As financial services firms look ahead to 2024, assurance teams are finalising their internal audit plans. Vivian Lagan explains key areas for inclusion and considers the scope of each review.

Financial services firms are currently in the process of finalising their 2024 audit plans – but it can be tricky to work out what to include and why. While many firms will be reviewing comparable areas, your internal audit plan will ultimately depend on your unique business model and current risk profile. There are also some staple topics to consider, which reflect ongoing challenges and concerns for firms across the sector. 

Internal audit hot topics

Our quarterly internal audit hot topics give you a thematic view of new and emerging risks on the regulatory horizon that are applicable across financial services. They will help you structure conversations and define your own internal audit plan.

Credit risk

In January, the PRA published a Dear CEO letter to deposit-takers highlighting the importance of credit risk during this period of economic uncertainty. So far, these risks haven’t crystallised significantly (as per the Bank of England’s Financial Stability Report from July), but it’s a key area to watch out for and you need to monitor your credit risk closely. You also need to think about IFRS 9 compliance, and Basel 3.1 implementation – specifically the standardised and internal ratings-based approaches to credit risk.

What to include in your scope?

Economic factors such as inflation, the cost of living crisis, interest rates, and energy costs are all increasing your credit risk profile. To mitigate the risks, you can review your credit risk management framework to make sure it remains fit for purpose, and check your credit portfolio to identify any non-performing assets and assess asset quality. This includes examining watchlist criteria and triggers, staging of assets, recovery rate assessments, limit setting and monitoring, covenant monitoring, collateral valuations, provision levels and changes.

The regulators will expect assurance over traditionally high-risk areas, and may want further data on retail credit card portfolios or unsecured personal loans. Reviewing your early warning indicator framework can support early intervention, and it’s important to consider early outreach options for customers and review your lending criteria to reduce further credit risk moving forward.

Model risk

Model risk expectations have changed over the last few years, and the bar is now higher than ever. This includes new requirements from the PRA under SS1/23, updated disclosure guidelines for credit loss under IFRS 9, and inclusion in the Basel Committee on Banking Supervision’s work programme and strategic priorities for 2023/24.

What to include in your scope?

The PRA has stressed that model risk is a material risk to banks and needs appropriate oversight. Internal audit needs to think about how to provide robust assurance over model risk, to support its organisation’s efforts to strengthen model risk-management practices. This isn’t an easy balancing act, and it’s important to consider resource challenges and evaluate the level of rigour applied to the implementation of SS1/23 requirements. You’ll also need to think about:

  • The Internal Ratings Based (IRB) repair programme and key focus areas, such as Probability of Default (PD) and Loss Given Default (LGD) models, IRB hybrid mortgage models, definition of default, and margin of conservatism approach
  • Audit of model implementation once redeveloped models are approved
  • Use of ESG and climate risk models, including stress testing, inclusion in the Internal Capital Adequacy Assessment Process (ICAAP), governance and scenario testing
  • IFRS 9 considerations, such as disclosures against the Taskforce on Disclosures about Expected Credit Losses (DECL) and the Taskforce on Climate-Related Financial Disclosures (TCFD), the Effective Interest Rate (EIR), significant increase in credit risk (SICR), and macroeconomic scenario model components.

Climate risk

Managing climate risk remains an ongoing challenge in the financial sector, with a raft of benchmarking and reporting approaches in place. This includes requirements around greenwashing controls, climate risk, ESG programme reviews, and readiness assessments. Key regulatory developments include the PRA’s recent thematic feedback on written auditor reporting and the Taskforce on Nature-related Financial Disclosures (TNFD), which aims to reduce the risk of biodiversity loss.

What to include in your scope?

For your internal audit planning, there are a number of areas to include in your scope. First off, there’s SS3/19 implementation and the follow-up Dear CEO letters, and you’ll need to think about your climate risk governance, risk management, scenario analysis and modelling, counterparty engagement, climate accounting, disclosures and data.

More specifically, you need to think about how each of these areas relates to your wider strategy, risk management framework, risk appetite statement, committee structures, and three lines of defence. You ultimately need to reflect these risks in your internal and external reporting, so it’s essential to think about what qualitative and quantitative data you have available, and how it can feed into TCFD and Pillar 3 disclosures and wider risk management approaches.

Key areas for review include model risk (including scenario selection, stress-testing, impact on the ICAAP, and governance arrangements) and counterparty engagement strategies to manage timeframes and close the gaps on data, reporting and decision-making over time. It’s also important to sense-check your climate data, including the reliability of carbon emissions reporting, and to independently assess the methodologies used to inform your data inputs.

Internal audit may also want to review any plans for TNFD implementation. While this is currently voluntary, there’s a good chance of it becoming mandatory over time. Early adoption, and drawing on synergies with the TCFD, can support an effective implementation and improve risk management processes.

Operational resilience and third-party risk

Operational resilience is an ongoing priority for firms across the financial sector. Focusing on the ability to restore critical services (PS21/3), it also encompasses third-party risk (including SS2/21 compliance), new rules on critical third parties (DP3/22) and alignment with the EU’s Digital Operational Resilience Act (DORA) (which applies to UK firms operating in EU markets).

