Investment Management Hot Topics – Internal Audit ... - Deloitte

Investment Management Hot Topics – Internal Audit (Aide Memoire) October 2021


Investment Governance

• Evaluate the roles and responsibilities of the Board, CIO and the other Governance Committees
• Review the controls around identification and management of potential and/or existing conflicts of interest
• Assess governance and oversight of risk exposures across all asset classes
• Review the appropriateness of performance attribution and market risk reporting
• Review the oversight over investment restrictions, end-customer suitability and outsourced investment management functions

There is an increased regulatory and industry focus on governance. Firms need to demonstrate effective risk management, including management of conflicts of interest and independent challenge to investment-related activities.

Oversight & Governance

Inclusion and Diversity

• Assess inclusive culture and diversity at all levels
• Evaluate gender representation
• Assess internal policies and practices in relation to inclusion and diversity
• Review the defined key indicators of diversity, e.g. diversity at different grades, pay gap data and progress against the FCA’s ethnicity action plan
• Review KPIs and targets set by the Board around key indicators of diversity and the Board’s assessment of culture
• Review the gap analysis against the Board’s expectations and KPIs, and assess Management’s actionable plans and adherence to the Board’s strategy
• Assess the MI supporting the effectiveness of the Inclusion & Diversity programme and strategy

The FCA has also issued a consultation paper (CP21/24) in July 2021 to propose changes to Listing Rules to require companies to disclose compliance against Board diversity targets on a ‘comply or explain’ basis.

Risk Management and Capital Adequacy

• Review Senior Management’s approach for assessing how the Prudential Regime applies to the firm, including consideration given to any waivers and notifications that may be required
• Assess the Board’s and Senior Management’s awareness of the FCA’s broader prudential objectives and expectations, and the applicability of prudential consolidation
• Review the firm’s assessment of how the K-Factors apply to its business model
• Review the methodology used to assess the Fixed Overheads Requirement (FOR) and the calculation of the K-Factor requirement, as applicable
• Assess how the firm intends to perform its Internal Capital Adequacy and Risk Assessment (ICARA) and whether the following key components have been considered: strategy and business model, assessment of material harms, own funds (resources and requirements), liquidity (resources and liquid assets), intervention points, stress testing, recovery and wind-down
• Assess the frequency and sufficiency of discussions on risks at the Board level and other relevant committees
• Assess whether the remuneration requirements of the IFPR need changes to the existing framework and whether the firm has accordingly implemented the new requirements
• Evaluate the appropriateness of the Risk Management Framework, including risk appetite and triggers
• Review risk-related MI and information to assess
• Assess the roles and responsibilities of the 1st and 2nd lines of defence in relation to risk identification, monitoring and reporting

IFPR Second CP (21/7) also retains a clear focus on the FCA’s overarching objective to minimise harm, with further emphasis on the principle of senior management responsibility for maintaining appropriate governance and risk management arrangements.

Investment Management Hot Topics IA Areas of Focus – FCA Business Plan


SM&CR

• Assess the appropriateness of the population of Senior Management Functions (SMFs) and the identification of certified persons (CPs)
• Review the guidance provided to SMFs to help them in understanding and recording reasonable steps
• Review the SMF leaver process, including production and issuance of SMF regulatory references
• Review initial and subsequent (annual) fitness and propriety (F&P) assessments for existing and new employees
• Review the appropriateness of the defined triggers that require re-assessment of F&P
• Assess the appropriateness of conduct rule training for SMFs, CPs and other conduct rules employees, as applicable
• Assess the conduct rule breach framework to identify, escalate and report conduct rule breaches for SMFs, certified staff and other conduct rules employees

In the FCA’s view, SM&CR is integral to improving culture within the financial services industry. In December 2020, the PRA published its findings on firms’ implementation and embedding of SM&CR. The FCA viewed this as a success and considered that SM&CR was driving positive behaviour in the industry.


