[OR] [MAS] [E3] [C6] Audit and Regulatory Compliance

eBook 3: Chapter 6

 Audit and Regulatory Compliance

Introduction

Audit and regulatory compliance are critical components of operational resilience, providing independent assurance that frameworks, controls, and processes are effective, compliant, and aligned with regulatory expectations.  

While testing validates operational capability, audits ensure that these capabilities are consistently implemented, governed, and continuously improved.

In Singapore, the Monetary Authority of Singapore requires financial institutions to maintain robust governance structures, including independent review and audit mechanisms, as part of their operational risk management and resilience frameworks.

This chapter examines internal audit requirements, MAS expectations on audit timelines, and the importance of evidence and documentation in supporting compliance.

Internal Audit Requirements

Role of Internal Audit in Operational Resilience

Internal audit serves as the third line of defence, providing independent assurance over the effectiveness of operational resilience frameworks, including:

• Risk identification and assessment processes
• Business continuity and recovery strategies
• Scenario testing and incident response capabilities
• Governance and oversight mechanisms

MAS expects financial institutions to conduct periodic independent reviews to assess the effectiveness of operational risk management processes.

Scope of Audit Reviews

Internal audits should cover the full operational resilience lifecycle, including:

• Critical Business Services (CBS) identification and validation
• Dependency mapping across people, processes, technology, and third parties
• Impact tolerance setting and monitoring
• Testing and exercising programmes
• Incident and crisis management frameworks

According to BCM Institute-aligned guidance, audits should evaluate whether resilience measures are practical, executable, and aligned with recovery objectives, not merely documented.

Independence and Objectivity

To ensure credibility:

• Internal audit functions must be independent from business operations
• Auditors should possess domain expertise in BCM and operational resilience
• External auditors may be engaged for specialised or independent reviews

Value of Internal Audit

Effective internal audits provide:

• Identification of control weaknesses and gaps
• Validation of compliance with MAS expectations
• Recommendations for continuous improvement

Audit findings must be reported to senior management and the Board for timely remediation.

MAS Expectations on Audit Timelines

Regulatory Expectations

The Monetary Authority of Singapore expects financial institutions to implement regular and structured audit programmes as part of their operational resilience and BCM frameworks.

Key expectations include:

• Establishment of an Audit Plan
  Financial institutions are expected to develop a structured audit plan within a defined timeframe following the issuance of regulatory guidelines.

• Periodic Internal Audits
  Institutions should conduct internal audits regularly, typically aligned with risk exposure and organisational complexity.

• Timely Remediation of Findings
  MAS expects organisations to address audit findings promptly and effectively, ensuring that identified weaknesses are resolved.

• Ongoing Review and Continuous Improvement
  Audit is not a one-time exercise but part of a continuous cycle of review and enhancement.

Industry Practice on Audit Frequency

While MAS adopts a principles-based approach, common industry practices include:

• Annual review of risk assessments and business impact analysis
• Regular testing and audit cycles (e.g., every 1–3 years depending on risk criticality)
• More frequent audits for high-risk or critical services

Financial institutions must adopt a risk-based audit frequency, ensuring that critical areas are reviewed more rigorously.

Integration with Governance

Audit timelines should be aligned with:

• Board and senior management reporting cycles
• Regulatory reporting requirements
• Testing and scenario exercise schedules

This ensures that audit findings are timely, relevant, and actionable.

Evidence and Documentation

Importance of Evidence-Based Assurance

Regulatory compliance requires clear, auditable evidence that operational resilience measures are implemented and effective. Documentation serves as the foundation for:

• Audit validation
• Regulatory review
• Internal governance and oversight

Key Documentation Requirements

Financial institutions should maintain comprehensive documentation covering:

1. Policies and Frameworks

• Operational resilience framework
• Business continuity and crisis management policies
• Risk management policies

2. Risk and Impact Assessments

• Risk analysis and review (RAR)
• Business impact analysis (BIA)
• Impact tolerance definitions

3. Dependency Mapping

• End-to-end mapping of CBS
• Identification of critical resources and interdependencies

4. Testing and Exercise Records

• Scenario testing plans and results
• Exercise reports and lessons learned
• Evidence of improvements implemented

5. Incident and Recovery Records

• Incident logs and response actions
• Recovery timelines and performance metrics
• Post-incident reviews

Characteristics of Effective Documentation

Documentation must be:

• Accurate and up-to-date
• Comprehensive and structured
• Accessible for audit and regulatory review
• Aligned with actual practices and operations

MAS Perspective on Documentation

MAS expects financial institutions to maintain robust records and reporting mechanisms to support operational risk monitoring and audit activities.

Incomplete or outdated documentation can lead to:

• Audit findings and compliance gaps
• Regulatory scrutiny
• Reduced confidence in resilience capabilities

Linking Audit to Continuous Improvement

Audit is not an endpoint—it is a driver of continuous improvement.

Feedback Loop

Audit findings should feed into:

• Control Enhancements
  Strengthening policies, procedures, and technical controls

• Testing Improvements
  Refining scenarios and expanding test coverage

• Governance Adjustments
  Clarifying roles, responsibilities, and escalation processes

• Capability Development
  Enhancing staff training and organisational readiness

MAS Expectations

MAS emphasises that financial institutions must:

• Continuously monitor, review, and improve their operational resilience frameworks
• Ensure that audit findings are acted upon and resolved
• Maintain a proactive approach to risk management

Audit and regulatory compliance are essential for ensuring that operational resilience frameworks are not only designed effectively but also implemented, maintained, and continuously improved.

Guided by the expectations of the Monetary Authority of Singapore, financial institutions must establish robust internal audit functions, adhere to structured audit timelines, and maintain comprehensive evidence and documentation.

By embedding audit into the operational resilience lifecycle, organisations can achieve independent assurance, regulatory compliance, and sustained resilience maturity. Ultimately, audit transforms resilience from a theoretical framework into a verified, accountable, and continuously evolving capability.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.