Top Internal Audit Priorities for Financial Services Organizations, 2016

Top Priorities for Internal Audit in
Financial Services Organizations
Discussing the Key Financial Services Industry Results from the
2016 Internal Audit Capabilities and Needs Survey

1Top Priorities for Internal Audit in Financial Services Organizations
Introduction
Each year, Protiviti conducts its Internal Audit Capabilities and Needs Survey
to assess current skill levels of internal audit executives and professionals,
identify areas in need of improvement, and help to stimulate the sharing of
leading practices throughout the profession. The 2016 report that follows
describes the outlook of internal audit leaders within the financial services
industry. For the first time in many years, this survey reflects the views of
internal audit professionals during a time when the global economy and
its financial system were recovering from the global financial crisis. The
risk landscape it paints therefore reflects people’s risk perceptions in a
newly evolving world.
The findings discussed in our paper are based on responses from nearly
300 chief audit executives (CAEs) and internal audit professionals in the U.S. financial services industry.
In the opinion of these respondents, cybersecurity represented the greatest area for internal audit functions
to address. We have devoted one entire section of this report to the increasing attention that cybersecurity
continues to garner. But this is far from the only area internal audit organizations seek to improve as they look
forward to the coming year. A few areas that organizations prioritized as particularly acute challenges include:
• Agile Risk Management
• Model Risk Management & Data Analytics
• Mobile Applications
Michael Thor is a Managing
Director with Protiviti and
leads the firm’s North American
Internal Audit practice.

2 Top Priorities for Internal Audit in Financial Services Organizations
It is a near certainty that financial institutions will suffer cyber-related outages in the next few
years; the key issue is how they respond and recover.
Cybercrime Concerns Dominate
Chief among the issues identified this year is technology risk because of growing concerns about
cybercrime and the vulnerability of outdated systems to outages and attack. Escalation in the frequency
and sophistication of cyberattacks as well as the increased regulatory scrutiny around ensuring firms have
adequate cyber-risk programs in place have driven this risk to the top of the list.1
Exacerbating this is a
growing reliance on old and overly complicated IT systems, which are more susceptible to security breaches
and unpredictable outages that can cause disruption. A major challenge is that financial services firms are
playing catch-up in a technology environment that continues to evolve rapidly.
As financial institutions rely to an even greater extent on technology (see “Mobile Applications Challenge”
on page 3) they also need to be concerned with risks arising from third-party outsourcing and off-shoring
activities. Vendors’ different and possibly less stringent security standards could create the potential for data
loss or leakage. This increases the risk of a firm losing control of parts of its operations as supply chains get
longer and more complex.
As financial institutions grow even more reliant on digital technology, the severity of a potential cyber
breach increases exponentially. Cybersecurity has traditionally been the responsibility of the chief security
officer and/or the chief information officer; however, risk management and internal audit have a key role
to play in securing the organization by working closely with senior management to ensure cybersecurity is
embedded into the enterprise.
Agile Risk Management, Incorporating Risk Appetite and Risk Culture into the
Third Line of Defense
In the immediate aftermath of the financial crisis, financial institutions, especially banks, have invested a
great deal of time, energy and money on developing more robust risk management functions focused on
identifying and negating emerging risks. Although the perceived threat has fallen slightly, the responses
we received suggest still more needs to be done to meet both the demands of the modern environment
as well as the heightened expectations from regulators. Firms have recognized that they need to become
more efficient in managing risk, compliance and internal audit requirements. Dealing with the myriad
regulatory demands and changes in the operating environment requires firms to have agile and effective risk
management and compliance functions that operate more like business functions, providing value through
being agile, responsive and more forward-looking. Equally, firms need to maintain their focus on integrating
risk appetite and risk culture into their organizations to create a risk-aware environment that allows an agile
risk management philosophy to flourish. Even for those firms that have embraced the concept, integrating
and embedding risk culture into the entire enterprise is a constant challenge. A greater challenge for
internal audit is recognizing its role within an agile risk management philosophy and how it can assist in
reinforcing and independently testing both risk appetite and risk culture in the organization.
1
The 2015 annual report by the Financial Stability Oversight Council said that although U.S. banks and financial businesses have been
leaders in erecting barriers to hackers, cyberattacks still present a potential systemic danger, www.treasury.gov/initiatives/fsoc/studies-
reports/Documents/2015%20FSOC%20Annual%20Report.pdf.

Increasing reliance and complexity of models, especially in the area of stress testing, has driven
increased demand for resources with the knowledge and skills to address the risks associated with
the use of these same models.
Model Risk Management
Internal auditors have ranked model risk management one of the top areas where they need to improve
their technical knowledge – and for good reason. The internal audit function is tasked with verifying that
financial institutions have a comprehensive model risk management practice, which includes governance,
processes, policies, adherence to policies, and documentation.
Having internal audit staff with the competence and skillset to provide effective challenge to the first and
second line functions, using and providing oversight of the models, and overall model risk management
continue to be a challenge for financial institutions, especially those that do not have the scale to support an
in-house team of model professionals within the internal audit function.
As organizations continue to increase the use and complexity of models, and with increasing regulatory
focus on stress testing, already scarce modelling skillsets are in even greater demand.
Mobile is lauded for its ability to connect organizations with consumers but it brings its own
unique challenges and risks to the organization.
Mobile Applications Challenge
Continuing with the earlier technology trend, the survey shows a clear focus on auditing risks related
to the development, management, and use of mobile applications within financial services institutions.
Mobile banking and mobile payments are exploding in popularity as financial institutions are responding to
demands from their customers to offer more convenience through mobile channels. The speed of change,
the introduction of new third parties offering mobile services, as well as the myriad risks presented by
such brand new technology, are presenting a wave of new challenges for financial services firms, as well as
the internal audit functions that have to help the organization navigate the risks presented by these new
channels, processes and technologies.
The Changing Internal Audit Environment
Three years ago, the financial services industry results from the 2013 Internal Audit Capabilities and Needs
Survey showed that the focus of the entire industry was mainly on regulatory compliance – from stress test-
ing requirements to the broader concerns over compliance with the various regulations being issued under
the Dodd-Frank Act. Even though internal auditors are continuing to grapple with regulatory compliance, an
increasing focus is being placed on ensuring programs that have already been implemented, such as risk
appetite and risk culture, are being embedded into the organization as well as looking ahead to adopting a
more agile risk management function to help drive efficiency. The additional scrutiny regulators are placing
on firms’ cybersecurity controls is also reflected in cybersecurity being ranked third by internal auditors for
improving their technical skills. Respondents specifically called out the NIST Cybersecurity Framework as
an area for greater attention.

Unlocking the Power of Data to Help Manage Risk
Finally, data analysis continues to be a topic that internal auditors across financial institutions wrestle
with. The industry agrees that data analysis holds great promise; however, how to effectively deploy
and utilize expanding data analysis capabilities to harness the power of advanced analytics remains a
challenge to most internal audit organizations. That said, the use of analytics by internal audit functions is
continuing to evolve, driven by internal audit functions’ desire to make informed decisions on data from
key risk indicators in the various lines of business to help them dedicate their audit hours and testing more
efficiently and effectively. The more advanced firms report that they are implementing the use of aids such
as visualization tools and continuous monitoring, accessing enterprisewide data, as well as running analytics,
to help them better understand where the biggest risks exist.
Impacts on Internal Audit
The role of internal audit – the third line of defense – is changing. Under the U.S. Office of the Comptroller
of the Currency (OCC) Heightened Standards for Large Financial Institutions,2
the role of internal audit is to
opine on the readiness and design of risk management systems’ corporate governance structures, including risk
culture and risk appetite. Financial institutions are also facing a changing risk landscape, as highlighted within
the topics above.
Internal audit functions face a growing list of priority areas for the next 12 months. The foremost of these
are addressed in the following pages, with separate chapters exploring the impact of cybersecurity, mobile
applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk
management philosophy.
2016 Internal Audit Concerns
Further areas of concern that firms need to consider in developing their 2016 audit plans include:
• Development of dynamic risk assessment and audit planning
• Talent management and acquisition
• Reliance across the three lines of defense
• Assessing effective risk management
• Vendor management
• Communication with stakeholders
2
www.occ.treas.gov/news-issuances/news-releases/2014/nr-occ-2014-4a.pdf.

About the Internal Audit Capabilities and Needs Survey
This year the 2016 Internal Audit Capabilities and Needs Survey consisted of questions grouped into four
divisions: cybersecurity and the audit process, general technical knowledge, audit process knowledge,
and personal skills and capabilities. Respondents from U.S. financial services companies were also asked
to assess industry-specific skills.
The results, based on information provided by all respondents (who numbered more than 1,300),
are contained within the master report (available at www.protiviti.com/IASurvey). In addition to
the overall findings, Protiviti collected and analyzed specific data from respondents in a number of
different industries, including financial services. The intent of this report is to provide internal audit
executives and professionals in the financial services industry with more focused insights about the
unique issues within their domains.

