Demands on internal audit are growing faster than ever as management, regulators, and stakeholders increasingly turn to the profession for assurance and advice on a rapidly growing array of risks and opportunities.
A new report from The Institute of Internal Auditors Research Foundation (IIARF), which examines the challenges facing financial services internal auditors on a global level, identifies regulatory requirements, heightened expectations, and increased technology risks among the biggest threats.
The authors of A Global View of Financial Services Auditing: Challenges, Opportunities and the Future, Jennifer F. Burke and Steven E. Jameson, suggest regulatory compliance has become a top issue because the ever-evolving nature of regulations strains resources.
Spending on additional staff, new technologies, and revised processes combined with regulations that reduce fees and revenues can have significant impacts on financial institutions.
These new challenges not only include new regulations, but new regulatory bodies.
The Financial Services Authority of Indonesia, the Financial Conduct Authority and the Prudential Regulation Authority in the United Kingdom, and the Consumer Financial Protection Bureau in the United States are a few examples of new governing bodies with regulatory sway over financial institutions.
Compliance and regulatory risk topps list
Worldwide, compliance and regulatory risk topped the list for financial services chief audit executives (CAEs), according to the IIARF’s Global Internal Audit Common Body of Knowledge (CBOK) practitioners’ survey.
Completed earlier this year, the survey found that compliance/regulatory risks was listed as a top risk by 83 percent of respondents. Despite this, financial services CAEs indicated that operational risks comprised the highest percentage of 2015 audit plans.
Meanwhile, the profession, which has pushed for elevated stature and recognition to facilitate independence and add weight to internal audit recommendations, is straining under the growing burden of heightened expectations.
“It appears the caveat about ‘being careful what you ask for’ has become reality for many, bringing with it both opportunities and challenges. CAEs are finding themselves in the middle of almost every problem imaginable,” according to the report.
In a difficult position
With growing demands from management, directors, regulators, and external auditors, internal audit is increasingly in a difficult position of serving multiple, sometimes inconsistent, masters with differing agendas.
Beyond the potential for increased conflicts, these new overseers are demanding more time and resources from the financial service auditors. For example, when compared to other industries, the financial and insurance sectors are mostly likely to provide support to external auditors.
The CBOK survey found that financial services auditors spent the most time supporting external auditors, with 34 percent reporting spending more than 4 weeks annually.
Even more provocative is a growing elevation of internal audit’s importance to support regulators.
“Internal auditors have been asked to circumvent normal or traditional resolution process in challenging management, reporting to the board, and even reporting issues directly to regulators,” according to the report.
“Many internal auditors worry that the results of their work will be used by regulators to cite additional deficiencies in regulatory examination reports.”
Source of new and persistent risk
Technology continues to be a leading source of new and persistent risk for organizations and their internal audit functions, and the financial sector ranked the highest when it comes to time spent providing security for IT-related risks.
According to the CBOK survey, 47 percent of financial sector CAEs described the amount of time spent as extensive. The next highest, at 27 percent, were CAEs from publicly traded enterprises (excluding financial sector).
Similarly, financial services internal auditors see the risk of a data breach as more extensive than their counterparts in other sectors, with 43 percent describing the risk as extensive compared to an average of 34 percent.
The report also delves into two other areas, the growing demands related to managing audit and risk committee agendas, and the practicality of the Three Lines of Defense model in small and mid-sized financial institutions.