Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

1.1. Financial Crime and Sanctions

Why is it important?

Financial crime continues to be an area of regulatory focus. In previous years, insight papers have highlighted how regulated firms still struggle with key areas of the risk-based approach such as governance, customer risk assessment, customer due diligence, and monitoring. Recent Financial Conduct Authority (FCA) publications have placed a specific onus on regulated firms to address failures proactively and be able to demonstrate how they have successfully implemented change. This year’s FCA Business Plan suggests that the FCA intends to be a more assertive regulator, promising to use its enforcement and intervention powers more proactively, continuing on the path started in 2021 with the criminal prosecution of a large bank for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) failings.

The conflict in Ukraine has placed a renewed emphasis on Sanctions compliance. Firms now face a sharp increase in the number of Specially Designated Nationals and Blocked Persons, compounded by new penalties applied for breaches. The FCA has also confirmed that it expects the rise in fraud incidences observed during the COVID-19 pandemic to abate slowly, as tools put in place to control its spread begin to take effect.

What’s new?

  • Key areas of the risk-based approach to AML / CTF, long identified as being weak, are still found to require improvement, particularly among smaller firms.
  • The FCA’s continued monitoring of the application of UK AML / CTF regulations has resulted in two ‘Dear CEO’ letters, addressed to operators within the retail banking and trade finance businesses: The first highlighted ongoing weaknesses in governance and oversight, enterprise-wide risk assessments (EWRA), customer risk assessments (CRA), customer and enhanced due diligence (CDD / EDD), and transaction monitoring (TM). The second letter highlighted issues with EWRAs, as well as counterparty analysis, and transaction approval and payments.
  • More recently (April 2022), the FCA has published an AML / CTF review of UK Challenger Banks, who are typically more reliant on smarter technology and IT systems for client onboarding and risk management. This report highlighted findings around CRA, CDD / EDD, Suspicious Activity Report (SAR) submissions and TM alert management. The report also identified issues with the appropriate implementation of financial crime change programmes and Challenger Banks failing to notify the FCA about any control failures as required under a Principle 11 notification.
  • Since March 2022, the US, UK, and the EU, have expanded Sanctions on an unprecedented scale and scope as a result of the Russian invasion of Ukraine. These measures have had a significant impact on companies’ Sanctions risk management frameworks, compounded by the introduction of a ‘strict liability civil offence’ for Sanctions breaches under the Economic Crime Act 2022. Under these rules, there are significant fines for non-compliance and the possibility of companies being ‘named and shamed’ even when no penalty is imposed.
  • The FCA’s 2022/23 Business Plan has highlighted that financial crime reduction will be achieved through an increase in authorisation rejections on the basis of non-compliance with Money Laundering Regulations (MLRs) or for financial crime reasons. This forms part of a wider focus on reducing the impact of fraud on society, which the FCA will achieve through improved supervision and proactive assessments of firms’ anti-fraud systems and controls.
  • The FCA has also flagged that its efforts into supervising crypto assets firms’ compliance with the MLRs will be ongoing, and sanctions imposed swiftly, where firms are found to be posing harm to consumers or market integrity.

What should Internal Audit be doing?

Area of Focus

Financial Crime Frameworks

Internal Audit should continue to focus on reviewing the keystone features of financial crime frameworks (EWRA, CRA, CDD / EDD, screening, and TM) in order to ensure they are designed to maximise firms’ management of financial crime risk while not interfering with important themes such as financial inclusion.
Sanctions Risk Management

Internal Audit should place particular focus on how CRA and EDD have been adapted to the current heightened risk of Sanctions evasion, particularly where beneficial ownership is less transparent and higher risk jurisdictions are involved in the ownership chain.

Customer screening should also be taken into careful consideration as a fundamental tool supporting CDD and ongoing due diligence (ODD).

Fraud Risk Management

Internal Audit should place renewed emphasis on the ability to manage fraud risk effectively.

This should comprise establishing whether firms assess their exposure to fraud risk and respond appropriately by designing and enhancing their fraud risk control environment.

Implementation of Financial Crime Programmes

Internal Audit should assess whether financial crime change programmes are tracked to completion while benefitting from ongoing senior stakeholder information and challenge. Specifically, firms should have clear project plans outlining milestones, accountabilities and delivery dates. Senior management should also be tracking projects and ensuring that key deadlines are being met. The Risk Committee, the Audit Committee and the Chief Executive Officer should be involved in order to ensure appropriate governance and challenge.

