Financial Services Internal Audit Planning Priorities 2022

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

5.1. Product Governance

The Markets in Financial Instruments Directive (MiFID) II was implemented across the industry with considerable regulatory uncertainty and continues to pose challenges to firms who manufacture and distribute investment products. This uncertainty has resulted in many firms focussing on updates to, or the creation of, Product Governance policies and tactical solutions, with the strategic implementation of a robust Product Governance framework still in flight. Product Governance remains a key consideration of the Regulator. Asset managers and distributors should prioritise effective co-operation to address potential harm to consumers from poor product design. It is important that Internal Audit teams are considering product governance arrangements in the four main areas identified by the European Regulators as key findings: product design, product testing, distributors, and governance and oversight.

Firms, as product manufacturers, should take the MiFID II product governance requirements into account, particularly the interests of the end clients, throughout the product lifecycle.

Some asset managers are not undertaking activities in line with the MiFID II requirements regarding Product Governance. In particular, asset managers (i.e., manufacturers in this context) are finding it challenging to obtain information about end consumers from distributors. Due to data confidentiality and other commercial sensitivities, distributors rarely pass this information on to asset managers, hindering their ability to meet good practice on product governance.

Most asset managers do not consider a ‘negative target market’ (i.e. where a manufacturer has defined criteria for whom the product is not intended), and for several firms conflicts of interest frameworks were not effective.

In some cases, cost information shown in marketing documents did not match the information in regulatory documents such as the Undertakings for the Collective Investment in Transferable Securities Directive (UCITS) Key Investor Information Document (KIID).

Area of Focus

Product design


The European Regulators expect firms to identify, manage and mitigate potential conflicts of interest (COI) when providing a service and state that just having a ‘COI framework’ is not sufficient. Internal Audit teams should therefore be focusing their activity in this regard on assessing the design and operating effectiveness of the firm’s COI framework to ensure that any potential COI are being managed appropriately and to establish whether the product approval process also considers COI. Not managing conflicts could be a breach of applicable regulatory requirements.

In addition, Internal Audit should undertake regular reviews of products to determine whether the target market is defined for all products, including an assessment of whether a negative target market is captured. MiFID II requires asset managers to specify the type of clients the product is not compatible with. Internal Audit should also determine whether the risk/reward profile is consistent with the target market.

Product testing

Internal Audit should consider whether all products are subject to regular review and should assess the appropriateness and robustness of the firm’s scenario and stress testing, including the operating effectiveness, in order to ensure compliance with the MiFID II requirements. As part of this, Internal Audit should consider who determines whether scenario testing is robust and whether this determination is suitable. Internal Audit should also undertake regular reviews of cost and charges disclosures to ensure accurate information is captured.


Distributors

Due diligence allows asset managers to establish whether their distributors’ intended product recipients match the product’s target market. Failure to do so may result in investor harm. Internal Audit teams should be assessing the quality of management information (MI), whether product MI covers all elements of risk management and whether trigger events are identified.

Governance and oversight

Internal Audit teams should look to assess the adequacy of design and operational effectiveness of how the Second Line of Defence and product governance related Committees offer meaningful challenge. The European Regulators identified that this challenge is not always sufficient and the role of the Second Line of Defence is often poorly defined. Internal Audit should determine whether the roles and responsibilities relating to product governance are clear and documented.