
New Approaches

2018 Planning Priorities for Internal Audit in Financial Services


2018 Overview

Mixed economic messages making strategic planning difficult


• Following a resilient 2016, economic activity in the United Kingdom has softened in the first half
of 2017.
• Markets remain buoyed by easy monetary policy and a strengthening global recovery.
• But higher inflation – on the back of a weaker pound – has eroded growth in households’ real incomes
and has begun to weigh on consumption.

Implementation of key regulatory changes, and preparations for more


2018 will bring significant challenges to firms across EMEA in the form of continuing macro-policy
uncertainty, the implementation of a demanding and still evolving regulatory agenda, and other
market developments putting pressure on the industry. Key areas of focus include:
• Data privacy | GDPR compliance and scrutiny of big data
• Implementing new accounting standards (IFRS 17, IFRS 9)
• Prudential Rules | Regulatory attitudes towards the use of internal models
• Brexit, including the potential loss of passporting

New technology changing industry norms


• There are new forces acting on the industry that have the potential to shift the competitive
landscape, creating new risks and opportunities.
• Fintechs have materially changed the basis of competition, and have laid the foundation for
future disruption.
• There is a need to understand the transformative potential of new entrants and innovations on
business models in the industry.

FS Internal Audit : 2018 Planning Priorities © 2017 Deloitte LLP 1


2018 Sector Overview

Banking
• Open Banking
• Data
• Innovation

Insurance
• Product Innovation
• Cyber Risk
• Big Data

Capital markets
• Trading obligation
• MiFID II, EMIR, CSDR, SFTR

Investment management
• MiFID II, PRIIPs
• FCA Asset Management



Overview Of 2018 Hot Topics

In addition to topics recognised as key in prior years, 2018 sees the addition of a number of new
planning priorities to consider. ‘Model Risk Management’ has been introduced as a new theme,
reflecting the current focus of regulators on this topic. ‘Customer Vulnerability’ has been added as
an aspect of the perspective on the treatment of customers in an aging population.
Rapid developments in robotics, automation, Blockchain and FinTech are pushing all of these into
deployment in firms’ operational models, generating new and evolving risks for internal audit to
address.

Focus on your Conduct and Culture Programme
• Culture
• Corporate Governance
• Senior Manager Regimes
• Customer Vulnerability

Strategically Manage Prudential and Regulatory Requirements
• Financial Reporting
• HMRC Common Reporting Standard
• Corporate Criminal Offences
• Model Risk Management

Increase Focus on Technology and Disruption
• Cyber Risk
• Robotics and Automation
• Blockchain and Financial Infrastructure
• FinTech
• Data Analytics
• GDPR

Enhance the Structure and Capabilities of Risk Management
• Financial Crime and AML
• Risk Appetite Frameworks
• Operational Resilience
• Agile Internal Audit
Focus on your Conduct and
Culture Programme

Culture
Culture in financial services firms remains a priority for the FCA and PRA

Culture drives individual behaviours which in turn affect day-to-day practices in firms and
their interaction with customers and other market participants. Culture is therefore both a
key driver, and potential mitigant, of conduct risk.

Why is this a planning priority?


• Firms need to have structures, processes and incentives that support and reinforce the culture they
want to promote and prevent poor conduct.
• Culture change needs to be driven by the tone from the top but also requires staff to accept and
implement the processes in place that drive the culture the firm adopts.
• Boards need assurance that a culture of learning from mistakes, rewarding the right behaviour and
systems and processes that produce the desired behaviours are being embedded.
• Providing assurance to boards around values on the ground, however, is just part of the picture as
culture is not merely the articulation of an organisation’s values.

