Internal audit

in financial
services
reimagined
Predictions for success in a
fast-changing profession

kpmg.com
 About the authors
John-Paul Font
Advisory Principal
Kreg Weigand
Advisory Partner
jpfont@kpmg.com kweigand@kpmg.com
John-Paul Font is a principal in Kreg Weigand is a partner in
KPMG’s Internal Audit and Enterprise KPMG’s Internal Audit and
Risk practice and a member of Enterprise Risk practice. He has
KPMG’s National Enterprise Risk Management (ERM) over 25 years of internal audit, operations, and risk
team. John-Paul has more than 20 years of internal management experience in the financial services,
audit and risk management advisory experience. He retail, and manufacturing industries. Recognized as an
specializes in internal audit services, Sarbanes-Oxley integrated assurance thought leader, his deliverables
assistance services, ERM services, data analytics, include complex internal audit engagements, SOX,
business process improvement initiatives, operational GRC, ERM, and compliance transformation. In addition
and functional business assessments, operational due to his focus on internal audit and risk management
diligence, postmerger integrations, internal audit function services, Kreg has significant experience in facilitating
assessment, fraud risk management reviews, FCPA executive management and boards, program
controls implementations, and enterprise-wide control management, corporate governance, data/information
self-assessments. John-Paul serves as KPMG’s National privacy, operational process improvement, and
Internal Audit Solutions leader. compliance.

Nicole Lauer
Advisory Principal
Mark Wuchte
Advisory Managing Director
nlauer@kpmg.com mwuchte@kpmg.com
Nicole Lauer is a principal in KPMG’s Mark Wuchte is a managing
IT Risk Consulting practice. She has director in KPMG’s Internal Audit
more than 15 years of experience and Enterprise Risk practice. He
in delivering IT audit, controls and compliance, and has more than 14 years of experience providing audit
remediation services to clients across several industries. and advisory services to financial services clients,
Nicole serves as the global lead for IT audit and controls particularly global financial institutions and bank
for several multi-national advisory clients and is also holding companies, commercial and community
the lead IT specialist for a number of publicly traded banks, and broker-dealers. Mark works closely with
corporations. She specializes in internal audit services senior management of leading financial institutions
and methodology, IT risk assessment, and controls across all three lines of defense to help assess,
implementation and remediation in support of enterprise develop, implement, and test processes and controls
wide compliance programs. to comply with increasing regulatory obligations and
expectations.

Thank you to our contributors!

Eduardo J. Ramos Randy Tripp
Executive Vice President and Chief Audit Managing Director and General Auditor
Executive TD Ameritrade
American Express

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Internal audit in financial services reimagined b
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 Contents
New thinking for a new era 3

Disruption on all fronts 4

Envisioning next-generation internal audit functions 7

How to get started with internal audit transformation 12

How KPMG can help 15

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Internal audit in financial services reimagined 1
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 New thinking for a new era
Rapid technology change. Shifting regulations. Talent shortages.
The financial services industry is being disrupted from many
fronts, and the effects are trickling down to internal audit
functions. The next three to five years will add significant
complexity to the business of internal audit, presenting both
new challenges to overcome and opportunities to shine.

This new era demands new thinking, new skills, and In this paper, we combine our collective experience working
new capabilities. Given the scope and pace of change, with leading financial services organizations to improve internal
traditional approaches to internal audit will soon prove audit with firsthand viewpoints of internal audit leaders from
incapable of providing the level of risk-related assurance American Express and TD Ameritrade. We feature American
and insight financial services organizations need to protect Express and TD Ameritrade in this paper because their internal
and enhance organizational value. audit functions are challenging traditional thinking and audit
approaches. The perspectives of their internal audit leaders help
For internal audit to effectively meet the raised
shed light on the future of the profession.
expectations of stakeholders—including the audit
committee, executive team, and business line Read the following pages to examine what’s ahead for
managers—greater speed, agility, business alignment, financial services industry internal audit departments, and
and future focus will be paramount. Therefore, internal gain actionable advice for building next-generation internal
audit will need to become more data-enabled, dynamic and audit functions.
driven than ever before.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Internal audit in financial services reimagined 3
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 Disruption on all fronts
Much has been written about the massive disruption of
the financial services industry, (including by our colleagues
at KPMG1). Relentless technology innovation, a shifting
regulatory landscape, and a talent shortage are creating
massive complexity for internal audit.

