Posted: 31 Mar. 2020 10 min. read


Financial Services Internal Audit’s response in a time of crisis

Watch our latest webinar recording ‘COVID-19: Moving into Recovery’ here:

This blog outlines Deloitte’s high level views on key Financial Services Internal Audit (IA) considerations given the mass scale business disruption caused by COVID-19. As our businesses adapt to dealing with the initial impact of COVID-19, IA functions have an important role to play to continue to provide critical Assurance, help Advise management and the Board on the shifting risk and control landscape, and Anticipate emerging risks. However, the function’s first priority is to the team - without a functioning IA team, there is no IA function.

Individual country situations differ greatly and are changing rapidly and dramatically, so it is imperative for IA functions to keep abreast of governmental and regulatory announcements, as well as following centrally-coordinated organisational responses and devising IA-specific plans.

IA Team Considerations

Unlike other forms of crisis, a pandemic of this nature doesn’t only cause operational and technology issues for firms, but also has a major impact on both the health and day-to-day work of our teams.

  • Welfare of teams – Most IA functions are already geared towards remote working, but there is usually a face-to-face touch point with the auditee (and IA team) at various points in the audit – use the technology available to you and try to carry on. It is important to maintain regular check-ins with your teams and to do this via video if possible. Some team members live on their own and face-to-face contact (even if it is only via the laptop) is really important to maintain connection. These will be worrying times for team members, either because they are concerned about themselves / family members who are more at risk, or are fearful about the economic impact and their own job security.
  • Staff contingency planning – Statistically speaking, some team members are going to fall ill. Plan now for contingency arrangements on each key audit review and at the Leadership/ Management Team level. Think about to keep things moving where an audit or other activity is business critical and take steps now to ensure a smooth transition.
  • Flexibility in reporting – As IA responds to the crisis and changing business risks in differing ways (these are outlined below), there may be a need for more agile auditing techniques or more flexible reporting mechanisms to allow stakeholders to receive IA’s points of view in a near real-time basis. During this period, IA should not be hamstrung by traditional reporting templates and should consider ‘hot reviews’, unrated reporting, e-mail reporting, mid-review IA points of view (POV reporting), and oral feedback. This, among other developments, could provide an opportunity to enhance audit methodology for the longer term, i.e. not just a short term or temporary response.

Approach to crisis support

Assure – Regulators are indicating that they expect the three lines of defence to continue operating throughout the period of emergency measures. In our view, IA functions should do two things:

Review the 2020 audit plan to focus on the Truly Greatest Risks (i.e. those critical to the survival and success of the firm) and required regulatory audits. Functions should differentiate between short term and longer term audit needs. In the short term, many functions are also reviewing their skill set and capacity, offering assistance to support business critical functions (noting potential individual independence issues that this may create for the future).

Identify and audit high risk areas that emerge as a result of the emergency measures. Below, and over the page, we outline examples of some potential risk areas, noting there will be many more, varying by business:

  • Validating and challenging key MI used by management to make decisions on mission-critical activity;
  • Identifying capital and liquidity issues (current and future, including potential bank covenant breaches);
  • Challenging and benchmarking management’s assumptions regarding the nature, extent and duration of the situation;
  • Challenging management’s forecasts of business impact (some of these direct impact financial reporting, e.g. going concern, pension scheme accounting, goodwill and intangibles, Expected Credit Losses) noting that Q1 reporting deadlines are approaching and that many organisations have made public promises regarding customer concessions – are these being delivered and is the impact estimated appropriately? and
  • Challenging management’s assessment, monitoring and contingency plans of key outsource service providers.

Notwithstanding there may well not be a requirement to agree changes to the Audit Plan with a regulator, functions should consider the impact of short term actions on their ability to deliver adequate audit activity (including assurance) under the annual Audit Plan. Later this year and in 2021, audit functions will be held to account, with the benefit of hindsight, by Audit Committees, regulators and other stakeholders, for the coverage achieved. Regular communication with management and Audit Committee Chairs is very important to ensure short-term actions taken are thought through and have support.

Advise – IA functions are well placed to have a role on Crisis Management Boards to highlight emerging risks and to apply a risk and control mind-set to new / developing processes as management create workarounds to cope. IA may also be more able to ‘step back’ and consider a bigger, longer-term or more clearly structured picture than members of management that are in detailed ‘crisis mode’.

Deloitte’s crisis management framework uses three time frame periods to help firms navigate through the crisis: Respond, Recover and Thrive. The post COVID-19 working environment will look very different to today. As firms move through each of these time frames, Internal Audit has a role to advise on future control considerations in light of the new landscape, especially as firms move out of the continuity planning of the Respond phase and into the medium term state of Recover.

Anticipate – IA’s risk lens has never been more important as it plays a role in horizon scanning, supplementing the first and second line in identifying potential risk areas arising from the immediate business impact, including financial risks; different working behaviours; remote customer interactions; and a push towards an increased digital environment.

Click on the image to enlarge.

Sign up for the latest updates

Key contacts

Aaron Oxborough

Aaron Oxborough


Aaron is a partner in Deloitte’s Financial Services Internal Audit practice in the UK and has over 19 years of dedicated internal audit experience. He is responsible for the delivery of outsourced, co-sourced and one-off internal audit assignments across the Financial Services sector in the UK. He also supports the development of in-house internal audit functions through consulting activities and the delivery of bespoke training.

Russell Davis

Russell Davis


Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance and advisory services. Russell provides assurance services to banking and capital markets clients, with a particular focus on retail, commercial and private banks. He has significant experience of working with financial services institutions in the UK, the US and Western Europe. He leads Deloitte's UK Financial Services Internal Audit Team, which provides cosourced, outsourced and advisory internal audit services (including reviewing and reengineering Internal Audit methodology; and performing External Quality Assurance Reviews) to a broad cross-section of clients.