Internal audit teams are being asked to provide assurance that regulated staff are properly certified. Charlotte Henry explains what’s expected.
The new Certification Regime (CR) represents a significant shift in responsibilities from UK regulators to financial services firms, and auditors are at the frontline in ensuring a smooth transition. While senior managers will continue to be pre-approved by regulators, firms will be responsible for ensuring that a much wider pool of people, outside the scope of the Senior Managers Regime, are certified as “fit and proper”.
The CR has therefore added significantly to auditors’ responsibilities for providing independent assurance to the board. They must consider how to ensure the certification population has been identified correctly, how to test the certification process, and how to examine documentation and report their results to the board.
Accountability for the conduct of certified persons will ultimately lie with senior managers and board members, who will answer to the regulatory authorities. More than ever, however, they will want assurance that all reasonable steps have been taken to ensure the right people are in the right positions so they can effectively manage the risks to the business.
It is important to establish the individuals that are captured by the CR to ensure that the firm correctly identifies all certified staff. A firm must ensure that no individual performs a “significant harm function” unless she or he has been certified as fit and proper.
The challenge for audit is to make sure that the correct individuals have been included within the population. This will require sufficient knowledge and understanding of how the UK regulators have interpreted Capital Requirements Directive IV, and an awareness of when an individual is considered as a ‘material risk taker’, as there is overlap with the remuneration rules. Otherwise, the final population could prove to be inaccurate.
This requirement could be evidenced by a formal note detailing the approach taken by the firm on why individuals are considered to be within the certified population along with a complete list of individuals.
One role of the audit function will be to assess whether the process for certifying individuals is working effectively. To be effective in this role, audit must have a thorough understanding of the internal processes adopted by the firm for issuing a certificate in order to be able to determine whether that process has been followed.
The following factors could be taken into account, but it is not an exhaustive list:
Although it is not exhaustive, this list helps to illustrate the key areas of focus for audit. It is important that the fitness and propriety assessments are robust enough to highlight any areas of concern. Fitness and propriety assessments should include the following:
These assessments are similar to the previous Approved Persons regime, but the FCA and PRA have increased their focus on this area. Previously some errors and breaches of the Approved Persons regime could have resulted in an informal warning and caution. Now they will have to be dealt with via the formal certification process and should be taken into account when determining if an individual should be re-certified. An example is an individual who incorrectly claims expenses.
The FCA and PRA will expect firms to be able to show compliance with the CR. This will also provide assurance to the board. Audit should review a selection of certificates and relevant processes to determine whether a person is fit and proper (against the firm’s fit and proper policy). This might be difficult, as some of the elements are judgement-based. The review could include personnel and certification files along with individual interviews. If there is a variance in results, these concerns should be recorded and escalated to the board.
Ensuring systems and processes are well designed and implemented consistently across large financial services organisations will require significant time and resources in the next year. Audit chiefs must ensure teams have the right training and support for a smooth transition to the new regime and to meet their ongoing obligations.