Financial Services Internal Audit Planning Priorities 2021

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2021. We hope this informs your 2021 planning and assurance approach.

3.1. Future of UK Controls

Why is it important?

The UK Corporate Governance Code already establishes a clear responsibility on the whole Board to establish a framework of prudent and effective controls — however, underlying the calls for a US style internal control attestation are very real questions which are being considered by the Business, Energy and Industrial Strategy Committee (BEIS) as a result of the Kingman and Brydon reviews.

Sir John Kingman’s Independent Review of the Financial Reporting Council states that BEIS should give serious consideration to the case for a strengthened framework around internal controls in the UK, learning any relevant lessons from the operation of the Sarbanes-Oxley regime in the USA.

Furthermore, Sir Donald Brydon’s review of the quality and effectiveness of audit, issued to the Secretary of State in December 2019, suggested a number of improvements to a business’s control environment. We understand an announcement from BEIS is due by the end of 2020.

What’s new?

The Brydon Report recommends:

  • The CEO and CFO to provide an annual attestation to the Board of Directors as to the effectiveness of the company’s internal controls over financial reporting and that this attestation be guided by new principles on internal controls reporting to be developed by the Audit Committee Chairs Independent Forum and endorsed by the Audit, Reporting and Governance Authority (‘ARGA’).
  • Companies should be required to disclose when any material failure of their internal controls has taken place and that a disclosed failure would lead to the new CEO / CFO attestation being subject to audit for the following three reporting years.

The attestation process may need to be refreshed should BEIS implement Brydon’s recommendations for an enhanced attestation process.

Operational changes as a result of a period of sustained remote working during COVID-19 may result in a change in the control environment and the need for Management to revisit the risk assessment, with a particular focus on ensuring that key risks and mitigating controls have been identified.

What should Internal Audit be doing?

Internal Audit should consider the following areas of the control environment in conjunction with future announcements by BEIS:

  • Risk assessment - Review the risk assessment performed by Management as part of the year-round financial close process.
  • Attestation - Review the current attestation process performed by the CEO / CFO and other key Management, including the underlying documentation and evidence for the conclusions reached.
  • Key controls - Review the process performed by Management to identify the key controls to ensure financial reporting risks are mitigated.
  • IT controls - IT controls are fundamental to the internal control environment. Management should have a clear view of how the IT controls are integrated into the overarching control environment. Internal Audit should assess the level of integration and the assessment and remediation of IT control deficiencies identified by Management.
  • Fraud risks - Assess Management’s consideration of the impact of events (specifically COVID-19) which have caused significant operational and financial disruption, resulting in increased pressures on businesses, their employees and their stakeholders at a time when the control environment of the entity may be weakened.

Key contacts: Adam Addis and Nicholas Bowker

3.2. Sustainable Finance and ESG

Why is it important?

Sustainable finance aims at integrating Environmental, Social or Governance (ESG) criteria into financial services, and at supporting sustainable economic growth. Pandemic-induced financial decisions made over the next year will shape the global economy for the next decade, just when we must drastically reduce emissions if we want to avoid impacts orders of magnitude worse than COVID-19. As the potential impact of climate change on the financial sector rapidly grows, more and more firms globally are incorporating climate-related risk into their risk universe and building sustainable finance frameworks.

Risk managers cannot ignore the seriousness of identifying, mitigating, and reporting on material climate risk exposure and as with any emerging risk to which the business is exposed, Internal Audit must assess the strength and resilience of the related control environment. Through independent assessment of the strategy, risk management, governance and internal control processes in place to manage the issue, the third line function must challenge firms’ approach in shaping viability and long-term sustainability for the future. 

What’s new?

