Internal audit of model risk management program

PwC brought deep expertise and a number of tools and accelerators to assist with the development of a comprehensive and rigorous audit program around model risk management, as well as execution of the testing program. Our services included:

• Development of a comprehensive Risk & Controls Matrix (“RCM”) covering model risks across the full model life cycle and first and second lines of defense (“LoD”). For each risk, the matrix included a detailed set of testing steps covering both the design and operating effectiveness testing of MRM controls;
• Development of a comprehensive audit strategy document describing how IA’s testing addresses all the model risks across different lines of business, functional areas, and different types of audits (dedicated MRM audit, business area audits, and IT audits) over time;
• Development of tools and templates for different types of testing, including the model-specific documentation and validation testing assessments detailed below;
• Execution of the design and operating effectiveness testing of the appropriate RCM tasks as part of a comprehensive MRM audit;
• Subject Matter Specialist (“SMS”) assistance with the testing of model-specific MRM controls for a diverse representative sample of models. The testing included:

First LoD testing: Evaluation of the model development and implementation documentation (including ongoing risk and performance monitoring plans) to help ensure that it is complete and consistent with the Bank’s model documentation standards and industry leading practices for documenting similar models.

Second LoD testing: Testing of operating effectiveness of independent model validation process to ensure that:

- The scope of testing comprehensively addressed all unique model
   risks associated with the model’s development, implementation,
   use, and monitoring;

- The rigor of the testing was consistent with the industry practices
   for a given model type and commensurate with the model’s risk
   tier;

- The validation report included comprehensive and detailed
   information about the validation testing performed;

- The validation report included explicit validation conclusions
   supported by testing evidence;

- Any identified risks were documented together with the
  appropriate longer-term remediation actions and near-term risk
  mitigants agreed with the 1st LoD.

- Assistance with the documentation of audit issues and audit report
  drafting.

At the end of the engagement, the Bank possessed a comprehensive MRM audit program and associated tools and templates. The Bank’s internal IA personnel have been trained on the testing requirements and use of the tools and templates. Additionally, the testing identified a number of areas of the Bank’s MRM program requiring enhancement. Where appropriate, PwC provided detailed recommendations on remediating the identified program weaknesses.