The Internal Audit challenges

• Are the right management decisions taken at the appropriate level with the right stakeholders?
• Is there sufficient evidence to document rationale and circumstances of key decisions being taken?
• Do Senior Managers delegate responsibilities in a transparent and effective manner in line with regulatory responsibilities?
• Are the executive committee’s decisions and responsibilities appropriately delegated within the firm?
• Does the talent agenda attract the right staff from a limited talent pool, train and develop them to address specialist
areas, and include development and succession planning?
• Does the disclosure on implementation of and compliance with codes of conduct and ethics increase transparency?
• Is MI on culture objective, and does it contain evidence-based analysis and recommendations?



Corporate Governance
Good governance is critical to delivering a sound and well-run business

At the centre of good governance is an effective board. The PRA has a major interest in
promoting good governance across the financial sector and supporting the work of boards in
delivering it.

Why is this a planning priority?


• The FSB’s thematic peer review on corporate governance assesses how it is applied by publicly listed, regulated
financial institutions, identifying effective practices while noting gaps and areas of possible weakness.
• The PRA has published a consultation paper on substantive changes to recovery planning, which includes
governance implications.
• The Business, Energy and Industrial Strategy Committee (BEIS) inquiry report calls for reforms to the UK
Corporate Governance Code and greater enforcement, setting out a number of key recommendations.

The Internal Audit challenges

• How clear and appropriate are Terms of Reference, roles and responsibilities, and delegated authorities for Boards and
relevant committees?
• Is the governance dynamic and composition effective, including the skills, experience, balance and competence of members
of governance committees and whether they receive adequate training to remain abreast of relevant new laws and
regulations?
• Do governance MI and reporting include evidence of robust challenge with a clear link to the risk appetite of the firm?
• Is the MI and reporting supported by appropriate governance and capabilities, including people, processes and IT systems?
• Is there alignment of financial rewards with corporate values and provision of fair outcomes?
• Is there appropriate risk competence: the collective risk management competence of an organisation (knowledge, skills,
learning, recruitment, induction and retention)?
• How do governance committees respond to assessments of their effectiveness?



Senior Manager Regimes
Enhancing ownership and accountability

Internal Audit functions are likely to conduct audits with an emphasis on clarity of individual
accountabilities, delegated authorities and legal entity-specific governance arrangements.

Why is this a planning priority?


• The PRA proposes to extend the Senior Managers and Certification Regime (SM&CR) to insurers.
• The PRA’s proposals include:
- requiring insurers to annually assess and certify the fitness and propriety of employees performing
functions deemed capable of causing ‘significant harm’ to the firm or its customers;
- applying the PRA’s Conduct Rules to all key function holders (KFHs) and material risk-takers at
large insurers;
- requiring firms to notify the PRA of internal disciplinary action against individuals within scope of
the SM&CR due to breaches of the Conduct Rules.

The Internal Audit challenges

• How robust is the approach to on-going identification of Senior Management Functions and Certified Individuals?
• Focus is needed on the high risk areas, including the framework, processes and underlying documentation for evidencing
“reasonable steps” and handovers between Senior Managers.
• Review the status of the Certification Regime Implementation Programme and the effectiveness of related policies affecting
the employee lifecycle.
• Evaluate the extent to which the Conduct Rules have been embedded into existing conduct, recruitment, appraisal,
training, HR and reward-related processes, and how breaches are monitored.



Customer Vulnerability
Evolving FCA focus on customer vulnerability

The FCA continues its focus on customer vulnerability, noting that vulnerable customers are
more susceptible to harm and generally less able to advance their own interests.

Why is this a planning priority?


• Vulnerability is not set in stone, nor is it a permanent state for a customer. It can arise from physical
disability, mental illness, limited financial literacy or age.
• The risk posed to firms can range from failure to set up an appropriate forbearance strategy, to
inadequate advice for an elderly policyholder, to failing to provide documentation in a form accessible to
a visually impaired customer, or increased risks of being scammed where mental capacity is limited.
• Consequently, we see ‘vulnerability’ and the need to recognise and manage it permeating many aspects
of internal audit activity, particularly in audits of customer facing or operational areas.

