Top Risk Areas for Internal Audit: Financial Services

As financial services leaders look ahead to 2026, internal audit functions are uniquely positioned to help organizations navigate a rapidly shifting risk landscape. Economic uncertainty, intensifying regulatory scrutiny, emerging technologies, and evolving customer expectations continue to redefine how organizations assess and respond to risk. For internal auditors, this environment presents an opportunity to elevate their impact by delivering forward-looking insights and assurance across a wide spectrum of business challenges.

Five priority risk areas for internal audit in financial services organizations to focus on in 2026 include:

• The AI balancing act: AI adoption creates dual risks of moving too fast or too slow, so it is essential for internal audit to confirm that organizational speed is matched by equally robust oversight.
• Bank Secrecy Act (BSA) compliance: Internal audit must take a more proactive role as regulators shift toward results-oriented BSA oversight and require organizations to demonstrate strong governance, transparent decision-making, and explainable technology.
• Credit concerns: Given an uncertain risk environment, internal audit should provide more rigorous oversight, validate credit risk management practices, and confirm that organizations are adapting their controls and review procedures to meet escalating regulatory and portfolio demands.
• Consumer compliance: Recent shifts in regulatory enforcement, rising loss-mitigation and collections activity, and continued consumer protection obligations are creating a complex compliance landscape that requires internal audit to maintain strong, risk-based coverage so controls keep pace with evolving requirements.
• Information technology risk: As financial services organizations expand cloud, AI, and fintech partnerships, internal audit must validate third-party oversight and adherence to shared-responsibility models and confirm that cybersecurity is an integral component of enterprise risk management.

The AI balancing act

AI is becoming a significant factor in reshaping how financial services organizations operate and plan for the future. Some organizations have embraced it, while others are still weighing risks and benefits, which creates two different risks for banks. Organizations that move faster than their controls and governance create gaps they will pay for later. Organizations that move too slowly can fall behind and become exposed to unauthorized activities. Overall, internal audit’s role is to confirm that for every increment of speed, there’s a matching increment of control.

Risk of moving too fast

As with all product development or modeling, when delivery outpaces control, significant risks might go unaddressed, and change control procedures might become informal. If AI is treated as simple automation, decisions might lack explanation, back-testing might be skipped, and results might not be reproducible. Data issues might be overlooked. Features might be introduced without traceable lineage, prompts might collect excessive sensitive data, and retrieval sources might become outdated. Compliance concerns might be neglected, and complaints or bias signals might not be incorporated into fixes due to insufficient monitoring.

Next steps for internal auditors

• Test the inventory. Obtain the full register of statistical, machine learning, and generative uses. Sample entries for owner, risk tier, and last update.
• Read the evidence. For recent deployments, review the deployment evidence pack and verify the purpose, tests, approvals, monitoring, and rollback are complete and consistent.
• Reperform decisions. Retrace outcomes and reconcile adverse action reasons with actual drivers. Log any mismatch with impact.
• Trace the data. For high-impact features, verify end-to-end lineage and confirm that quality gates map to measured performance impact.
• Check data use and feedback. Inspect prompts and embeddings for minimization, access, masking, and retention. For retrieval, confirm a current source catalog and a tracked wrong-answer metric. Verify complaints or if bias signals drove a tested change with an owner and closure.

Risk of moving too slowly

Caution without a plan creates different risks of exposure. If an organization lacks a governance framework tailored to its unique culture, it faces a greater likelihood of uncontrolled and unsupervised AI adoption, often referred to as shadow AI. Additionally, most vendors already embed AI in their products, but without proper training, policies, and guidelines, management cannot effectively evaluate or oversee these practices. Organizations must also consider the risk of falling behind competitors in terms of products and talent.

Next steps for internal auditors

• Set a minimal standard. Issue an advisory memo with a simple life cycle and a deployment evidence pack template. Schedule a near-term adoption review.
• Sweep for shadow AI. During audits, compare procurement, access logs, and team tool lists to the official inventory, and open findings for unregistered use.
• Create an AI control readiness heat map. Score each use against the minimal standard and report it. Use it to prioritize audits.
• Review key vendors. Request AI disclosures and change-notice terms. Examine monitoring evidence. Observe one exit tabletop.
• Validate data governance early. Sample features for end-to-end lineage. Confirm minimization in prompts and embeddings. Require an updated retrieval source list with clear owners.

BSA compliance

In the current volatile regulatory environment, internal audit is taking on a more proactive role in assessing and addressing top risks related to BSA compliance. Heading into 2026, internal audit teams will need to focus on traditional BSA obligations as well as on risks emerging from new technology, policy shifts, and evolving examiner expectations.

