Regulators increasingly expect internal audit teams to continually develop and enhance their audit plans in the face of new risks. As the third line of defense, an internal audit team must be proactive to stay one step ahead of emerging risks. Developing strong competencies to understand these risks is vital for an internal audit team as a means of providing additional value to senior management, the board, and other stakeholders. Some of the emerging internal audit risks that teams should focus on include:
- Strategic risk – In some institutions, internal audit is being asked to provide advice and insight about strategic projects and opportunities. This could include getting involved in the early stages of developing a new business line or a potential merger to help senior management better understand and manage potential issues. The presence of internal audit on such projects also helps the team gain deeper insight into how the organization is evolving.
Regulators are looking at how strategic risk is considered as part of internal audit’s risk assessments. For example, is strategic risk assessed at the organizational level or at the level of auditable entities as well? How are strategic risk issues communicated by the team to the audit committee and the board of directors?
- Cybersecurity – Today many financial institutions must comply with New York State’s cybersecurity rules, and other jurisdictions also have their own regulations. Financial services firms are seeing an increased focus from regulators on their cybersecurity risks and defense frameworks, people, and resources. Data privacy and protection are growing themes – the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two prominent existing regulations, but more new rules in this area are expected over the next few years. There is also an enhanced focus on security controls for data protection of personal data shared with vendors and third parties. Internal audit teams must include cybersecurity and privacy controls assessments as a key part of their audit program.
- Culture and conduct – These issues remain a top regulatory priority, and many financial institutions are keen for internal audit to find ways to review controls related to culture and conduct. However, providing assurance on something relatively subjective has proven to be a challenge. To best support this risk area, internal audit teams should discuss with stakeholders what form culture and conduct assurance should take. One strategy could adopt be to provide a culture and conduct “maturity assessment” to management and the board. Following this approach, an internal audit team would use a culture and conduct assessment framework as a foundation, and build upon that through interviews with management and additional research. Potential benefits could include improved communications, enhanced governance, or focused management attention to specific culture and conduct issues.
- Sustainability risk – Regulators are also taking more interest in the approach firms take to managing sustainability risks. For example, the UK’s Bank of England recently published a consultation paper, Enhancing banks’ and insurers’ approaches to managing the financial risks from climate change, which provides insights into how internal audit might include climate change concerns in the risk management framework to identify new risks, additional controls, and develop potential scenario analysis exercises. It may be possible that firms in other jurisdictions will need to think about providing public disclosures around these issues as well in the future.
Overall, it seems clear that emerging risks will continue to play a bigger role within internal audit teams’ risk-based audit plans and audit programs. Although regulatory interest may prompt some of this activity, internal audit’s proactive action in these areas can also help the organization’s board and senior management better manage these risks and achieve its goals.