Challenger Banks and Crypto Asset Providers

Internal Audit should continue to challenge the maturing financial crime compliance framework against MLRs and industry guidance to ensure that these firms are proactive in improving adherence to regulations while their business grows and evolves.

Where the firm offers crypto assets, Internal Audit should understand how the business achieves compliance with the FCA’s guidance on crypto currency.

Key contacts: Katie Jackson, Zeynep Ersoz and Francesco Trifilo

1.2. Fraud Risk Management Framework

Why is it important?

According to the Association of Certified Fraud Examiners’ (ACFE) 2022 report on occupational fraud, remote working was the factor most commonly cited as a significant contributor to fraud. Another emerging cause of fraud risk in 2022 has been the conflict in Ukraine, which has exacerbated already fragile supply chains and rising commodity costs, including crude oil, metals and grain, contributing to historic levels of inflation and rapidly rising interest rates. The strain on organisations leaves them susceptible not only to internal management fraud but also to external threats, including via cyber attacks. As fraud prevalence continues to remain on the public agenda, regulatory initiatives have been introduced, aiming to help auditors and organisations tackle the threat and restore confidence in the markets. For regulated financial firms, this includes the Financial Conduct Authority’s (FCA) three-year Business Plan, which has set out a commitment to “reduce and prevent serious harm” as a result of fraud.

What’s new?

  • Russia and Ukraine Conflict: For those organisations with direct exposure to Russia, exiting a formerly important market to comply with Sanctions may lead to substantial losses. Geopolitical uncertainty has also been a driver in the stock market sell-off that has resulted in significant recent falls in some indices. In trying to smooth over the adverse impact of Sanctions or appease shareholder expectations, firms might be incentivised to “improve” results, thereby creating the risk of financial statement fraud.
  • Cost of Living: High energy and commodity costs have added to the ongoing supply chain crisis, a convergence that has contributed to increasing levels of inflation. Reduced consumer spending will result in many businesses experiencing cash shortfalls. Inflation also diminishes corporate profits as the value of money decreases. Such factors heighten the risk of fraud through the fabrication of revenues, questionable forecasting, as well as insider fraud by employees whose salaries will not match the high inflation and increasing living costs.
  • ISA 240 Revision: Effective December 2021, the Financial Reporting Council (FRC) issued its revised ISA 240. The updated standard seeks to clarify the external auditor’s role and objectives in identifying fraud with a focus on enhanced professional skepticism. Enhancements include more detail regarding the identification and assessment of risk, while also addressing the inherent challenges audits face particularly where management are colluding in fraud. An example includes the need for whistleblowing policies to enable employees to disclose concerns about actual or suspected fraud.
  • FCA Business Plan 2022/2023: The FCA published in April 2022 its three-year strategy for 2022-2025, setting out the outcomes for consumers and markets in the UK. Positioning its strategy on three themes or focus areas, one of its commitments is on “reducing and preventing serious harm”. Amongst the outcomes it wants to achieve is slowing the growth in investment fraud and Authorised Push Payment (APP) fraud cases. It will also deal with problem firms unable to meet its minimum standards, for instance, those with weak controls that are particularly vulnerable to fraudsters.
  • Online Safety Bill: Included in the wide-ranging bill are proposals to tackle scams on user-generated platforms such as social media and search engine companies. Example content includes romance scams, fake stock market tips and other fraudulent advertising. Regulatory oversight from Ofcom will include ensuring businesses have systems in place to prevent scams and that financial promotions are only made by FCA authorised firms.

What should Internal Audit be doing?

Area of Focus

Consider the Risk Assessment

The fast-changing economic outlook demonstrates the importance of a dynamic fraud risk assessment. What might have constituted a reasonable risk assessment six months ago may no longer be suitable as new risks arise. Internal Audit should consider challenging management on changes to the firm’s risk appetite vis-à-vis the present outlook. By extension, they should seek to understand and quantify what the key gaps and vulnerabilities are given the emerging new risks, such as those resulting from the conflict in Ukraine and rising inflation.
Assess the Design of the Framework

Internal Audit should also consider the robustness of the existing fraud risk framework. An optimal framework should not only take into account the risk assessment, but should also incorporate the governance upon which the organisational tone and culture are set. Its design should reconcile identified risks with effective controls to help with the detection and prevention of fraud. That latter undertaking may not always be fully understood in-house, for example, where highly sophisticated cyber attacks emanating from state-sponsored actors are able to overwhelm internal capabilities. As such, input from a team specialising in fraud risk should be considered. The framework should also include timely resolution of fraud instances and, lastly, have a ‘refresh’ aspect to make it sustainable, especially given the speed at which recent crises have unfolded.

