Discover the Crucial Role of Internal Audit of ECL Models

Why internal audit of ECL matters for IFRS 9 reporters

IFRS 9 requires entities to estimate expected credit losses using models, judgement and forward-looking information. Those estimates influence provisioning, capital, profitability and disclosure. Internal audit provides independent assurance that the ECL methodology, historical data and calibration, model implementation and controls are robust and that the Accounting Impact on Profitability has been appropriately assessed and communicated to stakeholders.

Regulatory and stakeholder expectations

Regulators and external auditors expect robust governance and documented controls around ECL. Internal audit fills a critical role by validating the institution’s control environment, testing model governance and checking that Risk Committee Reports reflect model strengths and limitations. A proactive internal audit reduces the likelihood of regulatory findings, restatements or adverse audit opinions.

Core concept: What is internal audit of ECL?

Internal audit of ECL is an independent function that assesses whether an entity’s ECL framework is complete, implemented correctly, and operating effectively. The review covers governance, model design (ECL Methodology), inputs (including Historical Data and Calibration), assumptions and outputs, plus reporting and disclosures under IFRS 7.

Key components of an internal audit review

• Governance and model ownership: Verify roles and responsibilities, escalation paths and change controls.
• Model methodology review: Assess whether the chosen methodology (12-month vs lifetime, staging rules, PD/LGD/EAD estimation) is appropriate and documented.
• Data lineage and calibration: Trace historical data sources, check treatment of outliers, segmentation logic and calibration routines.
• Sensitivity Testing and validation: Confirm that sensitivity testing is performed on key assumptions and that results are used in governance and disclosures.
• System implementation and reconciliations: Test reconciliations between model outputs, accounting systems and financial statements.
• IFRS 7 Disclosures and reporting: Ensure disclosures match model outcomes and describe key judgements and uncertainties.

Example: a focused review on calibration

Practical example — an internal audit team selects calibration of Probability of Default (PD) for commercial loans. Steps include: obtain source data for at least 5–10 years, reproduce vintage analysis, confirm segmentation (industry, rating grade, exposure age), re-run calibration and compare resulting PD curves to those used in production. Deviations >15% require explanation and remediation. This approach ensures Historical Data and Calibration are appropriate and defensible.

Practical use cases and scenarios for internal auditors

1. Year-end ECL assurance

Objective: provide assurance that year-end ECL balances are complete and correct. Activities include model run reconciliations, reasonableness checks of macroeconomic scenarios and review of manual overrides. Internal audit should verify the Accounting Impact on Profitability by comparing current-year allowances to prior expectations and explaining material movements to the Audit Committee.

2. Post-model change review

When models are updated (new segmentation, revised LGD models), internal audit performs change control testing: review approvals, back-testing results, and validate deployment to production. Documented change logs and sign-offs are required to demonstrate governance.

3. Thematic reviews: Sensitivity Testing and scenario analysis

Run targeted sensitivity testing: stress GDP, unemployment and interest-rate paths to show impact on ECL. Internal audit should evaluate whether management’s stress scenarios are plausible and whether results are captured appropriately in Risk Committee Reports.

4. Coordination with external stakeholders

Internal audit should coordinate with external audit and risk teams to avoid duplication. This coordination helps streamline evidence provision and clarifies expectations about scope and timing of reviews — particularly ahead of the external audit of ECL.

Impact on decisions, performance and reporting

An effective internal audit function reduces model risk, supports more accurate provisioning and improves management decision-making. Key impacts include:

• Improved accuracy and defensibility of ECL estimates, reducing surprise provisioning hits.
• Stronger governance and fewer control deficiencies, which lowers audit fees and regulator scrutiny.
• Clearer IFRS 7 Disclosures that build investor confidence about the quality of credit risk estimates.
• Better-informed Risk Committee Reports that influence capital planning, pricing and provisioning policy.

Example: profitability and provisioning trade-offs

Consider a mid-size bank that found through internal audit that an incorrect LGD segmentation understated lifetime losses. Correcting this increased ECL by $12m and reduced pre-tax profit by 2.6% for the quarter. Early detection allowed management to explain the impact to the board, adjust pricing in new originations and update stress tests.

