Building on new approaches

2019 planning priorities and key challenges for Internal Audit in Financial Services

The fifth edition of our annual report on the planning priorities for Internal Audit in Financial Services provides an overview of the developments and challenges faced by audit functions and where they could focus over the next year.

Focus on functional transformation

The financial services landscape in 2018 is, in many ways, little changed from this time last year. Interest rates remain low, corporate strategies remain focused on cost reduction, and the uncertainty of Brexit continues to dominate the political agenda.

Despite this, it is clear from the breadth of topics that the role of internal audit (IA) in Financial Services (FS) continues to evolve. IA is being challenged to provide increasingly complex assurance and the focus on functional transformation, which we first articulated in our 2018 publication, continues. Reflecting this, the theme of this year’s publication is ‘building on new approaches’.

For the first time we have included a dedicated section focusing on some of the new tools and techniques available to IA to deliver their evolving mandate. Agile auditing, the use of automation and the talent needs of the IA teams of tomorrow are all featured. Whilst readers may be familiar with some of these terms, the inclusion of topics such as risk sensing and behavioural analytics represents the cutting edge of internal auditing and demonstrates how technology is changing the way our profession works. We develop such topics further in a separate publication, Internal Audit 3.0, released earlier this year.

New areas of focus

There are also a number of new focus areas to consider for inclusion in annual audit plans. We anticipate an increased emphasis on digital risks (including artificial intelligence and cloud computing), a renewed focus on prudential risks (including model error risk) and an acknowledgement that sustained M&A activity is increasingly requiring IA functions to confront the challenge of auditing high-risk Fin and Reg Tech acquisitions.

Our report provides further detail on each of these interesting topics. For each of the topics you will find a brief commentary providing some background, along with notes on how the topic can be audited and some of the potential challenges that you may face.

Explore the themes...

Digital Risk

  • Artificial Intelligence and Robotic Process Automation
    Evolving process efficiency

    Artificial Intelligence (AI) makes use of machine learning, visual recognition and natural language processing techniques, with advanced algorithms offering the ability to analyse data in an “intelligent” way. This can in turn drive operational and cost efficiencies as well as strategic transformation programmes, resulting in better and more tailored customer engagement. 

  • Cyber
    Shielding digital assets

    Cyber risk remains a key priority for all stakeholders in FS, emphasised by the fact that the new Chairman of the US Federal Reserve identified cyber threat as ‘maybe the single most important’ risk to FS today.

  • Data Privacy and GDPR
    Ensuring ongoing compliance

    Data protection continues to be a topic of ongoing discussion, challenge and focus by management, Boards, and IA alike.

    While GDPR came into force on the 25 May 2018, many organisations had “risk-accepted” long before that date that they would not be fully compliant with the legislation. As such, many have focused on what they deem as their “high risk” areas to establish what they hoped would be a defensible and pragmatic approach for when the new legislation became enforceable.

  • Cloud
    Backing up data safely, securely and efficiently

    The FS sector has seen rapid growth of cloud services and 'cloud first' strategies. As a result, IA’s ability to understand the impact of migrating data to, and use of, the cloud as part of the organisation’s operational risk profile is critical.


Strategy & Change

  • Countdown to Brexit
    Navigating a fast changing environment

    Many of the larger firms have spent considerable time and effort to design and implement new European or UK operations that will safeguard their business in a post-Brexit environment. It is important that these plans are now translated into efficient and workable business solutions to ensure implementation prior to the 1st March 2019.

  • Crisis Management
    Actively protecting brand value and reputation

    In a rapidly evolving world, organisations find themselves operating in a landscape of uncertainty with heightened risk and stakeholder scrutiny. These risks can come from geopolitical, economic, financial and societal events through to corporate misdeeds and high impact operational or technological failures.

    Crises present the biggest and growing threats to corporate value and executive reputation. Organisations that fail to effectively deal with the risk of crisis can see their reputation, strategic interests, bottom line, and even their existence, threatened or destroyed.

  • Disruption: Challengers, Fin & RegTech
    New ideas, new players, new risks

    Disruption is happening across the financial services landscape, with new technologies enabling challenger firms to reduce costs, develop rapidly, and revolutionise the value chain.

    RegTech businesses in particular are providing simple, cost effective ways to deploy technologies that can simplify and streamline system processes and procedures, dramatically reducing the burden on a firm's control function.

  • Ring-Fencing
    Protecting business and creating a safer environment

    The largest UK banks are required by law to separate their retail banking services from their investment and international banking activities with effect from 1 January 2019.



  • Customer Vulnerability
    A key area of focus for the FCA

    Vulnerability is not set in stone, nor is it a permanent state. It can range from physical disability, mental illness, financial literacy challenges, and also age. Firms must cater to a broad range of customers and not just the ‘perfect’ customer.

