Financial Services Internal Audit Credit



Financial Services Internal Audit Planning Priorities 2021

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.

2.1. Credit Risk Management – Risk Reporting

The ability of financial institutions to identify, measure and manage their credit risks is fundamental to their long-term viability. Credit Risk Reporting is where those abilities should be apparent for all to see. A firm that cannot appropriately assess the riskiness of its credit portfolios could be taking on too much risk – which can very rapidly translate into impairment, credit losses, write-offs and capital depletion. Credit Risk Reporting needs to contain the information required to steer firms through highly uncertain times. Key to this is the robust prioritisation and escalation of risk issues, highlighting whether the current risk management strategy is operating as intended with clear accountability for agreed actions.

Since March 2020, there has been a deluge of COVID-19 related changes to the way credit risks are managed and reported; some of the drivers for this are noted below:

  • Introduction of a number of new Government loan schemes / facilities driving additional complexity in monitoring and reporting.
  • EU regulators’ guidance on IFRS9 and COVID-19.
  • EU regulators’ proposal for temporary financial relief for customers affected by COVID-19.
  • IFRS 9, capital requirements and loan covenants.
  • EU regulators’ guidance to firms on mortgages, motor finance, and high-cost credit, rent-to-own, buy-now pay-later and pawn-broking.

Collectively, these reporting obligations raise the risks of misstatements, compliance failures and a decline in the quality of existing reports as a result of new reporting burdens.

In addition, firms are increasingly looking to report on their credit capacity (e.g. collections and recoveries management), and deploy integrated dashboards with more timely data for quicker decisions.

In May 2020, the EBA also published its finalised risk reporting guidelines: EBA Guidelines on loan origination and monitoring.

  • Assess the adequacy of credit risk reports and how well they help members of key governance and oversight committees to discharge their duties (as set out in the relevant Terms of Reference or Charters).
  • Focus on the reporting of COVID-19 related forbearance and how clearly its impacts have been explained to the audience of credit risk reports.
  • Check that the reporting of impairment and expected credit losses is consistent with regulatory guidance and the firm’s policies – especially given the additional scope for IFRS 9 models to be (temporarily) overridden with Management judgements in light of COVID-19.
  • Examine the extent to which diverse COVID-19 related scenarios have been reported to senior committees, with respect to credit risk.
  • Assess how clearly the strategy for dealing with COVID-19 associated credit risks have been communicated and tracked.

2.2. Recovery Planning

The emergence of the COVID-19 pandemic presented a different dimension of stress, with potential rapid asset quality, liquidity and capital impacts and the ability of a firm’s Recovery Plan to track a deterioration in the “BAU” environment has been of particular interest across the market. Firms’ indicator frameworks are now brought back into sharp focus, especially as a number of asset quality metrics are directly impacted by COVID-19 (such as arrears and provisions).

Proposed changes to Recovery Planning from the European regulators (which were not initiated by the COVID-19 pandemic) are two-fold currently:

  • Whilst no specific feedback or guidance has been provided by the EU regulators on COVID-19 and Recovery Plans, the use of central bank facilities throughout the pandemic so far has meant asset encumbrance has come back to the European regulators’ attention, as something which can pose a risk to liquidity and funding if not managed properly.

Whilst these are relatively minor changes, they require new thinking from firms around what scenario testing should include, and what the impacts of asset encumbrance are on Recovery Planning. Furthermore, the impact and response to the COVID-19 pandemic should bring out practical adjustments and enhancements to a firm’s Recovery Plan, especially in an environment where operational changes (such as working remotely or an increase in collections activity) is running alongside.

Continued scrutiny remains on firms with regard to the quality of their Recovery Plans. Internal Audit should assess whether the quality of Recovery Planning continues to be enhanced and that the practical learnings and ongoing response to COVID-19 is embedded.

