New Approaches 2018 Planning Priorities for Internal Audit in Financial Services - Chartered Institute ...

New Approaches
2018 Planning Priorities for Internal Audit in Financial Services
2018 Overview

Mixed economic messages making strategic planning difficult
• Following a resilient 2016, economic activity in the United Kingdom has softened in the first half of 2017.
• Markets remain buoyed by easy monetary policy and a strengthening global recovery.
• But higher inflation – on the back of a weaker pound – has eroded households’ real income growth and begun to weigh on consumption.

Implementation of key regulatory changes, and preparations for more
2018 will bring significant challenges to firms across EMEA in the form of continuing macro-policy uncertainty, the implementation of a demanding and still evolving regulatory agenda, and other market developments putting pressure on the industry. Key focuses include:
• Data privacy | GDPR compliance and scrutiny of big data
• Implementing new accounting standards (IFRS 17, IFRS 9)
• Prudential Rules | Regulatory attitudes towards the use of internal models
• Brexit, including potential loss of passporting

New technology changing industry norms
• There are new forces acting on the industry that have the potential to shift the competitive landscape, creating new risks and opportunities.
• Fintechs have materially changed the basis of competition, and have laid the foundation for future disruption.
• There is a need to understand the transformative potential of new entrants and innovations on business models in the industry.

FS Internal Audit : 2018 Planning Priorities                         © 2017 Deloitte LLP                                          1
2018 Sector Overview

• Open Banking
• Data
• Innovation

• Product Innovation
• Cyber Risk
• Big Data

Capital markets
• Trading obligation
• MiFID II, EMIR, CSDR, SFTR

Investment management
• MiFID II, PRIIPs
• FCA Asset Management

Overview Of 2018 Hot Topics

In addition to topics recognised as key in prior years, 2018 sees the addition of a number of new planning priorities to consider. ‘Model Risk Management’ has been introduced as a new theme, reflecting the current focus of regulators on this topic. ‘Customer Vulnerability’ has been added as an aspect of the perspective on the treatment of customers in an aging population. Rapid developments in robotics, automation, Blockchain and FinTech are pushing all of these into deployment in firms’ operational models, generating new and evolving risks for internal audit to

Focus on your Conduct and Culture Programme
• Culture
• Corporate Governance
• Senior Manager Regimes
• Customer Vulnerability

Strategically Manage Prudential and Regulatory Requirements
• Financial Reporting
• HMRC Common Reporting Standard
• Corporate Criminal Offences
• Model Risk Management

Increase Focus on Technology and Disruption
• Cyber Risk
• Robotics and Automation
• Blockchain and Financial Infrastructure
• FinTech
• Data Analytics

Enhance the Structure and Capabilities of Risk Management
• Financial Crime and AML
• Risk Appetite Frameworks
• Operational Resilience
• Agile Internal Audit
Focus on your Conduct and Culture Programme

Culture in financial services firms remains a priority for the FCA and PRA

Culture drives individual behaviours, which in turn affect day-to-day practices in firms and their interaction with customers and other market participants. Culture is therefore both a key driver, and potential mitigant, of conduct risk.

Why is this a planning priority?
• Firms need to have structures, processes and incentives that support and reinforce the culture they want to promote and that prevent poor conduct.
• Culture change needs to be driven by the tone from the top, but also requires staff to accept and implement the processes in place that drive the culture the firm adopts.
• Boards need assurance that a culture of learning from mistakes, rewarding the right behaviour, and systems and processes that produce the desired behaviours are being embedded.
• Providing assurance to boards around values on the ground, however, is just part of the picture, as culture is not merely the articulation of an organisation’s values.

