2025.06 The Taiwan Banker NO.186 / By David Stinson
Banker's Digest

Internal audit becomes increasingly relevant with each technological shift
In April 2024, an employee at Citigroup apparently entered a value into the wrong field and sent $81 trillion to a customer, instead of $280. Fortunately, a transfer that large could never have been executed, since that much money simply does not exist in the world. Nevertheless, the order was originally placed, and was reversed only after the transaction had been approved by two employees who failed to notice its size. The incident illustrates the importance of the internal audit function in ensuring smooth business operations.

Technology interacts with risk in a broad variety of ways, creating a risk landscape that is bound to become broader and more complex over time, forcing new practices in response. ‘Fat finger’ mistakes have been possible ever since the advent of automated transaction processing, but each subsequent technological shift also creates emerging categories of risk.

Consider the presence of an adversarial actor. The vast majority of practical cyberattacks use some combination of social engineering and out-of-date software. In the news, we might hear about zero-day, zero-click vulnerabilities exploited by state-backed actors, but real protection work mostly involves regular system patching and prevention of phishing. This responsibility does not fall solely upon the IT department.

The hottest topic over the past couple of years has been AI. Suppose an auditor wanted a detailed summary of a foreign regulation and its implications for their business: now, in 2025, an LLM would be a perfectly good way to quickly analyze large amounts of possibly relevant natural language information. Even if you decide to spend extra hours manually going through a document without knowing what you are looking for, that does not mean your competitor will do the same. In addition to their benefits, LLMs clearly also pose a variety of risks for organizations.
Any information entered into them can be used for training if the model is not locally hosted, and they are not reliable substitutes for human judgment on business decisions. Worst of all, they do their best to conceal their ignorance, making it impossible to know definitively when they have succeeded in responding to the prompt. Even if they could be banned from work devices, meanwhile, employees are still likely to have access to ChatGPT or similar models, creating further risks from workaround solutions.

It may be best to think of AI as a tool to suggest appropriate questions to ask, said Terry Grafenstine, Chair of the Institute of Internal Auditors, during a recent trip to Taipei. The answers to those questions can then be obtained through definitive evidence or human judgment. “If we can train our auditors that it's a tool among many, I think that it can really help to save time, but we need to make sure that they understand that it's not a magic box” which reliably produces the correct outputs. Banning it outright “would be as if, 10 years ago, we were to say don’t use Google” – not only likely to fail, but also leaving employees behind the technological curve.

In the past, it may have been possible to think about many aspects of internal audit in isolation, according to Grafenstine. “People thought that if they’re business auditors, or if they were looking at a particular financial product like a mortgage, or they’re looking at credit cards, they thought that they could just look at the business process for borrowers in a given sector” without considering the full stack upon which their applications were built. With every technological iteration, however, it is becoming increasingly important to understand organizational processes from a holistic perspective to gain a comprehensive understanding of possible failure modes.
From the IT perspective, when designing a transaction system for instance, a number might simply be considered as a data format, but the exact number of digits can make a critical difference from the business side. “Having worked in a really large bank myself, you could end up having a business auditor saying, everything looks okay, all the controls look fine. And then the IT auditor is looking at the application controls over separately, not understanding it from a business context.” “An awareness that every technology sits on a tech platform is really important.”

To better prepare for the demands of a changing world, and for the geographic diversity of companies with international operations, IIA recently revised its International Professional Practices Framework (IPPF), which helps ensure that auditors around the world follow the same principles. The 2024 version adds topical requirements to the original global internal audit standards, and the first one to be released is cybersecurity. The newer standard provides much more detailed guidance on governance, risk management, and control processes than the older advice, which focused on piecemeal solutions. “The IPPF sets the standards that regardless of which internal audit function you go to around the world, especially in a highly regulated area, that you can expect to get the same level of quality because we have things like a required external quality assurance review.” Future topical requirements will include third-party risk, organizational behavior, and organizational resilience.

Besides these mandatory topics under the IPPF, IIA is also thinking about other future-oriented changes with particular relevance to the financial industry. One is digital assets – which involve a plethora of new complicating factors, such as encryption security, liquidity, and distinguishing between fiduciary safeguards and automated mechanisms like smart contracts.
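The gap between an application control ("is this a well-formed number?") and a business control ("does this amount make sense for this account?") is what let the $81 trillion order reach two approvers. The following is an added illustration, not code from the article or from any bank: a payment validator that layers a business-context check on top of the format check, and surfaces its reasons to the reviewers rather than returning a bare approve/reject. The global ceiling, the per-account limit, the 100x anomaly factor, and the payment history are all hypothetical values constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from statistics import median
from typing import List, Optional

# Hypothetical thresholds (not from the article). A single payment above
# GLOBAL_CEILING is rejected outright; one above ANOMALY_FACTOR times the
# account's typical payment is accepted only with an explicit review flag.
GLOBAL_CEILING = Decimal("1000000000")   # 1 billion, illustrative
ANOMALY_FACTOR = 100


@dataclass
class Decision:
    accepted: bool
    requires_review: bool
    reasons: List[str] = field(default_factory=list)


def format_check(raw: str) -> Optional[Decimal]:
    """Application control: the field holds a positive amount with at most two decimals.

    This is the check an IT auditor sees pass: "81000000000000" is a perfectly
    valid number, so a format check alone says nothing about whether it is sane.
    """
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return None
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return None
    return amount


def validate_transfer(raw_amount: str, account_limit: Decimal,
                      history: List[Decimal]) -> Decision:
    """Business control layered on the format check.

    Hard limits (global ceiling, per-account limit) reject the order before any
    human sees it. A soft limit (the amount is far outside the account's own
    history) lets the order through but attaches the reason, so the approvers
    are told what to look at instead of just being asked to click "approve".
    """
    amount = format_check(raw_amount)
    if amount is None:
        return Decision(accepted=False, requires_review=False,
                        reasons=["malformed amount"])

    reasons = []
    if amount > GLOBAL_CEILING:
        reasons.append(f"exceeds global ceiling of {GLOBAL_CEILING}")
    if amount > account_limit:
        reasons.append(f"exceeds account limit of {account_limit}")
    if reasons:
        return Decision(accepted=False, requires_review=False, reasons=reasons)

    if history:
        typical = median(history)
        if amount > typical * ANOMALY_FACTOR:
            ratio = amount / typical
            reasons.append(
                f"amount is about {ratio:.0f}x the account's typical payment of {typical}")
    return Decision(accepted=True, requires_review=bool(reasons), reasons=reasons)


# Constructed sample data: an account that normally pays a few hundred dollars.
SAMPLE_LIMIT = Decimal("50000")
SAMPLE_HISTORY = [Decimal("280"), Decimal("300"), Decimal("250"), Decimal("275")]

if __name__ == "__main__":
    for raw in ("280", "28000", "81000000000000", "280.005"):
        d = validate_transfer(raw, SAMPLE_LIMIT, SAMPLE_HISTORY)
        print(f"{raw:>16}: accepted={d.accepted} review={d.requires_review} {d.reasons}")
```

The point of returning `reasons` rather than a boolean is that the dual-approval step in the Citigroup story only works if the approvers are shown the business context; a control that silently passes a valid-looking number to two people who see the same bare field does not add a second line of defence.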
Grafenstine pointed to the crash of the FTX exchange as “one of the largest governance failures ever.” “If there had been an internal audit function requirement to have some internal person looking at that, who's objective, who's independent, could have called out big warning signs that the digital assets were not being reported accurately – wouldn't that have saved everybody a lot of pain?”

It is not just about technological changes, however; regulatory and market evolution can also produce similar challenges. Another of the most significant changes in the business environment in recent years is the increasing importance of corporate responsibility and green finance. Companies may approach these topics in different ways, depending significantly upon their regulatory regime, explained Grafenstine. Although a laissez-faire approach might at first appear more friendly, a lack of standard definitions only makes the job of internal audit harder in the end. In that case, it is most important to ensure that any statements released to the public are accurate, in a sense letting a company define its own standards and then enforcing them.

Ultimately, the role of internal audit is to prevent risk – a function which should be clear enough to regulators, but might require justification to some boards and executive teams. To stay relevant, audit departments must aspire to drive value in the face of these changes, rather than only responding. This means keeping a keen eye on the big, strategic items, avoiding the “old stereotype” of just counting the little things.