Financial Services Internal Audit Planning Priorities 2022
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.
Growing investor and regulatory awareness and concern over the need to address social and environmental issues is driving the rapidly increasing interest in Environmental, Social and Governance (ESG) factors and sustainable finance. As Regulators set out their expectations for how financial institutions should manage climate related financial risk, including modification of governance and risk management frameworks, development of scenario analysis and stress testing, and disclosure of climate change related issues, it is vital that the Internal Audit function challenges the firm’s response to this. As a society, customers are now aware of the growing urgency to build relationships with those businesses who can demonstrate that their practices are aligned with society’s goals and ambitions. Reputational risk has become key as it flows from firms’ responses to embedding climate risk within their business, therefore Internal Audit should challenge whether firms have suitably assessed their related exposure to reputational risk and whether the impact of handling these issues poorly has been considered.
Regulatory Expectations:
Political Influence:
ESG Wider Considerations:
Area of Focus | Description |
ECB Guide on Climate Related Risk | |
Reputational Risk | |
Diversity and Inclusion and wider ESG | |
Key contacts: Hetty Van Der Wal and Russell Davis
Insurers face inherent liquidity risks in their business models, and these must be appropriately managed to ensure consumer protection and ongoing viability of business services. As regulatory interest has moved beyond just the management of financial risk and towards an expectation of all round financial resilience, the prominence of liquidity risk has increased. Effective and sound management of this risk has a key role to play in ensuring firms’ resilience to financial shocks, with most firms finding that they need to potentially make significant enhancements to meet regulatory expectations.
We expect that all insurers, not just those with obvious and substantial liquidity risk exposures, will have to potentially make significant enhancements to their liquidity risk management frameworks.
Area of Focus | Description |
Liquidity risk management framework | Internal Audit should perform a review of the firm’s framework on liquidity risk management against the proportional requirements of SS5/19. Internal Audit should assess if the liquidity risk management framework adequately captures all of the key components, including but not limited to:
Internal Audit should also assess whether the governance and roles and responsibilities in liquidity management are clearly defined. |
Regulatory expectations | Internal Audit should assess the gap analysis performed by Management to understand whether the current capabilities and processes are in line with the regulatory expectations, including a review of the remediation plans defined to address the gaps. |
Inclusion in risk management internal audits | Liquidity risk should be audited as a core part of any end-to-end risk management audits, to help provide assurance and confidence over the firm’s implementation of the new guidance and the resulting liquidity status. |
Leverage subject matter expertise | Subject matter experts should be used to perform audit planning and/or carry out testing and reporting, together with understanding the adequacy of the Liquidity risk framework against industry good practices. |
Key contacts: Henry Basing and Aaron Oxborough
Internal Ratings-Based (IRB) firms are required to apply a suite of ‘IRB roadmap’ model changes by 1 January 2022 in order to remain compliant in their calculation of regulatory capital. These regulatory changes can have a profound impact on probability of default (PD), exposure at default (EAD) and loss given default (LGD) risk parameter estimates, and hence capital estimation for a firm’s banking book. Failure to evidence compliance with this new regulation can ultimately threaten a firm’s IRB status as well as increase the ‘margin of conservatism’ required for estimates, leading to higher capital charges. Ultimately this is also coupled with reputational risks from Regulators if the model development programme is perceived to be low quality. As a result, many Banks are conducting significant IRB enhancement programmes over the next few years, in order to ensure the required process changes, model redevelopments and regulatory submissions are all delivered effectively. These programmes are often high risk, with tight timelines exacerbated by the volume of model changes required and extensive submission requirements. Across the banking industry, from Tier 1s with established IRB rating systems to challenger firms applying for IRB status, there is an increased onus for successful submission for IRB approval. As a result, assurance from Internal Audit on the effectiveness of delivery from these programmes is critical. Please also refer to our IFRS 9 ECL Estimation topic given its relevance to IRB Delivery Programmes.
Area of Focus | Description |
Regulatory compliance | Verify that model development and validation controls are operating in line with regulatory requirements. Due to the technical nature of IRB regulation, this often requires input from subject matter experts (SMEs) in order to appropriately challenge the relevant model development, validation and approval controls. Areas of technical review include model methodology, performance testing and assessment of data quality. Furthermore, SME support is often necessary to provide assurance that regulatory self-assessments are sufficiently complete and accurate. |
Processes and controls | Review of the relevant processes and controls across the model lifecycle, with assurance that these have been sufficiently followed prior to regulatory submission. This includes assessment of: |
Programme assurance | Assess and provide assurance that the regulatory change programme has been effectively managed, in order to ensure successful submission to Regulators. This includes assurances on: |
Key contacts: Rohan Gokhale and Ian Wilson
Internal Audit functions in the UK are at different stages with regard to IFRS 17 assurance planning and are currently reassessing and adjusting their holistic assurance timelines. For many insurers the effort and cost has grown significantly from initial expectations and may continue to do so through to programme completion, as solutions are embedded, tested and re-worked. Also, in some organisations programmes have not yet been far enough progressed to enable meaningful audit activity to take place so Internal Audit may be planning its first real look at the detail in the current year. IFRS 17 has a number of areas of complexity and challenge and prioritising these can be difficult. Below we consider some of the key methodology decisions, highlighting common high-risk areas and Internal Audit's approach for providing assurance that informs governance around methodology.
Internal Audit functions are reconsidering their assurance timelines for two reasons—first, the impact of COVID-19 has changed the plans of Internal Audit and the wider organisation for 2021, and during March 2021, it was announced that the effective date of IFRS 17 will be deferred to 1 January 2023, prompting project teams to consider refreshing their own timelines. With many programmes on the cusp of transition from implementing IFRS 17 solutions into testing, assurance over the controls design and their operating effectiveness over the IFRS 17 new financial processes is an important milestone to identify and remediate any control weaknesses in advance of external audits.
Certain key decisions, the working assumptions, are made early and drive downstream effects of the implementation programme. For example, adopting the General Measurement Model (GM) will require many organisations to modify existing systems and databases to capture additional contract or portfolio level data; whereas the Premium Allocation Approach (PAA) may not require such a significant change to the organisation’s existing infrastructure (but may introduce different risks). The cost associated with identifying and correcting inappropriate accounting policy or methodology choices during the implementation programme can be substantial and may put key deadlines at risk.
Internal Audit has a key role to provide assurance over the IFRS 17 programme between now and completion of implementation in 2023. The nature of audit work that can be performed will be driven by the progress the business has made.
In 2020, with affected insurers having completed their impact assessments and moving into the solution implementation phase, the natural scope for Internal Audit appeared to be project assurance.
In 2021, Internal Audit scope could include methodology, as the business designs/implements solutions following conclusion of the gap assessments. Internal Audit will need to be mindful of the role of the external auditor, who will ultimately need to sign-off on the chosen technical methodology and remain connected on any technical points being raised and the management of their impact on the wider project.
In the final year of 2022 before go live, companies will be focussed on producing comparative period financial results ready for publishing externally in their financial statements in the following year. This will be the first time the entire financial reporting process is run end to end. At this stage, Internal Audit can provide assurance over the design and operating effectiveness of controls over the reporting process, in advance of external audit to identify and remediate any weaknesses.
Internal Audit should consider assurance activity in the following areas during 2022:
Key contacts: Anjali Savani and Charlie Scarr
During the initial stages of the COVID-19 pandemic, estimation of Expected Credit Loss (ECL) for calculation of loan impairment became more challenging for firms, due to sudden changes in economic activity coupled with unprecedented levels of Government support, which caused the classical relationships between economic activity and credit behaviour to break down. With core modelling and data assumptions becoming invalid under these new conditions, many firms were forced to apply expert-based Post Model Adjustments (PMA) to their model estimates in order to generate ECL estimates as accurately as possible.
A year later and firms are now facing a new challenge; ahead of improved economic baseline forecasts, these incumbent PMAs are in some instances becoming overly optimistic, leading to a risk of “see-saw” estimation, with impairment swinging well below the acceptable range. Furthermore, as COVID-19 era information starts to crystallise into Banks’ risk data warehouses, firms will need to consider whether this data is usable for BAU-type activities such as model monitoring and redevelopment. Internal Audit’s assurance regarding the accuracy of IFRS 9 ECL estimates is therefore critical, due to the significance of the impairment calculation as well as its volatile and subjective nature. Please also refer to our IRB Delivery Programmes topic given its relevance to IFRS 9 ECL Estimation.
