29 November 2018

Most common control deficiencies for financial services organisations

There are common themes in control deficiencies which FS firms should address

With constantly evolving regulatory requirements, financial services businesses must ensure they continue to focus on maintaining a strong control environment, including oversight, compliance and monitoring.

In our experience there are certain common themes where control deficiencies often arise for financial services clients.

Management oversight of outsourced services

Many companies use third-party service organisations for processing applications or transactions. While these services can be effective and efficient, the service organisation’s internal control systems could have a significant impact on a company’s financial and regulatory reporting. Where such relationships exist, management should document the relevant controls that mitigate the risk of errors, both those operated by the service organisation and those operated by their own company. There should also be policies for periodic monitoring of controls and action taken to mitigate potential new risks.

In response, many companies request assurance reports on the internal controls of their service organisations. For example, they obtain a SOC or ISAE 3402 report from external IT providers or middle and back office service providers. Many assume that receipt of such a report and a review of the Independent Auditor’s Report are adequate control measures. However, the control objectives stated within these reports are defined by the service organisation, not by the client company. The client’s risk objectives may not necessarily align with those included in the report. It’s therefore important to check that the report actually covers the controls that matter for your own internal control purposes.

Testing of business continuity and disaster recovery plans

Codes of best practice and recent regulation specifically address the importance of business continuity and disaster recovery plans. They highlight that these plans should be tested periodically (at least annually) and updated for changing conditions.

Based on our work with clients operating in the financial services sector, we know that business continuity and disaster recovery plans are generally reviewed on a regular basis (usually annually). However, they are rarely subjected to an appropriate level of scrutiny and testing. It’s vital to check that these plans are truly fit for purpose so that, should the worst happen, the business can recover 

Board effectiveness

The board has a responsibility in law to make sure that the organisation it oversees does what it was set up to do. The members of the board must have the appropriate skills and abilities, be effective, and be focused on the right things. Company success depends on it. Regulation focuses heavily on the board, shaping the tone, competency, efficacy, leadership and stewardship of the organisation for stakeholders.

We often find that board effectiveness is assumed and not appropriately dissected. A lack of relevant expertise from both directors and non-executive directors along with a poorly defined corporate charter are common deficiencies. An independent board effectiveness review is a useful tool to ensure that board dynamics and roles are suitable for the organisational environment.

Compliance monitoring programmes

Whilst compliance (and the monitoring of it) underpins much of the regulation in effect within the financial services sector, we find few firms have devised a comprehensive compliance monitoring programme (CMP). A CMP should be applied to all aspects of a firm’s activities, underpinned by a formalised methodology, and supported by a tailored compliance manual.

Often a CMP is not assigned appropriate resources to ensure that incidents, complaints, deficiencies and/or breaches are promptly identified and remedied. The CMP should not just satisfy regulatory risk, but should be used as an effective response to wider business risks and to identify improvements and efficiencies in operational practices.