Issue Remediation
A recent report from the FDIC on SVB’s failure pointed out repeated issues that were not addressed after regulatory bank audits. For example, the regulatory audit of banking technology raised repeated issues without clear resolution. The year the bank failed, regulators documented Supervisory Recommendations (SR) “related to end-of-life management, vulnerability timeframes, configuration management, IT succession plan, project management reporting, risk assessment, asset inventory, and business continuity management.” These issues represent the core risks and controls that any audit of banking information systems should target. The internal audit team should have reviewed these risks and controls during their own bank audits, and they should have held management accountable for mitigation. IIA Standard 2500 requires the CAE to review open issues and ensure these have been remediated. Once a risk exposure has been identified in a bank audit, an action plan must be implemented with proper controls.
Enterprise Risk Management
Increased regulatory attention focused on independent risk management functions within financial institutions is also likely. Internal auditors should be…