Does internal audit need to reperform model validation during a model risk audit?
Usually not in full. Internal audit should evaluate whether validation was independent, competent, risk-based, sufficiently documented, and acted on. It may perform targeted challenge work over high-risk assumptions, data, performance metrics, or unresolved findings, especially when the model is material or regulatory attention is high.
Reperforming the entire validator's work can blur roles and waste audit effort. A better audit approach is to test whether validation standards exist, whether the sampled model complied with them, whether exceptions were escalated, and whether the business used the model within approved limitations.
If the audit team lacks the technical skill to challenge the validation evidence, it should obtain specialist support. Avoiding the technical risk is weaker than resourcing the engagement properly.
Master CIA Part 2 with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Related Articles
Join the Discussion
Ask questions and get expert answers.