  • In July 2020, a Dear Chief Executive Officer (CEO) letter was published by the Bank of England on managing climate-related financial risk. The letter has confirmed that firms should have fully embedded their approaches to managing climate-related financial risks by the end of 2021. 
  • In March 2020, the FCA released a consultation paper proposing to introduce a new listing requirement for commercial companies with a Premium Listing on the London Stock Exchange. If implemented, these companies’ annual reports for financial years beginning on or after 1 January 2021, will have to include climate-related disclosure(s) as recommended by the Task Force of Climate-related Financial Disclosures (TCFD), and/or to explain non-compliance.
  • In May 2020, the Network for Greening the Financial System (NGFS) released a guide for Supervisors, setting out five recommendations for courses of action of members of the NGFS as well as the broader community of banking and insurance supervisors to integrate climate-related and environmental risks into their work. 
  • In July 2020, the Climate Disclosure Standards Board (CDSB) produced application guidance to assist companies in the disclosure of material climate-related information in the mainstream report.
  • Principles for Responsible Banking Signatories and United Nations Environment Programme Finance Initiative (UNEP FI) Member Banks have developed a Portfolio Impact Analysis Tool for Banks and a Guidance Document, to support signatories in conducting an in-depth impact analysis as a starting point for effective implementation of the Principles for Responsible Banking.

What should Internal Audit be doing?

Strategy and governance

  • Internal Audit should assess the level of and nature of data inputs, the frequency and degree of formalisation of the sustainable finance strategy, involvement of internal and external parties and whether quantifiable KPIs have been defined and incorporated. 
  • Determine whether governance boards are diverse in knowledge, skills, experience and background to effectively take decisions informed by an awareness and understanding of ESG issues and sustainable finance. 


  • Determine whether the organisation’s risk appetite incorporates sustainable finance and is embedded throughout the organisation’s processes, i.e. departmental KPIs and related reporting.
  • Assess the organisation’s performance against defined strategic KPIs and where necessary, challenge whether internal review of related metrics and KPIs has been conducted. 
  • Review whether all climate related risks have been identified through enterprise-wide risk assessment and supporting mitigating controls are in place for those identified as material.
  • Assess whether risk management MI is adequate in supporting the Board in making decisions regarding climate related risks.

Regulatory compliance and reporting

  • Ensure the 2nd line of defence periodically assesses the evolving regulatory risk environment through appropriately designed mechanisms such as Compliance Monitoring Programmes and that appropriate actions are implemented in a timely manner.
  • Assess how the organisation has addressed new regulatory recommendations for climate related disclosures and ESG related reporting, as well as voluntary disclosure initiatives.
  • Challenge the accuracy of climate related reporting, identifying potential areas which could be perceived as ‘Greenwashing’ by the regulator.

Operations and green products

  • Assess whether the business has a clear understanding of responsibilities in relation to implementing the sustainable finance strategy in day-to-day operations.
  • Challenge how key monitoring metrics are being integrated into day-to-day business management and operations.
  • Challenge engagement with green products, assessing whether operational activities are aligned with the organisation’s sustainable finance strategy. 

Key contacts: Russell Davis and Hetty Van Der Wal

3.3. IFRS 9

Why is it important?

IFRS 9 requires that lenders recognise a loss allowance for credit exposures to accurately reflect Expected Credit Losses (ECL) on a forward-looking basis. Quantifying ECLs is extremely challenging in the current COVID-19 pandemic; the economic and credit outcome is currently highly uncertain and the market has not previously seen such sudden changes in economic activity alongside unprecedented state intervention and behavioural changes.

Loan loss reserving practices and disclosure are coming under significant scrutiny in the market and have already been the subject of multiple regulatory interventions and an elevated level of press comment. Further, ECL and a forward-looking view of credit loss is a fundamental part of loan pricing; there is an immediate need to have accurate ECLs to ensure loans are still adequately priced for risk.

What’s new?