    Risks surrounding customer vulnerability can present themselves in a variety of ways, for example: inadequate or inappropriate advice for an elderly borrower; customers being at an increased risk of being subject to financial crime; failure to provide documentation in a form accessible to a visually impaired consumer; failure to establish appropriate forbearance strategies; etc.

  • Pricing
    Pricing practices that support fair customer outcomes

    The FCA is currently undertaking a thematic review of pricing practices in the General Insurance market. This review represents the culmination of its focus on three linked areas across the past couple of years; value in the distribution chain, the use of Big Data by insurance companies and its impact on customers, and the market’s treatment of vulnerable customers.

    With the FCA conducting this review, and a clear view that customers should not be charged different prices for products where there is no clear cost difference to the firm, IA are increasingly being tasked with reviewing firms' pricing practices to provide assurance to the Board in this area.

  • Provision of Credit
    Ensuring affordable and sustainable lending decisions

    Whilst the FCA have specific requirements around affordability and creditworthiness, it is largely up to firms to determine when to advance or amend a customer’s access to credit. The onus is therefore on the lenders to ensure customers are able to repay their credit balance both now and in the future. Assessing the risk to the customer in these two ways brings an added ambiguity to the process.

    With interest rates likely to increase, today’s lending decisions must be sufficiently robust to protect both the customer and lender and manage future arrears levels.



  • Financial Crime
    Assurance over an evolving financial crime environment

    The embedding of relatively sophisticated conduct risk frameworks, coupled with an evolution in geopolitical sanctions regimes and changing legislation has contributed towards firms reconsidering the sophistication of their financial crime frameworks.

  • SWIFT Customer Security Programme (CSP)
    Creating a more secure payment environment

    The CSP is an initiative led by SWIFT to develop core security standards and an assurance framework applicable to all customers. The initiative is intended to identify mandatory controls that all SWIFT users must comply with, as well as additional advisory controls to be implemented at the user’s discretion.

    SWIFT users were required to submit an initial self-attestation by the end of December 2017, with a second self-attestation demonstrating full compliance being required by the end of 2018. Failure to comply can ultimately result in exposing the organisation to reputational risks, especially in instances where SWIFT publicly report non-compliant firms.


New regulation

  • Insurance Distribution Directive (IDD) 2018
    Providing assurance post implementation

    MiFID II is one of the core regulatory pillars of the European FS market and will impact everyone engaged in the dealing and processing of financial instruments.

    MiFID II encompasses a broad set of requirements and obligations for firms that are linked through a number of overarching objectives: increased market transparency and transaction reporting, improved execution, greater clarity on trading and investment costs, orderly trading behaviour within markets, enhanced product governance, and improved conflicts of interest management.

  • Payment Services Directive (PSD2)
    Developing a new payment landscape by 2020

    PSD2 came into effect in January 2018, bringing significant new compliance responsibilities in relation to the provision of payment services to consumers and corporates. The major changes to the payments landscape include Third Party Providers (TPPs) having the ability to initiate payments, access account information on behalf of customers and apply Strong Customer Authentication for electronic payments.

    PSD2 poses significant regulatory and operational risk to Payment Service Providers (PSPs) and will impact a range of business areas. Its implementation requires cross-functional collaboration to achieve compliance, owing to a high level of complexity and inherent risk.

  • IFRS 9, 15, 16 & 17
    IFRS changes will bring operational and implementation challenges

    With IFRS 9 & 15 already introduced, and the introduction of IFRS 16/17 scheduled in the coming years, the accounting landscape is rapidly evolving. All of these accounting standards will have a major impact across organisations and, with each of the standards at a different stage of transition, businesses will have choices to make around prioritisation and the extent to which the new standards are material to the organisation.


Prudential risk

  • Exposure Management
    Minimising catastrophe risk

    Exposure management is a key element of any insurance firm’s risk management strategy. A well formulated exposure management framework is a key contributor in the effective pricing of risks, risk retention, reinsurance management, and solvency and capital management.

  • Model Risk Management
    Enabling active management of model error risk

    Model Risk Management and consideration of the end-to-end modelling process is a key priority within the FS market.

    The Federal Reserve System has recently announced regulation (SR11/7) aimed at formalising model governance in banking. In addition, the ECB launched a Targeted Review of Internal Models initiative, and the Bank of England PRA Stress Test 2017 guidance aimed to create more risk-focused model management in the market.

  • Solvency II – Matching Adjustment
    Demonstrating ongoing compliance with Solvency II

    The Matching Adjustment (MA) is an important tool for insurers with annuity portfolios. It results in a material reduction in the best-estimate of liabilities (BEL) and the solvency capital requirement (SCR) for a business through discounting at a rate higher than the risk-free rate.

    The MA is only available after a firm has successfully applied to the PRA and demonstrated that it meets, and has the processes and controls in place to continue to meet, the Solvency II regulations and PRA requirements. This includes ensuring a close ongoing match between annuity cashflows and the cashflows from its assets.



