ARTICLE
9 April 2026

Navigating Internal Audit, Cyber Risk, And Regulatory Expectations In Broker-Dealer Operations

K2 Integrity

Contributor

K2 Integrity is a global risk management firm dedicated to helping organizations across both the public and private sectors protect their assets, reputation, and operations and meet their regulatory obligations. Our team of top subject-matter experts includes former regulators, economic security officials, and industry veterans, who specialize in financial crime prevention, regulatory compliance, cybersecurity, investigations, and risk advisory, bringing practical skills and deep insight to every engagement. Using innovative technology solutions and a data-driven approach, we deliver actionable results that help clients identify emerging risks, respond effectively, and make confident decisions.

Broker-dealers are operating in an increasingly complex risk environment shaped by evolving regulatory expectations, rapid technological advancements, and heightened exposure to cyber-enabled threats. On 25 March 2026, K2 Integrity held a webinar that explored how internal audit, compliance, cybersecurity, and risk management functions must adapt to meet these challenges—particularly in light of recent regulatory guidance and industry observations. We heard from experts Anthony Vinci, senior director, Office of Financial and Operational Risk Policy, FINRA; KeriAnn Kelly, senior vice president, Platform Solutions Engineering, Goldman Sachs; Olivia Makara, director, Cyber and AI Resilience, K2 Integrity; and moderator Yelena Talmazan, senior managing director, Financial, Internal Audit, and Risk Advisory, K2 Integrity. A recording of the session is available from K2 Integrity.

Evolving Regulatory Expectations and Risk Landscape

On 9 December 2025, FINRA released its 2026 Annual Regulatory Oversight Report, which highlighted recurring control gaps and emphasized the need for firms to align their internal audit and compliance programs with evolving expectations. Importantly, recent guidance has not introduced entirely new requirements but rather has provided greater clarity and depth in areas such as operational resilience, cyber-enabled fraud, third-party dependencies, and governance of emerging technologies, including artificial intelligence.

Firms are expected to treat these observations as signals for risk prioritization and for strengthening controls end to end. Internal audit functions play a central role in translating these expectations into recalibrated, actionable audit plans and risk assessments. A critical takeaway is that compliance must extend beyond documented policies: regulators are increasingly focused on how controls are implemented, monitored, and sustained in practice.

Internal Audit as a Strategic Risk Function

Internal audit continues to evolve from a retrospective assurance function to a forward-looking strategic partner. To remain effective, audit teams must recalibrate their approaches in several key ways:

  • Risk-Based Planning and Gap Analysis: Audit teams should align their annual plans with regulatory focus areas by conducting structured gap analyses of Written Supervisory Procedures (WSPs), the controls and supervisory procedures those WSPs describe, and the audits already on the plan. This includes:
    • Mapping regulatory obligations and observations to internal processes
    • Identifying gaps between policy and execution
    • Prioritizing audits based on high-impact and emerging threats
  • Cross-Functional Risk Visibility: Many control failures stem from siloed operations. Internal audit should evaluate how effectively information flows across:
    • Cybersecurity teams
    • Compliance and AML functions
    • Business and operational units
  • Focus on Execution and Effectiveness: Audit scope should shift from verifying the existence of policies to assessing:
    • Whether controls are functioning as intended
    • Whether processes are scalable and sustainable
    • Whether outcomes align with regulatory expectations

Market Integrity and Financial Management

Market integrity and financial management remain priority focus areas for FINRA. However, expectations are shifting toward more holistic and operationally grounded assessments.

Market Integrity: Firms are expected to move beyond transaction-level reviews and assess the cumulative impact of their practices, including order routing decisions, execution quality across systems, and reliance on third-party tools.

Financial Management: Operational readiness is critical. Firms must ensure that systems, data, and processes can support increased regulatory demands, including real-time or near-real-time requirements. Key areas of focus include:

  • Accuracy of financial records and regulatory filings
  • Adequacy of capital and liquidity management
  • Transition from periodic to more frequent financial computations

Liquidity and Stress Testing: Regulators expect firms to develop realistic, firm-specific stress scenarios; identify early warning indicators of financial stress; and maintain actionable contingency funding plans.

Operational Resilience as a Core Compliance Requirement: Firms must demonstrate the ability not only to recover from disruptions but also to maintain continuity of critical operations. Key components of operational resilience include system and data resilience, testing and validation, and governance and accountability. Operational resilience must be embedded into the broader compliance framework, ensuring alignment between regulatory obligations and technical capabilities.

Cyber-Enabled Fraud

Cyber-enabled fraud represents a convergence of cybersecurity and financial crime risks. Emerging tactics such as synthetic identities, voice cloning, and deepfake technologies are increasing both the sophistication and scale of fraud.

Breakdowns often occur due to fragmented coordination between cybersecurity and AML teams, delayed escalation of risk signals, and a lack of shared visibility across systems and functions.

The emphasis is shifting toward early detection, which depends on a combination of technical and procedural controls: behavioral analytics for detecting anomalous activity, enhanced identity verification processes, multi-factor authentication and access controls, and real-time monitoring of account activity.

When dealing with cyber-enabled fraud, strong programs demonstrate integrated governance across cyber and AML functions, clearly defined escalation pathways, and shared understanding of risk indicators.
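The following is an added illustration, not code from the webinar or from K2 Integrity, of what "behavioral analytics over account activity" and "shared risk indicators with a defined escalation pathway" look like in practice. It correlates access-layer events (new-device login, MFA reset, contact-detail change) with money-movement events (large wire to a new beneficiary) on the same account inside a look-back window, scores them, and routes one alert to every function that owns a triggered indicator so cyber and AML see the same case. The event format, the indicator weights, the 24-hour window, the 10,000 large-wire threshold and the sample log lines are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str            # login | mfa_reset | contact_change | wire
    attrs: dict = field(default_factory=dict)


# Constructed sample events for the example (not real account data).
# Line format assumed here: <ISO timestamp> <account> <event_kind> key=value ...
SAMPLE_LOG = """\
2026-03-20T09:02:11 ACC-1001 login device=known geo=US
2026-03-20T09:05:40 ACC-1001 wire amount=1200 beneficiary=known
2026-03-21T02:14:03 ACC-2002 login device=new geo=RO
2026-03-21T02:16:30 ACC-2002 mfa_reset channel=voice
2026-03-21T02:20:12 ACC-2002 contact_change field=email
2026-03-21T02:41:55 ACC-2002 wire amount=48000 beneficiary=new
2026-03-21T10:00:00 ACC-3003 login device=new geo=US
2026-03-21T15:30:00 ACC-3003 wire amount=500 beneficiary=known
"""

WINDOW = timedelta(hours=24)      # assumed look-back window before a wire
LARGE_WIRE = 10_000               # assumed "large" threshold
ALERT_THRESHOLD = 6               # assumed minimum score to raise an alert

# Shared indicator catalogue: (owning function, weight). Access-layer signals
# belong to cyber, money-movement signals to AML; both read the same list.
INDICATORS = {
    "new_device_login": ("cyber", 2),
    "mfa_reset":        ("cyber", 3),
    "contact_change":   ("cyber", 2),
    "new_beneficiary":  ("aml", 2),
    "large_wire":       ("aml", 2),
}


def parse_events(text):
    """Parse the assumed line format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, *kvs = line.split()
        attrs = dict(kv.split("=", 1) for kv in kvs)
        events.append(Event(datetime.fromisoformat(ts), account, kind, attrs))
    return sorted(events, key=lambda e: e.ts)


def indicators_for_wire(wire, history):
    """Indicators triggered by `wire`, given the account's earlier events within WINDOW."""
    recent = [e for e in history if wire.ts - WINDOW <= e.ts < wire.ts]
    found = []
    if any(e.kind == "login" and e.attrs.get("device") == "new" for e in recent):
        found.append("new_device_login")
    if any(e.kind == "mfa_reset" for e in recent):
        found.append("mfa_reset")
    if any(e.kind == "contact_change" for e in recent):
        found.append("contact_change")
    if wire.attrs.get("beneficiary") == "new":
        found.append("new_beneficiary")
    if float(wire.attrs.get("amount", 0)) >= LARGE_WIRE:
        found.append("large_wire")
    return found


def detect_account_takeover(events):
    """Score each wire against prior account activity; escalate high scores to every owning function."""
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for wire in (e for e in evs if e.kind == "wire"):
            hits = indicators_for_wire(wire, evs)
            score = sum(INDICATORS[h][1] for h in hits)
            if score < ALERT_THRESHOLD:
                continue
            owners = sorted({INDICATORS[h][0] for h in hits})
            first_signal = min(e.ts for e in evs if wire.ts - WINDOW <= e.ts <= wire.ts)
            alerts.append({
                "account": account,
                "wire_ts": wire.ts.isoformat(),
                "score": score,
                "indicators": hits,
                "escalate_to": owners,
                # Minutes from the first risk signal to the wire: the time the
                # escalation pathway has to act if the wire is to be held.
                "lead_time_min": (wire.ts - first_signal).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_account_takeover(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed data only ACC-2002 fires: a new-device login, a voice-channel MFA reset and an email change precede a large wire to a new beneficiary within half an hour, and the alert is addressed to both cyber and AML. ACC-3003's lone new-device login scores below the threshold, which is the point of weighting and combining indicators rather than alerting on any one of them. The `lead_time_min` field makes the escalation delay visible: in this case the pathway had under 28 minutes from the first signal to the wire.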

Third-Party Risk Management

As firms increasingly rely on external vendors, third-party risk has become a critical area of focus. Vendor environments are dynamic, and risks may increase due to expansion of services, introduction of new technologies, or changes in data handling practices. Regulatory expectations are clear: accountability cannot be outsourced.

Elements of effective third-party risk management include:

  • Initial Due Diligence
    • Assessment of vendor controls and security posture
    • Understanding of data flows and access rights
    • Evaluation of potential risks and dependencies
  • Contractual Safeguards
    • Data protection requirements
    • Audit rights and reporting obligations
    • Incident response and data recovery provisions
  • Ongoing Monitoring
    • Continuous assessment of vendor performance
    • Review of independent audit reports
    • Monitoring for emerging risks and vulnerabilities
    • Assessment of risk from fourth-party vendors (the vendor's own subcontractors) that handle firm data

Firms must continuously reassess vendor relationships to ensure that original risk assumptions remain valid.

Conclusion

The current regulatory and risk environment demands a more sophisticated and integrated approach to internal audit and risk management. Broker-dealers must evolve from compliance-driven models to resilience-driven frameworks that prioritize execution, coordination, and adaptability.

Internal audit plays a critical role in this transformation by:

  • Aligning audit plans with emerging risks
  • Evaluating the effectiveness of cross-functional processes
  • Validating operational readiness across critical areas

Ultimately, success will depend on the ability of the organization to anticipate risks, respond proactively, and maintain resilience in the face of ongoing disruption. This requires not only robust controls, but also a culture of collaboration, accountability, and continuous improvement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
