Below we highlight new areas relevant to Internal Audit, as well as those areas we believe will receive greater focus in 2023. We hope this informs your 2023 planning and assurance approach.
Financial crime continues to be an area of regulatory focus. In previous years, insight papers have highlighted how regulated firms still struggle with key areas of the risk-based approach such as governance, customer risk assessment, customer due diligence, and monitoring. Recent Financial Conduct Authority (FCA) publications have placed a specific onus on regulated firms to address failures proactively and be able to demonstrate how they have successfully implemented change. This year’s FCA Business Plan suggests that the FCA intends to be a more assertive regulator, promising to use its enforcement and intervention powers more proactively, continuing on the path started in 2021 with the criminal prosecution of a large bank for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) failings.
The conflict in Ukraine has placed a renewed emphasis on Sanctions compliance. Firms now face a sharp increase in the number of Specially Designated Nationals and Blocked Persons, compounded by new penalties applied for breaches. The FCA has also confirmed that it expects the rise in fraud incidence observed during the COVID-19 pandemic to abate slowly, as the tools put in place to control its spread begin to take effect.
Area of Focus: Financial Crime Frameworks
Description: Internal Audit should continue to focus on reviewing the keystone features of financial crime frameworks (EWRA, CRA, CDD / EDD, screening, and TM) to ensure they are designed to maximise firms’ management of financial crime risk while not interfering with important themes such as financial inclusion.
Area of Focus: Sanctions Risk Management
Description: Internal Audit should place particular focus on how CRA and EDD have been adapted to the current heightened risk of Sanctions evasion, particularly where beneficial ownership is less transparent and higher-risk jurisdictions are involved in the ownership chain. Customer screening should also be taken into careful consideration as a fundamental tool supporting CDD and ongoing due diligence (ODD).
Area of Focus: Fraud Risk Management
Description: Internal Audit should place renewed emphasis on firms’ ability to manage fraud risk effectively. This should comprise establishing whether firms assess their exposure to fraud risk and respond appropriately by designing and enhancing their fraud risk control environment.
Area of Focus: Implementation of Financial Crime Programmes
Description: Internal Audit should assess whether financial crime change programmes are tracked to completion while benefitting from ongoing senior stakeholder information and challenge. Specifically, firms should have clear project plans outlining milestones, accountabilities and delivery dates. Senior management should also be tracking projects and ensuring that key deadlines are being met. The Risk Committee, the Audit Committee and the Chief Executive Officer should be involved in order to ensure appropriate governance and challenge.
Area of Focus: Challenger Banks and Crypto Asset Providers
Description: Internal Audit should continue to challenge the maturing financial crime compliance framework against the MLRs and industry guidance to ensure that these firms are proactive in improving adherence to regulations while their business grows and evolves. Where the firm offers crypto assets, Internal Audit should understand how the business achieves compliance with the FCA’s guidance on cryptocurrency.
Key contacts: Katie Jackson, Zeynep Ersoz and Francesco Trifilo
According to the Association of Certified Fraud Examiners’ (ACFE) 2022 report on occupational fraud, remote working was the factor most commonly cited as a significant contributor to fraud. Another emerging cause of fraud risk in 2022 has been the conflict in Ukraine, which has exacerbated already fragile supply chains and rising commodity costs, including crude oil, metals and grain, contributing to historic levels of inflation and rapidly rising interest rates. The strain on organisations leaves them susceptible not only to internal management fraud but also to external threats, including cyber attacks. As fraud prevalence continues to remain on the public agenda, regulatory initiatives have been introduced, aiming to help auditors and organisations tackle the threat and restore confidence in the markets. For regulated financial firms, this includes the Financial Conduct Authority’s (FCA) three-year Business Plan, which has set out a commitment to “reduce and prevent serious harm” as a result of fraud.
