As May marks Internal Audit Awareness Month, let’s take a look back at how the function has changed over the years, and how complexity in banking has impacted internal audit staffing and audit methodologies.
The evolution of complexity in banking can’t be ignored. Over the past 20 years, the industry has seen innovations in internet banking, mobile banking, dozens of payment methods for consumers and businesses, and new high-risk customer segments and partnerships. The financial services sector also experienced the most active period of regulatory development on record.
Twenty years ago, bank internal auditors were likely a homogenous group, except for the IT audit specialty, which was staffed by auditors with specialized training or prior experience in IT departments. Even then, many bank audits were conducted as integrated audits, with traditional financial/operational auditing and IT auditing combined.
Fast forward to today, and many banks today have specialty audit groups for IT auditing, compliance auditing, and commercial credit auditing in addition to traditional financial/operational auditing. Some banks even have specialty audit groups for fintech relationships. Larger banks might separate compliance auditing into two smaller groups for consumer compliance and BSA/AML/OFAC auditing. Larger bank internal audit departments may also have a dedicated analytics group. The granularity and complexity in bank internal audit departments follow the complexity in banking itself.
Typically, smaller bank and credit union internal audit departments respond to complexity by performing traditional financial/operational audits internally, and outsourcing or co-sourcing the specialty internal audits, whereas larger bank internal audit departments respond by hiring subject matter experts (SMEs) to join traditional audit teams and add value to audits with their expertise. Note that the smallest community banks and credit unions might outsource the entire internal audit function.
Another impact to staffing is that bank internal auditors are less likely to be “bean counters” with accounting backgrounds and more likely to come from varied, operationally oriented backgrounds. They may bring expertise in fintech, cannabis, or virtual currencies. Today’s bank internal auditors are also more likely to understand and use analytical tools, even if they’re not part of an analytics group.
In addition to addressing complexity with a mix of auditors, audit methodologies might differ. For example, compliance audits and commercial credit audits typically use less random and statistical sampling, opting for more judgmental sampling than traditional financial/operational audits. Audit teams may spend more time stratifying the population before selecting samples and rely on analytics to help with this.
As the Institute of Internal Auditors (IIA) puts it, internal audit’s role in corporate governance is vital, providing assurance, insight, and foresight:
Despite changes in the banking industry, what hasn’t changed over the past twenty years is the role the internal audit department plays in a bank or credit union. Internal audit forms the third line of defense — providing assurance that controls are functioning and catching issues before examiners do.