What to include in your scope?

Internal audit needs to review compliance with the above regulations and offer effective challenge over any potential weaknesses in operational resilience and third-party oversight arrangements. This includes reviewing your operational resilience framework to make sure you continue to refine your important business services, your mapping, impact tolerances, and vulnerabilities. Internal audit also needs to make sure scenario and stress-testing is robust, with lessons learned feeding back into wider business processes. It’s also important to review your DORA implementation programme to ensure it’s on track and fit for purpose.

As an integral component of operational resilience, you also need to monitor your outsourced suppliers and key third party providers carefully to make sure you have effective oversight and influence along the supply chain. This includes identifying your critical third parties and implementing DP3/22 to reduce systemic risk across the sector, manage concentration risk, and reduce disruption. Firms also need to think about the role of all their third-party relationships, critical or otherwise, to ensure effective governance and clear ownership over these arrangements, accountability for contractual obligations, and performance management. Cyber security is an important consideration in operational resilience, but is covered in greater detail below.

It’s also important to note that the traditional shared security model for cloud-based services has now evolved into a Shared Resilience Model. This will affect your broader risk landscape, and you need to review any changes needed to your control framework to make sure this mindset has been fully embedded across your business. When reviewing your current processes, it’s also important to consider engagement and training, governance, supply chain security, incident response and compliance with best practice security frameworks (as a minimum).

Cyber security

Effective cyber security and resilience processes are also integral to operational resilience and financial stability. This was recently highlighted in a speech by Elizabeth Stheeman, of the Bank of England’s Financial Policy Committee, who stated that the direct impacts of a cyber incident could lead to financial losses and liquidity stresses. There could also be contagion across the market, leading to indirect impacts. As such, financial services firms need to consider their cyber security controls and audit activity to reduce the potential for operational disruption and to help maintain financial stability across the sector.

What to include in your scope?

When putting together your 2024 internal audit plan, you need to consider your compliance with a range of regulatory approaches and best practice frameworks. This will help you establish effective operational and cyber resilience processes, and actively support financial stability in line with wider market activity.

Key considerations include:

  • Establishing and maintaining effective controls, governance and oversight processes in line with the FCA’s principles for business and the PRA’s fundamental rules.
  • Developing continual improvement processes to implement findings from the FCA’s Cyber Co-ordination Groups, and lessons learned from the PRA’s 2022 Cyber Stress Test.
  • Compliance with the European Cyber Resilience Act and NIS2 for UK firms that do business in the EU (these still serve as good practice for firms that are out of scope).
  • Benchmarking best practice in line with the NCSC’s Annual Review 2023, to support good cyber hygiene, stay on top of the threat landscape and boost resilience. This includes international reviews such as the EBA’s recent observations on IT and cyber risk and the findings from the IT risk questionnaire in its annual Supervisory Review and Evaluation Process.
  • Reviewing key cyber components to support operational resilience processes, DORA, the EBA Guidelines on ICT and security risk management, and the PRA’s SS2/21 on ‘Outsourcing and Third-Party Risk Management’.
  • Assessing compliance with the Bank of England’s CBEST and CQUEST expectations to improve supervisory oversight and reduce cyber risks.

You also need to think about your cyber governance processes to make sure you are reporting issues promptly, with effective Board engagement and oversight.

Diversity & Inclusion (D&I)

Diversity and inclusion are a key concern for regulators, who are keen to create a more level playing field in the workplace and reduce the risk of groupthink. Key regulatory updates include PS22/3 on diversity and inclusion on company boards and executive management, and CP23/20, which outlines steps to unlock talent, improve competition, and reduce risk.

What to include in your scope?

For your 2024 internal audit plan, you can review your current diversity and inclusion frameworks to make sure they meet the FCA’s existing standards and to start implementing CP23/20. This includes assessing how well your diversity and inclusion framework is embedded across the business, and reviewing the metrics you use to monitor, manage, and improve D&I processes. You can support this work by reviewing your remuneration principles in the context of the cost of living crisis and high inflationary environment. Ultimately, you need to make sure these policies don’t inadvertently widen inequality gaps.

It’s also important to regularly review your business to assess how key behaviours are defined, articulated, and monitored – and how they can support the wider culture. While hybrid and remote working patterns can broaden the recruitment net to cover a more diverse range of candidates, it’s important to continue monitoring these practices to reduce people risk, maintain the right culture and support employee wellbeing.

Consumer Duty

The Consumer Duty embodies a significant shift in regulatory expectations. Previously, it was enough to demonstrate fair treatment of customers and avoid poor outcomes – but now you need to proactively demonstrate how you’re ensuring good customer outcomes. To meet the challenge, you need to review your culture to embed outcome-orientated behaviours across the firm. With the regulation now in force for open book products, many firms are struggling to move to business as usual and demonstrate good outcomes for all retail customer groups and all in-scope products and services. Meanwhile, firms with closed book products must work towards the July 2024 deadline for implementing the equivalent infrastructure.

