Banking
• Open Banking
• Data
• Innovation
Insurance
• Product Innovation
• Cyber Risk
• Big Data
Capital markets
• Trading obligation
• MiFID II, EMIR, CSDR, SFTR
Investment management
• MiFID II, PRIIPs
• FCA Asset Management
In addition to topics recognised as key in prior years, 2018 sees the addition of a number of new
planning priorities to consider. ‘Model Risk Management’ has been introduced as a new theme,
reflecting the current focus of regulators on this topic. ‘Customer Vulnerability’ has been added to
the perspective on the treatment of customers, reflecting an ageing customer population.
Rapid developments in robotics, automation, Blockchain and FinTech are pushing all of these into
deployment in firms’ operational models, generating new and evolving risks for internal audit to
address.
Data Analytics
GDPR
FS Internal Audit : 2018 Planning Priorities © 2017 Deloitte LLP 3
Focus on your Conduct and Culture Programme
Culture
Culture in financial services firms remains a priority for the FCA and PRA
Culture drives individual behaviours which in turn affect day-to-day practices in firms and
their interaction with customers and other market participants. Culture is therefore both a
key driver, and potential mitigant, of conduct risk.
• Are the right management decisions taken at the appropriate level with the right stakeholders?
• Is there sufficient evidence to document rationale and circumstances of key decisions being taken?
• Do Senior Managers delegate responsibilities in a transparent and effective manner in line with regulatory responsibilities?
• Are the executive committees’ decisions and responsibilities appropriately delegated within the firm?
• Does the talent agenda attract the right staff from a limited talent pool, train and develop them to address specialist
areas, and include development and succession planning?
• Does the disclosure on implementation of, and compliance with, codes of conduct and ethics increase transparency?
• Is management information (MI) on culture objective, and does it contain evidence-based analysis and recommendations?
At the centre of good governance is an effective board. The PRA has a major interest in
promoting good governance across the financial sector and supporting the work of boards in
delivering it.
• How clear and appropriate are Terms of Reference, roles and responsibilities, and delegated authorities for Boards and
relevant committees?
• Is the governance dynamic and composition effective, including the skills, experience, balance and competence of members
of governance committees and whether they receive adequate training to remain abreast of relevant new laws and
regulations?
• Do governance MI and reporting include evidence of robust challenge, with a clear link to the risk appetite of the firm?
• Are MI and reporting supported by appropriate governance and capabilities, including people, processes and IT systems?
• Is there alignment of financial rewards with corporate values and the provision of fair outcomes?
• Is there appropriate risk competence: the collective risk management competence of an organisation (knowledge, skills,
learning, recruitment, induction and retention)?
• How do governance committees respond to assessments of their effectiveness?
Internal Audit functions are likely to conduct audits with an emphasis on clarity of individual
accountabilities, delegated authorities and legal entity-specific governance arrangements.
• How robust is the approach to on-going identification of Senior Management Functions and Certified Individuals?
• Focus on the high-risk areas, including the framework, processes and underlying documentation for evidencing
“reasonable steps” and handovers between Senior Managers.
• Review the status of the Certification Regime Implementation Programme and the effectiveness of related policies affecting
the employee lifecycle.
• Evaluate the extent to which the Conduct Rules have been embedded into existing conduct, recruitment, appraisal,
training, HR and reward-related processes, and into the process by which breaches are monitored.
The FCA continues its focus on customer vulnerability, noting that vulnerable customers are
more susceptible to harm and generally less able to advance their own interests.
• How has vulnerability been factored into new and existing products? Does there need to be a change in how products are
distributed and managed? Is there a framework to support this?
• How are vulnerable customers identified? How accurate is the vulnerable customer population? Customers identified as
vulnerable may later cease to be; what is the process to review this and move them out of the population where necessary? Do
system capabilities allow for proper identification and record keeping to ensure appropriate management?
• How differently are vulnerable customers treated? Are indications of vulnerability acted upon and a different route taken for
the customer to ensure an appropriate outcome? Does the firm have set processes? Is there an exception route through
governance?
• How is consistency around vulnerability driven? Is there a policy? How is it cascaded, trained and monitored?
Managing Cyber Risk To The Organisation
Address sophistication, but maintain focus on the basics
Cyber risk has been highlighted as a focus area by most regulators in recent years and we
expect greater supervisory scrutiny from the FCA in 2018, as the FCA is increasing its
specialist knowledge in this area and there has been supervisory activity at individual firms.
• Is an appropriate focus being maintained across the full breadth and depth of Cyber and Information Security operational
controls, commensurate to the nature of the information risk exposures and risk profile of the organisation?
Internal audit will need to ensure it has appropriately skilled and experienced cyber internal auditors who can engage
with stakeholders and fully understand the cyber risk challenges the organisation is facing.
Internal audit will also need to enhance its understanding of, and readiness to assure, cyber risks across the new technologies
that will form the technology architecture of the future, such as cloud-based and Agile systems and innovative solutions
enabled by technologies such as Blockchain.
A recent Deloitte survey on Robotic Process Automation (RPA) noted a sharp increase last
year in the number of organisations that have investigated RPA, and a significant number
that have already implemented or piloted RPA.
