As financial services firms look ahead to 2024, assurance teams are finalising their internal audit plans. Vivian Lagan explains key areas for inclusion and considers the scope of each review.
Financial services firms are currently in the process of finalising their 2024 audit plans – but it can be tricky to work out what to include and why. While many firms will be reviewing comparable areas, your internal audit plan will ultimately depend on your unique business model and current risk profile. There are also some staple topics to consider, which reflect ongoing challenges and concerns for firms across the sector.
Our quarterly internal audit hot topics will give you a thematic view across new and emerging risks on the regulatory horizon that's applicable across financial services. This will help you structure conversations and help define your own internal audit plans.
In January, the PRA published a Dear CEO letter to deposit-takers highlighting the importance of credit risk during this period of economic uncertainty. So far, these risks haven’t crystallised significantly (as per the Bank of England’s Financial Stability Report from July), but it’s a key area to watch out for and you need to monitor your credit risk closely. You also need to think about IFRS 9 compliance, and Basel 3.1 implementation – specifically the standardised and internal ratings-based approaches to credit risk.
Economic factors such as inflation, the cost of living crisis, interest rates, and energy costs are all increasing your credit risk profile. To mitigate the risks, you can review your credit risk management framework to make sure it remains fit for purpose, and check your credit portfolio to identify any non-performing assets and assess asset quality. This includes examining watchlist criteria and triggers, staging of assets, recovery rate assessments, limit setting and monitoring, covenant monitoring, collateral valuations, provision levels and changes.
The regulators will expect assurance over traditionally high-risk areas, and may want further data on retail credit card portfolios or unsecured personal loans. Reviewing your early warning indicator framework can support early intervention, and it’s important to consider early outreach options for customers and review your lending criteria to reduce further credit risk moving forward.
Model risk expectations have changed over the last few years, and the bar is now higher than ever. This includes new requirements from the PRA under SS1/23, updated disclosure guidelines for credit loss under IFRS 9, and inclusion in the Basel Committee for Banking Supervision’s work programme and strategic priorities for 2023/24.
The PRA has stressed that model risk is a material risk to banks and needs appropriate oversight. Internal audit needs to think about how to ensure robust assurance over model risk, to support its organisation’s efforts to strengthen model risk-management practices. This isn’t an easy balancing act, and it’s important to consider resource challenges and to evaluate the level of rigour applied to the implementation of SS1/23 requirements. You’ll also need to think about:
Managing climate risk remains an ongoing challenge in the financial sector, with a raft of benchmarking and reporting approaches in place. This includes requirements around greenwashing controls, climate risk, ESG programme reviews, and readiness assessments. Key regulatory developments include the PRA’s recent thematic feedback of written auditor reporting and the Taskforce on Nature-related Financial Disclosures (TNFD), which aims to reduce the risk of biodiversity loss.
For your internal audit planning, there are a number of areas to include in your scope. First off, there’s SS3/19 implementation and the follow-up Dear CEO letters, and you’ll need to think about your climate risk governance, risk management, scenario analysis and modelling, counterparty engagement, climate accounting, disclosures and data.
More specifically, you need to think about how each of these areas relates to your wider strategy, risk management framework, risk appetite statement, committee structures, and three lines of defence. You ultimately need to reflect these risks in your internal and external reporting, so it’s essential to think about what qualitative and quantitative data you have available, and how they can feed into TCFD and Pillar 3 disclosures, and wider risk management approaches.
Key areas for review include model risk (including scenario selection, stress-testing, impact on the ICAAP and governance arrangements), and counterparty engagement strategies to manage those timeframes, and close the gaps on data, reporting and decision-making over time. It’s also important to sense check your climate data, including the reliability of carbon emissions reporting, and to independently assess the methodologies used to inform your data inputs.
Internal audit may also want to review any plans for TNFD implementation. While this is currently voluntary, there’s a good chance of it becoming mandatory over time. Early adoption, and drawing on synergies with the TCFD, can support an effective implementation and improve risk management processes.
Operational resilience is an ongoing priority for firms across the financial sector. Focusing on the ability to restore critical services (PS21/3), it also encompasses third-party risk (including SS2/21 compliance), new rules on critical third parties (DP3/22) and alignment with the EU’s Digital Operational Resilience Act (DORA) (which applies to UK firms operating in EU markets).
Internal audit needs to review compliance with the above regulations and offer effective challenge over any potential weaknesses in operational resilience and third-party oversight arrangements. This includes reviewing your operational resilience framework to make sure you continue to refine your important business services, your mapping, impact tolerances, and vulnerabilities. Internal audit also needs to make sure scenario and stress-testing is robust, with lessons learned feeding back into wider business processes. It’s also important to review your DORA implementation programme to ensure it’s on track and fit for purpose.
As an integral component of operational resilience, you also need to monitor your outsourced suppliers and key third-party providers carefully to make sure you have effective oversight and influence along the supply chain. This includes identifying your critical third parties and implementing DP3/22 to reduce systemic risk across the sector, manage concentration risk, and reduce disruption. Firms also need to think about the role of all their third-party relationships, critical or otherwise, to ensure effective governance and clear ownership over these arrangements, accountability for contractual obligations, and performance management. Cyber security is an important consideration in operational resilience, but is covered in greater detail below.
It's also important to note that the traditional shared security model for cloud-based services has now evolved into a Shared Resilience Model. This will affect your broader risk landscape, and you need to review any changes needed to your control framework to make sure this mindset has been fully embedded across your business. When reviewing your current processes, it’s also important to consider engagement and training, governance, supply chain security, incident response and compliance with best practice security frameworks (as a minimum).
