The emerging and continued volatility in global markets has created a dynamic risk environment for large financial institutions. Various factors such as geopolitical tension and tariff turbulence, as well as significant disruption to federal agencies, are contributing to a sense of uncertainty in the business landscape. As regulators continue to perform their own supervisory reviews, they will place increased reliance and, therefore, additional scrutiny on internal audit’s work when assessing a company’s capability to manage risks.
As organizations close on Q1 2025, internal audit functions should continue to monitor their risk assessments for appropriate coverage for the following topics:
- Slowing Global Growth and Inflationary Pressures: These pressures weigh on the creditworthiness of borrowers—both commercial and retail customers—and require continued assessment of the impact on credit risk. Chief audit executives (CAEs) need to ensure that providing meaningful risk coverage and appropriate risk mitigation remains a critical focus, especially over asset quality, where there is real estate and consumer credit exposure.
- Liquidity Risks: Slowing deposit growth and rising funding costs are increasing the potential for liquidity risk tail events. CAEs need to determine when appropriate audits over liquidity risk management, including evaluating governance and changes in strategy, are needed. Liquidity stress testing programs should be reviewed to ensure they are able to capture the changing environment with assumptions continuously reviewed for applicability.
- Cybersecurity Threats: With the increasing reliance on digital platforms, banks are vulnerable to sophisticated cyberattacks, including ransomware and phishing schemes. CAEs should pay attention to strengthening cybersecurity frameworks and help ensure depth in cybersecurity capability within their teams. The proliferation of artificial intelligence has provided additional tools to bad actors to attack organizations and these new threat vectors need to be incorporated into audit plans.
- Digital Operational Resilience Act (DORA): Banks with operations in Europe need to plan for and test compliance with DORA and similar regulations. Internal auditors need to understand specific provisions of DORA and related regulations, including requirements for ICT (information and communication technology) risk management, incident reporting, and operational resilience. Auditors should assess whether the organization’s ICT risk management frameworks align with DORA’s requirements; evaluate the organization’s procedures for handling and reporting ICT-related incidents; and test the organization’s ICT business continuity and disaster recovery plans to ensure they are robust and align with regulatory expectations for operational resilience.
A Road Map for Mitigating Risk
Navigating an ever-evolving business landscape will remain a challenge for the immediate future. With the rise of cybersecurity threats, data privacy concerns, and accelerating digital transformation, CAEs will need to take the necessary measures to ensure their organizations have robust systems in place to help mitigate these emerging technology risks. Effectively identifying, assessing, and addressing risks early has never been more critical to helping ensure long-term sustainability and success at a time with so much uncertainty.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
Read Our Other CAE Perspectives: