Financial Services Internal Audit Planning Priorities 2023
Below we highlight areas that are new to Internal Audit, as well as those we believe will receive greater focus in 2023. We hope this informs your 2023 planning and assurance approach.
A ‘Risk Intelligent Culture’ supports and comprises appropriate risk awareness, behaviours and judgements about risk‐taking. There are 7 key characteristics of a Risk Intelligent culture in an organisation:
Expectation of challenge: People are comfortable challenging others, including authority figures. The people who are being challenged respond positively.
Prompt, transparent and honest communications: People are comfortable talking openly and honestly about risk, using a common risk vocabulary that promotes a shared understanding of risk.
A learning organisation – continuously improving: The collective ability of the organisation to manage risk more effectively is continuously improving.
Universal adoption and application: Risk is considered in all activities, from strategic planning to day-to-day operations, in every part of the organisation.
Responsibility: People take personal responsibility for the management of risk and proactively seek to involve others when that is the better approach.
Understanding the value of effective risk management: People understand, and enthusiastically articulate, the value that effective risk management brings to the organisation.
Commonality of purpose: People’s individual interests, values and beliefs are aligned with the organisation’s purpose, business objectives, goals and strategy, and with its risk strategy, appetite, limits and approach.
Risk culture is an increasing area of interest for Supervisors, who can and do challenge firms on all the elements that determine their culture and risk culture.
Objectives for Internal Audit to consider while leveraging existing frameworks and data for insights in risk culture are:
Internal Audit can also leverage existing frameworks with insights through analytics, such as:
There are also some key questions for Internal Audit to consider in framing discussions on culture:
Key contacts: Jessica Sutherland
Diversity of thought and inclusive behaviours in financial services help deliver better consumer and market outcomes, including fair value, fair treatment, suitability, confidence and access. Firms need to be sufficiently diverse and inclusive to understand the needs of their customer bases. A lack of diversity could lead to inadequate challenge at decision-making levels, which in turn could lead to consumer and market harm. Inclusion is equally important: individuals should be able to express their views, speak up and raise concerns in a psychologically safe environment, supporting greater innovation and competition for customers and markets. Achieving major change takes personal commitment from everyone in an organisation. This includes leaders, who must prioritise improving diversity and inclusion, exemplify what inclusion means, and be held accountable for outcomes to ensure progress is made. Further, many organisations adopt a structured approach to diversity and inclusion that is focused on standalone projects, which do not address the underlying cultural barriers that exist and fail to integrate diversity and inclusion into business processes.
Discriminatory practices are inherently objectionable. Internal Audit has both an opportunity and an obligation to help an organisation to foster a diverse and inclusive culture.
A diverse workforce and inclusive culture are essential components of successful organisations, correlated with improved job performance, reduced turnover, and decreased absenteeism.
Diversity, equality, and inclusion are critical attributes for job-seekers, and organisations that embrace DEI will have an advantage in recruiting and retaining top talent.
Internal Audit, with its broad perspective on risk and its extensive relationships across the organisation, is uniquely suited to help assess the current state of DEI in the organisation and advise on appropriate paths forward. This includes serving as a catalyst by advising on risk indicators and KPIs; assessing whether DEI programmes are meeting their intended objectives; and reporting results to the Board, Committees and senior leaders. Internal Audit should be on the lookout for, and advise against, any quick-fix or shallow solutions proposed or enacted by Management. If the DEI initiative seems like a band-aid approach, employees and the marketplace will quickly take note. Specifically, Internal Audit should:
Key contacts: Rachael Knight
In a rapidly transforming and uncertain world, effective risk management continues to be critical. Expectations of boards, regulators and other stakeholders in relation to risk management have undergone a ‘step change’ across all sectors in response to the COVID-19 pandemic and, most recently, the conflict between Russia and Ukraine. It is important that firms ensure:
(1) they can monitor and react to, current and emerging risks;
(2) their risk management frameworks and controls are effective, embedded and matured in line with the growth of the business and changes to its risk profile; and
(3) the risk management function has sufficient resources, capability and status to have a positive impact on decision-making.
