No results found
Financial Services Internal Audit Planning Priorities 2022
Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.
As organisations grow in both complexity and the rate at which they change, it is increasingly clear that traditional Internal Audit methodologies, such as annual planning, may fail to identify key business risks as they arise. Whilst adopting an agile mindset and approach serves to address this issue through rolling wave planning, constraints on time and resources have driven leading Internal Audit functions to consider ways in which they can use technology to adopt a more dynamic approach to risk assessment. Dynamic risk assessments enable organisations to robustly monitor and identify risks in time to take action, and many are taking this further by considering how they can perform continuous risk assessments, which offers the unique potential of enabling far greater coverage with the same resources using real-time assurance models, and can provide significant savings in cost, improved foresight, and better levels of assurance provided.
Enhancing the approach to First and Second Line risk assessment will enable efficiencies across organisations, including a risk-based approach to asset allocation (people and technology) and a consistent mechanism to discuss risk across the business.
This approach can promote coordination with multiple functions and alignment of resources and risk coverage but also elevate the dynamism of the Internal Audit assurance response.
To achieve true dynamism, it is important that Internal Audit make risk assessment more real-time by driving audit focus and ensuring that the function is adaptive, responsive and identifies the right risks. Internal Audit functions should reflect on their remit, and where necessary they should re-focus this to become more forward looking, anticipatory and advisory, so that not only can they provide better assurance but can add much more value to the business. Further, Internal Audit should champion the enhancement of First and Second Line risk assessment approaches to introduce more data-driven, real time and high frequency monitoring to support the risk assessment approach. Internal Audit should also look to leverage the enhancements to the risk assessment process across the First and Second Line of Defence for its own annual, periodic and real time risk assessment and planning processes. The following areas should be considered:
Key contacts: Russell Davis and Sarn Saundh
High impact reporting, including the use of alternate reporting methods to replace or accompany traditional reports in order to deliver impactful insights, has long been a key enabler for the next generation of leading Internal Audit functions. Faced with potentially the most significant economic challenges that the UK and other global markets have seen in a generation, it’s now more important than ever for Internal Audit to report faster, engage with stakeholders more quickly, and find new ways to add value (while simultaneously replacing processes that have historically been manual, ad-hoc, and unsustainable).
This was echoed in Deloitte’s 2020 Global Audit Committee Survey, which collected insights from over 60 Board Members, Audit Committee Chairs, and Audit Committee Members, from across more than 140 companies and 20 countries, including every major industry sector; 63% of Survey respondents said Internal Audit should be faster at reporting the results of their work, and there is a need to tailor output to better inform stakeholders of emerging concerns before they become critical.
As Internal Audit has responded to changing business risks in light of the COVID-19 pandemic, there has been a need for more flexible reporting mechanisms to allow stakeholders to receive Internal Audit’s points of view in a near real-time basis. Navigating these turbulent times has accelerated the plans which many institutions had in place to re-shape and digitise operations.
During this period, functions have increasingly moved away from traditional reporting methods and we have seen greater adoption of alternative, more agile reporting techniques such as ‘hot reviews’, unrated reporting, e-mail reporting, mid-review points of view (‘POV’ reporting), and oral feedback as alternatives. This, among other developments, has provided opportunities to enhance audit methodology for the longer term as opposed to just a short term or temporary response.
Internal Audit needs to rethink and innovate to improve the relevance and value of its Audit Committee reporting.