Changing Nature of the Regulatory Landscape

Increased regulatory scrutiny is evidenced by the examples in the ‘What’s new?’ section above. With the Audit Reform bill on the horizon, the government has now issued its response to the Business, Energy & Industrial Strategy (BEIS) White Paper consultation. Notable changes include the widening of Public Interest Entities (PIEs) and the requirement for a Directors’ statement on the effectiveness of internal controls and the basis for that assessment. Other potential legislation includes the Online Safety Bill and a corporate criminal liability law. This evolving regulatory landscape will have implications for both organisations and auditors. For Internal Audit, collaboration and interaction with key stakeholders, including Regulators, as well as coordination with other risk, control and compliance functions, will allow for a proactive understanding of the fraud risk threat environment in line with regulatory expectations.

Key contacts: Mark Cankett, Fraser Beveridge and Christos Doumas

1.3. Payments Sector Regulatory Developments

Why is it important?

Significant technology, regulatory and infrastructure developments are driving major change, growth and innovation in payments. There is significant regulatory focus across a variety of areas for both incumbents and new providers, where there is significant potential to expand into new markets (for example, payments are being increasingly intermediated by BigTech and other non-traditional parties). Fees are also being reduced through regulation and competition, and banks’ historic data advantages are being diminished by Open Banking and the Payment Services Directive 2 (PSD2), with this set to increase with the future introduction of Open Finance. At the same time, the payments industry is growing at a significant rate, and interoperability is increasing through the use of common standards, which are also delivering richer data. There are also fundamental infrastructure changes occurring, requiring structural changes to the payment ecosystem and changes to the payment plumbing and data flows for ecosystem participants.

What’s new?

  • ISO20022: The ISO20022 messaging standard is replacing the existing SWIFT messaging standard and from November 2022 SWIFT messages will start to be replaced for cross-border payment and reporting messages.

    In the UK, this is also impacting CHAPS payments, where the Bank of England is moving to a new Real Time Gross Settlement (RTGS) system utilising ISO20022. Direct participants in CHAPS have been required to start sending messages in the new format from June 2022 and use the full enhanced message set from February 2023. The Bank of England is continually assessing CHAPS participants’ readiness for these key dates.

    There will be further impacts for other payment types through the future introduction of the New Payments Architecture (NPA). Other non-UK high value payment schemes will also be migrating and will have their own deadlines for this, e.g. November 2022 for TARGET2 (the RTGS system owned and operated by the Eurosystem) and Euro high value payments. Indirect participants will also be impacted and will need to discuss with their provider as to what steps they must take.
  • Strong Customer Authentication / Transaction Risk Analysis: Mandatory annual audit requirements persist around Strong Customer Authentication (SCA), which went live in the UK from March 2022, bringing e-commerce transactions into scope. All Banks and payment service providers (PSPs) should be utilising SCA for payment transactions. In addition, an increasing number of banks are now adopting Transaction Risk Analysis (TRA), which requires fraud rates to be below a certain level for a bank to apply an exemption from SCA. SCA requirements apply across any channel offering access to ‘payment accounts’ (including cards) across any customer segment (i.e. Retail, Business, Corporate, Private Banking etc.).

    The scope of the audit requirement extends across all electronic customer channels, such as internet banking, mobile apps, firm provided software, enterprise software integrations, other software integrations embedded through Application Programming Interfaces (APIs) or other interfaces, and ‘Open Banking’ channels.

What should Internal Audit be doing?

Area of Focus

ISO 20022

Internal Audit should perform a detailed review of ISO 20022 programme activities to ensure that regulatory deadlines will be met and how changes to adopt the new messaging standard are being implemented and tested. Additional investigation may also be performed to determine how enriched messaging data may provide key benefits and how these are realised.

ISO 20022 migration is inherently complex and poses significant challenges for impacted firms. In particular, Internal Audit should understand the controls in place around the following areas:
  • Appropriate training is in place for the new messaging standard.
  • Upgraded messaging appropriately interfaces to the new standard.
  • Robust and detailed testing of in-flow translations, including the receipt of multi-format messages, takes place.
The impact on banks will be significant across business operations and technology stacks, which will require careful and comprehensive consideration, with significant pressure being placed on technical resources.

