Transforming Internal Auditing to Combat Financial Services’ Heightened Risk Exposure
The business environment for financial services can only be described as dynamic, with the pace, variety, volatility, and potential disruptive force of familiar and new risks seemingly accelerating every day.
Now more than ever, financial services organisations need the trusted advice and insight of high-performing internal audit functions. Unfortunately, many internal audit teams have not kept pace with the changing needs of their organisations, customers, and environment.
“Deciding when and on what to make an audit intervention is probably one of the biggest challenges in financial services today — and in most cases what is needed is nothing short of transformation.”
Steve Evenden
Internal audit needs a major upgrade to fulfil its potential value to the organisation. Below, we break down a seven-point plan to transform your financial services internal audit team and become the valued partner your organisation needs.
Where Internal Audit Falls Behind — and Falls Short
In many cases, internal auditing has evolved with the sector and delivers excellent value to management and the board. Too often, however, in our experience internal auditing is not aligned with changing risks and business priorities. The continued application of traditional auditing approaches limits both the scope and the ability to respond to organisational needs. In such conditions, it is hard to demonstrate to stakeholders that internal auditing is making a difference.
The problem affects all aspects of audit — tasks, tools, and talent. Without a significant overhaul, it cannot maintain scrutiny of the risk landscape and respond in a way that is timely and useful. We have found that traditional practices are time-consuming and inflexible, often based on an outdated risk assessment so that when reports are delivered, they address situations that have already been addressed or are no longer relevant. In such cases internal auditing is reactive and backwards looking, and fails to provide valuable insights. Being able to get your fingers on the pulse of the material risks of the business in real time is something all internal audit teams struggle with to a greater or lesser extent — and is a prime target of internal audit transformation.
Setting Your Sights on Transformation
The change must be transformational. Auditors must push themselves to think differently, introduce new audit products, get serious about data analytics, provide real-time assurance, and deliver customer-oriented outcomes. They need to have more than one approach in their toolbox. In such a flexible and dynamic environment, the business simply cannot wait a full audit cycle to get insights from auditors.
Technology is at the heart of the needed transformation. Manual processes are too slow and inefficient. They rely on limited sampling and incomplete analysis, providing untimely results, limited visibility, errors, and misinterpretation.
This is really both a major opportunity and a pressing need.
“We live in a world where we are becoming used to having information at our fingertips, but manual processing and legacy technology simply won’t allow us to have information real-time in order to surface the risks, maintain pace with the regulators, and help keep our organisations at the cutting edge.”
Steve Evenden
Digital transformation needs to be more than just doing the same thing but on a computer. Off-the-shelf solutions are not the answer. It’s about both more speed and more quality, in pretty much everything. The aims of any audit transformation should include:
- Expedited audit planning.
- Better aligned audit scope with organisational needs and customer priorities.
- Integrated processes for communication, planning, fieldwork, documentation, and reporting.
- Increased customer interaction.
- Real-time findings and insights enabling real-time (or rapid) remediation.
Processes need to be reimagined and Agile methodologies are extremely useful for this — when implemented well. However, the danger is to focus too much on the “uppercase-A” Agile mechanics (scrums, scrum masters, sprints, etc.) and not enough on “lowercase-a” agile decision-making. Auditors need to be doing the right thing at the right time.
How to Transform Internal Auditing: A Seven Point Plan
The new Global Internal Audit Standards create a great opportunity for internal audit functions to revisit everything they do. While there can be no magic solution, the following seven steps provide a useful, structured approach to implementing meaningful audit transformation.
1. Start with a fundamental mindset shift to accepting that “change is a constant.”
Auditors constantly shift based on new information, which requires open communication and transparency with stakeholders. This starts with the tone from the top all the way down through your brand new staff auditor. It’s important to note that change is a constant not just from a regulatory standpoint, but also from the first-line standpoint because the business’ priorities are also going to be changing. It’s critical to keep business changes in mind, factor them into your audit plan, and continue to scope changes throughout the year.
2. Encourage team members to be “jack of all trades.”
Move beyond being a master of one thing. Now more than ever, we need auditors to be multi-skilled. For instance, it’s no longer acceptable to say “I’m not a technology auditor.” There will be variants from people who can code down to somebody who can do a pivot table, but we all need to embrace a level of data competence to audit in the future.
Auditors of every level must broaden their talents to be successful in a variety of areas. The future state is that any auditor — staff, middle, or upper management — could step into any engagement and add value. They might not be experts in the business function they’re about to review, but they can provide a perspective on how to go about the audit.
One approach we’ve seen be instrumental in creating a “jack of all trades” perspective across a lot of financial services organizations is a rotational programme, which gives the whole third line a full perspective on where their particular business unit sits in the risk taxonomy amongst the entire organization.
3. Evaluate current tools for gaps.
Your audit technology should also support your transformation and a dynamic way of working. When introducing audit software, follow a careful, inclusive, supported, and sustained change management process.
Get tactical and inventory your tech stack, taking an objective look at your current tools and evaluating them for gaps. Is your audit and risk software easy to configure? Does it require expensive skilled resources to maintain and make changes? That’s something that we see very prevalently in the industry — whether it’s a manual process or a legacy technology — it’s convoluted, regimented, and so specific that you may rely on particular auditors who know the nuance of the system to make updates, which creates a bottleneck effect.
A few other key questions to ask about your tech stack:
- Does your software easily integrate with existing and modern tools to keep data flowing and enable comprehensive visibility and automation across audit, risk, compliance, and business strategy teams?
- Does it empower real-time communication between the first line and the auditors?
- Does it simultaneously support traditional and agile audit methodologies for a multifunctional audit team?
- Do you have access to sufficient support, training, enablement, and a robust peer community to make the most of your software investment, and quickly ramp new team members as you expand to support a broader audit universe?
4. Prepare your team with specific policies & procedures and training.
Each transformation is unique, so it’s essential to document your processes as you go through the changes and make decisions. The resulting document will look different for each internal audit team based on your business conditions, strategy, and goals. The guide should be a living document that is revised when needed.
Your audit training program should include these policies and procedures. Training sets expectations and provides your team with consistent guidance. As a best practice, prepare training resources that each auditor can refer to in the early days of the transformation.
5. Implement modern technology to improve audit efficiencies.
Automation can help you become more dynamic by providing deeper insights into a risk area before you begin testing. Your entire set of technology tools — including those for automation, analytics, collaboration, and visualisation — should be geared toward increasing internal auditing efficiency and agility. Again, this doesn’t mean you need to throw everything out — make sure your audit management solution supports integrations across your business’s technology ecosystem.
To imagine what this could look like: automation can provide deeper insights into a risk area before you begin testing, and even support testing efforts so the audit team can focus on more value-added testing. Once you incorporate dynamic risk data into the planning effort, the team is better informed about needing to pivot in your audit plan. Collaboration with stakeholders through integrated technology reduces the need for time-consuming emails and manually tracking support requests. All of this can then come together through your data visualisation tools that aggregate information and support the team’s ability to make informed decisions.
6. Tie audits to business priorities to audit the right risks at the right time.
Tying audits to business priorities, strategies, and objectives is an important step in making sure that the audit process is focused on addressing the organization’s most significant risks. When we’re meeting with senior management or at an audit committee meeting, we need to ask distinct questions about their priorities and the risks that are top of mind for them — making sure that you’re continually getting that information from them and the other influential leaders within the business. Keeping your finger on the pulse of the business means that the audit team can assist the organization in achieving its strategic objectives while providing assurance that the associated risks are effectively managed by aligning the audit plan with business priorities. Looking ahead, once we’ve established this link, the audit teams can focus on high-risk areas in the present rather than just at a specific point in time in the recent past.
7. Be dynamic with your transformation!
Don’t be afraid of change! Embrace audit transformation in a dynamic way. Incorporate creative and innovative methods and technology to boost efficiency, risk, and long-term growth. If you try something and doesn’t work, don’t be discouraged — adjust and be flexible. You don’t have to go all in right away. Take baby steps, experiment, and learn as you go.
Remember, transformation is a journey, not a destination. There is no “end” to transformation where we deliver it and pat ourselves on the back for doing a great job. We’re evolving our approach to internal audit to one that looks to continuously improve, adapt, and learn to support our business in responding to a volatile environment. There’s no better time to get started than now!
Steve is the Chief Internal Auditor at Nationwide Building Society. He has been an internal auditor for over 20 years in roles across the Financial Services Sector, and is currently the deputy President of the Institute of Internal Auditors in the UK. Connect with Steve on LinkedIn.
Mike Rissmiller is an Enterprise Account Executive at AuditBoard working with our financial services clients. A former Federal Reserve analyst and examiner, Mike started off his career focusing on bank capital and liquidity reporting before transitioning to industry audit as an Audit Manager for State Street Corporation. Connect with Mike on LinkedIn.