The Internal Audit challenges

• How has vulnerability been factored into new and existing products? Does there need to be a change in how products are
distributed and managed? Is there a framework to support this?
• How are vulnerable customers identified? How accurate is the vulnerable customer population? Customers identified as
vulnerable may later cease to be so; what is the process to review this and, where appropriate, remove them from the
population? Do system capabilities allow for proper identification and record keeping to ensure appropriate management?
• How differently are vulnerable customers treated? Are indications of vulnerability acted upon and a different route taken for
the customer to ensure an appropriate outcome? Does the firm have set processes? Is there an exception route through
governance?
• How is consistency around vulnerability driven? Is there a policy? How is it cascaded, trained and monitored?



Increase Focus on
Technology and Disruption

Managing Cyber Risk To The Organisation
Address sophistication, but maintain focus on the basics

Cyber risk has been highlighted as a focus area by most regulators in recent years and we
expect greater supervisory scrutiny from the FCA in 2018, as the FCA is increasing its
specialist knowledge in this area and there has been supervisory activity at individual firms.

Why is this a planning priority?


• Cyber security’s status as one of the key hot topics across the industry shows no sign of abating.
• During 2018 we expect that Boards will increasingly be under scrutiny over their practical IT and cyber
expertise, and their ability to demonstrate that they can oversee and challenge management
appropriately.
• There is also a risk that organisations are becoming too focused on “overly hyped” cyber initiatives, with
traditional, operational information security controls being overlooked. Many organisations still grapple
with basic information security programmes and controls.
• The field of cyber risk insurance is also evolving rapidly and brings a range of new challenges.

The Internal Audit challenges

• Is an appropriate focus being maintained across the full breadth and depth of Cyber and Information Security operational
controls, commensurate to the nature of the information risk exposures and risk profile of the organisation?

Internal audit will need to ensure it has appropriately skilled and experienced cyber internal auditors to face off
against stakeholders and fully understand the cyber risk challenges the organisation is facing.
Internal audit will also need to enhance its understanding and readiness to assure cyber risks across new technologies
that will form the technology architecture of the future, such as cloud-based, Agile systems and innovative solutions
enabled by technologies such as Blockchain.



Robotics and Automation
An air of transformational change on the horizon

A recent Deloitte survey on Robotic Process Automation (RPA) noted a sharp increase last
year in the number of organisations that have investigated RPA, and a significant number
that have already implemented or piloted RPA.

Why is this a planning priority?


• The spectrum of “automation” ranges from enabling strategies that improve parts of business
processes, to implementing sophisticated technologies with cognitive elements. RPA enables businesses
to ‘take the robot out of the human’ by automating repetitive and rules-based processes to reduce cost,
increase quality and boost the speed of operations.
• This has been very successfully applied in automating rules-based tasks such as complaints handling,
and know your customer processing.
• As operational processes become more automated, the need for a robust and reliable control
environment, and the ability to report effectively on the status of that environment, is ever more critical.

The Internal Audit challenges

• Is the organisation’s robotics and automation strategy consistent with other initiatives?
• How can controls be strengthened as processes are automated?

Define and implement a structured approach for auditing robotics and automation in the business.
Strategically consider how automation may impact, or even transform the internal audit function by being used to
establish sophisticated continuous auditing and monitoring techniques or automate operational tasks.
Develop skills to understand and assess the technology infrastructure and associated risks, including coding and
programme script quality control and management.



Blockchain and Financial Infrastructure
Transforming the infrastructure of financial services

Organisations are examining how Blockchain technology can be used to make the settlement
process more efficient and cost effective, with a view to system launches as early as 2018.
The next twelve months will require securing central bank and regulator support;
understanding the regulatory environment; tackling governance, data security, and
operational risk concerns; and improving and testing the technology, particularly in terms of
scalability.
Why is this a planning priority?
• Distributed ledger technology (DLT), or Blockchain, provides transparency and immutable records and allows
the autonomous execution of business rules, enabling superior automation capabilities.
• For example, the focus in insurance is on ownership verification and commercial property and
casualty claims processing.
• The regulatory environment is uncertain. Standards are only just starting to be developed. Formal legal
frameworks don’t exist.
• Updating financial infrastructure through DLT will require significant time and investment.