Technology change Operations, from the front office to the back, increasingly rely
Financial services organizations are operating in a on emerging technology innovations like intelligent automation,
marketplace under siege. Nimble and innovative fintechs predictive analytics, and blockchain to serve customers faster,
such as PayPal and Google Pay are pressuring traditional smarter, and more effectively.
financial services organizations to raise their game.
Such innovations have the potential to drive significant
Some of the world’s most powerful companies—from
business value and give financial services organizations
Amazon to Walmart—are entering the space, too, with
a critical competitive edge. But they also reshape the
potentially revolutionary business models for e-commerce
enterprise risk landscape, making internal audit’s job far
and banking. At the same time, changing consumer
more complex. There will be new processes to audit.
preferences and demographics are redefining how
There will be new risks to watch out for. There will be new
customers interact with financial services—and what they
regulations at play.
expect from their experiences.
“Emerging technologies and digital disruption are
These market shifts are converging to make financial
rapidly changing the way companies do business today,”
services organizations of all shapes and sizes more
says Eduardo J. Ramos, Executive Vice President and
digital than ever before. A recent KPMG International
Chief Audit Executive at American Express. “Digital
survey found that almost half of bank CEOs expect major
advancements will bring a lot of positive changes, but also
disruption in the sector over the next three years as a
introduce new risks that must be effectively managed by
result of technological innovation, more than two-thirds see
companies, with guidance from internal audit.”
technological disruption as more opportunity than threat,
and 63 percent believe they are already actively disrupting
the sector.2

1
KPMG LLP Financial Services practice
2
Reaching the next level of innovation in banking (KPMG International, 2018)

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
For example, financial services organizations that add risk governance and controls, credit management, and
automation to operational processes may also need to make consumer protections.3 At American Express, the regulatory
changes to the control environment in order to monitor and environment around consumer and commercial lending is
manage the associated risks, such as business disruption due especially top of mind.
to bot failure. Meanwhile, financial services organizations that
“We’re living in a time where the credit market is very
increase their use of data analytics may need new checks in
competitive,” Ramos says. “Internal audit needs to keep an
place to make sure they adequately protect sensitive data and
eye on the growth of the credit portfolio. In what segments
remain compliant with wide-ranging privacy rules.
is it growing? What contingency plans are in place in case
“With all the technology change in the industry, a major of an economic recession? Is the business engaging in
challenge is to keep up with auditing the business,” says Randy good, responsible lending and collection actions to mitigate
Tripp, managing director and general auditor for TD Ameritrade. potential credit risk?”
“As different business functions embed new technology, we
For each new exam focus area or rule change in the
must understand what’s changing in enterprise-wide processes
industry, internal audit must reexamine the effectiveness
and what new processes the business is implementing so we
of the risk assessment and testing processes it relies on to
can adjust our methodologies to assess any new risks that are
evaluate compliance. The audit committee also increasingly
introduced as a result.”
calls on internal audit to provide recommendations on
Shifting regulatory landscape necessary updates to controls, risk management, and
Rapid growth in financial markets, products, and services, governance processes in light of new regulations.
and the application of innovative technologies have
The good news is that internal audit departments can
increased the complexity, diversity, and interconnectedness
usually plan ahead for regulatory change.
of financial services providers as well as the scope of
relevant regulators. States are taking a proactive role in “Regulatory change is always a concern, but at least we
areas where there are not yet comprehensive federal typically don’t have to change overnight,” says Tripp of TD
requirements, notably data privacy and cybersecurity, and Ameritrade. “We usually have some lead time to figure out
Congress is separately considering legislation to strengthen how to comply and we may even have some input into the
these same areas. Federal financial services deregulation rule changes themselves.”
has moved to “recalibrate” and “tailor” the application of
Talent gap
existing requirements, however, the regulations remain in
Financial services organizations’ internal audit departments
place and regulators continue their focus on supervision.
are also dealing with a talent shortage.
Financial services organizations are still expected to
Today’s strong U.S. economy, featuring low unemployment
strengthen core risk management and governance
levels, is one factor. In January 2019, U.S. unemployment
practices, particularly in the areas of cybersecurity
levels dipped to 4 percent, leaving hiring managers
and data privacy. At KPMG, these areas made our
struggling to fill positions.4
“top ten” list of regulatory challenges facing financial
services organizations.3 But the bigger factor is how internal audit work is
changing—and the required skill sets along with it.
“Privacy, cybersecurity and third party risk management
continue to remain critical focus areas from a global Increasingly, internal auditors are participating in strategic
regulatory standpoint,” says American Express’ Ramos. business initiatives and providing opinions on risk
“These risk profiles remain persistently elevated due to management and compliance functions, both of which
new and emerging regulation, changing business practices, demand specialized knowledge. People with the ability to
and the rapid evolution of technology.” effectively interact with the business are increasingly hard
to find. At the same time, rapid shifts in technology—and the
Other regulatory challenges in KPMG’s top ten list are
increased rate of technology adoption across businesses—are
related to ethics and conduct, compliance processes,
requiring internal auditors to take on emerging technology
financial crimes, capital and liquidity, divergent regulation,
skills such as data mining and analytics.

