Share with us a complex technology or change challenge - we'll take it from there.

Green Dolphin (TCCR) Limited

What does your CTO actually think when internal audit walks through the door? Join us at the next Chartered Institute of Internal Audit IT Audit Forum that we have been asked to chair in 2026.


19 March 2026 | 11:00 to 12:00 | Virtual

Internal Audit and Risk Team Support

On-Demand Technology, Change and Cyber Risk Support That Will Build Your Own Capability

On Demand SME Support


Your team are experts in risk and control and have a deep understanding of the organisation's strategy, operating environment, capability and risks. We complement your team by providing deep subject matter expertise in areas such as data, technology, cyber, strategy, governance and business change.


We want you to measure us on whether you believe we have maximised the transfer of skills and knowledge to your own team. This doesn't happen by accident - we bring a senior-led approach and deep subject matter expertise in the key areas of risk that you face.


We don’t do cookie-cutter.  We tailor our support so you can get the assurances you need and enhance the value delivered by your IA and Risk team.


Approach


  • Building your capability: Training and knowledge sharing that will build and maintain a common baseline understanding of the risks.
  • Providing on-demand support: Head of Cyber, Technology and Change Audit to assist your IA and Risk function with all elements of discovery and scoping, planning, fieldwork, quality assurance and reporting.
  • Deep Subject Matter Expertise (SMEs): SMEs that augment your own team and deliver robust and insightful audits, benchmarked against your peer and aspirational organisations.


Why choose Green Dolphin


  • Stakeholder credibility: Our senior team have both audit experience and deep expertise from undertaking roles within industry such as CIO, CTO, CISO and Head of Technology and Change Audit.
  • Robust assurance: A focus on delivering quality at every step so that you can take confidence that the risks are understood and that the controls are designed, implemented, and operating effectively.
  • Proportionate and commercial: An understanding that budgets are not infinite and therefore our recommendations need to be proportionate to the risks faced, regulatory expectations and commercial to operate.

Referenceable - Just Ask Us

Please let us put you in touch with your peers at other building societies, insurers and banks so you can hear first-hand how we've helped transform their IA delivery.


Typical Green Dolphin Effort: 


5 to 8 days support (per 20 day audit or review)

8 to 12 days (full audit or review)


Case Study (Internal Audit)

On-Demand SME Support for Internal Audit

Challenge


The co-sourced internal audit service at a specialist lender had lost credibility with Technology, Change and Cyber risk stakeholders, who were progressing change activity at pace and could not spare the time to onboard and upskill junior staff at the same time as delivery. Fees from the provider were increasing, with little focus on skills transfer and value delivered.


Approach


We identified an initial and highly targeted review where we could explore ways of working together and act in a coaching role for the in-house internal audit team.


We provided on-demand support during all elements of discovery and scoping, planning, fieldwork, quality assurance and reporting. This involved our own SMEs augmenting the in-house team to attend the more technical stakeholder interviews and performing an ongoing quality assurance role in the background. We also supported the report with benchmarking of controls and performance against peer and aspirational organisations.


Finally, we completed the engagement by holding a training and knowledge sharing session that helped to build a common baseline understanding of the risks for the full in-house team.


Outcome


We reset the relationship, brought fresh energy, and focused on upskilling the in‑house team while integrating seamlessly into their ways of working.  The team is now more confident and capable, and stakeholders consistently report meaningful value being delivered.

Green Dolphin TCCR provides technology and change internal audit support in building societies.

Case Study (Risk)

On-Demand SME Support for Risk

Challenge


A Bank was navigating a period of accelerating change - core banking modernisation, cyber strengthening and digital transformation running concurrently - while regulatory expectations around operational resilience, third-party oversight and board accountability continued to sharpen.


The Risk Director recognised a growing gap. The second line had the intent but not the specialist capacity to provide meaningful oversight across multiple technology and change programmes simultaneously. Risk reporting to the Risk Committee lacked the forward-looking edge that regulators increasingly expected. Early warning indicators existed on paper but were not consistently driving action or decision-making. And with PRA supervisory priorities, Dear CEO letters and Consumer Duty raising the bar, the CRO needed confidence that second line oversight was not just present but credible, proportionate and defensible.


The Bank needed an experienced specialist who could embed within the Risk Team, strengthen oversight from the inside and help close the gap between where the second line was and where it needed to be - without adding bureaucracy or slowing delivery.


Approach


A senior risk specialist was embedded within the Risk Team on a secondment basis, working under the direction of the Risk Director and operating as a trusted extension of the second line function.

The initial focus was on documenting and agreeing a clear, proportionate second line approach to change oversight - establishing the framework before applying it. This gave the Risk Director an agreed basis for challenge that was understood by both first and second line, reducing friction and improving the quality of engagement with programme teams.


From that foundation, the work extended across the full scope:


  • Technology and cyber risk oversight activity across live programmes, providing specialist challenge that the risk team could not resource alone
  • Transformation project oversight, focused on delivery confidence, decision quality and escalation effectiveness
  • Cyber risk and operational resilience programme oversight, assessed against the expectations set out in SS1/21, PS16/24 and the PRA's evolving supervisory priorities


Throughout, the approach was proportionate to the Bank's scale and maturity - challenging where it mattered, pragmatic where it didn't and always focused on outcomes rather than process for its own sake.


Outcome


The second line approach to change oversight moved from informal and reactive to documented, agreed and consistently applied. The Risk Director had a clear framework to point to - one that the Board, internal audit and regulators could see and test.


Technology, cyber and transformation risks that had previously sat in programme-level registers without meaningful second line challenge were surfaced, escalated where necessary and tracked to resolution. Oversight became genuinely concurrent rather than retrospective.


The quality of risk reporting transformed. Early warning indicators became forward-looking and actionable. The Risk Committee received information that enabled them to ask better questions, challenge more effectively and make decisions with confidence. Board members commented on the step change in the quality of risk insight they were receiving.


The Risk Director gained specialist capacity without a permanent headcount increase - and a second line function that could credibly demonstrate to the PRA, internal audit and the Board that oversight of change, technology, cyber and operational resilience was proportionate, evidenced and aligned to current regulatory expectations.


The Bank didn't just strengthen its risk oversight. It gave its customers better protection, its Board better assurance and its regulators better evidence - exactly what a well-functioning second line should deliver.

Green Dolphin TCCR provides technology and change internal audit and support in building societies.

© Green Dolphin (TCCR) Limited
Company registered in England and Wales (NO.16855006)


NCSC Cyber Essentials Certified 2026 (No.8fe63bb4-be60-4c2a-81f7-8cad1848de4d)


Good Business Charter Accredited 2026


VAT Registration 513 0298 23


All rights reserved.
