Large Bank Examination Workshop February 2026

Internal Audit • Internal audit should assess the overall effectiveness of the bank’s model risk management framework and policy and determine compliance with that policy. • Internal audit’s role is not to duplicate the risk management activities of vetting, approval and validation. Its role is to assess whether model risk management is effective.

Policy Existence Policy Adherence Documentation

Internal Audit

119

1 st Line of Defense Model rationale Model development Model use 2 nd Line of Defense Independent review (vetting) Model approval Validation and control

3 rd Line of Defense Internal audit

Three Lines of Defense

120

60

© Global Financial Markets Institute Inc.