Everyone, from individuals to large businesses, is at high risk of cybercrime – identity theft, account
takeover, account cloning, fraudulent payments and/or transfers, the list goes on. But it is financial
institutions that are battling against cyber criminals on the frontline.
Cyber risk is recognized around the world as the foremost risk for most financial services firms, which for
the moment at least, remain liable for any losses. Financial institutions are also increasingly reliant on their
technology and systems infrastructure, with many banks’ growth strategies shifting to digital models. Such a
high degree of dependence on digital technology exponentially increases the risk, and the potential severity,
of cyberattacks for financial services firms.
General Technical Knowledge (top 10 areas)
“Need to Improve”
Rank
Areas Evaluated by Respondents
Competency
(5-pt. scale)
1 Agile risk and compliance 2.2
2 Internet of Things 2.7
3
(tie)
NIST Cybersecurity Framework 2.3
GTAG 16 – Data Analysis Technologies 2.7
5
(tie)
ISO 14000 (environmental management) 2.1
ISO 27000 (information security) 2.7
7 Mobile applications 2.3
8
(tie)
International Financial Reporting Standards (IFRS) 2.2
Country-specific enterprise risk management framework 2.9
10
(tie)
Assurance around outsourced service providers 2.6
2013 COSO Internal Control Framework – Evaluation of “Presence,
Functioning and Operating Together”
3.3
Cybersecurity and the Audit Process
An organization can have all of the audit controls, checks and balances in place, but if it
doesn’t know what it is trying to protect, its cybersecurity program is ultimately flawed.
– Cal Slemp, Managing Director
Cal Slemp is a Managing Director
with Protiviti’s IT Consulting practice.
James Armetta is a Managing Director
with Protiviti’s Internal Audit and Financial
Advisory practice.

Audit Process Knowledge (top 10 areas)
Rank
Competency
(5-pt. scale)
1 Data analysis tools – statistical analysis 3.5
2 Auditing IT – program development 3.0
3 Auditing IT – security 3.1
4
(tie)
Auditing IT – continuity 3.2
Quality Assurance and Improvement Program (IIA Standard 1300) –
Ongoing Reviews (IIA Standard 1311)
3.2
6
(tie)
Operational auditing – effectiveness, efficiency and economy of
operations approach
3.2
Fraud – fraud detection/investigation 3.2
Assessing risk – emerging issues 2.2
9 Audit planning – process, location, transaction level 3.5
10 Operational auditing – risk-based approach 2.4
A flurry of high-profile breaches at banks, credit card and payment providers, as well as large retailers, has
succeeded in embedding the message that every firm will be the target of a cyberattack at some point. The
only unknown is when an attack will happen and if the firm is prepared for the counterattack with processes
in place to deal with the aftermath.
The growing importance of cybersecurity at financial services firms is evident in the financial services industry
findings from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey. Many internal audit professionals at
financial services firms stated that key priorities for improvement include leveraging the NIST Cybersecurity
Framework3
as well as the Internet of Things. Understandably, respondents to the survey are also eager to
improve their capabilities with auditing IT security.
Most companies are beyond thinking that it is not a matter of if they are attacked, it’s when. “The executive
management and boards of most organizations recognize that it is probable, and perhaps inevitable, that
they will be compromised,” says Cal Slemp, a Managing Director with Protiviti and a leader with the firm’s
Security and Privacy practice. “This is the main driver for boards calling for more enhanced, robust incident
response plans that are tested through tabletop exercises to determine potential gaps in responding to attacks on
the key assets of their organizations. The real challenge is establishing enterprisewide security and breaking down
the silos that have traditionally addressed IT security requirements and controls with technology and limited
processes, if any. Many companies have adopted leading industry standards such as ISO 27001 or the NIST
Cybersecurity Framework to guide them in assessing the strength of their security programs. Organizational
governance needs to be established for these frameworks to be effective when organizations adopt them. This
approach will ensure it is integrated into the culture of the organization. Firms need to have that top-down
approach. The board should state that it knows breaches are inevitable but it needs to know when the firm has
been compromised and that it has a robust response plan in place.”
One of the most important aspects to any firm’s cybersecurity plan is identifying its key assets – the proverbial
crown jewels.4
“An organization can have all of the audit controls, checks and balances in place, but if it doesn’t
know what it is trying to protect, its cybersecurity program is ultimately flawed,” says Slemp. “Firms need to
identify what they are trying to protect, and then need to be able to detect when there is a potential compromise
or an attack on those key assets. And when they are compromised, firms must be able to respond effectively.”
3
See Protiviti’s Flash Report: Cybersecurity Framework: Where Do We Go From Here? www.protiviti.com/en-US/Documents/Regulatory-
Reports/Information-Technology/IT-FlashReport-NIST-Cybersecurity-Framework-Where-Do-We-Go-From-Here-022514-Protiviti.pdf.
4
See Protiviti’s Board Perspectives: Risk Oversight, Volume 1, Issue 66: “Managing Cyber Threats with Confidence,” www.protiviti.com/en-
US/Documents/Newsletters/Board-Perspectives/Board-Perspectives-Risk-Oversight-Issue66-Managing-Cyber-Threats-Protiviti.pdf.

Having the right response plan in place is crucial to be able to mitigate the damage to the organization and
restore the business quickly. Many companies may have an incident response process in place but many do
not always have the appropriate personnel, tools and stakeholders on board to be able to respond effectively
to a breach.
“If a company is breached, it is not exclusively the responsibility of IT security to respond and recover,” says
Slemp. “Many stakeholders of the organization need to be involved, from legal to PR and communications. The
board of directors and executive management also need to be involved as well as the crisis management team –
the list goes on.”
Internal audit has a key role to play in ensuring the organization has an effective cybersecurity policy and
response process in place, preferably taking a proactive role in helping the firm to develop its cybersecurity
strategy and policy from the outset, then ensuring this strategy is maintained throughout the organization.
Cybersecurity risk must be formally integrated into the audit plan, while auditors need to ensure they have
the required knowledge to be able to evaluate the organization’s cybersecurity program against the NIST
Cybersecurity Framework.
The NIST framework is not a regulation and therefore is not a requirement for firms. In many cases, firms
already have many of the controls recommended by NIST but the degree of compliance varies between
organizations. Firms that conduct business with the U.S. government or with regulators are required to
demonstrate that they are following the framework and even though others may have a policy in place,
the maturity level may still need to be developed.
One area of concern for firms has been the cybersecurity risk posed by third parties such as vendors.
Financial institutions can spend millions securing their own infrastructure and systems from cyberattacks
but all too often the threat comes from within, from their own employees or from their suppliers, which
may not have such sophisticated defense systems.
Companies, including internal audit, need to evaluate the cyber risks associated with their vendors with the
same rigor they evaluate their own internal risks. Protiviti’s 2015 Vendor Risk Management Benchmark Study
showed that organizations are striving to make improvements in their third-party risk management programs
and have a better understanding of the nature of vendor threats. It also shows that boards are seeking
assurances from management that vendor risk is being assessed, managed and monitored appropriately,
especially if it relates to the loss or exposure of sensitive data through cyberattacks or other compromises.
The improvement in understanding of vendor risk may be due to the release of new regulatory guidance over
the past few years, including the NIST Cybersecurity Framework, as well as the 2013 update to ISO 27001.
The NIST framework is U.S.-centric – global banks often prefer an internationally recognized framework.
“Traditionally these banks have used ISO 27001,” says Slemp. “They are not abandoning that standard but
Protiviti is helping a lot of companies to leverage ISO and map it to the NIST control framework. Companies
that have embraced this culturally are more able to understand it.”
The NIST framework was first published three years ago, so it is not a new development and chief
information officers and chief security officers are familiar with it. It is new from an internal audit
perspective, however, and as such it may not have been automatically included in annual audit plans.
Companies that partner internal audit with IT and/or the security function to benefit from their guidance
and insight are often more successful in understanding and implementing the NIST framework.

