From new regulations to new technologies, banks face a lot of change that requires proper oversight. The role of internal audit is becoming more important for banking institutions as they face greater compliance challenges while also benefitting from increased opportunities to grow and reach new customers through digital banking.
Staying on top of these risks requires the internal audit plan for banks to be highly organized, build repeatable processes, and operate on a more continuous basis. The less they get bogged down with auditing inefficiencies and outdated procedures, the more they will be able to collaborate with other departments, like enterprise risk management, and provide strategic oversight.
With that in mind, consider the following 4 best practices for internal audit in the banking sector:
1) Keep track of the shifting regulatory environment
New rules on cybersecurity governance, operational resilience, and frequent regulatory queries. Sound familiar? Your organization needs to be able to demonstrate compliance with new legislation, and Internal Audit departments are expected to provide assurance over those topics. If your organization operates in various territories, it’s critical to monitor the regulatory landscape in each of these geographies. Regulators often require detailed and summarized data, and they generally don’t allow much time for a response. Banks need to be able to provide accurate and valid information on their internal controls environment. Preparing reports and summarized data for a regulator may take longer than necessary if you’re not working with an appropriate reporting and analytics tool.
2) Watch for emerging risks
While monitoring the evolving regulatory landscape can help banks stay on track, you should also be aware of emerging risks which may require you to then add new internal controls or update existing ones.
Banking institutions should focus on risks that include:
- Cryptocurrency and blockchain: Internal auditors need to consider how they provide oversight for crypto assets, much as they do with other currency controls. Banks might also use or consider adding blockchain technology, which creates oversight responsibilities for internal auditors, like assessing associated security risks.
- Digital banking: Blockchain isn’t the only technology to keep an eye on. While digital banking isn’t new, it continues to grow and evolve. As banks increase the number of customer-facing features for mobile and online banking, in areas like payments and financial planning, internal auditors need to provide assurance that these offerings are rolled out with proper compliance protocols in place.
- Cybersecurity: The number of cyber-attacks across the financial sector has significantly increased over the past few years. Cybercriminals are smart and banks need to learn how to navigate across the challenging landscape of more sophisticated cyber threats. Financial institutions are a lucrative target for threat actors who leverage various attack vectors, like ransomware, Distributed Denial of Service (DDoS), and supply chain attacks. Does your organization know how to prevent being victimized by these attacks?
- Geopolitical strife: War is one example of geopolitical strife that can affect internal audit programs for banks, especially at multinational financial services firms. Internal auditors need to be aware of these issues, given the risks that can result from not complying with sanctions.
- Increased employee attrition: It’s one of the most underestimated risks impacting many industries. You may have heard of the “great resignation” and “silent quitting”. These are more than catchy phrases invented by HR professionals. Many organizations are struggling to attract and retain highly skilled auditors. High attrition may lead to a lack of resources to deliver all projects in your audit plan. Once you find new team members, they will need to go through the onboarding process before they become fully operational. One way to reduce the overall onboarding time is by centralizing your audit activities within a single tool. It can be frustrating for employees that join a new organization and are required to familiarize themselves with several different software tools to perform audit work. These can often include audit planning tools, separate applications for fieldwork, solutions for issue tracking, and additional tools for reporting and analytics. Banking institutions can save time if all these capabilities are available within a single audit solution.
3) Become more agile
Considering that new risks tend to emerge at any time, and the technology we rely on changes rapidly, the role of internal audit in the banking sector needs to avoid becoming static. Instead, effort should be made to move to a more agile auditing process, where risks are assessed and controls implemented on a continuous basis. Otherwise, by the time auditors make recommendations from their findings, the bank’s needs and priorities may have already shifted.
Agile coaches tend to say that agile is a journey, not a destination. Shifting from a waterfall to an agile approach can take time, but the effort does pay off. Timely identification of bottlenecks and enhanced interaction with key stakeholders are just a couple of examples of the benefits of adopting agile. With the right tone from the top, the agile way of thinking can be adopted across all layers of the banking audit process.
George Zornas, internal audit director at Bank of Cyprus, a TeamMate+ client, notes that “Risk is not static, it changes all the time. Plans must evolve with the risks.”
4) Centralize communication
The last in our list of best practices that focus on internal audit for banks is to centralize communication around the audit process. Doing so will help everyone follow the same internal audit checklist, be aware of emerging risks, and implement agile audits more easily.
Rather than sending data and reports back and forth over email, for example, internal auditors can use cloud-based systems to keep all audit-related information in a single location. That way, banks can reduce the odds of someone using the wrong file version from an old email or missing an important piece of communication that they weren’t made aware of.
Ideally, banks should consider automating their audit-related communications. Data that flows directly between systems will facilitate greater collaboration and more accurate analysis.
Additionally, financial institutions should leverage the resources they already have. There’s a huge overlap between internal audit and the second line of defense function. As a result, these two functions need to collaborate. Frequent and centralized communication with risk managers can help auditors gain valuable insights about emerging risks and threats. Facilitate this communication even further by using a centralized platform and exchanging data with each other.
Overall, these 4 best practices can help internal auditors at banks deliver timely observations on high-risk topics. You still need to dig into the details to provide greater assurance, but these best practices can put you on course for success.