3
Ten key regulatory challenges for 2019: Actions to drive effective change in financial services (KPMG LLP, 2018)
4
National unemployment rate at 4.0 percent through January 2019 (National Conference of State Legislatures, Feb. 1, 2019)

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Internal audit in financial services reimagined 5
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 In addition, business operations—including
risk management, compliance, and
governance processes—continue to grow
more complex. There is a greater need than
ever for an independent review, which means
internal audit simply needs more hands on
deck (or better ways of doing their work).
Other factors are also contributing to the
skills challenge facing internal audit groups.
Not only is the workforce increasingly young
and inexperienced, but the best people may
not stay long in the role. In a recent KPMG
survey, 50 percent of IT audit and compliance
professionals who described a skill deficiency in
their departments attributed it to difficulties in
recruiting and retaining staff.5
Creating a culture that’s attractive to the
new generation of business professionals is
an ongoing challenge, and it might require
nontraditional talent management approaches.
For example, our research further shows
that work life balance is a critically important
factor in team engagement, even more than
compensation. Further, variety of project
experience and professional development are
essential for driving excitement at work.
“Our organization values internal audit as a
training ground,” says Tripp of TD Ameritrade.
“We’re a source of talent for other business
groups and we have had significant success
over the last few years in transferring talent into
the business.”
“Our internal audit workforce is changing
dramatically,” adds Ramos of American
Express. “Just five years ago, we had
two people dedicated to data analytics.
Now we have a 30-person team dedicated to
implementing data-driven auditing techniques
throughout every stage of our audit lifecycle.”

5
KPMG IT Audit practice survey of approximately 100 IT
audit and compliance professionals attending a national
conference in 2018

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 Envisioning next-generation
internal audit functions
Financial services industry disruption—and the resulting
competitive pressures—are forcing internal audit
departments to transform how they work and where they
focus. What will spell success in three to five years’ time?
Read our predictions.

