The Internal Audit functions of SSM banks find themselves challenged by regulation and supervision, technological change and scarce resources.
Faced with a rapidly evolving risk environment, Internal Audit (IA) functions leaders must continue to develop new capabilities. However, an emerging challenge for banks' IA is to retain their independence while balancing the needs of the business against the ever increasing demands of Supervisors.
European banks continue to face a challenging operational and regulatory environment, putting their IA functions in a more prominent and pressurised position. To understand these challenges better, KPMG member firms recently conducted an Internal Audit Benchmark Survey of 22 SSM banks based in 11 EU Member States.
The full results of this study will be released in February 2018, at a roundtable event for the IA leaders of participating banks. However, an initial look at our findings shows that regulation and supervision is seen as the leading challenge for these IA functions. There are several aspects to this, including:
Apart from increasing expectations around regulation and supervision, our survey shows that IA functions face two other major challenges. The first of these is the impact of technology. The rapid advance of digitization, data analytics, artificial intelligence and other technologies poses a number of challenges for IA teams. These include the need to tackle growing cyber risks; the importance of adapting to rapidly changing business processes; and the requirement to develop new IA tools and techniques that harness the latest technology.
Another major challenge is resourcing. Banks are finding it increasingly difficult to attract and retain suitably qualified and experienced IA staff. Indeed, the 2017 SREP judged some IA functions as having insufficient resources to fulfil their remit. One way that a number of banks have tried to tackle this challenge has been through increased introduction of rotations between the first and second line and IA staff. This, when delivered effectively, has extended knowledge transfer, enhanced the skills of staff members and facilitated further integration across the bank.
Looking ahead, IA leaders identify a number of key priorities for the next three years. These include making better use of digital audit techniques; managing cyber and cloud outsourcing risks; enhancing their communication with Supervisors; and improving their combined and coordinated approach to the planning and performance of assurance activities across the bank.
However, it is notable that Heads of IA see culture and status as equally important priorities for the future. Remaining a trusted advisor, valued by banks' leaders and board members, is a key goal for many. But so too is achieving a culture that strikes the right balance between `assurance' and `consulting' activities.
Once again, banking supervision has a significant impact on these so-called `soft' factors. On one hand, the desire to advise banks' leaders about supervisory thinking carries the risk of compromising the independence that is essential to any effective IA function. On the other hand, the need to support JSTs in their work carries the risk of IA functions being perceived as supervisors' agents.
In short, IA functions, already under pressure to develop new capabilities to meet increasing regulatory and technological demands, face a growing challenge in ensuring they strike the right balance between supporting supervision, retaining their independence, and adding value to the business.