The Internal Audit challenges
• Are the right management decisions taken at the appropriate level with the right stakeholders?
• Is there sufficient evidence to document the rationale and circumstances of key decisions being taken?
• Do Senior Managers delegate responsibilities in a transparent and effective manner, in line with regulatory responsibilities?
• Are the executive committees’ decisions and responsibilities appropriately delegated within the firm?
• Does the talent agenda attract the right staff from a limited talent pool, train and develop them to address specialist areas, and include development and succession planning?
• Does the disclosure on implementation of and compliance with codes of conduct and ethics increase transparency?
• Is MI on culture objective, and does it contain evidence-based analysis and recommendations?

Corporate Governance
Good governance is critical to delivering a sound and well-run business

At the centre of good governance is an effective board. The PRA has a major interest in promoting good governance across the financial sector and supporting the work of boards in delivering it.

Why is this a planning priority?
• FSB thematic peer review on corporate governance, assessing how it is applied by publicly listed, regulated financial institutions. It identifies effective practices while noting gaps and areas of possible weakness.
• The PRA has published a consultation paper on substantive changes to recovery planning, which includes governance implications.
• The Business, Energy and Industrial Strategy Committee (BEIS) inquiry report calls for reforms to the UK Corporate Governance Code and greater enforcement, setting out a number of key recommendations.

The Internal Audit challenges
• How clear and appropriate are Terms of Reference, roles and responsibilities, and delegated authorities for Boards and relevant committees?
• Is the governance dynamic and composition effective, including the skills, experience, balance and competence of members of governance committees and whether they receive adequate training to remain abreast of relevant new laws and
• Does governance MI and reporting include evidence of robust challenge with a clear link to the risk appetite of the firm?
• Is the MI and reporting supported by appropriate governance and capabilities, including people, processes and IT systems?
• Is there alignment of financial rewards with corporate values and provision of fair outcomes?
• Is there appropriate risk competence: the collective risk management competence of an organisation (knowledge, skills, learning, recruitment, induction and retention)?
• How do governance committees respond to assessments of their effectiveness?

Senior Manager Regimes
Enhancing ownership and accountability

Internal Audit functions are likely to conduct audits with an emphasis on clarity of individual accountabilities, delegated authorities and legal entity-specific governance arrangements.

Why is this a planning priority?
• PRA proposals to extend the Senior Managers Regime and Certification Regime (SMCR) to insurers.
• The PRA’s proposals include:
  - requiring insurers to annually assess and certify the fitness and propriety of employees performing functions deemed capable of causing ‘significant harm’ to the firm or its customers;
  - applying the PRA’s Conduct Rules to all key function holders (KFHs) and material risk-takers at large insurers;
  - requiring firms to notify the PRA of internal disciplinary action against individuals within scope of the SM&CR due to breaches of the Conduct Rules.

The Internal Audit challenges
• How robust is the approach to on-going identification of Senior Management Functions and Certified Individuals?
• Focus on the high-risk areas, including the framework, processes and underlying documentation for evidencing “reasonable steps” and handovers between Senior Managers.
• Review the status of the Certification Regime Implementation Programme and the effectiveness of related policies affecting the employee lifecycle.
• Evaluate the extent to which the Conduct Rules have been embedded into existing conduct, recruitment, appraisal, training, HR and reward-related processes by which breaches are monitored.

Customer Vulnerability
Evolving FCA focus on customer vulnerability

The FCA continues its focus on customer vulnerability, noting that vulnerable customers are more susceptible to harm and generally less able to advance their own interests.

Why is this a planning priority?
• Vulnerability is not set in stone, nor is it a permanent state for a customer. It can range from physical disability, mental illness and financial literacy challenges to age.
• The risk posed to firms can range from failure to set up an appropriate forbearance strategy, to inadequate advice for an elderly policyholder, to failing to provide documentation in a form accessible to a visually impaired customer, or increased risks of being scammed where mental capacity is limited.
• Consequently, we see ‘vulnerability’ and the need to recognise and manage it permeating many aspects of internal audit activity, particularly in audits of customer-facing or operational areas.

