The Financial Industry’s use of complex financial models continues to rise, so auditors need to be prepared to evaluate the risk associated with these models. While large banks may have the capacity to take on this new responsibility, those with smaller internal audit teams have to plan strategically to meet this requirement. Audit leaders must understand audit’s role in model risk management to be able to staff appropriately and manage the impact of financial models.

What Is Model Risk Management?

Financial Institutions use models to predict potential outcomes when making business decisions, but these tools are imperfect. Despite best efforts, it is impossible to eliminate the risk that the models are based on incomplete information, are not programmed with the right variables, or that the outputs are misused. In managing model risk, internal audit’s goal is to limit the likelihood of these issues occurring and the impact of financial exposure if it does happen.

The Three Lines and Model Risk

Guidance from regulatory agencies on managing model risk follows the IIA’s Three Lines Model as a framework for assigning responsibilities for mitigating risk. 

First Line: Develops Models

The first line includes the model developers who are responsible for the quality, accuracy, and completeness of the model. 

Second Line: Monitors Policies

The second line is accountable for the monitoring of policies related to modeling, the assessment of the models’ performance over time, and validating the models. To understand if the risk is mitigated as intended, models are considered independently and in aggregate, requiring the second line to keep an inventory of all models in use with key information about each model. 

Third Line: Assesses Model Governance Process 

As the third line of defense, internal audit evaluates the overall model governance process, including adherence to internal policies and external regulations.

Internal Audit’s Role in Model Risk Management

As the third line, internal audit plays a crucial role in risk management. Specifically related to model risk, auditors are responsible for ensuring model risk is assessed and included in the audit plan with adequate coverage for any regulatory areas. Several responsibilities require specific technical expertise, and only qualified auditors can take on this exercise. These responsibilities include:

  • Providing independent validation of the internal controls established for model development, usage, and validation.
  • Reviewing the documentation, timeliness, frequency, and completeness of model validation activities.
  • Determining if model owners and control groups comply with model risk policies.
  • Assessing if the model risk framework sufficiently addresses model risk for individual models and in aggregate.
  • Reporting any findings to Senior Management, the Board, and Regulators and then tracking the findings through remediation.

The use of models will expand and grow more complex as both the need for the models and the technological capabilities increase. For those teams with limited capacity, finding qualified resources will be the key to success. The pool of auditors with the technical and statistical expertise to audit the models is limited, and you may need to consider supplementing with outside help. As you are searching for qualified staff, keep in mind the responsibilities listed above so you can assemble a team to fulfill audit’s critical role in model risk management.


Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.