The Wake-Up Call from Silicon Valley Bank: Reinforcing Risk Assessment in Internal Audit
By Michael McShea, CIA, CRMA, CFSA, Director, Advisory Services
The unexpected collapse of Silicon Valley Bank (SVB) in early 2023 (though some would argue it should not have been as big a shock as it was) threw some shade on the effectiveness of internal audit, highlighting the critical importance of robust internal audit functions and comprehensive risk assessments within financial institutions.
Internal audit plays a critical role in helping organizations navigate the complexities of risk and ensuring that an organization’s risk management, governance, and internal control processes operate effectively. At the heart of internal audit is the risk assessment process, the foundation for planning and executing audits that provide meaningful insights and value to the organization.
Risk assessments are integral to the internal audit process, as they help to identify and prioritize the risks that could adversely affect an organization’s ability to achieve its objectives. In the context of SVB, the rapid rise in interest rates and the corresponding impact on bond portfolios were risks that materialized swiftly. A proactive risk assessment should have flagged the sensitivity of the bank’s balance sheet to such changes in the rate environment and prompted internal auditors to scrutinize the effectiveness of the bank’s interest rate risk management strategies.
The FDIC’s comments on SVB’s failure focused on board effectiveness, the bank’s inadequate risk management practices, and the need for a stronger regulatory framework to ensure the safety and soundness of financial institutions. The FDIC pointed out that banks must have robust internal audit functions that can effectively challenge management’s risk-taking and ensure that risk management practices evolve with the changing financial landscape. These points aren’t new; however, they called attention to the level of comfort many organizations and departments had with the status quo.
A critical aspect of the risk assessment process is communication. Internal auditors must engage with stakeholders across the organization, including senior management and the board, to understand their perspectives on risk and ensure that the audit plan aligns with the organization’s strategic priorities. This collaboration ensures that the internal audit function is not operating in a silo but is integrated into the broader governance framework of the organization.
The output of the risk assessment process is an audit plan that lays out the audits to be conducted over a given period. This plan should be flexible enough to accommodate emerging risks that may arise unexpectedly. By being adaptable, an internal audit can ensure that it remains responsive to the organization’s needs in a rapidly changing environment.
This was further exemplified by the failure of Signature Bank in March 2023 and Government regulators seizing and selling off First Republic Bank in May, 2023. These three banks had approximately over $500 billion in combined assets. How many are at risk in 2024?