What is Audit's role in regulatory remediation activities?
-
RiskBowl,
We're looking for insights/observations on what Audit’s role should be in regulatory remediation activities (e.g., MRA quality review and closure). I would say that Audit’s role should be more process/compliance focused, reviewing both 1LOD/2LOD activities – but would appreciate further insights and specificity.
We're remediating a large number of modeling/assumption-heavy findings, and are interested in understanding how to define Audit’s role clearly (without blurring the LODs).
Thanks
-
Audit will indeed have to “sign off” on the remediation before the regulator will consider closing the finding. The key question then is what does sign-off mean? What it does not mean is that Audit has to validate an assumption or calibration (and thereby assume the role of 2nd line/model validation teams).
Instead, Audit has to ensure that there are well-defined processes that it can say will reasonably ensure a sufficient level of review and challenge by second line, and that the first line remediation approach is sound and in keeping with the regulatory findings, regulations and expectations. Of course, Audit will also be expected to not just confirm that such processes and procedures exist, but that they have been duly executed to a standard that Audit is comfortable with.
To the extent data is a significant component of your remediation, Audit is now expected to confirm that controls are in place along the data path to ensure quality is maintained and that they have done some independent testing of those controls.
-
For our Fed remediation plan for Sanctions, Audit was a key part of the remediation plan. We submitted a full Audit “TOM” including resource model, training, risk assessment, audit testing program, and senior mgmt. reporting. There was also a layered sign-off for smaller vs. golden milestones, where Audit got involved to provide design assurance vs. operational effectiveness.