Regulators Focus on Cybersecurity
The FFIEC published its findings in March 2015 from a joint assessment conducted by U.S. banking
agencies the year before to assess cybersecurity preparedness at more than 500 institutions. The paper
contains key observations and questions that chief executive officers and boards of directors need to consider
when assessing their institutions’ cybersecurity preparedness.5
This includes high-level guidance for firms to
take appropriate risk mitigation steps, including: conducting ongoing information security risk assessments;
performing security monitoring, prevention, and risk mitigation; protecting against unauthorized access;
implementing and testing controls around critical systems regularly; enhancing information security
awareness and training programs; and participating in industry information-sharing forums.
In June 2015, the FFIEC issued a Cybersecurity Assessment Tool for institutions to use to evaluate their
risks and cybersecurity preparedness, which OCC examiners will gradually incorporate into examinations
of national banks to benchmark and assess bank cybersecurity efforts.6
“The FFIEC’s Cybersecurity Assessment Tool was introduced with a mapping of its controls to those in the
NIST Cybersecurity Framework, and also supports a risk-based approach to determine the target maturity
level for an organization and whether the cybersecurity preparedness is aligned with its risk,” says Slemp.
“However, it is worth noting that the maturity levels start at a ‘baseline’ level that ties back to the FFIEC’s IT
Examination Handbook, so financial institutions should already operate at this level. Where there is additional
perceived risk, the bar is higher, so it will be interesting to see what the examiners’ expectations are for security
as they begin to assess organizations using the tool.”
The assessment tool incorporates concepts and principles contained in the FFIEC IT Examination
Handbook, regulatory guidance, applicable laws and regulations, FFIEC joint statements, and concepts
from well-known industry standards, such as the NIST Cybersecurity Framework.
There are two parts to the assessment: an inherent risk profile and cybersecurity maturity.
The inherent risk profile identifies the amount of risk posed to a bank by the types, volume, and
complexity of the bank’s technologies and connections, delivery channels, products and services,
organizational characteristics, and external threats – notwithstanding the bank’s risk-mitigating controls.
Cybersecurity maturity is evaluated in five domains: cyber risk management and oversight, threat intelligence
and collaboration, cybersecurity controls, external dependency management, and cyber incident management
and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced, and
innovative. A bank’s appropriate cybersecurity maturity levels depend on its inherent risk profile.
Internal audit needs to be in tune with these regulatory guidelines, market developments and any cyber issues
experienced by their peers to ensure they are prepared to handle those types of emerging risks.
With the OCC’s Heightened Standards, internal audit functions are expected to not only evaluate areas like
cybersecurity in terms of how the IT department is addressing it, but also opine on what the IT compliance
and/or IT risk functions are doing. Between the level of technical depth needed to look at the different
aspects of cybersecurity to the need to examine the practice of both the first and second lines of defense, the
bar has definitely been raised for financial services internal audit shops.
5
www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf.
6
Understanding the FFIEC Cybersecurity Assessment Tool: An Internal Audit Perspective is available at www.protiviti.com/en-US/Documents/
White-Papers/Industries/FFIEC-cybersecurity-assessment-tool-IA-perspective-whitepaper-Protiviti.pdf.

Chief audit executives and the internal audit function need to raise their awareness and knowledge of the
cybersecurity threat and relevant regulatory guidelines to be able to develop a robust cybersecurity strategy.
Below are cybersecurity action items for CAEs and internal audit to consider in their annual audit plans.
Action Items for Chief Audit Executives and Internal Audit Functions to Consider
1. Strategy and Policy: Work with management and the board to develop a cybersecurity strategy
and policy.
2. Cybersecurity Risk: Seek to have the organization become “very effective” in its ability to identify,
assess and mitigate cybersecurity risk to an acceptable level.
3. Cybersecurity Breach: Recognize the threat of a cybersecurity breach resulting from the actions of an
employee or business partner.
4. Board of Directors: Leverage board relationships to (a) heighten the board’s awareness and knowledge
of cybersecurity risk; and (b) ensure that the board remains highly engaged with cybersecurity matters
and is up-to-date on the changing nature and strategic importance of cybersecurity risk.
5. Audit Plan: Ensure cybersecurity risk is formally integrated into the audit universe and audit plan based
on the risk it represents to your organization.
6. Emerging Technology: Develop, and keep current, an understanding of how emerging technologies
and technological trends are affecting the company and its cybersecurity risk profile.
7. NIST Cybersecurity Framework: Evaluate the organization’s cybersecurity program against the
NIST Cybersecurity Framework, while recognizing that the framework does not go to the control level
and therefore may require additional valuations of ISO 27001 and 27002.
8. Preventative Capabilities: Recognize that with regard to cybersecurity, the strongest preventative
capabilities require a combination of human and technology security – a complementary blend of
education, awareness, vigilance and technology tools.
9. Clear Escalations Protocol: Make cybersecurity monitoring and cyber-incident response a top
management priority – a clear escalation protocol can help make the case for (and sustain) this priority.
10. Staffing Shortages: Address any IT/audit staffing and resource shortages, which represents a top
technology challenge in many organizations and can hamper efforts to address cybersecurity issues.

Improving Model Risk Management
The internal audit function is tasked with ensuring that financial institutions have a
complete model risk management practice, which includes governance, processes, policies,
adherence to policies, and documentation.
– Shaheen Dil, Ph.D., Managing Director
Charlie Anderson is a Managing Director
and Practice Leader for Model Risk Services
within Protiviti’s Data Management
Advanced Analytics Solutions practice.
Steve Lafrance is a Managing
Director with Protiviti’s Internal
Audit and Financial Advisory practice.
Shaheen Dil, Ph.D., is a Managing
Director with Protiviti and Global
Leader of the Data Management
Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and
Needs Survey have ranked model risk management (MRM) as a major area where they need to improve their
technical knowledge. And for good reason: The internal audit function is tasked with ensuring that banks
have a complete model risk management practice, which includes governance, processes, policies, adherence
to policies, and documentation.
Technical Knowledge – U.S. Financial Services Industry (top 10 areas)
Rank
Competency
(5-pt. scale)
1
(tie)
Basel guidance on internal audit 2.9
Basel III 2.2
3 Model risk management 2.7
4 Volcker Rule 2.2
5 Dynamic risk assessment 3.2
6 Interest rate/market risk 2.7
7 CFPB examination readiness 2.7
8
(tie)
Federal Reserve Guidance on Internal Audit (SR 13-1) 3.0
Vendor management 3.4
10
(tie)
Regulatory Compliance – Holding Company (Reg W) 2.7
UDAAP 2.8
Reliance on 1st and 2nd line monitoring 3.4

Although internal audit generally is well-equipped to perform these types of activities, the function
confronts several significant challenges, including access to the quantitative expertise required to evaluate
whether the model validations were conducted appropriately.
Basel III and the European Market Infrastructure Regulation (EMIR), along with guidance issued for U.S.
institutions by the Federal Reserve, Federal Deposit Insurance Corporation (FDIC) and Office of the
Comptroller of the Currency (OCC), are driving the need for significant changes in the model governance
infrastructures of affected financial institutions.7
This inevitably impacts the role of internal audit, since it
has to review the effectiveness of the model governance infrastructure.
Among other needs, these requirements mandate that institutions hold more risk capital, the definition of
which has narrowed. Additionally, this capital has to undergo periodic stress testing, which necessitates the
need for various additional models within institutions. These issues will still monopolize the attention of
affected financial institutions and their internal audit functions in 2016.
In the United States, regulatory bodies have been concentrating on model risk, model governance and stress
testing. Regulators have been heavily testing compliance with SR 11-7 and OCC 2011-12 “Supervisory Guidance
on Model Risk Management.” At the same time, regulators have been concentrating on Comprehensive Capital
Analysis and Review (CCAR)8
and Dodd-Frank Act Stress Test (DFAST)9
results.
The Federal Reserve evaluates the stress testing and capital planning processes of U.S. banking organizations
with assets greater than $10 billion through DFAST, and organizations with assets of $50 billion or more
through CCAR. Note that many organizations must comply with both. The Federal Reserve reviews and
assesses the results of both exercises on both a quantitative and qualitative basis.
These regulations require banks to create forward-looking projections of major balance sheet and income
statement items under hypothetical economic scenarios. The items being projected include credit losses as
well as Pre-Provision Net Revenues (PPNR). Some large banks are also required to conduct a Global Market
Shock exercise, involving large changes in values and identification of key counterparty vulnerabilities.
Producing such calculations is a complex undertaking, which calls for extensive governance and new processes.
Regulators have made it clear that data completeness and data quality are crucial, and banks are rapidly
building their data capabilities in order to be ready to produce the periodic DFAST and CCAR reports.
In addition, banks are working quickly to develop models that can be used to create the necessary
projections and calculations. The models are sophisticated and must be tested and shown to be capable of
producing suitable results.
As with other models, the CCAR/DFAST models must be developed, implemented, governed and validated
per SR 11-7 and OCC 2011-12 “Supervisory Guidance on Model Risk Management.” Each new model
must be separately validated prior to being used. Midsize banks may have dozens of new models for stress
testing purposes, and large banks may have hundreds.
7
For more comprehensive analysis on these changes, Protiviti has published several articles, including “Reducing Risk Through Model
Validation,” “Model Governance and Effective Risk Management” and “Building Confidence in ALLL Models – a Timely Practice”
(available at www.protiviti.com).
8
www.federalreserve.gov/bankinforeg/bcreg20130819a1.pdf.
9
www.federalreserve.gov/bankinforeg/srletters/sr1403.pdf.