Area of Focus | Description |
PMA unwinding | Review the appropriateness of current PMAs applied to SICR and ECL estimation, assessing the degree to which PMAs should be adapted based on current (and prospective) economic and credit conditions. Timing of PMA unwinding should be considered, in order to mitigate potential volatility or inaccurate estimation. |
ECL models | Assess the core modelling assumptions and limitations of current ECL models, particularly where assumptions were breached, and subsequently have led to introduction of short-term PMAs. Any model changes should pass through the necessary processes and controls, including review and model approval from the appropriate governance functions. |
Forward-looking scenarios and weightings | Assess the process where forward-looking economic scenarios are forecast in order to inform probability-weighted lifetime ECL estimates. The selection of these possible future scenarios and their weighting is one of the most material aspects of the ECL calculation. Particular consideration should be given to potential volatility of forecasts arising from uncertainty in predicting economic conditions in post-COVID-19 scenarios. |
COVID-19 era data | Assess whether necessary processes, controls and governance have been followed in the application of new COVID-19 data in BAU activities. For example, inclusion of COVID-19 data in model development should be assessed and sufficiently justified, alongside sign-off from the relevant governance functions. |
Key contacts: Rohan Gokhale and Justin Le Blanc
The UK Corporate Governance Code already establishes a clear responsibility on the whole Board to establish a framework of prudent and effective controls — however, calls for a US style internal control attestation are being considered by the Business, Energy and Industrial Strategy Committee (BEIS) as a result of the Kingman and Brydon reviews. Sir John Kingman’s independent review of the Financial Reporting Council (FRC) states that BEIS should give serious consideration to the case for a strengthened framework around internal controls in the UK. Furthermore, Sir Donald Brydon’s review of the quality and effectiveness of audit to the Secretary of State issued in December 2019 suggested a number of improvements to a business’ control environment. The BEIS consultation required responses by 8th July. Responses are being collated and considered with the outcomes expected to be published in late 2021 or early 2022. As well as preparing for the future requirements, businesses are using this as a platform to reassess and transform their processes and controls.
In a recent interview Sir Jon Thompson, Chief Executive of the FRC, confirmed his expectation that a form of UK SOX will be introduced in 2023/24, that ministers are very engaged in the topic, and that in due course the scope of compliance will extend to large privates.
BEIS issued a consultation paper in March 2021, with responses received up to 8 July 2021. The consultation paper expanded on the reviews already performed by Kingman and Brydon, and Deloitte formally responded to the consultation.
Options expanded on in the BEIS paper include:
The consultation sets out a tentative preferred option which would require a Directors’ statement about the effectiveness of the internal controls but (unlike the US’s approach to internal controls which mandates external auditor attestation in most cases) leave the decision on whether the statement should be assured by an external auditor to the Directors, Audit Committee and shareholders. The paper makes clear that this preferred option is not intended to shut down discussion of alternatives.
Notably, the scope of controls over reported information is likely to extend beyond solely financial reporting with specific proposals regarding payment practices, Climate-related Financial Disclosures and implementation of an Audit and Assurance Policy.
All of this is expected to be overseen by a new, strengthened Regulator, the Audit, Reporting and Governance Authority (ARGA) who will provide oversight of Audit Committees and will likely benefit from increased ability to enforce the Act not dissimilar to the Public Company Accounting Oversight Board (PCAOB) and Securities and Exchange Commission (SEC) within the US.
For many organisations not already listed in the US, this will require a lot of effort to assess, build and implement a new controls operating model, develop a risk-based controls framework and embed the necessary technology to deliver. The time to act is now to deliver on these requirements.
Area of Focus | Description |
Readiness assessments | Internal Audit should be a key partner to the business in assessing readiness, through: |
Technology | Implementing technology (e.g. GRC solutions) to support the operation of controls and how assurance is gained will be critical. Increasingly, the implementation of technology should support assurance activity by identifying, analysing and visualising data to identify outliers and understand root causes. |
Programme assurance | Planning and implementing these changes is likely to require significant effort from businesses not already listed in the US. Internal Audit functions should therefore view project plans to deliver compliance, review project effectiveness and provide recommendations for continual improvement throughout the implementation journey. |