SCA / TRA

Both SCA and TRA must be audited annually by operationally independent internal or external auditors. The audit should include an evaluation and report on the compliance of the firm’s security measures with the Regulatory Technical Standard (RTS) requirements, and the report must be made available upon request by the Financial Conduct Authority (FCA).

For the first year when TRA is adopted, and every three years thereafter, the audit must be performed by an independent external auditor (i.e. Internal Audit can only perform this work in intervening years).

Key contacts: Steven Bailey and Sarn Saundh

1.4. Cryptocurrency / Digital Assets

Why is it important?

The market capitalisation of digital assets has seen substantial growth in recent years and, even after the recent tumultuous period, it is still highly valued at $993bn*. This market continues to show potential to increase further and reshape activity currently taking place in the traditional financial services sector to meet an array of business and consumer needs. Activity to adopt the widespread use of Cryptocurrency and Digital Assets continues at pace, for example: Security tokens present a $17bn* market capitalisation, Stablecoins are valued at $153bn*, Decentralised Finance (DeFi) is valued at $53bn*, and 17 Central Bank Digital Currencies (CBDC) have been launched as pilots. The digital assets ecosystem is also in a state of major evolution, with further institutional interest from major banks and asset managers and several new businesses entering the UK market with Electronic Money Institution (EMI) and Authorised Payment Institution (API) applications to the Financial Conduct Authority (FCA). The issuance of CBDCs and Stablecoins is on the agenda of all major Central Banks, including the Bank of England (BoE). As regulations evolve and further licensing requirements come into force, firms will need to assess their business models and strategy to align with their local regulatory perimeter requirements.

* Data obtained from CoinMarketCap. These values are subject to change on a daily basis.

What’s new?

Regulatory Framework Developments:

  • Markets in Crypto-Assets (MiCA) is a new framework under development by the EU that aims to regulate crypto assets and service providers to enhance financial stability around these products. It is expected that the UK will develop a similar framework going forward. To date the BoE and FCA have issued guidance around digital assets use and several warnings around their volatility.
  • Due to the nature of the assets (anonymity), Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) compliance controls are critical, and UK businesses must comply with them. Most countries have a registry with which entities participating in crypto activities must apply or register. Part of the challenge within the EU is that each Member State has a different system, thereby making passporting rights inaccessible for businesses. It is anticipated that MiCA will help solve this.
  • To further safeguard consumers, several changes are expected in the regulation of Financial Promotions for UK businesses and how these products can be marketed.

Cryptocurrency / Digital Assets Adoption:

  • The UK has announced that it wants to be the Technological Hub for Digital Assets (April 2022) and has stated its intention to regulate Stablecoins. It is also acknowledged that the framework would have to account for the risk that some Stablecoins pose. As such, HMRC has suggested amending the ‘FMI SAR’ to deal with failed Stablecoins (the FMI SAR gives the BoE powers to oversee and direct the actions of a payment firm to ensure that its services continue in the event of a failure).
  • Two US Senators have issued a bill to establish a crypto regulatory framework, setting out that the Commodity Futures Trading Commission (CFTC) would play a primary role in regulating products.

Prudential Regulation Authority (PRA) Dear CEO Letter (March 2022):

  • The letter sets out the PRA’s expectations that Banks and designated Investment firms consider the full prudential frameworks when assessing Digital Assets, along with Pillar 1 and Pillar 2 guidance.
  • The PRA proposes that firms should apply a punitive treatment to Digital Assets under the Pillar 1 framework. These firms also need to include their assessment of how crypto risks affect prudential risk categories in their Internal Capital Adequacy Assessment Process (ICAAP).
  • The letter provides a degree of short to medium term regulatory clarity for firms building a Digital Assets Strategy in advance of the finalised Basel Committee Crypto Prudential Framework.

What should Internal Audit be doing?

Area of Focus

Existing Regulation

Given the pace of UK Treasury and BoE consultations around potential upcoming regulation in the Digital Assets sector it will be key for Internal Audit to:
  • Assess processes in place to meet AML and CFT regulations across relevant jurisdictions.
  • Assess processes in place to meet compliance expectations around Business Continuity Plans and Operational Resilience. These areas, whilst not specific to Digital Assets, are core components of demonstrating compliance with AML / CFT requirements.
  • Assess processes in place around regulatory reporting requirements that should capture Digital Assets activity / transactions. For example, Tokenised Bonds that are transacted under Distributed Ledger Technology (DLT) should be included in traditional reporting mechanisms under MiFID to the PRA. For more specific assets such as E-money Tokens, the Electronic Money Regulations (EMR) in the UK would apply, with Safeguarding Reports required to be submitted to the FCA.