  • Firms’ ECL models may have stopped working effectively, due to market behaviour well outside their design tolerances.
  • Expert judgement in / post model adjustments have become critical; there has been no time to collect data or rebuild models.
  • Control mechanisms for ECL levels and reporting will need to change to reflect the focus on different information sources and estimation techniques, e.g. governance and controls around post-model adjustments may need strengthening.
  • Established approaches to IFRS 9 Staging and identifying problem loans may not cope with recent regulatory guidance and operational practices, for example, the high volumes of treatments being granted.
  • Choice of scenarios, their probability of occurrence and likely loss severity will be a significant driver of Staging and ECL outcome. The high level of uncertainty means narrative and sensitivity analysis will need to evolve in order to demonstrate these material assumptions are supportable.

What should Internal Audit be doing?

Area of Focus

Problem loan identification

  • Review the appropriateness of adjustments made to IFRS 9 Significant Increase in Credit Risk (SICR) and Staging thresholds/criteria to accommodate payment holidays offered to customers.

ECL models

  • Assess the appropriateness of use (or non-use, via judgmental overrides) of ECL suite models, including econometric models as well as Probability of Default (PD)/Exposure at Default (EAD)/Loss Given Default (LGD) models, in the context of the economic, fiscal, supervisory, legislative and social changes driven by COVID-19.

Forward-looking scenarios and weightings

  • Assess the supportability of forward-looking economic scenario forecasts in the context of the uncertain outcome, including uncertainties regarding the characteristics of the virus and the timing of availability of therapies/vaccines.
  • Ensure governance, controls and internal reporting are effective in the new environment, with an emphasis on overlay/post model adjustment governance processes.

Key contacts: Ian Wilson and Justin Le Blanc

3.4. IFRS 17

Why is it important?

Internal Audit functions in the UK are at different stages with regard to IFRS 17 assurance planning and are currently reassessing and adjusting their holistic assurance timelines. IFRS 17 has a number of areas of complexity and challenge and prioritising these can be difficult. Below we consider some of the key methodology decisions, highlighting common high risk areas and Internal Audit's approach for providing assurance that informs governance around methodology.

What’s new?

Internal Audit functions are reconsidering their assurance timelines for two reasons – COVID-19 has changed Internal Audit’s and organisations’ wider plans for 2020, and, during March, it was announced that the effective date of IFRS 17 will be deferred to 1 January 2023, prompting project teams to consider refreshing their own timelines. With many programmes on the cusp of transition from design stage into execution, assurance over the IFRS 17 applicability assessment performed across the product portfolio is an important early milestone in ensuring the implementation programme covers all insurance contracts as defined within the standard.

Certain key decisions, the working assumptions, are made early and drive downstream effects of the implementation programme. For example, adopting the General Measurement Model (GM) will require many organisations to modify existing systems and databases to capture additional contract or portfolio level data; whereas the Premium Allocation Approach (PAA) may not require such a significant change to the organisation’s existing infrastructure (but may introduce different risks). The cost associated with identifying and correcting inappropriate accounting policy or methodology choices during the implementation programme can be substantial and may put key deadlines at risk.

What should Internal Audit be doing?

While IFRS 17 introduces numerous accounting policy choices, the following methodology related decisions are some of the most pivotal in driving implementation. These should be the focus for independent assurance and challenge, ensuring appropriate controls and governance around the approach, data, judgements and assumptions behind each. These areas typically form some of the initial working assumptions agreed by project teams but are equally important further into implementation.

  • Understand what the business has already done: Make sure the business has identified the decision makers at group and, where applicable, subsidiary levels for determining accounting policy choices and governance processes for change mechanisms are in place, noting that these may currently be untested. In particular, IFRS 17 working assumptions should have been approved and Internal Audit should explore how the integrity of this process was maintained.
  • Gather information: To help evaluate the consistency of decision making between countries, business units or classes of business and understand whether reasons for differences are appropriate, auditors will need access to relevant information on an ongoing basis. Information may be in the form of simple or complex data, or more strategic in nature such as future acquisitions which may bring in new lines of business.
  • Assess Internal Audit capability: Assess whether Internal Audit has the right skills in the team to appropriately challenge the business and be confident whether appropriate information has been considered.
