Governance, Risk Management & Culture

Financial Services Internal Audit Planning Priorities 2022

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

4.1. Third Party Risk Management—Regulatory Requirements

No organisation operates in isolation. Whilst not every organisation is increasing the volume of its engagement with third parties, we are seeing a trend of organisations becoming increasingly reliant on third party relationships. Reasons for this include the nature of the relationships, how bespoke the services have become (making substitutability challenging), or even how ‘close to core’ the services are. Regardless of the reason, the increasing reliance on a third-party ecosystem is clear, and this makes the management of that ecosystem all the more important. Furthermore, the financial impact of a failure in this ecosystem is costly (through fines, loss of custom or reputational damage). In addition, the COVID-19 pandemic has rapidly increased focus on third party risk, as firms have seen accelerated digitisation across entire operations, with traditional services and operating models requiring unprecedented changes to new ways of working in a short space of time.

Regulators are providing more clarity and greater harmonisation of third party risk regulations in 2021, providing increased direction for firms operating across multiple jurisdictions, greater linkages between third party management and operational resilience across group-level entity structures, and heightened data security requirements, including for use of the cloud. Our experience has shown that firms which acknowledge the cross-functional nature of third party risks and implement third party oversight in a holistic manner, enabled through technology, achieve far greater clarity and consistency than firms that assess individual third-party risks in individual siloed teams.

While financial services Internal Audit functions will already be aware of a number of regulatory requirements, there have been significant new regulatory developments in 2021 on third party risk that have broadened requirements for firms.

The European Regulators now expect firms to assess the risks and materiality of all third party arrangements, including those that do not fall within the definition of ‘outsourcing’, and have clearly articulated that materiality, outsourcing and risk must be independently assessed and considered as part of a proportionate and risk-based approach.

In addition, the European Regulators' approach to branch and subsidiary supervision has started to focus increasingly on the risks that may arise from intra-group outsourcing. The Regulators do not necessarily consider intra-group outsourcing as carrying less risk than external outsourcing services, but they acknowledge that firms may adjust due diligence requirements and adapt contractual clauses depending on the level of ‘control and influence’ the firm has over the intra-group entity.

Internal Audit should consider if the firm has an adequate Third Party Risk Management (TPRM) framework embedded across the business and should examine this from both a design and an operating effectiveness perspective:

Design effectiveness: Assess if the following factors are designed adequately:

  • Overarching governance model;
  • TPRM framework and associated policies;
  • Appropriate allocation of roles and responsibilities;
  • Processes and controls to manage third party risks throughout their lifecycle;
  • Tools and technologies supporting the TPRM process; and
  • Appropriateness of metrics used to measure risk appetite and tolerance within the organisation.

Operating effectiveness: Assess control performance in the following areas:

  • Risk identification and assessment;
  • Third party selection;
  • Contract execution;
  • Role and responsibility allocation;
  • Ongoing monitoring and reporting assessment appraisal; and
  • Contract termination and exit or renewal management.

Hot topics—Given the uncertainty brought about by the COVID-19 pandemic, particular focus should be given to understanding how the TPRM framework assesses and monitors financial insolvency, operational resilience, subcontracting risk and digital risk. For example, Internal Audit should understand how the business is utilising tools that enable access to real-time information to supplement the more traditional ‘point-in-time’ data that is collected; we are seeing this become a key funding priority as firms continue to respond to the pandemic.

Regulatory compliance—Assess adherence to key regulatory requirements, including the:

  • Outsourcing guidelines published by the European Banking Authority, the European Securities and Markets Authority, the European Insurance and Occupational Pensions Authority and others.

4.2. Remuneration – Risk and Reward

In recent years, the regulatory and governance framework in financial services organisations has become increasingly complex, with remuneration forming a key part of this framework. Across the banking, asset management and insurance sectors, remuneration continues to be a key area of focus for EU regulators, given the link between risk, reward and individual accountability. Remuneration structures, policies and processes have been subject to a significant amount of regulatory change and evolving regulatory guidance at EU level relating, for example, to how firms should identify their “Material Risk Taker” population and how variable remuneration should be determined and allocated to individuals based on performance, while ensuring that variable remuneration is appropriately adjusted for risk and does not impact a firm’s ability to maintain a sound capital base.

For banking and asset management firms, there is a specific EU regulatory requirement that the implementation of their remuneration policies be subject to a central and independent internal review on at least an annual basis. For insurance firms, such reviews are also highly advisable as they are a key means by which a firm’s Board can help to ensure that it is discharging its responsibility for the oversight of the implementation of the firm’s remuneration policy.

While equivalent principles apply across the banking, asset management and insurance sectors, the remuneration rules and latest developments are specific to each. Across all sectors however, we have been seeing an increased focus from EU regulators on the implementation of existing rules.

