Agile internal audit management: Complying with industry’s dynamic regulations and beyond – A financial services perspective
The financial services sector undergoes constant changes, which include expanding organizational risk profiles, stricter regulations, and increasing stakeholder expectations. These factors create a demanding assurance landscape for internal audit teams. However, traditional internal audit processes and outdated technology hinder real-time visibility into risks and impede the flexibility to address these changes effectively.
To tackle these challenges, many internal audit teams are adopting elements of agile auditing, a proven and practical approach that offers the necessary flexibility. Deloitte defines Agile Internal Audit as a collaborative, self-organizing approach that relies on iterative development, allowing audit requirements and solutions to evolve. The primary focus is delivering the most significant business value and achieving continuous improvement, resulting in better, faster, and more resilient functions.
This blog post explores the various difficulties financial services audit teams face and outlines how they can leverage agile auditing to overcome these challenges.
Overcoming the challenges faced by financial services internal audit teams
We have listed the top challenges faced by internal audit teams of financial services and the possible solutions to overcome them below:
1. Keeping pace with a changing regulatory environment
Maintaining compliance and minimizing business disruption is crucial in a constantly evolving regulatory landscape. To achieve this, a continuous audit approach is necessary to adapt to regulatory changes promptly. Various entities in the financial sector, such as retail community banks complying with the FDIC Improvement Act (FDICIA), bank holding companies complying with the Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Stress Testing (DFAST), and securities broker-dealers reporting to the Financial Industry Regulatory Authority (FINRA), face the impact of regulatory changes. Traditional audit methods typically establish audit plans a year in advance, which makes it challenging to respond quickly to new or updated regulations.
Solution: A different approach is needed to stay current in this rapidly changing regulatory landscape. Internal auditors who adopt an agile mindset acknowledge that changes are inevitable and incorporate this understanding into their audit plans. They proactively monitor and address all risks, including regulatory risk, by frequently revisiting their risk assessments to accommodate new and evolving regulations. Based on the current regulatory environment, they update their audit plan accordingly, allowing for greater adaptability.
2. Using a restrictive audit process methodology
Traditional audit processes and methodologies may hinder the ability to adapt to the dynamic nature of risks and regulations quickly. In the financial services sector, conventional audit methodologies often follow a 1-3 year audit cycle that prioritizes entity coverage, with audit plan completion serving as the primary measure of success. This approach restricts the audit team’s agility in responding to changes during the audit cycle. Making changes to the audit plan requires an audit committee review, leading to additional delays.
Solution: Many financial audit teams embrace an agile mindset for a shorter audit lifecycle to overcome this limitation. A team practicing agile auditing is empowered to make timely decisions that ensure the audit plan adequately addresses emerging and escalating risks. By reducing the audit lifecycle to a quarter, the team can create and execute the audit plan based on the most up-to-date information without needing constant approval for changes. This approach enables greater flexibility and responsiveness to the evolving risk and regulatory landscape.
3. Reliance on outdated tools and technology
Another obstacle internal auditors face is the reliance on obsolete or internally developed audit tools and technology. These tools were originally designed for traditional audit cycles, featuring annual audit plans that typically remain unchanged throughout the year. Such internally developed or standard audit software often lacks the flexibility required to support agile auditing. Moreover, these tools and technology have limited capabilities and are not easily integrated into sophisticated organizational ecosystems. They may present a formidable choice of opting between coverage-based and risk-based audits, even though both are likely to co-occur, especially in agile auditing.
Solution: To overcome this challenge, audit leaders must stay informed about available technologies and understand the variations among different solutions. Agility also entails shifting to more effective technology as it becomes available. Therefore, audit teams should incorporate a technology maturity plan into their department’s strategy. This plan anticipates the need for technological advancements in audit solutions, analytical tools, process automation, and other supporting systems and integrations. By embracing evolving technologies, audit teams can enhance their efficiency and effectiveness in line with the agile auditing approach.
Internal audit management: Going beyond risk management and compliance
Forward-thinking organizations are not content with complacency. They continually evolve and adapt, exemplified by Netflix’s transformation and Apple’s success in disrupting multiple industries. These business pioneers respond to change and act as catalysts for change. Surprisingly, internal audits can play a leading role in this journey.
Consider this: No other department possesses the unique combination of skills, tools, professionals, and mandate to shape the organization’s path to the future. The C-suite is often preoccupied with immediate concerns, while the board provides guidance but lacks execution capability. Corporate counsel tends to have a narrower focus, and the Chief Risk Officer (CRO) may prioritize risk over opportunities.
In this rapidly changing landscape, there lies an opportunity for auditors and their teams to become catalysts for innovation. However, the internal audit team must evolve to drive organizational adaptation effectively. And one of the ways to do so is to follow an agile internal audit approach.
The days of relying solely on traditional methods and recruiting from a limited talent pool are over. Audit plans formulated over the past five years will offer little value in the next five years. A narrow-minded focus on historical financial reporting and current cash flows and earnings must give way to a broader perspective on the future.
As coined by Deloitte, the future is Internal Audit 3.0.
Internal Audit 3.0: Assure. Advise. Anticipate
The value sought and required by stakeholders in Internal Audit can be summed up in three key aspects: Assure. Advise. Anticipate.
