Moving through recovery: Re-thinking Internal Audit’s remit post COVID-19 | Deloitte UK has been saved
Limited functionality available
As organisations move firmly into the Recover phase of Deloitte’s crisis management framework (“Respond, Recover, Thrive”) this latest blog in our series considers how Financial Services Internal Audit (IA) can use the learnings of the early stages of the pandemic to increase its longer term influence and impact.
The current COVID-19 situation presents new opportunities for IA functions to add more value around assurance, improve the advice they provide and increase their anticipation of risk. As organisations have navigated uncharted territory with often imperfect information, IA’s enterprise-wide viewpoint, ability to ‘join the dots’ and bring external industry insights has heightened its impact and influence. It has also highlighted what stakeholders really value from IA and challenged how functions provide this, within the boundaries of independence.
As part of Deloitte’s ongoing mission to make FSIA better, we’ve identified five areas which will become increasingly important as functions move through recovery and look to thrive in the future:
Born of necessity, recent developments in these areas show the way to more permanently re-imagine IA’s remit in the provision of assurance, advisory insight and the anticipation of risk.
Adding new value through Assurance
1. New products and more rapid insights
In the current fast paced environment a traditional, rated, “3 months to deliver”, end-to-end audit report with pages of actions has not grabbed the attention of time-poor executives or generated timely improvements to the risk and control environment. As a result, a number of functions have revisited their product suite.
However functions can’t leave their disciplines entirely. A function that gives opinions without grounding them in facts or evidence will quickly undermine its reputation for providing independent credible assurance, and will become just another opinion in the room.
To balance this, IA functions should:
2. Being true to an organisation’s values
Much has been said about business’s purpose in recent years.
It’s easy for a business to be true to its values and purpose when things are going well. It is much more difficult when things are not, or is it? If an organisation’s values, purpose and red lines are clear then decision making becomes in some ways simpler - certain options are closed off because they don’t align to the stated purpose or values.
For IA the pandemic has presented opportunities to add significant value to organisations by providing cultural insights or observations about how a board or management team are performing in their responses to the pandemic.
Key questions to consider include:
Sometimes it is necessary to make shorter-term compromises in the pursuit of longer-term ambitions. Were decisions made to keep the business solvent or still trading that compromised these in the short term but allow the organisation to continue existing in the longer term and able to pursue its purpose?
The key challenge for IA will be how to undertake these assessments – we will return to this subject in a later blog.
3. Culture and psychological safety
Like purpose, the topics of culture and psychological safety have been debated widely over the recent past. In our 2020 Planning Priorities publication we highlighted how IA has an important role to play by:
Over recent months, organisational cultures have been placed under new pressures in response to an increasingly volatile, uncertain, complex and ambiguous risk landscape. Concurrent global events have placed increased psychological pressure upon many different groups, including employees, customers, regulators, politicians and all other stakeholders.
Whilst some data points are factual (call volumes to a whistleblowing line for example), other information should be considered as part of both the response to COVID-19 but also the “new normal” of a remote office environment. Key questions to consider include:
Increasing IA’s advisory role
4. Lessons learned
The COVID-19 pandemic has been a test case for many recent areas of regulatory focus:
During COVID-19, functions have needed to plan and deliver work to cover new risks and related activities in the business, including tactical responses to the launch of new lending schemes, responses to increased and contentious insurance claims, heightened fraud risk (including Cyber) and other challenges posed by remote working (management, staff and customers alike).
IA is uniquely placed to perform timely, thorough and impactful “lessons learned” reviews that will help business drive continuous improvement in the risk and control environment and prepare for future incidents of this type. Whilst “lessons learned” reports are nothing new to IA functions, the uniquely broad and fast-paced nature of the COVID-19 pandemic make this an area where IA can raise its impact across the organisation, specifically with key members of management.
Useful questions for IA to consider, answer and report are often around the decisions taken, the governance and oversight arrangements and the evidence produced not just in making decisions but in recording them:
Anticipating new and emerging risks
5. Looking forward
IA also has the opportunity to challenge the business around potential forward looking pressures and the adequacy of management’s response.
Examples include increased litigation or regulatory challenge to COVID-19 related decisions; operation of schemes implemented in a rapid, tactical control environment; legal and operational risks presented by “return to work”; expected long term changes to employee and customer behaviour; technical interpretation and application (including availability of reliable data) of accounting standards in financial and management reporting (e.g. impairment and expected credit losses, insurance reserving, fair/ market pricing, going concern assumptions and other areas involving forecasting and management judgment); and the impact of the end of government employment support schemes such as furlough.
As we move through the Recover phase, IA has demonstrated its increased organisational importance and influence and now has a significant opportunity to accelerate its change journey and continue to grow its impact and influence. Future blogs will focus on what Financial Services IA can do to lock-in best practices, maintain and enhance audit quality and commence activities to Thrive in an environment when the effects of COVID-19 are less pronounced.
Matt is a partner specialising in providing Internal Audit co-source, outsouce and advisory services for a range of Financial Services companies both globally and in the UK. He has twice been a UK regulated head of internal audit and is passionate about the role internal audit can play.
Russell is a partner in Deloitte's Financial Services Audit Group. He has specialised in Banking and Capital Markets for over 22 years, in the UK and overseas, providing a range of audit, assurance and advisory services. Russell provides assurance services to banking and capital markets clients, with a particular focus on retail, commercial and private banks. He has significant experience of working with financial services institutions in the UK, the US and Western Europe. He leads Deloitte's UK Financial Services Internal Audit Team, which provides cosourced, outsourced and advisory internal audit services (including reviewing and reengineering Internal Audit methodology; and performing External Quality Assurance Reviews) to a broad cross-section of clients.
Owen is a Director in Deloitte’s Financial Services Internal Audit practice with 19 years’ experience of providing assurance and advisory services to organisations across the financial services and corporate sectors. Owen has a particular focus on internal audit innovation and transformation and over recent years has worked closely with functions adopting agile ways of working. Owen leads a number of co-sourced and out-sourced assignments across the UK with a particular focus on investment and wealth management organisations and retail banking.