At The Institute of Internal Auditors International Conference in New York this July, I had the privilege of moderating a panel of CAEs on global audit issues, emerging risks and challenges in the financial services industry.
We had a large international group, including hundreds of CAEs, who were eager to hear from our panelists representing some of the world’s largest financial institutions. Among the panelists were Mark Carawan, CAE of Citi; Naohiro Mouri, Chief Internal Auditor of AIG Japan Holdings; Nicola Rimmer, General Manager Audit at ANZ Bank; and Stephan Schenk, Executive Vice-President and Chief Auditor at TD Bank.
Panelists began with a discussion of the evolving risk landscape. As you might imagine, fraud, reputation and cybersecurity topped the risk list, with cloud risk rising in response to growing demand for mobile banking and big data analytics.
Although those risks are not necessarily new, the conversation focused on ways the internal audit function is evolving to stay ahead of the risk curve. Panelists emphasized the importance of continuous monitoring and the need for audit automation, digitization and more sophisticated tools to support the ascendancy of internal audit into a more strategic role as risk advisor across all lines of defense.
The need for the implementation of new audit technology and ongoing training in how to make the most of these new and sophisticated tools was a recurring theme, echoed in a subsequent question about the future of the internal audit function. Our panelists all emphasized the critical need for internal auditors to be able to anticipate and identify potentially disruptive risks and work closely with first-line managers to bring value-added mitigation recommendations to the table.
For me, the biggest takeaway from the discussion was the consensus among both panelists and CAEs in attendance, that regulators around the globe are beginning to align their efforts particularly in areas such as anti-money-laundering (AML) and the Bank Secrecy Act (BSA).
There seems to be a growing acknowledgement that money knows no borders. Regulators from various geographies around the globe are in much closer communication than ever before. They communicate regularly and they are creating a lot of pressure for financial institutions to make sure they are addressing risks — not only strategic risks, but local regulatory risks. And they are interested in the credentials of the people assigned to watch over these risks, to ensure technical competency.
From an internal audit perspective, this future state of increased regulatory cooperation and scrutiny demands robust risk assessments and risk training, to ensure that stakeholders understand all of the significant risks institutions face. Current regulatory hot buttons include: vendor risk management, AML/BSA, and cybersecurity to name a few.
In closing, I’d emphasize again that when it comes to internal audit, the tendency is toward unification – this includes ability to see the big picture, connect the dots, articulate interdependencies and collaborate. Regulators increasingly practice the same. For a more in-depth analysis of global regulation, I’d recommend our recently published white paper, The Challenges of Running a Global AML Program. Your thoughts and comments are appreciated, as always.