The Internal Audit challenges

• How well controlled is the organisation’s involvement in the development of Blockchain, both within the organisation and
through participation in industry groups?
• Is there robust governance around the business case for investment in Blockchain?

Internal audit teams need education in the technology, its disruptive potential and the effect on the business.



FinTech
Identifying practical business applications for disruptive technologies

Disruptive technologies and their practical business applications are at the forefront of
digitalisation and innovation initiatives and are expected to revolutionise the way the
financial services sector operates, trades and services customers.

Why is this a planning priority?


• AI is expected to exponentially disrupt the way firms gather information, make decisions, and even
connect with stakeholders.
• As firms seek to harness AI and advanced analytics to improve internal processes or enhance customer
experience, regulators increasingly focus on the risks and unintended consequences these may bring.
• Boards will need to understand, to the regulators’ satisfaction, that they have achieved the right
balance between competitive position and risk – to the organisation itself, to customers and more
broadly market integrity.

The Internal Audit challenges

• How well does management understand the risks inherent in FinTech initiatives and business models and challenge
accordingly?
• Does the approach adopted by the business take into account the interests of customers and market integrity?

Internal audit will need to develop skills and resources aligned to business innovation hubs to ensure it can map the
environment, understand the risk profile and provide timely assurance.
Internal audit needs to stay close to industry innovation and regulators’ evolving expectations to be able to
appropriately challenge and support the business where it is seeking to innovate or use ‘disruptive’ technology.



Data Analytics
Challenging yourself and the business to deploy analytics effectively

Analytics demand is trending towards easy to use, real-time, pervasive analytical
environments that accommodate the growing use of mobile, social, cloud and big data
capabilities.

Why is this a planning priority?


• Data analytics is a key part of organisations’ strategies for getting value from exponentially increasing
volumes of data.
• In many instances the use of analytics in operational activities has moved beyond hypothetical to
application, with investment in tools, people and processes.
• The regulatory landscape around the use of analytics on large customer datasets is evolving, with
guidance and requirements continuing to emerge.

The Internal Audit challenges

• Is the organisation’s data analytics strategy aligned to long-term strategic goals or short-term needs? Is there a clearly
defined structure and vision for analytics transformation?
• Is analytics embedded in the organisation’s processes and decision making?
• Is there appropriate governance around the decisions to develop analytics in business processes, and then oversight of
their use in line with regulatory expectations?

Internal audit will need its own approach to using analytics throughout the audit process, from planning to testing to
reporting. Internal audit will need the skills to both develop this as well as know where to expect to see analytics
deployed by the business.



EU General Data Protection Regulation
Harmonising the currently fragmented legal framework for privacy

Connected to the challenge of winning customers’ trust is the issue of how to collect, store,
manage and use customer data securely, and firms need to ensure that they fully take into
account current and future data protection regulations as they design their solutions.

Why is this a planning priority?


• GDPR is enforceable from 25th May 2018 and introduces a range of requirements that have significant
impact on organisations. Combined with increasing demands from consumers, privacy is now firmly
placed at the top of the corporate agenda.
• GDPR mandates organisational accountability and will require organisations to implement robust privacy
governance to demonstrate this. This is in addition to a wide range of other requirements. The
maximum penalty for serious non-compliance will be 4% of annual global turnover.
• Guidance from the Article 29 Working Party and the UK Information Commissioner’s Office is still emerging;
therefore what compliance looks like is still unclear and open to interpretation.

The Internal Audit challenges

• How effective is the organisation’s GDPR readiness programme? Are appropriate governance structures in place,
including a data protection officer?
• Is management effectively controlling the risks surrounding implementation of new data stores and platforms?
• How are the risks relating to personal data processing in the context of the GDPR being controlled? How is the organisation
monitoring and responding to the regulatory guidance that is emerging?