Emerging Regulation

Internal Audit should:
  • Assess processes in place over regulatory horizon scanning to identify emerging requirements and good practice across relevant jurisdictions, e.g. capital and liquidity requirements and MiCA.
  • Assess processes in place to ensure Financial Promotions are fair and not misleading.
  • Assess processes in place to implement changes to regulation (or those driven by good practice requirements to manage risk) into existing policies in a controlled and timely manner.

New Products and Services

As firms consider new products and services relating to Digital Assets, Internal Audit will have a key role to play in providing assurance that the business maintains a robust Risk Management Framework (which includes assessment of financial risk, AML / CFT and new technology risks) that anticipates and appropriately evaluates new risks posed by Digital Assets products.

Internal Audit should review and challenge the New Product Approval process, including asset class valuation processes and controls, to help ensure the business complies with relevant regulatory requirements.

Internal Audit should also challenge, assess and report on how well management and those charged with governance understand and monitor the risks they face within their current crypto product set in this volatile and evolving environment.

Key contacts: Nikhil Kulkarni and Sarn Saundh

1.5. MIFID II - Transaction Reporting

Why is it important?

Transaction reporting underpins the ability of national competent authorities (e.g., the Financial Conduct Authority (FCA)) to investigate potential instances of market abuse and thus it continues to be important that firms can comply with the obligation to provide transaction reports that are complete, accurate and timely. Firms should regularly reconcile the reports provided to their competent authority with the data in their books and records, along with the data reported to and by their Approved Reporting Mechanism (ARM) to ensure that reporting is complete and accurate. The potential financial and reputational impact on a firm for failings in its transaction reporting could be damaging, with two recent fines in early 2022 amounting to more than £34m and £27m, respectively.

What’s new?

  • The Markets in Financial Instruments Regulation (MiFIR) has now been in effect since 2018 and resulted in significant changes to transaction reporting, including expanding the volume of in-scope instruments as well as the number of data fields, to the extent that some firms are still finding it challenging over four years later.
  • The European Securities and Markets Authority (ESMA) issued a statement outlining some planned changes to its validation rules in Q2 2022, and although the FCA is not planning to follow suit, there is the possibility that this may change in the future. The FCA regularly provides updates on issues related to transaction reporting via its Market Watch publications, which provide additional information on its concerns in this space and highlight areas on which firms should focus.

What should Internal Audit be doing?

Area of Focus

Governance and Control Framework

Reperformance, the use of audit technology and a risk-based approach are essential for Internal Audit to be effective in challenging management’s processes and controls. Specifically, Internal Audit should:
  • Assess the design, implementation and operation of front office transaction reporting controls, including eligibility criteria, validations, exception management, reconciliations, issue management and risk assessment processes.
  • Establish how the Second Line functions have designed and implemented appropriate assessments of the First Line control suite.
  • Review the Compliance Monitoring Plan to validate whether it incorporates regular transaction reporting testing.
  • Evaluate the level of management information in place, how often it is generated, and to which senior Managers and Committees it is provided.
  • Review whether the end-to-end trade and transaction reporting process is delineated into key functions and business lines and is documented and actively maintained.

Data Governance

  • Evaluate whether the firm has identified and documented all relevant data sources feeding into the generation of transaction reports, including data formats.
  • Ensure all external data sources are documented and that controls exist to ensure timely resumption of reporting when data issues arise.
  • Assess whether individuals are clearly identified as responsible for the maintenance of data (e.g., counterparty information, instrument, trader’s details, algorithms, etc.), including timely resolution of errors and remediation of identified issues.

Reconciliation

  • Ensure that a process exists for the regular reconciliation between the firm’s trading records and the reports made to the FCA (via the ARM).
  • Examine the most recent reconciliations to understand the operational effectiveness of the process, the remediation of any identified issues, and any communications with the Regulator regarding said issues.

Key contact: Andrew Broughton

1.6. UK Solvency II Reform

Why is it important?

