AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Auditing collections


Collections (also known as recoveries) is a key part of the credit risk management lifecycle. Firms should have effective processes in place to deal with the failure of customers to make the agreed payments in a timely manner. It is important to not only prevent or limit financial loss but to ensure that customers receive fair outcomes and to protect the reputation of an organisation.

The objective of this guidance is for internal auditors to understand the core principles of collections within financial services as well as the key stages of collections, the types of risk to consider and the different types of audit review which can be undertaken.

This guidance has been derived from various sources, including practical experience as well as knowledge of regulations and review of other guidance available. It provides a list of hints and tips to consider when planning your review. The following framework has been used to provide guidance around the various topics that you could focus on as part of your review.

What is collections? 

Collections is the process that is followed to collect amounts owed where agreed payments are not received. These include payments on a mortgage or for loans (secured and unsecured), credit cards and overdrafts. The amounts maybe owed by individuals or companies depending on the nature of the agreement.

There are a number of stages in the process that are necessary to ensure that collections is managed smoothly. These are:

  • Effective customer contact strategy
  • The right amount is collected (by direct debit, etc)
  • An appropriate contact strategy, should the customer fail to pay or can no longer afford to pay
  • Appropriate measures including payment holidays are taken to support the customer if they fall into arrears or are in financial difficulty
  • Actions to recover monies owed are taken promptly to minimise losses

What things should you consider when planning your audit?

There are a number of aspects/risks to consider when shaping a review. We have outlined below the lenses/risks to consider when defining the approach to your audit. The importance of these lenses will be influenced by the nature of activities performed by your specific firm.

  • Conduct: Consider the type of customer – is it an individual or commercial customer? Regardless of whether the loan is regulated or unregulated, it is important to consider, should a customer encounter financial difficulty, that this is identified early and that payment arrangements are affordable and appropriate to the individual customer. The regulator is also focused on customer contact - is this appropriate both in terms of frequency and language/tone?
  • Data: Is customer data held safely and securely? Is it used for the purpose intended and not held longer than required? It is also important that all data is accessible as this prevents collectors asking customers to repeat the same questions or failing to provide the full picture, especially when the customer is in financial distress.
  • Regulatory: Dependent on the type of customer and if it is regulated business, various regulations may apply such as Mortgages and Home Finance: Conduct of Business Sourcebook (MCOB), Consumer Credit Act 1974, and Consumer Credit Sourcebook requirements, as well as specific regulations around re-possessions. Wider principles such as ensuring vulnerable customers are identified and treated appropriately apply to this area, as well as General Data Protection Regulation, breathing space and payment regulations. In addition, the new FCA Consumer Duty of Care* will potentially lead to a step change in the regulator expectations around how customers are treated.
  • Reputational: If there has been a systemic problem, then the reputational impact should be considered. For example, if the wrong fees or interest have been charged, this can cause significant impact to a firm.
  • Fraud: Both internal and external fraud scenarios should be considered, depending on the focus of your review.
  • Credit: Do forbearance arrangements comply with a firm’s policy and risk appetite? And are they being accurately calculated and correctly reflected in the customer credit files?

In addition, before you finalise your planning, it is important to understand the specific nuances of the collections activities performed by your organisation, including:

A) The range and types of products/customers where collection activities are undertaken, and the level of arrears and applicable fees and charges for each product type:

  • Second charge mortgages may have a particular risk of harm from the total debt escalating significantly when a customer defers payments or enters payment shortfall
  • Commercial v residential products
  • Types of customers and the regulations which apply, ie vulnerable, regulated, non- regulated. There will be more guidance for regulated and vulnerable customers which will need to be complied with, and it may be that this isn’t the same for non-regulated. What is key is that the approach taken is justified for the individual needs of that type of customer and their personal circumstances
  • Government backed products such as the Coronavirus Business Interruption Loan Scheme (CBILS)

B) Any “Dear CEO” letters highlighting specific firm concerns as well as general industry themes or regulatory fines:

C) Any firm-specific concerns flagged in:

  • Management or board information
  • Customer complaints
  • Second line, third line or external reviews
  • Risk events
  • Control weaknesses in risk registers
  • Quality Assurance results from the first line
  • Regulatory returns being late or inaccurate
  • Any specific concerns raised by first or second line over a certain cohort of customers or a particular product

D) Any recent automation or changes to processes such as:

  • Workflow system for the collections teams
  • Resource and capacity management
  • Self-serve functionality for customers
  • Customer income and expenditure assessment
  • Automation of behavioural scorecards to identify the potential for missed payments at an early stage
  • Forbearance options offered to customers online
  • Technology and open banking applied to obtain more transaction information
  • Automation to inform and enhance management information
  • Ease of customer journey where automation is implemented (number of clicks) versus use of pop-up boxes to support the customer with extra information (where the online journey becomes stuck)
  • Any products or specific process outsourced (collections for a particular product, physical mailing, etc)

The different areas that could be audited

Taking into account these inputs, this might drive certain areas to focus on in your review, or you could consider covering all or some elements of the framework as set out below.