The following steps should be considered:
Key contacts: Russell Davis and David Tiernan
As we near the end of 2021 many organisations will be grappling with how to respond to a post COVID-19 restrictions work environment and the challenges that it will bring. The successful rollout of vaccination programmes and the end of Government schemes to support workers who cannot work remotely will create a trend of organisations and their employees returning to work. The workplace that the employees return to and the economic environment in which their organisations operate may be very different to the pre COVID-19 environment and organisations and employees need to be able to adapt to this in an efficient and risk conscious way. For example, the economic impacts of the pandemic need to be factored into current business strategies such as lending into the commercial real estate sector, where cashflow, asset values and borrower credit quality will need to be reassessed. There will be heightened considerations around employee health, this is wider that legal obligations and will need to focus on issues such as operational resilience, for example how to keep a business running if your employees have an obligation to self isolate due to COVID-19 fears (such as the recent UK pandemic). We will almost certainly see organisations respond with future of work strategies whereby the workforce is increasingly remote and agile, this can have competitive benefits but also brings risks that need to be addressed such as remote working cyber risk challenges or the “virtual meeting” fatigue that employees have felt over the last year. Organisations should be considering all these risks and opportunities as part of their 2021 and beyond strategies and Internal Audit should be challenging the conclusions through ongoing stakeholder management, continuous monitoring and the 2022 Internal Audit Plan.
In 2020 we labelled the first phase of reacting to COVID-19 as Respond—In this phase organisations adapted to dealing with the initial impact of COVID-19 and Internal Audit functions had an important role to play to continue to provide critical Assurance, help Advise Management and the Board on the shifting risk and controls landscape and help Anticipate emerging risks. We recommended that functions should be:
The second phase we labelled as Recover—where Internal Audit had an important role to play in adjusting an organisation’s mind-set to the recovery objectives, providing assurance over key risks presented by inevitable changes, giving advice on the shifting control environment, and anticipating emerging risks. We highlighted three key areas of focus:
In the third and final Phase which we have labelled Thrive—we see an opportunity for Internal Audit to increase its value add and advisory role through undertaking quick agile “thrive” reviews with a focused scope covering a small number of key hypothesis questions and “Flash Reports”. Areas where we can see value from this approach include technology risk, commercial implications and people and the work environment.
Technology (incl. Cyber)
We recommend that Internal Audit functions focus on risks that will be increased due to the change environments, for example Cyber threats are magnified by change. There are risks that will arise from the physical environment changes for example how are controls from previously segregated areas such as trading floors going to be maintained in a hybrid model. Organisations will also need to assess what we term Control Debt, the extent to which controls were relaxed during the Respond and Recover phases, for example have exceptions been made to controls to take account of the previously unprecedented circumstances and do organisations know where these exceptions are or have plans to reverse them for example system access rights. Overall, the last 12 months have seen an acceleration of digitalisation and virtualisation and Internal Audits 2022 plans will need to take account of this.
Commercial implications
It is inevitable that there will be an increase in consumer distress that will create a need for greater sensitivity in relation to conduct risk and TCF. Internal Audit is well placed to challenge their organisations responses to this. There are specific sectors that will have been impacted and previous assumptions need be revisited for example risk appetite and risk profile changes for the leisure and hospitality sectors or commercial real estate. Many regulatory capital and liquidity regulatory obligations are dependent on customer behaviour modelling and these behavioural patterns may be distorted by COVID-19 for example the stability of retail current account balances with the retail sector largely closed there is a risk that an element of stability is assumed that will not be the case in a post lockdown environment. There are also strategic risks that need to be considered, for example new or accelerated client interaction models for example the evolution from branch-based banking.
People and work environment
There is a heightened awareness of the need for organisations to keep people safe and the legal and reputational risks of organisations getting this wrong are significant. Tis is wider than traditional HR and legal obligations and includes physical and mental wellbeing, stress management and the need for organisations to create a safe environment for Psychological safety-and the calling out of issues. Internal Audit should be assessing the risks that can arise from hybrid working models such as the challenges with building organisational and risk cultures remotely. The risk culture is a particular challenge for new employees, how do they benefit from their colleagues' experience of the control environment with remote mentors and supervisors.
Key contacts: Russell Davis and Dean Gilder
Did you find this useful?
If you would like to help improve Deloitte.com further, please complete a 3-minute survey
To tell us what you think, please update your settings to accept analytics and performance cookies.