Article

Financial

Financial Services Internal Audit Planning Priorities 2022

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2022. We hope this informs your 2022 planning and assurance approach.

3.1. ESG and Climate Risk



Why is it important?

Growing investor and regulatory awareness and concern over the need to address social and environmental issues is driving the rapidly increasing interest in Environmental, Social and Governance (ESG) factors and sustainable finance. As Regulators set out their expectations for how financial institutions should manage climate related financial risk, including modification of governance and risk management frameworks, development of scenario analysis and stress testing, and disclosure of climate change related issues, it is vital that the Internal Audit function challenges the firm’s response to this. As a society, customers are now aware of the growing urgency to build relationships with those businesses who can demonstrate that their practices are aligned with society’s goals and ambitions. Reputational risk has become key as it flows from firms’ responses to embedding climate risk within their business, therefore Internal Audit should challenge whether firms have suitably assessed their related exposure to reputational risk and whether the impact of handling these issues poorly has been considered.

What’s new?

Regulatory Expectations:

  • In November 2020, the European Central Bank (ECB) published their supervisory expectations with respect to the risk management and disclosure of climate and environmental risk, applicable with immediate effect. Illustrating that a firm must treat climate and environmental risk holistically, the supervisory expectations are cross-cutting across an entire firm. Most importantly, the ECB has defined how the Third Line should respond in relation to emerging risk, stating: “IA functions should review the internal control and risk management framework, by considering external developments, changes in the risk profile and in products and/or business lines, to establish the extent to which the institution is equipped to manage climate-related and environmental risks.”
  • The ECB contacted specific firms at the beginning of 2021, highlighting their expectation for firms to complete their self-assessment against the ECB requirements together with defined suitable action plans for implementation of the framework with deadlines of February 2021 and May 2021 respectively.
  • The expectation of the Prudential Regulation Authority (PRA) for firms is to fully embed their approach to managing climate-related financial risk by the end of 2021.
  • The Financial Conduct Authority (FCA) has confirmed that, from 1 January 2021, premium listed companies in the UK will be required to provide disclosures about how climate change affects their business, consistent with the recommendations of the Taskforce on Climate-related Financial Disclosures (TCFD).
  • The Sustainable Finance Disclosure Regulation (SFDR) introduced various disclosure-related requirements for financial market participants and financial advisors at entity and product level, applicable as at 10 March 2021.

Political Influence:

  • The UK Government released a TCFD implementation roadmap setting out the expectation for all listed issuers and large asset owners to comply with the TCFD disclosure requirements by 2022, whilst mandatory disclosure for all firms is expected by 2025.
  • As investors demand for green bonds increases, the UK Government has pledged to issue the UK's first Sovereign Green Bond in 2021 and has confirmed it intends to fully implement a ‘Green Taxonomy’ to provide a common standard for measuring firms’ environmental impact, building on the scientific metrics in the European Union taxonomy as its basis.

ESG Wider Considerations:

  • The CEO of the FCA highlighted in her speech during the ‘Launch of the HM Treasury Women in Finance Charter Annual Review’, why diversity and inclusion matters, setting out the Regulators commitment to explore whether diversity requirements should be made part of premium listing rules.

What should Internal Audit be doing?

Area of Focus

Description

ECB Guide on Climate Related Risk
  • When designing and developing the Internal Audit Plan, Internal Audit should consider whether there is suitable coverage to incorporate the assessment of the firms response to all focus areas set out in the climate related regulatory expectation and supervisory guidance. Considering individual focus areas such as risk management or strategy, Internal Audit must ascertain how the firm has incorporated climate risk and ESG into existing control frameworks.
  • Where the business has provided self-assessments against regulatory expectations, Internal Audit are well placed to ensure there is an appropriate level of input and review; ascertain whether supporting action plans suitably address gaps identified; and incorporate well-defined road-maps that demonstrate to the Regulator how the firm intends to meet regulatory requirements.
Reputational Risk
  • Internal Audit should identify and challenge Management in areas that could be perceived as ‘Greenwashing’ by both the general public and the Regulator. In doing so, Internal Audit must ascertain how the firm’s financing activities, both direct and indirect, are reflective of the ESG strategy.
  • There are a number of globally recognised voluntary initiatives across the industry to which a firm may sign up in order to enhance their positive contribution to society as a whole, for example, ‘The Principles for Responsible Banking’ ensures that signatory Banks commit to aligning their business with ambitious targets that contribute to global and national sustainability goals. Internal Audit can challenge the firm’s commitment to addressing global social, economic and environmental issues through assessment of engagement with such initiatives, addressing the culture and tone of the firm.
Diversity and Inclusion and wider ESG
  • Whilst much of the European and UK regulation in this space so far has been climate focussed, industry direction and regulatory guidance could be expected to incorporate wider ESG issues in the future. Internal A are well placed to challenge the firm’s readiness and current infrastructure and business model for measuring and reporting on a wide range of ESG topics.