Internal Audit should also consider whether its assurance approach to Recovery Planning includes coverage of the following typical issues identified in firms’ Recovery Plans:

  • Indicators included in the Recovery Plan are not broad enough to allow for identification of potential financial risk. Furthermore, the metrics are not calibrated to a suitable level to allow Management to respond in a timely fashion.
  • Recovery options provide little to no benefit (i.e. an increase to resources, or reduction in requirements) to the capital and liquidity position of the firm.
  • Scenario testing is focused on too few risks and does not always capture the key risks that the firm faces.
  • Dependencies between recovery options, as well as the dependencies the options have operationally and during stress scenario events are analysed at a high-level and not in sufficient detail, potentially reducing the usability of options.
  • Invocation of the Recovery Plan and the practicalities of actually implementing the Plan are not clear and have not been properly tested through Fire Drilling of the Recovery Plan.

2.3. Stress Testing

Stress testing forms a critical component of a firm’s risk management toolkit. The quality and the outcomes of a regulatory stress test will directly inform a regulator’s assessment of a firm’s capital and liquidity requirements. Given the recent COVID-19 pandemic, firms are considering the emerging repercussions and how to re-align their stress testing capabilities based on their actual recent experiences. Another key focus is on climate related financial risks which relies on developing climate related scenario analysis to support quantification of those risks and the impact on capital requirements. There is also focus on non-systemic growing banks and how they transition to using stress testing to inform capital buffer requirements.

The ECB report on banks’ ICAAP practices which includes a deep dive on how banks deal with climate related risks in their ICAAPs stated that “Banks’ practices for considering these in their risk management processes are barely established and heterogeneous.”

The European regulators have raised requirements for ICAAPs for climate related risks, and prescribe climate related scenarios.

The key requirements for scenario analysis for assessing climate related financial risks are:

  • Far-reaching impact in breadth and magnitude – climate related risks impact a broad range of sectors, business lines and geographic locations.
  • Uncertain and extended time horizons – climate related risks impact protracted time frames beyond current planning horizons and historical analysis may not be an indicator of future outcomes.
  • Foreseeable nature – there is a high degree of certainty around the outcomes of climate related financial risks.
  • Dependency on short-term actions – the outlook is dependent on the actions taken today.

Area of Focus

Model risk management


  • Review the adequacy of governance processes, design of the model, risk management controls and documentation around processes and assumptions, in particular expert judgement and post-model adjustments. The focus will be on existing models which need to be reconfigured as a result of COVID-19, as well as newly developed models and risk management frameworks which will evolve over time in relation to climate related financial risks and in general for growing banks.

Data integrity

  • Review data integrity controls, including controls over completeness and accuracy of data used in stress testing. Review appropriateness and consistency of the data used for climate related risks including scenario data (i.e. two degrees initiative, etc).

SME input

  • Internal Audit should liaise with relevant SMEs to understand how the firm’s stress testing approach for climate related risks compares to emerging best practice.

Alignment with risk appetite

  • Review the emerging risk appetite informed by climate related scenario analysis and consider appropriateness of inputs to inform decisions made to reset the firm’s risk appetite.

Superior capital planning

Superior capital planning should include:

  • Evaluation of the appropriateness of the stress scenarios selected, both stress assumptions and Management responses / actions, for both climate related scenario analysis and for new and growing banks adopting scenario analysis for the first time; and.
  • Assessment of the adequacy of timing of generation of stress results.

Scenario development

  • Internal Audit should consider the development of scenarios for climate related financial risks to assess the breadth, magnitude and timescales considered. Furthermore, this should be considered in the context of risk management given the increased assumptions required.

Horizon scanning

  • • Review the horizon scanning process in place to ensure robust monitoring of new regulatory publications given the many changes to the regulatory back drop such as Capital Requirement Regulation (CRR2),and Brexit.

Insert CSS fragment. Do not delete! This box/component contains code needed on this page. This message will not be visible when page is activated.

Did you find this useful?