The Federal Reserve Board’s (FRB) revised Statement of Supervisory Operating Principles (Statement) significantly shifts its supervisory philosophy and practice. The revised principles emphasize a sharper focus on material financial risks, proportional supervisory action, and greater reliance on financial institutions’ internal audit function. For financial institutions, this represents not only a recalibration of supervisory expectations but also an expanded role for internal audit as a cornerstone of risk management and regulatory compliance oversight.
Background
At the heart of the revisions is a move away from procedural or documentation-driven supervision towards a risk-based approach that focuses on the issues that pose genuine threats to an institution’s safety and soundness. This risk-based prioritization is designed to employ supervisory resources more efficiently by reducing distraction from minor deficiencies and placing attention on matters that could pose material financial risks. The Statement contains several key themes, but for purposes of this article, the following stand out:
- Risk-based prioritization: Examiners are instructed to concentrate on issues that pose material threats to safety and soundness, avoiding distraction from minor procedural deficiencies.
- Supervisory observations reinstated: The reversal of Supervision and Regulation (SR) Letter 13-13 allows examiners to issue nonbinding observations for issues that do not pose material financial risk, which is the new threshold for the issuance of Matters Requiring Attention (MRAs) or Matters Requiring Immediate Attention (MRIAs).
- Reliance on the work of other agencies: Examiners are encouraged to rely on examinations conducted by the primary state or federal supervisor, where appropriate, to avoid duplicative examinations.
- Tailored supervision: The allocation of resources and the intensity of examinations will be proportionate to the size, complexity, and systemic importance of institutions.
- MRA/MRIA remediation: Examiners will rely on internal audit validations of MRA/MRIA remediation when the financial institution’s internal audit function is rated satisfactory, thereby eliminating duplicative remediation reviews.
The reinstatement of supervisory observations, the reliance on the work of other agencies, and the tailoring of supervisory resources to institution complexity all reflect this recalibration. However, the expanded role of internal audit is a consequential change that can provide meaningful benefit to financial institutions, provided that the implication of the new role is fully understood.
Internal Audit’s New Role & Potential Challenges
Previously, examiners often conducted validation of remediation efforts that were largely duplicative of internal audit validations, and such reviews were frequently conducted long after internal audit had completed its reviews, prolonging the financial institution’s remediation efforts and delaying closure of MRAs and MRIAs.
Under the revised Statement, once deficiencies are remediated, examiners are instructed not to delay termination of enforcement actions, relying on internal audit to validate the financial institution’s remediation efforts, with the examiner monitoring the sustainability of the remediation post-termination. This represents a fundamental shift in the perspective and role of the internal audit function from oversight to reliance. Yet, as the examiners begin to rely more heavily on internal audit’s work, the potential for tension becomes evident, particularly when audit conclusions and supervisory determinations diverge, raising questions about alignment, credibility, and the sustainability of remediation efforts.
The internal audit function has long been regarded as a critical function for bank governance, compliance, and risk management, but the function was often seen as serving in a supporting assurance role. The new supervisory principles elevate internal audit to a critical assurance provider responsible for validating the remediation and sustainability of supervisory issue closure. However, this shift introduces several potential points of friction.
Banks accustomed to lighter regulatory reliance on their internal audit function will need to adapt to the sudden increase in expectations for audit rigor, speed, and regulatory perspectives. Examiners may need to recalibrate their approach as well, balancing reliance on internal audit determinations with their own supervisory testing and judgment, which could lead to inconsistencies in application across institutions.
Legacy audit functions may not yet be equipped for the level of continuous monitoring and rapid validation now expected, creating gaps between supervisory demands and operational realities. Culturally, internal audit functions will need to adjust to balance the role of being an arbiter and assessor with being an organizational partner across each risk stripe. While the intent of the revised principles may be to strengthen assurance and accountability, financial institutions and examiners alike must adapt to a new paradigm where internal audit is no longer peripheral but central to supervisory confidence.
Another practical challenge under the revised framework is the potential for discrepancies between internal audit conclusions and supervisory determinations. Even when internal audit signs off on a financial institution’s business-as-usual practice, examiners may still identify deficiencies with the practice and issue an MRA or MRIA. This creates a dual burden: not only must an internal audit team revisit its prior work, but it must also refocus its own analysis within the context of examiners’ determination and strengthen sustainability testing to ensure that the MRA or MRIA remediation is both durable and aligned with supervisory expectations.
This situation underscores the importance of internal audit adopting a forward-looking approach: anticipating supervisory priorities, embedding sustainability monitoring, and treating remediation validation as an ongoing process rather than a one-time event. By doing so, banks can demonstrate to the regulators that their internal audit framework is both rigorous and resilient.
