Governance, Risk & Compliance: GRC
The Evolving Role of Internal Audit in Operational Resilience
In January 2024, the Institute of Internal Auditors (IIA) unveiled its revised Global Internal Audit Standards, reflecting the global regulatory focus on operational resilience. At the core of these updated guidelines? A strong emphasis on leveraging technology to improve internal audits and risk management practices.
Embracing a tech-enabled approach well means doing three things: it’s about an organization’s overall responsiveness, agility, and effectiveness in identifying and mitigating potential threats. Taken together, these three elements fortify and organization’s governance frameworks and ensure continued resilience in the face of an ever-evolving risk landscape.
A Snapshot of Recent Operational Resilience Movement
The regulatory landscape surrounding operational resilience has been rapidly evolving, with various initiatives across different regions.
In Europe, the Digital Operational Resilience Act (DORA) establishes a new regulatory framework that requires financial institutions to enhance their operational resilience by effectively managing ICT-related incidents.
Similarly, the UK’s Financial Conduct Authority (FCA) introduced the Operational Resilience Act. This aims to ensure firms can prevent, adapt to, respond to, recover from, and learn from operational disruptions.
In the Asia-Pacific region, the Australian Prudential Regulation Authority (APRA) has introduced CPS 230, a comprehensive framework for APRA-regulated entities to identify, assess, manage, and report on operational risks.
The Monetary Authority of Singapore (MAS) has also issued guidelines on Business Continuity Management (BCM), encouraging financial institutions to adopt principles to minimize disruptions to critical business services.
Transformation is Underway
Amidst this evolving regulatory landscape, the role of internal audits is undergoing a transformation. Internal auditors are now expected to move beyond their traditional compliance assurance role and become more proactive and strategic partners in risk management. The new IIA Standards emphasize the identification and evaluation of emerging hazards, requiring internal auditors to modify their audit plans where necessary to ensure assessments and stress tests are in line with potential and material risks.
Key responsibilities of internal auditors in managing operational resilience include:
- Reviewing and stress testing internal controls to mitigate compliance and operational risks.
- Identifying and assessing emerging risks that may materialize after the conclusion of the standard audit cycle.
- Fostering cross-functional collaboration and knowledge-sharing across the organization and its subsidiaries.
To facilitate this shift, it’s all about the effective utilization of data and technology. According to the IIA Standards, technology plays a critical role in modern auditing. Why? Technology enables internal auditors to identify patterns and trends that may indicate potential risks or control deficiencies. By leveraging advanced analytics, real-time risk monitoring, and, in some cases, artificial intelligence, internal auditors can anticipate risks, identify trends, and provide insights that drive strategic decision-making.
Final Thoughts
As the regulatory focus on managing operational risks continues to grow, the internal audit function is becoming increasingly valuable. By adopting a proactive and strategic approach, internal auditors can mitigate risks and empower firms to transact with confidence and scale compliantly. This is the key to long-term organizational stability and longevity.