Regulatory Shifts: How Audit Committees Can Respond

Financial institutions are operating in a regulatory environment that might appear to be easing. In practice, however, what is happening is likely a shift in how regulations are applied, not a reduction in oversight.

This shift introduces new considerations related to oversight, governance, and risk alignment. For audit committees, the implication is straightforward: Even with fewer explicit requirements, committees might face greater scrutiny of how decisions are made and supported. Management should be able to clearly connect decisions to measurable financial risk, and committees should recognize that reduced prescription can increase uncertainty in practice. Paying attention to the following considerations can help.

Distinguish among action, interpretation, and monitoring

Supervisory focus is moving away from subjective constructs toward more principles-based expectations, which can lead to the need for a stronger internal assessment. However, not every regulatory development requires the same response.

Audit committees should determine what requires action and what requires interpretation or monitoring.

• Act: Enacted or binding changes, such as formal rule updates or threshold adjustments, require direct action.
• Interpret: Supervisory guidance and examiner expectations shape how institutions are evaluated but require interpretation rather than immediate structural change.
• Monitor: Proposed rules should be monitored closely as they evolve, with consideration given to participating in the comment process as appropriate.

Directional signals from regulators, including speeches, policy statements, and executive actions, provide insight into regulatory priorities and can help institutions anticipate future developments.

Audit committees should expect management to apply a structured approach to triage these differing levels of response. Being clear on what requires implementation versus interpretation helps avoid overreaction while keeping the institution prepared.

Reevaluate risk and compliance practices in key areas

Regulatory developments might affect several core areas of risk and compliance, including:

• Reputation risk
• Anti-money laundering and financial crimes
• Fair lending and unfair or deceptive acts or practices
• Federal Deposit Insurance Corp. Improvement Act thresholds

Audit committees should assess whether current controls remain aligned with these developments. In some cases, processes might reflect prior expectations that no longer apply. However, decisions to scale back should be made carefully, particularly where existing practices support consistency and discipline.

Prepare for increased reliance on internal audit judgment

As regulatory expectations become less prescriptive, internal audit teams are being asked to operate with fewer defined benchmarks. This includes determining the appropriate scope and depth of testing and evaluating management decisions in areas where guidance is limited.

Shifting dependence on judgment introduces practical challenges. Without clear anchors, calibrating audit coverage becomes more subjective, and the methods by which internal auditors reach conclusions might be more up to management’s discretion. Internal audit teams also might need to rely more heavily on professional judgment, which can lead to variability if not supported by consistent frameworks. This can create some tension in roles with fewer defined rules and more gray areas.

Audit committees should play a more strategic governance role, requiring internal audit to have defined methodologies for applying judgment and documenting conclusions. Committees also should watch for conflicts between the assurance and management roles, as maintaining independence while adapting to these expectations will be important.

Strengthen governance to manage ambiguity

The broader implication of regulatory changes is a transfer of responsibility. As regulators signal which rules are clearly prescriptive versus which simply reflect a “prior experience” mentality, institutions are expected to establish and maintain their own standards. Governance frameworks should stop relying on generally accepted rules and focus specifically on requirements as they are written, supporting consistent risk assessment, control design, and documentation of key decisions. Clear rationale and supporting evidence will be increasingly important in demonstrating alignment with regulatory expectations. When governance is well structured, internal audit can help reinforce consistency and provide stability. When it is not, the lack of external benchmarks might increase exposure during examinations.

Moving forward

The current environment reflects a shift in regulatory approach rather than a reduction in expectations. Institutions that respond by strengthening governance, clarifying decision-making processes, and supporting internal audit with clear frameworks will be better positioned to navigate this transition.