
Key insights
- Model validations and internal audits are crucial for managing risk associated with your institution's allowance for credit loss calculations. They might seem similar, but serve different purposes and focus on distinct aspects of the calculation.
- CECL model validation confirms the accuracy and reliability of the model used to estimate credit losses. This involves checking the documentation, internal controls, and processes surrounding the model.
- Internal audits evaluate the overall effectiveness of your institution's internal controls, risk management, and governance processes. They provide an independent assessment and help identify areas for improvement.
In banking, various models are used for analyzing business strategies, informing business decisions, and measuring risk and exposure to loss.
Model risk is the exposure financial institutions face when they rely on inaccurate or misused models for decision-making and risk management. The consequences can include financial loss and unsound business strategies, making effective validation critical to model-risk management.
For your institution’s allowance for credit loss/current expected credit loss (CECL) calculation, two key functions help achieve sound model risk management: model validations and internal audit. Both are addressed in the Interagency Policy Statement on Allowances for Credit Losses.
While they may seem similar, they serve two distinct purposes and focus on distinct aspects of an institution’s analysis. Explore how understanding and implementing both model validations and internal audits can help improve the accuracy, reliability, and compliance of your CECL calculations, potentially leading to better risk management and operational efficiency.
What is CECL validation?
The main goal of CECL model validation is to verify the accuracy and reliability of the model used to estimate credit losses, whether developed internally or by a third party. Explore factors critical for maintaining financial reporting integrity and regulatory compliance.
Governance
This involves examining the documentation, internal controls, and processes surrounding the CECL model and reporting. It includes reviewing formal documentation, internal control frameworks, and management and governance oversight.
Model selection
This evaluates the appropriateness and supportability of the selected model's assumptions and methodologies. It includes assessing model methodology, asset segmentation, appropriate use of peer data, and qualitative factors.
Critical components of appropriate model selection are the complexity of the financial asset portfolios and the degree to which the model is understood by management and governance.
Validation of inputs / recalculation of outputs
This involves testing and independently recalculating model inputs and outputs to verify accuracy. It includes verifying model inputs, accurate and logical segmentation, adjustments, outputs and overall design and construction. This also includes identification of any model limitations, and key assumptions used by the model.
Outcome
An effective CECL model validation helps determine whether the model design and construction are conceptually sound, performing as intended, and compliant with generally accepted accounting principles (GAAP) and industry standards.
What is an internal audit?
The primary goal of an internal audit is to evaluate the effectiveness of your institution’s internal controls, risk management (including model risk), and governance processes. Internal audits provide an independent assessment of your institution's operations and help identify areas for improvement.
Operational efficiency
Internal audits review processes and procedures to confirm they are efficient and effective. This includes assessing the design and operating effectiveness of internal controls.
Compliance
Internal audits help your institution adhere to laws, regulations, and internal policies. Testing includes reviewing processes and controls for compliance with GAAP, industry standards, and internal policies.
Risk management
Internal audits assess the identification, measurement, and management of risks. This includes evaluating your institution’s model risk management framework and practices.
Outcome
Internal audits provide an independent assessment of your institution’s operations and controls, identifying improvement areas. This helps keep internal controls and risk management processes effective and aligned with regulatory requirements.
What are the differences?
CECL model validation is specifically focused on the accuracy and reliability of the CECL model, while internal audits evaluate the overall effectiveness of internal controls and risk management processes.
Focus areas
There is an element of recalculation in evaluating the operational effectiveness of internal controls. In an internal audit, the auditor may test the mathematical accuracy of the calculation based on a wide range of assumptions used. A validation will go a step further to challenge and validate those assumptions.
Key assumptions to be validated vary by model and methodology selected, but often include qualitative adjustments, indices referenced in forecasts, prepayment speeds and other average life inputs, peer group data, and utilization rates on unfunded commitments.
Outcome
CECL model validation tests the inputs and assumptions driving the model to determine whether the CECL model is functioning as intended, while internal audits provide an independent assessment of your institution’s operations and controls.
Management should adopt a risk assessment that carefully considers the differences between model validations and internal audits. While it’s important to consider the Guidance on Model Risk Management, there’s intentional subjectivity in determining when, and how frequently, a risk assessment should call for an internal audit versus a model validation. Management should define a cadence in performing both functions and align it with the institution’s risk assessment.
Consult your external auditors and regulators throughout the risk assessment process. The risk assessment should incorporate considerations like:
- Changes in the model selection or economic environment
- Size and complexity of the institution and the model itself
- Whether the model is internally developed or developed and validated by a third party
- Degree to which the calculation and internal controls are relied on in financial statement audits
- Results of prior period internal audits and validations
Third-party model validation vs. user model validation
To the extent the selected model is developed and validated by a third party, it’s important to understand the differences between validations obtained by third-party vendors (certifications for purposes of this topic) and those conducted by the users of the models (validations for purposes of this topic).
When the institution uses a third-party model, that third-party service provider should provide an independent, external certification verifying the model’s underlying methodologies and mathematics are:
- Accurate
- In line with GAAP and industry standards
- Consistent with the vendor documentation
This certification should not be considered a validation of the institution’s application of the model, as these models are highly dependent on user input and should be customized by management based on institution-specific portfolios and policies.
All models, whether developed internally or by a third party, require a validation separate from the certification.
How CLA can help with CECL processes
CLA’s financial services group has experienced professionals ready to assist in both internal audits and validations of your CECL processes and models. We’re also available to support you in the risk assessment process to help determine an appropriate cadence for performing each.