Payment Institutions × Internal Audit — International / Multilateral · published 2026-05-28 · methodology v2.1

AI Hallucinations Affecting Internal Audit at Payment Institutions Firms in International Jurisdictions

Findings — impact summary

This is the consolidated view of findings.

  1. Finding 1. Operational detail in the 2016 CPMI-IOSCO Cyber Resilience Guidance (RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019)

    An Internal Audit team that accepts the AI's characterisation of the 2016 guidance as providing 'detailed expectations' for incident response and recovery — including specific recovery time objectives and communication protocols — may scope audit fieldwork against criteria that the 2016 document does not actually contain, while failing to identify that the more operationally specific FSB 2020 guidance exists and applies. Audit findings and management letters produced on this basis may misstate the applicable standard, creating regulatory exposure when supervisors or external reviewers assess the quality of the firm's Internal Audit function. Remediation of a misfounded audit program — including re-scoping, re-execution, and re-reporting — carries significant cost in staff time and potential reputational harm with the board and regulators.

  2. Finding 2. Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance (RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022)

    An Internal Audit team that relies on AI tools to confirm the currency of the CPMI-IOSCO Cyber Resilience Guidance risks conducting and reporting an audit cycle against a standard that is under active revision, without flagging to the board or audit committee that the underlying international framework is changing. If the firm's cyber resilience framework or internal audit criteria are not updated to reflect the consultative revision process, the firm may be behind the regulatory curve when the updated guidance is finalised — a position that supervisors may treat as a control failure. The cost to the firm includes both the direct remediation expense of updating audit programs and frameworks mid-cycle, and the reputational cost of having to explain to a regulator why the Internal Audit function was not tracking a publicly announced revision to a foundational international standard.
