SECTION 3 Audit and internal validation
Competent authorities shall assess the degree to which an institution's audit and internal validation functions confirm that the operational risk management and measurement processes implemented for AMA purposes are reliable and effective in managing and measuring operational risk within the organization by verifying at least the following:
that the internal validation function provides a reasoned and well-informed opinion on whether the operational risk measurement system works as predicted, and that the outcome of the model is suitable for its various internal and supervisory purposes, at least on annual basis;
that the audit function verifies the integrity of the operational risk policies, processes and procedures, assessing whether these comply with regulatory requirements as well with established controls, at least on annual basis and in particular, that the audit function assesses the quality of the sources and data used for operational risk management and measurement purposes;
that the functions of audit and internal validation have a review program in place that covers the aspects of the AMA included in this Regulation and is regularly updated with regard to:
the development of internal processes for identifying, measuring and assessing, monitoring, controlling and mitigating operational risk;
the implementation of new products, processes and systems which expose the institution to material operational risk.
that the internal validation is carried out by qualified resources, which are independent of the validated units;
that where audit activities are carried out by internal or external audit functions or qualified external parties, these are independent of the process or system being reviewed and, where these are outsourced, that the management body and senior management of the institution remain accountable for ensuring that outsourced functions are performed in accordance with the institutions' approved audit plan;
that the audit and internal validation reviews on the AMA framework are properly documented and their output is distributed to the appropriate recipients within the institutions, including, where appropriate, the risk committees, operational risk management function, business line management and other relevant staff;
that the results of the audit and internal validation reviews are summarised and reported on at least an annual basis to the institution's management body or to a committee designated by it for approval;
that the review and approval of the effectiveness of the institution's AMA framework is undertaken at least on an annual basis.