While ECIIA welcomes the European Central Bank’s (ECB) draft guide on internal models for financial services organisations, more clarity is needed in some areas over the role of internal audit and other assurance functions.
In response to the ECB consultation on its proposed guidance, ECIIA has highlighted several areas where a more explicit focus on the difference between the roles of the second and third lines of defence are needed.
For example, ECIIA says that validation of an organisation’s ratings-based approach for calculating how much capital it holds for regulatory purposes should be performed by a second line function – rather than by internal audit, as is currently suggested by the ECB.
“We should avoid overlapping between internal audit and the internal validation activities in order to make efficient the control function activities,” Farid Aractingi, ECIIA President, says. Internal audit’s role is to provide assurance that the validation approach is robust and efficient.
ECIIA also emphasised the need for ECB to adhere to a risk-based approach to the effectiveness of internal controls around internal models. For example, ECB has suggested an audit cycle of three years for those areas that did not show signs of increased risk.
“It is inappropriate to impose a minimum frequency of three years, for models or for any other area,” ECIIA said in its submission. “Each bank should be consistent with its own approach combining audit cycle and risk assessment.”