A version of this article was previously published in the June 2019 edition of the Western Bankers Association’s WesternBanker Magazine.
While financial institutions can significantly differ in size, location, and complexity, all financial institutions must comply with regulatory requirements, meet service demands, protect assets, and best utilize resources. As market competition and consolidation increase, financial institutions are increasingly leveraging internal audit functions to address these requirements.
With this shift, banks and credit unions expect more from their internal audit functions or are adding them for the first time. That means internal auditors must expand their purview from risk and internal controls to overall management and operational performance — delivering solutions by recommending policy changes and process improvements instead of merely providing findings.
Whether your organization relies solely on internal audit employees, supplements its internal team with specialized external expertise, or outsources its internal audit functions completely, the following three steps are essential to achieving a more holistic and impactful internal audit.
Think beyond controls
Internal controls play a critical role in protecting assets, safeguarding resources, and processing and reporting timely financial information. However, internal audit activities shouldn’t stop with internal controls and financial risks. They should also extend to assessing operational risk — such as analyzing people, processes, facilities, and systems — as well as evaluating performance.
By taking a more holistic approach to internal audit — one that includes internal controls, risk management, and performance in the evaluation — organizations can create a culture of safety, transparency, efficiency, and effectiveness.
A holistic approach considers all of the factors that impact an organization — not just internal controls and financial risk. Beyond the internal controls, it’s important to consider the experience and knowledge of the existing internal audit staff when it comes to addressing new situations, products, and services. Financial Institutions should also consider whether the existing systems and processes are able to effectively support the scalability of current as well as new products and services.
Provide practical solutions
One of the most common criticisms internal auditors receive is that they don’t provide detailed, tangible solutions for resolving findings after identifying them. For example, many auditors limit themselves to the following:

