Internal Audit: Threading the needle

Internal Audit: Threading the needle

The Internal Audit functions of SSM banks find themselves challenged by regulation and supervision, technological change and scarce resources.

1000
Multi colour reels of sewing thread in drawer

Faced with a rapidly evolving risk environment, Internal Audit (IA) functions leaders must continue to develop new capabilities. However, an emerging challenge for banks' IA is to retain their independence while balancing the needs of the business against the ever increasing demands of Supervisors.

European banks continue to face a challenging operational and regulatory environment, putting their IA functions in a more prominent and pressurised position. To understand these challenges better, KPMG member firms recently conducted an Internal Audit Benchmark Survey of 22 SSM banks based in 11 EU Member States.

The full results of this study will be released in February 2018, at a roundtable event for the IA leaders of participating banks. However, an initial look at our findings shows that regulation and supervision is seen as the leading challenge for these IA functions. There are several aspects to this, including:

  • The need to monitor banks' compliance with an ever-expanding regulatory burden; 
  • The need for close co-operation with Joint Supervisory Teams (JSTs), including conducting follow-up work based on SREP findings; and
  • The need to meet supervisory expectations on internal governance and risk appetite, including IA functions themselves. Internal governance is a key priority for the SSM, and the on-site inspections of the 2017 SREP generated more IA-specific findings than in previous years. Some of the most common recommendations by JSTs focused on the resourcing, independence, coverage and quality of IA activities.

Apart from increasing expectations around regulation and supervision, our survey shows that IA functions face two other major challenges. The first of these is the impact of technology. The rapid advance of digitization, data analytics, artificial intelligence and other technologies poses a number of challenges for IA teams. These include the need to tackle growing cyber risks; the importance of adapting to rapidly changing business processes; and the requirement to develop new IA tools and techniques that harness the latest technology.

Another major challenge is resourcing. Banks are finding it increasingly difficult to attract and retain suitably qualified and experienced IA staff. Indeed, the 2017 SREP judged some IA functions as having insufficient resources to fulfil their remit. One way that a number of banks have tried to tackle this challenge has been through increased introduction of rotations between the first and second line and IA staff. This, when delivered effectively, has extended knowledge transfer, enhanced the skills of staff members and facilitated further integration across the bank.

Looking ahead, IA leaders identify a number of key priorities for the next three years. These include making better use of digital audit techniques; managing cyber and cloud outsourcing risks; enhancing their communication with Supervisors; and improving their combined and coordinated approach to the planning and performance of assurance activities across the bank.

However, it is notable that Heads of IA see culture and status as equally important priorities for the future. Remaining a trusted advisor, valued by banks' leaders and board members, is a key goal for many. But so too is achieving a culture that strikes the right balance between `assurance' and `consulting' activities.

Once again, banking supervision has a significant impact on these so-called `soft' factors. On one hand, the desire to advise banks' leaders about supervisory thinking carries the risk of compromising the independence that is essential to any effective IA function. On the other hand, the need to support JSTs in their work carries the risk of IA functions being perceived as supervisors' agents.

In short, IA functions, already under pressure to develop new capabilities to meet increasing regulatory and technological demands, face a growing challenge in ensuring they strike the right balance between supporting supervision, retaining their independence, and adding value to the business.

Connect with us

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today