Speed and flexibility will reign supreme Internal audit will put new technology to work
Consider how the activities involved in doing a social media The digitization of financial services is driving a similar
audit have grown in just two years’ time at TD Ameritrade. digitization of internal audit itself. For internal audit leaders,
it’s not just about evaluating risk management and controls
“As social media has become much more integral and
processes that now involve more technology. It’s about
prevalent in our organization, it has raised the level of risk
embracing many of those same technologies to enable
and changed the regulations that impact us,” says Tripp.
better, smarter audits. In a recent KPMG International
“We’ve had to quickly evolve our audit approach to be
survey, bank CEOs told us they were investing in a range of
effective in these new areas.”
technologies, led by analytics and automation.2
Change is relentless in financial services organizations,
“At TD Ameritrade, we’re very focused on innovation,”
with technology change the most forceful of all. But as the
says Tripp. “We’re trying to make a quantum leap in our
business evolves, the audit committee and c-suite leaders
capabilities to assess the businesses, and that leap will
need to know the control environment continues to be well
be driven in large part by how we, as auditors, leverage
managed.
emerging technologies.”
To stay current, internal audit must continually advance
Over the next three to five years, internal audit leaders
the audit approach. Successful internal audit functions
will also look to hire more tech-savvy audit professionals.
of the future will be agile—able to change their approach
As technology, data and automation play an ever-greater
and focus quickly—on a timely basis—in line with current
role in the daily work of the internal audit function, people
business needs. In fact, the annual audit plan may become
must become more comfortable using (or working
a thing of the past.
alongside) modern technologies, such as data and analytics
At TD Ameritrade, the internal audit group views the annual (D&A) and artificial intelligence.
audit plan as a living document. “We continually evaluate
and modify our audit plan throughout the year based on
changes in the business and risk environment, subject to
audit committee approval,” says Tripp.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Internal audit in financial services reimagined 7
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
Automation will increase audit efficiency, effectiveness process improvements and control effectiveness.
Already positively impacting all kinds of financial services They derive insights from vast volumes of information,
operations, intelligent automation is one technology drawn from across the enterprise and external sources
that will prove critical to improving the efficiency and too, at super-fast speeds—far faster than a single person
effectiveness of internal audit—especially in the area of or even a team of people could. In this way, embedding
control performance. D&A technologies into audit procedures will help internal
audit provide better overall coverage. They’ll reduce
Control activities,
Related reading how much auditors rely on supposition and judgement
including monitoring
drawn from limited samples of data in their evaluations,
Internal audit plays a critical and testing, are
thereby increasing audit accuracy.
role in achieving intelligent typically a significant
automation goals and managing operational expense Conceptually, internal auditors could one day gain the ability
associated risks. KPMG’s four- for financial services to audit 100 percent of what is happening.
part insight series explores key organizations. But
The internal audit function at American Express is in the
opportunities for internal audit now it’s possible
midst of a digital transformation program called Audit
within intelligent automation to automate these
NextGen which aims to make internal audit as agile and
activities. Access the series once manual,
effective as possible through the use of data analytics and
at https://advisory.kpmg.us/ labor-intensive
audit process automation. A core component of this is
articles/2018/series-internal- processes with
the team’s Data-Driven Auditing (DDA) program. The DDA
audit-intelligent-automation.html. “bots” and other
program aims to combine data analytics and automation
forms of intelligent
tools to develop software scripts to instantly review millions
automation.
of transaction records across disparate company source
By supplementing team activities with intelligent automation, systems. Its purpose is to drive greater control assurance,
internal auditors can save time, money and improve bottom- broader coverage, and earlier issue identification.
line results.6
“While many of our audits have relied on some level of
“Automating testing to minimize manual labor will free up analytics over the past 5 years, in 2018 our team developed
auditors to be more insightful, devoting more time and a new data-driven threshold methodology to formalize using
energy to areas that demand higher thinking, like analytical Analytic Control Tests (ACTs) with calculated thresholds to
assessments,” says TD Ameritrade’s Tripp. drive quantifiable and consistent control conclusions,” says
American Express’ Ramos. “We successfully piloted two
“With our data driven auditing platform, we are applying
data-driven audits using this approach in 2018 and look to
statistical techniques to drive outcome based control
have a majority of our audit plan covered this way over the
effectiveness conclusions and trigger real-time audit work-
next 3 to 5 years.”
flows, that connect directly into our audit database, to improve
the effectiveness and efficiency of our audit processes,” says “Data analytics are transforming our traditional work
American Express’ Ramos. “These analytical dashboards and practices in internal audit,” Ramos adds. “We used to
work-flows will allow our auditors to analyze and discuss the randomly sample a subset of 40 to 60 accounts depending
results with functional leaders, and hone in on outliers.” on the population or control frequency. Now we can test
for exceptions and anomalies across millions of records in
D&A will advance how financial services organizations
one shot, through back-end testing that doesn’t interrupt
assess risk
our clients or disrupt operations. By leveraging a common
D&A is poised to become an exceptionally powerful tool
platform across all three lines of defense, DDA is helping
for the internal audit function. The majority of bank CEOs
to effectively and independently monitor and control risk.
(81 percent) plan to increase investment into D&A over
The launch has required partnerships across internal audit,
the next three years, according to a KPMG International
risk, and technologies functions at American Express,
survey.2
and demonstrates the alignment and collaboration across
D&A tools allow internal audit to provide data-driven groups.”
insights to assist management decision making on

