Skip to main content
Image coming soon

Internal Audit Root-Cause Methodology for Global Banks

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

Internal Audit Root-Cause Methodology for Global Banks

Build findings that close sustainably and satisfy multi-regulator examiners in a single workpaper set.

The audit committee presentation shows a Repeat Observation next to a finding from eighteen months ago. The finding was well-written. The management action plan was approved. The issue came back because the root cause was never documented precisely enough to force a structural fix, only a visible one.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Internal audit at a global financial institution runs on evidence and opinion. The evidence standard required by the ECB SSM differs from what the FCA asks for, and a Federal Reserve examination team has its own documentary preferences. A finding that satisfies one regulatory perimeter may not be structured the way a different supervisor expects workpapers to be laid out. Repeat observations accumulate not because auditors miss issues, but because the finding architecture and root-cause documentation leave enough ambiguity that management can address the letter of the finding without fixing the mechanism. The IIA Global Internal Audit Standards introduced new conformance language requirements that most audit functions are still translating into policy. DORA added an entirely new audit programme requirement for ICT operational resilience. Model risk audit is expected at a level of technical depth that requires skills beyond traditional financial controls testing. Each of these can be addressed through methodology, not through more resources.

What you walk away with

  • Write findings with root-cause analysis that management action plans address at the mechanism level, not the symptom level.
  • Build workpaper evidence packs that satisfy ECB, FCA, and Federal Reserve examination requirements without re-documentation for each supervisory engagement.
  • Implement the IIA Global Internal Audit Standards into your audit charter and quality assurance programme with the specific language each standard requires.
  • Conduct a DORA operational resilience audit across the five regulatory pillars with the evidence documentation each pillar requires.
  • Validate management action plan closure with a documented re-testing standard that holds under examiner review and eliminates repeat observations.

The 12 modules

Module 1. Root Cause vs. Symptom: The Distinction That Determines Repeat Observations
Most findings that return as repeat observations were closed on paper. The root cause was never documented in a way that forced management to address the mechanism rather than the visible gap. This module teaches the five-why root cause technique adapted for banking control failures, with worked examples from credit risk, operational risk, and compliance audit contexts. Output: a root-cause documentation template your team uses on every finding going forward.
Module 2. Finding Architecture: The Five Elements That Get Signed Off First Time
A well-structured finding has five elements: condition, criteria, cause, consequence, and recommendation. Each does specific work, and when any one is thin, the finding either gets pushed back in review or closed with the wrong management action. This module walks through each element with before-and-after examples from global banking audit reports, covering what ECB and FCA quality reviewers look for when they assess the internal audit function's work product.
Module 3. Cross-Regulator Evidence Standards: One Workpaper Set for Three Supervisors
ECB SSM examiners, FCA supervisors, and Federal Reserve examiners each have a different evidence vocabulary. The workpaper that satisfies one does not automatically satisfy the others. This module builds a cross-regulator evidence standards map, showing which artefact types carry weight with which supervisor, so a single workpaper set supports multi-jurisdiction examination without re-documentation for each regulatory engagement.
Module 4. Risk-Based Audit Planning Across Business Lines at a Multinational Bank
Risk-based audit planning at a multinational bank means calibrating coverage to where the regulator-significant risk actually sits, not where the audit universe was last assessed. This module covers the annual risk assessment methodology, scoring business lines across inherent risk and control environment quality, and producing an audit plan that the audit committee and the supervisor can both trace back to a defensible risk basis without reopening the scoring model every quarter.
Module 5. Audit Universe Management: Keeping Coverage Current Across a Global Footprint
An audit universe across dozens of countries and multiple business lines goes stale fast as new products, legal entities, and outsourcing arrangements are added. This module covers the governance process for keeping the audit universe current, including the intake process for material new activities, the linkage between the Three Lines model and universe scope, and the evidence an examiner needs to conclude that coverage is both appropriate and complete.
Module 6. Management Action Plan Closure: What Closed Actually Means to the Examiner
Not all closed statuses carry the same weight. An action closed in the tracking system but not independently validated by audit is a vulnerability in the next examination. This module establishes the internal audit validation standard for management action plan closure, covering what evidence the audit team should independently obtain, the difference between design-effectiveness and operating-effectiveness closure, and how to document the validation in a way that holds under regulatory review.
Module 7. IIA Global Internal Audit Standards: What Your Audit Charter Needs to Say Now
The IIA's updated Global Internal Audit Standards introduced changes to the mandate, independence, and quality assurance requirements for internal audit functions. This module translates the key changes into concrete policy updates, covering the mandatory elements of the audit charter, the quality assurance and improvement programme requirements, and the conformance reporting language the audit committee needs to receive at least annually to satisfy the standard's disclosure requirement.
Module 8. IT and Model Risk Audit: Testing Controls in a Quant-Heavy Banking Environment
Testing controls in an environment with quantitative models, algorithmic trading systems, and model validation frameworks requires different audit skills than traditional financial controls testing. This module covers the model risk audit methodology from model inventory completeness to validation independence testing, and the IT general controls audit adapted for complex core banking and trading infrastructure, with evidence templates for each testing procedure and coverage decision.
Module 9. DORA Operational Resilience Audit: Building the Programme Across All Five Pillars
The Digital Operational Resilience Act requires financial institutions to test ICT resilience, manage third-party ICT risk, and report major incidents to competent authorities. This module builds the DORA audit programme covering the five pillars: ICT risk management, incident classification, resilience testing, third-party oversight, and information sharing. Includes the evidence the regulator expects in each pillar and the audit opinion language that accurately reflects the institution's compliance status.
Module 10. Data Quality and Regulatory Reporting Audit: BCBS 239 and the RDARR Framework
BCBS 239 sets the international standard for risk data aggregation and reporting accuracy. An audit of regulatory reporting quality tests both the data lineage from source system to regulatory return and the governance framework covering data owners, quality controls, and accuracy attestation. This module covers the BCBS 239 audit methodology, data mapping documentation requirements, exception population sampling, and the findings that appear most frequently in supervisory data quality examinations at global banks.
Module 11. Audit Committee Communication: The Three-Section Format That Clears in One Reading
The audit committee briefing that gets read in full has three sections: what changed in the risk landscape since last quarter, what the audit work found and what management committed to address, and what the audit function assesses as residual risk. Anything longer invites questions that should have been answered in the document. This module builds the three-section format with worked examples, rating criteria, and the conventions that senior audit committees at large financial institutions forward upward.
Module 12. Continuous Monitoring and Audit Analytics: Moving Beyond Annual Coverage
Moving from annual point-in-time coverage to continuous monitoring changes both what the audit team produces and how the Three Lines model interacts day to day. This module covers the technology-enabled continuous monitoring toolkit, from data analytics scripts that flag anomalous transactions for audit review to the dashboard format that gives the Chief Audit Executive a real-time view of control health, plus governance for feeding continuous monitoring findings into the formal audit cycle without double-counting.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Preparing for an ECB SSM quality inspection that will review prior audit findings for root-cause depth and management action plan closure evidence.
Designing the internal audit programme component of the institution's DORA compliance implementation, covering all five regulatory pillars.
Updating the audit charter and quality assurance improvement programme to reflect conformance with the updated IIA Global Internal Audit Standards.
Rebuilding the management action plan validation process after repeat observations appeared in consecutive audit committee reports and drew supervisory comment.

