Top 10 internal audit risks for FS firms in 2019 and beyond

The financial services industry entered 2019 on somewhat shaky ground. Total business volumes dropped for the first time since 2013 in the fourth quarter of last year, according to the latest PwC and CBI Financial Services Survey.

Optimism continued to decline, particularly among investment managers, banks and building societies. Respondents also predicted that business volumes and profitability would fall in Q1 2019; it has been 10 years since organisations forecast a contraction in volumes for the quarter ahead.


PwC highlighted the five key risks for financial services in 2019:

  1. Macroeconomic uncertainty; 
  2. Regulatory compliance; 
  3. Brexit; 
  4. Financial market instability; and 
  5. Making better use of data. 

Internal auditors help provide assurance for businesses across these crucial areas. But what particular issues will audit departments face over the coming 12 months and beyond? 

We’ve collated insights from the Big 4, the Chartered Institute of Internal Auditors (IIA), the European Confederation of Institutes of Internal Auditing (ECIIA) and our own research to bring you the top 10 risk areas.

1. Cyber security

Cyber security remains a priority for boardroom agendas, with high-profile breaches hitting the headlines on an almost weekly basis. GDPR’s introduction last year will only make these threats an even more pressing concern for businesses, as they weigh up the financial and reputational damage of cyber security failings.

The ECIIA and IIA’s Risk in Focus Report 2019 highlighted cyber security as the leading concern for auditors this year, with 66% of professionals citing it as a top-five risk at their organisation and 15% claiming it was the single biggest problem.

Auditors can support cyber security efforts by performing risk assessments and penetration testing of existing processes and selected IT assets to measure the company’s capabilities against best-practice industry standards. Audit departments should also review current frameworks and offer process improvement suggestions to maintain resilience within a constantly evolving threat landscape.

2. Industry 4.0

The impact of digitalisation, automation, cloud computing and the Internet of Things on organisations is often loosely termed Industry 4.0. The name predominantly applies to manufacturing and other production-focused sectors, but the underlying technologies are causing major disruption across multiple industries, including financial services.

Auditors must be prepared to deliver assurance across these areas, whether it’s more basic uses, such as chatbots, or sophisticated artificial intelligence and machine learning technologies.

Two-thirds of chief audit executives (CAEs) said the risks of digitalisation and associated changes will be an area of focus for their teams in 2019, according to ECIIA and IIA figures. Subject matter expertise across these disruptive technologies will become increasingly essential for audit departments as they take on these challenges.

3. Brexit

A recent Bank of England Systemic Risk Survey for H2 2018 revealed that UK political risk was by far the biggest high-impact event that could cause systemic problems for the country’s financial system. Nearly all (97%) risk management and treasury professional respondents were worried about political hazards, with 80% of these specifically mentioning Brexit.

At the time of writing, Prime Minister Theresa May has promised to return to Brussels for further concessions from the EU regarding the Irish backstop issue. The EU continues to be adamant that no substantial revisions to the current deal with the UK will occur, suggesting an impasse.

Unsurprisingly, the ongoing uncertainty over Brexit, in particular the possibility of a no deal split, remains front of mind for many businesses in 2019. Even when the dust settles, the disruptions to trade, European relations and financial services recruitment are likely to be felt for years to come. Our research shows 43% of internal auditors feel less secure in their jobs due to Brexit.

4. Data protection and management

We have already touched on the impact of GDPR, but the regulation affects more than just cyber security processes. Organisations are expected to dramatically improve their data protection and management, with Google already receiving a €50 million (£44 million) fine this year for perceived failings.

Data management problems also prevent businesses from taking advantage of better decision-making, increased competitiveness and more comprehensive compliance. Nearly 6 in 10 CAEs believe data security and compliance are a top-five audit issue for 2019.



How can auditors support firms in their data management aims? KPMG advises assessing the effect of GDPR on an organisation’s strategic goals and risk exposure. Integrating the regulation’s requirements into the annual audit programme will also help data compliance become key to the assessment and assurance process.

5. Third-party relationships and suppliers

Outsourcing and third-party relationships help companies boost efficiency and productivity by enabling them to rely on trusted suppliers for vital business functions while they focus on key strategic objectives.

While only 3% of CAEs in the ECIIA and IIA poll ranked outsourcing and third-party risk as their biggest concern for 2019, this is likely to be a key area for auditors across financial services in the coming years. This is particularly true given the rise of Open Banking and the growing number of partnerships between banking incumbents and innovative fintechs.

Auditors must be adept at reviewing third-party relationships and due diligence processes, as well as assessing outsourcing risks related to regulations, accounting, technology and taxes, among other areas. Cyber security will be a key focus area, as many firms outsource this responsibility to suppliers.