Shifting tone in exams and reporting

BSA and anti-money laundering examiners are moving beyond technical compliance and checklist-based reviews. Instead, they are adopting a more results-oriented approach that prioritizes program effectiveness and risk reduction. Organizations must demonstrate that their programs are working through actionable suspicious activity reports, quantified and contextualized risk assessments, and modern, explainable technology. Examiners expect organizations to focus resources on high-risk areas in line with the Anti-Money Laundering Act of 2020 and to respond to expanded oversight in digital assets, investment advisory services, and beneficial ownership reporting. A critical component of regulatory expectations is that executive leadership should set a strong culture of compliance and reinforce that culture through transparency.

Debanking and reputational scrutiny

The practice of debanking, which involves ending relationships with customers or industries considered high risk, has come under intense scrutiny. Regulators are paying closer attention to the reasoning and documentation behind account closures, especially when patterns might appear discriminatory. Internal audit can play a key role in reviewing the consistency and transparency of policies by confirming that procedures for ending customer relationships are properly documented and supported by sound justification.

Model risk and governance gaps

AI and machine learning are transforming how financial services organizations detect and report suspicious activity. Many banks have already implemented AI in some form to reduce the high volume of false positives from traditional transaction monitoring systems, and those that have not likely will do so soon, either through external vendors or by developing their own solutions. As AI becomes more integrated across compliance operations, its influence extends beyond BSA programs to the broader framework of enterprise AI governance. At the same time, greater reliance on algorithmic systems introduces new risks, such as opaque decision-making, bias, overfitting, and miscalibration. Internal audit should evaluate whether governance structures are in place to ensure effective model validation, clear documentation, meaningful human oversight, and strong explainability in alignment with regulatory expectations.

Next steps for internal auditors

• Assess if governance structures, resource allocation, and executive engagement align with regulator expectations.
• Examine whether account closures are based on consistent, well-documented rationale to prevent discriminatory patterns.
• Review the validation process for AI models used in transaction monitoring to make sure they are accurate and reliable.
• Evaluate the explainability of AI models and confirm that decisions can be clearly understood and justified.
• Review the presence and effectiveness of human oversight in AI-driven processes.

Credit concerns

A combination of persistent macroeconomic pressures and evolving portfolio dynamics is shaping the current risk environment for financial services organizations. Despite these recent cuts, interest rates are still relatively high and continue to challenge renewals, refinancings, and maturing loan facilities, particularly for borrowers with weaker credit profiles, as lenders maintain tighter credit standards. While rates have retreated from their recent peaks, concerns remain about the sustainability of these levels and the limited refinance and exit options available in the market.

Although down from its recent highs, inflation remains elevated compared to two years ago, and its impact is uneven across industries and geographic regions, which contributes to an uncertain outlook. The broader economy presents a mixed picture: Certain sectors and regions remain resilient while others are showing signs of softening. Slowing job growth, ongoing tariff uncertainties, and the potential impacts of government shutdowns and reductions add further complexity to the economic landscape.

Within loan portfolios, there has been a noticeable uptick in risk rating migration, with more loans being classified as problem loans. Certain products and geographies are experiencing heightened risk, and there is an increased reliance on independent loan review functions by both internal auditors and regulators. This shift underscores the need for deeper, more robust review procedures and documentation, as approaches that sufficed in previous years might no longer be adequate. Finally, reflecting ongoing consolidation trends, the banking industry continues to see active merger and acquisition activity.

Next steps for internal auditors

• Evaluate the organization’s loan review function. Determine if coverage is appropriate and whether any concentrations should be looked at.
• Reassess the problem loan function for today’s environment and whether loan management procedures and reporting have been updated.
• Obtain updated collateral valuations on problem credits and test the organization’s appraisal review function, as there might be other areas to consider in this environment.
• Tighten credit administration practices, including servicing efforts.
• Determine if there are any credit exposures related to current government changes and microeconomic factors.

Consumer compliance

Recent events with the Consumer Financial Protection Bureau have led to widespread uncertainty about the bureau’s future and its impact on consumer protection. Despite recent events, consumer protection regulations remain in effect, some of which have been in place for nearly 50 years. Internal audit departments must consider how other recent regulatory changes and economic factors might affect internal audit compliance risk.