Regulatory

Fund Liquidity

• Review the alignment between the asset portfolio and redemption terms before the launch of new funds. Also verify whether such assessment is approved by senior management or the Board and is regularly reviewed
• Evaluate whether the stress testing arrangements are proportionate, taking into account the size, investment strategy, nature of the underlying assets and investor profile of the fund
• Assess the contingency plans to ensure that all available liquidity management tools can be used where necessary
• Assess clients’ redemption rights and the role of the second line in stress scenario building and in providing challenge to the first line
• Enquire into the firm’s efficiency in using redemption notice periods and the controls over the assessment of clients’ redemption rights
• Review the analysis of the fund’s exposure to illiquid assets relative to its total exposure, and the approach and steps taken to reduce significant exposure over time
• Evaluate the firm’s policy and ability for internal fund lending in case of significant redemption requests received from clients

According to an ESMA report from March 2021, the governance and oversight processes over liquidity at a number of funds are ineffective in terms of the frequency, granularity and clarity of reporting.

Market Abuse

• Review portfolio management and pre-trade controls in place to reduce the risk of market manipulation
• Review post-trade surveillance controls to detect, investigate and escalate potentially suspicious trades and orders
• Evaluate personal account dealing approval controls that help reduce the risk of Market Abuse, including the Second Line of Defence monitoring approach
• Assess second line monitoring and oversight controls, including the effectiveness of the Market Abuse Risk Assessment framework
• Review policies and procedures for the management of inside information and insider lists, as well as the identification and escalation of inside information breaches
• Verify whether Market Abuse risk-related training was conducted, including the appropriateness and frequency of the training provided

The EU Market Abuse Regulation was brought into UK law on 31 December 2020 by the EU (Withdrawal) Act 2018.

Product Governance

• Assess the design and operating effectiveness of governance and oversight arrangements, specifically the Product Governance Committee
• Review the roles and responsibilities of relevant functions, committees and boards, and the articulation of accountability of all stakeholders throughout the product lifecycle
• Assess the design and operating effectiveness of controls related to the design and management of products, and how conflicts of interest are managed
• Assess the design and operating effectiveness of controls related to Distributors of products
• Review reporting and Management Information (“MI”)
• Evaluate the training of staff involved in the product governance process

In March 2021, the FCA published a critical review of product governance practices at firms, concluding that a number of activities fell short of the rules set out in MiFID II’s product governance requirements and the FCA’s PROD regime.

Operational Resilience and Third Party Oversight

• Review the identification of the firm’s important business services by considering how disruption to these services could cause harm to customers or market integrity
• Assess the impact tolerances, to ensure the firm can continue to deliver important business services during severe but plausible scenarios
• Review disaster recovery, pandemic and business continuity plans for existing and alternative outsourced parties to gain assurance of their resilience and encourage ongoing dialogue on readiness and execution
• Identify and evaluate critical outsourced relationships to assess whether they are able to support the firm
• Review management plans for cases where critical services become unavailable or have capacity constraints

The FCA published the final operational resilience policy statement in March 2021 and will be assessing firms’ implementation of the policy requirements after March 2022.


Suitability & Vulnerable Customers

• Review the policies and procedures for determining suitability, including due diligence on understanding client circumstances, clients’ investment knowledge and any potential vulnerabilities
• Review the products distributed to ensure they are sold by the firm in line with its regulated activities and that each product is sold to its intended target market
• Review communications to retail clients relating to investment risks, and assess the adequacy of disclosure in respect of the product’s intended target market, its objectives and the costs/charges associated with it
• Review first line documentation of suitability assessments and second line monitoring and oversight, including testing of client files
• Review the client profiling process and the matching process between client profiles and the products and services offered
• Evaluate whether the firm can show consistently that fair treatment of customers is at the heart of its business model
• Review the accuracy of the process for conducting periodic reviews of client circumstances, addressing any changes in circumstances and identifying any potential vulnerabilities
• Review the effectiveness of the controls for ensuring compliance with FCA rules on suitability
• Assess the adequacy of staff training to facilitate a proper conversation when identifying vulnerable customers
• Review how the risks specific to automated advice are covered within the firm’s governance processes

The FCA will assess firms’ business models, and how these affect their products and services, to understand their ability to meet consumers’ needs, particularly those in vulnerable circumstances.