10
For more comprehensive guidance on model risk management compliance challenges, see Shaheen Dil’s article, “Complying with the
New Supervisory Guidance on Model Risk,” in the February 2012 issue of The RMA Journal.
Size Makes a Difference
The model risk management challenges financial services companies and their internal audit functions face
generally vary by the size of the institution:
• Large institutions – The 20 or so largest U.S. banks already have varying degrees of mature model
governance infrastructure in place; their focus tends to be on upgrading the quality of their model
documentation and model validation processes. Although a number of large institutions have model
risk functions, most still have difficulty obtaining specialized skills and completing large model
building (or model validations) in a timely manner.
• Midsize institutions – These companies may face the most formidable model risk management
challenges. Many of these firms are just beginning to build their model risk infrastructure. This process
typically begins with a model risk oversight committee or the equivalent, consisting of members of
risk management, modelers and business owners. Internal audit frequently serves in a nonvoting
capacity on these committees. Since many of these efforts are starting from scratch, finding the talent
and specific skill sets necessary to fuel these efforts represents a major challenge for midsize financial
services institutions. “Many medium-size banks do not have the skills on board necessary to build or
validate models,” Dil observes. “For many midsize banks, it has been a struggle to embed these skills
and this capability into their cultures.”
• Small institutions – Few smaller banks can afford to hire full-time personnel with the skills necessary
to fulfill new model risk management requirements. Instead, these companies are competing for
external experts to come in and provide assistance.
Finally, there are several model risk management challenges all internal audit functions must contend
with, regardless of the size of their organizations. These include data quality and availability;
maintaining independence between model developers and model validators; and access to specific
technical (e.g., quantitative) expertise and talent.10
By addressing these challenges, internal audit functions will help management and boards of directors
understand the limitations of their models so they can make confident business decisions, which could
help advance business strategies and achieve regulatory compliance.

Internal audit teams are challenged with having quantitative expertise to assess whether the models meet the
regulatory requirements. Significant needs include:
• Assessing the model governance program (under SR11-7/OCC 2011-12);
• Assessing each model validation for consistency with those rules;
• Assessing model development, implementation and use; and
• Assessing compliance with CCAR and DFAST regulations.
The banking organizations that are subject to either the Federal Reserve’s CCAR or DFAST exercise are
expected to have sound model risk management practices that are consistent with existing supervisory
guidance on model risk management.11
As such, model risk management practice extends beyond model
validation and requires input from the business and the second line of defense, while the internal audit
function reviews the effectiveness of the overall capital planning/CCAR process, including the relevant
models. Notably, while CCAR banks largely have established overarching model risk management
functions, DFAST banks tend to operate in more flexible ways, ranging from pockets of model validation
and model risk expertise in various risk functions and business lines, all the way to outsourcing the entire
function to external vendors.
Incorporating the regulatory expectations set forth in SR 11-7 into the banking organization’s stress testing
and capital planning exercise presents specific and unique challenges.
The nature and requirements of the stress testing and capital planning exercises necessitate participation,
collaboration, and transparency between all model risk stakeholders, including model developers, users,
validators, internal audit, and bank management and the board of directors, to manage model risk and apply
mitigating controls12
or overlays where applicable. These mitigating controls and overlays can be identified
or quantified by any model stakeholders during every stage of the stress testing and capital planning
exercises. For instance, if the strict timelines of the stress testing and capital planning exercise do not allow
the validation team to perform a validation of a complete set of models, the validation team should make the
validation results transparent to all stakeholders. This allows the other stakeholders to apply controls and
overlays to mitigate any model risk.
Although internal audit, as an independent oversight function, will not participate in such a process, it is
essential that such a process is understood in relation to model risk management.
Firms need to ensure they have sufficient skill sets in the internal audit team – as well as sufficient staffing
levels – to assess model risk components. The difficulty is compounded by the scarcity of qualified
resources. Some banks have started to staff quantitative expertise directly in their internal audit teams but
many are relying chiefly upon outside resources to assist the bank’s audit team.
11
SR 11-7 Supervisory Guidance on Model Risk Management.
12
Mitigating controls may include the following: (a) restriction of use, (b) limited scope validation.

Audit Process Knowledge – U.S. Financial Services Industry (top 10 areas)
Rank
Competency
(5-pt. scale)
1 Current Expected Credit Loss (CECL) 2.2
2 Stress testing (CCAR/DFAST) 2.4
3 Derivatives and securities 2.4
4 Derivatives and hedging 2.4
5 Mergers and acquisitions due diligence 2.7
6
(tie)
Wholesale products 2.3
International regulation 2.2
Capital markets planning 2.4
9
(tie)
Other Than Temporary Impairment (OTTI) 2.6
Criticized asset management 2.4
Financial services industry internal auditors responding to Protiviti’s 2016 Internal Audit Capabilities and Needs
Survey, in a section specific to financial institutions, ranked the new Current Expected Credit Loss (CECL)
rules as the main area where they need to improve their audit process knowledge.
CECL is a proposed credit impairment accounting standard, which is expected to be adopted shortly. The new
standard is intended to address concerns that loss reserves were insufficient during the recent stress period.
The proposed CECL standard would require financial services institutions to generate forward-looking
and lifetime loss estimates to support their loss reserve decisions. Generating such estimates will entail
more sophisticated models, which in turn will require more historical data, incorporating more types of
information. The loss reserve estimation process would also involve multiple management judgements to be
made using sufficient supporting information. Furthermore, institutions would need to review and reclassify
their portfolios as required for the revised loss reserve standard and estimation models. Accommodating these
changes will entail significant changes in data governance, data sourcing, and related areas.
As institutions conform to the new accounting standard, internal audit would need to update the audit program
for the loss reserve process. The updated audit program should assess the quality of the collected data, the
consistency of asset classification, the information supporting management judgements, the accuracy of reserve
calculation and reporting, the robustness of the loss reserve model, and other areas.
For example, under the new accounting standard, it is expected that troubled debt restructuring (TDR) and
available-for-sale (AFS) assets will need to have reserves consistent with CECL methodology. Therefore,
internal audit would need to verify that the supporting systems have updated filters and codes as required to
assign these assets to CECL-conforming models. Under the proposed CECL methodology, institutions would
also need to determine the lifetime for each type of asset. Internal audit should also design controls and tests
to determine whether the lifetime estimation and methodology conform to the requirements and are correctly
applied to the loss reserve models.
Internal audit will also need to review several more areas that are not applicable to the current loss reserve
accounting rule, including: the long-term and possibly quantifiable economic and market scenarios applied to
the lifetime model; the decision of the supportive forecast window; and the support of the lifetime of different
types of assets.

Internal audit has a key role to play in ensuring the organization has an effective model risk management
(MRM) policy in place, which should also be formally integrated into the annual audit plan.
Action Items for Chief Audit Executives and Internal Audit Functions to Consider in Their Annual
Audit Plans
1. Ensure MRM is included within the audit universe.
2. Review the overall MRM process governance, design, resources, and adequacy to manage risk within the
appetite and tolerances set by the board of directors.
3. Address the functional adequacy of models within the business processes the models are supporting
(e.g., the Allowance for Loan and Lease Losses (ALLL) validation).
4. Ensure the organization has the resources and capabilities, internally or externally, necessary to both
challenge the effectiveness of models and review a validation for adequacy.
5. Conduct regular model governance audits, and ensure audit tests of CCAR and audit conceptual soundness
review of models and adjustments/overlays are completed.
6. Evaluate data integrity controls and testing, and evaluate source data quality and data completeness.
7. Conduct audit review of policies for board and senior management governance over CCAR, as well as
audit testing of board and management committee meetings for credible challenge.
8. Review that all material risks are covered in stress testing and CCAR, and that all risks are modeled
appropriately.

Barbi Goldstein is a Managing
Director with Protiviti’s Internal
Audit and Financial Advisory practice.
Shaheen Dil, Ph.D., is a Managing
Director with Protiviti and Global
Leader of the Data Management
Survey respondents indicated that the number one area where they need to improve their audit process knowledge
is data analysis tools and statistical analysis. This interest in advanced analytics capabilities is being driven by several
factors, including:
• Internal audit’s increasing role in supporting regulatory compliance needs and monitoring, and a growing
need to apply continuous monitoring on a broader scale to increase efficiency and add value to the organi-
zation through better insights into risks.
• External guidance calling for internal audit departments to better leverage data analytics to increase sam-
ple size and analysis of information for the organization.
• A growing focus on data quality and data governance, driven by organizations’ growing reliance on big
data and big data tools, increasing the need for sophisticated data analysis within internal audit.
• Rapid adoption of data analytics in other functions and groups throughout the enterprise (enterprise risk
management, data governance, compliance), leading to a similar expectation for the internal audit function.
Protiviti developed a second quantitative benchmarking study in 2015 that was distributed to a select group of
the largest U.S. financial institutions.13
The study showed that internal audit functions were seeking to achieve
several strategic goals in data analytics, chiefly to: increase more robust testing, increase efficiency, achieve
continuous auditing, raise visibility of risk indicators, and meet the heightened expectations of regulators.
Dealing with Data Analysis Tools
[Internal auditors] are implementing the use of visualization tools and continuous
monitoring, they are accessing data without a traditional “request” of IT, and they are
running analytics to help them understand where the biggest risks exist.
– Barbi Goldstein, Managing Director
13
Changing Trends in Internal Audit and Advanced Analytics is available at www.protiviti.com/en-US/Documents/White-Papers/Industries/
Internal-Audit-Data-Analytics-whitepaper-Protiviti.pdf.
Charlie Anderson is a Managing Director
and Practice Leader for Model Risk Services
within Protiviti’s Data Management