Evolving federal and state regulatory environment

The current environment suggests a relaxation of regulatory enforcement. While these changes could imply a decrease in risk-based audit coverage, examiners also have indicated increased reliance on financial services organizations’ internal audit and risk management functions to oversee these risks. Additionally, lookback periods can be agnostic of a prior regulatory landscape.

Recent changes that could potentially affect financial services organizations include:

• Removal of reputation risk: Reputation risk has been removed from prudential regulators’ examination manuals. The primary focus of this removal regarded debanking customers for potentially discriminatory reasons associated with certain industries and sources of funds. Reputation risk itself continues to exist for any financial services organization. Organizations might still be affected by negative public opinion and could face challenges in establishing new relationships or continuing existing ones if their reputation is perceived negatively.
• Removal of disparate impact: The anticipated focus is disparate treatment; however, claims can be brought through private legal action and state law.

Conversely, select state regulators are signaling an increase in enforcement. Many states have regulations similar to federal regulations, such as the Community Reinvestment Act and unfair, deceptive, or abusive acts or practices (UDAAP) requirements. Increases in state regulatory enforcement support maintaining existing risk-based audit coverage. Some states have regulations that are stricter than federal regulations, including state laws regarding disparate impact.

Loss mitigation and collection efforts on the rise

Increases in repossession and foreclosure filings increase servicing efforts and compliance risk. Outside the COVID-19 pandemic, loss mitigation and collections volumes have been low for years. Financial services organizations regularly engage in borrower assistance plans to improve loan performance and reduce negative impacts on borrowers and their surrounding communities. The Equal Credit Opportunity Act, the Real Estate Settlement Procedures Act, and Section 5 of the Federal Trade Commission Act still require communication and transparency, consistent treatment of borrowers, and protecting consumers from abusive or negligent servicing practices. Financial services organizations might not be able to meet these requirements if their loss mitigation and collections functions are understaffed or do not maintain adequate policies and procedures.

Next steps for internal auditors

• Maintain compliance with core, meat-and-potatoes regulatory requirements, given the potential examiner reliance on internal audit and risk management functions and historical expectations related to lookback periods.
• Analyze and consider the applicability of state laws before making changes to the internal audit plan, as state requirements might differ from federal regulations.
• Consider increasing coverage depth or frequency where volume and activity warrant it, specifically any third parties involved in loan servicing.
• Review the collections and loss mitigation life cycle.
• Perform analysis on instances where negative action, such as foreclosure, denial of a modification request, or repossession was taken on borrowers to determine that procedures were correctly applied.

Information technology risk

As noted with the other risk areas, financial services organizations continue to accelerate their adoption of cloud services, AI, and fintech partnerships, and the boundaries of accountability for IT risk are becoming increasingly blurred. Outsourcing and digital transformation introduce new vulnerabilities and shared responsibilities, which makes robust third-party management essential. A common misconception is that providers bear full responsibility for security; in reality, organizations remain accountable for safeguarding data, managing configurations, and overseeing identity and monitoring.

Regulatory frameworks, such as the National Institute of Standards and Technology Cybersecurity Framework and the Cyber Risk Institute Profile, emphasize that boards and management ultimately are responsible for verifying that outsourced services meet safety, soundness, and compliance obligations. The shared responsibility model clarifies the split between provider and customer obligations but does not absolve organizations of oversight.

Similarly, the persistent threat of cyber incidents can disrupt essential banking services, compromise sensitive data, and lead to financial losses. Unlike other risks, cyberthreats can simultaneously affect operations, customer trust, regulatory compliance, and reputation.

Regulators, such as the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, expect cyber risk to be integrated into enterprise risk management frameworks. Boards and senior leadership are accountable for overseeing cybersecurity as part of their broader governance responsibilities, not just as an IT issue, that is managed alongside financial, operational, and compliance risks.

Next steps for internal auditors

• Verify that responsibility matrices for outsourced services are documented.
• Actively test controls in the customer’s domain for effectiveness.
• Validate critical configurations on a regular basis.
• Confirm that management reviews third-party System and Organization Controls reports and addresses any identified gaps.
• Integrate monitoring of outsourced services into enterprise risk reporting.
• Include cyber risk in the enterprise risk register and risk appetite framework.
• Review cyber-related key risk indicators (KRIs) alongside financial and compliance KRIs.
• Connect cyberthreats to business impacts in board reporting.

Looking ahead

The pace of change in financial services is accelerating. Internal audit functions that embrace a proactive, risk-focused approach can better meet expectations and guide their organizations through transformation. By challenging assumptions, strengthening governance, and focusing on outcomes, internal audit can reinforce its role as a strategic partner in resilience and risk management.