Key contacts: Hetty Van Der Wal and Russell Davis

3.2. Liquidity Risk Management for Insurers



Why is it important?

Insurers face inherent liquidity risks in their business models, and these must be appropriately managed to ensure consumer protection and ongoing viability of business services. As regulatory interest has moved beyond just the management of financial risk and towards an expectation of all round financial resilience, the prominence of liquidity risk has increased. Effective and sound management of this risk has a key role to play in ensuring firms’ resilience to financial shocks, with most firms finding that they need to potentially make significant enhancements to meet regulatory expectations.

We expect that all insurers, not just those with obvious and substantial liquidity risk exposures, will have to potentially make significant enhancements to their liquidity risk management frameworks.

What’s new?

  • Previously, insurers were not subject to the same level of liquidity adequacy rules as Banks. However, over recent years regulatory concern has grown, as the Prudential Regulation Authority (PRA) considers insurers to be underestimating their liquidity requirements and risk, whilst also experiencing worsening market conditions.
  • In June 2019 the PRA issued Supervisory Statement (SS) 5/19, which sets out significantly enhanced expectations on insurers as follows:
    • Liquidity risk management framework: Insurers must establish an effective system of governance and risk management. This includes a liquidity risk appetite statement, allocation of responsibilities and reporting lines, and the use of quantitative metrics which are monitored and reported on to the appropriate forum;
    • Sources of risk: Insurers must understand the potential sources of risk specific to their business. The risk is likely to come from a broad range of sources, such as asset, liability and concentration;
    • Stress testing: Firms must conduct stress testing and scenario analysis for all risks in their system, including liquidity; and
    • Liquidity buffers: Insurers should include a buffer in calculating their liquidity needs and prudently monitor their liquid assets to help ensure contingency of services.
  • As liquidity risk management capabilities and processes evolve, it is important that firms continue to assess and address aspects of their liquidity risk management that improves transparency and agility in line with the expectations from the Boards and the Regulators and to support increased focus on strategic liquidity management.

What should Internal Audit be doing?

Area of Focus

Description

Liquidity risk management framework

Internal Audit should perform a review of the firm’s framework on liquidity risk management against the proportional requirements of SS5/19. Internal Audit should assess if the liquidity risk management framework adequately captures all of the key components, including but not limited to:

  • Risk assessment;
  • Stress testing;
  • Risk appetite setting;
  • Liquidity buffer setting;
  • Risk monitoring; and
  • Liquidity contingency plan.

Internal Audit should also assess whether the governance and roles and responsibilities in liquidity management are clearly defined.

Regulatory expectations

Internal Audit should assess the gap analysis performed by Management to understand whether the current capabilities and processes are in line with the regulatory expectations, including a review of the remediation plans defined to address the gaps.

Inclusion in risk management internal audits

Liquidity risk should be audited as a core part of any end-to-end risk management audits, to help provide assurance and confidence over the firm’s implementation of the new guidance and the resulting liquidity status.

Leverage subject matter expertise

Subject matter experts should be used to perform audit planning and/or carry out testing and reporting, together with understanding the adequacy of the Liquidity risk framework against industry good practices.


Key contacts: Henry Basing and Aaron Oxborough

3.3. IRB Delivery Programmes



Why is it important?

Internal Ratings-Based (IRB) firms are required to apply a suite of ‘IRB roadmap’ model changes by 1 January 2022 in order to remain compliant in their calculation of regulatory capital. These regulatory changes can have a profound impact on probability of default (PD), exposure at default (EAD) and loss given default (LGD) risk parameter estimates, and hence capital estimation for a firm’s banking book. Failure to evidence compliance with this new regulation can ultimately threaten a firm’s IRB status as well as increase the ‘margin of conservatism’ required for estimates, leading to higher capital charges. Ultimately this is also coupled with reputational risks from Regulators if the model development programme is perceived to be low quality. As a result, many Banks are conducting significant IRB enhancement programmes over the next few years, in order to ensure the required process changes, model redevelopments and regulatory submissions are all delivered effectively. These programmes are often high risk, with tight timelines exacerbated by the volume of model changes required and extensive submission requirements. Across the banking industry, from Tier 1s with established IRB rating systems to challenger firms applying for IRB status, there is an increased onus for successful submission for IRB approval. As a result, assurance from Internal Audit on the effectiveness of delivery from these programmes is critical. Please also refer to our IFRS 9 ECL Estimation topic given its relevance to IRB Delivery Programmes.