Area of Focus: Consider the Risk Assessment
Description: The fast-changing economic outlook demonstrates the importance of a dynamic fraud risk assessment. What might have constituted a reasonable risk assessment six months ago may no longer be suitable as new risks arise. Internal Audit should consider challenging management on changes to the firm’s risk appetite vis-à-vis the present outlook. By extension, it should seek to understand and quantify the key gaps and vulnerabilities given the emerging new risks, such as those resulting from the conflict in Ukraine and rising inflation.
Area of Focus: Assess the Design of the Framework
Description: Internal Audit should also consider the robustness of the existing fraud risk framework. An optimal framework should not only take into account the risk assessment but should also incorporate the governance through which the organisational tone and culture are set. Its design should reconcile identified risks with effective controls to help with the detection and prevention of fraud. That latter undertaking may not always be fully understood in-house, for example where highly sophisticated cyber attacks emanating from state-sponsored actors are able to overwhelm internal capabilities. As such, input from a team specialising in fraud risk should be considered. The framework should also include timely resolution of fraud instances and, lastly, have a ‘refresh’ aspect to make it sustainable, especially given the speed at which recent crises have unfolded.
Area of Focus: Changing Nature of the Regulatory Landscape
Description: Increased regulatory scrutiny is evidenced by the examples shown opposite. With the Audit Reform bill on the horizon, the government has now issued its response to the Business, Energy & Industrial Strategy (BEIS) White Paper consultation. Notable changes include the widening of the scope of Public Interest Entities (PIEs) and the requirement for a Directors’ statement on the effectiveness of internal controls and the basis for that assessment. Other potential legislation includes the Online Safety Bill and a corporate criminal liability law. This evolving regulatory landscape will have implications for organisations as well as auditors. For Internal Audit, collaboration and interaction with key stakeholders, including Regulators, as well as coordination with other risk, control and compliance functions, will allow for a proactive understanding of the fraud risk threat environment in line with regulatory expectations.
Key contacts: Mark Cankett , Fraser Beveridge and Christos Doumas
The market capitalisation of digital assets has seen substantial growth in recent years and even after the recent tumultuous period it is still highly valued at $993bn*. This market continues to show potential to increase further and reshape activity currently taking place in the traditional financial services sector to meet an array of business and consumer needs. Activity to adopt the widespread use of Cryptocurrency and Digital Assets continues at pace, for example: Security tokens present a $17bn* market capitalisation, Stablecoins are valued at $153bn*, Decentralised Finance (DeFi) is valued at $53bn*, and 17 Central Bank Digital Currencies (CBDC) have been launched as pilots. The digital assets ecosystem is also in a state of major evolution with further institutional interest from major banks and asset managers and several new businesses entering the UK market with Electronic Money Institution (EMI) and Authorised Payments Institution (API) applications to the Financial Conduct Authority (FCA). The issuance of CBDCs and Stablecoins is on the agenda of all major Central Banks including the Bank of England (BoE). As regulations evolve and further licensing requirements come into force, firms will need to assess their business models and strategy to align with their local regulatory perimeter requirements.
* Data obtained from CoinMarketCap. These values are subject to change on a daily basis.
Regulatory Framework Developments:
Cryptocurrency / Digital Assets Adoption:
Prudential Regulation Authority (PRA) Dear CEO Letter (March 2022):
Area of Focus: Existing Regulation
Description: Given the pace of UK Treasury and BoE consultations around potential upcoming regulation in the Digital Assets sector, it will be key for Internal Audit to:
Area of Focus: Emerging Regulation
Description: Internal Audit should:
Area of Focus: New Products and Services
Description: As firms consider new products and services relating to Digital Assets, Internal Audit will have a key role to play in providing assurance that the business maintains a robust Risk Management Framework (covering financial risk, AML / CFT and new technology risks) that anticipates and appropriately evaluates the new risks posed by Digital Assets products. Internal Audit should review and challenge the New Product Approval process, including asset class valuation processes and controls, to help ensure the business complies with relevant regulatory requirements. Internal Audit should also challenge, assess and report on how well management and those charged with governance understand and monitor the risks they face within their current crypto product set in this volatile and evolving environment.
