Governance, Risk Management & Culture

Financial Services Internal Audit Planning Priorities 2021

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.

4.1. Outsourcing

Over recent years, outsourcing has taken on increasing importance both for Financial Services (FS) firms and for regulators. This has been reflected in a specific focus from Internal Audit teams, who are seeking to enhance their understanding and oversight of third party risk. Recent events associated with the COVID-19 pandemic have greatly increased the need for FS firms to assess their existing outsourced relationships and the risks embedded within those relationships.

Extended enterprise risk management in FS has continued to benefit from greater Executive awareness, allowing organisations to tackle the topic with appropriate focus and strategic investment. This is even more important given the threats of high profile business failure, illegal third party actions, or regulatory action with punitive fines. For FS firms in particular, the key focus points are identifying the strategic third parties, to ensure proportionate risk management effort, and addressing operational risks in relation to the extended enterprise.

Recent regulatory guidance on outsourcing and third party risk management has captured current industry good practice and transferred it into formalised requirements. Items of particular interest and concern to the regulators include FS firms having robust exit plans; the inclusion of inspection and audit rights, service level agreements and key performance indicators within third party contracts; and the requirement to assess intragroup/affiliate risk. Some examples of recent regulatory developments are shown below.

  • On 25 February 2019, the European Banking Authority (EBA) issued its final report on the Guidelines on Outsourcing. The Guidelines apply to all outsourcing arrangements entered into, reviewed or amended on or after 30 September 2019. Institutions and payment institutions should meet the requirements of this guidance for all existing outsourcing arrangements, other than outsourcing arrangements to cloud service providers, following the first renewal date of each existing outsourcing arrangement, but by no later than 31 December 2021.

Area of Focus

First phase:

Internal Audit should consider whether the firm has an adequate Third Party Risk Management (TPRM) framework embedded across the business, and should examine this from both a design and an operating effectiveness perspective:

  • Overarching governance framework, group-wide policy with associated standards and local addendums as required, and appropriate allocation of roles and responsibilities across the three lines of defence.
  • Processes and controls to manage third party risk throughout the third party lifecycle, through to termination.
  • Tools and technologies supporting the TPRM process, and the appropriateness of the metrics used to measure the effectiveness of the TPRM framework.

Operating effectiveness:

  • Risk identification and assessment, third party selection, contract execution, allocation of roles and responsibilities, ongoing monitoring and reporting, performance appraisal, and contract termination and exit or renewal management.

Second phase:

The next phase should recognise that organisations will encounter a period of uncertainty for an unknown amount of time. Throughout this period, Internal Audit should:

  • Validate the TPRM segmentation methodology.
  • Ensure that up-to-date and robust exit plans exist for outsourced services, prioritising critical outsourced services.
  • Assess service level agreements for existing supplier relationships.
  • Understand supplier performance, particularly during the period of COVID-19 lockdown, by examining and monitoring key metrics/indicators.

4.2. Governance Culture

The EU regulators consider the robustness and effectiveness of governance frameworks as the foundation of an established business that manages risk effectively and complies with regulation. Corporate governance arrangements, and the culture they promote and support, are crucial to a firm’s regulatory compliance, as well as the long-term sustainable success of the organisation.

COVID-19 has increased firms’ focus on the effectiveness of their governance frameworks and on how efficiently these operate when normal operations face significant disruption. A number of firms have been using the COVID-19 pandemic, and the key decisions taken in light of it, as case studies to test whether their governance operations are effective and to assess whether there is an opportunity to streamline their existing governance structure.

With the Conduct Rules having come into force for a number of financial services firms, the focus has shifted from implementing the practical elements of the framework to assessing whether the Conduct Rule training provided is relevant for each cohort of individuals, and whether the breach framework is appropriate and fit for purpose, in line with the spirit of the regulations.

