A lot of attention is placed on numbers churned out during a firms’ stress testing exercise. After all more importance is placed on these numbers by various stakeholder, such as investors and regulators, as the results effect level of capital and dividend pay-outs. It goes without saying that it must be equally important for emphasis to be placed on data quality, controls and governance around this process. This is where internal audit is important in adding value.
For the process to be effective, the first stage is to clearly define the responsibilities that the three lines of defence have in this respect.
Checking that the process has been followed and controls are operating effectively for a mature stress testing process, should be the responsibility of the first line. The review and challenge of assumptions and results, should fall within the remit of the second line and not internal audit in this instance. This is often misunderstood as the third line’s responsibility. In fact, internal audit should take a view of how management discharges their responsibilities.
Where the stress testing process is not mature, internal audit should deem that a key risk is that the process and controls are not going to function properly. Internal audit can play a role in performing checks and reviews after first and second line have performed their duties but before submission to the regulator. These checks can be on reconciliations and integration between systems and functions. However, care must be taken not to interfere with the first and second lines’ process.
An internal audit review can also be undertaken after the completion of stress testing, where it can add value by looking at ways to make the process more effective and efficient, e.g. data accuracy checks and completeness.
Model risk is the predominant key risk noted by firms. Expertise in modelling is a challenge to not only the business but to internal audit. In order for internal audit to add value to the validation of models, knowledge of best practise in this area is usually required.
Due to the level of uncertainties in the stress test scenarios, there is usually a mismatch between this inherent uncertainty and the data requested by the regulator. This is one of the areas where data quality issues can arise. Other areas can be gaps, inconsistencies and inaccuracies in data. Internal audit can play an important role here due to its independent view.
Internal audits can add great value to the stress test process by reflecting on best practises usually based on their experiences in other firms. These best practise recommendations can include documentation of models, structure of systems and validation techniques. This is usually a challenge for most internal audit teams. Co-sourcing is a great opportunity to bring in this expertise, where they have experienced these best practises and can add value to this process. There is also an expectation for internal auditors to form a view on areas such as reverse stress testing, risk modelling, recovery stress test and ILAAP. Expertise in this area is required along with an understanding of the regulators expectations.
Dhallu & Co. and the author will not be liable for any reliance you place on the information in this publication. You should seek independent advice.