In Grant Thornton LLP’s fourth annual survey of chief audit executives (CAEs), financial services CAEs revealed that increased regulatory burdens are forcing them to make trade-offs between meeting regulatory compliance requirements and pursuing higher-value activities¹. However, these regulations have also enhanced their governance practices. Their responses reflect the realities of operating in a heavily regulated industry and further reinforce the views of CAEs across the U.S. — that there has been a major shift in internal audit to compliance-related activities.
Regulatory requirements are adding to internal audit departments’ workloads in financial services organizations across the country, with 54% of respondents reporting that meeting these requirements constituted 1–25% of their workload in 2014. In the next 12 to 24 months, CAEs expect this percentage to increase.
At financial institutions large and small, CAEs cited increased costs as the biggest impact of regulation, with other major effects being improved governance and more rigorous testing. For organizations with total assets of more than $50 billion, the increased regulatory burden has forced CAEs to shift resources from activities they see as having higher value (i.e., pursuing opportunities for growth). This was less of a concern for institutions with total assets of less than $50 billion.
One-to-many approach gains traction
Greater regulatory requirements mean that internal audit departments are being pushed to use their resources more efficiently and to add value throughout the internal audit process. In the survey, 66% of financial services CAEs indicated they are leveraging control testing results across multiple compliance requirements (e.g., testing controls over logical security and using those results to satisfy PCI, SOC and ISO) — the one-to-many approach. This number is up from 59% in 2013, indicating financial services CAEs are feeling more comfortable with the new paradigm and are working to get as much value as possible out of compliance activities.
According to Warren Stippich, National Governance, Risk and Compliance practice leader: “To meet all key risks, the internal audit plan must become more holistic and efficient — internal audit activities simply can’t be segregated as distinct goals anymore for planning purposes. If any risk area is left on the table, it creates more risk for the organization as a whole and puts the internal auditors in a precarious position. The goal of adding value is not going away for internal audit, no matter what the compliance expectations may be.”
One-to-many isn’t easy to implement, and internal auditors may be tied to the idea that they must perform control testing in one area at a time to ensure accuracy. “We disagree and challenge CAEs to at least take another look at the possibility,” Stippich asserts. “Intuitively, killing two or more birds with one stone is a clear path to efficiency gains, although not an easy one.”
Indeed, while financial services CAEs may be eager to capture efficiencies by using testing results across compliance activities, respondents indicated it is not as straightforward as they had hoped. Sixty-two percent of respondents, compared to 48% in 2013, stated that up to 25% of their control testing could be completed once and leveraged across multiple compliance requirements. However, only 31% of financial services CAEs thought that the same would hold true for 26–50% of control testing, down from 48% in 2013. According to Nigel Smith, national Financial Services Advisory practice leader: “With continued pressure on profitability, we believe that financial services firms will need to do more with less by applying advanced analytics techniques to streamline compliance processes without reducing the effectiveness of controls.”
Operational risk looms large
Financial services industry respondents — including those at large institutions — identified operational risk as their most important audit focus. This differed from the overall survey results, in which compliance risk ranked highest. “While compliance is still enormously important, the challenge for financial services companies going forward will be to find the most efficient course for satisfying mounting regulatory requirements,” says Smith.
What's keeping CAEs up at night
- Regulatory risks. The number of CAEs that rated regulation as having the most potential to affect their organization’s growth fell to 64% in 2014 from 83% in 2013. However, of the large financial services institutions sampled, nearly 80% still rate regulation as their most significant risk.
- Third-party risks. The share of financial services institutions that called out third-party vendors as having the greatest impact rose by five percentage points in 2014, reflecting continuing industry concerns. Third-party or vendor risk is currently a concern for 80% of financial services CAEs.
- Fraud or anti-corruption risks. The share of financial services CAEs that cited fraud or anti-corruption as their top concern rose modestly in 2014, but the share that rated it as their second-biggest concern rose significantly (to 35% from 22%) over the same period.
- Business continuity risks. The number of financial services institutions that rated business continuity as their No. 1 priority increased to 12% in 2014 from 9% in 2013. Events like Superstorm Sandy may have increased these concerns.
- Cybersecurity risks. In 2014, 68% of financial services CAEs listed data privacy and security, including cybersecurity, as having the most potential to affect their organization’s growth, down from 78% in 2013, indicating it remains top of mind.
- Technology risks. As financial services companies have embraced and made major efforts to keep up with technological advances in the marketplace, certain risks have decreased. Financial institutions seem to have a better understanding of what is required and most have been able to implement cloud computing, which puts less of a strain on the compliance function. Respondents also seem to have a handle on social media: Only 36% — compared to 54% in 2013 — saw it as having the most potential to affect their organization.
Internal audit technology tools are making inroads
Within the financial services industry, 36% of respondents said that their institution is effectively leveraging governance, risk and compliance (GRC) technology, a significant increase from 16% in the 2013 survey. The number of financial services institutions large and small using a GRC- or internal audit-specific technology tool increased to 37% in 2014 from 33% in 2013, reflecting the slow adoption of such tools. However, as seen in Chart 5, nearly 70% of survey respondents from large financial institutions reported using a GRC- or internal audit-specific technology tool.
Within the financial services industry, 82% of survey respondents said they are not planning to implement a GRC tool in the next 12 months. “There is an opportunity here for financial services internal audit functions. Many organizations have leveraged business process reengineering techniques and technology to improve productivity in their back office operations, but have not applied the same disciplines to the risk, compliance and internal audit functions. There is an opportunity to streamline the approach, increasing efficiency while allowing skilled staff to focus on risk mitigation,” says Smith.
Financial services CAEs feel the pain of regulation even more than their peers, so they must find the best way to use their resources efficiently and effectively to do more than just satisfy compliance needs. The top three goals that financial services CAEs identified for their internal audit organization over the next 12 months include:
- Building talent and skills. Due to the economic recovery, competition for the best workers is high and internal audit turnover has increased. Regulators want to see a strong and stable audit department that includes staff with a wide range of skills to address specialized situations. It may be worth considering available alternatives, such as learning programs, guest audit programs or co-sourcing.
- Increasing efficiency. CAEs are watching what their peers are doing, which audit software programs are being implemented and which new regulations are likely to affect their internal audit functions. Implementing the one-to-many approach and effectively leveraging technology may help achieve the desired gains.
- Improving organizational strategy. CAEs are well-positioned to contribute more to the overall strategy of their institution by improving processes, mitigating risk and identifying opportunities for cost savings. While adding real organizational value has always been a top priority for the internal audit function, smart CAEs will continue to find ways to make a difference in their organization.
Author's note: We wish to acknowledge the many contributions of Jack Katz and Christopher Paulison, whose assistance was invaluable in the development of this publication.
About the survey.
1 The survey was administered online from November to December 2013. A total of 433 internal audit professionals responded, representing a range of public and private companies across industries and company sizes in geographically dispersed U.S. locations. Respondents perform internal audit functions under varying titles, including CAE, vice president and director; throughout this survey, we refer to all respondents as CAEs. Visit www.grantthornton.com/caesurvey for more information.
2 Hernandez, Anthony, and Morgan, Kevin. Prescriptive analytics: Winning in a competitive environment, Feb. 20, 2014.