To support this, Internal Audit needs to review risk management and provide an independent view of its effectiveness, in its role as the Third Line of Defence supporting the Board. This also helps Internal Audit functions meet regulatory expectations and the requirements of the Internal Audit Financial Services (FS) Code of Practice.
Area of Focus | Description
Design Maturity and Embeddedness of the Risk Management Framework |
Risk Reporting | Internal Audit should regularly assess the quality and appropriateness of Board-level risk information and reporting from the First and Second Lines of Defence. This should include whether significant matters that pose a threat to risk appetite and to the achievement of the organisation’s strategic objectives are escalated promptly, and the overall quality of the supporting narrative and analysis. Internal Audit should provide assurance on the quality and reliability of risk information governance and reporting arrangements, and on the extent to which these allow for informed risk management decisions and contribute to the right risk culture.
Adequacy and Effectiveness of the Risk Function | Internal Audit should understand the stature and prominence of the independent risk management function and, in doing so, should assess:
Key contacts: Adam Roberts and Mike Kirkman
The Financial Conduct Authority (FCA) expects asset managers’ investment governance to be robust. This includes the processes for governance and oversight of risk exposures across all asset classes and the entire business model, including outsourced activities and counterparty risk monitoring. Firms should have controls, governance and oversight to monitor and manage risks throughout the investment process, ensuring clients’ interests are prioritised. This becomes even more important given the increased FCA focus on preventing and reducing customer harm, as evidenced by the Business Plan for FY 2022-23. Further, it is essential that firms can demonstrate robust controls around compliance with investment mandates and guidelines, including accurate and timely monitoring against investment guidelines, identification of active and passive breaches, internal escalation of such breaches, and communication to customers.
Area of Focus | Description
Governance |
Risk Exposures | Review whether risk exposures for key financial risks are monitored against the Board-approved risk appetite at adequate intervals. Further, assess whether any breaches are identified, escalated and resolved on a timely basis.
Investment Restrictions | Assess the oversight in place to ensure investment restrictions or guidelines are set up completely and in a timely manner, in line with the Investment Management Agreements for Fund Documents. Also, review the controls in place to ensure timely identification, escalation, reporting and resolution of active and passive breaches of investment restrictions.
Outsourced Investment Management Functions | Evaluate the oversight arrangements over outsourced investment management functions. This includes assessing the timeliness of required information relating to portfolio composition, performance, risk management, compliance with investment guidelines and any operational lapses.
Management Information | Review whether management information provides an adequate level of detail on a timely basis. Also, evaluate whether the management information serves to forecast foreseeable risks rather than being a reactive mechanism for risk events that have already materialised.
No organisation operates in isolation. While not every organisation is increasing the volume of engagement with third parties in its ecosystem, we are seeing a trend of organisations becoming increasingly reliant on third (and fourth) parties. Reasons for this include the nature of the relationships, how bespoke the services are (making substitutability challenging), or even how ‘close to core’ the services are. Regardless of the reason, increasing reliance on a third-party ecosystem is clear, and this makes the management of that ecosystem even more important. Furthermore, the financial impact of a failure in this ecosystem is costly (through fines, loss of custom or reputational damage). In addition, increased regulatory scrutiny and prescriptive requirements (as part of the third-party and operational resilience regulations) have rapidly increased the focus on third-party risk, as firms have seen accelerating digitisation across entire operations, with traditional services and operating models requiring unprecedented changes to new ways of working in a short space of time.
Regulators provided more clarity and greater harmonisation of third-party risk regulations in 2022, giving increased direction for firms operating across multiple jurisdictions, greater linkages between third-party management and operational resilience across group-level entity structures, and heightened data security requirements, including for use of the cloud. Our experience has shown that firms which acknowledge the cross-functional nature of third-party risks and implement third-party oversight in a holistic manner, enabled through technology, achieve far greater clarity and consistency than firms that assess individual third-party risks in siloed teams.