Rank
Competency
(5-pt. scale)
1 Data Analysis Tools – Statistical Analysis 3.5
4
(tie)
3.2
6
(tie)
operations approach
3.2
It was clear from the benchmarking study that analytics is treated as a high priority for large financial institutions’
internal audit functions since the majority of participants reported an increase in demand for data analytics
within their audits. Most internal audit functions (87 percent) reported that they had a dedicated data analytics/
information management group within their function, while these groups indicated that they needed to ensure they
had immediate access to business data within their own data warehouse or similar environment. The survey also
showed that the vast majority of firms’ internal audit analytics functions are continuing to evolve toward a risk-based
approach with the goal of providing continuous monitoring to some degree to be able to plan individual audits,
monitor key risk indicators (KRIs) and support risk assessments. Continuous auditing is also being pushed out to
new areas within the enterprise since, at the moment, the survey showed that firms now only monitor areas where
there are known risk issues.
Although there is clearly more work to be done, the findings of this benchmarking study show that internal
auditors are committed to developing a forward-looking internal audit analytics capability that allows for deeper
business insights via the monitoring of KRIs, rather than just analyzing data in support of individual audits.
“The use of analytics by internal audit functions has definitely evolved and continues to do so,” says Protiviti
Managing Director Barbi Goldstein. “Historically, data analysis for internal auditors has consisted of performing
population testing in support of specific audits. Today, internal audit functions want to have a view of the business
lines’ key risk indicators based on current data and use that knowledge to make informed decisions about where
to dedicate their audit hours and testing. They are implementing the use of visualization tools and continuous
monitoring, they are accessing data without a traditional ‘request’ of IT, and they are running analytics to help
them understand where the biggest risks exist. This allows them to take a truly risk-based approach to creating
their audit plan.”
Building an internal audit analytics function requires time and more resources, however. The financial services
industry results from Protiviti’s 2016 Internal Audit Capabilities and Needs Survey show that larger financial
services firms intend to hire more data analytics specialists this year, but talent is scarce, which means firms
have been retaining outside help to support the internal audit team.
Chief audit executives and the internal audit function need to raise their awareness and knowledge of data
analytics tools to be able to improve efficiencies and capabilities by adding more advanced techniques, such
as continuous monitoring and other indicators.

Adopting Agile Risk and Compliance
Risk is moving away from being a control checker and referee, to an enabler of
business performance, driving a single approach for risk management and is fully taking
responsibility for improving the risk culture of the organization.
– Cory Gunderson, Managing Director
Cory Gunderson leads
Protiviti’s Global Financial
Services Industry practice.
Matthew Moore leads Protiviti’s
Risk Compliance practice.
Organizations are realizing that their risk and compliance capabilities need to be agile, flexible and nimble in
order to respond more efficiently to the changing operating environment.
Rank
Competency
(5-pt. scale)
3
(tie)
5
(tie)
8
(tie)
10
(tie)
3.3
Managing risk and compliance has become increasingly complex and expensive for financial services organizations
post-financial crisis. The increased regulatory expectations, the ever-changing risk landscape and rise of inherent
risk represent a new and permanent operating paradigm for the industry. To adapt, firms are expending significant
time, money and resources to implement required changes and prioritize risk management and compliance.

As costs continue to increase, it is becoming clear that the overly manual, reactive and siloed approach to risk
management and compliance is unsustainable.
“Many organizations are beginning to change their vision for risk management,” says Cory Gunderson, who
leads Protiviti’s Global Financial Services Industry practice. “Risk is moving away from being a control checker
and referee, to an enabler of business performance, driving a single approach for risk management and is fully
taking responsibility for improving the risk culture of the organization. Leading practices in risk management
suggest creating a mantra – a simple and repeatable slogan that can be repeated in frameworks, policies and
corporate messaging to help frame culture.”
Responding to Risk and Compliance Gaps Over the Years Has Left the Financial Services
Industry in an Unsustainable Situation
Growth and innovation
have been forced to take a
back seat given risk and
compliance challenges.
Large bank fines
have topped $100B
over the past five years.
Operating costs have
become unsustainable
as quick-fix solutions and
increasing headcount are
the norm to improve risk
management practices.
Inherent risk continues to
rise given the underlying
business complexity and
increased pace of change.
Unsustainable
Costs
Significant
Fines
$100B
Inherent
RiskGrowth and
Innovation
Risk and
Compliance
A better risk and compliance model is one that is technology-enabled, proactive, aligned across all three
lines of defense and embedded into business processes. Business, risk, compliance and internal audit groups
need to work within an integrated framework with clear accountabilities to create an aligned organization
that can make sound decisions, while also driving efficiencies. This is the solution we refer to as Agile Risk
Management, where internal audit has a major role to play in proving independent assurance. Firms are
becoming more aware of the benefits of adopting such a program, and agile risk and compliance was ranked
as the top area where internal auditors would like to improve their general technical knowledge, according to
Protiviti’s 2016 Top Priorities for Internal Audit in Financial Services Organizations survey.

What Is Protiviti’s Agile Risk Management Philosophy?
Protiviti Agile Risk Management Philosophy
Operational
Excellence
Risk
Management
Aligned
Organization
Customer
Satisfaction
At the foundation of the Agile Risk Management philosophy is the central premise that business management and
risk management should create a unified operating model with clear first, second and third line accountabilities.
• Agile Risk Management enables successful anticipation and response to a rapidly changing environment
resulting in informed executive decisions through an aligned organization, operational excellence and
customer satisfaction.
• An Aligned Organization of proactive collaboration and engagement is achieved by converging business
and risk processes, while risk and business acumen is enhanced throughout the organization.
• Operational Excellence is sustained by the successful execution of business strategy supported by efficient
processes, optimized technology and risk agility.
• Customer Satisfaction is improved by risk management and controls driving consistent customer experiences
and ensuring the needs of customers are considered in the design of processes, products and services.
Creating an organization that can respond to change more easily is central to the Agile Risk Management
concept. Forward-looking organizations have designed components of their business model to be more
configurable. Applying a more flexible business model allows firms to plug in new requirements and strategic
changes smoothly, eliminating the current model of approaching change on a piecemeal basis, which only
serves to increase costs and complexity.

Bringing risk management and compliance closer to the first line and integrating them more fully with the business
creates a model that can automatically respond to changing business strategies as well as regulatory change.
Embedding agile risk management throughout the organization requires the front-line business units to still
be accountable for risks while also being supported in a proactive way by independent risk management. A
meaningful and well-understood risk appetite is used to make business decisions, while risk identification and
monitoring are integrated within business processes.
By more effectively aligning the business and the risk and compliance functions, firms benefit in a number
of different ways. They are able to leverage integrated and coordinated business, IT, risk and compliance
monitoring. The organization has agile risk skills and common tools and methodologies to act efficiently, while
reporting is used jointly to measure business goals and risk limits.
In all this, risk management enables the business, which leads to respected risk and compliance functions that add
value to the organization.
“Internal audit plays a critical role in agile risk management by providing independent assurance on the design
and effectiveness of risk management systems,” says Matthew Moore, who leads Protiviti’s Risk Compliance
practice. “This includes reinforcing the firm’s risk culture and holding front-line and risk management units
accountable for fulfilling their responsibilities within the agile risk management framework. Internal audit has
the unique perspective of being able to observe risk management activities across lines of defense and business
units, which allows it to add value by providing important feedback on the extent to which there is alignment
across the organization and the agile risk management philosophy is operating as intended.”
The time has come for proactive organizations to take the lead and adopt an agile risk management framework to
better meet the challenges of today’s customers, shareholders, employees, and the risk and regulatory environment.