Assessment of Value Statements

• Review the appropriateness of the parameters used for value assessments, in line with the seven criteria laid out by the FCA
• Evaluate the clarity of understanding of the firm’s Value for Money (VFM) corrective actions and the monitoring of these actions
• Review the accuracy and clarity (ease of understanding) of the statements
• Review the alignment with the firm’s product governance process, including pre-launch reviews and regular post-launch assessments
• Assess the data, tools, instruments and products used by the control and support functions and the applicable risks for those instruments, including evidence of robust challenge
• Review the challenge applied by NEDs on the Board prior to approval and publication of the statements

The FCA reviewed 18 AFM firms between July 2020 and May 2021 to review their assessment of value arrangements. Most of the firms under review had not implemented these arrangements in line with the FCA’s expectations for compliance with the relevant rules, and some firms did not meet the minimum consideration requirements.

Environmental, Social and Governance

• Assess the tools that measure ESG-related factors and the data that produce meaningful MI
• Review the impact of climate change and other sustainability effects on the business and the impact on the risk framework
• Review the disclosure of how ESG factors are integrated into investment decision-making and advisory processes
• Review the framework around the SFDR level 1 and level 2 regulatory technical standards and alignment with the TCFD recommendations
• Review the ESG assessment of companies in which the firm invests on behalf of its clients to ensure it is accurate and independent, assessing that informed and unbiased voting decisions are made at shareholder meetings and that reputational damage is prevented
• Review economic activities against performance criteria for their contribution to environmental objectives such as climate change mitigation and adaptation, sustainable use of resources, and pollution and waste prevention and control

The FCA has proposed to implement new rules for standardised climate-related disclosures by listed companies and other FCA-regulated market participants from 1 January 2022.


PRIIPS

• Review to ensure that the Key Information Document (KID) captures all key elements required by the regulation (SRI, the various risks, that it is a standalone document and consistent with marketing information, etc.)
• Review that retail investors are provided with the KID in good time prior to being bound by any contract or offer relating to the PRIIP
• Review that the information contained in the KID is easy to read, accurate and not misleading
• Verify whether KIDs contain the different performance scenarios (favourable, moderate, unfavourable, etc.)
• Verify whether all the costs (entry, exit, transaction, etc.) have been included in KIDs
• Verify that there is a regular review of content and that revised versions are promptly made available

The FCA issued a Consultation Paper (CP21/23) in July 2021 (which closes in September 2021) to amend certain rules of the PRIIPS regulation to bring clarity to the areas of the regulation that pose the most harm to consumers.

Marketing & Distribution

• Review the due diligence conducted on distributors to ensure they have a good understanding of the investment characteristics of the financial instruments
• Assess the identification of the appropriate target market through qualitative and quantitative research and retrospective reviews to ensure alignment between the intended target market and the actual target market
• Evaluate the appropriateness of marketing materials used in different jurisdictions and platforms against the intended target market and regulatory requirements
• Assess the consistency between the information provided in marketing materials and the risk management practices for the firm’s products
• Review the appropriateness of the jurisdictional classification of documents identified as marketing material
• Verify the inclusion of Risk Warnings as part of marketing material
• Review controls and monitoring over the training and professional requirements of client-facing staff as per regulatory expectations
• Review the process for defining and monitoring the distribution strategy for certain services, including a review of the controls in place to help ensure products are sold to the right customers

The FCA expects asset managers to ensure that marketing disclosures are fair, clear and not misleading. During Q2 2021, the FCA noted that there were a total of 84 promotions amended or withdrawn across the financial services industry as a result of non-compliance with the FCA regulations.


Culture and Governance

• Evaluate how the firm relates its desired culture to its business purpose, values, strategy and risk appetite, and whether the desired culture is described, communicated and reinforced
• Assess management’s framework and MI to measure and assess culture, to identify pockets of the desired and undesired culture defined above
• Assess the extent of whistleblowing procedures, ‘bottom-up’ reporting and escalations, ‘top-down’ feedback and actions, and the robustness of action plan implementation
• Evaluate how the firm’s culture measures against key indicators such as competence, motivation and relationships within the organisation
• Evaluate whether the Board and the executive have a clear understanding of the firm’s strategy and related risk appetite
• Assess whether the overall structure of the firm and the control framework align with the strategy and risks
• Assess the quality of management information consumed by the Board to enable decision making and monitoring of outcomes as implemented by the executive