While assurance remains the fundamental role of internal audit teams, the scope of activities, issues, and risks to be assured should extend beyond the past and encompass real-time insights. Internal Audit 3.0 emphasizes the need for functions to address evolving stakeholder demands through innovation and the enablement of technology, thereby broadening the reach of assurance activities.
Guiding management on control effectiveness, change initiatives, risk management enhancements, and the design of assurance mechanisms falls squarely within the internal audit team’s responsibilities and aligns with stakeholder expectations. Often, internal auditors lean on ‘independence’ as a justification to stay within their defined boundaries, limiting their ability to offer valuable insights and opinions. However, most stakeholders express a genuine desire for such guidance. Internal Audit 3.0 encourages functions to maintain independence while actively advising the business, fostering objectivity, integrity, and professionalism.
Transforming Internal Audit from a retrospective function that solely reports on past events, Internal Audit 3.0 emphasizes the importance of anticipating risks and helping the business understand and proactively address them. By incorporating risk sensing and risk learning, internal audit teams become a forward-looking function that raises awareness of potential issues and provides proactive measures before they materialize. This shift enables the function to stay ahead of emerging risks and support the organization in crafting preventive responses.
In summary, Internal Audit 3.0 encompasses a holistic approach that ensures a broader range of real-time activities, guides management through advisory roles, and anticipates and mitigates risks before they impact the organization. Embracing this new paradigm enables internal audit teams to meet stakeholder demands and contribute significantly to the organization’s success.
Charting the path to the future for Internal Audit Management
For internal audit teams to successfully transition from the present to the future, the following steps should be taken:
- Harness technology: Leverage the transformative power of technology to enhance internal audit. Integrate analytics, risk sensing, and visualization tools to gain deeper insights, improve decision-making, and reduce costs.
- Communicate effectively: Move away from static PowerPoint presentations and embrace dynamic reporting enabled by analytics and visualization tools. Graphic representations of emerging threats and opportunities can effectively inform and persuade stakeholders.
- Rebalance the audit plan: Strive for a well-rounded strategy that balances assurance and advisory activities properly. Increasing the focus on advisory activities will help the internal audit team remain relevant in the evolving landscape.
- Shape and align with stakeholder expectations: It is crucial to ensure that the audit committee and management fully comprehend and embrace the necessary evolution of internal audit. Transparent communication, open dialogue, and a persuasive advocate can help facilitate this understanding.
- Increase influence: Strong leadership from the Chief Audit Executive (CAE) and a compelling articulation of the impactful role of internal audit, including its position as a trusted advisor, can elevate its stature. This will enable the CAE to sit at the table with other C-suite executives, exerting more significant influence and making a meaningful impact.
- Cultivate the right skills and competencies: Traditional skills focused on controls and compliance must be augmented with advanced advisory skills encompassing strategy, strategic risk, scenario planning, as well as business and industry insight.
- Explore alternative staffing models: To maintain agility and responsiveness, the internal audit team should consider alternative delivery models such as co-sourcing, outsourcing, offshoring, and virtual teams. This ensures the availability of the right skills in the right quantities and locations.
- Audit of the strategic planning process: Validate the strength of management’s strategic planning process, which encompasses scenario planning to identify and mitigate risks that could significantly impact value.
- Evaluate the second line: Assess the risk management function end-to-end as a part of an optimal risk management structure. Internal audit management teams must pay particular attention to their process for identifying and assessing emerging risks, challenging whether they truly consider the unthinkable.
By following these steps, internal audit can navigate the path towards a future-ready state, enabling it to deliver enhanced value and contribute effectively to the organization’s success.
Financial services internal auditors should devise a comprehensive departmental plan addressing the three challenges discussed by adopting agile auditing. Firstly, cultivating an agile mindset is vital, allowing auditors to respond swiftly to pressing risks without being constrained by traditional audit methods. Engaging auditees and stakeholders from the outset and keeping them informed about issues or deficiencies during fieldwork, rather than waiting until the reporting phase, fosters greater involvement.
Secondly, an agile audit approach empowers auditors to proactively address the evolving risk landscape before their team falls behind. This entails staying attuned to emerging risk trends and new regulations and promptly adjusting audit strategies accordingly.
Lastly, embracing appropriate technology that facilitates flexibility in executing projects using agile methodologies is paramount. Audit departments are rapidly transitioning to agile auditing, leveraging the adaptability of an agile mindset. Those financial services internal auditors who have already embraced agile audit practices demonstrate heightened alignment with critical business risks, enabling them to pivot swiftly in response to emerging risk trends and evolving regulations.
By planning and executing these steps effectively, financial services internal audit teams can navigate the future landscape with agility and effectiveness, ensuring they remain proactive and well-positioned to address the industry’s ever-changing demands. They can utilize integrated internal audit software like IBM OpenPages with Watson to enhance internal audit, incorporating analytics, risk sensing, and visualization tools to delve into deeper insights, improve decision-making processes, and achieve cost reductions.
iTech has a pool of experienced and certified internal audit solutions experts and consultants. To know how we can help you implement the latest version of IBM OpenPages to meet your auditing needs, you can connect with us by sharing your details.