Limited functionality available
Watch our latest webinar recording ‘COVID-19: Moving into Recovery’ here: www.deloitte.co.uk/fsiawebinar
As we continue to observe how the next steps of the COVID-19 crisis play out, firms are planning how best to recover from the unprecedented economic and operational impacts. This second blog in our Financial Services Internal Audit COVID-19 series continues to outline Deloitte’s views on Internal Audit (IA) considerations as firms move from a state of respond into a state of recover. How does IA position itself to support management through the recovery phase?
Having taken drastic and swift actions to respond to the initial crisis, moving to recover poses a more complex set of challenges. This phase does not consist of a linear approach to transition and is likely to result in some movement between initial recovery steps (potentially adapting actions in response to any further negative impact / resurgence of the virus) and a full transition. As firms move through the recover phase, they should consider the following and IA can help firms’ management to do this:
IA has an important role to play in adjusting its mind-set to the recovery objectives, providing assurance over key risks presented by the inevitable changes, advice on the shifting control environment, and anticipating emerging risks.
Recovery phase risks
The risks outlined in our previous blog remain valid through the recover phase (although the list is by no means complete), however, recovery itself presents new challenges and risks. A Deloitte survey of financial services firms found their focus coming out of the initial COVID-19 response to be in the following areas, creating new / changing risks and requiring appropriate assurance:
1. Future of work. Firms have been reviewing their operating model and working practices to adapt to whole-firm remote working. The Government’s guidance on ‘COVID Secure’ environments will support this thinking, but the transition back into the office will create new challenges, which include:
a) how to support (through the provision of masks, etc.) and monitor the physical and mental wellbeing of employees. This means new business practices and policies are being created across all functions at rapid speeds and with varying due diligence;
b) where staff are based and how the work gets done;
c) GDPR compliance risks with clear desks not being enforced at home;
d) repurposed (and maybe reduced) workspaces;
e) staff movement around the office;
f) new and complex travel policies; and
g) differentiation between short, medium and long term transitions – consideration of the appropriateness and sustainability of tactical vs strategic solutions.
IA should play a role in providing assurance that work places are ‘COVID Secure’ before reopening and an ongoing role in this assurance thereafter (or oversight of second line assurance). This will include reviewing the design of controls and the impact of these new practices over time, as transition arrangements are likely to evolve significantly.
2. Technology investment. COVID-19 created a massive shift in the uptake and reliance of technology on all fronts. Massive investment is expected in order to sure-up and improve both front and back office digital capabilities. Previously committed improvement projects may be expedited and new transformational programmes will be born in the need to support changing ways of working and enhancing client experience. Prioritisation of project spend and project design will be critical and made more difficult in the home-working, changing environment.
IA will need to be able to support the sudden growth in technology and transformation programme risks, including (in addition to normal change risks) the need for built-in resiliency into new systems (e.g. automated controls to facilitate remote monitoring, as we explain further below) and strong due diligence of new suppliers.
3. Controls redesign. Financial services firms are fast realising that many of the most critical operational controls will need to be digitalised to function with an increased remote workforce.
IA has a vital role to play ensuring the responses of the first and second lines of defence are aligned and support the wider firm objectives.
The impact on Internal Audit teams
Internal Audit continues to have a crucial role to play in providing assurance, advice and risk anticipation as management navigate what is the most challenging of situations. What does this mean for the delivery of IA’s 2020 audit plans? In a recent Deloitte survey of Heads of Internal Audit, 20% of functions were broadly sticking to the original 2020 plan with a delayed timeline, the remaining 80% have re-planned to account for additional new risks, making some adjustments elsewhere in the Audit Plan to compensate. The changes and challenges are huge and demand focus, however, most (if not all) of the audits on original 2020 audit plans approved by management and Audit Committees were significant and were there for a risk-based reason. This is creating a resource squeeze in IA functions and an emerging demand for IA resources across the market for the second half of the year.
IA functions should revise risk assessment and audit plans, allowing for sufficient contingency to deal with new and emerging risks that may yet emerge.
What characteristics will recovery demand of Internal Audit?
Well-networked and working collaboratively with other internal audit functions and others outside the organisation to share better practices, resources, experiences and tools.
Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance and advisory services. Russell provides assurance services to banking and capital markets clients, with a particular focus on retail, commercial and private banks. He has significant experience of working with financial services institutions in the UK, the US and Western Europe. He leads Deloitte's UK Financial Services Internal Audit Team, which provides cosourced, outsourced and advisory internal audit services (including reviewing and reengineering Internal Audit methodology; and performing External Quality Assurance Reviews) to a broad cross-section of clients.
Aaron is a partner in Deloitte’s Financial Services Internal Audit practice in the UK and has over 19 years of dedicated internal audit experience. He is responsible for the delivery of outsourced, co-sourced and one-off internal audit assignments across the Financial Services sector in the UK. He also supports the development of in-house internal audit functions through consulting activities and the delivery of bespoke training.