The Internal Audit challenges
• How has vulnerability been factored into new and existing products? Does there need to be a change in how products are distributed and managed? Is there a framework to support this?
• How are vulnerable customers identified? How accurate is the vulnerable customer population? Customers once identified may no longer be vulnerable; what is the process to review this and move them out of the population where necessary? Do system capabilities allow for proper identification and record keeping to ensure appropriate management?
• How differently are vulnerable customers treated? Are indications of vulnerability acted upon and a different route taken for the customer to ensure an appropriate outcome? Does the firm have set processes? Is there an exception route of
• How is consistency around vulnerability driven? Is there a policy? How is this cascaded, trained and monitored?

Increase Focus on Technology and Disruption

Managing Cyber Risk To The Organisation
Address sophistication, but maintain focus on the basics

Cyber risk has been highlighted as a focus area by most regulators in recent years, and we expect greater supervisory scrutiny from the FCA in 2018, as the FCA is increasing its specialist knowledge in this area and there has been supervisory activity at individual firms.

Why is this a planning priority?
• Cyber security’s status as one of the key hot topics across the industry doesn’t show any signs of abating.
• During 2018 we expect that Boards will increasingly be under scrutiny over their practical IT and cyber expertise, and their ability to demonstrate that they can oversee and challenge management.
• There is also a risk that organisations are becoming too focused on “overly hyped” cyber initiatives, with traditional, operational information security controls being overlooked. Many organisations still grapple with basic information security programmes and controls.
• The field of cyber risk insurance is also evolving rapidly and brings a range of new challenges.

The Internal Audit challenges
• Is an appropriate focus being maintained across the full breadth and depth of cyber and information security operational controls, commensurate with the nature of the information risk exposures and risk profile of the organisation?

Internal audit will need to ensure it has appropriately skilled and experienced cyber internal auditors to face off against stakeholders and fully understand the cyber risk challenges the organisation is facing.
Internal audit will also need to enhance its understanding and readiness to assure cyber risks across the new technologies that will form the technology architecture of the future, such as cloud-based and Agile systems and innovative solutions enabled by technologies such as Blockchain.

Robotics and Automation
An air of transformational change on the horizon

A recent Deloitte survey on Robotic Process Automation (RPA) noted a sharp increase last year in the number of organisations that have investigated RPA, and a significant number that have already implemented or piloted RPA.

Why is this a planning priority?
• The spectrum of “automation” ranges from enabling strategies that improve parts of business processes, to implementing sophisticated technologies with cognitive elements. RPA enables businesses to ‘take the robot out of the human’ by automating repetitive and rules-based processes to reduce cost, increase quality and boost the speed of operations.
• This has been very successfully applied in automating rules-based tasks such as complaints handling and know-your-customer processing.
• As operational processes become more automated, the need for a robust and reliable control environment, and the ability to report effectively on the status of that environment, is ever more critical.

The Internal Audit challenges
• Is the organisation’s robotics and automation strategy consistent with other initiatives?
• How can controls be strengthened as processes are automated?

Define and implement a structured approach for auditing robotics and automation in the business.
Strategically consider how automation may impact, or even transform, the internal audit function by being used to establish sophisticated continuous auditing and monitoring techniques or to automate operational tasks.
Develop skills to understand and assess the technology infrastructure and associated risks, including coding and programme script quality control and management.

Blockchain and Financial Infrastructure
Transforming the infrastructure of financial services

Organisations are examining how Blockchain technology can be used to make the settlement process more efficient and cost effective, with a view to system launches as early as 2018. The next twelve months will require securing central bank and regulator support; understanding the regulatory environment; tackling governance, data security, and operational risk concerns; and improving and testing the technology, particularly in terms of

Why is this a planning priority?
• Distributed ledger technology (DLT), or Blockchain, enables transparency and immutable records, and allows autonomous execution of business rules, giving superior automation capabilities.
• For example, the focus in insurance is around ownership verification and commercial property and casualty claims processing.
• The regulatory environment is uncertain. Standards are only just starting to be developed. Formal legal frameworks don’t exist.
• Updating financial infrastructure through DLT will require significant time and investment.