6
KPMG survey on the impact of intelligent automation on business and operating models (KPMG LLP, 2018)

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
At TD Ameritrade, 90 percent of audits now rely on D&A
and Tripp expects the depth of the team’s analytical
capabilities to increase over time.
“With D&A, we can look at more controls, more
transactions, and more processes with the same or fewer
resources,” says Tripp.
D&A tools also improve internal audit’s ability to quantify
results to management. Dashboards and visualizations
bring key findings to the forefront in a way that’s quick and
easy to explain, explore, drill down, and ultimately act on.
By compiling a single view of data and insights from across
the audit universe, internal audit will significantly increase
reporting value.
Finally, capabilities in predictive analytics support and
enhance continuous, real-time auditing. With predictive
analytics, internal audit will be able to assess and manage
risks outside of the normal, cyclical audit cycle. Rather,
internal audit (in collaboration with other risk management
and compliance groups) will be able to pinpoint anomalies
in the data that may point to potential problems down the
road—and may even prevent them. These insights will help
auditors identify the highest risk areas and improve audit
focus. As a result, audit planning can become far more
dynamic, relevant, and effective.
TD Ameritrade’s internal audit group is currently working
to gather larger, broader data sets from management,
business units, and external sources, such as news outlets
and competitive assessments, to stay abreast of business
changes and adjust audit focus on a timelier basis.
“With predictive analytics, we can deploy our resources
more flexibly and effectively. We can audit the most
critical areas where we spot possible risks on the horizon,”
says Tripp.
Internal auditors will take on more strategic roles
Today, checklist-like testing of processes and controls are
too simplistic for the complexities of the current business
environment. Increasingly, most financial services internal
audit functions are raising the bar, seeking to deliver
independent insights and analysis beyond the audit report.
As such, internal auditors will increase their knowledge
of the business processes they are evaluating so they
can help functions address deficiencies as well as make
more strategic recommendations for improving how the
organization manages risk. Mastering the ins and outs of
the technicalities of internal audit will still be crucial, but
practical business knowledge and experience is where
internal audit can add real value.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The future of internal audit in financial services 9
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
“The cornerstone of an effective internal audit Quality of the audit work will still matter most
department is strong and open communication, as well In the increasingly complex risk environment in which
as good, old-fashioned relationships across the three financial services companies operate, management will
lines of defense to successfully mitigate risk. Nothing look to internal audit for assurance that things are working
will replace that,” says Ramos of American Express. as intended—taking an increased role in independent
testing on behalf of the second line of defense.
Ramos has worked to evolve the role of internal audit at
That requires a big picture view of what the risks are
American Express and ensure that he and his senior team
(today and tomorrow) and how they are being managed.
have seats at the table to participate in strategic business
Piecing together individual audit findings won’t provide the
and risk management discussions. At American Express, the
holistic view management needs in order to act.
internal audit function reports directly to the Audit and Risk
Committees of the Board of Directors, and administratively As such, internal audit groups will change how they
to the CEO and Chairman. Members of the team are also measure the effectiveness of the function. Increasing
included in committee meetings on disclosures, operations, coverage and efficiency is great. But traditional success
enterprise risk management, fraud, compliance and more. As metrics—the number of audits completed or the number
a result, internal audit leaders are present at the table, and are of issues identified—will largely lose their meaning when
proactive in their recommendations, which ultimately leads to inevitable changes in the business push audits not included
more thoughtful risk management decisions being made by in the audit plan to the top of the priority list.
management.
“If we double the number of audits we do but the quality
Not all internal audit departments can rely on such high of our work suffers, there’s no value in that,” says TD
stature. To move into a more strategic advisory role to Ameritrade’s Tripp. “At the same time, if we issue an audit
management, some departments may adapt the profile report that’s “clean,” with no findings or issues, it doesn’t
of the typical candidate they hire into internal audit. mean it’s not valuable.”
Some may introduce innovative training programs such as
Providing the business with a holistic view that controls
cross-skilling and knowledge transfer between different
are working and risks are being managed effectively comes
business functions. Others may look to eliminate duplicate
down to audit quality—the quality of audit work that
work and automate manual and routine tasks so auditors
produces the end result, not the end result itself. And more
are freed up for higher-level thinking.
often than not, that comes down to people.
For example, Tripp envisions a future at TD Ameritrade
“Automated processes or not, people will always remain critical
in which testing is largely automated and business
to executing our duties as internal auditors,” says Ramos of
and IT auditing are more closely integrated to reduce
American Express. “At the end of the day, a machine isn’t
redundant controls. Then, auditors would be able to spend
enough to truly understand a business. There’s always going to
more time doing deeper analytical assessments using
be a human element in the way we operate.”
advanced technologies.
To evaluate audit quality, TD Ameritrade relies on a
“We’re working to train our internal audit teams to use
feedback program in which the department conducts
analytics and artificial intelligence to connect the dots of
one-on-one interviews with business managers who
different data points to see problems emerging and draw a
went through an audit. The interviewer asks questions
more complete picture of enterprise risk,” says Tripp.
like, “What value did you get from the audit?” “Were the
The internal audit department at American Express has auditors knowledgeable?” and “Did the process work
had success recruiting, hiring, training and retaining people for you?”
to drive its data analytics initiative forward. The internal
Similarly, at American Express, the internal audit function
audit function has relentlessly pursued critical skill-sets,
has a post-audit client survey program which incorporates
and has even hired a few PhDs who possess strong
both anonymous and direct feedback from stakeholders.
math and technology skills to go along with business
Ramos also regularly seeks and expects stakeholder
and audit know-how. The company also has a continuous
feedback—from senior executives, business partners
in-house data analytics training program and sponsors
and the regulatory community—to serve as a guide for
employee attendance at industry conferences to pick up
improving the audit function.
best practices in the field, as well as employee pursuits of
technical certifications.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Internal audit in financial services reimagined 11
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 How to get started with
internal audit transformation
We’ve provided financial services organizations’ internal
audit departments with a vision of the future in three to five
years’ time. But how do they make it real? What specific
actions should they take today to get ahead of the massive
disruption already impacting the industry? Facing a vastly
changed future, how do they prepare themselves to be
effective risk analysts and advisors tomorrow?

