Audit programs have been predictable and formulaic for most of banking’s history. Financial institutions (FIs) have conducted the same audits at the same time every year, adding new types of audits as needed.
In a world that moved at a relatively slow pace, that worked just fine. The board was able to glean the information it needed to assess risk and make strategic decisions.
It doesn’t work anymore. The COVID-19 pandemic is the latest in a long line of events that have demonstrated that the business-as-usual audits of years past are no longer the effective tools they once were. Today’s dynamic operating environment requires a different approach to audit management, one that effectively informs and guides the board’s strategic decision making and allows the board to function as close to real time as possible.
This radical change in strategic planning and operations requires a nimble audit program—one where quality control is key. The board and management need to know whether strategic plans and adjustments to those plans are functioning as intended. From borrower concessions and new loan programs to IT security and compliance policies and procedures, the board needs to know if its strategic plans are performing as expected and whether they are creating undue risk.
This necessitates four key changes in audit programs:
Management can only succeed when it has the information and insights it needs to do its job. When it comes to oversight of audit management, it’s not just about conducting audits. It’s about leveraging audit results to inform risk management. This can be accomplished with best practices. They include:
Be nimble and proactive. Risk management should never be a stagnant process, but in a time of increased risk like a pandemic, it should be especially nimble. Management needs to stay ahead of risk and be prepared to use new approaches, more frequent audits, and new internal controls.
Promote a culture of risk awareness. Risk management should not be a siloed back-office process. Make it clear that everyone has a role to play.
Involve the FI’s most knowledgeable staff. Be sure to include representatives from every department and business line, and don’t limit the discussion to management only. Process owners and other sharp minds involved in the day-to-day can brainstorm risks and controls that may not be obvious to management.
Require dynamic reporting. Assessing the impact of COVID-19 or any other major shift in the operating environment is not a one-time event. Ensure there is dynamic reporting on a weekly or monthly basis to see how risks are trending.
Share reporting results with business lines. If you want staff to respond to a growing risk, they need to know about it.
Be prepared to change your business practices. COVID-19 is just one example of an ongoing event that impacts critical operations. Plans should be flexible enough to deal with degrees of severity and should be adapted as needed. An FI shouldn’t be in a position where people don’t know what to do.
As the board and management work through the COVID-19 pandemic and future events, they will need to adapt their audits to keep pace with outside events. Relying on audit parameters of the past, including frequency, depth, and breadth, will expose FIs to unknown levels of risk. Proactive audits that assess internal controls and provide insights that can be leveraged by risk management are necessary to keeping FIs safe, sound, and profitable.