The Internal Audit challenges
• How well controlled is the organisation’s involvement in the development of Blockchain, both within the organisation and through participation in industry groups?
• Is there robust governance around the business case for investment in Blockchain?

Internal audit teams need education in the technology, its disruptive potential and its effect on the business.

Identifying practical business applications for disruptive technologies

Disruptive technologies and their practical business applications are at the forefront of digitalisation and innovation initiatives and are expected to revolutionise the way the financial services sector operates, trades, or services customers.

Why is this a planning priority?
• AI is expected to exponentially disrupt the way firms gather information, make decisions, and even connect with stakeholders.
• As firms seek to harness AI and advanced analytics to improve internal processes or enhance customer experience, regulators increasingly focus on the risks and unintended consequences these may bring.
• Boards will need to understand, to the regulators’ satisfaction, that they have achieved the right balance between competitive position and risk – to the organisation itself, to customers and, more broadly, to market integrity.

The Internal Audit challenges
• How well does management understand the risks inherent in FinTech initiatives and business models and challenge
• Does the approach adopted by the business take into account the interests of customers and market integrity?

Internal audit will need to develop skills and resources aligned to business innovation hubs to ensure it can map the environment, understand the risk profile and provide timely assurance.
Internal audit needs to stay close to industry innovation and regulators’ evolving expectations to be able to appropriately challenge and support the business where it is seeking to innovate or use ‘disruptive’ technology.

Data Analytics
Challenging yourself and the business to deploy analytics effectively

Analytics demand is trending towards easy-to-use, real-time, pervasive analytical environments that accommodate the growing use of mobile, social, cloud and big data.

Why is this a planning priority?
• Data analytics is a key part of organisations’ strategies for getting value from exponentially increasing volumes of data.
• In many instances the use of analytics in operational activities has moved beyond the hypothetical to application, with investment in tools, people and processes.
• The regulatory landscape around the use of analytics on large customer datasets is evolving, with guidance and requirements continuing to emerge.

The Internal Audit challenges
• Is the organisation’s data analytics strategy aligned to long-term strategic goals or short-term needs? Is there a clearly defined structure and vision for analytics transformation?
• Is analytics embedded in the organisation’s processes and decision making?
• Is there appropriate governance around the decisions to develop analytics in business processes, and then oversight of their use in line with regulatory expectations?

Internal audit will need its own approach to using analytics throughout the audit process, from planning to testing to reporting. Internal audit will need the skills both to develop this and to know where to expect to see analytics deployed by the business.

EU General Data Protection Regulation
Harmonising the currently fragmented legal framework for privacy

Connected to the challenge of winning customers’ trust is the issue of how to collect, store, manage and use customer data securely, and firms need to ensure that they fully take into account current and future data protection regulations as they design their solutions.

Why is this a planning priority?
• GDPR is enforceable from 25th May 2018 and introduces a range of requirements that have significant impact on organisations. Combined with increasing demands from consumers, privacy is now firmly placed at the top of the corporate agenda.
• GDPR mandates organisational accountability and will require organisations to implement robust privacy governance to demonstrate this. This is in addition to a wide range of other requirements. The maximum penalty for serious non-compliance will be 4% of annual global turnover.
• Guidance from the Article 29 Working Party and the UK Information Commissioner’s Office is still emerging; therefore understanding of what compliance looks like is still unclear and open to interpretation.

The Internal Audit challenges
• How effective is the organisation’s GDPR readiness programme? Are appropriate governance structures in place, including a data protection officer?
• Is management effectively controlling the risks surrounding implementation of new data stores and platforms?
• How are the risks relating to personal data processing in the context of the GDPR being controlled? How is the organisation monitoring and responding to the regulatory guidance that is emerging?

Internal audit should plan to leverage both new technologies and the organisation’s consolidated data stores to drive more insightful and efficient internal audits/reviews.