We offer some tips for success, based on our breadth  hange the hiring profile: Technology skills,
C
of work transforming internal audit functions in financial
services organizations and many other industries.
 stablish a strategic vision for internal audit:
E
3 especially data analytics, will become critical to
future audit work. Internal audit professionals must
also have deep business know-how: they must
understand the ins and outs of individual business

1 Businesses constantly evolve and change and their

strategy and objectives shift with it. To provide real-
time value to the organization, internal audit must
processes and how each ties back to the big picture
from a risk perspective in order to tackle risks
broadly across the business. These are the skill sets
align its activities with the organization’s vision. Get
hiring managers should look for to fill roles in the
started by creating a vision for the function that
next-generation internal audit function.
meshes with the organization’s vision.
 aise internal audit’s stature: As internal
R
4  lign data needs to internal audit’s assurance
A

2
objectives: As internal audit groups embed
audit becomes an increasingly critical player
intelligent automation and data analytics into their
in organizational governance, focus, attention,
operating models, audits may run continuously and
and expectations on the function will continue
coverage may be complete. This is a positive change,
to increase. For internal audit to meet its new
but there are challenges. The volume of data needed
responsibilities, it will need a seat at the table.
for testing and analysis within the data-driven audit
By demonstrating a deep understanding of
function can become overwhelming. Develop a plan
organizational needs and delivering greater value
for obtaining and managing the source data that
with deeper, more relevant and more timely audits,
drives the audit plan forward but remain flexible
it’s likely to get it.
enough to shift data management strategy as the
business—and the audit plan—evolve.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 What’s next for internal audit?