The UK Government published its highly anticipated consultation on its Review of Solvency II during April 2022. The proposals form part of wider changes proposed by the Government to the UK’s financial services regulatory framework, and broadly aim to achieve two key objectives – 1. free up Insurers’ capital to enable investment in green infrastructure and projects and 2. maintain the UK’s competitiveness by going “further and faster to capitalise on the UK’s Brexit freedoms and level up the country”. The Prudential Regulation Authority (PRA) has also published its own discussion paper (DP2/22 – Potential Reforms to Risk Margin (RM) and Matching Adjustment (MA) within Solvency II) complementing the Government’s proposal. The PRA is seeking the industry’s views around the reform options for RM and in particular, the calibration of the fundamental spread (FS) within the MA. The Government’s proposed reforms aim to unlock significant investment by Insurers into UK infrastructure, venture capital and growth equity, and other long-term productive assets, as well as investment consistent with the Government’s climate change objectives. This is one of the ways the Government is capitalising on its post-Brexit freedom, ensuring that UK regulations are tailored to the needs of the UK economy, rather than the needs of 28 countries across the European Union (EU).

What’s new?

The consultation sets out detail on the proposed reforms, including:

  • A substantial reduction in the RM of around 60-70 percent for long-term Life Insurers based on a cost of capital approach;
  • A reassessment of the FS used in the calculation of the MA;
  • An additional Credit Risk Premium (CRP) to the FS to capture the uncertainty around the expected loss within FS;
  • More flexibility to MA eligibility rules for both the asset universe and the liabilities to which an MA can be applied;
  • A reduction in the EU-derived regulations which make up the current reporting and administrative burden; and
  • The combined impact of the RM and FS reforms has been estimated by the PRA to result in a release of up to 10-15 percent of the capital currently held by Life Insurers.

The PRA’s Discussion Paper (DP) outlines its assessment of the proposed reforms for RM and the MA and discusses the potential combinations of reforms to the FS and RM in line with statutory objectives. Both the PRA’s DP and the UK Government’s consultation closed for responses on 21 July 2022. While the consultation and DP continue to remain largely silent on the impact of these changes on the Solvency CR to materially change as a result of the FS changes. The PRA has launched a Data Collection Exercise to further explore this. The PRA also hints that a move to a new calculation mechanism may be phased in over a period of time giving firms and the PRA more time to reflect any required changes within the Internal Model.

With such large RM reductions on the horizon, Life Insurers should consider re-evaluating their approach to:

  • Product strategy and pricing – certain products may now be more economically viable to write (particularly in conjunction with proposed changes to MA liability eligibility), enabling more favourable pricing for policyholders;
  • Deploying the capital released from the RM reductions – the Government is keen that this is used to support further investment in long-term assets and growth in the insurance market, rather than increasing dividends;
  • Hedging – driven by the change in the sensitivity of the RM and consequentially the balance sheet to movements in interest rates;
  • Reinsurance strategies and risk appetite – demand for longevity risk transfer could reduce or there could be a shift in reinsurance strategies towards the greater use of fully funded reinsurance; and
  • Risk mitigation to maintain policyholder protection – there is a need for firms to employ appropriate risk mitigation techniques. This is in line with current practice where firms are required to conform to the Prudent Person Principle (PPP).

What should Internal Audit be doing?

Area of Focus

Changing Regulatory Landscape
Internal Audit’s position within the organisation is uniquely suited to assessing the impact of the anticipated reforms to Solvency II by reviewing management’s response to them.

Process and Control Re-designs
Internal Audit, with its broad perspective on risk and its extensive understanding of the existing processes and controls supporting Solvency II requirements, is well positioned to review and assess the new processes and / or controls re-designed by management in support of the Solvency II reforms and to advise on appropriate paths forward.

Board Investment Strategy
Internal Audit should review the Board’s investment strategy to assess whether it aligns with the Government’s objectives and regulatory expectations, and assess management’s actionable plans against the Board’s strategy.

Policies and procedures
Internal Audit should assess whether existing policies and procedures supporting the calculation of the FS, RM, MA, CRP and SCR have been updated to reflect the proposed changes as approved by management.

Business Impact
Internal Audit should review and evaluate management’s response to the large RM reductions, including but not limited to:
  • Product strategy and pricing.
  • Hedging.
  • Reinsurance strategies and risk appetite.
  • Risk mitigation activities to ensure policyholder protection.

Key contacts: Brandon Choong and Manan Shah

1.7. Operational Resilience

Why is it important?