Strategically Manage Prudential and Regulatory Requirements

Financial Reporting
Multiple significant financial reporting developments

After many years of consultation there is a suite of IFRS changes on the horizon that will fundamentally change what an insurance company looks like on paper, with implications that require an organisation-wide response.

Why is this a planning priority?
• IFRS 9 will impact the credit landscape and introduce a number of strategic and business challenges. The scale and complexity of the changes required by IFRS 9 mean that it is a large, high-risk project for many organisations.
• IFRS 15 outlines a single comprehensive model of accounting for non-insurance revenue arising from contracts with customers. Effective from 2017, the standard requires system and process developments.
• IFRS 17 will be complex, introducing fundamental differences in liability measurement and profit recognition, and will have organisation-wide implications.

The Internal Audit challenges
• How robust has the organisation’s impact assessment been with regards to the IFRS changes? How effective has the oversight and governance been around the set-up and management of the organisation’s response to the impact
• Are the IFRS programmes appropriately resourced and being accurately tracked against programme milestones?
• Where new models are required to support the IFRS changes, are these appropriately controlled and managed?

Given the pervasive nature of the impacts, particularly from IFRS 9 and 17, internal auditors will need to ensure that they understand the changes in detail in order to be able to consider the effectiveness of the organisation’s response through audits in many areas, including technology, policyholder data, investor communications and remuneration.

HMRC Common Reporting Standard
Cross-jurisdictional sharing of tax information

Financial institutions shared their first set of data with HMRC in 2017 for automatic exchange with counterparty jurisdictions. Financial institutions are now expected to have completed all their remediation work by the end of 2017 and to report as appropriate in 2018.

Why is this a planning priority?
• CRS establishes obligations for businesses, including identifying which group entities are financial institutions, verifying account holders’ tax residency and reporting information on reportable persons to HMRC annually.
• The regulations also include provisions that can require financial institutions to notify their customers about CRS obligations, penalties and HMRC disclosure facilities.
• Under CRS, reporting volumes for FS firms have grown significantly. Under previous regimes, insurers benefited from exemptions that excluded reviewing the back-book of business; these are not available under CRS.

The Internal Audit challenges
• Does the operating model include adequate procedures for CRS compliance? Are sufficient resources and training in place to support these?
• Is the governance approach around CRS submissions appropriate? Is the evidence required for tax authority audits sufficient and adequately maintained?
• Has the organisation reviewed performance in meeting the first-year requirements and identified the improvements needed to meet the increased volume of reportable information expected in the second year of CRS?
• Have policy administration systems been enhanced to identify products within the scope of CRS?
• Have underwriting systems been enhanced to capture the indicia information for foreign accounts?

Corporate Criminal Offences
      implementing and maintaining reasonable controls

                   The Government has introduced new Corporate Criminal Offences for Failing to Prevent the
                   Facilitation of Tax Evasion. The legislation comes into force on 30 September 2017 and
                   HMRC expects businesses to have taken the initial steps to comply by this date.

        Why is this planning priority?
        •      Requires businesses to implement and maintain controls that are reasonably intended to prevent their
               associated persons assisting in tax evasion. The powers are widely drawn, making UK and non-UK
               corporates and partnerships liable for facilitating the evasion of tax, globally.
        •      Penalties for non-compliance are expected to include significant monetary fines and action under the
               new rules would expose an organisation and its senior individuals to significant reputational risk.
        •      The Government guidance sets out six principles for companies and partnerships to follow in
               establishing their reasonable procedures, including risk assessment, training, and monitoring of
               compliance with procedures.
        •      There will be a transitional period for implementation, but all companies and partnerships are expected
               to take significant steps ahead of 30 September 2017.