Understanding and Integrating Risk Culture
When the leadership team takes audit findings seriously and immediately puts pressure on
the line of business where the issues were identified to resolve the problem, it tells you a
lot about the risk culture of that firm.
– Michael Brauneis, Managing Director
Risk culture remains a key concern for internal auditors. Although the subject is not specifically flagged in
the 2016 survey results, it was singled out as an area for auditors to improve their technical knowledge in
last year’s results. The concept of risk culture has been a hot topic for the industry and global regulatory
bodies in the wake of the global financial crisis, but it remains an enigma for many financial institutions.
Regulators around the world have been encouraging financial institutions to articulate and formalize their
risk culture. On July 8, 2015, the Basel Committee on Banking Supervision (BCBS) released a set of revised
guidelines for enhancing corporate governance at banks, which includes the importance of a sound risk
culture to drive risk management within a bank.14
The Financial Stability Board (FSB) also has been very
active in providing guidance to financial services firms on the subject of risk culture. In April 2014, the FSB
published Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing
Risk Culture, to assist firms in identifying the foundational elements that contribute to a sound risk culture, as
well as core practices and dynamics that may be indicators of the effectiveness of an enterprise’s risk culture.15
The FSB’s view is that the soundness of an institution’s risk culture is based on the extent to which it governs
its risk/reward decision-making process, successfully executes its agreed upon strategy within its defined risk
appetite on a day-to-day basis, and structures its compensation practices to take into consideration prospective
risks and risk outcomes that are already realized. The FSB recognizes that risk culture has to be embedded in
the overall corporate culture, which will evolve over time.
14
www.bis.org/bcbs/publ/d328.pdf.
15
Guidance on Supervisory Interaction with Financial Institutions on Risk Culture: A Framework for Assessing Risk Culture,
www.financialstabilityboard.org/2014/04/140407/.
James McDonald is a Managing
Director with Protiviti’s Risk
Compliance Solutions practice.
Dolores Atallo is a Managing
Michael Brauneis is a Managing

In a survey conducted by Protiviti and the Risk Management Association (RMA) in 2013, only 37 percent of
respondents noted that they evaluated risk culture, while only 28 percent said that they believed risk culture
is fully integrated into their respective organizations.16
“Through internal employee surveys, some firms are trying to analyze today how their risk culture is being
embedded in the organization to see how well their employees understand the risk culture,” says Protiviti
Managing Director James McDonald. “The fact that firms need to do so shows it is a challenge. The CEO
can state that the company is going to do the right things and live within its risk appetite but that message
needs to be continually reinforced. Firms need to empower employees and provide them with examples of
what good behavior looks like, such as instances where an employee raises their hand and identifies an issue
early on, so the problem can be resolved before it becomes a larger issue.”
Another impediment to integrating risk culture can be pushback from employees who are resistant to change.
Firms often build incentive plans to reinforce risk culture that are focused on punishing bad behavior – taking
compensation from people who misbehave or break limits – rather than rewarding employees that are beacons
of good culture. That is a backward-looking behavior modification, more so than incentivizing proper future
behavior. “Those employees who raise their hands when they have an issue, with the issue then being debated
and escalated and addressed as appropriate, need to be rewarded,” adds McDonald.
Maintaining the consistency of risk culture messaging throughout the enterprise in all locations is a major
barrier to the effectiveness of risk culture in large financial services firms. Organizations can stage all-hands
town hall staff meetings to reinforce this messaging but it has to have the support of the board and executive
management, who need to work to ensure risk culture is integrated with the growth objectives and strategy
of the firm. Risk culture also needs to grow and change with the organization as it evolves, providing an
additional challenge for firms to maintain consistency in their risk culture messaging.
The BCBS guidelines on risk governance also recognize that compensation systems are a key component for
a financial institution to convey acceptable risk-taking behavior and reinforce its operating and risk culture.
It states that remuneration programs “should encourage a sound risk culture in which risk-taking behavior
is appropriate and which encourages employees to act in the interest of the company as a whole rather than
for themselves or only their business lines.”
16
Risk Culture: From Theory to Evolving Practice, RMA and Protiviti, 2013: www.protiviti.com/en-US/Documents/RMA-Journal-From-
Theory-to-Evolving-Practice.pdf.

Risk Culture is the Keystone
Culture is the keystone that holds things together, providing a source of strength or weakness for
the organization. An actionable risk culture helps balance the inevitable tension between (a) creating
enterprise value through the strategy and driving performance on the one hand, and (b) protecting
enterprise value through risk appetite and managing risk on the other hand. In effect, it balances the push
between strategy and risk appetite.
Source: Establishing and Nurturing an Effective Risk Culture – Enabling the Chief Risk Officer’s Success (Fourth in a Series)
(www.protiviti.com/cro-series).
PerformanceM
a
nagement
culture
RiskM
anagement
Business
Strategy
Risk
Appetite
Chief audit executives and the internal audit function have a pivotal role in fostering a strong risk culture,
which is the keystone of an organization’s risk management framework.
Compensation and incentive schemes are one obvious area for internal audit functions to review for their
alignment with the company’s intended risk culture but there are other areas that warrant internal audit’s
focus. Although the intangible nature of risk culture makes it difficult for firms to conduct specific standalone
audits to determine the level of cultural integration in the organization, several topics that internal audit
reviews in the daily course of business can provide insights into this area. Examples of these include evaluating
the percentage of known issues that were first identified by a business process owner (versus internal audit, a
regulatory agency, or another independent source) and the status of remediation of issues (issues that take too
long to address or are in “past due” status often are indicators of a firm’s risk culture).

Internal audit certainly has a greater role to play in reinforcing risk culture within the organization. An
effective internal audit department could and should have a role in reporting risk culture, but few audit
functions at financial institutions currently have the capabilities to perform a standalone audit of risk culture.
Firms can, however, include risk culture aspects in their existing audit processes: “This is almost a continual
process where audit can pick up on where risk culture has been embedded particularly successfully or not at
all,” says Protiviti’s Director Mathew Perconte. “Internal audit can reinforce some of the firm’s risk culture
messaging through their existing audits.”
Under the OCC’s Heightened Standards, internal audit’s role is to opine on the readiness and design
of risk management systems, corporate governance structures and risk appetite statements. “If internal
auditors are truly acting as independent practitioners inside a firm, they can drive culture because they
are going to report issues that are outside of boundaries,” says Timothy Long, a Managing Director with
Protiviti’s Risk Compliance Solutions practice.
Indeed, a good measure of the risk culture of any firm is how audit findings are viewed in the organization
and how seriously their recommendations are taken. “When the leadership team takes audit findings
seriously and immediately puts pressure on the line of business where the issues were identified to resolve
the problem, it tells you a lot about the risk culture of that firm,” says Protiviti Managing Director Michael
Brauneis. “The same is true for firms where audit exceptions are not considered to be a significant problem
and where there are many repeat findings.”
Effective root cause analyses are key to this effort. Beyond simply identifying a control breakdown and
recommending an immediate fix, audit can go a step further in evaluating the origin of the breakdown
to consider whether a risk appetite breach or incentives problem (e.g., pressure to cut control corners in
order to speed cycle time) might have contributed to the issue. Encouraging process owners to confront
and respond to these considerations can help the organization’s thinking and actions on risk culture evolve
past tone at the top to become a more practical consideration in day-to-day business activities.
Weaving risk culture audits into existing audit plans could also help when seeking to align the firm to the
OCC’s Heightened Standards, which require firms to show they have a strong risk management framework,
an engaged board, a risk appetite framework and a strong risk culture. “Regulators are requiring firms to show
their assessments on how their company is aligned with the heightened standards,” says McDonald. “We are
being asked by audit departments how they can show this. Our response is that they should, throughout the
year, have a number of audits of lines of businesses and support functions to gauge how the company’s risk
framework, risk appetite and risk culture are being followed. Audit needs to assess how well they are aligned to
the OCC Heightened Standards and a big part of that is risk culture.”

Understanding and Integrating Risk Appetite
Most of the focus has been around setting a risk appetite statement at the board level
but at some point regulators are going to start pushing risk appetite down into the
individual lines of business, which is exactly where it needs to be.
– Timothy Long, Managing Director
Scott Jones is a Managing
Director with Protiviti’s
Internal Audit and Financial
Advisory practice.
Timothy Long is a Managing
A financial institution’s risk culture and its risk appetite are explicitly interlinked. Risk culture should inform a
bank’s risk appetite statement (RAS) and in turn the risk appetite statement should inform the bank’s risk culture.
Guidelines from regulators around the world state that formal written risk frameworks should be maintained
that cover all applicable risk categories, as well as any other material risk types to which an institution may
be exposed. Until now, driven by regulatory demands, the focus has been on establishing a high-level risk
appetite statement at the board level. However, firms need to push the risk appetite framework into the lines
of business (LOB) for it to achieve its ultimate goal of aligning the enterprise’s risks with the stakeholders’
priorities in the most effective and efficient manner. The highest levels of management, up to and including
the board of directors, must sponsor the initiative, but involvement of LOB leadership and independent risk
management are crucial to ensure that all stakeholders embrace the overall approach.
Many financial services regulators around the world have stated that driving a risk culture throughout
an organization, resulting in a shared understanding and compliance with the risk appetite, is equally as
important as having a written RAS. Especially in large organizations, consistency in understanding and
realizing risk appetite throughout business lines is critical, as stated by Thomas J. Curry, Comptroller of
the Currency, in a speech on May 8, 2014: “[Over] the years we found instances in which large, complex,
and highly interconnected banks allowed operational units to define risk appetite in terms of their own
needs and priorities. At best, this resulted in organizational confusion. At worst, it contributed to major
breakdowns in risk management. And for banks with such broad impact on the financial system and the
economy, that is simply unacceptable.”17
17
Remarks by Thomas J. Curry, Comptroller of the Currency, before RMA’s Governance, Compliance and Operational Risk Conference in
Cambridge, Massachusetts, May 8, 2014: www.occ.gov/news-issuances/speeches/2014/pub-speech-2014-69a.pdf.
Matthew Perconte is a Director
with Protiviti’s Risk Compliance
Solutions practice.

