Top Priorities for Internal Audit in Financial Services Organisations


Chief audit executives (CAEs) and their teams are focused on what the future holds for the financial services industry (FSI), which is enduring the return of geopolitical risk and the ever-present challenge of cybersecurity. They are also determining their organisations' exposure to emerging risks from digital and financial technology companies and services that are changing the economic environment.

Chief executive officers (CEOs), boards of directors and audit committees are increasingly asking CAEs to apply their independent lens and expertise toward analysing and articulating what the risk future and other emerging risks mean to the organisation, its risk profile and the execution of its strategy. CEOs and boards are also asking internal audit functions how increasingly fluid risks within the organisation’s core risk taxonomy are changing. The frequency and importance of these questions have increased in tandem with growing political, regulatory, economic and technological volatility.

The growing pressure bearing down on internal audit functions is reflected in the FSI findings of Protiviti’s annual Internal Audit Capabilities and Needs Survey. The purpose of our survey is to assess current skill levels of internal audit executives and professionals, identify areas being targeted for improvement, and help stimulate the sharing of leading practices throughout the FSI and the internal audit profession. The 2017 findings detailed in the pages that follow capture the outlook of internal audit leaders within the industry. The findings discussed in our paper are based on responses from nearly 200 CAEs and internal audit professionals in the U.S. financial services industry.

This year’s respondents identified a number of especially serious challenges related to technology, including:

  • Cybersecurity
  • Cloud computing
  • Big data/business intelligence
  • Smart devices, mobile applications and digital transformation

Yet, technology-related risks are far from the only concern at the very top of internal audit’s 2017 priority list. Our respondents also held up the following areas as top areas they are striving to improve:

  • Agile risk and compliance
  • Dynamic risk assessment
  • Consumer Finance Protection Bureau (CFPB) exam readiness
  • Stress testing for Comprehensive Capital Analysis and Review (CCAR) and/or the Dodd-Frank Act Stress Test 2017 (DFAST)
  • Model risk management
  • Anti-Money Laundering (AML) and Bank Secrecy Act (BSA)

While these issues figured prominently among the very top concerns in our findings, respondents also identified numerous other internal audit areas — some unique to the FSI (e.g., derivatives and hedging), others unique to financing activities (e.g., the current expected credit loss [CECL] accounting standard) and still others applicable across all industries (e.g., the updated cloud computing accounting standard) — they intend to strengthen in the coming months. We have organised the chapters and call-outs that follow to reflect the priorities and focal points respondents identified.

  1. Cybersecurity: Robust Cybersecurity Programs Required.
  2. Technology: Supporting Innovation Through Risk-Based Technology Auditing.
     • Auditing the Cloud Requires Strategic Clarity
     • Mobile and Digital’s Speed and Convenience Risks
  3. Stress Testing: Regulators Stress Internal Audit’s Role in Model Risk Management.
     • Data Analytics Capabilities Go Deeper
  4. Model Risk Management: Addressing CECL Requirements.
  5. Risk Management: Evolving Opinions: An Agile Approach to Assessing Enterprise Risk.
  6. Facing the Future with Confidence: Responding to Regulatory Volatility and Other Emerging Risks.
     • Emerging Risks Get Political
     • BSA/AML Gets Programmatic (and Personal)
     • CFPB Examination Readiness Requires Regulatory Agility
  7. In Closing

Recent political swings, the uncertainty of regulatory change and the never-ending disruptions sparked by technology’s onward march have combined to make the future of the FSI more daunting, more promising and more uncertain than ever. The near-term future of U.S.-based financial regulation represents just one of many factors that CAEs and their functions are focusing on. While internal auditors cannot project the future state of financial regulation, their work can help ensure that the organisation remains equipped to handle likely regulatory shifts.

To do so, the function needs to have the leadership, strategy, processes, technology and relationships in place that enable it to continually monitor how all emerging risks, including regulatory changes, along with all other elements of the organisation’s risk taxonomy, are developing. The findings and analyses that follow in this report are designed to help FSI internal auditors ensure that their organisations are prepared for an unknowable future.