Conduct Risk

• Assess the definition of conduct risk and conduct risk appetite
• Evaluate the determination of conduct risk indicators and measurement against appetite
• Review the MI provided to the governing bodies on conduct risk
• Assess the policies and processes over the treatment of existing and vulnerable customers (especially long-standing customers)
• Ensure that the three key elements of the proposed New Consumer Duty are being incorporated in the processes and framework of the business. This includes:
  – Outcomes (i.e. communication, product/service, customer services, price/value)
  – Overarching cross-cutting rules (i.e. firms should take all reasonable steps to avoid foreseeable harm and enable customers to pursue their financial objectives while acting in good faith), and
  – Consumer Principle (i.e. compliance with the overall standard expected by the FCA)

AFM Governance

• Assess whether there are appropriate resources, including enough appropriately skilled and experienced people
• Verify whether AFMs have sufficient expertise and a granular understanding of delegates’ investment policies and strategies and risk and compliance procedures
• Assess whether staff responsible for fund oversight have direct experience in the relevant financial instruments and detailed knowledge of the funds they oversee
• Assess whether the firm can demonstrate evidence of decision-making at the Board level and challenge by independent NEDs
• Assess whether conflicts of interest are identified, controlled and appropriately managed, and whether Boards demonstrate effective challenge and oversight of risks and conflicts of interest
• Evaluate whether AFMs receive key performance indicators and risk metrics that are relevant to each fund’s strategy
• Verify whether AFMs consider delegates’ infrastructure and resilience, including business continuity plans


Cyber Risk

• Evaluate the cyber risk-awareness and employee education programmes
• Assess the organisation’s cyber risk assessment in a remote working environment
• Review the adjustments to cyber incident response (CIR) playbooks and plans in the context of recent organisational constraints due to the pandemic
• Assess the framework to detect insider threats that may arise from unauthorised remote access, misuse of personal devices, insecure networks and printing equipment
• Validate whether the organisation has reviewed its plans to secure, recover and thrive from COVID-19 related cyber attacks

Investment Management Hot Topics IA Areas of Focus – Other Standing Topics

Conflicts of Interest

• Review the identification and effective management of actual and potential conflicts
• Review the policies and procedures to prevent and manage conflicts of interest, including policies pertaining to Inducements, Remuneration, Personal Account Dealing, Research, and Trade Execution (including Order Allocation)
• Review the processes to ensure that the firm and its staff do not receive unsolicited investment research

Stewardship

• Assess the appropriateness of the governance structure in line with the requirements of the Stewardship Code
• Review the incentive structure to meet the stewardship objectives
• Validate controls to ensure engagement with issuers
• Review whether there is clear, timely and transparent communication with clients
• Ensure alignment with the ESG objectives
• Review the adequacy of case studies to support compliance with the Stewardship Code 2020 (Code)
• Assess whether there are clear explanations where provisions of the Code do not apply

Client Money

• Review the governance and senior stakeholder involvement in setting the right cultural tone from the top to ensure the protection of client assets is taken seriously
• Evaluate whether the design of the business model is appropriately considered from a client assets protection perspective and includes timely identification and segregation of client money, internal and external reconciliations, and breach identification, management and reporting
• Validate internal controls to ensure client assets protection is achieved and regulatory requirements are met
• Evaluate the appropriateness and adequacy of due diligence over outsourced functions, including site visits; in particular, due diligence over outsourced providers and understanding of their IT environments

AML

• Review policies and procedures for the identification, assessment and reporting of the money laundering risks to which the business is exposed
• Assess the transaction monitoring processes used to identify and review transactions that may pose a higher risk of being used for purposes connected with money laundering
• Evaluate processes to identify source of funds and source of wealth for higher risk customers, particularly politically exposed persons
• Verify the staff training and awareness framework