What’s new?

  • A number of new IRB regulatory requirements require implementation, including:
    • Updated conditions for the definition of default (DoD), such as addition of unlikeliness-to-pay (UTP) criteria, conditions for curing, and materiality threshold for credit obligations past due;
    • Inclusion of new requirements to model LGD for ‘in-default’ exposures, including calibration to downturn and ‘point-in-time’ (as the ‘best estimate of expected loss’);
    • Introduction of extensive requirements for downturn LGD calibration, including regarding the identification of a downturn period; and
    • Requirement of cyclicality measurement of PD rating systems, for quantification of long run average (LRA) PD, for calibration purposes. For UK Mortgages, this was coupled with the requirement to build a model to extrapolate default information back to the 1990s, where available internal data does not cover this.
  • As liquidity risk management capabilities and processes evolve, it is important that firms continue to assess and address aspects of their liquidity risk management that improves transparency and agility in line with the expectations from the Boards and the Regulators and to support increased focus on strategic liquidity management.

What should Internal Audit be doing?

Area of Focus

Description

Regulatory compliance

Verify that model development and validation controls are operating in line with regulatory requirements. Due to the technical nature of IRB regulation, often this requires input from subject matter expert’s (SME’s) in order to appropriately challenge the relevant model development, validation and approval controls. Areas of technical review include model methodology, performance testing and assessment of data quality. Furthermore, SME support is often necessary to provide assurance that regulatory self-assessments are sufficiently complete and accurate.

Processes and controls

Review of the relevant processes and controls across the model lifecycle, with assurance that these have been sufficiently followed prior to regulatory submission. This includes assessment of:

  • Evidence that standards on model development, validation and monitoring have been adhered to in the model change processes; and
  • Evidence of sign-off on submission of models/material model changes from the necessary functions (such as Model Governance Committees).
Programme assurance

Assess and provide assurance that the regulatory change programme has been effectively managed, in order to ensure successful submission to Regulators. This includes assurances on:

  • A clear vision of the IRB model change landscape, such as identification of objectives of delivery and the relevant portfolios under IRB scope;
  • Effective programme governance (such as project plans, Risks, Assumptions, Issues and Dependencies (RAID) logs etc.); and
  • Clear identification of relevant stakeholder groups and functions, alongside definitions of roles and responsibilities in the delivery programme.


Key contacts:Rohan Gokhale and Ian Wilson

3.4. IFRS 17



Why is it important?

Internal Audit functions in the UK are at different stages with regard to IFRS 17 assurance planning and are currently reassessing and adjusting their holistic assurance timelines. For many insurers the effort and cost has grown significantly from initial expectations and may continue to do so through to programme completion, as solutions are embedded, tested and re-worked. Also, in some organisations programmes have not yet been far enough progressed to enable meaningful audit activity to take place so Internal Audit may be planning its first real look at the detail in the current year. IFRS 17 has a number of areas of complexity and challenge and prioritising these can be difficult. Below we consider some of the key methodology decisions, highlighting common high-risk areas and Internal Audit's approach for providing assurance that informs governance around methodology.

What’s new?

Internal Audit functions are reconsidering their assurance timelines for two reasons—first, the impact of COVID-19 has changed the plans of Internal Audit and the wider organisation for 2021, and during March 2021, it was announced that the effective date of IFRS 17 will be deferred to 1 January 2023, prompting project teams to consider refreshing their own timelines. With many programmes on the cusp of transition from implementing IFRS 17 solutions into testing, assurance over the controls design and their operating effectiveness over the IFRS 17 new financial processes is an important milestone to identify and remediate any control weaknesses in advance of external audits.

Certain key decisions, the working assumptions, are made early and drive downstream effects of the implementation programme. For example, adopting the General Measurement Model (GM) will require many organisations to modify existing systems and databases to capture additional contract or portfolio level data; whereas the Premium Allocation Approach (PAA) may not require such a significant change to the organisation’s existing infrastructure (but may introduce different risks). The cost associated with identifying and correcting inappropriate accounting policy or methodology choices during the implementation programme can be substantial and may put key deadlines at risk.

What should Internal Audit be doing?

