Financial & Credit



Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

2.1 Regulatory Reporting

Regulated firms are required to submit a range of returns on a regular basis. These returns allow regulators to monitor the financial performance and position of regulated entities, including a number of more operational aspects of their performance, and to perform benchmarking to inform the focus of their regulatory activities. The accuracy, completeness and timely submission of regulatory returns continue to be a key focus, including the governance framework around the process.

CRR regulated institutions have to report their Net Stable Funding Ratio (NSFR), new market risk requirements and changes to counterparty credit risk.

The European Regulators continue to develop proposals to implement all the remaining elements of Basel III (Basel 3.1), which is the final package of banking prudential reforms for CRR firms developed in response to the 2008/09 financial crisis. Basel 3.1 will result in significant changes to the way firms calculate Risk Weighted Assets under the Standardised Approach, and firms that currently report under the Internal Ratings Based (IRB) Approach will be expected to apply a standardised output floor (OF). The OF will become a binding capital constraint for some EU Banks and introduce a new layer of complexity in capital planning and strategic decision-making for all. Banks should prepare now for the introduction of the OF, even while its design is still being debated by policymakers. Banks should be analysing the implications of the OF for internal capital allocation (understanding what we call “floor capacity”). Many Banks will also need to invest in the data and calculation infrastructure necessary to determine accurate revised standardised risk weights, which will be the basis for calculating the OF.

Area of Focus

Governance and Ownership


Senior accountability and ownership is fundamental to the production and integrity of a firm’s financial information and its regulatory reporting. Responsibilities should be clear for those involved in all stages of the end-to-end regulatory returns process, supported by robust processes, including independent testing and validation to ensure regulatory returns are reliable and accurate. Firms are also expected to have strong governance around key regulatory interpretations and should undertake work to identify the key interpretations and judgements, validate them and correct them where appropriate. Internal Audit should ensure that there is a well-defined regulatory reporting policy setting out the expectations of those charged with governance, including governance over key regulatory interpretations and judgements.


Firms’ governance arrangements for regulatory returns must be supported by an effective and robust control framework including controls around models, End User Computing (EUC) and reconciliation checks for errors. Internal Audit should assess whether operating models are clearly documented with effective controls at each stage of the process to ensure that returns are reliable, accurate and submitted on a timely basis.

Information Systems

Some firms have outdated reporting system infrastructure and therefore require significant manual intervention to fill data and system gaps, which in turn leads to a higher risk of data errors and misstatement of returns. The Regulator expects firms to place greater focus on robust sourcing of data, supplemented by clear governance and sign-off when incomplete data is used. Internal Audit should assess the controls over manual intervention and governance over incomplete data.

Regulatory Change

Firms require robust horizon scanning practices and associated analyses to closely monitor regulatory change. Internal Audit should assess whether the First and Second Lines of Defence are able to do this in a timely and effective manner.

2.2 ESG Risk Assessment and Disclosures

As the need to address Environmental, Social and Governance (ESG) issues continues to evolve at increasing speed, it is essential that organisations have a comprehensive understanding of the ESG risks most material to their operations. Understanding and reporting on the issues important to consumers, investors and the wider society demonstrates commitment to contributing to a more positive, fair and sustainable environment. Whilst most organisations have begun their ESG journey with a focus on Climate Change, wider ESG issues such as Diversity and Inclusion (D&I), labour practices and human rights compliance are climbing up the agenda in Board rooms across the industry. However, the challenge remains of how to assess these risks and what exactly to disclose. Internal Audit can play a critical role by providing necessary challenge of ESG risk assessment design and methodology, as well as testing the design of the ESG disclosure framework, thus helping to improve investor and stakeholder transparency. ESG will be a key industry topic for many years to come and early engagement and commitment across an organisation will help shape the frameworks put in place to address the evolving and complex issues.

Taskforce on Nature-related Financial Disclosures (TNFD): The Taskforce on Nature-related Financial Disclosures (TNFD) was established in 2021 in response to the growing appreciation of the need to factor nature into financial and business decisions. The TNFD's aim is to complement the growth of the Task Force on Climate-related Financial Disclosures (TCFD), and this year the TNFD has expanded its beta framework for nature risk management and disclosure, including the Taskforce’s approach and specific sector guidance. Ongoing market feedback will support the further design and development of the TNFD recommendations due in September 2023.

International Sustainability Standards Board (ISSB): The ISSB released its exposure drafts on 31 March 2022 with comments to be received by 29 July 2022. The draft standards set out the requirements for disclosures over climate and general ESG reporting. The exposure drafts set out the need for sustainability reporting to be connected to and complement the financial statements.

Greenwashing: As concerns over misleading environmental information continue to rise, European Regulators have stated there is a “clear rationale” for stricter regulation for ESG data and ratings providers, to help ensure they are accounting for the full impacts of the businesses they assess.

Green-bleaching: As disclosure requirements continue to multiply, a new concept called ‘Green-bleaching’ is emerging. This term refers to instances where organisations invest in sustainable activities but refrain from making claims about this, to avoid the data reporting requirements and the scrutiny arising from disclosure obligations.

Conference of the Parties (COP) 27: While COP26 saw many new commitments promised, COP27, scheduled for November 2022, will aim to assess the progress in reaching these goals. The COP27 president commented that the event will focus on implementation of pledges made, through identification and application of practical policies and practices, including climate finance and mitigation strategies.

Area of Focus

Materiality Assessment


  • ESG Risk Materiality Assessment is crucial to enabling a robust ESG risk framework. Internal Audit are well placed to challenge the methodology and data inputs into the exercise. Assessments should be informed by different areas of the business, consider stakeholder engagement and be re-performed on a periodic basis whilst the ESG landscape continues to evolve.
  • Challenge whether the business has considered ‘Double Materiality’ which acknowledges that a company should report simultaneously on sustainability matters that are financially material and those which are material with regard to the wider society.


  • Data continues to be one of the most significant challenges for organisations in carrying out reliable risk assessments and ensuring ESG related disclosures are complete and accurate. ESG data audits can provide valuable insight where a business must enhance data quality, data governance controls, capabilities of key systems, automation and integration into existing frameworks.
  • Internal Audit should review the level of engagement the business has with third parties throughout the value chain. Where data gaps exist, there should be active commitment and action plans to work with related parties in order to build an understanding of related ESG risk exposure and key data metrics.


  • Regulators and investors recognise there will be data gaps across the disclosure framework as every organisation continues to grapple with the complexities of ESG reporting. However, Internal Audit must challenge the transparency and presentation of ESG reporting where assumptions have been made.
  • Challenge whether ESG reporting and related disclosures are subject to the same level of controls as financial disclosures.
  • Assess the control framework in place to monitor and adhere to multiple disclosure requirements across various regions. Internal Audit should evaluate whether there is an adequate disclosure strategy which is appropriately integrated and consistent across the business.
