CP10 (Full Document) - European Banking Authority
· Development of internal processes for identifying, assessing,
monitoring, controlling, and mitigating operational risk; and
· Implementation of new products, processes, and systems which
expose the institution to material operational risk.
490. Internal Audit activity should also cover issues such as the adequacy
of the IT infrastructure, data collections, and data maintenance.
Specific tests should be performed in order to check the data input
process.
491. Internal Audit functions should be staffed by individuals possessing
the requisite skills and experience. It is important that they be
familiar with the institution’s strategy and its processes for
identifying, assessing, monitoring, controlling, and mitigating
operational risk.
492. Some cooperation between Internal Audit and the ORMF is
permissible, especially in some operational risk-related activities and
processes where Internal Audit’s experience and skills are well
developed (for example, analysis of processes, loss data collections,
risk and control assessments, etc.). However, cooperation with the
ORMF should not jeopardise the independence of Internal Audit.
Whatever advice or information may be provided by Internal Audit,
designing, implementing, and updating the operational risk
framework remains the exclusive responsibility of the ORMF, and
Internal Audit should not be involved in day-to-day operational risk
activities.