• Is the organisation’s robotics and automation strategy consistent with other initiatives?
• How can controls be strengthened as processes are automated?
Define and implement a structured approach for auditing robotics and automation in the business.
Strategically consider how automation may impact, or even transform the internal audit function by being used to
establish sophisticated continuous auditing and monitoring techniques or automate operational tasks.
Develop skills to understand and assess the technology infrastructure and associated risks, including quality control and
management of the code and scripts that drive the automation.
Organisations are examining how Blockchain technology can be used to make the settlement
process more efficient and cost effective, with a view to system launches as early as 2018.
The next twelve months will require securing central bank and regulator support;
understanding the regulatory environment; tackling governance, data security, and
operational risk concerns; and improving and testing the technology, particularly in terms of
scalability.
Why is this a planning priority?
• Distributed ledger technology (DLT), or Blockchain, provides transparency and immutable records and allows
autonomous execution of business rules, giving superior automation capabilities.
• For example the focus in insurance is around ownership verification and commercial property and
casualty claims processing.
• The regulatory environment is uncertain. Standards are only just starting to be developed. Formal legal
frameworks don’t exist.
• Updating financial infrastructure through DLT will require significant time and investment.
• How well controlled is the organisation’s involvement in the development of Blockchain, both within the organisation and
through participation in industry groups?
• Is there robust governance around the business case for investment in Blockchain?
Internal audit teams need education in the technology, its disruptive potential and the effect on the business.
Disruptive technologies and their practical business applications are at the forefront of
digitalisation and innovation initiatives and are expected to revolutionise the way the
financial services sector operates, trades and services customers.
• How well does management understand the risks inherent in FinTech initiatives and business models, and challenge them
accordingly?
• Does the approach adopted by the business take into account the interests of customers and market integrity?
Internal audit will need to develop skills and resources aligned to business innovation hubs to ensure it can map the
environment, understand risk profile and provide timely assurance.
Internal audit needs to stay close to industry innovation and regulators’ evolving expectations to be able to
appropriately challenge and support the business where it is seeking to innovate or use ‘disruptive’ technology.
• Is the organisation’s data analytics strategy aligned to long-term strategic goals or to short-term needs? Is there a clearly
defined structure and vision for analytics transformation?
• Is analytics embedded in the organisation’s processes and decision making?
• Is there appropriate governance around the decisions to develop analytics in business processes, and then oversight of
their use in line with regulatory expectations?
Internal audit will need its own approach to using analytics throughout the audit process, from planning to testing to
reporting. Internal audit will need the skills to both develop this as well as know where to expect to see analytics
deployed by the business.
Connected to the challenge of winning customers’ trust is the issue of how to collect, store,
manage and use customer data securely, and firms need to ensure that they fully take into
account current and future data protection regulations as they design their solutions.
• How effective is the organisation’s GDPR readiness programme? Are appropriate governance structures in place,
including a data protection officer?
• Is management effectively controlling the risks surrounding implementation of new data stores and platforms?
• How are the risks relating to personal data processing in the context of the GDPR being controlled? How is the organisation
monitoring and responding to the regulatory guidance that is emerging?
Internal audit should plan to leverage both new technologies as well as the organisation’s consolidated data stores to
drive more insightful and efficient internal audits/reviews.
Financial Reporting
Multiple significant financial reporting developments
After many years of consultation there is a suite of IFRS changes on the horizon that will
fundamentally change what an insurance company looks like on paper, with implications that
require an organisational-wide response.
• How robust has the organisation’s impact assessment been with regard to the IFRS changes? How effective have the
oversight and governance been around the set-up and management of the organisation’s response to the impact
assessments?
• Are the IFRS programmes appropriately resourced and being accurately tracked against programme milestones?
• Where new models are required to support the IFRS changes are these appropriately controlled and managed?
Given the pervasive nature of the impacts, particularly from IFRS 9 & 17, internal auditors will need to ensure that
they understand the changes in detail in order to be able to consider the effectiveness of the organisation’s response
through audits in many areas, including technology, policyholder data, investor communications and remuneration.
Financial institutions shared their first set of data with HMRC in 2017 for automatic exchange
with counterparty jurisdictions. Financial Institutions are now expected to have completed all
their remediation work by the end of 2017 and to report as appropriate in 2018.
• Does the operating model include adequate procedures for CRS compliance? Are sufficient resources and training in place to
support these?
• Is the governance approach around CRS submissions appropriate? Is the evidence required for tax authority audits
sufficient and adequately maintained?
• Has the organisation reviewed its performance in meeting the first-year requirements and identified the improvements needed
to meet the increased volume of reportable information expected in the second year of CRS?
• Have policy administration systems been enhanced to identify products within the scope of CRS?
• Have underwriting systems been enhanced to capture the indicia information for foreign accounts?
The Government has introduced new Corporate Criminal Offences for Failing to Prevent the
Facilitation of Tax Evasion. The legislation comes into force on 30 September 2017 and
HMRC expects businesses to have taken the initial steps to comply by this date.
• Is the programme to manage the implementation of the requirement being effectively managed and overseen?
