Navigating Complexity: Takeaways From the CU Risk Roundtable

Read insights and takeaways from a diverse panel of internal audit, compliance, and risk leaders.

Internal audit, compliance, and risk leaders shared their challenges, regulatory expectations, and opportunities regarding risk at a recent roundtable hosted by Forvis Mazars. Hailing from institutions ranging in size from less than $2 billion to more than $10 billion in assets, the participants discussed how they are navigating mergers, rapid growth, or transformation initiatives. This article shares some insights gleaned from the forum.

Key Takeaways

Some of the main takeaways from the roundtable include the following:

Stronger ERM – Internal Audit Alignment

Credit unions continue to refine how enterprise risk management (ERM) and internal audit work together while maintaining a clear separation between the two. Some of the ways leaders are addressing risks include enhancements to risk appetite statements, risk and control self-assessments (RCSAs), and risk metrics. Leaders noted that ERM helps them manage risk while internal audit helps preserve independent assurance.

Control Rationalization to Reduce Complexity

Simplifying control inventories is important, according to leaders. A focus on “key controls” can help institutions streamline testing, reduce noise, and clarify ownership, ultimately leading to more efficient, risk‑aligned control environments.

GRC Technology Integration Presents Challenges

While governance, risk, and compliance (GRC) platforms provide strong capabilities for individual functions, integrating risk, audit, compliance, and vendor management into a single ecosystem remains difficult. Some credit unions are exploring new ways to consolidate processes, improve transparency, and eliminate duplication.

Shifts in Examination Focus

While exams have become lighter and less specialized due to staffing constraints, examiner expectations for mature risk management practices keep rising. Examiners are currently focused on areas such as IT/cybersecurity, data governance and the Gramm-Leach-Bliley Act (GLBA), third‑party risk, Bank Secrecy Act and anti-money laundering (BSA/AML) model validations, commercial lending, and emerging artificial intelligence (AI)/model risk governance. Institutions involved in mergers reported higher scrutiny of integration‑related risks and IT controls.

Managing Resource Constraints With Efficiency Strategies

Nearly all forum participants are balancing rising expectations with limited staffing. Some of their effective strategies include increased use of analytics, more frequent updates to audit risk assessments, one‑page committee reporting, consolidated audit reports across similar functions, and selective outsourcing to address high‑risk or specialized areas.

Reinforcing Audit Independence

Attendees raised concerns about reporting structures where internal audit sits under executives responsible for audited functions. Many leaders emphasized documenting clear functional reporting lines to the audit or supervisory committee to help maintain independence and meet three‑lines‑of‑defense expectations.

How Forvis Mazars Can Help

Forvis Mazars can assist credit unions with practical insights, industry‑aligned benchmarking, and hands‑on experience across governance, risk, and internal control frameworks. Our team works with credit union leaders to help enhance risk maturity, strengthen audit practices, improve resourcing models, and prepare for regulatory scrutiny.

To learn more or to participate in future roundtables, please contact our team.
