Internal Audit Reliance in Banking: A Strategic Decision, Not a Shortcut

Internal Audit Reliance in Banking: A Strategic Decision, Not a Shortcut

Internal Audit Reliance in Banking: A Strategic Decision, Not a Shortcut 1920 800 ECIIA

Internal control functions in banks are becoming more specialised, more interconnected and increasingly supported by data, automation and technology. In this context, Internal Audit functions are facing an important strategic question: when, and under which conditions, can they rely on the work of other assurance providers?

The ECIIA Banking Committee’s new paper, “Internal Audit Reliance Strategy in the Banking Industry”, explores this question from the perspective of Internal Audit in European banking. It provides a practical reflection on the opportunities, prerequisites, safeguards and limitations of a reliance strategy.

At its core, reliance refers to the extent to which Internal Audit may use the work of others — such as second-line functions, external auditors, specialists or other assurance providers — when forming its own audit conclusions. In banking, this is not a purely technical matter. It touches on audit planning, testing, issue validation, assurance mapping, governance, and the relationship between the different lines of defence.

Reliance requires a clear governance framework

A reliance strategy can contribute to more coordinated assurance, reduce unnecessary duplication and help Internal Audit focus its resources on areas of higher risk. However, these benefits can only be achieved if reliance is properly framed.

The paper underlines that reliance should not be treated as a procedural adjustment or a way to reduce audit effort. It requires a structured assessment of the assurance providers on which Internal Audit may rely. Their independence, objectivity, competence, methodology, quality of work and communication of results all need to be assessed and documented.

This is particularly important in the banking sector, where internal control frameworks are subject to strong supervisory expectations and where the integrity of the third line must be preserved. Any reliance approach must remain consistent with the Three Lines framework and must not weaken Internal Audit’s independent judgement.

A context-specific decision for each institution

One of the key messages of the paper is that reliance cannot be standardised across the banking industry. Each institution needs to assess whether reliance is appropriate in light of its own risk profile, control environment, governance structure, maturity of assurance functions and available documentation.

For some banks, reliance may be relevant in selected areas, for example where second-line controls are mature, independent and well documented. For others, the cost, complexity or residual audit risk may outweigh the expected benefits.

The Chief Audit Executive remains accountable for the reliance strategy and for the conclusions reached by Internal Audit. This means that reliance assumptions need to be regularly reviewed, challenged and reported through appropriate governance channels, including the Audit Committee.

From coordination to continuous evaluation

The paper proposes a roadmap built around four key steps: coordination, collaboration, progressive implementation and continuous evaluation.

A reliance strategy starts with a clear understanding of the roles and responsibilities of assurance providers. It also requires consistency across risk and audit universes, risk assessment methodologies, control plans, issue remediation frameworks and reporting processes.

Implementation should be progressive. Pilot approaches can help institutions test reliance in specific areas before considering broader application. Continuous evaluation is essential to ensure that reliance remains justified when risks evolve, when audit results raise concerns, or when the quality of assurance work changes.

The future of reliance

Technology, data analytics and artificial intelligence are also reshaping the discussion. As more controls become automated and more assurance activities become data-driven, Internal Audit will need to reassess how reliance is applied, evidenced and governed.

These developments may create opportunities for more integrated assurance, but they also introduce new questions around reliability, auditability, skills and accountability. In this environment, strong governance and clear documentation become even more important.

Read the paper

The ECIIA Banking Committee’s paper offers a balanced and practical contribution to an increasingly relevant debate for Internal Audit in banking.

It encourages institutions to approach reliance cautiously, structurally and in a way that preserves Internal Audit’s independence, while supporting better coordination across assurance functions.

Our website uses cookies, mainly from 3rd party services. Please read our Privacy & Cookies Policy to learn more.