The recently published Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) Business Plans for 2022/23 demonstrate that Operational Resilience remains a top UK supervisory priority. By 31 March 2022 firms were expected to identify and map their Important Business Services, set Impact Tolerances, commence scenario stress testing programmes to identify vulnerabilities, produce ‘Self-Assessments’, and ensure appropriate governance arrangements are in place. Whilst the past 12 months have been very demanding, the resilience journey is only just beginning. The three-year ‘transition period’ for the policy runs until 31 March 2025, and the actions that firms take in that time will be critical to their success. Their focus must now shift to addressing the initial operational vulnerabilities identified, expanding the depth and breadth of mapping and testing to detect and address additional vulnerabilities, and embedding Operational Resilience into the whole operating model to withstand severe but plausible disruptions.

What’s new?

The first key regulatory deadline passed on 31 March 2022, but Operational Resilience should remain a key priority and an area of focus for Internal Audit. Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, that vulnerabilities have been identified, and that remediation activities are under way so that Important Business Services can be shown to operate within their impact tolerances by no later than 31 March 2025.

Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key focus and challenge for Boards and senior management over the next three years:

  • Scenario Stress Testing: Testing is likely to be the key area of Operational Resilience policy expectations which continue to evolve throughout the period up to 31 March 2025, as firms gain experience in the stress testing necessary, and the Regulators assess and feedback on the approaches being followed.
  • Third Party Risk Management: Third party dependencies pose a significant threat to a firm’s operational resilience. Visibility, oversight and assurance are imperative to adequately understand and manage the risks posed by third party and outsourced arrangements (including technology giants and those responsible for providing IT services). Boards and senior management cannot outsource their ultimate accountability and responsibility for their Operational Resilience, and therefore need to gain assurance over the risks posed by the web of third and fourth parties in the service chain, especially where the service provided is critical to the delivery of a firm’s Important Business Service.
  • Transition to Business As Usual (BAU): As firms look to build longevity into their Operational Resilience framework and cross-cutting capabilities, embedding Operational Resilience across the organisation will turn meeting the 2025 policy requirements and expectations into sustainable BAU activity.

Where smaller businesses are not currently required to comply with Operational Resilience-related regulatory requirements, some are nonetheless challenging themselves on how Operational Resilience is achieved through the controls already in place, making proportionate enhancements to identify important business services and map them to the resources that support them, e.g. technology, data, people, processes, suppliers and facilities.

What should Internal Audit be doing?

It is expected that Internal Audit will already have identified Operational Resilience as important, given the continued focus on this topic by businesses and the Regulators. As a result, Internal Audit should have either scheduled or delivered a review of the progress made to assess and respond to the final policy statements. The majority of Internal Audit functions we engage with across the Financial Services sector have already performed a number of reviews on the topic. With the current direction of travel, even internal audit functions at organisations that are currently out of scope for the regulations should be considering and challenging management on whether the operational advantages of proportionate compliance with the regulation warrant attention. There is a need to now move from programme readiness reviews to broader engagement with the business, including progress against management’s remediation of vulnerabilities, further embedding of the framework and continued development of scenario stress testing. The key areas of focus for Internal Audit functions moving forward should be:

  • Providing robust challenge on the inputs and outcomes of scenario testing, challenging the approach undertaken to ensure that it is sufficiently detailed and enables identification of vulnerabilities for remediation.
  • Challenging the approach to third party risk management (TPRM), alignment with the outcomes of the PRA’s Supervisory Statement SS2/21 on ‘Outsourcing and TPRM’ and consideration of current key areas of TPRM such as engagement with Cloud service providers and the linkage to Operational Resilience e.g. the sophistication of mapping to enable delivery of Important Business Services.
  • Assessing management’s ability to monitor and report on the performance of Important Business Services and on their ability to remain within Impact Tolerance limits, including the firm’s understanding of the remedial actions required and the plans in place to complete them over the transitional period ending 31 March 2025.
  • Monitoring the embedding and ownership of the Operational Resilience requirements within the First Line of the business (i.e. has a resiliency culture been achieved), as well as the links from a process and technology perspective to existing related disciplines (change management, disaster recovery, business continuity planning, and risk management).

Key contacts: Daniel McCatty and Mark Westbrook

1.8. Artificial Intelligence – Control Frameworks

Why is it important?

