
Financial compliance confidence is high, but audit evidence still lags


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: A survey of 1,000 financial and fintech professionals found 88.4% are very confident they would pass a surprise audit, yet 64% of financial services companies have received an identity-related audit citation in the past two years and 49.3% still spend 10 to 25 hours a month preparing audit data, according to StrongDM. The gap is not confidence but provability: compliance programmes that cannot produce timely access evidence are already behind.

NHIMG editorial — based on content published by StrongDM: The State of Compliance in Financial Institutions Report

By the numbers:

Questions worth separating out

Q: How should security teams reduce manual effort in audit evidence collection?

A: They should automate the connection between identity events, access changes, and logging so evidence is produced as a by-product of normal operations.

Q: Why do privileged access reviews often fail to satisfy auditors?

A: They fail when the review checks whether access exists but cannot prove how long it existed or whether it was removed everywhere it mattered.

Q: What do financial institutions get wrong about compliance automation?

A: Many teams automate reporting before they automate the underlying identity data quality.

Practitioner guidance

  • Measure access revocation latency across all high-risk systems: record how long it takes to remove access after role change or exit, then compare that timing across privileged systems, directories, and downstream dependencies.
  • Replace manual audit packs with continuous evidence pipelines: connect access approvals, entitlement changes, and system logs so audit evidence is generated continuously instead of assembled after the fact.
  • Tighten least-privilege review for third-party and non-human access: separate employee access reviews from vendor, service account, and API credential reviews so external access is not hidden inside human recertification workflows.

What's in the full report

StrongDM's full report covers the operational detail this post intentionally leaves for the source:

  • The survey methodology and full respondent breakdown across financial institutions and fintech firms
  • The specific regulatory categories that respondents found most difficult to manage, including GDPR and ISO 27001
  • The detailed split between manual approval, real-time logging, and automated compliance reporting
  • The investment priorities that respondents said they will fund over the next 12 months

👉 Read StrongDM’s report on compliance in financial institutions →

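The revocation-latency measurement in the guidance above, together with the question of proving that access was removed everywhere it mattered, as an added example (not StrongDM's or NHIMG's code): it joins constructed HR trigger events (exit, role change, owner exit for a service account) to constructed per-system revocation logs, reports how long access outlived each trigger, and lists the principal/system pairs with no provable revocation. The system names, event fields and the four-hour SLA are assumptions for the example.

```python
"""Access revocation latency report.

Added example, not code from StrongDM or NHIMG.  Joins an HR trigger event
(the moment access should have ended) against the deprovisioning events each
downstream system recorded, then reports per system how long access outlived
the trigger and where it was never removed.  All events below are constructed;
the system names and event shapes are assumptions, not any product's schema.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Systems whose revocation must be proven for a principal (assumed list).
HIGH_RISK_SYSTEMS = ("okta", "aws-iam", "prod-postgres", "vpn")

# Constructed trigger events: exit, role change, and the owner of a service
# account leaving (the NHI case that human offboarding workflows miss).
TRIGGERS = [
    {"principal": "alice", "kind": "exit", "ts": "2024-03-01T09:00:00Z"},
    {"principal": "bob", "kind": "role_change", "ts": "2024-03-02T10:00:00Z"},
    {"principal": "svc-billing-deploy", "kind": "owner_exit", "ts": "2024-03-01T09:00:00Z"},
]

# Constructed revocation events taken from each system's own audit log.
REVOCATIONS = [
    {"principal": "alice", "system": "okta", "ts": "2024-03-01T09:05:00Z"},
    {"principal": "alice", "system": "aws-iam", "ts": "2024-03-01T11:30:00Z"},
    {"principal": "alice", "system": "vpn", "ts": "2024-03-01T09:06:00Z"},
    # no prod-postgres revocation for alice: a local DB role survived offboarding
    {"principal": "bob", "system": "okta", "ts": "2024-03-02T10:01:00Z"},
    {"principal": "bob", "system": "aws-iam", "ts": "2024-03-05T16:00:00Z"},
    {"principal": "bob", "system": "prod-postgres", "ts": "2024-03-02T10:40:00Z"},
    {"principal": "bob", "system": "vpn", "ts": "2024-03-02T10:02:00Z"},
    # svc-billing-deploy: nothing was revoked anywhere after its owner left
]


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamps used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def revocation_latency(triggers, revocations, systems=HIGH_RISK_SYSTEMS):
    """Return {principal: {system: latency_seconds or None}}.

    None means no revocation was observed in that system at or after the
    trigger, i.e. the access is still standing.  Revocations that predate the
    trigger are ignored: they do not prove removal after the trigger.
    """
    by_key = defaultdict(list)
    for r in revocations:
        by_key[(r["principal"], r["system"])].append(parse_ts(r["ts"]))
    report = {}
    for t in triggers:
        t0 = parse_ts(t["ts"])
        row = {}
        for sys_name in systems:
            later = [ts for ts in by_key.get((t["principal"], sys_name), []) if ts >= t0]
            row[sys_name] = (min(later) - t0).total_seconds() if later else None
        report[t["principal"]] = row
    return report


def summarize_by_system(report, systems=HIGH_RISK_SYSTEMS, sla_seconds=4 * 3600):
    """Per-system median and worst latency, SLA breaches, and open revocations."""
    summary = {}
    for sys_name in systems:
        vals = [row[sys_name] for row in report.values()]
        done = [v for v in vals if v is not None]
        summary[sys_name] = {
            "median_s": median(done) if done else None,
            "max_s": max(done) if done else None,
            "sla_breaches": sum(1 for v in done if v > sla_seconds),
            "still_open": sum(1 for v in vals if v is None),
        }
    return summary


def open_access(report):
    """(principal, system) pairs with no provable revocation: the audit findings in waiting."""
    return sorted((p, s) for p, row in report.items() for s, v in row.items() if v is None)


if __name__ == "__main__":
    rep = revocation_latency(TRIGGERS, REVOCATIONS)
    for principal, row in rep.items():
        print(principal, {s: (None if v is None else f"{v / 60:.0f} min") for s, v in row.items()})
    print(summarize_by_system(rep))
    print("open:", open_access(rep))
```

The per-system comparison is the point: here the identity provider revokes within minutes, the cloud IAM revocation for the role change takes more than three days, and the service account is never touched, which is exactly the "removed everywhere it mattered" evidence an auditor asks for and a single directory check cannot supply.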
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Compliance confidence is not a control outcome; it is a perception metric. The report shows a programme can feel audit-ready while still consuming substantial labour to prove basic access facts. That gap matters because identity governance is measured by evidentiary reliability, not by self-assurance. Practitioners should treat confidence scores as weak signals unless they are backed by provable access history.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: How should organisations govern third-party access in regulated environments?

A: They should review third-party access as a separate governance stream with its own owners, expiry rules, and evidence trail. Third-party entitlements often outlive the business need that created them, which makes them harder to defend in audit and harder to contain when the relationship changes.

👉 Read our full editorial: Compliance confidence is outpacing audit evidence in financial institutions
