Experience from 14 CAEs of European SSM Banks in various European countries
Practical Tips to be ready
- Make sure everybody has a laptop
- Set up procedures for working from home and train people
- Set up a remote communication plan on a regular basis
- Get sufficient VPN access
- Get all your auditors abroad back at home
- Keep social distance for people still in the bank
- Be involved in the Crisis Management calls (CEOs, Crisis Committee…)
- Define the internal audit Business Continuity Plan arrangements
Impact on the Audit Plan
- Perform ongoing audits remotely if possible
- Consider postponing the ongoing audits of areas providing critical services that are under stress (payments, technology…): flexible audit plan
- Assess the new audit assignments based on the Bank's current priorities (business continuity plan, new behaviours of customers…)
- Consider extending due dates for corrective actions based on new risks/priorities: more time for medium risk findings and focus on high-risk findings
- Show sensitivity for auditees when issuing “unsatisfactory” reports in critical areas under stress.
- Consider secondments of audit staff to help the business (1st & 2nd line of defence) when possible and needed
- Discuss with JSTs the Bank’s regulatory commitments (with a focus on mandatory activities vs other priorities for the Bank), including possible extensions to the validation of regulatory issues
- Consider new internal audit priorities and plan revisions – ensure adequate reporting to the Audit Committee of any proposed changes
- Assess the need for a special audit engagement on Business Continuity Program shortly (review 1st and 2nd line of defence).
New Risks in the current context
- Health and safety of staff
- Impact on Loan Portfolios (sensitivity analysis)
- IFRS9 – accounting for payment holidays
- Effectiveness of Business Continuity Plan arrangements
- Increased cyber and IT security risk from extended remote working
- Physical security of the Branch network