For each element of the framework, we have outlined a high-level list of items to consider in your audit work.

Governance, culture and risk management

Training, competency and incentives

Management information and reporting

First and second line oversight

Capacity planning and forecasting

Is there a risk and control assessment? How well is it documented and are the key risks and controls understood by the business?

Is there clear linkage, where appropriate, to the senior management responsibilities map?

How is organisational culture assessed, and are demonstrable actions taken where challenges are found with the culture (eg significant training failure rates, high levels of attrition, etc)?

Is the level of arrears/ possessions within risk appetite? If not, is this being clearly reported and managed?

Are policies and procedures adequate? How often are these reviewed and by whom /which committees?

Is there an appropriate ratio of team leads to collectors, staff churn and sickness, number of open vacancies and length to fill a role?

Are there adequate business continuity plans/disaster recovery plans and when were they last tested?

Is there an appropriate focus on staff wellbeing?

Are there appropriate working arrangements and are people supported?

Is there an appropriate mix of manual versus automated controls and the use of spreadsheets/ technology tools? For example, is exception reporting in place to support processes?

How is training performed for new starters (what is the lead time to full competence)?

How is training performed on an ongoing basis?

Does the training adequately cover conduct/customer outcomes and regulatory considerations, particularly regarding vulnerable customers?

How is competency assessed?

How is feedback provided from Quality Assurance reviews/second line reviews and complaints linked across to training?

Are incentives given and do these drive the right behaviours (ie customer outcome focus)?

If staff have individual mandate levels, do these make sense given the level of the staff member, and are these being complied with?

Which committees/ boards is management information being provided to?

Are the different lenses being considered in dashboards? For example, credit, conduct regulatory, etc

Is the management information being discussed in the committees and, where needed, is demonstrable action taken (for example on queue hold times, abandoned calls, etc)?

Are the key risk Indicators/key performance indicators accurately capturing the data and are they complete?

Are the forbearance metrics forward as well as backward looking?

Is the management information using quantitative as well as qualitative indicators?

Is there appropriate consideration of any insight in complaints including any Financial Ombudsman Service referrals upheld around collection activities?

Have any risk events over collections materialised?

Is there appropriate reporting of any problems with customer credit files, such as incorrect information submitted?

Are regulatory reports being submitted accurately and on time?

Are any accounting errors reported correctly?

Is the level of Quality Assurance being completed appropriate and is it risk-based?

Is there appropriate oversight of third-party providers?

Is there appropriate review by the second line of the collections process across the various products (compliance and credit)?

Is root cause analysis performed where issues/errors are identified and are demonstrable actions taken?

Are risk incidents logged and analysed, and is appropriate action taken?

Is customer outcome testing being performed by both the first and second line, and are appropriate actions being taken to address any issues noted?

Are there appropriate sample sizes and selection of the sample selected across all journey types and selecting different customers/ forbearance treatments?

How is capacity planning calculated? Do the calculations and assumptions seem reasonable?

How does future capacity planning link to the wider forecasting of arrears levels?

How are future arrears calculated (use of economic climate predictions, product, customer predictions, etc)?

How are new products included/training of new staff considered in capacity planning?

Are product maturities /any other activities the collections team has to handle built into capacity planning?

What is the lead time for recruiting and training new staff and how far out is the forecasting?

Is the forecasting really being used in practice?

What level of staff turnover is built into the model? If staff numbers are expected to grow, have assumptions around supervision been built into the calculation?

How is the work for the staff assigned and monitored?

Is the workflow tool effective?

The individual parts of the collections process could be performed as specific audits or as an end-to-end review:

A) Customer communications

  • Is the tone of the customer communication appropriate, not aggressive and easy to understand?
  • Are fees and charges being adequately flagged as required per regulation and not buried in small print?
  • Are the communications the right frequency, not harassing the customer and providing the right level of guidance? Morever, are the communications not duplicated across the journey?
  • Is the timing of calls suitable?
  • Are the customer communications suitably adapted to the individual customer needs, particularly vulnerable customers?
  • Are there various channels easily available (not just an automated journey)? Is it easy for a customer to switch between channels (online, postal, voice)?
  • Are various channels utilised when a customer is not easily contactable?
  • Are channels of communications blocked if breathing space has been requested?
  • Are the appropriate statements/letters being sent, as per regulatory requirements in terms of content and timing? Are these automated or manual? If using physical mailing, is appropriate action taken when mail is returned?
  • Is there adequate signage to debt advice helplines and the appropriate support guidance included where required across the channels?
  • Are the letters and notices reviewed on a periodic basis by compliance to ensure they still meet current regulatory guidance?
  • Does management understand how their customer channels are being utilised?
  • Is dialler management in line with Ofcom rules?
  • Are vulnerable customers being appropriately identified along with the type of the vulnerability eg deaf, blind, etc? Has the customer agreed to being marked as vulnerable and are they being managed appropriately for their individual circumstances?
  • Is there an appropriate level of team leader and Quality Assurance review performed over the various processes and how is feedback handled?
  • This ties to the framework above but it is important to ensure that management has adequate real time management information and dashboards to oversee the communication processes

B) Customer payments

  • Are the agreed payment arrangements set up correctly and are all elements including any fees being correctly charged?
  • Is the collection of payments in line with payment regulations (ie are credit card number being suppressed, details being removed when appropriate, etc)?
  • What happens when direct debits fail? Is appropriate action taken to re-present the direct debit or collect payment through an alternative method?
  • Where payments are overdue, is this being flagged in a timely manner and are these accounts entering a collections process in a timely manner?

C) Identification of early arrears

  • Is there consideration of payment arrangements made even before a customer’s account falls into arrears?
  • Is the customer handled appropriately if they make contact before falling into arrears?
  • Is there appropriate identification of early signs of financial difficulty arrears or default trigger points (eg missed payment, behavioural scoring referral or a missed payment on another account)?
  • Confirm that there is no excessive pressure being applied in respect of payment arrangements
  • Is the repayment plan appropriate, agreed if required in writing and does it give the customer appropriate time to consider the arrangement?
  • Is there adequate signposting to debt advice?
  • Are the case notes to support decisions robust? It is expected that a customer who is experiencing significant uncertainty does not have to repeatedly describe their circumstances

D) Full understanding of customer circumstances

  • Are the income and expenditure (I&E) and circumstances of a customer fully understood before any arrangement is agreed and applied? Consider using the Standard Financial Statement or a similar tool which guides agents to what appropriate and accurate figures are for those statements for people in arrears
  • Does the customer have the ability to revisit their I&E as circumstances change? How often does the organisation review the customer’s circumstances?
  • Is there consideration of specific circumstances such as where the term of the loan goes beyond retirement age when the customer’s ability to repay may be impacted?
  • If the I&E information is being captured digitally, how is it validated and can the customer easily opt out of the digital experience?

E) Arrears management

An account may fall into arrears for various reasons. Where a customer may be facing financial difficulty then the overriding principle must be that all cases are treated individually based on their own merits.

  • Are there adequate documented and up to date policy and procedures?
  • Where arrangements to pay are made, are the arrangements being correctly applied?
  • Does the policy have a range of toolkit options and in practice are these being applied or do collectors default to one or two types?
  • Is there appropriate consideration of advice versus information and how are collectors trained/applying the difference?
  • Is there a defined process for logging breathing space cases?
  • What are the controls to ensure payments are not taken once an arrangement is agreed?
  • Are any unsupported arrangements, where the customer wants to state what they want without a full I&E being performed, appropriate?
  • Confirm that excessive pressure is not being applied
  • Is the repayment plan appropriate and agreed in writing, and does it give the customer time to consider the arrangement?
  • Is there adequate signposting to debt advice?
  • Are the case notes to support decisions robust? It is expected that a customer who is experiencing significant uncertainty does not have to repeatedly describe their circumstances
  • Is there appropriate treatment of exceptions where an arrangement is outside of the standard toolkit?
  • Where longer term arrangements are agreed, are these sustainable (and how is this assessed)?
  • Is there ongoing review of arrangements? How proactive is a company in ensuring forbearance arrangements still remain appropriate?
  • How does this arrangement then impact the customer’s credit file, has the credit file been treated appropriately and the customer adequately informed of the impact on their credit score?

F. Repossession and litigation

It should be noted for residential mortgages, it would be expected that repossessions should only be considered where all other available means of resolving the situation have been exhausted.