Common mistakes in internal audit of ECL and how to avoid them

1. Limited scope restricted to documentation: Avoid reviews that only check paperwork. Include substantive model re-performance and data reconciliation steps.
2. Insufficient testing of assumptions: Perform Sensitivity Testing on core assumptions (PD, LGD, macro weights) and ensure results inform disclosures.
3. Poor data lineage and weak calibration checks: Validate Historical Data and Calibration end-to-end and ensure version control for datasets.
4. Lack of coordination with risk and accounting: Align audit timing with risk model validation and accounting close to reduce rework and contradictory findings.
5. No follow-through on remediation: Track remediation items and verify fixes in subsequent reviews; don’t close issues prematurely.

How to address resource limitations

If internal audit capacity is limited, adopt a risk-based approach: prioritize high-impact portfolios, perform rotating deep dives, and leverage sampling and automated tests. When specialized model expertise is needed, consider co-sourcing or specialist secondments.

Practical, actionable tips and a checklist

Use this checklist as a baseline for internal audit engagements on ECL:

• Scoping: confirm portfolios in-scope, materiality thresholds and objectives.
• Governance: verify model inventory, owner sign-off, change logs and approval evidence.
• Methodology: assess ECL Methodology documentation and alignment with IFRS 9 principles.
• Data: validate source systems, completeness checks, handling of missing data and outlier treatment.
• Calibration & back-testing: reproduce calibrations, perform vintage analysis and back-test model outputs against actual defaults.
• Sensitivity Testing: run +/- scenarios on PD/LGD/EAD and macro assumptions and assess disclosure adequacy.
• Systems and controls: test reconciliations, access controls and automated calculations in production systems.
• Disclosures: confirm IFRS 7 Disclosures are consistent, transparent and describe key uncertainties.
• Remediation tracking: provide a remediation plan and agree timelines with model owners.

Practical tip: maintain a reusable workpaper template that captures evidence, re-performance steps and sign-offs; this reduces audit lead-time each period and standardizes conclusions. For additional practical resources, internal auditors often use ECL implementation checklists to structure assignments and ensure coverage.

Internal audit teams can also benefit from automated tooling; consider vendor solutions and bespoke scripts to speed sample selection, run reproducibility tests and capture evidence. For a curated list of digital aids, review typical ECL internal audit tools used in the market.

When designing test procedures, align them with the organisation’s model validation function and reference documented ECL modeling best practices to ensure consistency between independent assurance and model development teams.

KPIs and success metrics for internal audit of ECL

• Number of high-priority model control findings per year (target: decreasing trend)
• Average time to remediate audit findings (target: within agreed SLA, e.g., 90 days)
• Coverage of material portfolios (%) reviewed annually (target: 100% on a rolling basis)
• Re-performance variance between internal audit and production ECL outputs (target: within tolerance, e.g., ±5%)
• Number of material disclosure adjustments identified pre-financial statements (target: zero post-internal audit)
• Stakeholder satisfaction scores from finance/risk on audit approach and usefulness

FAQ

Reference pillar article

This article is part of a cluster supporting the broader discussion in The Ultimate Guide: The role of risk management in applying IFRS 9, which explores the partnership between risk teams and accounting in ECL calculation and governance.

Closing: the evolving audit landscape

Internal audit’s role in ECL is evolving: increasing model complexity, demand for transparent IFRS 7 Disclosures, and heightened regulatory scrutiny mean audit teams must combine data skills, model understanding and accounting awareness. The interplay with external assurance — including coordination around the external audit of ECL and technical reviews such as auditing ECL models — is critical to deliver comprehensive assurance. Strengthening internal controls and documentation, particularly around internal controls over ECL, will reduce findings and improve financial statement reliability.

Looking forward, the future of ECL auditing will likely include greater automation, expanded use of scenario libraries and more integrated assurance across risk, finance and audit functions to provide faster, higher‑quality evidence.