  • Oversight of 3rd parties (Part A – General)
    Identifying and mitigating third party risk

    Recently, there have been several high profile cases where third party supplier failure, or the inappropriate actions of suppliers, have caused either monetary loss or reputational damage. Oversight of 3rd parties has been raised in previous iterations of this publication; however, given these high profile failures, it is clear that the risk has crystallised and concern in the market continues to be well placed.

  • Oversight of 3rd parties (Part B – IT & Technology)
    You can’t outsource risk

    The trend in outsourcing IT functionality is increasing, and will likely continue to do so given the availability and value of IT outsourced services.

    There are various levels of IT outsourcing, with the risk increasing as the provider has greater levels of access to a firm’s data and/or systems configurations.

  • Risk Culture
    Proactively assessing a firm’s risk management sophistication

    Risk Management, driven by regulatory pressures and the desire for competitive advantage, is at the heart of why risk culture is at the top of many Boards’ agendas.

    Increasingly, risk culture is seen as a priority measure for IA (acknowledged by reference within the recently updated FS Code). In particular, a risk intelligent culture is seen as the ‘invisible glue’ that makes financial institutions work. Also, auditing and assessing risk culture profiles across population demographics is critical for monitoring traction on transitioning towards a desired risk culture.



  • Indirect Taxation
    Addressing a changing regulatory landscape

    Indirect taxes are becoming more relevant for FS firms with the introduction of new VAT/Goods and Services Tax (GST) regimes in places such as the Middle East.

    In a similar manner, there is a growing expectation from HMRC in the UK that a company’s tax position is proactively managed and that a greater emphasis is placed on tax at board level – this has led to the introduction of new reporting regimes such as the Senior Accounting Officer (“SAO”).

  • Transfer Pricing
    Ensuring a globally consistent approach

    A transfer price (TP) is the price charged in a transaction between two related legal entities. As businesses become more global and with international tax issues high on the political and regulatory agenda, TP issues are a re-emerging area of concern.

    HMRC and other tax authorities have increased their functional capabilities, incorporating technological developments (such as analytics) when undertaking transfer pricing reviews.


Audit 3.0

  • Agile Internal Audit
    Better, faster, happier

    In our 2018 publication, we highlighted Agile as an emerging topic, where leading functions had begun applying the values and principles to their internal audit work. Since then, there has been a significant increase in the number of IA departments adopting Agile across FS.

    Agile IA is a mind-set supporting a collaborative environment for audit and the business to solve audit problems through taking an iterative, time-boxed approach.

    Agile may not be for everyone, and careful consideration should be given to the potential benefits to each specific financial institution of adopting such an approach, compared to the costs involved. Hence many IA functions have taken a workshop and pilot approach to assess these factors before deciding whether to undertake more significant investment. Once you have clarity on your vision and Agile IA blueprint, the next step is to pilot.

  • Talent
    Addressing the Internal Audit resourcing needs of the future

    As this document clearly demonstrates, there is an increased focus on the role and remit of IA, and audit committees are increasingly challenging functions to provide more complex assurance. With this, there is greater emphasis on hiring from non-traditional IA backgrounds (e.g. accountants) in favour of industry and subject-matter specialists (e.g. actuaries, conduct and risk specialists, data scientists, etc.).

    Addressing IA’s talent needs through diversification of the team will allow IA to respond to both today’s and tomorrow’s challenges.



  • Quality Assurance (QA)
    Continuous improvement, value creation and culture

    The remit, scope and approach of audit functions is under increased focus, with stakeholders and regulators looking to assess the value, the reach and the impact of IA.



  • Web-Based Risk Sensing (WBRS)
    Using open-source data to identify emerging risks

    The increased focus on data has prompted new, efficient and targeted ways of accessing and analysing information. Risk sensing, the practice of analysing open-source data, can help identify emerging risks.

  • Behavioural Analytics
    Technologies designed to quantify conduct risk

    Companies are facing unprecedented levels of regulatory scrutiny, with a particular focus on conduct risk and firms’ ability to identify and monitor the risk of poor outcomes for customers.

  • Call Monitoring Technology
    New insights through the deployment of innovative solutions

    There is a growing level of expectation from the FCA’s conduct risk agenda to ensure that services offered achieve a positive customer outcome. Current review processes are typically resource intensive, with large teams devoted to reviewing customer interactions.

    The use of technology provides an opportunity to review and enhance existing business processes and controls in this area. Voice analytics platforms use cognitive technology and risk algorithms to monitor voice interactions based on tone of voice and behavioural and human emotional tendencies.



  • Risk Assessments
    Increased transparency in the assessment and audit of risks

    Some IA functions have found that a traditional planning model can lead to a lack of transparency in the risk assessment process with audit plans based on risk-assessing auditable entities not necessarily translating later in the audit cycle into detailed focus on the key risks.