Now Future

Internal audit prioritizes future-focused

Cyclical and regulatory compliance
emerging risk reviews and higher impact
audits take priority; SOX often demands
operational reviews that drive value to
disproportionate attention and time
the business

Audit plan is responsive to disruption

Annual audit plan quickly becomes
and flexes to meet shifting
irrelevant as the business changes
strategic demands

Majority of audit work is enabled

Audit work is primarily manual via data, analytics and automation,
then transitioned to management

Audits are based on small,

100 percent audit coverage
random samples

The internal audit team possesses a mix

Most internal audit professionals have
of business, audit, technology and data
audit expertise only
analytics skills

Audit frequency is quarterly at best Continuous, real-time auditing is a reality

Internal audit is often left out of Internal audit is included in high-level

strategic discussions conversations with the board and C-suite

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The future of internal audit in financial services 13
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
 How KPMG can help
KPMG’s highly experienced and industry-focused internal
audit professionals drive meaningful insights to our clients
leveraging business and data analysis. With deep technical
skills, regulatory knowledge and business acumen, and
empowered by technology that employs intelligent
automation, we help our clients innovate solutions to achieve
their strategic objectives while effectively assessing and
managing business risk.
Achieving effective internal audit capabilities requires a significant level of investment in skilled resources, methods,
training, and technical infrastructure. With organizations being driven to do more with less, the internal audit
function has become a prime candidate for strategic sourcing. Our Strategic Sourcing service offering is designed
to assist organizations seeking to improve internal audit quality and oversight, increase value while optimizing
costs, enhance risk and controls management, and focus on core competencies.

Internal Audit Outsourcing Services: IT Internal Audit and Compliance

We advise companies on critical business Services: As IT becomes more complex,
risks, implementation of effective we help organizations transform their IT
controls and compliance processes, audit and compliance capabilities so they
identifying better practices, reducing can understand, prioritize and manage their
the cost of operations, and realizing IT risks and drive value into the business.
profit improvement opportunities. KPMG Leveraging industry leading technology and
leverages progressive and innovative innovative approaches to service delivery,
approaches to deliver cost efficient we serve organizations in all aspects of IT
assurance and tangible business audit and compliance monitoring, testing,
improvement results, such as Dynamic control and responsibilities. Clients turn to
Risk Assessment, industry-specific us for specialized knowledge and assistance
audit offerings, automation governance in enhancing their IT audit capabilities,
approaches and enablers, and data-driven creating a more robust IT compliance
auditing. function, and designing and executing their
SOX program.
Internal Audit Cosourcing Services:
Cosourcing can provide the opportunity
to tap into specific skill sets, industry
knowledge, and global resources on an
“as‑needed” basis. We can provide the
specific skills needed on demand—achieving
a level of flexibility that can be critical
in effectively dealing with a range of
operational issues.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The future of internal audit in financial services 15
The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDPPS 824515
Contact us
John-Paul Font
Advisory Principal
Internal Audit & Enterprise Risk
KPMG LLP
T: 214-840-6077
E: jpfont@kpmg.com

Nicole Lauer
Advisory Principal
IT Risk Consulting
KPMG LLP
T: 410-949-8949
E: nlauer@kpmg.com

Kreg Weigand
Advisory Partner
Internal Audit & Enterprise Risk
KPMG LLP
T: 612-305-5436
E: kweigand@kpmg.com

Mark Wuchte
Advisory Managing Director
Internal Audit & Enterprise Risk
KPMG LLP
T: 415-963-8442
E: mwuchte@kpmg.com

Some or all of the services described herein may not be

permissible for KPMG audit clients and their affiliates.

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a
thorough examination of the particular situation.

© 2019 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated
with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered
trademarks or trademarks of KPMG International. NDPPS 824515