Key contacts: Nikhil Kulkarni and Sarn Saundh
Transaction reporting underpins the ability of national competent authorities (e.g., the Financial Conduct Authority (FCA)) to investigate potential instances of market abuse and thus it continues to be important that firms can comply with the obligation to provide transaction reports that are complete, accurate and timely. Firms should regularly reconcile the reports provided to their competent authority with the data in their books and records, along with the data reported to and by their Approved Reporting Mechanism (ARM) to ensure that reporting is complete and accurate. The potential financial and reputational impact on a firm for failings in its transaction reporting could be damaging, with two recent fines in early 2022 amounting to more than £34m and £27m, respectively.
Area of Focus: Governance and Control Framework
Description: Reperformance, the use of audit technology and a risk-based approach are essential for Internal Audit to be effective in challenging management's processes and controls. Specifically, Internal Audit should:
Area of Focus: Data Governance
Area of Focus: Reconciliation
Key contact: Andrew Broughton
The UK Government published its highly anticipated consultation on its Review of Solvency II during April 2022. The proposals form part of wider changes proposed by the Government to the UK’s financial services regulatory framework, and broadly aim to achieve two key objectives – 1. free up Insurers’ capital to enable investment in green infrastructure and projects and 2. maintain the UK’s competitiveness by going “further and faster to capitalise on the UK’s Brexit freedoms and level up the country”. The Prudential Regulation Authority (PRA) has also published its own discussion paper (DP2/22 – Potential Reforms to Risk Margin (RM) and Matching Adjustment (MA) within Solvency II) complementing the Government’s proposal. The PRA is seeking the industry’s views around the reform options for RM and in particular, the calibration of the fundamental spread (FS) within the MA. The Government’s proposed reforms aim to unlock significant investment by Insurers into UK infrastructure, venture capital and growth equity, and other long-term productive assets, as well as investment consistent with the Government’s climate change objectives. This is one of the ways the Government is capitalising on its post-Brexit freedom, ensuring that UK regulations are tailored to the needs of the UK economy, rather than the needs of 28 countries across the European Union (EU).
The consultation sets out detail on the proposed reforms, including:
The PRA’s Discussion Paper (DP) outlines its assessment of the proposed reforms for RM and the MA and discusses the potential combinations of reforms to the FS and RM in line with statutory objectives. Both the PRA’s DP and the UK Government’s consultation closed for responses on 21 July 2022. While the consultation and DP continue to remain largely silent on the impact of these changes on the Solvency CR to materially change as a result of the FS changes. The PRA has launched a Data Collection Exercise to further explore this. The PRA also hints that a move to a new calculation mechanism may be phased in over a period of time giving firms and the PRA more time to reflect any required changes within the Internal Model.
With such large RM reductions on the horizon, Life Insurers should consider re-evaluating their approach to:
Area of Focus: Changing Regulatory Landscape
Description: Internal Audit’s position within the organisation is uniquely suited to supporting management in assessing the impact of the anticipated reforms to Solvency II, by undertaking an assessment of management’s response to them.
Area of Focus: Process and Control Re-designs
Description: Internal Audit, with its broad perspective on risk and its extensive understanding of the existing processes and controls supporting Solvency II requirements, is well positioned to review and assess the new processes and / or controls re-designed by management in support of the Solvency II reforms and to advise on appropriate paths forward.
Area of Focus: Board Investment Strategy
Description: Internal Audit should review the Board’s investment strategy to assess whether it aligns with the Government’s objectives and regulatory expectations, and perform an assessment of management’s actionable plans in line with the Board’s strategy.
Area of Focus: Policies and Procedures
Description: Internal Audit should assess whether existing policies and procedures supporting the calculation of FS, RM, MA, CRP and SCR have been updated and reflect the proposed changes as approved by management.
