Future of bank audits: Increased regulation and impact on audit functions

Issue remediation

A recent report from the FDIC on SVB's failure pointed out repeated issues that were not addressed after regulatory bank audits. For example, the regulatory audit of banking technology raised repeated issues without clear resolution. The year the bank failed, regulators documented Supervisory Recommendations (SR) "related to end-of-life management, vulnerability timeframes, configuration management, IT succession plan, project management reporting, risk assessment, asset inventory, and business continuity management." These issues represent the core risks and controls that any audit of banking information systems should target. The internal audit team should have reviewed these risks and controls during their own bank audits, and they should have held management accountable for mitigation. IIA Standard 2500 requires the CAE to review open issues and ensure these have been remediated. Once a risk exposure has been identified in a bank audit, an action plan must be implemented with proper controls.

Enterprise Risk Management

Increased regulatory attention focused on independent risk management functions within financial institutions is also likely. Internal auditors should be prepared to perform a risk management effectiveness review prior to the regulators’ bank audit. The report from Deloitte lists several focus areas related to risk management that auditors should have on their radar to prepare the organization for the inevitable regulatory bank audit, including:

• The scope of risk assessments that challenge management's assumptions and strategies and proactively look for emerging risks and potential control gaps.
• Adequacy of the risk management team to handle changes to the bank's size and complexity with the correct staffing levels, professional skills, organizational position, and tools to do the required work.
• Evidence that demonstrates proper risk governance and timely communication of risk indicators and emerging risks to the board.

When designing an audit of banking risk management practices, auditors need to consider the adequacy and effectiveness of the overall function and how the risk management team addresses specific risks, such as liquidity, market, and interest rate risks.

Agility

According to the report from Deloitte previously mentioned, banks should expect increasing supervisory agility. Given the pace of market developments, supervisors will most likely learn to move and react quicker to prevent events disrupting the financial system. This could mean even more scrutiny and higher frequency of ad-hoc regulatory queries. It’s extremely difficult to come up with an annual audit plan if you don’t know how much time your audit team will need to invest in handling regulatory reviews, queries, etc. With that in mind, you need to change your current approach and adopt agile ways of working. You can no longer continue to utilize an old waterfall approach as even regulators are moving away from it. Thus, you need to react timely, respond to the changing environment, and frequently refine your plans.

Proactive audit of banking operations

The recent collapse of several banks will lead regulators deeper into an audit of banking operations. Internal Audit teams should anticipate more stringent bank audits and review areas needing more robust controls and processes. The areas discussed in this article are ones that every bank audit function can add to their plan immediately to ensure management is working toward a sound strategy, addressing significant concerns, and making decisions that consider the risk impact on the organization.