The Evolving Audit: 4 Changes You Need to Make to Your Audit Program

Audits aren’t known for variability. While historically there might be a small change due to a regulatory update here and there, financial institutions typically have a relatively consistent audit program from year to year.

That’s changing.

The predictable and formulaic audit programs that have served institutions well for most of banking’s history were yet another victim of the COVID-19 pandemic, forcing banks to shift their strategy almost overnight. One primary example is institutions that had plans to roll out new digital services had to fast-track those plans as their customers went on lockdown. Consequently, they were subject to added risks they were not yet prepared for.

Technology is also moving at a faster rate than ever before. Driven largely by new consumer expectations and the tech giants setting those expectations, as well as the need to streamline operations to boost competitiveness among digital disruptors and nonbanks, financial institutions are adding new services seemingly every few months (if not quite literally). This opens banks up to greater risks, especially as they look to partner with fintechs for innovation.

Embedded finance and banking-as-a-service trends are also on the rise, as banks consider whether to bundle offerings, either white-labeled or cobranded, that nonbanks can offer to their customers. In fact, embedded finance – from payments, lending, and insurance – is expected to generate $230 billion in revenue by 2025, a 10x increase from $22.5 billion in 2020, says Cornerstone Advisors’ Ron Shevlin. These new and emerging strategies and partnerships are also opening up new risks.

And let’s not forget the rising threats of cyberattacks. As the world becomes more digital, fraudsters are trolling for ways to steal information – and they’re getting smarter. According to a new report, the world saw an alarming 105% surge in ransomware cyberattacks last year. Even more, beginning in May, banks will have 36 hours to disclose certain types of cyber incidents.

As the banking business continues to evolve, banks must also prepare for new laws and regulations. Deloitte’s 2022 Banking Regulatory Outlook points to several key areas banks should watch for, including climate, financial inclusion, and digital assets.

All of these factors are necessitating quick and radical changes in strategic planning and operations, requiring a nimble audit program. The board and management need to know whether changes are performing as expected and whether they are creating undue risk.

This requires four key changes in today’s audit programs: 

1. Agile, flexible, and proactive

We are living in tumultuous times. The development and adoption of advanced technologies, including cloud computing, robotics, and AI, paired with the ease of connecting with people around the globe have impacted nearly every industry. While these advances bring new opportunities and challenges, they also compress the time to respond to each event or development.

The world is undergoing rapid economic, political, and cultural changes as well. And, as recent events have shown, every organization must be prepared to respond to wholly new contingencies. It is in this setting that today’s internal audit departments operate.

To thrive, internal audit programs must be agile, flexible, and proactive to recognize and respond to emerging risks quickly. To add value, internal audit programs must be able to effectively communicate the knowledge and insights gained from their activities across the financial institution. Traditional audit planning and performance methods are no longer adequate to meet the demands placed on modern internal audit departments.

Related: Audit Management Resources

2. More frequent

Audit frequency needs to be adjusted to align with changes in the business model. Waiting for the next scheduled audit to determine the impact of major changes is risky.

Traditional annual or biannual audit planning must be replaced with more frequent and fluid scheduling that anticipates and responds to potential and developing risks.

And audit teams must be able to respond to external challenges and changes in the financial institution’s business model with speed and flexibility.

3. Depth & breadth

The depth of testing may need to change based on the breadth of changes. But risk management is all about prioritizing. It identifies areas that require the most attention so that the necessary resources can be allocated. There are more functional areas and processes to review or audit at a financial institution than could ever be reviewed or audited, making it essential to prioritize areas that pose the greatest risk.

Additionally, each institution is unique and will have its own sets of risks. Reviewers and auditors should focus their attention on areas that pose a significant risk to the institution. They should also consider the areas that have not been reviewed or audited recently and ensure those are given the proper weight.

When attempting to understand a department’s processes, they should also speak to more than just the department head. Department heads are great at knowing what policies or procedures state, but the frontline is in the best position to explain what they do on a day-to-day basis. Speaking to more than one individual can help uncover process deficiencies or outdated policies.

It’s also helpful to consider what’s new at the financial institution. Sometimes new products and services make it out the door before being properly vetted. Auditors should identify any new product, service, or process that may change the risk landscape at the institution and include it in the audit plan. Then, they should audit controls mitigating the risks of these new products and services to ensure they are effective or in need of remediation.

4. New internal controls

Institutions will need to test additional internal controls for effectiveness. But it’s not enough to adjust or introduce new internal controls to resolve a finding and move on. Financial institutions must revisit these controls to ensure they are performing as intended.

For example, a finding might show that employees haven’t been following funds availability policies. Frontline staff who are trained to do everything they can to help customers might think that waiving funds availability rules for a good customer is an example of “going the extra mile” and providing exemplary customer service. Staff doesn’t realize that the policy protects both the institution and the customer from losing money on a bad check.

To address this finding, the institution might decide to retrain staff on the policy. While this can be an effective approach, the institution won’t know for sure until it goes back and reviews whether staff has done a better job consistently complying with the policy after training. Ongoing monitoring may show a significant improvement in compliance, but it also might demonstrate just a slight improvement.

Ask the Auditors: Top Takeaways about Internal Auditing for Compliance and Risk Management (ncontracts.com) 

Is it time to change how you manage internal audits?

Financial institutions are a part of an industry subject to rapid change on all fronts. From changing consumer expectations set by global tech giants to increased bank-fintech partnerships to ongoing cybersecurity threats, and finally, new and evolving compliance and regulatory guidelines – risk continues to change as well.

An audit management solution can be powerful to help adjust to these changes, but it needs to be a solution that grows and adapts with the bank. Legacy systems built on outdated hardware or software don’t offer the kind of flexibility modern financial institutions need.

When selecting an audit management software, institutions must ask about its capacity for expansion and integration and seek one with a track record for industry knowledge, reliability, and responsiveness. The right audit management software can transform internal audit departments and give staff the tools they need to provide the assurance and insights that help organizations thrive.

Learn about the key components to look for in an audit management solution in 

 The Audit Management Software Buyer’s Guide.