Internal Audit has a key role to provide assurance over the IFRS 17 programme between now and completion of implementation in 2023. The nature of audit work that can be performed will be driven by the progress the business has  made.

In 2020, with affected insurers having completed their impact assessments and moving into the solution implementation phase, the natural scope for Internal Audit appeared to be project assurance. 

In 2021, Internal Audit scope could include methodology, as the business designs/implements solutions following conclusion of the gap assessments. Internal Audit will need to be mindful of the role of the external auditor, who will ultimately need to sign-off on the chosen technical methodology and remain connected on any technical points being raised and the management of their impact on the wider project. 

In the final year of 2022 before go live, companies will be focussed on producing comparative period financial results ready for publishing externally in their financial statements in the following year. This will be the first time the entire financial reporting process is run end to end. At this stage, Internal Audit can provide assurance over the design and operating effectiveness of controls over the reporting process, in advance of external audit to identify  and remediate any weaknesses.

Internal Audit should consider assurance activity in the following areas during 2022:

  • Governance, program benefits and change management;
  • Technology solutions including general IT controls (GITCs);
  • Controls over dry runs/parallel runs;
  • Data migration, transformation and security;
  • Controls over modelling governance;
  • Financial planning, budgeting and reporting processes; and
  • Actuarial and risk management processes.


Key contacts: Anjali Savani and Charlie Scarr

3.5. IFRS 9 ECL Estimation



Why is it important?

During the initial stages of the COVID-19 pandemic, estimation of Expected Credit Loss (ECL) for calculation of loan impairment became more challenging for firms, due to sudden changes in economic activity coupled with unprecedented levels of Government support, which caused the classical relationships between economic activity and credit behaviour to break down. With core modelling and data assumptions becoming invalid under these new conditions, many firms were forced to apply expert-based Post Model Adjustments (PMA) to their model estimates in order to generate ECL estimates as accurately as possible.

A year later and firms are now facing a new challenge; ahead of improved economic baseline forecasts, these incumbent PMAs are in some instances becoming overtly optimistic, leading to a risk of “see-saw” estimation, with impairment swinging well below the acceptable range. Furthermore, as COVID-19 era information starts to crystallise into Banks’ risk data warehouses, firms will need to consider whether this data is usable for BAU-type activities such as model monitoring and redevelopment. Internal Audit’s assurance regarding the accuracy of IFRS 9 ECL estimates is therefore critical, due to the significance of the impairment calculation as well as its volatile and subjective nature. Please also refer to our IRB Delivery Programmes topic given its relevance to IFRS 9 ECL Estimation.

What’s new?

  • PMAs applied to SICR (Significant Increase in Credit Risk) and ECL model estimates will need to be revised as conditions change in the credit and economic environment. The timing and methodology of PMA unwinding is critical, in order to mitigate inappropriate volatility in ECL estimates, whilst ensuring provision levels are kept accurate and up-to-date.
  • Intrinsic modelling assumptions must be addressed, particularly regarding the association between loss estimates and economic forecasts, ahead of prospective conditions changing and potentially new external effects (such as withdrawal of Government support schemes).
  • COVID-19 era outcome data is starting to become available in firms’ risk datasets, this needs to be effectively incorporated into business as usual (BAU) type activities such as model performance monitoring and re-development. This will force firms to face a number of questions, such as:
    • Should COVID-19 era data be included when developing new macro-models, despite the likely implausible relationships observed in this period (for example reducing Gross Domestic Product (GDP) with unemployment stable due to Government support schemes)?
    • Should COVID-19 era data be considered as a potential downturn candidate, for example, in use of downturn Loss Given Default (LGD) calibration or economic cycle definition?
    • Whether a firm’s IFRS 9 default definition should be adapted, for example, to incorporate extenuating initiatives on customer credit, such as payment holidays and the large-scale forbearance activities that resulted from COVID-19?

What should Internal Audit be doing?

Area of Focus

Description

PMA unwinding Review the appropriateness of current PMAs applied to SICR and ECL estimation, assessing the degree to which PMAs should be adapted based on current (and prospective) economic and credit conditions. Timing of PMA unwinding should be considered, in order to mitigate potential volatility or inaccurate estimation.
ECL models Assess the core modelling assumptions and limitations of current ECL models, particularly where assumptions were breached, and subsequently have led to introduction of short-term PMAs. Any model changes should pass through the necessary processes and controls, including review and model approval from the appropriate governance functions.
Forward-looking scenarios and weightings Assess the process where forward-looking economic scenarios are forecast in order to inform probability-weighted lifetime ECL estimates. The selection of these possible future scenarios and their weighting is one of the most material aspects of the ECL calculation. Particular consideration should be given to potential volatility of forecasts arising from uncertainty in predicting economic conditions in post-COVID-19 scenarios.
COVID-19 area data Assess whether necessary processes, controls and governance have been followed in the application of new COVID-19 data in BAU activities. For example, inclusion of COVID-19 data in model development should be assessed and sufficiently justified, alongside sign-off from the relevant governance functions.