                  The Internal Audit challenges

       • Is the programme to manage the implementation of the requirement being effectively managed and overseen?
       • Does the project to ensure compliance leverage existing governance structure and risk assessment processes?
       • Will management be conducting a post implementation review of the new controls and processes?
       • Is there evidence of a culture of compliance which is driven from the top down? Does this include undertaking appropriate due
         diligence on associated persons such as intermediaries?
       • Post implementation, is there a process in place to monitor and review compliance, including ongoing communication and

Model Risk Management
      The need for an effective Model Risk Management Framework

                   A Model Risk Management Framework (MRMF) remains the key governance structure
                   through which a firm’s risk management approach to its model inventory is structured. An
                   effective MRMF enables active management of model risk across diverse model classes
                   within a defined model risk appetite as set by the Board.
        Why is this a planning priority?
        •      Insurers are increasingly using complex models throughout their business.
        •      There is a heightened expectation among Non-executive Directors for more effective MRMFs as a
               mechanism to manage and control risk. Boards are increasingly seeking to embed more effective model
               management to support monitoring of the key strategic risks against the risk appetite statement and to
               achieve the business strategy and objectives.
        •      Firms are increasingly drawing upon developments and insights in other companies to inform the
               treatment of model risk and its categorisation within the wider risk framework.
        •      The identification and management of model risks remains a hot topic for UK and global regulators.

                  The Internal Audit challenges

       • Is there an MRMF in place, has it been designed appropriately and do management understand and use it?
       • Is the MRMF based on appropriate risk identification processes that have been effectively implemented by management?
       • How well embedded is the MRMF and do management understand and monitor the outcomes of controls against the major
         risks across key capital, pricing and business planning models?
       • Is there an appropriate process to set and keep under review risk appetite limits in relation to model risk?
       • How complete is the model inventory and how robustly is it maintained by management? How appropriate and consistently
         applied are the risk ranking methodologies applied to the model inventory in order to identify the key models?
       • How well do current model risk capabilities, documentation and processes compare to developing regulatory expectations
         and observed market practice?

Enhance the Structure and Capabilities of Risk Management

Financial Crime and AML
      An unrelenting focus on financial crime continues

                   From a UK regulatory perspective, the FCA’s unrelenting focus on financial crime continues,
                   particularly in relation to AML, as reiterated by its Business Plan (2016-17), which
                   references AML as the FCA’s second highest of seven priorities for the coming year.

        Why is this a planning priority?
        •      Firms have been strongly encouraged to conduct assessments of the risks posed by their customers and
               institute sophisticated systems and controls which prevent financial crime, supported by new standards.
        •      Criminal Finances Act 2017 – changes the landscape for reporting entities through the creation of
               unexplained wealth orders, allowing co-ordination of Suspicious Activity Reports between institutions.
        •      Fourth Money Laundering Directive – came into force on 26 June 2017 with: changes to the definition of
               Politically Exposed Persons; greater detail on the meaning of beneficial ownership; a renewed and
               extended emphasis and detail on risk assessment; a broader definition of correspondent relationship;
               and, removal of the automatic application of simplified due diligence for certain types of customer.
        •      There is also the requirement, now in force, for an ‘Annual Financial Crime Report’ to be submitted by
               large general insurance intermediary firms.

                  The Internal Audit challenges

       • How effectively have governance frameworks supporting the changes to financial crime legislation been implemented? Do
         the frameworks aim to embed a culture which prevents financial crime?
       • Does the organisation have suitably skilled resources in key business areas?
       • How robustly did management complete an impact assessment and how effectively are the steps being taken to address
         the impact being monitored?
       • What is the quality of the underlying documentation for evidencing compliance?

Risk Appetite Frameworks
      A primary lens for assessing a firm’s risk management sophistication

                   A Risk Appetite Framework (RAF) remains one of the primary lenses through which a firm’s
                   risk management sophistication and capabilities are viewed. An effective RAF enables pro-
                   active management of the risk profile within the defined risk appetite as set by the board.