What to include in your scope?

The Consumer Duty is a flagship initiative for the FCA, and it wants the rules to be a catalyst for tangible, significant improvements, not just in firms’ policies, procedures, and management information (MI), but in better outcomes for customers.

So, the key ‘exam question’ is: how effective are the changes you’ve made to demonstrate that you consistently generate good outcomes and good value from your products and services; and to ensure you can intervene meaningfully when this may not be the case?

Internal audit needs to think about supporting and overseeing the business regarding:

  • following through on any implementation actions that were not ready by 31 July 2023, including producing and refining the MI needed to measure good outcomes
  • obtaining post-implementation assurance that the firm complies with the Consumer Duty, so that the board can ‘sleep at night’ in the knowledge that the firm meets the FCA’s expectations by truly delivering good outcomes for its customers
  • closed book actions to ensure the firm can confidently set about meeting the next key milestone of 31 July 2024, including a project plan that is sufficiently detailed, appropriately resourced and feasible in the remaining timeframe
  • optimisation – ensuring that customer outcome-orientated thinking and practices are embedded, and turning some of the tactical fixes of the past few months into something more strategic and robust – i.e. Consumer Duty ‘by design’.

Regulatory reporting

Poor regulatory reporting continues to be a key driver of section 166 reviews, and you need to make sure your underlying data and reporting processes are up to scratch. Key returns include COREP, PRA110 and FINREP. Firms also need to make sure the ICAAP/ILAAP is up to date, and accurately reflects capital and liquidity to support recovery and resolution planning.

What to include in your scope?

You need to review your regulatory reporting processes to make sure all returns are accurate, complete, and consistent. For the audit plan you can consider cyclical testing over key processes and controls to check your data quality verifications, reconciliation, and validation practices to support regulatory returns.

As you implement Basel 3.1, it’s important to consider how you will complete enhanced credit risk disclosures under Pillar 3, covering the leverage ratio, binding NSFR, large exposures, and the standardised approach to counterparty credit risk (SA-CCR).

You should also review your ICAAP and ILAAP processes, to make sure they align with your wider recovery and resolution planning. This includes consideration of more recent regulatory approaches, such as OCIR within the Resolvability Assessment Framework (RAF), and key themes including climate risk.

Recovery, resolution, and wind-down planning

Financial services firms continue to face challenges around capital, liquidity, and loss of investor confidence, with high-profile casualties such as Silicon Valley Bank. As such, we’ve seen new rules on solvent exit, to address concerns around the quality of wind-down plans, and trading activity wind-down plans, to wind down trading activities in an orderly way. These concerns were reflected in a recent Bank of England speech, which highlights the need for proportionate regulation, effective risk measurement, adequate operational resources, and the ability to fail safely throughout recovery and resolution.

What to include in your scope?

While all firms need to think about recovery and resolution planning, systemically and non-systemically important firms have a range of different requirements:

  • Systemically important firms need to think about their trading activity wind-down plans, which need to be in place by March 2025 – they also need to consider how these fit into wider requirements for operational continuity in resolution (OCIR)
  • Non-systemically important firms need to think about their solvent exit plans, which must be ready by Q3 of 2025; these plans will replace the solvent wind-down option, which has been a key driver of s166 reviews, and firms need to consider longer timeframes, use of technology and operational barriers to success

When implementing these regulations, internal audit also needs to think about how these elements interact with the Resolvability Assessment Framework. This includes consistency and alignment across all strands of recovery and resolution regulation, completion of the self-assessment report, and consideration of how the resolution strategy will affect the MREL calculation.

Payments

The payments sector is a tricky area in terms of regulatory and technical compliance, and continues to be a key area of focus for internal audit. The Payment Systems Regulator published its five-year strategy in 2022, which aims to boost competition, improve consumer protection, and make payments systems more usable for everyone. This includes ensuring that users are protected against fraud and reimbursed where appropriate.

What to include in your scope?

When considering your 2023 internal audit plan, you should think about the following key areas:

  • SWIFT Customer Security Programme: SWIFT members need to complete annual attestations, and internal audit needs to make sure these are accurate and fit for purpose; SWIFT is increasingly reporting non-compliant banks to the PSR.
  • PSD2 compliance: for those with EU responsibilities, this includes monitoring and reporting fraud data, complaints handling, major incident reporting, strong customer authentication, governance and fees.
  • Safeguarding: firms need to secure an external reasonable assurance audit of their safeguarding arrangements over customer funds.
  • UK payment schemes: internal audit needs to think about mandatory payment scheme attestations under Pay.UK requirements.
  • ISO 20022: firms need to consider how they’ve implemented the standard and how they are delivering assurance over it – this includes interaction with CHAPS, cross-border payments and TARGET2.

Looking ahead to 2024

When building your internal audit plan for 2024, you need to consider how the above risks relate to your business and reflect your unique risk profile and risk appetite. While some risks won’t apply, others may feature heavily, and it will be a fine balancing act to include the right range and depth of coverage to meet your business needs.

For more insight and guidance on building your financial services internal audit plan, contact Vivian Lagan.