Area of Focus: Business Impact
Description: Internal Audit should review and evaluate management’s response to the large RM reductions, including but not limited to:
Key contacts: Brandon Choong and Manan Shah
The recently published Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) Business Plans for 2022/23 demonstrate that Operational Resilience remains a top UK supervisory priority. By 31 March 2022 firms were expected to identify and map their Important Business Services, set Impact Tolerances, commence scenario stress testing programmes to identify vulnerabilities, produce ‘Self-Assessments’, and ensure appropriate governance arrangements are in place. Whilst the past 12 months have been very demanding, the resilience journey is only just beginning. The three-year ‘transition period’ for the policy runs until 31 March 2025, and the actions that firms take in that time will be critical to their success. Their focus must now shift to addressing the initial operational vulnerabilities identified, expanding the depth and breadth of mapping and testing to detect and address additional vulnerabilities, and embedding Operational Resilience into the whole operating model to withstand severe but plausible disruptions.
The first key regulatory deadline has now passed as of 31 March 2022; Operational Resilience should remain a key priority and an area of focus for Internal Audit. Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, that vulnerabilities have been identified, and that there is a focus on the remediation activities to complete in order to demonstrate that Important Business Services can operate within their impact tolerance by no later than 31 March 2025.
Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key focus and challenge for Boards and senior management over the next three years:
Where smaller businesses are not currently required to comply with Operational Resilience-related regulatory requirements, some are nonetheless challenging themselves on how Operational Resilience is achieved through the existing controls in place, with proportionate enhancements taking place to identify important business services and map these to the resources in place, e.g. technology, data, people, processes, suppliers and facilities.
It is expected that Internal Audit will already have identified Operational Resilience as important, due to the continued focus on this topic by businesses and the Regulators’ focus on this area. As a result, Internal Audit should have either scheduled or delivered a review of the progress made to assess and respond to the final policy statements. The majority of Internal Audit functions we engage with across the Financial Services sector have already performed a number of reviews on the topic. With the current direction of travel, even Internal Audit functions at organisations that are currently out of scope for the regulations should be considering and challenging management on whether the operational advantages of proportionate compliance with the regulation warrant attention. There is now a need to move from programme readiness assessment reviews to broader engagement with the business, including progress against management’s remediation of vulnerabilities, further embedding of the framework and continued development of scenario stress testing. The key areas of focus for Internal Audit functions moving forward should be:
Key contacts: Daniel McCatty and Mark Westbrook
Artificial Intelligence (AI) is becoming increasingly common in business processes throughout the Financial Services (FS) sector. FS firms deploy AI across multiple service lines and are now harnessing its power in areas such as compliance, fraud detection, resume screening, credit scoring, product pricing and product recommendations, to name a few. Despite its growing use, we have seen that senior management is often unaware of exactly where and how AI is used, and of the nature and extent of the risks faced by their organisation in relation to its use. Moreover, Regulators are becoming increasingly active in their efforts to protect consumers from algorithmic harms such as bias that leads to discriminatory or unfair outcomes, outputs that mislead consumers or distort competition, and the collection of personal data that infringes on privacy rights. Thus, the growing use of AI systems in the FS sector requires an increased awareness of the risks inherent in those systems and an improved ability to manage those risks. This requires formalising an AI risk management framework and ensuring that teams in the Second and Third Lines of Defence have the required skills, knowledge and experience to independently assess and provide assurance over the effectiveness of the AI control framework.
Area of Focus: Awareness of Regulatory Obligations
Description: The regulatory environment related to AI is rapidly evolving, and Regulators and industry bodies are still in the process of developing audit and assurance guidelines for AI systems. Therefore, Internal Audit should:
Area of Focus: Governance and Control Frameworks
Description: Firms should re-assess their AI control frameworks to ensure that they are appropriate for the governance of a highly complex and rapidly evolving technology. Internal Audit should:
Area of Focus: Flexible Approach
Description: The planned audit scope should be re-assessed each year to allow for evolving technology and changing regulatory requirements. A risk-based approach, which takes into account the purpose and the level of complexity of each system, can be considered for assessing the different AI systems in use across the firm.
Key contacts: Roger Smith and Barry Liddy