  • Are possession proceedings only considered as a last resort?
  • Are there appropriate controls over the various ways of possessing a property – court order, voluntary surrender or abandonment?
  • Is there compliance with the Civil Justice Council’s Pre Action Protocol, where applicable?
  • Is the approach to recover other debts taken in line with the Consumer Credit Act 1974 and the FCA’s Consumer Credit Sourcebook?
  • Is a written letter sent to the customer in certain cases, with a number of inclusions prescribed per MCOB, if applicable?
  • If there are tenants or others living in the property, have they been notified per the Mortgage Repossessions Act 2010?
  • Are there appropriate controls over the management of properties in possession and the sale, such as:
    • Obtaining independent valuations
    • Making sure the property remains insured and secure
    • Review of the sales particulars
    • Steps to take if the property does not sell timely e.g. consideration of auction or if repairs are needed to make the property more marketable
  • Once the property is sold, are the actions taken appropriate, such as the customer needing to be informed and then the sales monies needing to be assigned, confirming this is accurate and the correct proceeds paid?
  • Are any write offs of shortfall debt appropriately recorded and is there consideration of any further legal recovery options?
  • Are any third parties involved in the possession or litigation process such as estate agents, bailiffs, legal firms, debt collectors, etc. being managed appropriately?

Customer outcome focus

Customer outcome focus is the final pillar and this needs to be considered in any audit review performed. It is critical to confirm that management has a customer outcome focus when performing any stage of the collections activities.
Our Internal Audit Financial Services Code of Practice makes reference to the risk of poor customer treatment and confirming the outcomes that result from the application of processes and controls.

Taking an informed sample and performing a deep dive to confirm that the customer outcome is appropriate and there are no signs of distress is critical and informs the auditor on the effectiveness of the control environment. This should encompass the whole of the customer journey and include all communication channels such as call listening/web chat, letters sent, etc.

It is an expectation of the regulator that the third line, along with the wider business and second line, performs an element of customer outcome testing, where appropriate.

Other audit considerations

A) Use of data analytics

Data analytics is a critical part of your internal audit approach. The nature and focus of your review of collections will influence what you focus on with your data analytics.

Areas to consider which may drive your testing sample include:

  • Is the whole tool kit being used or are they reverting to a particular type of forbearance?
  • Phone calls made outside of core hours
  • Where forbearance treatment switched the customer onto interest only, to test a sample that this was appropriate
  • Customers in arrears with significant interest rates (e.g. over 5% or 10% depending on product type) – to review that the treatment seems appropriate
  • Term extension requests hiding possible financial difficulties
  • Are arrears balances being cleared inappropriately when payment arrangements are made?
  • Customers in retirement in arrears to check their arrangements remain appropriate
  • Loans where there are higher interest and fees than capital outstanding again to check these arrangements remain appropriate
  • Search recorded telephone calls on voice for signs of vulnerability and then assess if this was handled correctly
  • Search recorded telephone calls on voice for signs of financial difficulty and then confirm early action was taken
    Mandates – have cases been handled by individuals who have the appropriate mandate level and exceptions clearly marked
  • Refunds and then collections – was it handled appropriately?
  • Are accounts moving through the action/contract strategies in line with expectations based on the customer profile? For example, customer is contacted by phone on day X after a missed payment; the first letter is sent on day Y, etc
  • Date financial difficulty was flagged versus date an arrangement to pay was agreed to ensure timeliness
  • Customers who waited in call queues with call dropped due to length of wait and requested call back. Assess if these were reviewed and acted upon

Data analytics tends to take longer than expected, so do start considering what sort of queries you would like to undertake as early as possible in the review cycle.

B) Linkage to other audit areas

Collections also impacts a number of other areas of an organisation, which you may want to consider as part of other audit reviews such as:

  • Credit: Forbearance arrangements should be correctly reflected in customer credit files
    Financial: Forbearance arrangements are recorded and appropriately reported in regulatory reporting returns as well as accounting returns. If it’s a government initiative and the loans have been partly guaranteed, then this needs to be appropriately accounted for
  • Responsible lending: The business considers any lessons-learned for cases that went into forbearance within 12 months of the loan being taken (or an applicable period for your business)
  • Servicing: There will be cross-over between servicing a loan and the processes for collections – are there clear roles and responsibilities and handovers when I&E assessments are being performed and alternative payment arrangements being made?
  • Third party oversight: If activities are outsourced, making sure that the vendor meets the wider regulatory guidelines around material outsourcing arrangements as well as the business’s own vendor policies


Planning is absolutely critical when looking to complete an audit of collections. It is a large and complex topic and making sure you have understood how collections works in your organisation, and the risks faced, in order to shape the review appropriately, is fundamental.

In addition, customer outcomes testing and data analytics are both essential audit tools to help provide depth of coverage and assurance.

A clear scope will help to ensure a quality audit deliverable is achieved within the committed timelines.

Further reading

External reading

PRA Thematic findings of Internal Audit Review of Collections
Bank of England 2019 Review and findings fast growing firms
FCA Forbearance and impairment provisions
FCA Coronavirus (Covid-19): Information for firms


Wholesale credit risk
Retail credit risk
Auditing credit risk management
Auditing third party risk

Content reviewed: 1 February 2023