Internal audit should plan to leverage both new technologies as well as the organisation’s consolidated data stores to
drive more insightful and efficient internal audits/reviews.



Strategically Manage Prudential
and Regulatory Requirements

Financial Reporting
Multiple significant financial reporting developments

After many years of consultation there is a suite of IFRS changes on the horizon that will
fundamentally change what an insurance company looks like on paper, with implications that
require an organisational-wide response.

Why is this a planning priority?


• IFRS 9 will impact the credit landscape and introduce a number of strategic and business challenges.
The scale and complexity of the changes required by IFRS 9 means that it is a large, high risk project
for many organisations.
• IFRS 15 outlines a single comprehensive model of accounting for non-insurance revenue arising from
contracts with customers. Effective from 2017 the standard requires system and process developments.
• IFRS 17 will be complex, introducing fundamental differences in liability measurement and profit
recognition, and have organisational-wide implications.

The Internal Audit challenges

• How robust has the organisation’s impact assessment been with regards to the IFRS changes? How effective has the
oversight and governance been around the set-up and management of the organisation’s response to the impact
assessments?
• Are the IFRS programmes appropriately resourced and being accurately tracked against programme milestones?
• Where new models are required to support the IFRS changes are these appropriately controlled and managed?

Given the pervasive nature of the impacts, particularly from IFRS 9 & 17, internal auditors will need to ensure that
they understand the changes in detail in order to be able to consider the effectiveness of the organisation’s response
through audits in many areas, including technology, policyholder data, investor communications and remuneration.



HMRC Common Reporting Standard
Cross-jurisdictional sharing of tax information

Financial institutions shared their first set of data with HMRC in 2017 for automatic exchange
with counterparty jurisdictions. Financial Institutions are now expected to have completed all
their remediation work by the end of 2017 and to report as appropriate in 2018.

Why is this a planning priority?


• CRS establishes obligations for businesses, including identifying which group entities are financial
institutions, verifying account holders’ tax residency and reporting information on reportable persons to
HMRC annually.
• The regulations also include provisions that can require financial institutions to notify their customers
about CRS obligations, penalties and HMRC disclosure facilities.
• Under CRS, reporting volumes for FS firms have grown significantly. Under previous regimes, insurers
benefited from exemptions that excluded reviewing the back-book of business; these are not available
under CRS.

The Internal Audit challenges

• Does the operating model include adequate procedures for CRS compliance? Are sufficient resources and training in place to
support these?
• Is the governance approach around CRS submissions appropriate? Is the evidence required for tax authority audits
sufficient and adequately maintained?
• Has the organisation reviewed performance in meeting the first year requirements and identified improvements needed to
meet the increased volume of reportable information expected in the second year of CRS?
• Have policy administration systems been enhanced to identify products within the scope of CRS?
• Have underwriting systems been enhanced to capture the indicia information for foreign accounts?



Corporate Criminal Offences
Implementing and maintaining reasonable controls

The Government has introduced new Corporate Criminal Offences for Failing to Prevent the
Facilitation of Tax Evasion. The legislation comes into force on 30 September 2017 and
HMRC expects businesses to have taken the initial steps to comply by this date.

Why is this a planning priority?


• The legislation requires businesses to implement and maintain controls that are reasonably intended to prevent their
associated persons from assisting in tax evasion. The powers are widely drawn, making UK and non-UK
corporates and partnerships liable for facilitating the evasion of tax, globally.
• Penalties for non-compliance are expected to include significant monetary fines and action under the
new rules would expose an organisation and its senior individuals to significant reputational risk.
• The Government guidance sets out six principles for companies and partnerships to follow in
establishing their reasonable procedures, including risk assessment, training, and monitoring of
compliance with procedures.
• There will be a transitional period for implementation, but all companies and partnerships are expected
to take significant steps ahead of 30 September 2017.

