Emerging Internal Audit Risks

December 6, 2019 by Uday Gulvadi


Regulators increasingly expect internal audit teams to continually develop and enhance their audit plans in the face of new risks. As the third line of defense, an internal audit team must be proactive to stay one step ahead of emerging risks. Developing strong competencies to understand these risks is vital for an internal audit team as a means of providing additional value to senior management, the board, and other stakeholders. Some of the emerging internal audit risks that teams should focus on include:

  • Strategic risk – In some institutions, internal audit is being asked to provide advice and insight about strategic projects and opportunities. This could include getting involved in the early stages of developing a new business line or a potential merger to help senior management better understand and manage potential issues. The presence of internal audit on such projects also helps the team gain deeper insight into how the organization is evolving.

    Regulators are looking at how strategic risk is considered as part of internal audit’s risk assessments. For example, is strategic risk assessed at the organizational level or at the level of auditable entities as well? How are strategic risk issues communicated by the team to the audit committee and the board of directors?
     
  • Cybersecurity – Today many financial institutions must comply with New York State’s cybersecurity rules, and other jurisdictions also have their own regulations. Financial services firms are seeing an increased focus from regulators on their cybersecurity risks and defense frameworks, people, and resources. Data privacy and protection are growing themes – the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two prominent existing regulations, but more new rules in this area are expected over the next few years. There is also an enhanced focus on security controls for data protection of personal data shared with vendors and third parties. Internal audit teams must include cybersecurity and privacy controls assessments as a key part of their audit program.
     
  • Culture and conduct – These issues remain a top regulatory priority, and many financial institutions are keen for internal audit to find ways to review controls related to culture and conduct. However, providing assurance on something relatively subjective has proven to be a challenge. To best support this risk area, internal audit teams should discuss with stakeholders what form culture and conduct assurance should take. One strategy could be to provide a culture and conduct “maturity assessment” to management and the board. Following this approach, an internal audit team would use a culture and conduct assessment framework as a foundation, and build upon that through interviews with management and additional research. Potential benefits could include improved communications, enhanced governance, or focused management attention to specific culture and conduct issues.
     
  • Sustainability risk – Regulators are also taking more interest in the approach firms take to managing sustainability risks. For example, the UK’s Bank of England recently published a consultation paper, Enhancing banks’ and insurers’ approaches to managing the financial risks from climate change, which provides insights into how internal audit might include climate change concerns in the risk management framework to identify new risks and additional controls and to develop potential scenario analysis exercises. Firms in other jurisdictions may also need to think about providing public disclosures around these issues in the future.

Overall, it seems clear that emerging risks will continue to play a bigger role within internal audit teams’ risk-based audit plans and audit programs. Although regulatory interest may prompt some of this activity, internal audit’s proactive action in these areas can also help the organization’s board and senior management better manage these risks and achieve its goals.

How ACA Telavance Can Help

ACA Telavance offers a unique blend of banking, risk management, regulatory compliance, and technology expertise. We provide the following services to assist with your institution’s internal audit needs:

  • Fully outsourced or co-sourced internal audit
  • Internal audit training & internal audit quality assurance review
  • Targeted internal audits / risk and controls testing assessments
  • AML regulatory audits and remediation
  • FDICIA audits
  • IT governance general and security controls assessments
  • Identity and access management solutions
  • Policy, procedures design, implementation and testing support
  • Targeted risk assessments – BSA/AML/OFAC, regulatory compliance risk assessments
  • Internal Audit Analytics

For more information about our Internal Audit services, click here to submit an inquiry.

About the Author

Uday Gulvadi has over twenty years’ experience in internal audit, risk, and compliance advisory services and a unique blend of finance, corporate governance, risk, compliance, and information technology skills. He leads ACA Telavance’s Internal Audit, Risk, and Compliance Advisory services.

Prior to joining ACA Telavance, Uday gained extensive international business experience managing projects with international clients and held partner and director positions within the internal audit and risk management practices at leading, nationally recognized accounting and advisory firms.

Uday earned his Bachelor of Commerce degree from the University of Mumbai (India). He is also a Certified Anti Money Laundering Specialist (CAMS), a Certified Public Accountant, a Certified Internal Auditor, a Certified Information Systems Auditor (CISA), and a Chartered Accountant (India).

Uday serves on the Board of Governors of the Institute of Internal Auditors, New York Chapter and is the immediate Past President of the Chapter.