Key contacts:Rohan Gokhale and Justin Le Blanc

3.6. Future of UK Controls



Why is it important?

The UK Corporate Governance Code already establishes a clear responsibility on the whole Board to establish a framework of prudent and effective controls — however, calls for a US style internal control attestation are being considered by the Business, Energy and Industrial Strategy Committee (BEIS) as a result of the Kingman and Brydon reviews. Sir John Kingman’s independent review of the Financial Reporting Council (FRC) states that BEIS should give serious consideration to the case for a strengthened framework around internal controls in the UK. Furthermore, Sir Donald Brydon’s review of the quality and effectiveness of audit to the Secretary of State issued in December 2019 suggested a number of improvements to a business’ control environment. The BEIS consultation required responses by 8th July. Responses are being collated and considered with the outcomes expected to be published in late 2021 or early 2022. As well as preparing for the future requirements, businesses are using this as a platform to reassess and transform their processes and controls.

In a recent interview Sir Jon Thompson, Chief Executive of the FRC, confirmed his expectation that a form of UK SOX will be introduced in 2023/24, that ministers are very engaged in the topic, and that in due course the scope of compliance will extend to large privates.

What’s new?

BEIS issued a consultation paper in March 2021, with responses received up to 8 July 2021. The consultation paper expanded on the reviews already performed by Kingman and Brydon, on which Deloitte formally responded to the consultation.

Options expanded on in the BEIS paper include:

  • Company Director’s being required to attest as to the strength of internal controls;
  • The external audit report required to provide detail on the work the external auditor has done on the internal control environment without a formal opinion; and
  • A formal opinion on the strength of internal controls from the external auditor.

The consultation sets out a tentative preferred option which would require a Directors’ statement about the effectiveness of the internal controls but (unlike the US’s approach to internal controls which mandates external auditor attestation in most cases) leave the decision on whether the statement should be assured by an external auditor to the Directors, Audit Committee and shareholders. The paper makes clear that this preferred option is not intended to shut down discussion of alternatives.

Notably, the scope of controls over reported information is likely to extend beyond solely financial reporting with specific proposals regarding payment practices, Climate-related Financial Disclosures and implementation of an Audit and Assurance Policy.

All of this is expected to be overseen by a new, strengthened Regulator, the Audit, Reporting and Governance Authority (ARGA) who will provide oversight of Audit Committees and will likely benefit from increased ability to enforce the Act not dissimilar to the Public Company Accounting Oversight Board (PCAOB) and Securities and Exchange Commission (SEC) within the US.

For many organisations not already listed in the US, this will be a require a lot of effort to assess, build and implement a new controls operating model, develop a risk based controls framework and embed the necessary technology to deliver. The time to act is now to deliver on these requirements.

What should Internal Audit be doing?

Area of Focus

Description

Readiness assessments

Internal Audit should be a key partner to the business in assessing readiness, through:

  • Supporting a quantitative and qualitative risk assessment, helping to ensure any control framework is risk-aligned addressing the most pertinent present and upcoming risks;
  • Reviewing the process performed by Management to identify the key manual, automated and general IT controls to ensure financial reporting risks are mitigated. Assess the First and Second Lines of Defence approach in documenting these, identifying gaps and stress testing remediation plans, supporting a successful future attestation; and
  • Considering the need for an attestation process, supported through technology and rotational testing and ensuring the Internal Audit functions are set up to support and deliver on the requirements of the Audit and Assurance policy.
Technology Implementing technology (e.g. GRC solutions) to support the operation of controls and how assurance is gained will be critical. Increasingly, the implementation of technology should support assurance activity by identifying, analysing and visualising data to identify outliers and understand root causes.

Internal Audit should play a role in selecting targeted investment to address areas of persistent challenge and provide assurance over the efficacy of longer term technology implementation projects.
Programme assurance Planning and implementing these changes is likely to require significant effort from businesses not already listed in the US. Internal Audit functions should therefore view project plans to deliver compliance, review project effectiveness and provide recommendations for continual improvement throughout the implementation journey.


Key contacts: Hugo Sharp and Michael Maullin

Did you find this useful?