Whilst diversity has been on firms’ radars for some time, the enhanced focus on Black Lives Matter has pushed this higher up the agenda, regardless of whether organisations have to adhere to specific corporate governance standards. This has led to Boards re-assessing their own skills and composition, as well as firms looking at the extent to which they have appropriate policies around diversity and inclusion.

Area of Focus

Corporate governance (including Board effectiveness)

Review the corporate governance activities, focusing on the design and operational effectiveness of key controls, including reviewing:

  • Frequency and robustness of external and internal Board Effectiveness Reviews, including the extent to which diversity is covered.
  • The corporate governance structure and framework (including the composition, tenure and activities of the Board and Board committees) against relevant regulations.
  • Key documentation, including the corporate governance policies and procedures to ensure that they support the overall culture and strategy.
  • Case studies to assess oversight and accountability around decision-making.

4.3. Remuneration – Risk and Reward

In recent years, the regulatory and governance framework in financial services organisations has become increasingly complex, with remuneration forming a key part of this framework. Across the banking, asset management and insurance sectors, remuneration continues to be a key area of focus for EU regulators, on account of the link between risk, reward and individual accountability. Remuneration structures, policies and processes have been subject to a significant amount of regulatory change and evolving regulatory guidance relating, for example, to how firms should identify their “Material Risk Taker” population, and to how variable remuneration should be determined and allocated to individuals based on performance, taking into account appropriate assessments of capital and risk.

For banking and asset management firms, there is a specific regulatory requirement that the implementation of their remuneration policies be subject to a central and independent internal review on at least an annual basis.

For insurance firms, such reviews are also highly advisable as they are a key means by which a firm’s management body can help to ensure that it is discharging its responsibility for the oversight of the implementation of the firm’s remuneration policy.

While equivalent principles apply across the banking, asset management and insurance sectors, the remuneration rules and latest developments are specific to each. Across all sectors, however, we have been seeing an increased focus from the EU regulators on the implementation of existing rules.

From an insurance standpoint, the Insurance Distribution Directive (IDD) is in full effect. It includes specific remuneration requirements, which aim to enhance consumer protection and mitigate the risks of conflicts of interest and mis-selling.

Going forward, firms in the banking sector will be subject to amended remuneration rules under the Capital Requirements Directive (CRD V) for the 2021 performance year (including changes in how Material Risk Takers should be identified and changes in the rules relating to the disapplication of certain remuneration rules on the basis of proportionality).

Investment firms will also become subject to specific remuneration rules under a new prudential regime for investment firms from mid-2021, with the result that many such firms may become subject to the rules on deferral, payment in instruments and malus/clawback for the first time.

Design: Review current remuneration policies, remuneration governance frameworks and disclosures to ascertain whether they are compliant with the reward regulatory requirements, including:

  • Remuneration policies and ancillary policies and procedures, such as those relating to the structure and determination of fixed and variable remuneration, the identification of Material Risk Takers, the structure of variable pay awards (including performance conditions, link to values and behaviours, and risk adjustment) and the treatment of new hires and leavers.
  • Governance, including the composition and role of the Remuneration Committee and the role of control functions (e.g. Risk/Compliance) within broader reward governance, including the year-end process.
  • Remuneration disclosures, as applicable to the specific firm.
  • If applicable, specific attention should be paid to areas of the business where commission-based arrangements influence reward.

Implementation: Test the implementation of remuneration processes and procedures underpinning the remuneration policy to ensure they are robust and effective and are being operated in compliance with the applicable rules and regulatory guidance:

  • Review of the decision-making framework (and the evidencing of this).
  • Testing of controls within the remuneration process and procedures.
  • Spot checks of systems and outputs (e.g. individual year-end remuneration outcomes).

Future state: Consider how the firm is adapting to future regulatory requirements by reviewing the firm’s readiness for future regulatory changes in reward (e.g. changes to be introduced under CRD V or the new Investment Firm Directive (IFD)).

Reward structures: Assess the remuneration and incentive arrangements across all parts of the business to ensure that they are effective in encouraging a customer-centric culture and do not encourage inappropriate risk-taking.