Maintaining a robust internal control environment is a fundamental requirement of regulated firms. It is relevant to all of the areas that the FCA has said it is focused on during the pandemic and beyond, including information security, operational resilience, market trading and reporting. There is a risk that remote working and any disruption to operations could have an impact on that environment. As many firms are likely to need a significant part of their workforce to continue with a remote or flexible arrangement for some time, we have identified the key areas we believe should be addressed:
Risk and control assessment
Firms would be expected to have updated their assessment of relevant risks and the mitigating controls. The output of this may have been to determine that there are no material changes. However, it is important to ensure that senior-level discussion of the conclusions and rationale has been documented. For significant changes, there should be a clear linkage with the steps that have been taken and how the changes will be monitored. Under the Senior Managers and Certification Regime, this type of documentary evidence is key to ensuring that the responsible Senior Manager can demonstrate how they have met their personal responsibilities.
Does your risk assessment identify and prioritise new risk areas that may have emerged from the current environment?
Have you considered changes which may have occurred at your key outsourced service providers?
Operation of controls
Transaction volumes, availability of personnel and new ways of working may have impacted existing procedures. It is key that firms have taken a holistic view of any changes, to ensure that the overall response to risk remains appropriate.
Where it has been necessary to make changes to processes (e.g. evidencing review and approval by email), have you taken steps to ensure that appropriate evidence of the operation of a control is retained?
For controls which require involvement of multiple team members, have you ensured that those controls can continue to be operated on a timely basis?
Testing of controls
Firms may have made changes to their oversight and testing programmes for risk/compliance (second line) and internal audit (third line).
Are you satisfied that changes are appropriate, and that coverage is maintained over key risk areas?
Have you considered the need for targeted additional testing over business areas that may be more significantly affected?
Automation and robotics
Increasingly, we are seeing businesses introduce automation tools such as robotic process automation (RPA), moving away from manual processes. Looking ahead, we would expect more organisations to focus on system-driven controls. This enables staff to focus on review activities and remediating issues identified from controls, which is both more efficient and more resilient.
How can we help?
Our Financial Services & Markets group can provide independent assurance over the design and operating effectiveness of internal controls, internal audit services and other specific controls reviews.
By necessity, this briefing can only provide a short overview and it is essential to seek professional advice before applying the contents of this article. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. Details correct at time of publication.
Smith & Williamson LLP is regulated by the Institute of Chartered Accountants in England and Wales for a range of investment business activities. A member of Nexia International.