Rank
Competency
(5-pt. scale)
1 Data analysis tools – statistical analysis 3.5
4
(tie)
3.2
6
(tie)
operations approach
3.2
“Most of the focus has been around setting a risk appetite statement at the board level but at some point
regulators are going to start pushing risk appetite down into the individual lines of business, which is
exactly where it needs to be,” says Timothy Long, a Managing Director with Protiviti’s Risk Compliance
Solutions practice. “A risk appetite statement for a $100 billion bank written at the board level is almost
meaningless because the practices in the various divisions from real estate to mortgages are completely
unrelated and separate; they need their own framework, defense lines and understanding of their own risk
appetite. Until risk appetite statements are pushed down to the lines of business, they don’t add value.”
Integration of risk appetite was an area that internal auditors identified as requiring increased knowledge,
skills, and capabilities. Integrating risk appetite is a difficult task for the organization as a whole and one
which many internal audit functions are also struggling to determine their role in providing assurance to
management and the board.
According to the Financial Stability Board’s Principles for an Effective Risk Framework, published in November
2013,18
the RAS must include measurable, frequency-based, understandable and comparable metrics that
can be translated into risk limits applicable to business lines, legal entities and group levels, and linked to the
enterprisewide RAS. The RAS needs to include qualitative statements that articulate motivations for taking on
or avoiding certain types of risks, as well as a reasonable number of appropriately selected risk metrics. The
RAS then has to be supported by appropriate controls and stress tests. Putting the RAS into action requires
the creation of a risk appetite framework (RAF), which pushes the RAS down into the LOBs and the various
support functions. The RAF proposed by the FSB comprises key aspects for the internal audit function to
consider when auditing risk appetite.
Key components of the RAF are risk appetite metrics, enterprise key risk indicators (KRIs) and business unit
KRIs, which all have defined tolerances and thresholds that are monitored frequently.
18
Available at www.financialstabilityboard.org/wp-content/uploads/r_131118.pdf.

Risk appetite metrics cannot be developed by the board and senior management to be pushed down into the
LOBs since there is significant risk that the risk appetite measurement and management process will become
a check-the-box exercise. The development process needs to be collaborative among top management,
independent risk management and front-line units to avoid a disconnect at the front-line level.
“Risk appetite metrics are designed to measure risk across the enterprise, encompassing all LOBs, regions,
products and services,” says Matthew Perconte, Director at Protiviti. “Some LOBs are struggling with
designing these metrics, which need to evolve as the organization evolves. The creation of these metrics
could be one area where internal audit focuses efforts to ensure the risk department and the business
continually update and improve risk appetite metrics.”
To drive risk appetite effectively, organizations need to be consistent in promoting good risk culture with
ongoing education and dialogue. A well-operating risk management framework should enable an ongoing,
enterprisewide conversation about risk, while maintaining focus on how risk management objectives are achieved.
“Another area where internal audit can test to see if the RAS is being implemented properly throughout
the organization is by monitoring communication channels, such as town hall and staff meetings and LOB
committees, to check if the RAS is being discussed widely in the company rather than being limited to the
risk committees. LOBs need to show they are actively considering the risk appetite when making business
decisions. Another good test is whether the organization’s risk appetite is being discussed in mandatory
internal training at all levels,” adds Perconte.
Chief audit executives and the internal audit function need to first ensure that they fully understand the
firms’ risk appetite statement and framework. From such a solid grounding, the internal audit department
forms an integral part of the risk appetite framework by providing oversight to ensure the framework is
being embedded into the lines of business. Auditors need to ensure they audit the strategic planning process
to check if the three- and five-year plans are informed by the organization’s risk appetite and risk capacity.
This then needs to be linked to the company’s capital stress tests to show that in a stressed environment
the firm will have the capacity to keep its set risk appetite and be able to hold the correct amount of capital.
Regulators will be looking for that linkage.
Internal auditors almost need to become risk managers. They need to understand where risks are
being generated and how they are supposed to be controlled. They are required to opine on the
risk management systems the business has in place in order to control those risks. That is not what
internal audit has traditionally done and in a lot of cases they are not equipped to do it.
– Timothy Long, Managing Director

The graphic below shows the key areas internal audit needs to consider when auditing risk appetite.
Key Aspects to Consider When Auditing Risk Appetite
The Financial Stability Board noted specific components of a strong risk appetite statement in the
November 2013 report entitled Principles for An Effective Risk Appetite Framework.
The RAS includes key background
information and assumptions that
informed the strategic and business
plans at the time they were approved.
The RAS includes qualitative
statements that articulate the
motivations for taking on or avoiding
certain types of risks and includes a
reasonable number of appropriately
selected risk metrics.
The RAS has strong
linkages with the short- and
long-term corporate strategy,
capital and financial plans.
Risk metrics are aligned to
the incentive compensation
plan and employees are
appropriately incented to
support prudent risk taking in
line with corporate goals.
The RAS allows the financial
institution to view the desired
risk profile under a variety of
scenarios.
The RAS expresses the
maximum level of risk
(material and overall) the
organization is willing to
operate within under normal
and stressed conditions.
The RAS includes
measurable, frequency-
based, understandable and
comparable risk metrics that
can be translated into risk
limits applicable to business
lines, legal entities and
group level, and linked to the
enterprisewide RAS.
The RAS clearly
establishes the type
and amount of risk
the organization is
prepared to accept in
pursuit of its strategic
objectives and
business plan.
The RAS is supported
by appropriate
controls and stress
tests.
Effective
Risk
Appetite
Statement
Informed
Qualitative
Linked to
Corporate
Goals
Defines
Risks
Supported
Material
Risk-Focused
Quantitative
Forward-
Looking

Coping With the Pace of Change in Mobile Applications
Firms need to design their programs and control structures around much faster cycle
times, which is where Agile software delivery and DevOps ... can help. Auditors need to
embrace the fact that continuous change is coming and they need to build their control
programs around it.
– Ed Page, Managing Director
Jason Goldberg is a Director with
Protiviti’s Business Performance
Improvement practice.
Ed Page leads Protiviti’s U.S.
Financial Services Industry IT
Consulting practice.
Mobile banking and mobile payments are growing in popularity as financial institutions are responding to
demand from their customers to offer more convenience and more products through mobile channels. Just
as smartphones are evolving, mobile payment technologies are being developed just as quickly, with many
different participants in a burgeoning ecosystem of traditional and non-traditional players, including the
likes of Apple, Samsung, Google, and PayPal, among others. The speed of change, the introduction of new
third parties as well as the myriad risks presented by such brand new technology are presenting a wave of
new challenges for financial services firms. It is unsurprising, therefore, that internal auditors in the financial
services industry have pinpointed mobile applications as an area where they need to improve their technical
knowledge in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey (mobile banking was ranked second
by internal auditors in the same survey conducted in 2015).

Rank
Competency
(5-pt. scale)
3
(tie)
5
(tie)
8
(tie)
10
(tie)
3.3
“New technologies are appearing at a very rapid pace,” says Ed Page, Managing Director and Leader of
Protiviti’s U.S. Financial Services Industry IT Consulting practice. “Keeping up with such a rapidly changing
environment is a challenge for everyone from risk managers to IT practitioners and auditors. That bleeds into
all kinds of change management and control considerations that we probably didn’t have to deal with before, at
least at the rate of change that exists now.”
The old model of branch-based banking, and even online services, was protected by the fact that financial
institutions owned the infrastructure on which those services were being provided. In the mobile world, there
are many more variables: the devices are owned by the customer; there are dozens of variations of smart
phones, with varying operating systems; and there has also been an influx of new third-party service providers,
which are offering services such as in-app payments or mobile wallets.
All of these different factors create a complex, disparate mobile environment. Page advises professionals in all
financial services departments to: “Embrace the pace of change and the fact that there are so many variables in
the environment as the new norm.”
Page adds, “Firms need to design their programs and control structures around much faster cycle times,
which is where Agile software delivery and DevOps, which is about continuous change management, can
help. Auditors need to embrace the fact that continuous change is coming and they need to build their control
programs around it.”
The traditional Waterfall method of delivering software is giving way to Agile software delivery methods. Controls
that IT auditors have become familiar with over time are largely based on a Waterfall methodology. To cope with
the rapidly changing environment of mobile banking and mobile payments, auditors need to adapt.
“Rather than fight this change, auditors need to become part of the team that develops the new software
services from the beginning, using the Agile method to ensure it is delivered in a method that still has the
necessary controls around it,” says Page.
There are many risks associated with mobile applications – security being the most obvious. Although the
cybersecurity regulatory framework is dealt with in other chapters of this paper, financial institutions that
are considering offering mobile payment services also have issues to consider around account provisioning,
data management, vendor management, and complex systems integration, as well as other operational and
reputational risks. The fragmented nature of the legacy technology and operations environment is only
compounded by the emerging technology overlay, making these challenges particularly acute.

