The importance and undertakings of the bank’s internal audit function have been conspicuously increasing; therefore, further flexibility, resources, and qualifications are essential. Providing vital assurance on fundamental challenges under accelerated change, while answering the growing needs of banks’ boards of directors, committees, and senior management and following the demanding requirements of financial supervisors, is creating significant challenges. These fundamental challenges are related to the quality of the internal control systems, the risks of unexpected losses, and the risks to reputation. The banking sector is going through a significant transformation, and new forms of risk are emerging in addition to geopolitical events, climate change and the real economy transition, and shifts in interest rates.
Given the new challenges on the horizon, the bank’s internal audit function needs to reinforce its independence and objective assurance, as well as develop internal consulting activities. These activities should create added value and improve the effectiveness of the bank’s operations, risk management, controls, and governance processes. In this context, the auditing principles and practices of independence, investigatory power, risk-oriented approaches and qualitative adequacy of controls and processes should take into account the different types of ongoing disruption, namely in digital transformation, changes in business models, and the generation of data by emerging technologies.
Digitalisation is provoking significant transformations and several business models are being re-invented. Digitalisation is changing the financial behaviour of consumers, businesses, and investors, as well as transforming the types of communication, transactions, and financial reporting. In parallel, business models are being challenged, re-invented or originated from innovative financial technologies (FinTech), with new competitors in areas such as deposits, payment systems, lending, investing, and trading, among other lines of banks’ business. The bank’s internal audit function needs to guarantee a strong data quality process and governance components in audit plans, ensuring that the data generated is being used and absorbed by the ongoing changes in methods, processes, data analysis tools, internal controls, key performance indicators, risk management and financial returns. Crucial questions should be considered, namely: How is the bank making positive results? What are the key drivers of positive results? How does the bank plan to make positive results in the future? How will key drivers of positive results change? And what is driving this change? In a bank, the future viability of its current business model, the sustainability of the strategy and the key vulnerabilities are critical factors to understand in detail and to challenge effectively on an ongoing basis.
An effective risk-based approach is fundamental. The disruptions and emerging technologies are creating new forms of risk in conduct, compliance, governance, brand, products (including digital assets), fraud sophistication, money laundering and terrorism financing, reputation risk, and cybercrime risks, among other areas. In this sense, within the bank’s internal audit function the implementation of an effective risk-based approach is key to rapidly allocating internal audit resources to the riskiest areas, allowing the efficient and prompt identification, evaluation, and prioritisation of actions in the audit plan. Focusing on the risky areas in the auditing reports facilitates not only the oversight function of controlling rules and procedures, but also the development of insights (independent assessment of programmes and projects, management policies, operations, and results), as well as the foresight function, by rapidly identifying the trends and challenges ahead.
There are several emerging risks which could impact current and future internal audit plans, and they need to be promptly highlighted. A modern and effective banking internal audit function is expected to bring an independent and objective perspective on how the bank operates and manages risk, challenging current practices and acting as a catalyst for internal discussions and ongoing improvements. Valuable assurance, advice and insight should be provided, helping a bank to address short, medium, and longer-term challenges, rather than internal auditing just reporting problems that happened in the past and regular corrective actions. A suitable risk assessment needs to take into consideration the materiality, the growing complexity of the internal controls, the volatility of exposures to losses, the types of processes and business, and the evolution of the regulatory environment.
The banking internal audit reports need to be an effective tool for communication and prompt corrective actions when needed. The reports are required to be informative, accurate, reliable, and analytical, summarising the full picture and connecting the dots without dispersion and too much written information. Increasingly, the importance of internal audit is being focused on more than just financial controls; therefore, for those additional aspects, different and complementary skills are needed for credible and effective communication of internal auditing recommendations and opinions.
Professional competence, combined with technical knowledge and experience, is critical to the efficiency of the bank’s internal audit function. The capacity to use, examine and evaluate information, as well as to communicate, should be connected with appropriate best practices, methods, and auditing tools. Adequate qualifications and diversified skills should incorporate the ability to evaluate auditing outcomes and produce credible recommendations and opinions, and should influence and have a strong effect at the highest level of management of the bank. Therefore, appropriate ongoing training is a crucial principle for keeping pace with the mounting technical complexity of banks’ activities, the growing variety of tasks due to the development of new products and processes, and the growing responsibilities of the internal auditing function in a context of emerging new forms of risk in the financial sector.