‘An insightful article around the current pressures Internal Auditors face within the Financial Services sector. Regulatory changes and the increasing threat of cybersecurity have ensured Internal Auditors are more in demand than ever.’
This article was published on accountingweb.com.
Internal audit has long pushed for more clout and recognition of its work. But in a prime example of “be careful what you wish for,” auditors are now overloaded by the demand from a number of internal and external sources.
According to a new report from the Institute of Internal Auditors Research Foundation, A Global View of Financial Services Auditing, “with growing demands from management, directors, regulators, and external auditors, internal audit is increasingly in a difficult position of serving multiple, sometimes inconsistent, masters with differing agendas.”
Authors Jennifer Burke and Steven Jameson surveyed more than 14,000 internal auditors in 166 countries. Respondents indicated that their key challenges include regulatory requirements, managing governance committee agendas, heightened expectations, increased risks from cybercriminals, coordination of defense systems, and management of resource allocations.
Here’s a snapshot of findings in each category.
Compliance and regulatory risk tops the list of issues requiring the most attention from internal audit. Operational risk is a close second.
Regulatory changes have larger impacts, with increasing disclosures.
Regulatory agencies have increased with expanded power.
Because of the operational impact of regulatory changes and the increased risk of lack of compliance, internal audit is much more involved in regulatory compliance issues.
Regulators expect more from internal audit. According to the report, “In some countries, the regulators also expect internal audit to review and comment on the risk and control culture within the organization. These expectations have been elevated to the point where some have suggested that maybe internal audit should have a formal, direct reporting relationship to the regulators. Various indirect reporting relationships are already in place in some countries.”
As demands and responsibilities grow, so, too, do agendas.
Boards of directors have turned to audit and risk committees to help them satisfy fiduciary responsibilities and provide some level of liability limitations against lawsuits and regulatory actions.
The financial sector has the highest number of formal audit committee meetings compared to all other organizations, averaging 6.7 meetings annually.
The number of agenda items and presenters has grown, leading to lengthier meetings.
Financial services internal auditors report far more often to the audit committee than do auditors in other industries. The majority (69 percent) of respondents report directly to the audit committee, compared to 54 percent across all industries.
Internal audit still assists external auditors; however, internal audit now also must assist regulatory examiners almost as much as or more than external auditors.
Internal auditors have been asked to bypass normal or traditional resolution processes in challenging management, reporting to the board, and even reporting issues to regulators. According to the report, “Many internal auditors worry that the results of their work will be used by regulators to cite additional deficiencies in regulatory examination reports.”
IT risks rank fourth among the top risks identified by chief audit executives and the percentage of time required to audit those risks. The authors note, though, that senior managers, directors, regulators, and investors also worry about cyber-risks.
Broader data and privacy controls and programs that encompass preparation, detection, analysis, containment, eradication, and recovery are essential. Internal audit’s involvement in preparation “can yield big dividends” when a breach occurs, the report states.
Forty-three percent of respondents considered their company’s data breach risk as extensive.
Ten percent of respondents said they hold an information systems audit certification, and 3 percent are certified in IT security.
Three Lines of Defense
Seventy-eight percent of respondents in the financial sector follow the “Three Lines of Defense Model.” The first line is management controls and internal-control measures; the second line includes financial control, security, risk management, quality, inspection, and compliance; and the third line is internal audit.
It’s important that internal audit reports directly to the audit committee when different elements of the “three lines of defense” report to the same executive.
Internal Audit Resources
Chief audit executives ranked analytical and critical thinking as the top skill out of 14 for internal auditors. Accounting ranked sixth; fraud auditing was tenth.
Rotational chief audit executives who serve for a limited time while expanding audit approaches create challenges in continuity, independence, and even whether they understand standards and quality assessments, the report states.