Overcoming Obstacles and Embracing Opportunities in Banking Internal Audit

The banking industry today faces unprecedented challenges, ranging from an evolving regulatory landscape to technological disruptions that have transformed the enterprise and its exposure to risks. In particular, three key risks have emerged that are prompting banking internal audit teams to adjust their audit process and approach: cybersecurity and data security, increased use of advanced technologies, and regulatory and legislative changes.

Recently, I moderated a panel hosted by AuditBoard where I discussed these risks with three seasoned banking audit experts representing a diverse range of perspectives: Michael Pugliese (Partner at CrossCountry Consulting), Carl Seabrook (Chief Audit Officer at State Employees’ Credit Union), and Denise Dombay (audit executive at a financial regulator). 

In this discussion, we explored the diverse perspectives of a consulting partner, audit executive, and regulator on the complexities of managing audit and risk management programs amidst these challenges, as well as actionable strategies for success. Watch the full recording on-demand, and read on for the biggest takeaways from our conversation. 

Takeaway 1. Prioritize the Proper Cybersecurity and Data Security Controls 

Nearly 50% of attendees at our panel ranked cybersecurity and data security as the top risk facing their banking institution. One approach to addressing these preeminent risks is taking a risk management approach rather than a purely compliance-driven approach, something Pugliese has seen as a consulting partner to banks. This represents a shift away from paper-based and checklist reviews against cybersecurity and InfoSec frameworks toward real-world effectiveness reviews based upon specific cyber threats and threats facing the financial services sector. 

“Instead of relying on checklists or document review and stakeholder reviews, we’re seeing banks focused on technical evaluations of control effectiveness, says Pugliese. “They are spending a lot of time getting level three, level two, and level one metrics to drive truly actionable insights that can help them mitigate the risks they’re facing and that result in significant confidence in their program.”

Takeaway 2. A Multi-Pronged Approach to InfoSec Is a Strong Approach 

FINRA’s strong internal InfoSec team takes a multi-pronged approach to tackling cyber and data security. “At FINRA, we do a quarterly exercise where InfoSec coordinates with ERM to assess inherent risk and control effectiveness,” says Dombay. “More recently, they’ve added an assessment of residual risk that is reported to the audit and risk committee on a quarterly basis.” This assessment covers five areas — application security, cyber defense management, identity access management, third-party information security, and security vulnerability management — each of which has multiple metrics that are measured on a quarterly basis. Other elements of FINRA’s multi-pronged approach to InfoSec include:

• Internal resources for educating staff
• Quarterly enhancements including improvements to security tools, ongoing PEN testing, implementing a new threat intelligence program, ethical hacking tests, and implementing new security controls.
• External reviews by a cyber insurance broker and an external cyber and interdependencies review.

If you’re planning to upskill your audit team around cybersecurity, you’re not alone. Over 40% of virtual attendees at our panel noted they are working with consultants to build better processes to address growing cybersecurity and data security risks, while 32% are hiring audit staff with experience in these areas. 

Takeaway 3. With AI and Other Advanced Technologies, Consider the Opportunities Alongside the Risks

According to a poll conducted during our panel, 63% of our virtual attendees said data privacy and protecting sensitive data was the most concerning risk related to advanced technologies. While this did not come as a surprise to our panelist speakers, they also acknowledged the benefits of these technologies in helping banking internal audit teams drive their audit programs. 

“With any new technology risks, there are also a lot of opportunities that come with them,” shared Pugliese. “From an opportunity perspective, particularly in banking, banks have been using some form of automation — whether its AI, machine learning, et cetera — to detect fraud and perform other key business functions. I think particularly in the risk and compliance space there are a lot of opportunities.” 

“Technology is key to our audit approach,” Seabrook noted, “and we are fortunate to have a dedicated group of professionals focused on leveraging advanced technologies, such as machine learning and audit software like AuditBoard to gain efficiencies in audit execution and to continuously improve our audit processes.”

Pugliese offered several considerations for anticipating the risks that accompany using advanced technologies: 

1. Take a use-case based approach. If you put thought into the use cases that will drive business value, rather than looking for problems to solve, the more likely you will get value out of your technology investments. 
2. Consider governance and controls. If you have a self-learning model, think about how you will audit it. What are the logistics of providing evidence that your AI is doing what it needs to do on a consistent basis? 
3. Build internal capabilities and COEs around the technology. This is important to becoming self-sustaining and self-sufficient as your understanding of the technology evolves. 
4. Prioritize quality data. With any technology you employ, data quality matters. It’s garbage in, garbage out, so if you don’t have confidence in your input, it will be difficult to have confidence in the output. Think about the whole ecosystem and prioritize solid data quality and architecture to get the most out of your tech investments. 

Dombay added her perspective as a regulator, noting: “We acknowledge that AI poses additional challenges and great benefits to the work that our member firms conduct with investors.” The following are areas of focus she suggested for banks considering what regulators might be looking for:

1. Model risk management. Best practices include: performing model validation, conducting upfront and ongoing testing of models, running models in parallel to ensure consistent results, maintaining an inventory of models, model performance benchmarking and embedding benchmarks within your policies and procedures.
2. Data governance and security. Best practices include: ensuring there isn’t bias, verifying sources (especially if they are being pulled in from outside the organization), employing data lakes which help maintain the consistency of data.
3. Customer privacy. Implementing policies and procedures and taking any necessary steps to ensure you are protecting customer data, especially PII and biometrics.
4. Supervisory control systems. Best practices include: cross-functional technology governance, conducting testing of all the applications, ensuring personnel are properly licensed, having a fallback plan, etc.

Takeaway 4. Develop a relationship with your regulator.

As the banking industry contends with increased regulatory pressure as well as changing compliance requirements, one of the biggest takeaways from our panel was the importance of developing a relationship with regulators. Monitoring your regulator’s areas of focus is a best practice for all banks, while further engaging by writing comment letters and proactively developing relationships with regulators can reap other benefits. “Organizations will often wait until they receive notification of an examination before they engage with their regulators,” Seabrook noted. “Meanwhile there are so many opportunities where your organization can benefit from by proactively engaging your regulators with discussions regarding how your organization has interpreted a new rule and your plans for implementation or to inform them of progress being made in certain areas of interest. It has been my experience that regulators, especially those serving in the credit union industry, truly want to help and see our organizations thrive.”

“The most effective regulatory program we’ve seen is a client that viewed stakeholder management and building relationships with regulators as fundamental to their program’s success,” recalled Pugliese. “Depending on size of your institution, don’t worry so much about being the first to market, which is costly and may be better for larger companies; rather focus more on being a fast follower — this is a concept that can be an effective solution for midsize banks.”

Now Is the Time for Bank Internal Audit Teams to Step Up 

The panel’s lively conversation underscores the importance of adapting internal audit processes to address these evolving challenges effectively. Bank internal audit teams must navigate the risks described above by building proper cybersecurity and data security controls, considering the benefits and risks of advanced technologies, and engaging with regulators proactively. Ultimately, internal auditors play a critical role in guiding their banks to develop risk resilience and achieve success amidst these challenges.