Regulatory changes pose challenges to internal audit departments at financial institutions

Download the PDF

Across the financial services industry, recent regulations have introduced a multitude of new requirements that continue to present firms with significant operational, compliance and control challenges. Regulatory reforms in banking, securities and derivatives have left key financial institutions with new compliance and reporting requirements, mandated changes in market structure and business practices, and have imposed higher standards of conduct on many market intermediaries.


While there are a number of new regulations that have yet to be completed, many have required full compliance for one to two years. To meet their new compliance requirements, financial institutions have undertaken major reorganizations, deployed new IT systems, adopted new risk management and operational policies and procedures, and developed robust compliance monitoring programs. Many firms continue to experience implementation challenges in all of these areas and struggle to balance the regulatory mandates and associated compliance costs.

Financial institutions are moving beyond the initial phase of compliance implementation, and they are now seeking to validate how well their compliance programs are performing against the regulatory requirements. Contained within a number of new regulations is the requirement that the compliance programs be subject to independent audits or validation, with the results of such audits reported to management and the board of directors, and provided upon request to regulators. Furthermore, financial regulators have indicated that they expect internal audit departments to play a significant role in ensuring compliance with new regulations.

Contained within a number of new regulations is the requirement that the compliance programs be subject to independent audits or validation, with the results of such audits reported  to management and the board of directors...

As many of these institutions begin to assess the sufficiency of their compliance efforts, firm management and internal audit personnel are finding that they lack the resources and technical know-how within their internal audit departments to appropriately evaluate new risks and operating procedures, and control frameworks. Assessing the sufficiency of policies, procedures and controls around new compliance requirements is made more difficult by principles-based regulations for which little practical guidance on benchmarks for success has been issued. Robust audits of the current compliance and control environment demand internal audit staff use new and evolving regulatory expectations as performance benchmarks. And that places more reliance on maintaining auditor judgments in risk management, operations and technology.

Key challenges for internal audit departments
Internal audit departments are experiencing a number  of challenges related to recent regulatory changes. Increasingly, financial services firms are becoming aware that internal audit departments cannot consistently meet the standards of their mandates. Following are a few key challenges summarized.

Financial services  firms are clearly spending significant amounts  of money on operational changes  and compliance programs within the business  to meet ambitious compliance and reporting deadlines.


Staffing levels and fiscal constraints — A clear challenge for internal audit departments is the availability of resources. With so many new compliance requirements being implemented simultaneously, the demand on internal audit to validate compliance has severely strained existing staff resources. Financial services firms are clearly spending significant amounts of money on operational changes and compliance programs within the business to meet ambitious compliance and reporting deadlines. However, the resource needs of their internal audit departments are competing with the needs of the business for scarce financial resources.

Staff knowledge and experience — Many of the regulatory changes facing financial institutions are driving highly technical operational reconfigurations or mandate compliance with requirements that lack prescriptive  benchmarks for performance. Internal audit departments within financial institutions of all sizes are finding that they often do not have the technical expertise in-house to evaluate the sufficiency of policies, procedures and controls that have been put in place. Particularly challenging areas for internal audit department staff to evaluate are changes in certain business practices, the evaluation of risk management at the enterprise and product level, and IT systems reconfigurations. To meet this challenge, many audit functions are staffed with a combination of skills, including business professionals, staff from other control functions and traditional auditors. Additionally some audit functions have moved away from the pyramid staffing approach to a high-performance team model that has more
staff at the middle ranks or is somewhat more top-heavy.

Audit risk assessments — Proper identification and assessment of the range of risks at an organization is essential to planning and executing an effective internal audit process. The risk assessment is applied to the audit universe to develop an initial audit plan and is critical to efficiently managing scarce audit resources. They are used to prioritize work that is undertaken by internal audit and determine areas where certain compliance testing or risk assessments can be used to address multiple requirements. These risk assessments allow auditors to develop a deeper understanding of the lines of business and control functions, as well as the state of the control framework. The knowledge and experience gaps discussed are exacerbated by the higher analytical complexity expected in the current environment.

Addressing internal audit challenges in the face of regulatory change
This note has generalized the challenges being faced by internal audit departments across financial institutions with diverse organizational structures, business activities and technology capabilities. The specific challenges presented in each firm will vary, as will the appropriate steps to mitigate any gaps in the capabilities of the internal audit department. Taking that into consideration, internal audit executives at financial services firms are undertaking some or all of the following steps to address their evolving needs:

  • Involving internal audit in the business change planning and implementation process
  • Conducting assessments of internal audit staff knowledge and skills
  • Engaging external staff with specialized expertise to supplement their internal audit resources
  • Leveraging newly enhanced compliance and enterprise risk management programs to identify key risks
  • Implementing governance, risk and compliance technologies to streamline expanding and more complex audit universes