        Why is this a planning priority?
        •      Boards are increasingly seeking to embed more effective risk appetite limit setting and reporting to
               support monitoring of the key strategic risks against the risk appetite statement and to achieve the
               business strategy.
        •      A heightened expectation among Non-executive Directors of insurers for more effective use of risk
               appetite as a mechanism to manage and control risk.
        •      In the absence of an effective RAF, many insurers struggle to demonstrate compliance with expected
        •      There is an increasing recognition that non-financial risks should receive greater prominence in the RAF
               pertaining to key performance metrics such as profitability.

                  The Internal Audit challenges

       • How strong is the link between the firm’s business strategy and objectives and the risk management framework (RMF)?
       • Does the RAF include financial and non-financial risks?
       • Is there appropriate governance and ownership of the RAF? What is the perception of the RAF across the organisation and
         its impact on the risk culture?
       • Does the RAF form an integral part of the firm’s business decision making across all levels of the hierarchy?
       • How does the organisation’s current and target state activities for the design and implementation of the RAF compare to
         regulatory expectations and developing market practices?

Operational Resilience
      Preparing for uncertainty and disruption

                   Organisations are facing increasing amounts of uncertainty and disruption, bringing both
                   risks and opportunities, which more resilient organisations are better prepared to overcome
                   and gain from.

        Why is this a planning priority?
        •      Operational Resilience is the ability to anticipate and assess, protect and control, plan and prepare, and
               respond and recover in the context of major disruptive or catastrophic risks, whether they are internal
               or external, known or unknown, in addition to the ability to adapt and reform in the longer-term.
        •      Board Members and Audit Committees have become increasingly aware of the regulatory focus on
               Operational Resilience. Since the launch of the second Dear Chairman exercise, firms have become
               increasingly concerned about the prospect of a regulatory visit to scrutinise a firm’s Operational
               Resilience strategies.
        •      Spurred by a number of high-profile attacks on firms, supervisors will increase their focus on cyber

                  The Internal Audit challenges

       • How aligned are risk management and other risk resilience related functions?
       • How robust is resilience to/planning for major disruption and catastrophic risks? How frequently is the planning reviewed
         and refreshed?
       • Is the scope of risks or scenarios addressed under crisis management and resilience appropriate? This includes whether the
         time horizon over which major disruptive or catastrophic risks are considered is reasonable and realistic.
       • Does the testing of operational resilience plans include all relevant parties in the organisation, including risk management,
         technology and operational management, corporate communications, people and facilities, Board members and governance

Agile Internal Audit
      A mindset change

                   Internal auditors face a wide range of challenges. Yet the overarching theme for most
                   Internal Audit groups is the need to change. An Agile Internal Audit approach provides
                   methods that work to change both the mindset of internal auditors and their work
        Why is this a planning priority?
        •      Originally a software development methodology, agile aims to reduce costs and time to delivery while
               improving quality.
        •      Agile Internal Audit is the mindset an Internal Audit function will adopt to focus on stakeholder needs,
               accelerate audit cycles, drive timely insights, reduce wasted effort, and generate less documentation.
        •      Agile prompts internal auditors and stakeholders to determine, upfront, the value to be delivered by an
               audit or project: What level of assurance is needed? What risks are most concerning? Then the audit or
               project aims to produce that value. Agile also prioritizes audits and projects based on both importance
               and urgency as well as readiness to undertake the work.
        •      Finally, reporting doesn’t focus on documenting the work but on providing insights.

                  The Internal Audit challenges

       • Agile Internal Audit methods work to shift internal auditors’ mindsets and processes by pursuing:
                • Clearer outcomes
                • Increased engagement
                • Improved documentation
       • By aligning mindset and process, Agile Internal Audit frameworks direct time and effort toward the issues, challenges, and
         risks that most affect the organization’s ability to implement strategy and achieve goals. At the same time, it aims to
         conduct routine assurance activities without unnecessary resources, effort, or reports.

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from
action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining
from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2
New Street Square, London, EC4A 3BZ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP
do not provide services to clients. Please see to learn more about our global network of member firms.

© 2017 Deloitte LLP. All rights reserved.