LIBOR Replacement

• Evaluate how the firm has implemented its transition programme to new Risk Free Rates (RFR) by mobilising a cross-business unit and cross-geography impact analysis with sponsorship from the C-Suite
• Review the firm’s assessment of the financial exposures and risks, and the operational and other impacts
• Review the impact analysis for all investments/funds managed by the firm that are affected by the transition, including an analysis of whether customers are treated fairly in the process
• Review the implementation of new RFR-based products and risk assessments
• Assess the role of the second line/Compliance in managing the transition risk
• Evaluate the identification of legacy contracts, including fallback provisions after cessation of LIBOR settings, and the development of a roadmap for the transition of tough legacy contracts


Costs and Charges

• Review the adequacy of the documented methodology for cost/charges calculations, including how industry body guidelines (such as those of the Investment Association) have been considered
• Review the controls in place for the periodic refresh of data (e.g. frequency and approach to data refresh)
• Assess the extent to which there are data gaps for specific funds and the action plan to rectify them
• Review whether data is compiled and published at the Employer Level
• Review policies and procedures around pricing structures, including adequate challenge and oversight by senior management
• Review Standardised Key Information Documents (KID)
• Review whether there is a documented rationale, particularly where differences exist across different strategies (e.g. active versus passive)
• Assess whether charges are reasonable in relation to the costs incurred, including the appropriateness of charges against the quality of service
• Evaluate the accuracy of retrospective reviews of pricing structures to determine fairness between prices charged to new clients and long-standing clients
• Review the controls around the introduction and monitoring of the single all-in fee to increase the visibility of all charges taken from the fund

Transaction Reporting & Post-trade Reporting

• Review the gap analysis performed for the requirements introduced by MiFID II and MiFIR
• Review the process for identification, reporting and remediation of errors
• Assess the roles, responsibilities and reporting lines in relation to reporting
• Assess the governance structure and key documentation as it relates to transaction reporting
• Meet with senior management to understand the receipt of MI and their approach to challenging interpretations and implementation
• Review the controls framework design and testing protocols
• Understand the transaction reporting trade and data flows
• Undertake a detailed analysis of a representative sample of reports to assess accuracy and completeness
• Review reconciliation processes, procedures and escalation protocols


Best Execution

• Assess whether the firm has taken into account current market conditions when determining the relative importance placed on the different execution factors when meeting its obligations, and the venues or brokers relied upon to achieve best execution
• Evaluate the use of different types of orders to execute client orders and manage risk during market volatility
• Review controls around deal placement and execution
• Verify the controls around counterparty selection and monitoring
• Review the Best Execution policies and procedures, including first and second-line monitoring
• Assess the consideration and prioritisation of execution factors
• Evaluate training and competency programmes


Emerging Topics – Algorithms Assurance

To examine whether algorithms are operating as expected, there is an increasing need for assurance over their associated risks. Some key points to consider:

• Assess whether there are controls in place to ensure clarity on whether a service is advised, non-advised, discretionary or non-discretionary
• Verify whether the interface allows customers to obtain additional information or explanations at any time during the process
• Evaluate whether there is a framework in place to identify and remediate behavioural bias
• Evaluate whether there are controls in place to ensure that regulatory requirements are complied with (e.g. suitability), including the review of monitoring systems over such controls and the consideration of a hybrid model with human involvement where necessary

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 1 New Street Square, London, EC4A 3HQ, United Kingdom.

Deloitte LLP is the United Kingdom affiliate of Deloitte NSE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms.

© 2021 Deloitte LLP. All rights reserved.


Deloitte UK Investment Management & Private Equity

For further information, please contact your usual Deloitte contact or one of the following team members:

Ashish Jain, Director, Investment Management Internal Audit, London. Tel: +44 20 7007 0807
Vasu Vashishta, Senior Manager, Investment Management Internal Audit, London. Tel: +44 20 7007 8317
Asligul Yalcin, Manager, Investment Management Internal Audit, London. Tel: +44 20 7007 4617
Owen Jackson, Director, Investment Management Internal Audit, Cardiff. Tel: +44 2920 26 4297
Dhavnish Shukla, Manager, Investment Management Internal Audit, London. Tel: +44 20 7007 8317
Marc McNulty, Director, Investment Management Internal Audit, Glasgow. Tel: +44 141 304 6968