• Does the project to ensure compliance leverage existing governance structure and risk assessment processes?
• Will management be conducting a post implementation review of the new controls and processes?
• Is there evidence of a culture of compliance driven from the top down? Does this include undertaking appropriate due
diligence on associated persons such as intermediaries?
• Post implementation is there a process in place to monitor and review compliance, including ongoing communication and
training?
A Model Risk Management Framework (MRMF) remains the key governance structure
through which a firm’s risk management approach to its model inventory is structured. An
effective MRMF enables active management of model risk across diverse model classes
within a defined model risk appetite as set by the Board.
Why is this a planning priority?
• Insurers are increasingly using complex models throughout their business.
• There is a heightened expectation among Non-executive Directors for more effective MRMFs as a
mechanism to manage and control risk. Boards are increasingly seeking to embed more effective model
management to support monitoring of the key strategic risks against the risk appetite statement and to
achieve the business strategy and objectives.
• Firms are increasingly drawing upon developments and insights in other companies to inform the
treatment of model risk and its categorisation within the wider risk framework.
• The identification and management of model risks remains a hot topic for UK and global regulators.
• Is there an MRMF in place, has it been designed appropriately, and do management understand and use it?
• Is the MRMF based on an appropriate risk identification process that has been effectively implemented by management?
• How well embedded is the MRMF and do management understand and monitor the outcomes of controls against the major
risks across key capital, pricing and business planning models?
• Is there an appropriate process to set and keep under review risk appetite limits in relation to model risk?
• How complete is the model inventory and how robustly is it maintained by management? How appropriate and consistently
applied are the risk ranking methodologies applied to the model inventory in order to identify the key models?
• How well do current model risk capabilities, documentation and processes compare to developing regulatory expectations
and observed market practice?
Financial Crime and AML
An unrelenting focus on financial crime continues
From a UK regulatory perspective, the FCA’s unrelenting focus on financial crime continues,
particularly in relation to AML, as reiterated by its Business Plan (2016-17), which
references AML as the FCA’s second highest of seven priorities for the coming year.
• How effectively have governance frameworks supporting the changes to financial crime legislation been implemented? Do
the frameworks aim to embed a culture which prevents financial crime?
• Does the organisation have suitably skilled resources in key business areas?
• How robustly did management complete an impact assessment and how effectively are the steps being taken to address
the impact being monitored?
• What is the quality of the underlying documentation for evidencing compliance?
A Risk Appetite Framework (RAF) remains one of the primary lenses through which a firm’s
risk management sophistication and capabilities are viewed. An effective RAF enables pro-
active management of the risk profile within the defined risk appetite as set by the board.
• How strong is the link between the firm’s business strategy and objectives and the risk management framework (RMF)?
• Does the RAF include both financial and non-financial risks?
• Is there appropriate governance and ownership of the RAF? What is the perception of the RAF across the organisation and
its impact on the risk culture?
• Does the RAF form an integral part of the firm’s business decision making across all levels of the hierarchy?
• How does the organisation’s current and target state activities for the design and implementation of the RAF compare to
regulatory expectations and developing market practices?
Organisations are facing increasing amounts of uncertainty and disruption, bringing both
risks and opportunities, which more resilient organisations are better prepared to overcome
and gain from.
• How aligned are risk management and other risk resilience related functions?
• How robust is resilience to/planning for major disruption and catastrophic risks? How frequently is the planning reviewed
and refreshed?
• Is the scope of risks or scenarios addressed under crisis management and resilience appropriate? This includes whether the
time horizon over which major disruptive or catastrophic risks are considered is reasonable and realistic.
• Does the testing of operational resilience plans include all relevant parties in the organisation, including risk management,
technology and operational management, corporate communications, people and facilities, Board members and governance
committees?
Internal auditors face a wide range of challenges. Yet the overarching theme for most
Internal Audit groups is the need to change. An Agile Internal Audit approach provides
methods that work to change both the mindset of internal auditors and their work
processes.
Why is this a planning priority?
• Originally a software development methodology, agile aims to reduce costs and time to delivery while
improving quality.
• Agile Internal Audit is the mindset an Internal Audit function will adopt to focus on stakeholder needs,
accelerate audit cycles, drive timely insights, reduce wasted effort, and generate less documentation.
• Agile prompts internal auditors and stakeholders to determine, upfront, the value to be delivered by an
audit or project: What level of assurance is needed? What risks are most concerning? Then the audit or
project aims to produce that value. Agile also prioritizes audits and projects based on both importance
and urgency as well as readiness to undertake the work.
• Finally, reporting doesn’t focus on documenting the work but on providing insights.
• Agile Internal Audit methods work to shift internal auditors’ mindsets and processes by pursuing:
• Clearer outcomes
• Increased engagement
• Improved documentation
• By aligning mindset and process, Agile Internal Audit frameworks direct time and effort toward the issues, challenges, and
risks that most affect the organisation’s ability to implement strategy and achieve goals. At the same time, they aim to
conduct routine assurance activities without unnecessary resources, effort, or reports.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2
New Street Square, London, EC4A 3BZ, United Kingdom.
Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP
do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.