Account Provisioning
The main risk of mobile applications for firms is around user authentication – making sure the user is who
they say they are. When using any type of mobile payment application – Apple Pay and LoopPay are just two
examples – the customer is required to provision their credit or debit card account onto their device. Banks have
experienced relatively high levels of fraud related to Apple Pay, specifically related to the organization of its
account provisioning system, where the issuer has been contacted to verify their identity and card information.
“This is where all of the fraud was occurring,” says Jason Goldberg, Director at Protiviti. “Fraudsters are
incredibly sophisticated. In cases where financial institutions were using personal data to verify an account
prior to provisioning, the fraudsters were socially engineering that information. Auditors need to think about
the user authentication process and account provisioning process to ensure they are doing all they can to
identify fraud. Auditors need to ask questions such as: What is the appropriate amount of time to allow users to
remain logged in without re-authentication. What levels of authentication should be required? Is there a need for
multi-factor authentication of a device?”
Firms also need to make use of intelligent monitoring of transactions and intelligent alerting, which is based
on all of the data they have related to account past behavior. Working with geo-location information with
mobile applications is one way to help reduce fraud as it can be used to match customers’ past transaction
history. Banks should be working with their core banking platform provider or third parties to look at all of the
data going through their networks.
There are additional challenges for firms now that the liability has shifted from the credit card issuers to the
weakest link in the transaction, which came into force in October 2015. There is an added complication in the
United States as it continues to transition from magnetic strip cards to EMV, or chip-and-pin enabled cards,
that pose a potential problem for retailers because the liability during a LoopPay transition shifts to them since
the technology bypasses the need for the customer to enter their pin number.
As well as the fraud liability issues, these payment services are relatively new technology with glitches that can
impact the consumer experience. These services are also not clearly understood by consumers or retailers, who
often blame the bank when payments fail, impacting their reputation.
Additionally, when the technology fails or there are issues with account provisioning, customers are
increasingly contacting their banks for technical support. Banks have to be prepared to train their customer
service teams or put in place new servicing teams that have more technical expertise.
With all of these new entrants into the payments space, financial institutions need to have robust vendor
management policies and procedures in place. Increasingly, firms are outsourcing mobile payment functions to
third parties and are also using core banking platforms that are also managed by third parties. These functions,
or modules, often don’t integrate well. Auditors need to take a close look at the end-to-end customer
experience on every path to make sure that it is controlled from module to module, and controlled in a way
that makes sense.

Mobile applications and mobile banking will continue to evolve rapidly. Internal audit must ensure that it is
up-to-date with the latest technology which will be adopted by their organizations and that their firms are
considering all potential risk exposures.
Action Items Chief Audit Executives and Internal Audit Functions Need to Consider
1. Ensure mobile applications and banking are covered in the audit universe completely (all products/services,
platforms, vendors, etc.).
2. Ensure that third parties are addressed in vendor management policies and procedures.
3. Consider fraud risk related to mobile transactions within customer-facing processes (originations
and servicing).
4. Understand the security approach to having a mobile presence.
5. Consider the end-to-end process for servicing. Mobile is typically a gateway to other services and platforms.
6. Understand mobile application change management plans and controls.
7. Consider all applicable mobile platforms supported (iOS, Android, Windows, etc.) in audit plans.
8. If applicable, consider the controls necessary to support an Agile software delivery model.
9. Consider cross-platform service management, including third-party components.
10. Consider the firms’ liabilities, policies and procedures in relation to account provisioning on mobile devices.

In Closing
Chief audit executives and internal audit departments will continue to be challenged by regulatory
requirements and advances in technology that subject organizations to a continually changing risk profile.
As this paper has shown, the list of internal audit priorities for financial services firms continues to grow and
with it the need for internal auditors to improve their knowledge in key areas, specifically cybersecurity and
model risk.
Advances have been made by internal audit to connect more with the lines of business and management
as part of collaborative efforts to improve oversight and to help the organization understand its risks and
achieve its strategic objectives. Such collaboration improves communication between the three lines of
defense while also helping organizations become more efficient and work to optimize existing resources as
difficulties in hiring and retaining talent become ever more acute.
In light of the lack of talent, firms need to consider additional investment in technology-enabled auditing
approaches and tools to help them meet their growing list of priorities, especially since emerging
technologies will continue to be adopted by banks eager to remain competitive in a changing marketplace.
Through enhancing efficiencies, knowledge and effectiveness, internal audit functions will be able to focus
on improving their skills in order to assist organizations in their continued growth, while at the same time
ensuring internal audit becomes a key strategic partner in the broader enterprise.

About Protiviti
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune
1000®
and 35 percent of Fortune Global 500®
companies. Protiviti and our independently owned Member
Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with
smaller, growing companies, including those looking to go public, as well as with government agencies.
Ranked 57 on the 2016 Fortune 100 Best Companies to Work For®
list, Protiviti is a wholly owned subsidiary
of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the SP 500 index.
Contacts
Scott Jones
Managing Director, Internal
Audit and Financial Advisory
+1.213.327.1442
scott.jones@protiviti.com
Cal Slemp
Managing Director,
IT Consulting
+1.203.905.2926
cal.slemp@protiviti.com
Ed Page
Managing Director,
IT Consulting
+1.312.476.6093
ed.page@protiviti.com
Cory Gunderson
Managing Director,
Global Leader Financial
Services Industry
+1.212.708.6313
cory.gunderson@protiviti.com
Michael Thor
Managing Director,
Internal Audit and
Financial Advisory
+1.317.510.4685
mike.thor@protiviti.com
Barbi Goldstein
Managing Director,
Internal Audit and
Financial Advisory
+1.212.603.8351
barbi.goldstein@protiviti.com
Matthew Moore
Managing Director,
Risk Compliance
+1.704.972.9615
matthew.moore@protiviti.com
Timothy Long
Managing Director,
Risk Compliance
+1.212.399.8637
timothy.long@protiviti.com
Michael Brauneis
Managing Director,
Risk Compliance
+1.312.476.6327
michael.brauneis@protiviti.com
Matthew Perconte
Director, Risk Compliance
+1.312.476.6998
matthew.perconte@protiviti.com
James McDonald
Managing Director,
Risk Compliance
+1.704.998.0786
james.mcdonald@protiviti.com
Dolores Atallo
Managing Director,
Risk Compliance
+1.212.708.6323
dolores.atallo@protiviti.com
Shaheen Dil
Managing Director,
Data and Analytics
+1.212.603.8378
shaheen.dil@protiviti.com
Jason Goldberg
Director, Business Performance
Improvement
+1.212.471.9678
jason.goldberg@protiviti.com
Charlie Anderson
Managing Director,
Data and Analytics
+1.312.364.4922
charlie.anderson@protiviti.com

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-101079
Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on
financial statements or offer attestation services.
* Protiviti Member Firm
THE AMERICAS
UNITED STATES
Alexandria
Atlanta
Baltimore
Boston
Charlotte
Chicago
Cincinnati
Cleveland
Dallas
Denver
Fort Lauderdale
Houston
Kansas City
Los Angeles
Milwaukee
Minneapolis
New York
Orlando
Philadelphia
Phoenix
Pittsburgh
Portland
Richmond
Sacramento
Salt Lake City
San Francisco
San Jose
Seattle
Stamford
St. Louis
Tampa
Washington, D.C.
Winchester
Woodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro
São Paulo
CANADA
Kitchener-Waterloo
Toronto
ASIA-PACIFIC
AUSTRALIA
Brisbane
Canberra
Melbourne
Sydney
CHINA
Beijing
Hong Kong
Shanghai
Shenzhen
INDIA*
Bangalore
Hyderabad
Kolkata
Mumbai
New Delhi
JAPAN
Osaka
Tokyo
SINGAPORE
Singapore
CHILE*
Santiago
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas
EUROPE/MIDDLE EAST/AFRICA
FRANCE
Paris
GERMANY
Frankfurt
Munich
ITALY
Milan
Rome
Turin
THE NETHERLANDS
Amsterdam
UNITED KINGDOM
London
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
SOUTH AFRICA*
Johannesburg
QATAR*
Doha
SAUDI ARABIA*
Riyadh
UNITED ARAB EMIRATES*
Abu Dhabi
Dubai

Top Internal Audit Priorities for Financial Services Organizations, 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (16)

Viewers also liked

Viewers also liked (15)

Similar to Top Internal Audit Priorities for Financial Services Organizations, 2016

Similar to Top Internal Audit Priorities for Financial Services Organizations, 2016 (18)

More from jennyhollingworth

More from jennyhollingworth (9)

Recently uploaded

Recently uploaded (20)

Top Internal Audit Priorities for Financial Services Organizations, 2016