Future of bank audits: Increased regulation and impact on audit functions
Compliance | August 30, 2023

After a retrospective analysis of recent bank failures, Deloitte concluded that banks should "expect heightened regulatory scrutiny on the fundamentals of banks' business models, risk management programs… and issue escalation." Internal auditors are perfectly positioned to prepare their organizations for increased regulatory attention during bank audits. In this article, we will explore the areas internal audit leaders can focus on to prepare for a more stringent audit of banking processes.

Strategic risk governance

Auditors should have a deep understanding of their organization's business strategy. Silicon Valley Bank (SVB) pursued a rapid growth strategy, but the level of growth outpaced management's ability to "transition to heightened standards" and to correctly identify risks to the business caused by rapid growth, according to a Federal Reserve review. In an audit of banking strategy, internal auditors can ensure proper risks have been considered in line with the business model. For example, SVB should have considered whether they were prepared for increased compliance requirements as they moved up in tiers. An audit of banking risks could have reevaluated control processes as the bank became more complex and offered new financial products. 

Issue remediation

A recent report from the FDIC on SVB's failure pointed out repeated issues that were not addressed after regulatory bank audits. For example, the regulatory audit of banking technology raised repeated issues without clear resolution. The year the bank failed, regulators documented Supervisory Recommendations (SR) "related to end-of-life management, vulnerability timeframes, configuration management, IT succession plan, project management reporting, risk assessment, asset inventory, and business continuity management." These issues represent the core risks and controls that any audit of banking information systems should target. The internal audit team should have reviewed these risks and controls during their own bank audits, and they should have held management accountable for mitigation. IIA Standard 2500 requires the CAE to review open issues and ensure these have been remediated. Once a risk exposure has been identified in a bank audit, an action plan must be implemented with proper controls.

Enterprise Risk Management

Increased regulatory attention focused on independent risk management functions within financial institutions is also likely. Internal auditors should be prepared to perform a risk management effectiveness review prior to the regulators’ bank audit. The report from Deloitte lists several focus areas related to risk management that auditors should have on their radar to prepare the organization for the inevitable regulatory bank audit, including:

  • The scope of risk assessments that challenge management's assumptions and strategies and proactively look for emerging risks and potential control gaps.
  • Adequacy of the risk management team to handle changes to the bank's size and complexity with the correct staffing levels, professional skills, organizational position, and tools to do the required work.
  • Evidence that demonstrates proper risk governance and timely communication of risk indicators and emerging risks to the board.

When designing an audit of banking risk management practices, auditors need to consider the adequacy and effectiveness of the overall function and how the risk management team addresses specific risks, such as liquidity, market, and interest rate risks.

Agility

According to the Deloitte report mentioned previously, banks should expect increasing supervisory agility. Given the pace of market developments, supervisors will most likely learn to move and react more quickly to prevent events from disrupting the financial system. This could mean even more scrutiny and a higher frequency of ad-hoc regulatory queries. It's extremely difficult to come up with an annual audit plan if you don't know how much time your audit team will need to invest in handling regulatory reviews, queries, etc. With that in mind, you need to change your current approach and adopt agile ways of working. You can no longer continue to use an old waterfall approach, as even regulators are moving away from it. Thus, you need to react in a timely manner, respond to the changing environment, and frequently refine your plans.

Proactive audit of banking operations

The recent collapse of several banks will lead regulators deeper into an audit of banking operations. Internal Audit teams should anticipate more stringent bank audits and review areas needing more robust controls and processes. The areas discussed in this article are ones that every bank audit function can add to their plan immediately to ensure management is working toward a sound strategy, addressing significant concerns, and making decisions that consider the risk impact on the organization. 