The Internal Audit challenges

• Is the programme to manage the implementation of the requirement being effectively managed and overseen?
• Does the project to ensure compliance leverage existing governance structure and risk assessment processes?
• Will management be conducting a post implementation review of the new controls and processes?
• Is there evidence of a culture of compliance which is driven from the top down? Does this include undertaking appropriate due
diligence on associated persons such as intermediaries?
• Post implementation is there a process in place to monitor and review compliance, including ongoing communication and
training?



Model Risk Management
The need for an effective Model Risk Management Framework

A Model Risk Management Framework (MRMF) remains the key governance structure
through which a firm’s risk management approach to its model inventory is structured. An
effective MRMF enables active management of model risk across diverse model classes
within a defined model risk appetite as set by the Board.
Why is this a planning priority?
• Insurers are increasingly using complex models throughout their business.
• There is a heightened expectation among Non-executive Directors for more effective MRMFs as a
mechanism to manage and control risk. Boards are increasingly seeking to embed more effective model
management to support monitoring of the key strategic risks against the risk appetite statement and the
achievement of the business strategy and objectives.
• Firms are increasingly drawing upon developments and insights in other companies to inform the
treatment of model risk and its categorisation within the wider risk framework.
• The identification and management of model risks remains a hot topic for UK and global regulators.

The Internal Audit challenges

• Is there an MRMF in place, has it been designed appropriately, and do management understand and use it?
• Is the MRMF based on an appropriate risk identification process that has been effectively implemented by management?
• How well embedded is the MRMF and do management understand and monitor the outcomes of controls against the major
risks across key capital, pricing and business planning models?
• Is there an appropriate process to set and keep under review risk appetite limits in relation to model risk?
• How complete is the model inventory and how robustly is it maintained by management? How appropriate and consistently
applied are the risk ranking methodologies applied to the model inventory in order to identify the key models?
• How well do current model risk capabilities, documentation and processes compare to developing regulatory expectations
and observed market practice?



Enhance the Structure and
Capabilities of Risk Management

Financial Crime and AML
An unrelenting focus on financial crime continues

From a UK regulatory perspective, the FCA’s unrelenting focus on financial crime continues,
particularly in relation to AML, as reiterated by its Business Plan (2016-17), which
references AML as the FCA’s second highest of seven priorities for the coming year.

Why is this a planning priority?


• Firms have been strongly encouraged to conduct assessments of the risks posed by their customers and
institute sophisticated systems and controls which prevent financial crime, supported by new standards.
• Criminal Finances Act 2017 – changes the landscape for reporting entities through the creation of
unexplained wealth orders, allowing co-ordination of Suspicious Activity Reports between institutions.
• Fourth Money Laundering Directive – came into force on 26 June 2017 with: changes to the definition of
Politically Exposed Persons; greater detail on the meaning of beneficial ownership; a renewed and
extended emphasis and detail on risk assessment; a broader definition of correspondent relationship;
and, removal of the automatic application of simplified due diligence for certain types of customer.
• There is also the requirement, now in force, for an ‘Annual Financial Crime Report’ to be submitted by
large general insurance intermediary firms.

The Internal Audit challenges

• How effectively have governance frameworks supporting the changes to financial crime legislation been implemented? Do
the frameworks aim to embed a culture which prevents financial crime?
• Does the organisation have suitably skilled resources in key business areas?
• How robustly did management complete an impact assessment and how effectively are the steps being taken to address
the impact being monitored?
• What is the quality of the underlying documentation for evidencing compliance?



Risk Appetite Frameworks
A primary lens for assessing a firm’s risk management sophistication

A Risk Appetite Framework (RAF) remains one of the primary lenses through which a firm’s
risk management sophistication and capabilities are viewed. An effective RAF enables pro-
active management of the risk profile within the defined risk appetite as set by the board.

Why is this a planning priority?


