6 areas of risk for banking internal auditors in 2023

Cloud computing, digital assets, and fair lending compliance rank among the major 2023 risk areas for banking internal auditors.

As the effects of the COVID-19 pandemic continue to reverberate and shape markets, internal audit departments have had to become more resilient, flexible, and resourceful. But the challenges are far from over. A volatile economic outlook, geopolitical events, and rising interest rates continue to bring forth new and evolving risks.

Given a business environment with this much uncertainty, audit committees and teams at banks and other financial services organizations should consider the following six areas of risk as they build their internal audit plans for 2023.

As your internal audit needs evolve, we’re here to help.

Get in touch and get the resources and expertise you need.

Explore our services

1. Complex technology platforms increasingly create cyber risk and invite regulatory scrutiny.

As technology systems and platforms become more powerful and sophisticated, many systems require too much access or overly complicated means of access. Banks and their internal auditors are grappling with that complexity as they universally apply security settings and right-sized access for individual users and departments.

Regulatory agencies such as the Consumer Financial Protection Bureau and the Federal Financial Institutions Examination Council have updated their regulatory handbooks to reflect concern regarding these issues. Banking internal auditors need to include technology systems in their internal audit plans and monitor for consistent, uniform patching and updating as part of data protection and vulnerability management.

2. Cloud computing and robotic process automation (RPA) are proliferating and expanding into new areas.

The pandemic forced many organizations to accelerate their cloud migration plans. But even as cloud computing is becoming common across a wide range of industries, many cloud migrations have rolled out slower than expected, and the cloud remains a shared source of confusion among lines of business. Banking internal auditors now need to determine their role in cloud conversations. They can start by asking:

What information do we have in the cloud?
How are we managing our cloud information and architecture?
What’s expected of our organization related to our cloud solutions or technology?

At the same time, many banks are beginning to use RPA to reduce inefficiency and human error. However, when IT can’t keep up with approvals and requests for RPA implementation, employees might install and use unauthorized RPA solutions, including shadow bots. These shadow bots can create security issues, contribute to operational inefficiency, and conflict with the organization’s overall automation strategy. To avoid the proliferation of shadow bots and rogue RPA, the organization’s automation initiatives and the bots themselves should have a place in the internal audit plan.

3. Forward-looking banks are exploring the zero-trust approach to cybersecurity, and banking internal auditors can help guide the process.

As cybersecurity becomes an increasingly core concern, many banks are exploring a zero-trust approach in which users must continually verify their identities. Zero trust can shore up weaknesses and streamline cybersecurity processes, but organizations can’t turn on zero trust with the flip of a switch.

If a bank chooses to pursue zero trust, then banking internal auditors need to understand the business strategy and expected cadence for the rollout. Reaching zero trust is a long journey, and internal audit functions must make sure the process doesn’t unfold faster than the organization’s IT staff and infrastructure can handle. Banking internal auditors also need to adjust auditing to include areas that might be affected by zero trust, including identity management, defined resource access, continual trust evaluation, and access control.

4. Fair lending is becoming an area of critical regulatory focus, and organizations will have to use data to demonstrate compliance.

Fair lending and fair and responsible banking have gained traction both among the public and in federal and state regulatory agencies. Regulators are focusing on equity in lending practices and comparing how organizations measure against their peers. Additionally, compliance now comes with a near-uniform expectation that organizations perform some level of formal data analysis in proportion to their fair lending risk profiles.

To help comply and keep pace with expectations, banking internal auditors must examine whether the organization has an adequate second-line fair lending program, including ongoing analysis and monitoring. Banking internal audit teams should be ready to:

Verify that documentation is in place to support community outreach, investments, and lending practices
Examine the overdraft program
Assess the fair lending and banking risk assessment to determine whether coverage is sufficient based on products, services, complaints, and various other risk factors
Verify that first- and second-line testing covers items in the risk assessment

5. New offerings – including digital assets – are creating complex fraud and compliance risks that must be controlled.

Amid intense competition, banks and other financial services companies are pushing hard to meet customer demand and changing expectations with innovative new products and services.

However, organizations need to be mindful of the potential risks that come with rapid changes, including any new compliance-related risks. Banking internal audit teams need to get involved early and provide guidance regarding the due diligence, change management, and risk management processes that can help make a new product launch or other strategic initiative smooth and controlled.

Crypto assets are an area of particular concern. Crypto asset initiatives come with additional compliance requirements, including securing a nonobjection letter from the Office of the Comptroller of the Currency. Banking internal auditors need to make sure the organization’s crypto asset strategy and approach are part of the internal audit universe.

6. Banks that don’t include data in their internal audit universe need to catch up – and fast.

For many financial services companies today, data permeates all aspects of business and guides a wide range of key business decisions. As the reliance on data increases, so does the associated risk and the need for internal audit coverage of data strategy and governance.

But at many banks and financial services companies, a disconnect exists between data use and data governance. Banking internal auditors are just beginning to explore their role in shaping the organization’s data strategy and verifying the quality and integrity of data.

If data quality and governance doesn’t currently have a meaningful place in the organization’s internal audit universe, then banking internal auditors and organization leaders need to act quickly to remedy this gap. Every audit plan should have a data governance component that can answer fundamental questions such as:

To what extent are we using data for business decisions?
How do we know our data is complete and accurate?
Where does our data reside?
Do we have a data lake or warehouse?
Is critical data accessible to stakeholders?
What internal controls do we have in place to make sure we’re using data appropriately?

Crowe specialists have the expertise your organization might need.

The current environment requires deep industry awareness and a tailored approach to address numerous and complex new risks.

Crowe can help your organization make sense of changes, identify the risks and internal audit developments that matter most, and deliver the resources and expertise that can keep you a step ahead.

Related insights