This shift offers banks a chance to strengthen governance and build trust amongst key stakeholders and the regulators. By investing time on the front end, banks can demonstrate resilience and responsiveness.
Key Considerations for Institutions
Against the backdrop of evolving supervisory expectations, banks should carefully consider several strategic imperatives to ensure their internal audit function is equipped to meet the demands of the new regulatory environment. The following key considerations highlight the critical areas where banks should focus their efforts:
- Elevated expectations for internal audit quality: The FRB makes it clear that supervisory reliance on internal audit is contingent upon the function being rated “satisfactory.” This shift significantly raises the bar for audit quality, independence, and effectiveness. As such, banks should invest in strengthening their audit capabilities. First, institutions need to identify personnel with deep expertise in risk management, compliance, and identifying and measuring emerging risks. Next, internal audit programs should be broad, risk-based, and aligned with supervisory expectations and priorities to ensure activities are both credible and relevant.
- Greater accountability for remediation validation: Under the revised framework, internal audit assumes the primary responsibility for validating remediation efforts. This expanded accountability for the internal audit function requires a disciplined approach to documentation, timeliness, and sustainability. Internal audit reports should provide clear and sufficient evidence to support the closure of MRAs and MRIAs, ensuring that the examiners can rely on internal audit conclusions. Internal audit teams must operate with agility to perform validation activities promptly in order to avoid unnecessary delays. In addition, sustainability monitoring will be critical to ensure remediated issues do not re-emerge.
- Prepare for a cultural shift: Financial institutions should consider the broader strategic implications of this change. It is important that internal audit be viewed as a strategic partner in risk management rather than simply as a compliance function. This cultural change will require board and management support, and ongoing communication between key stakeholders. In addition, the board and/or designated audit committee will need to take a more active role in overseeing the internal audit function, reviewing audit plans, monitoring remediation validation, and ensuring clear lines of independence.
- Closer integration with risk and compliance functions: The expanded role of internal audit will require stronger collaboration with key stakeholders in the risk and compliance functions across the organization. Banks should ensure robust remediation governance structures are established.
- Strategic positioning of internal audit: Internal audit is no longer viewed as a backstop but as a frontline assurance partner under the FRB’s updated procedures. Therefore, the board and senior management must strategically reposition the function within the financial institution’s overall governance framework. Reinforcing independence is imperative to ensure audit reporting remains free from influence.
Key Insights for Navigating the Changes
As banks navigate the evolving landscape, it is essential to adopt a proactive and strategic approach to internal audit. The following insights outline key actions that institutions should consider:
- Strengthen internal audit ratings: Financial institutions should proactively enhance internal audit performance through measures including, but not limited to, external quality assessments, benchmarking against industry standards, and addressing identified gaps.
- Align audit plans with supervisory priorities: Audit plans should mirror the supervisory focus on material risks. By aligning audit coverage with supervisory expectations, banks can demonstrate proactive risk management.
- Enhanced coordination with the regulators: Internal audit should engage directly with regulators to build strong communication channels and ensure methodologies and validation.
- Prepare for sustainability testing: Although the regulators may not delay closure of MRAs/MRIAs to test sustainability, they will hold banks accountable if deficiencies reappear. Therefore, internal audit must ensure sustainability testing frameworks are robust and adequately designed to monitor the long-term effectiveness of remediation.
How Forvis Mazars Can Help
The FRB’s statement represents a paradigm shift in supervision, emphasizing focus on material financial risks, proportionality, and greater reliance on internal audit. For banks, the expanded role of internal audit presents both an opportunity and a responsibility. Institutions that invest in their internal audit function will not only meet regulatory expectations but also enhance their ability to navigate a rapidly evolving regulatory landscape.
In the heavily regulated banking industry, financial services leaders face more challenges than ever, from striving to meet shareholder and regulatory expectations to pursuing digital innovation. Forvis Mazars can help your financial institution tackle issues inherent to the industry, including market growth, internal control threats, industry consolidation, and compliance. We work closely with financial institution clients to manage the full lifecycle of regulatory remediation, including MRAs, MRIAs, and enforcement actions. Leveraging our extensive experience in helping clients address supervisory findings, we use a co-sourcing approach to validate remediation efforts, ensuring corrective actions are effective, sustainable, and aligned with regulatory expectations.
We have the skills and experience in financial services that you can trust, combining a focus on Unmatched Client Experience® with the resources of a global firm. Serving you is our passion and privilege.