Internal Control Transformation in the Financial Services Industry

1. Overarching relevance of internal controls

Optimised internal controls are essential in accomplishing key goals and objectives by ensuring that the relevant risks are being mitigated by the relevant controls which ensure effective and efficient operations.
Optimised internal controls entail:

• Standardisation: controls are consistently designed and implemented across the various company levels and functions, which is facilitated by enhanced documentation of controls
• Overarching scope: all potential risk factors are considered and mitigated to ensure complete risk management
• Cultural alignment: overarching awareness of controls throughout the company staff with a clear assignment of roles and responsibilities
• Continuous review: integrated assessment of controls with effective testing of the design and operating effectiveness of the controls. This is optimally accompanied by structured reporting to management
• Leveraging data: Rapid digitalisation has brought new technologies and digital tools into the financial services industry, with the potential to increase process efficiency by automating them. Technological innovations such as Expert Monitoring Systems (EMS), data mining and analytics offer promising possibilities for automated internal control processes.

2. Reviewing internal controls processes

The aim of robust internal controls is to effectively mitigate the company’s risks. Given the changing nature of risks, regular assessments of the existing business processes are required to ensure that the internal controls are covering all relevant risks. By anticipating and identifying risks for the business proactively, companies are ensuring that preventive and detective controls are in place which optimizes business operations as well as the corresponding financial and reputational risk.

a. The importance

The role and expectation of the internal control framework is evolving as it is no longer a mere ‘tick the box’ function but must provide true value to the business. It is therefore central for internal controls to provide more value and insights for the business. By identifying potential gaps and shortcomings and subsequently implementing the recommendations, companies will enhance risk management, optimise cost, and improve the performance of its preventive and detective controls. Moreover, the financial services environment is constantly evolving, and it is essential for companies to stay up to speed and implement new controls as a result of a change in the company’s strategy, new product offerings, new regulations, or emerging technologies.

b. The assessment

An internal control assessment contains several layers and deep dives into various features of the existing processes.

Phase 1: Process inspection: Identifying and reviewing current processes and assessing these against the key risks identified and relevant regulations in place

Phase 2: Design review: Deep diving into the design of the controls (mainly done through process walkthroughs) and evaluating it critically against best practices in the sector and regulatory recommendations

Phase 3: Operating effectiveness: Testing the operational implementation of the described as well as documented controls and measures in the company. This includes for example an evaluation of the monitoring capabilities

Phase 4: Improvement: The three review phases mentioned above lead to the creation of individual assessments and detailed documentation of key issues and gaps. This review is accompanied with a series of recommendations to fill the potential gaps and therefore increase the efficiency and effectiveness of the controls. These recommendations are aligned and defined with clear action points and a timeline for resolving the identified issues.

3. Deloitte value-add

Having highly effective internal controls in place to mitigate all pivotal risks (as well as the constant assessment thereof) is challenging throughout the financial services industry but we are here to help you. This could be for selected processes, specific risks you are worried about, or for an overall holistic assessment. But why should we be the ones helping you? We offer a unique team of knowledgeable subject matter experts (SMEs) who understand the processes we are looking at. Furthermore, our highly trained interviewers are part of the team who ask the right questions during the walkthroughs in order to understand how the process is really designed (not just looking at the documentation). Lastly, we have certified (internal and external) auditors as part of the team who are trained in analysing the internal controls, spotting gaps and knowing what is required from a regulatory perspective. This combination of technical know-how, knowing how to speak and comfort your employees, and audit skills enables us to support you in assessing your processes and corresponding controls. Furthermore, this provides us with the opportunity to transform your organisation toa point whereby you have the assurance that your risks have been mitigated by the correct controls. Assisted by our technology partners in Deloitte, we can automate and digitalise your assessment and control processes and advise you on how to best leverage these tools.

Our service offerings in internal control framework assessment consist of:

• Design assessment: We can assess and whether the controls have been designed effectively to mitigate the risks in the corresponding processes. The identification of areas of improvement including specific actions are part of this assessment.
• Operating effectiveness testing: We can deep dive into the implementation of processes and controls and test whether they are functioning properly. Also for this service, potential areas of improvement and which specific actions to take are part of the testing.
• Fraud risk assessment: We can support you in identifying potential (internal and external) fraud areas. This can be done through a holistic maturity assessment or a focused review of individual processes