• Boards are increasingly seeking to embed more effective risk appetite limit setting and reporting to
support monitoring of the key strategic risks against the risk appetite statement and the achievement of the
business strategy.
• There is a heightened expectation among Non-executive Directors of insurers for more effective use of risk
appetite as a mechanism to manage and control risk.
• In the absence of an effective RAF, many insurers struggle to demonstrate compliance with expected
standards.
• There is an increasing recognition that non-financial risks should receive greater prominence in the RAF
pertaining to key performance metrics such as profitability.

The Internal Audit challenges

• How strong is the link between the firm’s business strategy and objectives and the risk management framework (RMF)?
• Does the RAF include financial and non-financial risks?
• Is there appropriate governance and ownership of the RAF? What is the perception of the RAF across the organisation and
its impact on the risk culture?
• Does the RAF form an integral part of the firm’s business decision making across all levels of the hierarchy?
• How does the organisation’s current and target state activities for the design and implementation of the RAF compare to
regulatory expectations and developing market practices?



Operational Resilience
Preparing for uncertainty and disruption

Organisations are facing increasing amounts of uncertainty and disruption, bringing both
risks and opportunities, which more resilient organisations are better prepared to overcome
and gain from.

Why is this a planning priority?

• Operational Resilience is the ability to anticipate and assess, protect and control, plan and prepare, and
respond and recover in the context of major disruptive or catastrophic risks, whether they are internal
or external, known or unknown, in addition to the ability to adapt and reform in the longer-term.
• Board Members and Audit Committees have become increasingly aware of the regulatory focus on
Operational Resilience. Since the launch of the second Dear Chairman exercise, firms have become
increasingly concerned about the prospect of a regulatory visit to scrutinise a firm’s Operational
Resilience strategies.
• Spurred by a number of high-profile attacks on firms, supervisors will increase their focus on cyber
resilience.

The Internal Audit challenges

• How aligned are risk management and other risk resilience related functions?
• How robust is resilience to, and planning for, major disruption and catastrophic risks? How frequently is the planning reviewed
and refreshed?
• Is the scope of risks or scenarios addressed under crisis management and resilience appropriate? This includes whether the
time horizon over which major disruptive or catastrophic risks are considered is reasonable and realistic.
• Does the testing of operational resilience plans include all relevant parties in the organisation, including risk management,
technology and operational management, corporate communications, people and facilities, Board members and governance
committees?



Agile Internal Audit
A mindset change

Internal auditors face a wide range of challenges. Yet the overarching theme for most
Internal Audit groups is the need to change. An Agile Internal Audit approach provides
methods that work to change both the mindset of internal auditors and their work
processes.

Why is this a planning priority?

• Originally a software development methodology, agile aims to reduce costs and time to delivery while
improving quality.
• Agile Internal Audit is the mindset an Internal Audit function will adopt to focus on stakeholder needs,
accelerate audit cycles, drive timely insights, reduce wasted effort, and generate less documentation.
• Agile prompts internal auditors and stakeholders to determine, upfront, the value to be delivered by an
audit or project: What level of assurance is needed? What risks are most concerning? Then the audit or
project aims to produce that value. Agile also prioritizes audits and projects based on both importance
and urgency as well as readiness to undertake the work.
• Finally, reporting doesn’t focus on documenting the work but on providing insights.

The Internal Audit challenges

• Agile Internal Audit methods work to shift internal auditors’ mindsets and processes by pursuing:
  • Clearer outcomes
  • Increased engagement
  • Improved documentation
• By aligning mindset and process, Agile Internal Audit frameworks direct time and effort toward the issues, challenges, and
risks that most affect the organization’s ability to implement strategy and achieve goals. At the same time, they aim to
conduct routine assurance activities without unnecessary resources, effort, or reports.



This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from
action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2
New Street Square, London, EC4A 3BZ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP
do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

© 2017 Deloitte LLP. All rights reserved.
