2020 Internal Audit Planning

This content was published in September 2019. While we believe the content remains of interest, it doesn’t take into account major events since that date, including the current global COVID-19 pandemic.


The financial services industry continues to operate in a challenging geo-political environment with ever-increasing growth constraints, margin pressure and ongoing regulatory scrutiny. In parallel, there is ongoing disruption and change driven by emerging technology, new entrants and changing customer behaviours.

Internal audit functions themselves are not immune from these disruptive forces and are continually being asked to do more with less. More today than ever, there is a conflicting demand on internal audit functions to demonstrate adequate assurance coverage of end-to-end risks, while at the same time delivering insight and value into key current and emerging risk areas.

This year’s internal audit planning documents seek to provide you with PwC’s view on the market issues impacting the financial services sector in 2020 and beyond, collated through our own experiences and insights from our subject matter experts.

Many of these risk issues span the financial services sector, but we have also considered those unique to Banking & Capital Markets, Insurance and Asset & Wealth Management.

Key themes are evident

We have seen a shift in the approach to audit planning, with internal audit functions performing targeted, risk-focused reviews which, when reflected upon collectively at the end of the year, can give stakeholders valuable insights into key themes. Whilst this document is structured into specific sections, there are some clear themes that cut across a number of topics, such as governance, accountability and conduct, customer focus, emerging technology and transformation.

All of these topics should be considered with the backdrop of economic uncertainty as a result of Brexit, global geo-political uncertainty and the rise of climate risks.

Governance, Accountability and Conduct

We continue to see the regulators focused on governance, accountability, conduct and culture, with the topics specifically highlighted as priorities in both the FCA and PRA business plans, but also underpinning other regulatory focus areas.

Regulators are increasingly interpreting operational failures and/or risk management issues (be it related to operational resilience, financial crime, customer treatment or financial resilience) as potentially due to ineffective Board and senior management governance.

  • Brexit
  • Board effectiveness
  • SM&CR
  • Culture
  • Risk management, including climate risk
  • Remuneration
  • Diversity and inclusion
  • Financial Crime


Customer Outcomes

The FCA has released a number of key publications this year relating to the treatment of customers. The suitability of advice and the need for products and services to meet the needs of customers has been a cross-sector area of focus of the FCA for the last two years. There is particular concern from the regulator around the treatment of vulnerable customers, long-standing / loyal customers and retirement outcomes coupled with an overarching question as to what level of care firms should provide to their customers, particularly when providing high-cost credit.

  • Vulnerable customers
  • Affordability
  • Overdraft prices
  • GI pricing
  • Easy-access cash savings
  • High-cost credit
  • General insurer fairness
  • Treatment of long-standing customers: Life insurers’
  • Assessing value for money in investment funds
  • Platforms
  • Duty of care
  • Suitability of advice: Pensions and retirement income


Emerging Technology

An increasing number of firms are exploring the use of disruptive technologies such as Artificial Intelligence, Robotic Process Automation, and Blockchain. There are many factors that make these technologies ripe for adoption, including the scale of investment, the potential for these technologies to go mainstream, global reach and technical viability.

Emerging technology brings opportunities but also new risks, requiring firms to rethink their business and IT strategy, governance and architecture. Yet we have found that many firms do not, as yet, have a strategy that encompasses technological innovations and, as a result, are not monitoring their evolution or impact. The adoption of emerging technologies may not be considered in the context of the firm’s risk appetite, or the firm’s maturity and readiness to deploy emerging technologies. Unlocking a firm’s technological potential in a responsible and risk-controlled manner with the right governance mechanisms in place will be crucial.

  • Artificial Intelligence (AI)
  • Robotics (RPA)
  • Blockchain
  • Cryptographic assets
  • Open banking
  • Algorithmic trading


Operational Resilience, Cyber Security, Outsourcing and Change Management

The latest business plans of both the FCA and PRA list operational and cyber resilience as key areas of focus, indicating that regulatory action will continue to increase in this space and signalling increased supervisory focus on the insurance and asset and wealth management sectors. Regulators expect firms to be operationally resilient, fundamentally shifting the paradigm to a ‘WAR’ (Withstand, Absorb and Recover) footing. This is a material step change from the days of basic business continuity planning with supporting IT disaster recovery.

The frequency and sophistication of cyber-attacks are increasing, with the number of cyber incidents reported to the FCA in 2018 up by over 10 times what was reported in 2017. The Financial Services (FS) industry is a top target as attackers move up the value chain and seek bigger gains, while making more substantial investments. There are numerous examples of attackers with motives to steal money from FS organisations, for example, the compromise of payment systems at the Bank of Bangladesh in 2016 to steal almost $1 billion. As a result, cyber resilience continues to be an area of focus in the most recent regulatory business plans.

Financial services firms are increasingly seeking to outsource critical functions to a concentrated set of vendors to reduce cost and gain access to capabilities not readily available to the industry. Growing outsourcing, particularly in emerging technologies, makes it harder for firms to quantify and manage third party risk. Firms relying on outsourcing arrangements (often to unregulated providers) for the delivery of critical services should note that this is a significant area of focus of the FCA, given some of the recent issues faced by third party providers.

Across the financial services sector, firms are undertaking an increasing volume and complexity of change, delivered as part of projects and programmes that make up large change portfolios. Projects are inherently high risk. They can be complex and cross-organisational, and often there is not the right internal capability to deliver them. All too frequently, despite multi-million pound cost, projects fail to deliver the intended outcomes or benefits, with significant reputational, financial and regulatory consequences.

  • Data security and GDPR
  • Operational Resilience
  • Transformation
  • Third party outsourcing
  • Outsourcing to the ‘Cloud’ and other third party IT services
  • Cyber security
  • Managing legacy systems
  • IT governance
  • Cloud risk management


Insurance-specific themes

The PRA has raised concerns around oversight of underwriting and associated controls, as well as related issues with reserving, business planning and capital, and is looking to “join the dots” on these disciplines. Similarly, Lloyd’s of London looks to continue its hard line with loss-making syndicates and continue the remedial work of last year’s Business Planning season.

  • Underwriting and pricing governance
  • Exposure management
  • Reserving
  • IFRS 17 insurance contracts




Contact us

Steve Frizzell


Partner, Internal Audit Financial Services Leader, PwC United Kingdom

Tel: +44 (0)7802 659053

Nick Elliott


Partner, PwC United Kingdom

Tel: +44 (0)7714 708731

Fraser Wilson


Partner, PwC United Kingdom

Tel: +44 7739 874087