6. Treasury management

Corporate treasury and bank treasury departments are evolving to become trusted strategic business partners in many organisations. According to KPMG, the introduction of cutting-edge automation technology is helping drive this trend, as treasury functions begin implementing sophisticated payment systems to tackle fraud, reduce competitive pressures and formulate new hedging strategies.

In our inaugural 2019 Treasury Market Report, 89% of professionals said technology helps drive treasury team efficiency. More than one-quarter (27%) of candidates also claimed technology would improve job security, with the ongoing management of such systems requiring skilled treasury professionals.

Internal audit can help support treasury growth by conducting independent reviews of an organisation’s financial risks, payment systems and cash management processes. Assessing financial reporting procedures and bank relationship management structures is also key to building a strong treasury department.

7. Governance, culture and ethics

Conduct and culture have been under the spotlight for many firms since the global financial crisis in 2008, with the banking industry bearing the brunt of the reputational damage. However, high-profile bankruptcies at BHS and Carillion, as well as public outrage at employment practices at firms such as Sports Direct, have seen corporate governance concerns rise in prominence across multiple industries in the UK. The Harvey Weinstein scandal has also led to a greater focus on sexual harassment and gender equality in the workplace.

The Financial Reporting Council published an updated UK Corporate Governance Code in 2018, but many organisations will want to go beyond the minimum requirements for culture and conduct. Indeed, 25% of CAEs indicated culture as a top-five risk to their organisation, the ECIIA and IIA revealed. HR and people risk ranked even higher at 42%.

Auditors will be expected to identify whether or not the right tone at the top is being set, while also measuring the effectiveness of anti-discrimination and equality initiatives. Furthermore, audit teams must show HR communication of the company’s culture and ethics policies is satisfactory. Gartner figures show 27% of audit teams are not confident in their current capabilities to provide assurance over cultural risks.

8. Net working capital (NWC) management

KPMG predicts NWC efficiency will become a key risk for internal auditors over the next two years. NWC management is considered a valuable measure of an organisation’s financial maturity, and the Big 4 firm believes there are several key drivers of activity in this area:

  • Poor solvency ratios increasing financing costs; 
  • Pressure to meet market analyst expectations; 
  • A growing focus on cash generation (rather than profits and losses) as a measure of success; 
  • Increased technology adoption to drive continuous improvement of NWC processes; and
  • Better bonuses and incentives linked to NWC management. 

Audit departments will therefore need professionals who have controlling, accounting and treasury skillsets, as well as experience of business process analysis, modelling and benchmarking.

9. Transformation and change management

Technology transformation and change is the second biggest hot topic among IT auditors for 2019, with only cyber security considered more important in a recent Deloitte study.

Organisation-wide projects, technologically driven or otherwise, pose significant challenges for businesses. They are often complex, involve numerous stakeholders and typically face resistance among the workforce. Failing to achieve employee buy-in at all levels of the company is a frequent downfall of ambitious transformation programmes.

KPMG has outlined five ways that auditors can help organisations achieve their change management objectives:

  1. Offer independent assurance over project governance structures and the set-up/monitoring of company-wide implementations; 
  2. Assess return-on-investment monitoring processes; 
  3. Evaluate contract compliance for project-specific service providers; 
  4. Provide project risk management assurance; and
  5. Conduct pre- and/or post-implementation reviews of material projects and deliver assurance to key stakeholders on the outcomes. 

10. Skills shortages

A lack of available talent is a problem for audit teams at both an organisational level and within their own departments. A global Protiviti report found the ability to attract and retain top talent is the second biggest risk that will affect businesses in 2019, beating even cyber threats and regulatory challenges.

Record high employment levels in the UK are only exacerbating skills shortages across multiple professions. Furthermore, our latest research shows audit departments themselves are struggling to source the skills they need to tackle the difficulties they face. Finding candidates with the right technical and interpersonal capabilities was cited by 44% and 32% of audit hiring managers, respectively, as the biggest recruitment hurdles they encountered in 2018.

We have seen a specific shortage of auditors who have information and cyber security experience, with employers often refusing to put an upper limit on salaries in an effort to attract the best candidates.

Are you adequately resourced for 2019 and beyond?

Only 44% of organisations in a PwC poll felt their internal audit teams provided significant value in 2017, compared with 54% the previous year. The consultancy claimed this was more to do with high expectations than departmental shortcomings.

However, our research shows 48% of auditors believe their teams are inadequately resourced for the challenges they face. As the war for talent intensifies, organisations must ensure they have auditors with the right skills and experience to provide assurance in an increasingly complex risk landscape.

If your business requires help strengthening its audit function, or you are a candidate hoping to take the next step in your career, please contact me on 0207 936 2601 or via email at to discuss your options.