What you get with this course

  • Twelve written modules with downloadable templates for each key artefact: root-cause documentation, cross-regulator evidence matrix, DORA audit programme, IIA conformance checklist, and MAP closure validation standard.
  • Worked examples drawn from global banking audit scenarios across credit risk, operational risk, technology controls, and regulatory reporting.
  • The hand-built implementation playbook covering your specific regulatory perimeter, business line mix, and IIA conformance gaps.
  • Access to the Art of Service learning environment provisioned within 24 hours of purchase.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

Findings with solid condition and criteria documentation but thin root-cause analysis, leading to management action plans that close the visible control gap while the mechanism persists. Repeat observations at the next audit cycle. Workpaper evidence sets that need partial re-work before each supervisory examination.

After

Every finding carries a root-cause statement specific enough that the action plan either fixes the mechanism or explicitly accepts residual risk. A cross-regulator evidence standard that travels from ECB to FCA to Federal Reserve without re-documentation. DORA and IIA conformance documented and available for examination.

What happens if you do not address this

Repeat observations in the audit committee report carry professional consequences for the audit function beyond the individual finding. Supervisory examiners who see repeat findings draw conclusions about audit quality and independence, not just management responsiveness. The audit function's credibility with the board, with the regulator, and with management rests on findings that identify genuine root causes and stay closed.

Who it is for

An internal auditor at a large global financial institution, working across business lines or in a specialist function covering credit, market risk, technology, or compliance. Two to ten years into the role, responsible for producing audit findings, managing workpaper evidence, preparing sections of the audit committee report, and following up on management action plan closure. Operating under the IIA Standards, with regulatory examination readiness as a constant background concern.

Who this is NOT for. Not designed for audit committee members or Chief Audit Executives who are not personally writing workpapers. Not for external auditors whose evidence and reporting standards differ from internal audit practice. Also not the right course for risk and compliance professionals in the first or second line who are not formally part of the internal audit function.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Each module is designed for 45 to 60 minutes of focused reading and template work. The full course runs 9 to 12 hours total, self-paced with no fixed session times.

Why $199 is the right number

The IIA's professional development catalogue covers the standards but does not address multi-regulator evidence standards or the DORA audit methodology. Internal bank training programmes focus on the institution's own procedures rather than portable methodology. This course builds the methodology layer that sits underneath institution-specific procedures, making the skills transferable across regulatory perimeters, examinations, and roles.

FAQ

Is this relevant for a specialist audit area such as technology, model risk, or credit rather than general audit?
Yes. The methodology modules apply across all audit specialisms. Modules 8, 9, and 10 specifically address technology and model risk audit, DORA, and data quality audit with artefacts and testing procedures specific to each area.
Does the course address the updated IIA Global Internal Audit Standards?
Module 7 covers what changed and what your audit charter and quality assurance programme need to say to reflect conformance. Includes the specific disclosure language for the audit committee report.
How much of the content is specific to the EU regulatory environment versus a global approach?
Module 3 explicitly maps ECB SSM, FCA, and US Federal Reserve evidence requirements side by side. The rest of the methodology applies across regulatory jurisdictions and is not EU-specific.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!