Experience from 17 CAEs of European SSM Banks in various European countries
General aim: “continue with business as usual as much as possible”
- Regulatory commitments:
- “postpone, for six months, the existing deadlines for remedial actions imposed in the context of on-site inspections, TRIM investigations and internal model investigations
- postpone, for six months, the verification of compliance with qualitative SREP measures
- postpone, for six months, the issuance of TRIM decisions, On-Site follow up letters and internal model decisions not yet communicated to institutions, unless the bank explicitly asks for a decision because it is seen as beneficial to the bank
JSTs will be in contact with the banks to provide clarity on the revised implementation timeline of those requirements and their specific application. The six-month delay mentioned above may be extended based on the ECB’s further assessment of economic and financial developments.”
2. Deadline for open audit issues:
Banks are taking a number of different approaches, from a broad exemption to extend all issues due dates by 3 months, to no relaxation of due dates-IAFs are collaborating with the 2nd line to have a common proposal for possible extensions to control issue due dates across the Bank.
This will likely result in higher levels of overdue issues being reported.
3.Secondment to 2nd or 1st line:
Limited secondment so far and offers to several services (mainly in the second line):
- Crisis management team
- Cyber security
- Operational risk management
There is a need for a clear procedure regarding the independence of the internal auditors and for an agreement from the Board/Audit Committee.
4.Audit plan changes:
The focus has been on trying to finalise all in-progress (Q1) audits.
It is important to agree with the audit committee on a set of criteria to postpone certain elements of the audit plan and to add new audits relevant to the evolving risk picture. Some Banks have prepared a “Corona Audit Response”:
- Priority continues to be given to mandatory audits
- The addition of new emerging risks and increases in the profile of some risks (i.e. new ways to service customers during this period may create new risks), remote work, BCP, accounting treatment of payment holidays, cybersecurity, impact on collateral management, fraud/unethical behaviours
Globally, the experience is to postpone 20% of the audit plan. All changes must be tracked and documented.
5.Current issues for running an internal audit department:
- Not everything can be audited remotely
- Some decrease of productivity noted
- Availability of the auditees remains the key challenge
- Infrastructure issues – ensuring remote access is available to all audit tools
- Challenge to reduce the psychological negative impact of continued remote work (important to have regular communication across the team, as well as video calls and less formal contact…)
- Keep productivity level as high as possible (what can be audited at distance vs what cannot be audited at distance, how to audit remotely);
- Some IAF’s have increased the focus on investigation, “real-time” monitoring of critical processes and services, including root causes analyses for issues.