased focus on third-party risk, especially as firms are seeing an acceleration of digitisation across entire operations. This has meant traditional services and operating models require unprecedented changes to meet new ways of working in a short space of time.

Regulators are providing more clarity and greater harmonisation of third-party risk regulations in 2023 and beyond. They have strengthened the linkage between third-party management and operational resilience and heightened data security requirements, including the use of cloud and Information Communication Technology (ICT) providers. In our experience, firms that acknowledge the cross-functional nature of third-party risks, that implement third-party oversight in a holistic manner and are enabled through technology, achieve far greater clarity and consistency compared to firms that assess individual third-party risks in siloed teams.

What’s new?

While financial services internal audit functions will be aware of some regulatory requirements, there have been significant regulatory developments in 2022/23 on third-party risk that have broadened requirements for most firms. Since 31 March 2022, Prudential Regulation Authority (PRA) regulated firms are required to comply with the PRA’s Supervisory Statement (SS) 2/21, ‘Outsourcing and third-party risk management’ which makes it more explicit that firms are expected to assess the risks and materiality of all third-party arrangements, including those that do not fall within the definition of ‘outsourcing’. It clearly articulates that materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach and it also implements the European Banking Authority’s (EBA) guidelines on outsourcing arrangements and expands on certain sections such as data security, business continuity and exit plans.

In July 2022, HM Treasury introduced a discussion paper articulating a new regulatory oversight regime for supervisory authorities to set resilience standards, a testing approach, and enforcement powers for critical third-parties, which are non-regulated firms that pose a systemic concentration risk to the financial services sector.

The Digital Operational Resilience Act (DORA) was published in the EU’s Official Journal on 27th December 2022, entered into force on 16th January 2023 and affects all EU-based financial services firms. A 24-month implementation period will precede full application in 2025. DORA introduces a unified regulatory and supervisory rulebook for ICT operational resilience in the financial sector, pushing financial services (FS) firms to make substantial investments to improve their resilience to digital and cyber risk disruptions. One of its main objectives is to harmonise FS firms’ management of ICT third-party risks. This is through mandatory contractual terms for outsourcing and the requirement to assess concentration risks when outsourcing affects Critical or Important Functions (CIFs).

For Financial Market Infrastructures (FMIs), supervisory statements were issued on the topic of outsourcing and third-party risk management to provide guidance as to how the Bank of England expects FMIs to meet their regulatory obligations. The Code of Practice sets out more specific requirements and expectations compared to the Principles for Financial Market Infrastructures (PFMI). There are separate supervisory statements for Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs), Central Counterparties (CCPs) and Central Securities Depositories (CSDs).

What should internal audit be doing?

For internal audit functions considering performing an audit in the area of outsourcing or third-party risk management, we recommend the following topics are considered for inclusion in the scope:

Area of focus: Proportionality

Suggested steps

  • How the firm has applied the regulatory expectations around proportionality, materiality, complexity and the risk associated with their outsourced or third-party non-outsourcing services.
  • How the firm approaches intra-group outsourcing. The PRA does not consider intra-group outsourcing to carry less risk than external outsourcing services, but it acknowledges that firms may adjust due diligence requirements and adapt contractual clauses depending on the level of ‘control and influence’ they have over the intra-group entity.

Area of focus: Governance and record-keeping
  • How the firm’s governance supports ultimate responsibility sitting with the board, for example through the setting of the risk appetite or approval of relevant policies.
  • How the firm has approached roles and responsibilities relating to outsourcing, including allocation of Senior Manager Function (SMF) responsibility.
  • Whether the firm maintains an up-to-date register of information in line with regulatory expectations, and the content and detail of this register.

Area of focus: Sub-outsourcing
  • How the firm has assessed any sub-outsourcing risk, and the capacity and ability of the outsource provider to appropriately oversee any material sub-outsourcing on a continued basis.

Area of focus: Pre-outsourcing phase
  • How the firm assesses a third-party’s materiality, and the requirements around ongoing monitoring and periodic re-assessments.
  • Whether the firm understands and adheres to regulatory notification requirements.
  • How the firm assesses concentration risk, including consideration of third and fourth parties and/or geographies.

Area of focus: Outsourcing agreements
  • Whether the firm has met minimum requirements in terms of the contractual safeguards and audit arrangements to be included in written agreements.
  • Whether the agreements provide the firm, the firm’s auditors, the PRA and the Bank of England with full and unrestricted access to information and rights to audit.
  • How the firm audits outsourcing arrangements.

Area of focus: Data security
  • Whether there is clear consideration of data security where a third-party agreement involves the transfer of data, including the recognition of different classes of data and a risk-based approach to managing these.

Area of focus: Business continuity and exit plans
  • Whether the firm has developed, documented, maintains and routinely tests a business continuity plan and exit strategy for each material outsourcing arrangement. This should also be included as part of the risk assessment conducted before the firm enters into an outsourcing agreement, with clear roles and responsibilities in the event of both stressed and unstressed exits.

Area of focus: Environmental and social considerations
  • How the environmental and social considerations of the business are reflected in its third-party risk management policy, and how its sustainability ambitions are applied to its supply chain.

Author: Sonia Verbeeck

Why is it important?

The crypto and digital asset landscape has continued to expand over the last 18 months, as more banks are further exploring the use of distributed ledger technologies. Some are partnering with established crypto natives to build their own solutions, or have begun investing in native crypto-custodians to gain exposure to, or build a product or service offering in this market.

A number of firms are looking to onboard new virtual asset service providers (VASPs) in order to begin their offering into the digital asset space, as well as existing firms with a presence in the market looking for new virtual asset service providers.

Onboarding any new third party comes with inherent third-party risks. With digital assets the perceived level of risk is increased due to:

  • The limited number of third-party options available that are fully compliant with local laws and regulations; and
  • The technology is quickly evolving, and global regulatory regimes are still catching up.

As the ecosystem continues to grow, clients will turn to professional service providers to support them with the onboarding of VASPs as well as the evaluation of providers and risk management. Deloitte can support in a suite of areas especially risk identification, risk management and controls.

What’s new?

  • Emerging clarity of regulatory requirements is leading to greater interest around digital assets.
  • There are no specific UK regulatory requirements on operational resilience and third-party risk management for digital assets, but broader regulatory requirements do apply. The Prudential Regulation Authority (PRA) has made it explicit that banks should fully understand the impact that offering digital assets products could have on their operational resilience.
  • The EU’s Digital Operational Resilience Act (DORA) has entered its two-year implementation period. DORA is an ambitious European regulatory initiative on operational resilience, cyber security and third-party risk management of financial services firms. Firms will have to comply with all its requirements by 17 January 2025. DORA introduces new rules on: (1) information and communications technology (ICT) risk management and operational resilience strategy; (2) ICT incident reporting and cyber threat identification; (3) resilience testing and advanced threat-led penetration testing; and (4) third-party risk management. Where relevant, in-scope firms – including banks – will need to ensure their digital assets activities meet the DORA’s requirements. A key area of focus across the industry will likely be reviewing and enhancing capabilities to manage the risks of third-party relationships that support their services.

Source: Banks active in the UK: 2023 priorities (bankofengland.co.uk)

What should internal audit be doing?

Area of focus: Third-party due diligence

Suggested steps

  • Internal audit can play a key role in reviewing the firm’s risk assessment processes to understand the implications and risks of relying on digital assets third-party providers.

Area of focus: Third-party oversight capabilities

As part of any review of the firm’s oversight framework, internal audit should include consideration of:

  • Definition, responsibility and capabilities to oversee digital assets of third-party providers. Included within this is how firms oversee how such assets support the quality of services provided, and what assurances are obtained.
  • Key components of a third-party oversight programme should include:

    • the vendor’s risk management practices;
    • ongoing financial and operational resilience; and
    • controls and reporting, including that the outsourcing firm documents and addresses any identified weaknesses, and that these are monitored.

Area of focus: Third-party risk framework review
  • Risk frameworks form a core part of internal audit’s work. Teams should consider whether digital asset risks have been defined and whether any unmitigated risks need to be addressed, especially where gaps may be noted from wider work within this area.

Area of focus: Digital assets controls review
  • Review controls in place to ensure they adequately mitigate risks from digital asset related activity. Suggested controls for a review in this space could be around the prevention of fraud and theft, smart contract adequacy, resilience and recovery, and firm reputation.

Area of focus: Education
  • Beyond controls reviews, internal audit teams are often including consideration of how firms engage with and educate wider stakeholders within their client base on their digital assets framework, including:

    • Coverage – how are firms assessing who should be included in such guidance and are there any gaps?
    • Content – who is responsible for developing, approving, and delivering the content and does this appear appropriate?
    • Outcomes – how are firms assessing the impact and outcomes of the work they are doing? How is this driving future activity?
    • Oversight – how is the approach being monitored and reported?

Authors: Alex Dawson, Ben Thornhill, Maria Morales

Why is it important?

A “booking model” describes the product mix, client base, risk management and operating practices across a bank’s legal entity structure. Trades are “booked” into particular legal entities which then manage the risk. A booking model is an overall framework which describes what should be done (with a rationale), where it should be done (booked in which legal entity), how it should be done (to manage risk), and who should do it.

Remote booking is a type of booking model in which the trading desk within one legal entity is taking positions or managing risk in other legal entities under different jurisdictions. This is more prevalent in global and international banks undertaking trading business in different locations: they manage risk centrally by transferring individual legal entity risks to other jurisdictions and derive several benefits relating to capital efficiency, staffing and operations.

Regulators are conducting thematic reviews of banks’ booking arrangements. Banks often find challenges in meeting the following expectations:

  • providing regulators/internal stakeholders with transparency over booking arrangements;
  • establishing effective governance and oversight for cross-border activities;
  • ensuring there is management information and appropriate escalation across the suite of financial and non-financial risks; and
  • calibrating preventative and detective controls over permissible booking arrangements.

What’s new?

  • Booking models and remote bookings have been on supervisors’ agendas for a long time. Regulators have published their supervisory expectations around booking models in the EU, US and UK in 2018, 2019 and 2021 respectively. However, recent scrutiny and the complexities of Brexit have forced some banks to improve their approaches around booking arrangements to focus on simplicity and transparency.
  • The Prudential Regulation Authority (PRA) in Supervisory Statement (SS) 5/21 clearly stated that for large global investment banks which have global risk management hubs, such as in the UK, it is essential to provide visibility to regulators of remote booking risks in the relevant global business and to demonstrate how these affect the risk profile of the UK operations.
  • Regulators expect to understand the risk profile of an entity in the context of the global business lines which that entity is a part of.
  • In PRA SS5/21, the UK regulator expects international banks operating in the UK as a ‘Subsidiary’ or ‘Branch’ to clearly document their UK booking arrangements, demonstrating sufficient coverage and detail so that the role of the international bank within the group’s booking arrangement is clear. The regulator also expects the policies and procedures to be subject to an internal audit assessment (PRA SS5/21, chapter 4 para 4.24 Box 2: The PRA’s expectations for booking arrangements).

What should internal audit be doing?

Area of Focus

Management information Governance
Suggested steps

  • Review the overall governance and framework related to booking models and remote bookings. Assess whether there is a clearly documented rationale for booking arrangements, including a detailed risk assessment and whether this has been approved by an appropriate governance body.
  • Assess whether there are clearly established governance forums to discuss, challenge and approve the booking model considerations, including remote bookings.
Management information
  • Assess whether Management Information (MI) has clear reporting of incoming and outgoing remotely booked trades, especially in and out of UK entities, and whether details are captured i.e. product details, the legal entity in which it is booked and whether the booking is as per trader mandates and approved locations.
  • Review whether MI is comprehensive and captures adequate information associated with these bookings, such as financial performance, risk profiles, breaches and actions undertaken for any exceptions.
  • Review whether MI is shared with appropriate committees on an ongoing basis and whether appropriate actions are taken and monitored.
Senior Manager oversight
  • Assess if there are adequate supervisory controls (senior manager) over managing booking arrangements. Also, evaluate whether accountability is explicitly set out in the statement of responsibilities of the responsible senior manager function, which falls within the Senior Managers and Certification Regime (SM&CR).
Control framework
  • Evaluate the design of both preventative (pre-trade) and detective (post-trade) controls around booking arrangements.
  • Using data analytics, evaluate whether trades have been booked as per the approved booking model and whether authorised product, counterparty, person, location and entity are considered.
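The data-analytics step above, carried out as an added illustration that is not Deloitte's, a regulator's or any bank's tooling: each trade in an extract is compared with the trader's approved mandate (product, booking entity, location and counterparty type), breaches are listed per trade, and remote bookings are split into those coming into and going out of the home location's entities for MI. The mandates, entity locations, trade records and the one-mandate-per-trader schema are all constructed assumptions.

```python
"""Post-trade (detective) booking-model check.

Added illustration, not Deloitte's, any regulator's or any bank's tooling.
The mandates, entity locations and trades below are constructed sample data,
and the one-mandate-per-trader shape is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mandate:
    """Approved booking mandate for one trader (constructed schema)."""
    trader: str
    location: str                   # approved location the trader books from
    products: frozenset             # products the trader may book
    entities: frozenset             # legal entities the trader may book into
    counterparty_types: frozenset   # counterparty types the trader may face


# Constructed approved booking model.
MANDATES = {
    "T001": Mandate("T001", "London", frozenset({"IRS", "FXFWD"}),
                    frozenset({"UK_PLC", "EU_SA"}), frozenset({"bank", "corporate"})),
    "T002": Mandate("T002", "New York", frozenset({"IRS"}),
                    frozenset({"US_INC"}), frozenset({"bank"})),
}

# Constructed jurisdiction of each legal entity a trade can be booked into.
ENTITY_LOCATION = {"UK_PLC": "London", "EU_SA": "Frankfurt", "US_INC": "New York"}

# Constructed trade extract, shaped like a booking-system export.
TRADES = [
    {"id": "X1", "trader": "T001", "product": "IRS",   "entity": "UK_PLC", "location": "London",    "cpty_type": "bank"},
    {"id": "X2", "trader": "T001", "product": "FXFWD", "entity": "EU_SA",  "location": "London",    "cpty_type": "corporate"},
    {"id": "X3", "trader": "T002", "product": "IRS",   "entity": "UK_PLC", "location": "New York",  "cpty_type": "bank"},
    {"id": "X4", "trader": "T001", "product": "CDS",   "entity": "UK_PLC", "location": "Singapore", "cpty_type": "fund"},
    {"id": "X5", "trader": "T999", "product": "IRS",   "entity": "UK_PLC", "location": "London",    "cpty_type": "bank"},
]


def check_trade(trade, mandates=MANDATES, entity_location=ENTITY_LOCATION):
    """Return the list of mandate breaches for one trade (empty if compliant)."""
    mandate = mandates.get(trade["trader"])
    if mandate is None:
        return ["no approved mandate for trader"]
    reasons = []
    if trade["product"] not in mandate.products:
        reasons.append(f"product {trade['product']} outside mandate")
    if trade["entity"] not in entity_location:
        reasons.append(f"unknown legal entity {trade['entity']}")
    elif trade["entity"] not in mandate.entities:
        reasons.append(f"entity {trade['entity']} not an approved booking entity")
    if trade["location"] != mandate.location:
        reasons.append(f"booked from {trade['location']}, approved location is {mandate.location}")
    if trade["cpty_type"] not in mandate.counterparty_types:
        reasons.append(f"counterparty type {trade['cpty_type']} outside mandate")
    return reasons


def find_booking_exceptions(trades, mandates=MANDATES, entity_location=ENTITY_LOCATION):
    """Map trade id -> breach reasons for every trade that fails the check."""
    exceptions = {}
    for trade in trades:
        reasons = check_trade(trade, mandates, entity_location)
        if reasons:
            exceptions[trade["id"]] = reasons
    return exceptions


def remote_booking_mi(trades, home="London", entity_location=ENTITY_LOCATION):
    """Split remote bookings into those coming into and going out of the home
    location's entities, the view the MI described on the page should show."""
    mi = {"incoming": [], "outgoing": []}
    for trade in trades:
        booked_in = entity_location.get(trade["entity"])
        if booked_in is None or booked_in == trade["location"]:
            continue                      # unknown entity, or not a remote booking
        if booked_in == home:
            mi["incoming"].append(trade["id"])
        elif trade["location"] == home:
            mi["outgoing"].append(trade["id"])
    return mi


if __name__ == "__main__":
    for tid, why in find_booking_exceptions(TRADES).items():
        print(tid, "->", "; ".join(why))
    print(remote_booking_mi(TRADES))
```

On the constructed extract, X3 (a New York trader booking into the UK entity outside mandate), X4 and the unmandated trader X5 are reported as exceptions, while X2 appears only in the outgoing remote-booking MI.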

Authors: Vidushi Thirani 

Why is it important?

In the UK, the Prudential Regulation Authority (PRA) published its consultation (CP) on the UK implementation of Basel 3.1 in late 2022. Initially anticipated to be implemented by 1 January 2025, the PRA recently delayed the implementation of Basel 3.1 by six months to 1 July 2025, to align with proposals in the US. The PRA has also announced that it will publish its near-final rules in two tranches, in Q4 2023 and Q2 2024.

In the EU, the European Parliament and the Council of the European Union are nearing the finishing line in finalising CRD6/CRR3, the EU’s banking package that implements the revised Basel 3 framework. In early March 2023, both institutions began trialogue negotiations to produce final versions of the new directive and regulation.

What’s new?

As expected, the UK PRA’s proposed approach adheres more closely to the Basel Committee on Banking Supervision (BCBS) final framework document than the equivalent EU proposals. This will result in considerable divergence between the UK and EU rulebooks. Key elements of the PRA’s approach include:

  • disapplying some supporting factors that are currently in the capital requirements regulation;
  • requiring the use of a non-granular risk weighting approach for dependent (buy to let) mortgages, which will result in stepped risk weights that change significantly when crossing boundaries in loan to valuation ratios for Standardised approach risk weight calculations;
  • withdrawing the ability to use internal rating models for sovereigns and income producing real estate exposures and imposing new floors and caps on the parameters used in calculating capital using internal models;
  • easing the qualifying criteria for the “simpler regime” for smaller firms and allowing a transitional regime that will ensure qualifying firms that opt into it do not have to implement Basel 3.1 before the simpler regime is finalised;
  • setting a more prescriptive trading book/banking book boundary;
  • applying the output floor at the highest level of consolidation for UK-headquartered groups, although ring-fenced banks will have to apply the output floor on a sub-consolidated basis;
  • setting the internal loss multiplier for the operational risk regime to one for all UK firms;
  • disapplying the Credit Valuation Adjustment (CVA) exemptions for sovereigns, non-financial corporates and pension fund exposures, although the value of “alpha” for these exposures is set to one; and
  • re-casting existing EUR and USD thresholds into GBP.

Although the PRA has sought input from numerous areas throughout the CP it is still finalising its approach. The intended 1 July 2025 implementation date means that firms should use the PRA’s CP as the basis for the design and implementation of their Basel programmes in order for them to be ready in time.

Within the EU, we expect negotiations to run until the latter part of 2023. Provided that the final package is adopted by the end of 2023, banks are likely to have roughly one year to implement the new rules ahead of an expected 1 January 2025 implementation deadline.

  • The positions of the EU Council and the European Parliament both largely maintain the European Commission’s original “EU specific adjustments” approach of including several long transitional periods and other Basel framework deviations that cumulatively will have a substantial mitigating effect on the package’s overall capital impact.
  • There are, nevertheless, many important differences between the two positions that will have to be addressed in the upcoming negotiations. The application of the Basel Standardised Output Floor (OF) remains a key open issue, as well as the design of several transitional periods including the one for exposures to unrated corporate entities. The treatment of specialised lending, exemptions to the large exposure regime, and the prudential treatment of exposures to cryptoassets will also receive attention. Agreements reached on these issues could have implications for the capital impact on certain business lines in banks when they are implemented.

Banks should make careful use of the rest of 2023 to enhance their risk-weighted asset (RWA) calculation and risk modelling capabilities. The final details of the regulations will have limited specific impact on the enhancements required to operational capabilities. This means that there is little reason for banks to delay the enhancement programme. Taking early action will put banks in a better position to be ready for a short implementation period.

What should internal audit be doing?

Area of Focus

Basel change programme
Suggested steps

Following the finalisation of the rulebook in late 2023 and early 2024, internal audit’s primary focus in advance of the effective date (expected to be January 2025) should be to assess the firm’s readiness to meet the new requirements set out by their regulator.

  • Has effective governance been established to oversee and challenge progress and is this reported to an appropriately senior level within the firm?
  • How is the programme resourced and is this sufficient to achieve the capacity of work required to deliver any identified changes?
  • How has the firm interpreted the rules and established actions in response?
  • How have 2nd line compliance teams reviewed and documented a suitable gap analysis to understand the activities (including technology changes as noted below) required to achieve compliance with the new rules?
  • Has full stakeholder mapping been completed including an assessment of any customer outcomes?
  • How have the Financial Conduct Authority (FCA) Consumer Duty rules been captured within the programme scope and do any reporting outputs fully consider how good customer outcomes will be demonstrated?
  • Where services are outsourced, has an assessment been made of the ability of the firm to oversee the effectiveness of any change activity required at a third-party provider?

Some firms seek to utilise internal audit in an independent advisory capacity through a steering committee (or equivalent), providing opportunity for functions to contribute directly in real-time to support robust levels of control through change.

We would expect that in 12 months’ time when internal audit teams come to consider planning for 2025, focus will shift to implementation and effectiveness of controls to support underlying processes in both 1st and 2nd line functions.

Technical enhancements

Based on the outcome of any gap analysis completed, internal audit should consider coverage of any technical enhancements required to achieve compliance. The new rules will create a situation where capital becomes more volatile, due to the increased risk sensitivity and granularity of risk weights under the standardised approach for standardised firms, and the implementation of the output floor for banks using internal models. These could be considered within the scope of any project review (see above) or as a standalone review to consider:

  • An inventory of the upgrades and changes required, and tracking any actions
  • Prioritisation, budgeting, resource management and appropriateness of planned timescales
  • Supplier selection including criteria, capacity, contracting and oversight
  • Deep dive review into a specific area (e.g. application testing, capital modelling, model risk management)

Internal/ external reporting
  • Based on the new rules, firms will be required to enhance existing reporting processes in order to demonstrate alignment with any new requirements either from regulators or internally. Alongside development of new reporting, the FCA’s Consumer Duty rules are now live and therefore reporting suites will be under review to enable demonstration of good outcomes by banks. Internal audit should seek to understand which plans need updating, and enhance and automate such reporting to take into account the new regulatory requirements.
Role of monitoring teams
  • 1st line assurance functions and 2nd line compliance teams including monitoring functions will be critical stakeholders in leading banks’ responses and preparation for the new rules. Internal audit should consider how such functions are themselves ready to undertake the work required to support their bank’s response, including a review of resourcing, planning and proposed coverage.

Authors: Rod Hardcastle

Why is it important?

As part of the Woolard review (in February 2021), the Financial Conduct Authority (FCA) highlighted a number of areas of concern in respect of potential customer detriment in the unregulated interest-free Buy Now Pay Later (BNPL) market. These concerns related specifically to: how these products are advertised and promoted, customer understanding of the product, the lack of affordability and creditworthiness assessments being undertaken, and the treatment of customers in financial difficulty. Further, in August 2022, the FCA issued a ‘Dear CEO’ letter to firms and merchants offering BNPL agreements confirming that, despite these agreements being currently unregulated, firms are still required to take actions to ensure that their financial promotions meet applicable regulatory requirements.

In October 2022, and in response to the Woolard review, His Majesty’s Treasury (HMT) announced its intentions to bring BNPL products within the scope of the Consumer Credit Act (CCA) 1974 and regulation by the FCA. In doing so, HMT outlined expectations for the regulatory regime applicable to BNPL providers to cover requirements in a number of areas, including:

  • Advertising and financial promotions of BNPL agreements being subject to the financial promotions regime;
  • Pre-Contract credit Information requirements;
  • Form and content of credit agreements;
  • Improper execution and enforceability of credit agreements;
  • Creditworthiness assessments;
  • The treatment of customers in financial difficulty;
  • Consumer Protection under Section 75 of the CCA 1974; and
  • BNPL customers having the right to make complaints to the Financial Ombudsman Service (FOS).

What’s new?

HMT released the draft legislation for BNPL agreements on 14 February 2023, seeking industry views on the proposed draft legislation that will bring BNPL products into FCA regulation. The draft legislation reconfirms the applicable regulatory requirements that will fall within the scope of BNPL agreements, as outlined within the October 2022 consultation. HMT’s draft legislation also confirms the following additional expectations:

  • BNPL agreements will fall into the scope of the Consumer Duty rules and requirements. This means that BNPL providers will need to demonstrate that they are delivering good outcomes for their customers on an ongoing basis and throughout the customer journey; and
  • HMT is proposing the introduction of a Temporary Permissions Regime (TPR). For firms that are currently unauthorised and providing an unregulated BNPL product, the TPR will allow them to continue to operate while they apply for FCA authorisation. These firms will need to register for the TPR within a set time period, provide the required information to the FCA and pay a non-refundable registration fee. Firms in the TPR will be deemed authorised under Part 4A of the Financial Services and Markets Act 2000 (FSMA) and will need to comply with relevant FCA rules, requirements and expectations. Firms that are already authorised for regulated lending but currently provide an unregulated BNPL product will not need to apply for authorisation; however, they will need to transition their existing arrangements for this product offering to ensure compliance with the FCA’s regulatory requirements and expectations.

The HMT consultation period on the draft legislation closed on 11 April 2023. Once HMT has digested stakeholder feedback and published a consultation response, it estimates to publish final legislation at the end of 2023 towards early 2024. Following the publication of the final legislation and as outlined by the FCA in its 2023/24 Business Plan, the regulator intends to start consulting on its rules for the sector, including its plans for authorisation, supervision and enforcement.

In light of the above considerations and in preparation of BNPL agreements coming into the FCA perimeter, it is important for firms (both regulated and un-regulated) to consider their business model / proposition offering in this area. They should determine if an application for authorisation is required and undertake a detailed assessment of how the FCA’s existing Consumer Credit rules and regulatory requirements apply, together with the level of actions required to demonstrate regulatory compliance and the delivery of good customer outcomes in this area.

What should internal audit be doing?

Area of Focus

Transition arrangements for firms with existing FCA consumer credit permissions
Suggested steps

  • Provide assurance over the appropriateness of actions outlined to be taken in order to plan for and demonstrate regulatory compliance in readiness for BNPL falling into FCA regulation. This may include assurance over the completeness of the business’s regulatory gap analysis capturing FCA requirements for BNPL products.
  • Plan phased internal audit reviews focussed on the design of new processes for regulated BNPL products.
  • Plan phased internal audit reviews that are aligned to and challenge the future Go / No Go decision milestones to transition unregulated BNPL processes to regulated processes.
  • Review and challenge strategy and governance around the treatment of existing BNPL customers, for example, decision making, transition strategy for existing customers and their treatment.
FCA application readiness / operations build for firms with no existing FCA consumer credit permissions
  • Review and challenge the governance arrangements in place to oversee the application for TPR and the Regulatory Business Plan (RBP) development and submission to the FCA.
  • Review and challenge the governance, control framework and regulatory rules gap analysis included within the RBP that will support meeting relevant regulatory requirements. This should also include coverage of the skills, experience and knowledge available to the firm within the Three Lines of Defence Governance Model to support leadership and oversight within a regulated business.
  • Align critical phased internal audit activity that will support, review and challenge over the design of regulated BNPL processes. For example, but not limited to:

    - Financial promotions

    - Pre-contract credit information and credit reporting

    - Affordability and creditworthiness

    - Treatment of customers in financial difficulty (including vulnerable customers)

    - Debt disputes

    - Complaints

    - Consumer duty rules and requirements

  • Plan assurance activity around key Go / No Go decision milestones per the RBP for the launch of regulated processes in line with the FCA approval timeline.

Authors: Sarn Saundh, Priyesh Kotadia 

Why is it important?

Consumer habits continue to increase the use of digital payments. This has resulted in further innovation in the payments sector with new and existing businesses, as well as an influx of ‘big tech’, as consumer sector organisations move towards offering payments services. In addition to this, banks providing payment services continue to face challenges in adopting and complying with complex regulatory requirements: for example, ISO 20022, which will update SWIFT messaging; the transition to the New Payments Architecture (NPA); and continued compliance with Payment Services Directive 2 (PSD2) requirements (such as Strong Customer Authentication (SCA)), Consumer Duty and operational resilience requirements.

There is increased regulatory focus on Payments Institutions (PIs), E-Money Institutions (EMIs) and Registered Account Information Service Providers (RAISPs). In particular, the Financial Conduct Authority (FCA) has expressed concern around the adequacy of controls in place that support how firms manage the risk of harm to their customers and how they support the integrity of financial systems. The FCA has re-emphasised the need for existing firms, and those operating under the temporary permissions regime (TPR) whilst undergoing the FCA application process, to put in place appropriate governance arrangements. This includes an operational Three Lines of Defence model, and where issues are identified, the FCA has committed to act earlier in dealing with firms, revoking licences or issuing sanctions where standards are not met.

What’s new?

Due to the increased activity in the sector, the continued risk of consumer harm and the risk of compromising the integrity of the financial system, several FCA communications have been issued to the sector detailing expectations for firms to strengthen their risk and control frameworks. Below we note some of the key publications by the FCA over the last year:

  • Dear CEO letter on priorities for Payments firms (March 2023) - The growing numbers and types of non-bank payment firms, complexity of the payments transaction chain, and reliance on outsourcing have resulted in an increased regulatory focus on PIs, EMIs and RAISPs. The FCA’s Dear CEO letter raises three key outcomes, requiring firms to i) ensure consumer money is safe, ii) ensure firms do not compromise financial system integrity, and iii) deliver high quality and innovative products through a focus on implementing consumer duty requirements. The letter highlights a few focus areas specifically around: the need for ongoing adequacy of internal controls, leadership and governance arrangements for firms in a fast paced and innovative environment; how firms ensure safeguarding of customer funds; Prudential risk management practices; operational resilience considerations for business models; Anti-Money Laundering (AML) / Fraud considerations; wind-down planning; and the implementation of Consumer Duty. The focus on these areas demonstrates regulatory expectations to prevent consumer harm (in line with the FCA strategy released during April 2023), and the FCA expects firms to be able to demonstrate how they are managing and controlling these risks.
  • Dear CEO letter on implementing Consumer Duty in Payments firms (February 2023; implementation date – July 2023) - The FCA has set out higher expectations for the standard of care that PIs, EMIs and RAISPs provide to their customers. The letter focuses on the application of the Duty across all products offered to retail customers along with considerations for firms having a material influence over customer outcomes (including firms selling products via distributors) and not just those with a direct customer relationship. The FCA is currently developing a strategy to embed the Consumer Duty in their supervision work and expects PIs, EMIs, and RAISPs of all sizes to be ready for FCA to include them in engagement.
  • Discussion paper on impacts of Big Tech entry and expansion in financial services (October 2022) - The FCA published a discussion paper (DP 22/5) focussing on the potential impact on competition arising from the expansion of Big Tech firms in the payments, deposit taking, consumer credit and insurance sectors. The paper forms part of a broader set of policy initiatives relevant to digital markets that the FCA is developing with other financial services and cross-sector regulators. These include the proposed oversight regime for critical third parties and the FCA's joint work with the Digital Regulation Cooperation Forum on online and algorithmic harms. A feedback statement from FCA was issued in July 2023 with the actions including a timeline to review the regulatory supervisory approach for Big Tech firms.
  • Other continuing key focus areas for Payments firms:

    - Swift Customer Security Programme (CSP) – An annual independent assessment against the Customer Security Controls Framework (CSCF), triggered by a series of security breaches at banks via SWIFT messaging networks, continues to be a key focus area. The set of mandatory security controls required of firms has been expanded in 2023 to also include customer environment protection.

    - Strong customer authentication - The PSD 2 Regulatory Technical Standard (RTS) for SCA mandates that the implementation of the security measures be documented, periodically tested, evaluated, and audited by operationally independent auditors with expertise in IT security and payments. Unless there are other external assurance arrangements in place, the regulators expect that such reviews are conducted by internal audit functions.

    - ISO 20022 migration – This is inherently complex, posing significant challenges for impacted firms. The impact on banks will be very significant across business, operations and technology, requiring careful and comprehensive consideration, including significant impact to bank technology stacks. It is expected that significant pressure will be placed on technical resources. With an overall migration timeline of 2025, firms should ensure a smooth transition to business as usual (BAU) process.

What should internal audit be doing?

Area of Focus

Non-bank payments firms (PIs, EMIs and RAISPs across all sectors including big tech and consumer)
Suggested steps

The FCA expects businesses to perform an assessment of how the key risks they highlight in the recent Dear CEO letter for Payments firms are being managed, and whether appropriate controls exist to support ongoing risk mitigation. Internal audit has a key role to play in providing independent assurance around the design and effectiveness of key controls and should support the business in giving confidence to the FCA that an appropriate governance and control framework is in place. Specifically, internal audit should:

  • Assess the function’s availability of core and specialist skills to support and appropriately challenge the 1st line of defence in strengthening its risk and control framework in the areas of relevance that the Dear CEO letter specifies. Obtain specialist input where needed to support an appropriate blend of core and specialist internal audit skills where in-house team skills are required to be supplemented to support impactful assurance activity.
  • Assess audit universe and internal audit’s risk-based coverage in the context of the growing focus of the FCA on the proportionality and maturity of control frameworks it expects PIs, EMIs and RAISPs to have in place. Mandatory review coverage only is no longer enough. Plan internal audit coverage in line with the key topics highlighted in the FCA’s Dear CEO letter (such as Consumer Duty implementation, safeguarding, wind-down planning and AML / sanctions).
  • Assess the design of change management frameworks in place. The pace of growth, innovation and mergers and acquisition activity in this sector drives continued large-scale change and transformation activity. Internal audit has a key role to play by assuring the robustness and effectiveness of the approach it takes.
  • Where businesses (including across sectors such as ‘big tech’ or consumer) are undergoing the licensing application process with the FCA to offer Payment services:

    - review and challenge the governance, control framework and regulatory rules gap analysis included within the Regulatory Business Plan (RBP) that will support meeting relevant regulatory requirements. This should also include coverage of the skills, experience and knowledge available to the firm within the Three Lines of Defence governance model to support leadership and oversight within a regulated business; and

    - support the Executive and the Board with real-time and aligned assurance activity around key Go / No Go decision milestones per the RBP for the launch of regulated processes in line with the FCA approval timeline.

Bank payments firms (including card networks)
  • Review of E2E payment controls to reduce payment errors:

    - Firms should review the end-to-end payment control framework and the embeddedness of the payments risk and control model framework that defines expected minimum standard controls to mitigate key payment risks and incidents.

  • ISO 20022 Transition:

    - Perform a review of ISO 20022 programme activities and transition to business as usual (BAU) processes to assess whether regulatory deadlines were met and how changes to adopt the new messaging standard were implemented and tested.

    - Determine how enriched messaging data may provide key benefits and how these are realised including upgraded messaging interfaces to new standards; testing of in-flow transactions and multi-format messages.

    - Understand whether appropriate training standards are in place for the new messaging standard, given ISO 20022 migration is inherently complex and poses significant challenges.

  • PSD2 including the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA):

    - PSD2 including RTS SCA requirements continue to be focus areas for firms providing payment services. SCA and Transaction Risk Analysis (TRA), if applicable to your firm, must be audited annually by operationally independent internal or external parties. Where internal audit supports management with annual reviews, it should consider a risk-based and cyclical review of the requirements for different channels, products and RTS SCA articles and plan to cover all controls over a period of two to three years based on its risk assessment.

    - Internal audit should perform a thematic review of the regulatory reporting process as per the PSD2 requirements (including major incident reporting, fraud statistics reporting REP017, operational and security risk reporting REP018) with a focus on controls in place to facilitate generation and submission of reports to the relevant local authority.

  • Swift Customer Security Programme (CSP):

    - Since 2021, SWIFT assessments have been required on an annual basis and need to be conducted independently of the 1st line of defence function that submits the attestation as a completion letter to SWIFT. Internal audit should assess how the 1st line of defence has met this requirement since 2021, if internal audit has not itself been involved in undertaking the assessment at management’s request.

Authors: Sarn Saundh, Nikhil Kulkarni, Disha Thakkar

Finance and credit

Why is it important?

Models serve many important strategic purposes for financial services firms, in the UK and beyond, which are relied upon as part of the regulatory framework. However, they can pose risks for both financial services firms and the regulators monitoring them. In a policy environment that is broadly supportive of model use, firms must seek to build supervisory confidence in their models amid increasing regulatory scrutiny.

Firms need to demonstrate to supervisors that model risk is being managed across all stages of the model lifecycle. Overall, we expect supervisors to attach most importance to:

  • the board’s oversight and challenge of the model;
  • effective, independent model validation; and
  • the organisation’s model risk management framework which enables these.

Firms that implement model risk management frameworks that satisfy both regulatory requirements and supervisors’ practical concerns, and operate at a commercially viable cost, are, in our view, well-positioned to find a supportive policy environment for the use of models.

What’s new?

The Prudential Regulation Authority (PRA) has published its policy statement (PS6/23) on model risk management (MRM). The policy and accompanying supervisory statement (SS1/23) come into force on 17 May 2024. Initially this policy statement relates specifically to the banking sector, but we would encourage all sectors using models to take note of the content and to align their frameworks accordingly, with a view to any future requirements being imposed by regulators.

The definition of a model and the high-level principles have not changed from the consultation paper (CP6/22). Changes to the detailed content of the principles generally reduce prescriptiveness and increase the proportionality of requirements, although there is one significant change: the policy will only initially apply to banks with an internal model approval for regulatory capital purposes. Once it has progressed its policy on simpler-regime firms, the PRA will clarify how the policy on MRM will apply to banks without internal model approvals, although it notes that all firms, regardless of size, are expected to manage the risks associated with models where they are used.

Implementing the changes required to comply with the supervisory statement will be a challenge for modelling teams and model governance processes that are already under considerable pressure. Firms that are able to identify common requirements that can be delivered across multiple modelling workstreams will be best placed to implement the MRM principles as well as the wide range of modelling work already under way.

Banks with existing internal model permissions already have significant ongoing effort in their modelling teams, with work underway in several areas, including:

  • implementing remaining model changes from the IRB roadmap;
  • reviewing and revising IFRS 9 models;
  • incorporating climate into modelling approaches for risk management and stress testing;
  • preparing for the implementation of Basel 3.1; and
  • assessing the model risk implications of the Consumer Duty.

Banks will have to address a number of challenges in meeting their obligations around MRM:

  • Designing and implementing a revised model governance process that retains existing capabilities and adds the capacity and expertise to oversee the significant expansion of models subject to oversight.
  • Designing a multi-tiered validation process that provides a review and validation regime that is fit-for-purpose for a significantly broader model population.
  • Ensuring that appropriate reporting on the breadth of the model inventory is available and shared with executive management and the board (or a board sub-committee).
  • Identifying similarities and/or commonalities across the streams of model work underway.

The PRA sees model risk as a risk that should be treated in the same way as other material risks in firms: it should be part of risk appetite and should be monitored and managed as seriously as any other material risk. The PRA’s intent in putting the principles for MRM into the supervisory framework is to drive a change in culture around MRM.

More detail on this can be found in the following article:

From Principle to Practice: Model Risk Management takes effect, Rod Hardcastle, David Strachan, Ian Wilson, Richard Tedder (deloitte.com)

What should internal audit be doing?

Area of Focus

Model identification and classification
Suggested steps

As a starting point, internal audit teams must understand the model population to confirm that all such tools are properly defined and included in any broader oversight framework:

  • Consider the definitions and processes used to identify, oversee and escalate where a model exists or is created that may fall into an oversight regime.
  • Identification of opportunities for work that delivers common benefits across Internal Ratings repair, IFRS9 and Basel 3.1. Internal audit could play a key role in providing a holistic view across teams to identify any commonalities. More widely, opportunities exist across climate, MRM and Consumer Duty. Firms that identify similarities and exploit them to reduce the workload for their scarce model resource will reap benefits.

Model governance

Understanding the firm’s governance around how models are developed and overseen is key within any review in this space. Areas for consideration:

  • Focus on models that are not constructed in a similar way to “traditional” credit or market risk models but are still material, such as anti-money laundering models, and confirm that they are appropriately challenged through model governance processes. This includes identifying any material ‘deterministic quantitative methods’ that exist in the business, even if these do not meet the firm’s definition of a model; in that case MRM-type controls should still be applied to mitigate their associated risks.
  • Model reporting should focus on issues with the most material models and allow the executive and board to answer supervisors’ questions about the implications of poor model performance for business decisions and to explain remedial or mitigating activities underway. Internal audit should confirm this by understanding how such “material” models have been identified and that they remain the main focus, without neglecting the rest of the model portfolio.
  • Where needed to support the process, additional training should be provided to modelling and validation teams and to members of the model governance forum. This training should be appropriately approved and overseen to confirm that relevant stakeholders have received it.

Model development, implementation and use

Development and deployment of models must be supported by a robust governance framework through which firms understand and oversee the introduction of new and existing models and how they are used:

  • Development approval matrix or similar – who is permitted to approve new models or changes to existing models? Are such stakeholders at the requisite level of seniority and competence? Are approval thresholds and escalation criteria defined?
  • Deployment testing – are success criteria defined, and can the firm demonstrate they were met before deployment to a live environment? What impact testing is undertaken pre- and post-implementation to confirm that the model operates as intended?
  • Outcomes – is the use of the model overseen to understand that it is performing as intended and driving good outcomes for the firm and customer?
  • Committee structure and on-going oversight – how frequently are models reviewed, who by and how are any actions tracked to completion?

Model validation

Where internal audit teams possess or have access to the requisite level of capability and tooling, some assurance around the validation of models could be included in work programmes. Consideration should be given to:

  • The size and scale of the model(s) under review – not all validation efforts will require the same validation process or expertise as a “traditional” credit or market risk model. Firms will need to think creatively about how to meet the requirement for oversight of different types and sizes of models.
  • There will be opportunities for internal audit to apply technology to this process, particularly for models that are at the lowest levels of materiality and complexity.

Authors: Rod Hardcastle 

Why is it important?

Businesses have negotiated a series of major challenges in the last four years, including the UK’s departure from the EU, the COVID-19 pandemic and supply shortages. The legacy of those earlier shocks, in the form of inflation and high interest rates, is now the central challenge. We are noting that the burst of business optimism seen by firms in spring 2023 has begun to fade under the weight of inflation and rising interest rates. Firms across the financial services sector have responded with an increasing focus on cost reduction and cash control.

This continued gloomy credit outlook presents serious challenges for both consumers and firms. Borrowers face high inflation (although there are some early signs that this may be beginning to level off), higher interest rates and associated cost-of-living challenges. Supervisors will expect firms to have the capacity, skills and resources in place to deal with rising insolvencies and distressed borrowers, whilst managing balance sheet impacts proactively.

  • Lenders face considerable risk of increased impairments in the rest of 2023 and beyond. Whilst UK insolvency figures for July 2023 were 6% lower than the same period in 2022, this remains higher than levels seen while government support measures were in place in response to the pandemic, and higher than pre-pandemic numbers.
  • Borrowers are facing significant pressure: retail borrowers primarily from increased interest rates and the cost-of-living crisis; commercial borrowers from increased input costs, higher interest rates and demand side challenges due to purchasers trying to trim their budgets as much as possible.
  • If lenders restrict borrowing as a result of economic conditions, rather than using their capital buffers, we expect regulators to press for review of the buffer framework.

It has been clear for some time that rising credit risk is a significant issue, albeit one where the oft-threatened wave of defaults has yet to break. But the credit outlook now appears increasingly bleak owing to a combination of economic supply and demand-side challenges for businesses.

Retail customers face increasing or high levels of inflation, higher interest rates and the associated cost-of-living and debt service challenges, and pent-up credit pressure (including latent credit risk developed during COVID-19). This may start to translate into increased impairments for firms.

What’s new?

Rising interest rates
The UK’s interest rate has continued to increase across 2023 as the Bank of England sought to stem the rising rate of inflation. As inflation rises show early signs of tailing off, the expectation is that interest rates will remain high and could increase further before declining. Whilst nominal rates are nowhere near the levels of the 1990s, many borrowers are taking on mortgages at high income multiples, with the result that mortgage payments represent a significant portion of household incomes.

Notwithstanding the requirement for lenders and insurers to undertake affordability assessments, significant increases in interest rates, when combined with other inflationary pressures, are leaving households with limited or no surplus income. Firms will need to ensure that their affordability assessments keep pace with changes in the economy. In lenders’ residential mortgage portfolios, the prospect of material falls in house prices implies the potential challenge of dealing with customers in negative equity.

Dealing with increased risk of defaults
Lenders, as well as other firms that are significant holders of issued debt or other assets with elements of credit risk, face a period of considerably increased risk of defaults and non-payment. This could manifest in an increase in the base level of IFRS 9 impairment allowances (expected credit losses) in stages one and two. Increased flow into stage three (default), a traditional measure of credit risk, will likely follow in subsequent years, but the financial impact on balance sheets will start earlier, reflecting the forward-looking nature of the accounting standards.

All this will happen as firms seek to bring back into their capital positions the deferred impairments arising from the COVID-19 related International Financial Reporting Standards (IFRS) 9 transitional arrangements. Firms will need to ensure that they can demonstrate to supervisors and auditors that the underlying parameters in their IFRS 9 models accurately reflect the risk in their balance sheets.

Credit concerns exist in many sectors. Deloitte’s July 2023 CFO survey shows UK CFOs seeing tight monetary policy as posing the greatest threat to their businesses. Credit is seen as being more costly than at any time since 2009, during the credit crunch, with a resultant increase in expectations that cost control – including reducing hiring expectations – will be a key business priority in 2023 and beyond. As commercial and corporate customers face reduced revenues and profits, the likelihood of layoffs is considerable, and increased unemployment will exacerbate the pressures on retail customers.

Insurers and investment funds
Insurers and investment funds hold significant volumes of issued debt instruments, as well as investments in property and other assets, as part of their management of premiums and client investments. Changes in asset values have already led to challenges to some business models, and insurers and investment funds may face further asset price and credit-related pressures in their existing portfolios.

Insurers and investment managers are increasingly seen as potential investors for Environmental, Social and Governance (ESG) and infrastructure projects, given the longevity of the cashflows those projects generate. Some insurers and investment managers may need to strengthen their credit teams to ensure that any investments made during a recessionary period meet long-term expectations. For UK insurers, as part of Solvency II reform, we expect the Prudential Regulation Authority (PRA) to adopt a more granular approach to credit risk within the matching adjustment (MA) calculation for life insurers that use it, reflecting the increased credit sensitivity of long-dated, illiquid productive asset classes.

What should internal audit be doing?

Area of Focus

Capacity, skills and resources
Suggested steps

  • Confirm that capacity, skills and resource plans are in place and that staff are trained to deal with rising insolvencies, distressed borrowers, and borrowers transitioning to leveraged or highly leveraged status.
Dealing with risks and impairments
  • As part of any review focussed on the Financial Conduct Authority’s (FCA) new UK Consumer Duty, or more broadly on customer outcomes, confirm that the firm has a clear process for dealing with credit-impaired customers that have repayment challenges.
  • Consider how the firm reviews its sector-level portfolio and responds to market analysis to ensure supervisory concerns around exposures to high-risk sectors (including real estate, hospitality, energy and leveraged exposures) are addressed. Understand the role of 2nd line teams in supporting the business in such analysis and providing challenge through any monitoring programme.
  • Through any impairment internal audit work (and, where applicable, internal audit work over models, capital or regulatory reporting), consider potential future scenarios to understand how any impairment overlays could be clearly explained, and review the controls to monitor and manage balance sheet impacts proactively. Review the process to confirm that stress testing assumptions are adjusted to reflect updated impairment expectations.
Models and indicators
  • Through any model oversight review, internal audit should understand how such models incorporate early warning indicators in order to undertake proactive sector-, region- and customer specific credit analysis and risk management as necessary.
  • Where models are reviewed, internal audit can consider how affordability and income and expenditure validation models reflect cost-of-living movements; and understand the control process to respond to such movements.
Affordability framework
  • Given the cost-of-living situation in the UK as well as the enhanced focus on customer outcomes, internal audit should consider how firms are responding to this through affordability frameworks adopted. Elements for consideration could be: policy, accountability, application of any thresholds and customer treatment, complaints handling and response, oversight and monitoring.
Treatment of vulnerable customers
  • The theme of dealing appropriately with vulnerable customers is not new; however, it has come into sharper focus given the increases in the cost of living and the FCA’s new Consumer Duty. Internal audit could consider the framework from a governance and oversight perspective, or focus more specific reviews on, for example, account penalties, claims or complaints.

Authors: Ben Thornhill, Melanie Purdie and David Strachan 

Why is it important?

The UK corporate governance and audit reform, including revisions to the UK Corporate Governance Code (the Code), represents the biggest shake-up of the UK’s corporate governance and audit framework in years and is evolving at a rapid pace. The government and the Financial Reporting Council (FRC) are continuously evaluating opportunities to strengthen corporate governance through enhanced rules and regulations around risk management and internal controls.

There are two key aspects to the reforms:

  • Measures to be introduced through changes to the Corporate Governance Code applicable to Premium Listed Entities (PLE) and entities that voluntarily apply the UK Corporate Governance Code. These include the following proposed requirements:

    • Board declaration on the effectiveness of risk management and internal controls: a declaration of whether the board can reasonably conclude that the company’s risk management and internal control systems have been effective throughout the reporting period and up to the date of the annual report. It should include an explanation of the basis for the declaration, a description of any material weaknesses identified, and remedial actions taken.
    • Regulatory framework for Audit Committees: the Audit, Reporting and Governance Authority (ARGA) will be established to replace the FRC and will be given the power to set minimum requirements on audit committees in relation to the appointment and oversight of auditors.
    • Audit market opening measures: managed shared audits will be introduced on a phased basis, an exemptions regime will operate, and ARGA will also have powers to operate a ‘market share cap’.
    • Malus and clawback: a focus on greater transparency about malus and clawback arrangements in the Code so remuneration can be withheld or recovered from directors for misconduct, misstatements, and other serious failings, including:

      • the minimum circumstances in which malus and clawback provisions could be used;
      • a description of the minimum period for malus and clawback and why the selected period is best suited to the organisation;
      • whether the provisions have been used in the last reporting period and, if so, a clear explanation of the reason; and
      • the use of malus and clawback provisions in the last five years.

  • New reporting measures to be implemented through legislation which would be applicable to Large Public Interest Entities (Large PIEs). These have been defined as UK Corporates with greater than 750 employees and greater than £750m turnover at the UK Company or Group level. These measures include the following new disclosure requirements:

    • Audit and Assurance Policy (AAP): a policy is to be developed covering key reporting data and information and explaining the nature of assurance to be obtained and the rationale for this determination.
    • Resilience statement: a statement to report on matters which could materially challenge resilience over the short, medium and long term.
    • Material fraud reporting: directors will have to disclose and explain the activities undertaken to prevent and detect material fraud. Fraud is as defined in the Fraud Act 2006, and is considered “material” when it could reasonably be expected to influence shareholder investment decisions.
    • Distribution policy and distributable reserves: directors will be required to disclose distributable reserves and provide narrative explaining the board’s long-term approach to the amount and timing of returns to shareholders, and how this policy has been applied in the year. Additional information about distributable profits, distributions and purchase of own shares should also be disclosed.

The proposed measures are indicated to come into force from 1st January 2025 for PLEs and a year after for other Large PIEs. Many of the changes require early dialogue with key stakeholders within the organisation. For each proposal, firms must decide whether to track in line with proposed timelines or accelerate to become early adopters. We are expecting additional guidance on some of the key aspects, however given the volume of upcoming change, there are some ‘no regrets’ activities that the organisations in-scope would benefit from starting now.

Internal audit has a role to play in providing assurance to the Board in respect of their organisation’s governance, risk and controls as well as programme assurance in respect of their firm’s compliance projects. In addition, internal audit functions can play an integral role in the programme steercos by providing real time challenge but also driving assurance related workstreams such as the AAP.

What’s new?

In July 2022, the FRC released its Position Paper on the UK Corporate Governance Code. This followed the Government’s response to the Department for Business, Energy and Industrial Strategy (BEIS) White Paper on strengthening the UK’s Corporate Governance, Corporate Reporting and Audit systems (UK Corporate Reform) published in March 2021.

In May 2023, the FRC launched a consultation paper on changes to the UK Corporate Governance Code in which it reconfirmed that the revised Corporate Governance Code will apply to accounting years commencing on or after 1st January 2025 to allow sufficient time for implementation.

In July 2023, the Department for Business and Trade (DBT) published the draft regulation on the new reporting measures to be implemented through secondary legislation following a debate in parliament.

The key next steps are summarised as follows:

  • Draft bill to establish ARGA, change PIE definition and introduce new enforcement regime – King’s Speech Autumn 2023
  • Measures come into force from 1st January 2025 for PLEs and a year after for other Large PIEs.

Whilst the proposed measures are not likely to come into effect until 2025 at the earliest, the emerging requirements are now becoming increasingly clear, and the impact on organisations is likely to be felt across the enterprise due to the pervasive nature of the requirements. It is therefore important that organisations begin to consider their responses and readiness plans as soon as possible.

What should internal audit be doing?

The UK Corporate Governance reforms present internal audit with an exciting opportunity to support their organisations to further develop and embed enhanced governance, effective risk management and internal controls. Whilst the new reforms will not be effective until 2025, much of the required readiness activity will need collaboration and alignment across the organisation and, as a result, will take time to co-ordinate and deliver. Internal audit should engage executive leadership on these factors as soon as possible.

Area of Focus

Directors’ declaration on internal controls
Suggested steps

Internal audit will have the opportunity to deliver a significant component of the assurance activity that will underpin the annual attestations, building on its existing assurance. There will be clear business advantage in aligning assurance work with the attestations, and in internal audit functions being able to articulate holistic themes and insights generated by individual audit reviews for potential inclusion in the attestation.

Audit and Assurance Policy

The Audit and Assurance Policy Statement will likely be supported by a robust assurance map. Internal audit is in a unique position to support the business to develop the assurance map and support the assessment of assurance outcomes. With specialist knowledge of governance, risk and controls, internal audit is well placed to serve as a trusted advisor to non-financial areas of the business looking to implement a defined control framework for the first time.

Directors’ obligations in relation to fraud

Directors will be required to report on the steps they have taken to prevent and detect material fraud. Internal audit is well placed to assess the current fraud risk framework and complete fraud risk assessments if these are not yet in place.

Resilience statement

Companies will be required to report on matters that they consider a material challenge to resilience over the short and medium term. Internal audit will have valuable insights relevant to key components of the Resilience statement, including known vulnerabilities highlighted through assurance work.

Read our blog on the UK Corporate governance reform which outlines specific activities which Internal audit can support or deliver to aid the organisation to prepare for the upcoming reforms, as well as then deliver the ongoing business-as-usual requirements resulting from the reforms.

Authors: Ololade Adesanya

ESG

Why is it important?

As net zero remains high on governments’ agendas, regulators expect the financial services sector to play a significant role in tackling climate change. Several sustainability reporting requirements, both in the UK and EU, are due to be rolled out over the coming months and years. These aim to increase transparency with the underlying objective of preventing greenwashing in the industry. This is not limited to sustainable products but will cover a range of matters such as an organisation’s approach to diversity and inclusion and the sustainability initiatives reflected in public reporting. As such, it is imperative for internal audit functions to challenge their firms’ readiness and responses to ensure accurate reporting against mandatory requirements. In doing so, internal audit can help firms to prevent adverse environmental effects; retain a customer base that is more and more climate-conscious; and gain confidence in an area of increasing regulatory and governmental focus. Firms need to be aware of the associated risks and opportunities, and internal audit functions should work with their businesses so that they are ready for the raft of regulatory changes we expect to come into force soon.

What’s new?

There are several recent and upcoming changes to the regulatory landscape regarding sustainability disclosures. They include:

Corporate Sustainability Reporting Directive (CSRD):

  • In November 2022, the EU adopted the Corporate Sustainability Reporting Directive (CSRD), replacing the Non-Financial Reporting Directive (NFRD). The requirements cover many financial services firms with rollout expected to begin from January 2024.
  • Whilst the regulation requires firms to publish information that is needed to understand their wider business performance, there is a focus on mandatory reporting on firms’ sustainability strategies, as well as wider Environmental, Social and Governance (ESG) factors.
  • Furthermore, the CSRD will bring an obligation for external verification of published sustainability information, with penalties in scope for firms that do not comply.

Sustainable Finance Disclosure Regulation (SFDR):

  • In March 2021, the Sustainable Finance Disclosure Regulation (SFDR) became applicable in the EU for financial services firms. The aim of this regulation is to ensure firms provide greater transparency on the make-up of financial products, especially the factors that make them ESG aligned. Broadly, it requires firms to classify their financial products under Article 6, 8 or 9, depending on how ESG friendly they are. The disclosures required depend on the article under which firms decide to classify their products.
  • The SFDR requires two levels of disclosure: level 1 was applicable from March 2021 and focussed on principles-based disclosures. In January 2023, level 2 became applicable, bringing additional specific mandatory disclosures for firms selling financial products in the EU. The deadline for reporting the level 2 disclosures for the first time was 30th June 2023.

UK Sustainability Disclosure Requirement (SDR):

  • The Financial Conduct Authority (FCA) is finalising its consultation on a set of rules which aim to provide UK asset managers with reporting requirements comparable to those SFDR imposes in the EU.
  • The FCA intends to publish a policy paper on its new Sustainability Disclosure Requirement (SDR) in Q3 2023, with an expectation that most of its rules come into force throughout 2024, and with entity-level disclosure requirements being rolled out from 2025 onwards.

Annual FCA diversity and inclusion disclosures on firms’ boards and executive management (PS22/3):
For the financial year starting on or after 1 April 2022 firms must seek to meet the new diversity targets and include a statement in their annual financial report stating whether they have satisfied the following:

  • At least 40% of the individuals on its board of directors are women;
  • At least one of the senior positions on the board of directors is held by a woman – the Chair, the Chief Executive, the Senior Independent Director, or the Chief Financial Officer; and
  • At least one individual on the board of directors is from a minority ethnic background.

Where a firm has not met all these targets, it should state the targets it has not met and the reasons for not meeting them (on a comply or explain basis). Firms are also expected to publish numerical data on the sex or gender identity and ethnic diversity of the board, senior positions, and executive management.

Controls on data:

  • Based on findings from the SS3/19 responses obtained from banks and insurers regarding embeddedness of climate-related financial risks, the Prudential Regulation Authority (PRA) has noted that several firms had significant data gaps related to ESG reporting.
  • The PRA expects firms to explain how they identify such significant data gaps and how they plan on closing them. Firms should expect continued assessments on the effective management of climate risks, including the accurate and complete use of data in ESG disclosures.

What should internal audit be doing?

Area of Focus

Controls on data
Suggested steps

Internal audit functions play a key role in assuring boards that commitments and outcomes are robust. As well as the more specific topics covered below, a foundational approach can be important especially where such areas have not been previously covered by internal audit. Such coverage could include:

  • Determine the relevant sustainability reporting commitments for the business (some are optional – e.g. specific codes / strategic aims to which the business “signs up”, and some are mandatory depending on what products the firm is offering or markets in which they are operating). Internal audit should then evaluate the governance and controls in place to ensure these reporting commitments are met in a timely and accurate manner.
  • Consider whether sufficient controls are in place to ensure that data used in public disclosures is both accurate and complete. Where estimations are used, robust governance and assessment over methodology assumptions should be in place.

Third-party risk – data

To prevent the risk of incorrect data being disclosed, firms should have robust controls in place to ensure that their third-party data providers are fit for purpose. Internal audit should assess the controls surrounding the use of third-party data in public disclosures.

Reputational risk – greenwashing

With the general public and regulators becoming ever more climate-conscious, the risks of greenwashing, whether accidental or intentional, continue to be significant. Internal audit should confirm that effective controls are in place to ensure the information reported is factual and a fair reflection of the firm’s business, in order to prevent reputational damage.

Reputational risk – greenbleaching

In response to the growing volume of reporting requirements, particularly those related to financial products, firms may deliberately label their products as less sustainable than they are to avoid the more stringent criteria associated with sustainable products, for example when classifying financial products under SFDR. Internal audit should be alert to this practice, known as “greenbleaching”, and challenge whether controls are operating effectively to ensure that sustainability reporting accurately represents the nature of products. This will help guard against accusations of greenbleaching.

Authors: Hetty van der Wal, Sarah Cook and Phillip Holt 

Why is it important?

The Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) view effective governance as key to enabling sound decision making in firms to achieve desired outcomes, and both are increasingly focusing on diversity and inclusion. Diversity, when part of an inclusive culture, enables different perspectives and views to be shared, resulting in better judgements and decision making, mitigating the risk of groupthink, and promoting innovation. There has been some progress in improving diversity and inclusion in financial services over the past decade; however, the pace of change has been slow. Overall, the ability to assess the problem and track progress is limited by poor quality data on many aspects of diversity, with most data focused on gender, some on ethnicity, and very little on other protected or diversity characteristics. On 25th September 2023 both the PRA and FCA issued consultation papers on their plans for regulation and oversight of diversity and inclusion for regulated businesses.

What’s new?

  • Firms should now be incorporating a statement in their annual financial report on whether they have satisfied the FCA’s diversity targets as set out in Policy Statement 22/3.
  • Following on from the joint Bank of England, PRA and FCA diversity and inclusion discussion paper published in 2021 (DP2/21), the FCA completed a data survey of a sample of 12 firms across multiple sectors to understand their approaches to diversity and inclusion. The FCA published its findings to provide visibility of the current state of diversity and inclusion in financial services and to encourage further action, and used them to inform the development of its future supervisory approach.
  • It is important that firms scrutinise the consultation papers from 25th September 2023 to identify which areas require improvement within their own approach to diversity and inclusion, so that early action can be taken. The regulations will require many firms to revisit their approach to diversity and inclusion, the quality and breadth of the metrics they use to measure progress as well as their activities to change the underlying numbers.
  • For further information on the consultation papers please refer to our latest blog.
  • Once the final policies are published in 2024, firms are likely to have 12 months to comply.
  • The PRA and FCA have issued a discussion paper (DP1/23) to review the Senior Managers and Certification Regime (SMCR) and separately the Government has launched a Call for Evidence on the regime in the same timeframe. These reviews will collect information on the regime's effectiveness, scope, and proportionality, and seek views on potential improvements and reforms to assess the need for further policy proposals.
  • The Financial Reporting Council has launched a public consultation on its proposed revisions to the Corporate Governance Code. The proposed changes are focused on internal control, assurance, and resilience, although also include changes related to diversity and inclusion.

What should internal audit be doing?

Area of Focus: Diversity data
Suggested steps: There is a wide variation in diversity data quality, but better data enables firms to assess their current situation and ensure actions are appropriately targeted. Poor diversity data quality limits analysis, reduces the ability to spot trends or patterns, and reduces the ability to design and implement targeted interventions. Internal audit should review the adequacy of current diversity data and the effectiveness of the design of any plans to improve this, including those focusing on increasing staff self-declaration.

Area of Focus: Diversity strategies and initiatives
Suggested steps: Across financial services, diversity strategies and initiatives are in their infancy, and so are yet to reach a level of cohesion and maturity. Informed by the consultation papers, internal audit should review diversity strategies and initiatives, taking into consideration the following aspects:

  • The adequacy and depth of any diagnosis of the firm’s situation and challenges
  • How the design of any diversity strategies and initiatives are linked to addressing the firm’s situation and challenges
  • Processes in place to track the effectiveness of initiatives
  • The design and prominence of any strategies and associated initiatives in place to improve the pipeline of diversity, below senior management levels
  • The overall coverage and weighting of diversity strategies across all protected characteristics
  • The tailoring of diversity strategies to the UK organisation and the UK, and the extent these are supported by UK data

Area of Focus: Meeting the diverse needs of customers
Suggested steps: As well as considering diversity and inclusion from an internal perspective, firms should also focus on ensuring that diverse consumer needs are met. Internal audit should review how the design process for products and services considers the range of needs in the target market, including characteristics of vulnerability, and how these are factored into the end design.

Area of Focus: Input into ongoing consultations
Suggested steps: Firms should review and input into the ongoing consultations:

  • Firms in scope of UK Corporate Governance Code should review the FRC’s proposed changes to the Code being consulted on.
  • Firms in scope of SMCR should provide inputs into the PRA/FCA discussion paper on SMCR and the Government Call for Evidence for SMCR.
  • Firms should input into the PRA/FCA Diversity & Inclusion consultation papers.

Authors: Lauren Underwood and Stuart Batigan

Why is it important?

Regulatory bodies continue to drive the need to prioritise the embedding of a strong internal control framework in the 1st line of defence and to demonstrate effective management of key risks. A strong internal control framework, underpinned by a risk-based controls testing capability, provides the basis for accountable leaders to attest to the effective design, implementation, and operation of controls.

The basic foundations of a strong internal control environment are:

  • A clear definition of what a ‘control’ is in the context of managing the organisation’s most material risks;
  • Adoption of common terminology across the organisation for key control management processes;
  • An education and stakeholder engagement programme so that everyone understands the roles played by controls in the management of material risks;
  • Clarity on the level at which risks are assessed according to the organisation’s risk management framework, so controls can be defined at the right level of granularity;
  • A control library made up of the minimum expected controls required to mitigate the risks defined with an organisation’s taxonomy of the most material risks; and
  • A simple accountability model for key roles across the control lifecycle.

Without clarity on these components, it is often difficult to define and communicate who is responsible for what across 1st line management teams, internal control teams, and the 2nd line.

What’s new?

There are two primary drivers behind the renewed focus we’re seeing organisations have on getting the internal control model right:

  • Cost reduction is a key focus area for organisations across all sectors. Manual, time intensive tasks are being assessed based on the value they create and streamlining the control environment is a key use case for the identification of efficiency savings. Organisations are having to be creative in how they strengthen their control environment and deliver cost savings at the same time.
  • UK Corporate Governance Reform: Organisations caught by the latest UK Corporate Governance proposals will need to comply with a number of new requirements, including an explicit declaration by Directors on the effectiveness of risk management and internal control systems.

As a result of these drivers, organisations are actively reviewing their current levels of maturity in relation to internal control. They are having to understand their current level of maturity at a more detailed level, and in cases of rapid growth, focus on defining the path to a maturity level that is in line with their wider strategic ambitions.

What should internal audit be doing?

Area of Focus: Reviewing the maturity of the foundations of internal control
Suggested steps: The foundations of internal control have a direct impact on the effectiveness of downstream control management processes such as control testing. Internal audit should consider incorporating a thematic review of the maturity of internal control foundations in the annual audit plan. As part of this, internal audit should also look at whether sufficient evidence is available to support disclosures on internal control made within the annual report.

Area of Focus: Drive alignment and integration across the three lines of defence
Suggested steps: An indicator of internal control maturity is when there is alignment of control terminology and integrated control management processes across the lines of defence. Internal audit should continue to play an influential role in aligning and integrating the role of each line of defence on the topic of internal control.

Area of Focus: Educate internal audit practitioners on what’s possible with technology
Suggested steps: Internal audit functions should proactively educate their teams on the latest techniques to design and implement controls enabled by technology. Where possible, internal audit recommendations should include insights on how to streamline the control environment and highlight where technology could be deployed to implement more robust controls.

Area of Focus: Readiness for new UK Corporate Governance requirements
Suggested steps: Internal audit functions are well placed to help organisations navigate the evolving landscape on internal control. They should consider instigating a readiness assessment to provide independent assurance on the ability of the organisation to satisfy the new UK Corporate Governance requirements.

Authors: Rob Dighton and Adithya Ravi 

Why is it important?

In recent months, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have published several ‘Dear CEO’ letters detailing their regulatory focus for the upcoming period. The governance surrounding Environmental, Social and Governance (ESG) decisions and issues have quickly risen to the forefront of the regulators’ agenda. Both the PRA and FCA expect Financial Services (FS) firms to incorporate ESG factors into their business decision making, as they believe the financial services industry has a crucial role to play in pursuing the government’s net zero agenda. As a result, financial services firms are taking ESG factors into considerations across more and more strategic decisions. Strong governance surrounding these decisions will be key going forward and will allow firms to have confidence that the decisions made are well controlled and subject to thorough challenge in line with regulatory expectations. Internal audit functions should provide robust and appropriate challenge to their firms’ senior management to ensure that there are appropriate controls and processes in place to factor ESG considerations into business decision making, wherever appropriate.

What’s new?

Whilst the PRA and FCA are pleased with the rapid progress on the governance of ESG related risks, there is still scope for improvement. Here are the key areas the FCA and PRA will focus on in the coming months:

Dear CEO letter – Banks and Insurers SS3/19 submission feedback:
In their response to firms’ SS3/19 submissions, the PRA published a ‘Dear CEO’ letter addressed to banks and insurers. This letter outlined the regulators’ supervisory focus for the next year, including the ongoing assessment of compliance with the submission, and indicated further scrutiny for firms deemed non-compliant. Below are other important areas outlined in the letter:

  • Oversight by the Board and Executives: The Boards and Executives of these firms are now expected to demonstrate how their businesses integrate climate factors into strategic decision making and governance structures. They are also expected to demonstrate that the approach to implementing climate factors into these areas is coherent and based on available metrics.
  • Risk Management Frameworks: Firms are expected to demonstrate how climate risks are coherently factored into risk management, including Risk Management Frameworks (RMF) and Risk Appetite Statements (RAS).
  • Modelling: Firms are expected to demonstrate that climate risks are appropriately embedded into quantitative models, for example, stress testing and credit risk models. Where such modelling does not allow for full implementation of climate risks, appropriate proxies should be demonstrably in place.
  • Counterparty exposure: Firms are expected to be able to demonstrate that climate risks are considered when developing counterparty strategies.

Dear CEO letters – February and March 2023 (Asset Managers and Payment firms):
In two ‘Dear CEO’ letters, separately addressed to Asset Managers and Payment firms, the FCA set out its expectations surrounding internal governance processes related to ESG. These expectations include:

  • Public commitments: There is a concern that public pronouncements on ESG targets by financial services firms are misleading or inaccurate. Firms are expected to have governance structures in place related to publication of their ESG commitments, the testing of their delivery and the use and selection of third-party ESG benchmarking data.
  • Governance structures: The FCA will seek to ensure that asset managers have appropriate governance structures in place to oversee ESG related management information and to embed sustainability into their firm’s strategic thinking, as well as their investment processes.

ESG Benchmark Administrators (rating agencies):

  • In a ‘Dear CEO’ letter addressed to ESG Benchmark Administrators in March 2023, the FCA noted that there were instances where ESG factors were not sufficiently explained in some firms’ methodologies, leading to poor disclosures throughout the financial services sector.
  • The FCA expects to scrutinise the data that goes into disclosures and the governance structures in place to ensure the accuracy and completeness of any data that is publicly disclosed.

Furthermore, the PRA has noted that several firms are not disclosing all of the key information set out in their disclosures. The PRA expects this to be a key area of regulatory focus going forward.

What should internal audit be doing?

Area of Focus: Governance around key decisions
Suggested steps: Assess the governance processes surrounding all business decisions and whether ESG factors are appropriately considered. Further, assess whether ESG management information is useful for decision making, in order to support robust challenge and analysis by executive management.

Area of Focus: ESG embedded in the Risk Management Framework
Suggested steps:
  • Review the embedding of ESG in counterparty strategies, risk and management information.
  • Perform focussed reviews on the embedding of ESG in the Risk Management Framework.

Area of Focus: Governance around key metrics
Suggested steps:
  • Assess the appropriateness of metrics and management information used by Boards and Executives to monitor progress against ESG commitments, including whether metrics are decision-useful and relevant to the firms’ risk appetite.
  • Assess the appropriateness of key metrics employed to monitor scope 1, 2 and 3 emissions.

Area of Focus: Setting and delivering on commitments
Suggested steps:
  • Ensure that the governance structures in place when deciding and setting ESG targets are working effectively to ensure goals are both realistic and ambitious, and to ensure that Boards and Executives have appropriate oversight over ESG/climate target setting.
  • Where firms have made commitments, transition plans should be created to support meeting these commitments. Internal audit should assess whether the transition plans are suitable to meet the commitments set by management.
  • Where commitments are set at a group level, local roles and responsibilities should be well defined with a supporting governance structure to enable effective communication and reporting across different entities.

Area of Focus: ESG/Sustainability Benchmark Administrators
Suggested steps:
  • Assess the onboarding of benchmark administrators as the FCA will continue to assess the appropriateness of their metric methodologies.
  • Review investment performance ratings (such as ESG/carbon performance ratings) to assess assumptions used in the setting/calculation of the ratings.
  • Assess controls in place to confirm the accuracy of reported data and to ensure the robustness of governance procedures surrounding the creation, approval and publication of these benchmarks.

Authors: Hetty van der Wal, Sarah Cook and Phillip Holt

Why is it important?

The number of ‘green’ and ‘sustainability-related’ financial products has increased exponentially over the last couple of years as firms grapple with rising demand from consumers and regulators to demonstrate how they positively contribute to the planet and its people. However, with varying definitions of what is considered ‘green’, universal regulations and labelling systems such as the Sustainable Finance Disclosure Regulation (SFDR) have become more important.

There is a growing concern that consumers may be misled as firms rush to promote green products in order to strengthen their perception in the market, without robust governance and understanding over the product lifecycle. Ensuring that financial products meet and continue to meet advertised Environmental, Social and Governance (ESG) criteria will be a key focus area for regulators going forward, with renewed emphasis on positive consumer outcomes.

What’s new?

Regulators are focussing more and more on the compliance of ‘green’ and ‘sustainability-related’ financial products, using green taxonomies and green labels, to ensure customers are able to understand the sustainability of products they may buy. Here we outline a few key areas for consideration.

Protecting consumers:

  • The rollout of the Consumer Duty means that firms must act to deliver good outcomes for customers with ESG related financial products, such as sustainability-linked mortgages, or ethical savings accounts.
  • The Financial Conduct Authority (FCA) flagged that it will be conducting a follow-up on its 2021 Assessment of Value Review which will include reviewing how firms have embedded the “maturity of ESG in value assessment considerations.”
  • As part of the FCA’s 2023/24 business plan, the regulator wants to ensure “trust and consumer protection” related to the increasing number of ESG aligned financial products on the market. The FCA intends to publish the Sustainability Disclosure Requirements (SDR) Policy Statement in Q3 2023, with the aim of strengthening consumer trust and protections for ESG focussed financial products.
  • The FCA has signalled that it will be clamping down on “exaggerated, misleading or unsubstantiated” ESG claims, to improve consumer trust in sustainable products.

Anti-greenwashing:

  • As per the ‘Dear CEO’ letter from February 2023, the FCA noted that inaccurate information related to financial products can not only harm consumers’ confidence, but it may also “negatively impact the integrity of the UK financial disclosure regime.”
  • The FCA has signalled that it will review both what commitments are communicated to investors, and how firms ensure these commitments are delivered with an effective end-to-end control framework.
  • The upcoming UK SDR aims to clamp down on greenwashing through inaccurate and inappropriate labelling of investment products. The FCA will assess firms’ readiness for emerging rules and ongoing compliance and therefore firms should be prepared for a period of regulatory flux and increased supervision from regulators.

What should internal audit be doing?

Area of Focus: Greenwashing
Suggested steps:
  • Determine whether greenwashing risk is defined, measured and reported on in line with the firm’s risk management framework.
  • Challenge the definition of ESG aligned retail, insurance and investment products, including consistency with sustainability commitments (e.g. responsible investments) made by the firm.
  • Engage with 1st line teams to establish whether sustainable ambitions are embedded into the firm's day-to-day operations.

Area of Focus: Good customer outcomes
Suggested steps:
  • Assess the control framework established to ensure ESG aligned financial products adhere to customer expectations and needs, including robust data management controls.
  • Review the firms’ governance structures used to identify, consider and mitigate ESG related consumer harm.

Area of Focus: Product governance
Suggested steps:
  • Ascertain that controls are in place to monitor whether financial products remain within the limits of the applied taxonomy or investment labels, and that breaches are promptly and accurately flagged.
  • Assess how firms have built ESG considerations into financial products.
  • Evaluate how ESG factors are suitably integrated into investment decision-making, particularly for ESG aligned financial products.

Area of Focus: Product marketing and labelling
Suggested steps:
  • Consider performing readiness assessments against the upcoming UK SDR, identifying regulatory gaps and supporting firms in implementing robust action plan(s).
  • Assess the adequacy of metrics used to determine fund labels, both internal metrics and those provided by third parties.
  • Identify knowledge sharing opportunities, recognising that the SDR is designed to fulfil a similar goal to the SFDR. Hence, where firms are selling financial products in the EU, internal audit should assess the controls surrounding the labelling, marketing and calculation of products labelled under the SFDR, highlighting control framework strengths and weaknesses that may be applicable to the SDR.

Authors: Hetty van der Wal, Sarah Cook and Phillip Holt

Conduct

Why is it important?

The Financial Conduct Authority’s (FCA) Consumer Duty (the Duty) went live for open book products on 31 July 2023 (PS22/9 and FG22/5) and is due to go live for closed book products on 31st July 2024. It has been described by the FCA as setting higher and clearer standards of consumer protection across financial services and requires firms to put their customers' needs first, fundamentally improving how firms serve consumers. The Duty focuses on consumers receiving good outcomes by firms delivering products, customer journeys and communications that meet the needs of their target market and are priced to deliver fair value. Implementation of the Duty has been a material regulatory change programme for a number of firms in 2023 and in 2024, firms will have to move to embedding those changes resulting in, what will become, the annual Board report which will opine on whether firms have met the requirements of the Duty.

What’s new?

The Duty introduced four customer outcomes. These are:

  • Products and services – products and their features and benefits should meet the needs of the target market;
  • Price and value – customers should derive value from products and their features and that should be reasonable relative to price;
  • Customer understanding – customers should understand the risks, features and benefits of the product to make an informed judgement on whether it is appropriate for them and continues to be so; and
  • Customer support – where customers need it, they should receive timely and sufficient information to make an informed choice. The ‘cost of living’ challenges have brought this into key focus.

The four outcomes are underpinned by a new Consumer Principle (which replaces principle 6) that requires firms to act to deliver good customer outcomes and defines three cross-cutting rules to:

  • Avoid causing foreseeable harm;
  • Enable customers to pursue their financial objectives; and
  • Act in good faith.

Having delivered on the functional elements of the Duty in 2023, we expect firms to be embedding the Duty by focusing on:

  • Cultural shift – firms should be focusing on ‘people and leadership’ activity to ensure all staff understand their roles and responsibilities and expectations of them to deliver good customer outcomes;
  • Embedding change – refining product governance and fair value frameworks as well as continuing to improve customer journeys that may cause foreseeable harm and being able to evidence that customers are adequately informed to make timely decisions;
  • Closed book products - firms should now be looking at how they ensure successful implementation of the Duty for closed book products ahead of the 31 July 2024 deadline; and
  • Third party oversight – where a firm has outsourced customer support functions to a third party, it should be reviewing and monitoring whether third parties have delivered on the Duty as communicated in their programme updates and considering whether approach and outcomes align to internal standards and expectations of the Duty.

What should internal audit be doing?

Area of Focus: Post July assurance activity
Suggested steps: Following Duty go-live in July 2023, firms will have identified areas where they have “potential gaps or weaknesses in their compliance” (FCA, PS22/9). Boards and governing bodies may look to internal audit to provide assurance that these gaps have been closed and regulatory interpretation is suitable before the requirement for the formal Board Assessment report in July 2024. Principle 2A.8.1R requires retail customer outcomes to be a central focus of a firm’s internal audit function, so it is important the function is adequately resourced with an appropriate skillset to highlight any further issues or gaps in compliance with the Duty.

Area of Focus: Price and value
Suggested steps: Firms need to ensure there is a ‘reasonable’ relationship between the price a customer has paid for a product and the overall benefits received. The FCA’s pre-implementation fair value framework review found that firms needed to make improvements in four key areas, including improving the collection and monitoring of evidence to demonstrate products and services represent fair value. Internal audit should review the robustness of the firm’s approach to price and value, focusing on the areas where the FCA has identified firms typically fall short.

Area of Focus: Evidencing good customer outcomes
Suggested steps: Internal audit should review and test the design adequacy and operational effectiveness of a firm’s ongoing monitoring of customer outcomes across the customer journey, considering whether the data and management information used by a firm is sufficiently robust. This could involve internal audit conducting independent outcome testing or repeating outcome testing already conducted to assess whether the judgements reached are robust, effective and customer focused. Consideration may also be given to how a firm can employ best value through the choice of outcomes testing it uses, e.g. point in time outcome testing versus the end-to-end journey of a customer.

Area of Focus: Culture
Suggested steps: Culture forms a key part of whether firms are successful in embedding and adhering to the Duty. Internal audit should consider whether the firm’s strategy, purpose and values are aligned to delivering good customer outcomes, whether the firm has obtained evidence that the tone from all levels is consistent, and whether there is evidence that staff are sufficiently empowered and supported to deliver good customer outcomes. Firms should consider the role that reward, remuneration and incentive structures play in driving good outcomes for customers.

Area of Focus: Third-party outsourced providers
Suggested steps: Firms outsourcing all or part of the Duty requirements retain all regulatory responsibilities for Duty compliance. Third parties should evidence they are delivering good customer outcomes and firms should require this management information to form part of outsourcing oversight and monitoring arrangements. Internal audit should review the effectiveness of this monitoring and oversight and/or conduct its own reviews, ensuring systems and controls are designed, implemented, and operating effectively in line with firm expectations.

Authors: John Lonen

Why is it important?

The capital markets sector is noted for the technically complex products which firms produce and handle daily. They are often only understood by a limited number of subject matter experts (SMEs), with relative opacity to senior management on occasion. As such employee conduct is held in high regard – with conduct risk frameworks fundamental for the successful prevention, monitoring, and resolution of potential misconduct.

Some of the principal controls that conduct risk managers need to operate effectively include front office supervision, where supervisors need to review team trading (cancel and corrects, late bookings, physical access, historical rate rollovers, for example), as well as ensuring policies and procedures are in place and are communicated, and that training is provided and understood. Further, there are requirements around operating effective trade surveillance, covering areas such as communications controls (e-comms and a-comms), trade analysis and associated regulatory reporting (e.g. Suspicious Transaction and Order Reports (STORs)).

Conduct managers also have a responsibility to effectively monitor conduct within the business at a senior level, including high quality Management Information (MI) being requested, produced and understood. Connected to conduct risk are the effects that poor conduct can have, including various forms of market abuse within the sector, such as insider dealing and market manipulation.

This in turn is an area of continued focus for the Financial Conduct Authority (FCA) as it is linked directly to one of their key objectives (protect the integrity of the UK financial system) and is fundamental to two of the commitments made in their three-year plan, part of their 2022/23 business plan (Business Plan 2022/23 | FCA).

What’s new?

Conduct risk is a core area of focus for the FCA and will continue to be as it is built into their three-year strategy, contained in their 2022/23 business plan (Business Plan 2022/23 | FCA).

We note that an increasing number of firms are being fined by the FCA for breaches in their conduct risk model. An example of this would be an organisation failing to properly implement the Market Abuse Regulation (MAR) trade surveillance requirements relating to the detection of market abuse.

In addition, a number of firms have received increased scrutiny from the FCA due to their senior management having insufficient oversight and control over their conduct risk appetite. This shows a shifting attitude from the regulator; a higher level of understanding and demonstrating that direct action is being taken is required by senior managers at capital market firms.

In connection with this shift, the FCA is becoming increasingly focused on firm culture – moving away from prescribed policies and procedures based on attestations and instead fostering a workplace culture where speaking up is encouraged and good behaviours are rewarded. It will be incumbent on senior management to create and roll out this new approach. The FCA will expect to see evidence of actions taken by firms to enhance and improve their culture.

A recent regulatory development is Section 53 of the upcoming Financial Services and Markets Bill, connected to the consultation that the Treasury launched in July 2021 in relation to the Senior Managers and Certification Regime (SMCR). Section 53 creates an SMCR that could then be applied to financial market infrastructure firms. This shows an increasing focus from government and regulators on conduct and accountability of senior managers in the market more widely.

Furthermore, there have been multiple developments in the digital assets (incl. crypto, CBDCs, NFTs) and ESG (incl. greenwashing) space over the last year which have greatly increased the waterfront of conduct risk to which capital market firms are subject. This increases the pressure and importance of having an effective and well managed conduct risk framework in place.

What should internal audit be doing?

Area of Focus: Conduct risk framework
Suggested steps: Internal audit should consider undertaking a review of the conduct risk framework – in particular the Non-Financial Risk taxonomy and granularity of frameworks in place. We have noticed (and the regulator has begun to take action on) a number of poorly defined or high-level conduct frameworks which are not fit for purpose. This should be a priority area for capital market firms.

Area of Focus: Conduct risk appetites – senior control
Suggested steps: We have seen instances where the regulator has taken action against senior managers for not having a demonstrable understanding and clear control of the conduct risk appetites at their firms. Internal audit should consider the quality of risk MI, metrics and decision making in this space and challenge the involvement of senior managers.

Area of Focus: Conduct risk – controls
Suggested steps: The conduct controls that firms will need to have in place are numerous and the expectation is for control owners to implement preventative controls, instead of predominantly relying on post-trade controls, such as surveillance. Firms should also be able to demonstrate a full understanding of, and be able to evidence, their key controls in place. Internal audit will want to undertake a comprehensive consideration of the key risks and controls related to conduct risk when designing their annual plan to ensure they are able to provide sufficient coverage of key controls.

Area of Focus: Conduct risk – issues and consequence management
Suggested steps: Within the conduct risk framework, firms need to be able to demonstrate effective and timely issues and consequence management. Internal audit should consider the effectiveness of the feedback loop where controls are found to be ineffective, and whether actions are defined and tracked. Similarly, appropriate unbiased consequence management in relation to poor employee behaviour needs to be evidenced and actioned by firms from a regulatory standpoint.

Authors: Daniel Harker, Sherene Vaver, Simon Crawley, Neil Cowie

IT and change

Why is it important?

Enterprise recovery refers to an organisation’s ability to successfully prepare for, respond to, and recover from a catastrophic cyber event. Any financial services organisation could suffer significant enterprise-wide impacts because of such an event. With digitisation continuing to drive technology into the core of all business processes, the unavailability of critical technologies can prevent delivery of critical business services, severely impacting key areas or the entirety of the organisation. To keep pace, most financial institutions are strengthening their security controls and looking for ways to uplift their cyber maturity.

What’s new?

We have continued to see an increase in high-profile major cyber incidents across 2023, which, when coupled with the following cyber trends, creates an increased risk of an enterprise-wide event.

  • Digital Operational Resilience Act (DORA): The EU’s DORA aims to strengthen the financial services sector’s resilience to technology related incidents. With the implementation period concluding in 2024, relevant financial services organisations will need to comply with the new requirements around Information and Communications Technology (ICT) risk management and ICT-related incident reporting.
  • Geopolitical tensions: Heightened geopolitical tensions due to the war in Ukraine are intensifying the risks and impact of cyber warfare between nation states. The banking industry is a key example of a critical infrastructure sector that is frequently targeted by adversaries in such attacks.
  • Advanced tactics: Ransomware groups continue to advance their data exfiltration tools and techniques to carry out extortion. These tools help ransomware groups more efficiently steal data from target organisations before encryption. The threat of publishing this stolen data is then used to extort victims.
  • Remote working: Initial Access Brokers (IABs) are cyber threat actors (CTAs) that sell access to corporate networks to other CTAs as a service. With the continued increase in remote working, IABs are now increasingly targeting remote access for onward sale. The insurance sector is perceived to be of particularly high value, given the sensitivity of its information, which is attractive to a variety of threat actors.
  • Vulnerable exploits: Cybercriminal groups are likely to exploit operating system vulnerabilities to bypass secure processes. This allows cybercriminal groups to maintain persistence in the network and steal credentials. The financial services sector is highly targeted because of its obvious access to accounts and funds.
  • Supply chain: As organisations increasingly shift operations and applications to the cloud, attackers continue to exploit weaknesses in third-parties, supply-chain, and cloud hosting solutions to gain access to networks.
  • Phishing attacks: Phishing-as-a-Service (PaaS) platforms capable of bypassing Multi-Factor Authentication (MFA) are being increasingly used in attacks. These platforms help threat actors gain initial access to target organisations with strict MFA policies in place without needing to develop sophisticated capabilities themselves.

What should internal audit be doing?

Internal audit functions continue to play a key role in ensuring their organisations have a robust approach to cyber risk. We have set out below the topics internal audit may wish to consider when scoping an audit in this area. Functions will also want to consider whether they have access to the necessary skills to perform such assurance.

Areas of focus and suggested steps

  • Digital Operational Resilience Act (DORA): Review the organisation’s ICT risk management framework, a key requirement within the EU’s DORA. This should include a risk management framework, systems deployed to detect anomalous activities, and appropriate response and recovery strategies.
  • Cyber incident response: Review the incident response capabilities of the organisation. This includes the ability to prevent, detect, mitigate, and respond to major incidents, and the exercising of such processes.
  • Ransomware readiness: Understand the organisation’s preparedness for catastrophic ransomware attacks, working together with the Cyber Incident Response (CIR) team.
  • Backup of critical data: Understand the data that is critical to the organisation and review the backup and archiving policies that are being implemented. This should consider the classification of data and its criticality to the business and should include the requirements and capabilities of data vaulting and recovery.
  • Third-party risk: Review the management of and relationships with third parties. Given the increasingly complex nature of supply chains and use of third parties, understanding and managing the risks posed by third-party organisations is crucial. This evaluation should include take-on, contracts, and ongoing relationship management.

Authors: Nick O’Kelly and Ivelina Koleva 

Why is it important?

The post-pandemic era has seen a rebound in investment in digital transformation and strategic change across all financial services industry sectors. Management at organisations of all shapes and sizes see new digital services as key to attracting new customers and to engaging more meaningfully with existing ones. By investing in new digital services, management intend to deliver long-term value and generate additional revenue opportunities.

Organisations, therefore, see the creation of a common, strategically linked language and methodology for digital transformation as a commercial imperative. For many organisations to deliver swiftly on change, the approach needs to be internally led with minimal external dependencies because of continued competition for talent and the evolving skills landscape. This in-house approach creates new areas of risk and opportunity to streamline governance and control processes. Internal audit should engage with the business early in the lifecycle and, in turn, manage risks proactively.

What’s new?

  • The emergence of new digital technologies creates an opportunity for organisations to prepare and integrate them with their current environment, developing value propositions and use cases for existing and new customers.
  • Agile methodology and tools have been gaining popularity, and we’re seeing more and more organisations adopting these in their operations and audit plans. These tools aim to improve collaboration across the organisation. The use of Agile, combined with continuous monitoring, is making programme delivery quicker and more efficient.
  • Data analytics is one of the domains gaining popularity, driven by the need to maintain transparency and visibility, and to better manage programme inter-dependencies. Analytics is also being used to support better decision-making, and its use cases are growing by the day.
  • In addition to change programmes that aim to reduce operational costs, we’re seeing a greater and sustained focus on service and product strategy, design, digital consumer engagement and innovation. These are ultimately aimed at attracting new customers and providing better services to the existing ones through continuous support throughout the customers’ digital service lifecycle.

What should internal audit be doing?

Areas of focus and suggested steps

  • Digital transformation strategy and approach: Internal audit functions need to proactively assess the organisation’s innovation and digital transformation strategy and approach to ensure it will benefit the business in the long term. The key is not to penalise single product or delivery failures but to look at the overall programme potential.
  • Governance for agile delivery: Internal audit should assess the appropriateness of the levels of governance for agile delivery. They should also review the organisation’s control environment to ensure that the right level of controls is in place for agile programme delivery, leveraging continuous monitoring solutions to minimise delay.
  • First and second line risk and control functions: Internal audit should work more closely with 1st and 2nd line risk and control functions to support the organisation in its transformation journey. They should get involved early and remain continuously involved throughout the programme lifecycle.
  • Effective management information (MI) and reporting: It is critical that effective MI and adequate reporting are in place to allow relevant senior stakeholders to provide the right level of governance and oversight. Effective stakeholder management and governance at senior levels can help foster an operationally effective environment throughout a programme lifecycle. We see many organisations moving to a variety of “business partnering” models to embed risk management skills directly into programme delivery teams or product delivery pipelines.
  • Review of analytical tools: As organisations adopt new analytical tools, there is a danger that the business has too many systems in play to accelerate digitalisation without proper assessment of performance and benefits. Internal audit should plan an assurance review of how these tools are embedded across the organisation to ensure they deliver value for money. A holistic approach is needed where the reviews include systems, structures, skills, and capabilities.

Authors: Sofia Triantafyllou

Why is it important?

With the anticipated integration of Generative Artificial Intelligence (GenAI) into business functions, artificial intelligence (AI) and GenAI risk management will continue to be a hot topic for internal audit teams throughout 2023, into 2024 and onward. GenAI is a subset of AI in which machines create new content in the form of text, code, voice, images, videos, or processes. It has been the Large Language Model (LLM) powering an easily accessible chat interface that enabled GenAI to have its breakthrough moment and surprise even specialists in the field.

There are performance and operational risks that enterprises should keep in mind as they pursue the use of GenAI models. The pertinent risks in the context of LLMs can be summarised as:

  • Ethical use and unintended consequences: Is the GenAI being used in a manner consistent with the purpose of the overall exercise?
  • Privacy and intellectual property infringement: GenAI applications leverage global data, which raises legal questions related to privacy, copyrights, trademarks, or other intellectual property rights.
  • Uncertainty: How sure are you that this is the right answer?
  • Explainability: Where did you get that information?
  • Bias: Are we learning from the “wrong” or undesirable source?
  • Environmental impact: Is this worth the environmental costs?
  • Adversarial behaviour: Inputs that are specifically designed to fool a GenAI model or attempt to introduce malicious data into the training dataset.

To mitigate and minimise these risks, organisations are actively investing in developing controls to innovate with confidence. Control considerations include regulatory and principle-based guidance to ensure responsible development and use – such as considerations for embedding controls and mitigations through the GenAI development lifecycle. Reference considerations include AI specific regulatory developments, other principle-based approaches such as Deloitte’s Technology Trust Ethics (TTE) Framework or industry risk frameworks.

What’s new?

With the recent release of GenAI systems such as ChatGPT in November 2022, Bard by Google in March 2023, and Amazon’s release of its open source LLM called Falcon in June 2023, the interest around GenAI has increased, with both organisations and individuals exploring how they can utilise the tools. Whilst initial use was mainly by individuals, our research has shown more than 4 million people in the UK have used GenAI for work and organisations are investing heavily in enterprise use cases. Further, there have been changes this year to the AI regulatory landscape, with guidance being published to aid organisations in navigating the use of all forms of AI, including GenAI.

EU AI Act (latest development from June 2023) – The AI Act uses a risk-based approach and classifies AI systems as either prohibited, high-risk, or low-risk based on their potential for harm to society and to individuals’ health, safety or fundamental rights.

AI regulation: A pro-innovation approach white paper (published in March 2023) – This white paper is the outcome of a collaboration between multiple UK government departments, contributing to the government’s overall National AI Strategy. The white paper outlines an innovation-focused approach to AI development by investing in the long-term needs of AI ecosystems, supporting the transition to an AI-enabled economy, and ensuring the national and international governance of AI technologies is right. The paper outlines the government’s plans to regulate AI, identifying it as a critical technology. This new framework will encourage innovation in a responsible manner to drive growth and public trust, making the UK a global leader in AI.

ISO AI risk management framework (published in February 2023) – ISO published this document to provide guidance for organisations that are developing and deploying AI products but also to support with the risk management of these products.

In conjunction with the publication of the regulations and guidance above, the pace of AI development and deployment for the UK may become rapid.

NIST framework (published in January 2023) - The National Institute of Standards and Technology (NIST) has collaborated with organisations from both public and private sectors to develop the NIST AI risk management framework. The guidance is voluntary and aims to help organisations understand the considerations that should be made during the design, development, use, and evaluation of AI systems. Read more on the NIST framework.

What should internal audit be doing?

As AI technology advances, internal audit teams must stay abreast of the developments and ensure they have the required skills and capabilities to provide the necessary insight to senior leadership teams.

Areas of focus and suggested steps

  • Understand the organisation’s AI strategy: Internal audit should consider their organisation’s approach to the governance of AI. This should include a review of the organisation’s strategy that defines the road map for AI adoption, detailing desired research areas, mapping the development process, and the business areas which will pilot developing systems.
  • Review internal policy, standards, and guidelines: Similarly, internal audit should consider whether a policy has been developed that defines the parameters of AI system development and deployment, as well as how this policy would be embedded and communicated. The policy should include specific standards and guidelines on the use of GenAI tools and should be reviewed and updated regularly due to the fast-moving pace of this emerging landscape. The organisation should ensure that the user community is aware of this policy and trained on the dos and don’ts of the effective deployment of AI.
  • Determine whether an AI inventory exists: Internal audit will want to consider whether an AI inventory has been developed. An AI inventory records active and developing AI projects with details on their status and risk management considerations so they can be monitored and managed effectively.
  • Determine which external regulations or industry guidance apply to the organisation: As with many new areas, internal audit will want to understand how the organisation is staying up to date with new and changing regulations, and the processes and controls in place to assess how a regulation will impact AI development or the current deployment of AI systems, which is vital to prepare actions to ensure future compliance.
  • Assess the extent to which AI risk management practices and cultural behaviours consider AI risks: Internal audit should also consider AI in the context of risk management. AI should be integrated with the current risk management processes and procedures to ensure systems utilising AI are effectively managed, governed, and monitored. Current risk management processes may need to be amended to ensure that risks associated with AI are proficiently covered. Risk appetite statements may also need to be updated to cover this new risk.

Lead authors: Lukas Kruger

Contributing authors: Lewis Keating and Michelle Lee 

Why is it important?

Investment in strategic change rebounded rapidly in 2022 and 2023 after the impact of COVID-19. Deloitte’s CFO Survey (Interest rate worries | Deloitte UK) shows that capital investment intentions exceeded pre-pandemic levels by mid-2022, slowed only slightly by Q4 2022 market conditions and is now more keenly focused on long-term strategy.

Many organisations are now investing in long-term growth, digital strategies and attracting new business again rather than reacting to short term operational challenges.

The prevailing industry response indicates that now is the right time to invest in technology, risk reduction, and digital solutions to enable future services, increase efficiency and attract the workforce of the future.

The next logical step for decision-makers considering how to invest in change and transformation is to assess how they deliver transformation and change.

The blockers are not always financial, as businesses often have financial resources available to invest in transformational change. What we see is programmes failing to deliver on their stated intentions due to inadequate planning, communication, and decision-making processes.

What’s new?

From working across the financial services landscape, we have identified trends that are driving change and transformation that we believe should be on internal audit’s radar.

Talent and skills

  • Arguably, the biggest challenge facing all firms is competition for talent – specifically attracting and retaining the right skills and expertise to deliver business priorities and simultaneously drive change.
  • The intensity of competition for talent has been amplified by the fact that companies do not own all the specialist human capital they need. Companies continue relying on the market and outsourced solutions, rather than investing in long-term skills and capabilities in-house.
  • The demand for new skills in digital technology and agile change across the industry places a high price on those with ‘ready-made’ skills and experience who can adopt senior roles without the need for further development and training.

Evolving operating environment

  • As businesses continue to operate in this highly uncertain political and economic environment there is still an appetite to invest in scalability, resilience and more flexibility.
  • The need to get solutions to the market quickly and ahead of the competition is accelerating, to demonstrate value to stakeholders and shareholders as early as possible.
  • Factors consuming management’s attention include competition for the right talent, an excess of prioritisation options, and the constant “change in change”.
  • On top of all of these factors, change leaders are responding to internal prioritisation processes, which impacts their direct control over internal resources, supply chains and their own development journeys.

Digital transformation

  • Technology advances are creating greater choice in solutions and an increased desire for automation. Most organisations are choosing to improve internal processes as well as review the way they interact with customers and suppliers. This holistic adoption of digital solutions adds complexity but brings an opportunity to pool capabilities.
  • Supply chain and resource constraints create an operational imperative for change. We are seeing organisations pivot away from offshore outsourcing arrangements, instead seeking to leverage lower-cost digital solutions to improve customer experience and really drive value from automation where possible.
  • Cloud adoption is still the preferred channel for an organisation’s technology strategy. Some regulatory barriers (e.g. privacy concerns) have been overcome to enable greater online interactions; however, consent and use of data are still a major challenge.
  • These drivers have pushed businesses to offer digital first products in their portfolio and to digitise internal operations ahead of any organisational reform, which impacts decision making on hiring plans and development.

Regulation and market activity

  • Operational and business resilience has been at the forefront of business leaders' and regulators' minds due to extending supply chains, resource constraints, and uncertainty across global markets.
  • Given the short timelines for executing resilience programmes and the complexity of transformation, organisations need to act quickly to mobilise change teams for interim changes over the next year, forcing the use of agile methods.
  • Market uncertainties continue to drive transactional activity to consolidate or ring fence operations, while firms who have recently done deals often take years to consolidate their acquisitions, impacting forecasts for change and opportunities to plan ahead.

What should internal audit be doing?

Auditing change delivery capability and change activities is not new, and such reviews are common across most audit plans. We would encourage teams to overlay any traditional approach to project auditing by taking a strategic view across the change landscape and business demand, including the investment case and overall strategic intent of the change. The success or failure of any one project can have a significant impact on the organisation’s reputation and stakeholders; however, by looking at the whole picture, internal audit can determine whether risk lies in delivery, or in the direction of travel.

Areas of focus and suggested steps

Investment case and change strategy
  • By prioritising audit time on change strategy and overall portfolio management, risks and thematic controls can be tested for the delivery of change, without dependency on traditional project milestones that may not occur until late in the audit year.
  • Reviews at investment level can be used for internal audit to be satisfied as to the alignment of change with wider strategic goals, and to ensure audit time is directed at the most impactful areas. Strategic reviews need to be timed and completed in conjunction with the business doing a portfolio review. The audit plan should focus on the checks and balances and the decision-making governance.
Portfolio and project governance
  • Portfolio teams should be consistently engaged through risk functions. Also, internal audit should be present at strategically important change boards and group meetings to observe upcoming decisions, and to review programme plans, progress, budget, and the achievement of key deliverables and milestones on critical initiatives. Internal audit should not be tied to the cadence of specific projects and programmes.
Major programme audit and thematic reviews
  • Focus on major transformation activities (programme assurance) remains a key part of internal audit’s armoury in the change space. Given the strategic importance of the success of such work, programme assurance should be folded into audit plans where it can be utilised impactfully.
  • Thematic reviews across the portfolio can be used to assess specific topics and provide visibility into the application of approved methodologies (e.g. benefits tracking/realisation, use of analytics, budgeting, tools).
Agile delivery health checks
  • Check in on individual initiatives by establishing an agile health check approach with periodic checks into specific projects at critical points. Internal audit can work within the three lines of defence model to establish a consistent view that follows the change portfolio’s lifecycle. This helps to ensure that programmes are appropriately resourced and have the right controls in place to achieve time, cost and quality objectives.
Use of appropriate technologies and tools
  • Internal audit should understand the stated intent behind drives to adopt cloud-native and other transformative technologies, as well as solutions that place significant reliance on platforms and vendors to deliver on cloud transformation.
  • With the adoption of artificial intelligence (AI) and machine learning technologies, there is a significant risk that the technology is not well understood by the user base, customers, and even those who evangelise the services.
  • The audit plan should evaluate the strategy and adoption of platforms, tools and technologies and challenge where decisions are based on marketing promises, not business need, and ensure duty to customers is considered.

Authors: Lee Hales, Luke Thornley, Olga Harte 

Innovation

Why is it important?

Internal audit functions are frequently constrained by the number of auditors at their disposal, who are still using predominantly manual and time-consuming ways of working. Whilst many leaders have recognised the need for digital fluency, resulting in analytics and visualisation training becoming a staple on the learning and development menu, very few have seen it as an opportunity to rethink the status quo and truly innovate.

Through the use of technology, internal audit has an opportunity to reimagine their ways of working, not just to gain efficiencies but to increase agility and enhance the quality of issues identified. For example, are cyclical coverage strategies, audits that provide a ‘point in time’ assessment, or the use of limited non-statistical sampling methods sufficient in today’s world? Is it right that teams frequently spend more time on discovering issues than understanding root cause and helping management think through solutions? Should it really take weeks and sometimes months to issue and finalise reports? Are functions leveraging their collective knowledge, or are they still reliant on retained knowledge within key individuals?

Digitalisation of the internal audit function offers both hope and new possibilities.

What's new?

There have been significant improvements in the quality and functionality of audit management systems, many of which now have high levels of integration and Application Programming Interface (API) capabilities to connect with other applications. This allows internal audit functions to create customised technology environments within their organisational context, and tailored visualisation layers. The software has also evolved to suit functions of a broader range of sizes, meaning it is no longer the reserve of only the largest functions.

Organisations themselves are also providing more opportunities for internal audit through greater investment in data and technology, and by taking a more strategic approach to information management. As the quality, reliability and availability of data in organisations improves, so does the opportunity for internal audit to leverage this through their assurance.

Over recent years automation technologies have become more accessible through low and no-code solutions, and over the past year, the potential for artificial intelligence (AI) has been observed through the release of large language models and other generative AI tools into the mainstream population. For example, some functions are using AI and machine learning to mine data in audit reports to identify themes and commonly reported issues across thousands of reports; others have applied a similar approach to risk assessment and used AI to highlight common areas of risk using minutes from stakeholder meetings. Other examples include automated audit committee reporting, the use of AI to generate the first draft of an audit report, automated working papers, predictive text for descriptions of risk and controls and QA chatbots. The opportunities are vast.

Whilst generative AI technologies are still in their proof-of-concept phase for a small number of functions, their potential to increase the productivity, quality, and impact of internal audit is clear.

Whether this is driven by growing stakeholder demand, cost reduction, productivity, or the need to attract top talent (by enabling people to focus on more purpose-driven and meaningful work), functions that do not engage with the digitalisation agenda now will quickly find themselves left behind. They will lack the agility to respond to emerging risks, redirect resources, deliver efficiencies and improve the quality of their insights.

What should internal audit be doing?

Be clear on your purpose - Digitalisation of internal audit is not the goal, but a means to help the function achieve its purpose through more intelligent ways of working that yield higher impact and value. By having clarity on the function’s purpose and vision, internal audit leaders can better identify, define, and prioritise their investment in digitalisation.

Make a start - Perhaps you have limited data sources and only a handful of tools. Consider what you can do with what you have and build from there. We’ve found that taking the first step helps functions gain momentum and start building a culture of innovation.

Set a digital strategy – Once the function’s digitalisation priorities have been set around deliberate outcomes, be clear on your roadmap to achieve the strategy and how you will measure progress.

Collaborate – Whilst many functions now have capable data analytics teams, some with data scientists, internal audit teams don’t typically have the full breadth of technology skills and capabilities required to digitalise all aspects of the lifecycle within their teams. In our experience, those functions who work closely with technology teams have been able to accelerate their digital strategies.

Create an innovation culture to drive digital – Taking a leaf from agile development approaches can benefit functions in a digital environment which is often dynamic and quick to change. Creating an innovation culture where leaders encourage teams to challenge the status quo and explore new ways of working, is key to identifying opportunities and addressing any issues that emerge from digitalisation.

Get tech savvy – Internal audit functions do not need to have large teams of technologists and data scientists who understand the inner workings of the latest generative artificial intelligence or be experts in technology architecture. However, having digital fluency and a basic understanding of technologies can help both leaders and their teams consider the art of the possible, spot potential use cases and translate their requirements to specialist teams who can help functions digitalise.

Internal audit digital and analytics survey 2023 | Deloitte UK.

Authors: David Tiernan and Nanette Scott 

Why is it important?

The application of ‘Agile’ in internal audit has come about from a recognition that it can evolve and upgrade the profession, and deliver better insights, more efficiently and with greater employee engagement. In doing so internal audit can have a greater impact and be more proactive in responding to change. Agile in internal audit is centred around intentional engagement with audit stakeholders, which in turn, strengthens relationships.

Looking ahead, the breadth of demand on internal audit and the pace and scale of innovation in the profession, means there is a need to consider leading with agility to enable functions to be purpose driven, leverage automation, and embrace digital technologies.

What do we mean by leading with agility? It’s about getting deeper into the agile mindset, culture, and behaviours and applying these across audit delivery, as well as the operations of the entire internal audit function. This will enable learning, prioritisation, and the ability to pivot in increasingly complex and interrelated risk environments.

While some organisations have considered Agile and may have developed a framework, rarely do we see this fully implemented in terms of the shift in mindset, culture and behaviour and as such the benefits of agile are not yet being realised.

Embedding agile is also dependent on having the right support network, such as experienced scrum masters, agile champions, an agile centre of excellence (COE), etc. Without this it’s very difficult for an organisation to progress from “Doing” agile, to inhabiting the agile mindset, culture, and the behaviours associated with “Being” agile.

There is no one-size-fits-all approach for Agile, and here we provide the opportunity for you to reflect on your existing agile practices and identify ways to take these to the next level.

What’s new?

With regards to agile in internal audit, it is not so much about what is new or what has changed but how it is evolving. The profession has made a great start and achieved marked progress, but there are some common observations which can contribute to functions progressing to the next level in their agile journey – and this will be by leading with agility.

Go back to your why
Functions experience challenges when they are not clear about why they are applying agile and ignore the need to align with their organisation’s purpose, vision, and strategy. This prevents them from developing a purpose-driven approach and, in turn, makes the application of agile frameworks the end goal in itself, which will not always realise all the potential benefits.

Where functions are clear on the outcomes that they want to realise from embedding agile, they can tailor the agile framework in a way that works for their specific function. Tailoring the framework should be a collaborative exercise based on the lived experiences of those applying it, together with your agile support network.

Evolving agile in internal audit
There is a common misconception that the implementation of agile is complete once the “agile framework” has been rolled out. Agile is intentionally designed to be incomplete and to be further tailored to your function and stakeholder environment as it grows and matures. Recognising this enables functions to continuously customise their agile ways of working by assessing and adapting against specific measurable outcomes on an ongoing basis.

In addition, functions have taken the approach of classifying support structures (such as experienced scrum masters, agile champions, an agile centre of excellence (COE), etc.) as activities of transformation projects. Where support networks are dissolved, for example after project completion, their importance in maintaining and sustaining a new business as usual (BAU) is negated, resulting in functions stalling or regressing in their ways of working.

Leading with agility everywhere
Functions who have applied agile ways of working may have initially started with audit delivery, but few functions have progressed beyond this point. Agile is rarely applied across the whole audit function (such as portfolio activities, annual planning process, quality assurance, learning and development, etc.). There has also been a lack of focus on leadership training and live coaching, to support leaders to create the environment for the new BAU to emerge or be sustained.

What should internal audit be doing?

Area of focus: Go back to your why
Suggested steps:

  • Remind yourself why you’re applying agile ways of working, keeping in mind your function’s purpose, vision and strategy, as well as the purpose, vision and strategy of your organisation.
  • Define or revisit the specific measurable outcomes you want to realise from embedding or strengthening your agile practices.
  • Understand your as-is state relative to your target state and how you will measure progress.
  • Involve the team and benefit from their learnings.

Area of focus: Evolving agile in internal audit
Suggested steps:

  • Take stock of your current agile application approach by comparing your initial implementation state with your current state. Adopt a continuous improvement approach so your agile practices evolve with the function and business environment, by designing an agile journey which will evolve continuously and never be ‘finished’.
  • Invest in the support network (scrum masters, agile champions, an agile COE) to develop and embed new habits and behaviours, by formalising the roles, providing a clear career path and upskilling.
  • Ensure the agile support network has permission, authority, agile experience, and autonomy to challenge leadership, product owners (audit owners), teams’ behaviours, and existing agile practices.
  • Self-reflect and seek feedback from teams and stakeholders, and partner with peers in the industry to gain new ideas and insights, in order to continuously reflect and adapt.

Area of focus: Leading with agility everywhere
Suggested steps:

  • Recognise the impact that leadership and product owners (audit owners) can have on a function’s way of working and invest in coaching, support and training for leadership. This will help them to shift their mindset and gain confidence with a new way of working, whilst empowering the team to make decisions through the responsible release of power.
  • Introduce agile principles at portfolio level, across function operations, and in the delivery of strategic initiatives such as data analytics, digital solutions and high impact reporting, so that a culture of experimentation is embedded not just in audit delivery but everywhere across the function.

Authors: Alexandra Rodrigues, Aestrid Solberg and Katie Jones

Why is it important?

Expanding stakeholder demands, and the increasing breadth and scope of risks continue to challenge internal audit functions. Leading functions have developed a clear vision and strategy, setting out how they will respond to these demands to maintain relevance and maximise their impact. The real leaders amongst these functions are those that are purpose-driven.

What’s new?

The revised draft Institute of Internal Auditors (IIA) Standards call for internal audit functions to develop a vision and strategy that support the organisation’s strategic objectives and meet the expectations of key stakeholders. A purpose statement that articulates internal audit’s value in supporting the organisation’s success is also required.

Purpose has become increasingly important for organisations and their stakeholders. Purpose-driven organisations have reaped benefits over the last 12 months in the form of strengthened brand recognition, faster growth and return on equity, increased employee engagement and the ability to attract top talent.

There is an opportunity to align internal audit’s role and remit with the organisation’s purpose, and a need to articulate the value the function creates for the organisation. This is a new orientation for many functions.

The need for functions to deliver more with less, whilst continuing to innovate and stretch themselves, continues to present a challenge. Functions need to be selective over their investments and define return on investment criteria to help assess whether existing and proposed strategic initiatives will drive achievement of internal audit’s purpose and vision. Those that don’t should not be taken forward.

What should internal audit be doing?

Area of focus: Revisit and challenge – are existing visions and strategies fit for the future?
Suggested steps:

Revisit and challenge whether internal audit’s existing vision and strategy are aligned to what the organisation will need from the function in future. Seek feedback from key stakeholders and bring the team together offsite to collate views and generate ideas in a focused environment. Consider the benefits of utilising an independent facilitator to challenge the team and bring fresh perspectives.

Area of focus: Start with purpose – why the function exists and the value it creates for the organisation
Suggested steps:

Review the organisation’s purpose statement and consider whether internal audit’s current purpose is aligned to this, or whether a refresh is needed.
When defining or refining internal audit’s purpose, consider the impact the function wants to have and the value it wants to create for the organisation – focus on why the function exists rather than what it does.

Area of focus: Set a clear vision – what the function will deliver over the medium to long term (three to five years)
Suggested steps:

Clarify what key stakeholders need and expect from internal audit.
Ask yourself how they would describe the function in three to five years’ time if it was delivering on these expectations and creating the value articulated in its purpose statement. Would stakeholders see it as a function that looks to continuously improve and add value through a stretching remit of assure, advise, anticipate and accelerate?

Area of focus: Develop a strategy – how the function will deliver its purpose and vision
Suggested steps:

Consider what the vision will look like in practice through the lenses of skills and capabilities, toolsets and mindset, to identify strategic priorities that will drive achievement and embedding of the function’s purpose and vision.
Be specific in defining outcome statements for each priority and the actions that will be required to deliver against these outcomes and to navigate any potential barriers to success. Start small, identify quick wins, prioritise, assign owners and hold them to account.

Area of focus: Experiment and iterate – keep it live and under review
Suggested steps:

Pursue incremental improvements that generate lasting change, rather than big bang changes which tend not to work. Adopt a mindset of continuous learning – experiment through pilots, measure the impact, learn and adapt before adopting scaled change.

Authors: Emma Gauntley and Owen Jackson

Why is it important?

In March 2023, the Institute of Internal Auditors launched a public consultation on the proposed International Professional Practices Framework (IPPF), specifically seeking feedback on the revised Global Internal Audit Standards (“the Standards”) that will apply to all internal audit professionals and functions across all industries and sectors. Additional ‘Guidance’ to support the Standards and ‘Topical Requirements’ (i.e., practice aids for auditing specific risk domains) have been outlined and are planned to be released at a later date. The new Standards are expected to be finalised in Q1 2024 with a 12-month grace period for functions to demonstrate conformance.

The proposed structure of the new Standards is organised around five domains, comprising 15 Principles and 56 Standards. Each Standard includes requirements, considerations, and suggested evidence to demonstrate conformance.

The proposal represents an update and consolidation of existing Standards and supplementary guidance, rather than a drastic overhaul. However, as drafted there is a trend to a more rules-based approach indicated by a significant increase in the number of mandatory requirements (moving from 126 to 304 ‘musts’) for Chief Audit Executives (CAE), their functions and stakeholders.

Internal audit functions will need to incorporate the new requirements as well as approaches to capture evidence to demonstrate conformance within existing quality assurance and improvement programmes.

Whilst the IPPF is yet to be finalised there are a number of ‘no regret’ decisions and activities that functions should consider and where necessary factor into team delivery plans across the course of 2024 to help ensure they are compliant with the new Standards in good time.

What’s new?

Whilst many new requirements look to codify what is already considered good industry ways of working, the new Standards do not necessarily provide a stretch target for leading functions. Notwithstanding this, demonstrating conformance to the new requirements has the potential to be onerous for all functions and may be a stretch for many, particularly smaller functions and those who are already heavily constrained by existing resourcing levels. Some of the key changes are outlined below:

  • Domain 1: Purpose, introduces the purpose statement for internal audit for the first time, getting functions to link their purpose to that of the wider organisation.
  • Domain 2: Ethics and professionalism, provides greater clarity on the evidence of conformance to the Code of Ethics and due professional care. This includes the requirement for all internal auditors to undertake a minimum of 20 hours continued professional development per year, including two hours focused on ethics; as well as the need for CAEs to produce a methodology for assessing ethical issues.
  • Domain 3: Governing the internal audit function, places greater emphasis and requirements on Board oversight, responsibilities and involvement and new requirements around external quality assessments (EQA). Specifically:

    • Standard 8.1 Board interaction – prescribes several responsibilities for the Board including the frequency of communications with the CAE and having defined criteria for escalating issues.
    • Standard 8.3 Quality – includes a requirement for the Board to approve annually the internal audit performance objectives that CAEs are required to develop to evaluate the function’s performance (Standard 12.2).
    • Standard 8.4 EQA - the option to perform a self-assessment with independent validation in lieu of a full EQA is limited to every other EQA cycle (once every 10 years); and a requirement for EQA assessment team qualifications.
  • Domain 4: Managing the internal audit Function introduces several new requirements for CAEs including requirements for:

    • Standard 9.2 Internal audit strategy – functions to develop a strategy.
    • Standard 9.5 Internal audit plan – the rationale to be included in internal audit plans when a high-risk area is not going to be subject to an assurance review.
    • Standard 11.1 Building relationships and communicating with stakeholders – the CAE to develop an approach for the function to build relationships and trust with key stakeholders.
    • Standard 11.3 Communicating results – functions to communicate ‘themes’ to the Board.
  • Domain 5: Performing internal audit services introduces the following new requirements:

    • Standard 13.4 Evaluation criteria - introduces the concept of having measurable ‘evaluation criteria’ for every audit.
    • Standard 14.3 Evaluation of findings - requires internal auditors to identify a root cause and rate / rank findings.
    • Standard 14.4 Recommendations and action plans - mandates functions to make recommendations.
    • Standard 14.5 Developing engagement conclusions - requires functions to develop an overall engagement conclusion, aligned to the organisation’s risk appetite and tolerance, for all audit work.

What should internal audit be doing?

Area of focus: Understand the new requirements and perform a gap analysis
Key considerations to help functions achieve compliance with the IPPF:

As an initial step, review the draft publication and understand what the new requirements are and how they will impact your function. During Q4 2023 or Q1 2024, perform a gap analysis to understand where you need to enhance ways of working to strengthen conformance to the new Standards. This should be revisited after any revisions to the draft Standards, if applicable.

Area of focus: Action plan
Key considerations:

Develop an action plan to address current gaps and ensure that, where no professional practices team exists, appropriate steps are factored into team delivery plans during 2024 and taken so that a satisfactory level of conformance is achieved and being demonstrated when the new Standards become effective (expected late 2024 / early 2025). This will likely result in a need to update the internal audit methodology and approaches and to introduce new ways of working.

Area of focus: Raise awareness and provide training to your team
Key considerations:

Provide awareness training to teams on the new requirements within the Standards, particularly where there is a need to adjust ways of working.
Confirm that a mechanism is in place to ensure that the team is undertaking the required continued professional development training hours each year.

Area of focus: Quality assurance and performance measurement
Key considerations:

Once new ways of working have been established in 2024, review existing internal quality assurance activities to ensure they are aligned with the new requirements and that appropriate practices are in place to agree, measure and report on performance objectives for the function. This may require amending audit management system controls to automate the capture of data.

Area of focus: Stakeholder communications
Key considerations:

With added focus on Board responsibilities, take appropriate steps to communicate the new requirements to key stakeholders.

Area of focus: Consider the timing of your EQA
Key considerations:

During the transitional period following release of the new Standards, the IIA recommends that EQAs are undertaken with a focus on conformance to the existing IPPF. As ever, functions should aim to get maximum benefit from their EQA to help stretch them to the next EQA cycle. Undertaking an EQA during the transitional period can provide a forward-looking view of existing performance against the new requirements and help identify where gaps may be, while performing an EQA after the transitional period gives the function more time to introduce new ways of working and to demonstrate and gain assurance over its conformance to the new requirements.

Area of focus: Use as a catalyst for impactful change
Key considerations:

As outlined, the new Standards do not provide a stretch target for most functions. We would encourage functions to use this period as an opportunity to raise the bar beyond simple Standards conformance: to revisit their purpose, vision, strategy and innovation priorities to ensure that they maximise the value and insight they deliver to their organisations. These are all key features that our market leading framework for the function of the future, Internal audit 4.0, has been championing and can help to realise.

Authors: Dan Wright and Owen Jackson 

Why is it important?

Internal audit functions need to be thinking now about what skills they might need for the future to meet ever growing demands from stakeholders. In an increasingly uncertain risk landscape, internal audit teams are now expected to bring more business-oriented, enterprise-wide skills and perspectives to managing organisational risks, whilst at the same time being up to date with the latest regulation and industry practice. These skills of the future need to be considered whilst operating in an environment of constant change where resourcing and retention is becoming increasingly challenging. To support the organisation, internal audit needs to evolve and upskill at pace.

What’s new?

Key changes since 2022/23 include:

1. Focus on Purpose and Agility
The focus on purpose is not new, but the emphasis has become increasingly important with the release of the draft International Professional Practices Framework (IPPF) for consultation by the Institute of Internal Auditors (IIA). Within this draft, purpose features as the focus of an entire domain. The increased emphasis on purpose is shifting the mindset of internal audit functions, which now need to be more agile in their approach and mindset to auditing, adapting to the continuously changing landscape in which their organisations operate.

2. New proposed IPPF principles drive a focus on skills
The draft IPPF also raises the bar by requiring functions to perform a skills needs analysis to assess the adequacy of their resources to deliver their plan. The draft Standards tell us that there will be more focus on internal auditors demonstrating the knowledge, skills, and abilities to fulfil their roles and responsibilities successfully, to drive quality in internal audit products.

3. Accelerating management of the more informed stakeholder
Increasingly informed stakeholders, with a deeper understanding of internal audit are seeking more value and quality from functions. Auditees too are more informed, invested and accountable. Strong communication and presentation skills and the ability to manage and negotiate with stakeholders are now not just skills for internal audit management, but the whole team. Internal audit also needs to be able to respond to Auditees' expectations for feedback on issues quickly and with deeper insights and practical opportunities for improvement.

4. Digitalisation
The internal audit function of the future will need to equip itself digitally throughout the audit life cycle to deliver efficiencies, expand coverage, improve quality and share knowledge. It will need to make use of digital technologies, channels and ways of working to transform existing operational processes and increase the value offered to stakeholders.

When it comes to the skills required by individual internal auditors, a basic understanding of IT general controls is now a pre-requisite, alongside data fluency.

5. Competitive labour market
Global events over the last three years have shifted the priorities of individuals and created challenges for recruiting and retaining the right talent for internal audit functions:

  • Experienced and qualified internal auditors are more selective in their life and career choices, making it increasingly difficult to attract the best talent to roles. Organisations increasingly need to demonstrate more than financial benefits: sustainable values and clear career pathways.
  • There is a greater focus on functions being able to develop skills and capabilities in-house, with more functions drawing on specialist skills from guest auditors from the business, or creating role swaps and rotation programmes, which drive different learning and development needs for a function.
  • Many functions are finding the resources particularly scarce for certain growing areas of organisational focus such as:

    • Environmental, Social and Governance (ESG);
    • Diversity, Equity and Inclusion (DEI) issues, and reputational risks;
    • Robotic Process Automation (RPA) and Artificial Intelligence (AI) applications; and
    • Health and Safety, Security and Regulatory changes.

What should internal audit be doing?

Area of focus: Strategy
Suggested steps:

Determine the overall internal audit people strategy, including:

  • Linking the people strategy to the purpose of the function in the context of your organisation’s strategy.
  • The development cycle of an internal audit team member and the benefit to the business as well as the individual.
  • Consideration of location strategies, alternative delivery models, team design, and longevity.

Area of focus: Needs analysis
Suggested steps:

Understand the:

  • Skills demand within your business and the gap in the skills and capabilities of the internal audit team.
  • Skills and capabilities needed to address core risks as well as new pervasive risk types.
  • Skills and capabilities required to enable functions to push beyond their core assurance remit to an approach that advises, anticipates and accelerates, adopting a digital and agile mindset to help them do so.

Area of focus: Pathway/Delivery method
Suggested steps:

  • Take stock of content and resources internally and externally to address the internal audit people strategy.
  • Prioritise learning needs based on the key focus areas of the organisation and hence the function’s objectives.
  • Determine the most efficient and effective pathways to fill the skills and capabilities gap, considering the needs of the organisation and function and the challenges of a competitive labour market.

Author: Jamie Lee