The requirement in the remuneration rules applicable to banking and asset management firms is for the implementation of remuneration policy to be subject to a central and independent internal review each year. In a banking context, regulatory guidance expects this review to be undertaken by Internal Audit. For asset management firms, the current guidance is less prescriptive, although it does expect firms to ensure that the review is independent. Draft EU guidance for investment firms under the upcoming Investment Firms Directive (IFD) suggests that Internal Audit will be expected to undertake this review. In practice, some firms undertake a comprehensive review on a periodic (e.g. 3-yearly) basis and then review particular areas in more detail on a rotational basis each year. However, it will be important to ensure that material year-on-year changes in policies, processes and practices are considered, to ensure continued compliance with the remuneration rules.

For firms in the banking sector, the amended remuneration rules under the Capital Requirements Directive (CRD V) were implemented in the EU for performance years starting on or after 29 December 2020 (with the implementation date varying between jurisdictions across the EU). This has included certain changes in how Material Risk Takers should be identified and changes relating to the disapplication of certain remuneration rules on the basis of proportionality. In the EU, smaller firms are no longer permitted to disapply the limit on the amount of variable remuneration that can be awarded (the ‘bonus cap’) or to disapply clawback.

European regulated investment firms will become subject to specific remuneration rules under the EU Investment Firm Directive (IFD), with the result that many such firms and their senior staff may become subject to the rules on deferral, payment in instruments and malus/clawback for the first time.

From an insurance standpoint, EU firms must continue to comply with the Solvency II remuneration provisions (in place since 2016), and with the provisions relevant to remuneration under the insurance distribution regime (derived from the Insurance Distribution Directive (IDD)), aimed at enhancing consumer protection and mitigating the risks of conflicts of interests and mis-selling. EU firms must take account of the European Insurance and Occupational Pensions Authority’s new Opinion, published in 2020, which sets out its expectations regarding the application of the Solvency II remuneration rules.

Design: Review the processes in place around the current remuneration policies, remuneration governance frameworks and disclosures to ascertain whether they are compliant with the applicable reward regulatory requirements, including:

  • Remuneration policies and ancillary policies and procedures, such as relating to the structure and determination of fixed and variable remuneration, the identification of Material Risk Takers, structure of variable pay awards (including performance conditions, link to values and behaviours, risk adjustment) and treatment of new hires and leavers;
  • Governance including the composition and role of the Remuneration Committee and the role of control functions (e.g. Risk/Compliance) within broader reward governance, including the year-end process; and
  • If applicable, areas of the business where commission-based arrangements influence reward, to which particular attention should be paid.

Implementation: Test the implementation of remuneration processes and procedures underpinning the remuneration policy to ensure they are robust and effective and are being operated in compliance with the applicable rules and regulatory guidance:

  • Review the firm’s decision-making framework and the evidencing of this (e.g. input of control and other corporate functions, oversight of Material Risk Taker pay, assessments of firm’s capital soundness);
  • Test controls within remuneration processes and procedures (e.g. Material Risk Taker identification); and
  • Perform spot checks of systems and outputs.

Future state: Consider how the firm is adapting to future regulatory requirements via review of the firm’s readiness for future regulatory changes in reward (e.g. changes introduced under the EU IFD rules).

Reward structures: Assess the remuneration and incentive arrangements across all parts of the business to ensure that they are effective in encouraging a customer-centric culture and do not encourage inappropriate risk-taking.

4.3. Governance Culture

The European Regulators consider the robustness and effectiveness of governance frameworks as the foundation of an established business that manages risk effectively and complies with regulation. Corporate governance arrangements, and the culture they promote and support, are crucial to a firm’s regulatory compliance, as well as the long-term sustainable success of the organisation.

COVID-19 has increased firms’ focus on the effectiveness of their governance frameworks and on how efficiently these operate when normal operations face significant disruption. A number of firms have been using the COVID-19 pandemic, and key decisions taken in light of it, as case studies to test whether their governance operations are effective and to assess whether there is an opportunity to enhance and streamline their existing governance structure.

With the implementation of the Conduct Rules having come into force for a number of financial services firms, the focus has shifted from implementing the practical elements of the framework to assessing embeddedness of the framework in business as usual (BAU), e.g., is the Conduct Rules training provided relevant for each cohort of individuals, is the Conduct Rules breach management process fit for purpose, are individuals fit and proper to carry out their functions and how is this evidenced.

Whilst diversity has been on firms’ radars for some time, the enhanced focus on Black Lives Matter has pushed this higher up the agenda, including the recent discussion paper on diversity by the regulators. This has led to Boards re-assessing their own skills and composition, as well as firms looking at the extent to which they have appropriate policies around diversity and inclusion.

Area of Focus: Corporate governance (including Board effectiveness)

Review the corporate governance activities as follows, focusing on the design and operational effectiveness of key controls:

  • Frequency and robustness of external and internal Board and Board Committee Effectiveness Reviews and the timely and effective closure of findings;
  • The corporate governance structure and framework (including the composition (skills, experience, diversity), tenure, effective reporting and challenge, and activities of the Board and Board Committees) against relevant regulations/regulatory expectation;
  • Appropriateness of Management level governance structure, e.g. Committee structure across lines of business, control functions, legal entities, and robustness of reporting and timely escalations;
  • Key documentation, including the corporate governance policies and procedures, to ensure that they support the overall culture and strategy; and
  • Case studies to assess oversight and accountability around decision-making.