Posted: 18 Aug. 2020 10 min. read

Internal Audit Planning Priorities

Shifting of the credit risk profile as a result of government backed COVID-19 business interruption loan schemes

Explore the latest Financial Services Internal Audit (IA) suggested areas of focus for 2021:

Why is it important?

The COVID-19 pandemic has, almost overnight, emerged and disrupted organisations across the globe. To support smaller and medium businesses (SMEs), who may have and continue to lose revenue and see their cash flow disrupted during this outbreak, the UK government introduced two debt programme schemes for SMEs: Coronavirus Business Interruption Loan Scheme (CBILS), and the Bounce Back Loan Scheme (BBLS) in March 2020. These schemes are part of a wider package of government support for UK businesses and employees.

There are large number financial service providers (including high-street banks, challenger banks, asset-based lenders and smaller specialist local lenders) who are accredited by the British Business Bank (BBB) for providing CLBILS and BBLS loans. As at 16 August 2020 over £49 billion worth of loans were originated by the accredited lenders as part of CBILS (£14bn) or BBLS (£35bn).

All accredited lenders will need to demonstrate how their business has met the criteria for issuing CBILS and BBLS loans and how they continue to service these customers in-line with the relevant scheme requirements.

What’s new?

  • CBILS guarantees facilities up to a maximum of £5 million, available on repayment terms up to six years (for term loans and asset finance) and up to three years (for overdrafts and invoice finance facilities).  The first 12 months of interest payments is covered / payable by the government to the lender.
  • BBLS guarantees facilities up to a maximum of £50,000, available on repayment terms over six years at fixed interest rate of 2.5% per annum.  The borrower does not have to make any repayments for the first 12 months.  In addition, the borrower does not have to pay any set-up fees and the first 12 months of interest payments is covered / payable by the government to the lender.
  • These two schemes provide lenders with a government-backed guarantee against the outstanding balance of the facility, however, the borrower remains fully liable for the debt.
  • Accredited lenders must be able to demonstrate that all of their potential customers meet the eligibility criteria under the relevant scheme rules before being approved to receive a loan under CBILS or BBLS.
  • Accredited lenders must be able to demonstrate that they have relevant customer-facing and bank office staff in their organisation and any intermediaries are trained appropriately to apply and administer debt programme schemes.
  • Accredited lenders will be required to accurately register customer data on all the loans originated under CBILS and BBLS on BBB’s required platform in a timely manner.
  • Accredited lenders will potentially undergo periodic audits to check that the relevant scheme eligibility rules and processes have been complied with, including whether the economic benefits of the debt programme guarantee scheme have been proportionately passed on to borrowers in the form of lower borrowing costs than would otherwise have been charged.
  • As a result of the principal repayment holiday being offered under these schemes, going forward effectively designed arrears management strategies will need to be implemented within Collections/Financial Assistance or restructuring functions.

What are the risk areas and challenges?

  • Misinterpretation of scheme requirements (e.g. eligibility, re-finance, government guarantee).
  • Weakness in the First and Second Lines of Defence control processes leading to unacceptable quality outcomes and therefore regulatory risk exposure as a result of conduct, credit or BBB scheme requirement breaches.
  • Obtaining accreditation as a lender for these schemes on the basis of inaccurate or incomplete information.
  • Weakness in underlying data and IT systems resulting into the lender being non-compliant with the schemes and therefore unable to make a claim on the guarantee the relevant scheme offers leading to significant financial loss.
  • Weakness in fraud risk management controls resulting in an inability to prevent, detect and respond in timely manner leading to significant financial loss and reputational damage.

What should Internal Audit be doing?

Phase One

Adapt their audit approach including the reporting mechanisms to respond timely and appropriately to ongoing COVID-19 pandemic developments and provide assurance on a real-time basis to add value. This may include attendance at lending committees in an advisory capacity, a phased approach to agile short form reporting, and thematic / hot reviews.

Internal Audit focus areas for testing of these schemes should include:

  • Adherence to BBB’s accredited lender’s criteria and contract;
  • Design effectiveness and operational effectiveness of the processes and key controls (including lender fraud controls) put in place as a result of participation in the CBILS and BBLS schemes;
  • Appropriateness of the systems and IT infrastructure in place to help ensure accurate implementation of the lending process;
  • Pricing strategy to ensure that adequate proportion of the economic benefit has been passed to the customer;
  • Effectiveness of the controls put in place to ensure accuracy of customer data submitted to BBB required platforms; and
  • Effectiveness of the controls put in place by the business to ensure accuracy of the credit reference agency (CRA) data used for making lending decisions. If other approved lenders are not accurately and consistently recording BBLS and CBILS data in their submission files to CRAs then the customer’s serviceability and debt status could be based on an inaccurate data.


Phase Two

The Government fiscal support packages of CBILS and BBLS have driven significant demand into the lending process, requiring potential short-term tactical solutions to facilitate quick disbursement of funds. There has been little time or capacity to thoroughly assess the outcomes of the approved loans and the injection of such a large amount of credit into the market.

Internal Audit will need to focus on:

  • Undertaking substantive testing of live cases where CBILS or BBLS have been issued and provide proactive feedback on whether lending criteria (based on scheme rules) has been appropriately adhered to and evidenced, and ongoing servicing of the facility is operating effectively;
  • Testing integration of the CBILS and BBLS data into the core banking platform whilst also providing assurance over product classification and accurate reporting to CRAs within the submission file;
  • Reviewing the updates made to lending policies and procedures as a result of lending under CBILS or BBLS schemes; and
  • Reviewing accuracy of the data in core banking systems by undertaking comprehensive review of BBLS and CBILS records on core banking platform vs. external reporting (i.e. CRAs).


What’s next?

The focus on the application of debt programme schemes such as CBILS and BBLS will continue to increase, with the expectation of independent reviews by the regulators a possibility. As such, it is important that firms take advantage of this period to prepare, consolidate learnings from recent months and ensure a resilient approach is embedded.

Sign up for the latest updates

Key contacts

Damian Hales

Damian Hales


Damian is a Partner within the firm’s Financial Risk Measurement team. He has over 26 years of experience in the financial sector and specialises in Credit Risk Management across the full credit lifecycle (from pre-approval and prospecting, to collections and re-structuring) covering retail, commercial, corporate and asset backed lending. Damian also leads Deloitte’s Credit Risk Transformation offerings.