Returning Internal Audit to 'Business as Usual' in a New World
Eight Recommendations for Addressing the Impacts of COVID-19 on Financial Services Industry Audit Plans
The COVID-19 pandemic continues to wreak untold havoc on individuals, businesses and economies throughout the world, with no clear end in sight. The financial services industry (FSI) has by no means been immune. An abundance of pandemic-related events, including the implementation of cascading regional stay-at-home orders, various government relief programmes globally, downturns across numerous industries, and historic furloughs and job losses, has tested financial services institutions like no crisis in generations.
Empowering Next-Gen Internal Audit With Advanced Technologies
Technology plays an integral role in effective internal audit functions. The pandemic environment has further amplified the need to adopt new technology solutions in internal audit that are likely to remain even after social distancing expectations begin to ease.
Internal auditors within many organisations are leveraging advanced data analytics to map out action plans more effectively, make better inquiries into the various owners of risk and processes, and improve how, when and where audits are conducted. During the pandemic, internal audit task forces have used such data to inform and test the value of key risk indicators and, in some cases, recalibrate the indicators to better align with the data that’s available.
Additionally, process mining is becoming a key differentiator for internal audit programmes, particularly in a work-from-home environment. Process mining technology provides auditors with critical insight into how systems and processes are operating in those situations and identifies where deviations may be occurring.
Internal audit functions in a variety of sectors are deploying cognitive technologies like artificial intelligence, machine learning and natural language processing to increase the effectiveness, timeliness and efficiency of complex testing. For example, natural language processing techniques provide an automated way to identify word and phrase patterns in structured and unstructured data sources and documents. Such methods can be used to classify documents based on their contents, for example, by identifying adverse or otherwise noteworthy clauses in contractual arrangements.
Finally, auditors can deploy algorithms such as k-means and hierarchical clustering to identify and group similar elements in data sets that may not be immediately apparent to the auditor reviewing the data. This will allow internal audit to, for example, identify suspicious or high-risk transactions and better stratify populations for risk-based analysis.
Internal Audit’s Role in Operational Resilience
The financial services industry has long relied on internal audit functions to assess and challenge the effectiveness of various programmes designed to protect and build organisational value. These programmes have included disaster recovery, business continuity, risk management, cybersecurity and many others designed to help institutions recover from an event.
However, with rapid technology development and globalisation, internal audit functions are having to evolve and adapt to emerging business risks and regulatory expectations. Regulators expect, and in many cases demand, that firms demonstrate greater resilience, while organisations, management and boards are under greater pressure to build out more robust resilience-focused programmes. The pressure comes amid fears that operational disruptions to the products and services financial services organisations provide have the potential to harm consumers and market participants, threaten the viability of these entities, and create instability in the financial markets. A string of large-scale technology outages and cybersecurity attacks in recent years has exposed systemic vulnerabilities and intensified regulators’ concerns.
Given the emerging nature and complexity of operational resilience, there is growing urgency for internal audit to play a bigger role in providing assurance that the governance, risk management and controls that are being created to enhance resilience capabilities are adequate. This evolving dynamic also provides an opportunity for internal audit to develop a flexible and comprehensive approach that not only targets all aspects of a resilience programme but also can be incorporated into existing business and IT audits.
Not a new concept, but one that is receiving scrutiny from regulators and leaders alike, operational resilience is defined as an organisation’s ability to detect, prevent, respond to, recover from and learn from operational and technological failures that may impact the delivery of critical business and economic functions or underlying business services. The concept of operational resilience is evolving as firms expand programmes and capabilities to address a broad range of threats that could cause business failures, systemic risk and economic impacts.
Within each organisation, operational resilience calls for stakeholders to promote a culture of resiliency through oversight, training and awareness, communications, and board reporting. The key components of operational resilience, which include defining and understanding important business services, impact tolerance and economic impact, are essential guideposts on the road to resiliency. And vitally important is the role internal audit plays in assessing these various components, providing assurance that stakeholders are addressing the key risks identified.
Working in concert with leading financial industry groups and individual institutions, Protiviti’s internal audit experts are expanding existing programmes to incorporate more comprehensive assurance over operational resilience. The revised resiliency audit approach addresses governance structures from an operational resilience perspective and provides coverage of all the foundational elements (e.g., cybersecurity, disaster recovery, business continuity planning and vendor risk management) within business-as-usual audits, and front-to-back resiliency processes.
For more information, read Protiviti’s white paper, The Road to Resiliency – Building a Robust Audit Plan for Operational Resilience, available at www.protiviti.com/operationalresilience.
The current COVID-19 pandemic is presenting financial services organisations with a series of shocks unlike any seen in generations. From rapid changes in how and where people work to a myriad of new risks across the enterprise, internal audit functions in the industry must rise to the challenge.
Chief audit executives and internal audit leaders must review their current slate of audits, prioritising backlogged projects to address the most urgent current risks to the enterprise. At the same time, they must evaluate new and emerging risks resulting from pandemic-related workplace changes and environmental exposures. To address these changes successfully, they should increase proactive communication among internal and external stakeholders and embrace the use of next-generation internal audit governance competencies, methodologies and enabling technologies.
Those FSI internal audit leaders who adapt successfully to this new normal and pivot from business as usual to take their rightful seat at the table will be best prepared to guide the internal audit function into the next generation.