While financial services Internal Audit functions will already be aware of some regulatory requirements, there have been significant new regulatory developments in 2021/22 on third-party risk that have broadened requirements for firms.
The Prudential Regulation Authority’s (PRA’s) Supervisory Statement (SS) 2/21, ‘Outsourcing and third-party risk management’, was published in March 2021 and came into effect on 31 March 2022. The statement makes it more explicit that firms are expected to assess the risks and materiality of all third-party arrangements, including those that do not fall within the definition of ‘outsourcing’, and clearly articulates that materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach.
The Financial Conduct Authority (FCA), in collaboration with the Bank of England and the PRA, is planning to launch a discussion paper in 2022. The paper will propose an oversight regime under which the supervisory authorities set resilience standards, a testing approach and enforcement powers for Critical Third Parties. The responses will be used to inform a consultation in 2023.
As per the 2022 FCA Business Plan, there is an increased focus on improving oversight of Authorised Representatives (ARs). An AR carries out regulated activity under the responsibility of an authorised firm. The authorised firm (the Principal) is responsible for making sure that the AR is fit and proper and complies with the rules. The FCA is consulting (CP21/34) on changes to the current regime in order to:
The final rules were published during August 2022 via Policy Statement PS 22/11 with implementation due in December 2022. Please also refer to section 4.2 ‘Improving the Appointed Representatives Regime’.
Internal Audit should consider if the firm has an adequate Third-Party Risk Management (TPRM) framework embedded across the business and should examine this from both a design and an operating effectiveness perspective:
Design effectiveness:
Assess if the following factors are designed adequately:
Operating effectiveness:
Assess control performance in the following areas:
Hot Topics - Given the increased regulatory scrutiny, particular focus should be given to understanding how the TPRM framework assesses and monitors financial insolvency, operational resilience, subcontracting risk and digital risk. For example, Internal Audit should understand how the business is utilising tools that give access to real-time information to supplement the more traditional ‘point-in-time’ data that is collected; we are seeing this become a key funding priority as firms continue to respond to the pandemic.
Regulatory Compliance - Assess adherence to key regulatory requirements, including the:
Key contact: Talal Sangar Raja
In recent years, the regulatory and governance framework in financial services organisations has become increasingly complex, with remuneration forming a key part of this framework. Across the banking, asset management and insurance sectors, remuneration continues to be a key area of focus for UK and EU regulators, given the link between risk, reward and individual accountability. Remuneration structures, policies and processes have been subject to a significant amount of regulatory change and evolving regulatory guidance within the UK and at EU level relating, for example, to how firms should identify their “Material Risk Taker” population and how variable remuneration should be determined and allocated to individuals based on performance, while ensuring that variable remuneration is appropriately adjusted for risk and does not impact a firm’s ability to maintain a sound capital base. For banking and asset management firms, UK and EU regulations require that the implementation of their remuneration policies be subject to a central and independent internal review on at least an annual basis. For insurance firms, such reviews are also highly advisable as they are a key means by which a firm’s board can help to ensure that it is discharging its responsibility for the oversight of the implementation of the firm’s remuneration policy.
Design: Review the processes in place around the current remuneration policies, remuneration governance frameworks and disclosures to ascertain whether they are compliant with the applicable reward regulatory requirements, including:
Implementation: Test the implementation of remuneration processes and procedures underpinning the remuneration policy to ensure they are robust and effective and are being operated in compliance with the applicable rules and regulatory guidance:
Future state: Consider how the firm is adapting to future regulatory requirements via review of the firm’s readiness for future regulatory changes in reward (e.g., changes introduced under the IFPR or the EU IFD rules).
Reward structures: Assess whether the remuneration and incentive arrangements across all parts of the business are effective in encouraging a customer-centric culture and do not encourage inappropriate risk-taking.
Key contacts: Jessica Sutherland