2025 Trends FinServ Internal Auditors Should Know

As regulatory pressures and emerging risks mount for the financial services industry, greater collaboration to understand the full scope of risk and compliance needs across the enterprise will be critical to success. We spoke to audit leaders at major financial institutions and Big 4 audit firms to uncover the trends they anticipate will be most relevant for FinServ auditors in 2025.

See what’s on their radar, then download a copy of 2025 Audit Trends in Banking and Asset Management to learn about the successful strategies internal audit teams are using to enhance collaboration and meet new challenges.

Trend 1: Regulators and institutions alike are prioritizing AI

Examiners have taken their cues to prioritize AI from the OCC, and financial institutions are planning accordingly. As auditors include AI in their audit plans for 2025, a major challenge will be defining AI and understanding how it is being used in the organization, notes one partner at a Big 4 firm.

Strengthening Governance and Controls Around Responsible AI Usage: Having governance and controls around AI usage will be critical as its availability increases over time. One CAE at a large bank reports having enterprise-wide generative AI governance processes in addition to a governance council that approves GenAI use cases. Another CAE at a large credit union notes that they have a similar governance structure around AI that is focused on conforming AI usage within the organization’s risk appetite and boundaries. 

Trend 2: The updated IIA Standards encourage internal audit to collaborate across the three lines

The updated Standards’ emphasis on coordinated assurance has driven organizations to enhance their risk and control frameworks and create assurance maps that align taxonomies and track risk coverage across all three lines of defense. These efforts have facilitated deeper connectivity and process-level oversight to support effective risk management.

Harmonizing Risk Management for Coordinated Assurance: A vice president of internal audit at a large bank noted that after their bank moved from Category IV to Category III, all three lines faced elevated scrutiny from regulators on the connectedness of their taxonomies and systems. In response to the new regulatory pressure, all three lines — which were already functionally aligned — activated to further connect their risk and control framework, taxonomy, and processes, encouraged by the Standards’ updated prescriptiveness around coordinated assurance. This leader noted that being able to define the value proposition of connected risk for all stakeholders at the table was necessary in their efforts, and the new Standards have been helpful to make that case. 

A Big 4 partner specializing in banking and capital markets also noted the Standards’ emphasis on coordinated assurance, which has encouraged many organizations to create an assurance map to coordinate and track risk coverage across the business and different lines of defense. In the most successful scenarios, this assurance map has evolved beyond covering high-level risks to a more magnified overview of process-level risks — supporting greater connectivity across the three lines. This partner also noted that roughly half of the institutions they see have a common risk taxonomy across their organization, which has helped facilitate the definition of critical issues requiring escalation across the three lines. 

Trend 3: Regulatory sentiment toward connected risk

The need for internal audit to align with the first and second lines when collaborating has bumped up against regulators’ expectations for internal audit to be their eyes and ears on the ground. To manage this dichotomy, internal audit must make the effort to understand the second line’s work in reaching their conclusions while also being comfortable challenging them. 

Proactive and Clear Communication With Regulators and Audit Stakeholders: The CAE of a large credit union reports navigating this challenge by having proactive touch points with regulators about their strategy for working with other lines. This allows audit to get a pulse check on where they may need to reassess their strategy moving forward. The CAE added that audit teams must be prepared to clearly communicate to the second line their expectations for the level of work they are comfortable relying upon, and be equally comfortable challenging them so they can demonstrate these actions to regulators.

From strengthening AI governance to further coordinating assurance across the three lines, it’s clear that internal auditors at banks, credit unions, investment firms, and other financial institutions have a key role to play in optimizing risk management going forward. Get your copy of 2025 Audit Trends in Banking and Asset Management today to read how audit teams can lead the way.