Posted: 14 May 2020 12 min. read

Financial Services Internal Audit’s response in a time of crisis

Moving into Recovery

Watch our latest webinar recording ‘COVID-19: Moving into Recovery’ here:

As we continue to observe how the next steps of the COVID-19 crisis play out, firms are planning how best to recover from the unprecedented economic and operational impacts. This second blog in our Financial Services Internal Audit COVID-19 series continues to outline Deloitte’s views on Internal Audit (IA) considerations as firms move from a state of respond into a state of recover. How does IA position itself to support management through the recovery phase?

Having taken drastic and swift actions to respond to the initial crisis, moving to recover poses a more complex set of challenges. This phase does not consist of a linear approach to transition and is likely to result in some movement between initial recovery steps (potentially adapting actions in response to any further negative impact / resurgence of the virus) and a full transition. As firms move through the recover phase, they should consider the following and IA can help firms’ management to do this:

  1. Define the destination and launch the recovery playbook – Key to success will be defining the new target operating model for firms to best service their customers and keep their people safe.
  2. Understand the required mind shift – How is the firm turning the COVID-19 crisis into an opportunity?
  3. Identify and navigate uncertainties and implications – Firms will continue to navigate major uncertainties, especially changing social, institutional, investor, customer and human contracts.
  4. Embed trust as the catalyst to recovery – Financial services will need to build trust to lead through the unknowns in the market, supporting the economy as it addresses its own recovery.
  5. Learn from others’ successes – Recovery is still unchartered territory, therefore observing and learning from others is critical.

IA has an important role to play in adjusting its mind-set to the recovery objectives, providing assurance over key risks presented by the inevitable changes, advice on the shifting control environment, and anticipating emerging risks.

Recovery phase risks

The risks outlined in our previous blog remain valid through the recover phase (although the list is by no means complete), however, recovery itself presents new challenges and risks. A Deloitte survey of financial services firms found their focus coming out of the initial COVID-19 response to be in the following areas, creating new / changing risks and requiring appropriate assurance:

1. Future of work. Firms have been reviewing their operating model and working practices to adapt to whole-firm remote working. The Government’s guidance on ‘COVID Secure’ environments will support this thinking, but the transition back into the office will create new challenges, which include:

a) how to support (through the provision of masks, etc.) and monitor the physical and mental wellbeing of employees. This means new business practices and policies are being created across all functions at rapid speeds and with varying due diligence;

b) where staff are based and how the work gets done;

c) GDPR compliance risks with clear desks not being enforced at home;

d) repurposed (and maybe reduced) workspaces;

e) staff movement around the office;

f) new and complex travel policies; and

g) differentiation between short, medium and long term transitions – consideration of the appropriateness and sustainability of tactical vs strategic solutions.

IA should play a role in providing assurance that work places are ‘COVID Secure’ before reopening and an ongoing role in this assurance thereafter (or oversight of second line assurance). This will include reviewing the design of controls and the impact of these new practices over time, as transition arrangements are likely to evolve significantly.

2. Technology investment. COVID-19 created a massive shift in the uptake and reliance of technology on all fronts. Massive investment is expected in order to sure-up and improve both front and back office digital capabilities. Previously committed improvement projects may be expedited and new transformational programmes will be born in the need to support changing ways of working and enhancing client experience.  Prioritisation of project spend and project design will be critical and made more difficult in the home-working, changing environment.

IA will need to be able to support the sudden growth in technology and transformation programme risks, including (in addition to normal change risks) the need for built-in resiliency into new systems (e.g. automated controls to facilitate remote monitoring, as we explain further below) and strong due diligence of new suppliers.

3. Controls redesign. Financial services firms are fast realising that many of the most critical operational controls will need to be digitalised to function with an increased remote workforce.

IA has a vital role to play ensuring the responses of the first and second lines of defence are aligned and support the wider firm objectives.

  • Internal audit will need a response to the shift of the ‘control environment’ from inside typical business locations to various remote locations. One size will not fit all anymore.
  • Organisations who have previously invested in automation and continuous monitoring will be realising some of their investments. Where continuous monitoring is not well embedded, IA will have an opportunity to work with management in their redesign of controls with more automation in mind.

The impact on Internal Audit teams

Internal Audit continues to have a crucial role to play in providing assurance, advice and risk anticipation as management navigate what is the most challenging of situations. What does this mean for the delivery of IA’s 2020 audit plans? In a recent Deloitte survey of Heads of Internal Audit, 20% of functions were broadly sticking to the original 2020 plan with a delayed timeline, the remaining 80% have re-planned to account for additional new risks, making some adjustments elsewhere in the Audit Plan to compensate. The changes and challenges are huge and demand focus, however, most (if not all) of the audits on original 2020 audit plans approved by management and Audit Committees were significant and were there for a risk-based reason. This is creating a resource squeeze in IA functions and an emerging demand for IA resources across the market for the second half of the year.

IA functions should revise risk assessment and audit plans, allowing for sufficient contingency to deal with new and emerging risks that may yet emerge.

What characteristics will recovery demand of Internal Audit?

  • A team that respects and leverages diversity, championing better practices in the workforce that it expects to find evidence of in the functions it reviews, e.g. prioritising physical and mental wellbeing, inclusion and understanding boundaries.
  • An agile internal audit function that is prepared to shift its priorities as quickly as the firm itself does so, with appropriate buy-in from management and those charged with governance without compromising quality in audit delivery and reporting.
  • Up-to-date capabilities prepared to continuously revise risk assessments as well as the skills to be able to review the changes in risks that arise.
  • An assertive business partner that is trusted (without compromising independence and objectivity) with access to key stakeholders to challenge management’s decisions especially those which are being expedited in an environment of rapid change and urgency.
  • A cohesive team whom, irrespective of where they are working, is well-connected between each other, as well as individually into the business, in order to maintain access to stakeholders and share better practices.
  • With a reputation of having solid methodologies to identify and report risks/vulnerabilities, review key processes and procedures, and provide practical and impactful action plans in a timely manner.
  • Ability to produce quality audits from any location even with less stakeholder input – either through more use of tools or access to specialist skills.
  • A proactive team that reviews and enhances its own methodologies and capabilities, self-identifying and upskilling in areas that are going to be more important going forward – crisis management, transformation, data management (including governance and analytics) methods of auditing and reporting – and in order to deliver all of the above.

Well-networked and working collaboratively with other internal audit functions and others outside the organisation to share better practices, resources, experiences and tools.

Sign up for the latest updates

Key contacts

Russell Davis

Russell Davis

Partner, Risk Advisory

Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance and advisory services. Russell provides assurance services to banking and capital markets clients, with a particular focus on retail, commercial and private banks. He has significant experience of working with financial services institutions in the UK, the US and Western Europe. He leads Deloitte's UK Financial Services Internal Audit Team, which provides cosourced, outsourced and advisory internal audit services (including reviewing and reengineering Internal Audit methodology; and performing External Quality Assurance Reviews) to a broad cross-section of clients.

Aaron Oxborough

Aaron Oxborough


Aaron is a partner in Deloitte’s Financial Services Internal Audit practice in the UK and has over 19 years of dedicated internal audit experience. He is responsible for the delivery of outsourced, co-sourced and one-off internal audit assignments across the Financial Services sector in the UK. He also supports the development of in-house internal audit functions through consulting activities and the delivery of bespoke training.