Artificial Intelligence (AI) is becoming increasingly common in business processes throughout the Financial Services (FS) sector. FS firms deploy AI across multiple service lines and are now harnessing its power in areas such as compliance, fraud detection, resume screening, credit scoring, product pricing and product recommendations, to name a few. Despite its growing use, we have seen that senior management is often unaware of exactly where and how AI is used in their organisation, and of the nature and extent of the risks it introduces. Moreover, Regulators are becoming increasingly active in their efforts to protect consumers from algorithmic harms such as bias that leads to discriminatory or unfair outcomes, outputs that mislead consumers or distort competition, and the collection of personal data that infringes on privacy rights. Thus, the growing use of AI systems in the FS sector requires an increased awareness of the risks inherent in those systems and an improved ability to manage those risks. This requires formalising an AI risk management framework and ensuring that teams in the Second and Third Lines of Defence have the required skills, knowledge and experience to independently assess and provide assurance over the effectiveness of the AI control framework.

What’s new?

  • The UK Government published its ten-year strategy on AI during September 2021. The strategy has three main pillars:
    1. Investing in and planning for the long-term needs of the UK’s AI ecosystem.
    2. Supporting diffusion of AI throughout the UK economy.
    3. Ensuring that the UK adopts an appropriate approach to the regulatory and governance framework for AI.
  • On 8 December 2021, the Centre for Data Ethics and Innovation (CDEI) published its roadmap to an effective AI assurance ecosystem, outlining its vision for AI assurance. The CDEI will publish an AI assurance guide to accompany the roadmap, focusing in more detail on the delivery of AI assurance and supporting practitioners using or providing AI assurance services. The CDEI will also partner with professional bodies and Regulators to set out requirements for AI systems and establish an AI Standards Hub, focused on global digital technical standards.
  • The development of AI assurance is further supported by the Information Commissioner’s Office (ICO). The ICO is developing an AI Auditing Framework (AIAF) which is intended to help AI assurance practitioners with tools and procedures for their assurance work. They are also planning to issue guidance on AI and data protection to assist organisations with their understanding of AI.
  • The ICO, the Financial Conduct Authority (FCA), the Competition and Markets Authority (CMA) and the Office of Communications (Ofcom) have joined forces in the Digital Regulation Cooperation Forum (DRCF) to address concerns about a lack of consistency and the overlapping nature of regulatory mandates, to promote dialogue on the types and sources of algorithmic harms, to provide policy recommendations for AI systems auditing and assurance, and to coordinate the supervision of AI systems.
  • In October 2020, the Bank of England and the FCA launched the AI Public Private Forum (AIPPF) to facilitate dialogue between the public and private sectors to understand better the use and impact of AI in FS and on 17 February 2022, the AIPPF’s final report was published, focusing on the role of data, model risk and governance in the adoption and use of AI in FS.

What should Internal Audit be doing?

Area of Focus

Awareness of Regulatory Obligations
The regulatory environment related to AI is rapidly evolving, and Regulators and industry bodies are still in the process of developing audit and assurance guidelines for AI systems. Therefore, Internal Audit should:
  • Develop a detailed understanding of the current and proposed regulations that impact the use of AI and the relevant audit and assurance guidelines.
  • Ensure that Internal Audit staff have the necessary skills, knowledge and experience to understand the requirements of a robust AI risk management framework.
  • Ensure that the Internal Audit function is sufficiently resourced to oversee the growing number of AI systems in use and to ensure compliance with relevant regulatory requirements.

Governance and Control Frameworks
Firms should re-assess their AI control frameworks to ensure that they are appropriate for the governance of a highly complex and rapidly evolving technology. Internal Audit should:
  • Verify that assessments of the regulatory environment are conducted for each AI system in each jurisdiction in which the firm operates.
  • Verify that comprehensive risk assessments are performed for all AI systems.
  • Assess whether the governance structure and the policies and procedures in place for the development, testing, change management and approval of AI systems are appropriate.
  • Verify that periodic AI model re-validations are performed.
  • Assess whether adequate control measures are in place to mitigate all AI-related risks, including those related to data, inputs / outputs and system security controls.
  • Verify that appropriate performance monitoring measures are in place.

Flexible Approach
The planned audit scope should be re-assessed each year to allow for evolving technology and changing regulatory requirements. A risk-based approach, which takes into account the purpose and the level of complexity of each system, can be used to assess the different AI systems in use across the firm.

Key contacts: Roger Smith and Barry Liddy