How should internal audit scope a first-time model risk audit?
Start with the model universe, not with model math. Internal audit should understand what counts as a model, who owns the inventory, how models are risk-tiered, which models affect important decisions, and which criteria apply to development, validation, approval, monitoring, change control, and issue remediation.
For a first-time audit, a practical scope is to assess the design of the model risk management framework and then test a small sample of higher-risk models. The sample should connect policy requirements to evidence: inventory record, intended use, validation, approval, implementation, monitoring, exceptions, and remediation.
The CIA point is that internal audit owns assurance over governance and controls. It should use specialists where technical depth is needed, but it should not become the team that approves or operates the model.
Master CIA Part 2 with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Related Articles
Join the Discussion
Ask questions and get expert answers.