Effective cyber security and resilience processes are also integral to operational resilience and financial stability. This was recently highlighted in a speech by Elizabeth Stheeman, of the Bank of England’s Financial Policy Committee, who stated that the direct impacts of a cyber incident could lead to financial losses and liquidity stresses. There could also be contagion across the market, which could lead to indirect impacts. As such, financial services firms need to consider their cyber security controls and audit activity to reduce the potential for operational disruption and to help maintain financial stability across the sector.
When putting together your 2024 internal audit plan, you need to consider your compliance with a range of regulatory approaches and best practice frameworks. This will help you establish effective operational and cyber resilience processes, and actively support financial stability in line with wider market activity.
You also need to think about your cyber governance processes to make sure you are reporting issues promptly, with effective Board engagement and oversight.
Diversity and inclusion are a key concern for regulators, who are keen to create a more level playing field in the workplace and reduce the risk of groupthink. Key regulatory updates include PS22/3 on diversity and inclusion on company boards and executive management, and CP23/20, which outlines steps to unlock talent, improve competition, and reduce risk.
For your 2024 internal audit plan, you can review your current diversity and inclusion frameworks to make sure they meet the FCA’s existing standards and to start implementing CP23/20. This includes assessing how well your diversity and inclusion framework is embedded across the business, and reviewing the metrics you use to monitor, manage, and improve D&I processes. You can support this work by reviewing your remuneration principles in the context of the cost of living crisis and high inflationary environment. Ultimately, you need to make sure these policies don’t inadvertently widen inequality gaps.
It's also important to regularly review your business to assess how key behaviours are defined, articulated, and monitored – and how they can support the wider culture. While hybrid and remote working patterns can broaden the recruitment net to cover a more diverse range of candidates, it’s important to continue monitoring these practices to reduce people risk, maintain the right culture and support employee wellbeing.
The Consumer Duty embodies a significant shift in regulatory expectations. Previously, it was enough to demonstrate fair treatment of customers and avoid poor outcomes – but now you need to proactively demonstrate how you’re ensuring good customer outcomes. To meet the challenge, you need to review your culture to embed outcome-orientated behaviours across the firm. With the regulation now in force for open book products, many firms are struggling to move to business as usual and demonstrate good outcomes for all retail customer groups and all in-scope products and services. Meanwhile, firms with closed book products must work towards the July 2024 deadline for implementing the equivalent infrastructure.
The Consumer Duty is a flagship initiative for the FCA, and it wants the rules to be a catalyst for tangible, significant improvements, not just in firms’ policies, procedures, and management information (MI), but in better outcomes for customers.
So, the key ‘exam question’ is: how effective are the changes you’ve made to demonstrate that you consistently generate good outcomes and good value from your products and services; and to ensure you can intervene meaningfully when this may not be the case?
Internal audit needs to think about supporting and overseeing the business regarding:
Poor regulatory reporting continues to be a key driver of section 166 reviews, and you need to make sure your underlying data and reporting processes are up to scratch. Key returns include COREP, PRA110 and FINREP. Firms also need to make sure the ICAAP/ILAAP is up to date, and accurately reflects capital and liquidity to support recovery and resolution planning.
You need to review your regulatory reporting processes to make sure all returns are accurate, complete, and consistent. For the audit plan you can consider cyclical testing over key processes and controls to check your data quality verifications, reconciliation, and validation practices to support regulatory returns.
As you implement Basel 3.1, it’s important to consider how you will complete enhanced credit risk disclosures under Pillar 3, covering the leverage ratio, binding NSFR, large exposures, and the standardised approach to counterparty credit risk (SA-CCR).
You should also review your ICAAP and ILAAP processes, to make sure they align with your wider recovery and resolution planning. This includes consideration of more recent regulatory approaches, such as OCIR within the Resolvability Assessment Framework (RAF), and key themes including climate risk.
Financial services firms continue to face challenges around capital, liquidity, and loss of investor confidence, with high-profile casualties such as Silicon Valley Bank. As such, we’ve seen new rules on solvent exit, to address concerns around the quality of wind-down plans, and trading activity wind-down plans, to wind down trading activities in an orderly way. These concerns were reflected in a recent Bank of England speech, which highlights the need for proportionate regulation, effective risk measurement, adequate operational resources, and the ability to fail safely throughout recovery and resolution.
While all firms need to think about recovery and resolution planning, systemically and non-systemically important firms have a range of different requirements:
When implementing these regulations, internal audit also needs to think about how these elements interact with the Resolvability Assessment Framework. This includes consistency and alignment across all strands of recovery and resolution regulation, completion of the self-assessment report, and consideration of how the resolution strategy will affect the MREL calculation.
The payments sector is a tricky area in terms of regulatory and technical compliance, and continues to be a key area of focus for internal audit. The Payment Systems Regulator published its five-year strategy in 2022, which aims to boost competition, improve consumer protection, and make payments systems more usable for everyone. This includes ensuring that users are protected against fraud and reimbursed where appropriate.
When considering your 2024 internal audit plan, you should think about the following key areas:
When building your internal audit plan for 2024, you need to consider how the above risks relate to your business and reflect your unique risk profile and risk appetite. While some risks won’t apply, others may feature heavily, and it will be a fine balancing act to include the right range and depth of coverage to meet your business needs.
For more insight and guidance on building your financial services internal audit plan, contact Vivian Lagan.