
In the post-Basel III environment, interest rate risk in the banking book (IRRBB) has emerged as one of the most significant sources of financial and capital volatility for banks. Under the Basel Framework, IRRBB refers to the current or prospective risk to a bank’s capital and earnings arising from adverse movements in interest rates that affect the bank’s banking book positions. Unlike trading-book risks, which are exposed to daily market price fluctuations, IRRBB reflects a slower and more structural exposure within the banking book. It stems from timing differences in how a bank’s assets, liabilities and off-balance-sheet positions respond to interest rate changes.
IRRBB exposures have the potential to affect both the future path of interest income and the present value of the bank’s balance-sheet positions. Consequently, IRRBB influences two critical measures: net interest income (NII), which reflects the short-term earnings impact, and the economic value of equity (EVE), which represents the long-term capital effect. Because IRRBB exposures affect both profitability in the statement of profit and loss and the amount of capital in the balance sheet, they sit at the intersection of strategic balance-sheet management, capital adequacy, and long-term financial planning in modern banking.
Acting as a third line of defense, internal audit can play a pivotal role in providing assurance that the IRRBB model and measurement framework capture all material interest-rate sensitivities, perform expected calculations accurately, and produce consistent, reliable and insightful outputs within a sound governance structure. Reflecting this, the Basel Framework explicitly requires banks to subject their IRRBB measurement processes, including the underlying IRRBB models, to independent audit review.
This article explores how internal auditors can effectively assess IRRBB models and highlights some key practical considerations that auditors may take into account throughout their audit processes.
Six Critical Dimensions
Auditing the IRRBB model can typically be divided into six dimensions that together determine whether the bank’s IRRBB measurement framework is accurate, reliable, and compliant with supervisory expectations.
1) Model Governance
Since governance is the backbone of sound model risk management, internal audit should corroborate whether roles and responsibilities for IRRBB model development, validation, usage and oversight are clearly defined and effectively segregated. Accordingly, audit procedures can verify that the “three lines of defense” are operationalized in the context of IRRBB and that reporting lines between risk-taking and control functions are segregated. Evidence of such effective governance can be drawn from the review of IRRBB policies, charters, and minutes confirming that segregation of duties is in place and that the IRRBB model is sufficiently and independently challenged by individuals who are responsible for overseeing the risk management practices (for example, the Risk Management Department or Risk Committee).
In addition, internal auditors should check whether policies and procedures provide adequate guidance on the model’s design, assumptions, and limitations. Internal auditors should also verify that a detailed procedural document exists, clearly outlining step-by-step instructions on how the model is to be used in practice.
2) Data Input
IRRBB audits should cover the accuracy and completeness of the input data. As such, auditors should confirm that the bank’s IRRBB perimeter correctly defines which instruments are interest-rate sensitive. This can include verifying that data from key systems such as core banking, ALM, and treasury platforms are accurately fed into the IRRBB model.
Furthermore, internal auditors should have a robust understanding of the end-to-end data flow. When it is deemed necessary, internal audit may consider performing a reconciliation between source systems and model inputs to ensure completeness. For example, auditors can trace term deposits, loan portfolios, or swap positions from general ledger accounts into the IRRBB model. Where the input data requires manual adjustments, internal audit should evaluate whether there are effective data quality checks in place.
These steps establish confidence that the model’s input data is both accurate and representative of the bank’s true IRRBB exposures.
3) Assumptions and Scenarios
When auditing IRRBB models, it is essential to recognise that the reliability of the outputs depends heavily on the assumptions and scenarios embedded within the model. These include behavioral, market, and modelling assumptions, as well as the interest rate scenarios used to measure both economic value and earnings sensitivity. The internal auditor’s role is not only to confirm that the assumptions are documented and approved, but also to perform a sense check to ensure that they are reasonable, consistently applied, and aligned with the market conditions and regulatory requirements. Likewise, scenario design should be sufficiently comprehensive, covering both regulatory and internally defined shocks.
A model may be technically sound, but if the assumptions and scenarios are weak, outdated, or insufficiently justified, the resulting risk metrics can lead to a false sense of security for management and supervisors.
4) Data Output
The data output dimension concerns the reliability and integrity of IRRBB model outputs and how they are communicated through management reporting.
Accordingly, internal auditors should confirm that IRRBB results covering both EVE and NII perspectives are produced at the expected frequency and reported through established governance channels.
Furthermore, audit work should verify that the IRRBB model is capable of providing sufficient and granular information to its users, including key risk metrics and their status against both internal and regulatory limits according to different scenarios, counterparty characteristics, time buckets and currencies.
Additionally, internal auditors should assess whether the model is capable of flagging any breaches of established thresholds and verify that there are robust processes for escalating, discussing, and tracking IRRBB breaches through to resolution.
5) Model Validation Activities
Validation represents the cornerstone of assurance over IRRBB frameworks. Internal audit should assess both the design and execution of the bank’s validation activities to confirm they are sufficiently comprehensive, independent, and proportionate to model risk.
As an initial procedure, it is essential for internal audit to confirm that validation is performed by a function that is independent from the model owners and risk-taking activities, as independence is what protects the validation process from self-review bias and ensures that model weaknesses are appropriately identified and reported.
In addition, audit procedures should review validation documentation and confirm that methodologies and coverage are conceptually satisfactory. When reviewing the methodology and coverage of the IRRBB validation process, internal audit should assess whether the techniques applied are sound and aligned with both regulatory expectations and the bank’s balance-sheet profile. This may include verifying that the validation covers key components such as assumptions, data transformations and scenario design. Internal audit should also confirm that validation challenges the full model lifecycle from input files to output files rather than selectively testing only areas that are easy to understand or evidence. Ultimately, the objective is to determine whether the validation approach is capable of detecting model weaknesses in practice, rather than simply confirming that the model runs.
Finally, internal audit should assess whether validation findings are properly classified, escalated, and remediated. High-impact findings should show evidence of appropriate verification before closure, ensuring that recurring issues are systematically tracked and addressed. The goal is not merely to confirm that validation exists, but to ensure it meaningfully challenges model design, usage, and performance.
6) Use of Third Parties in Development or Validation
Given the increasing reliance on external vendors for IRRBB model development, calibration, or validation, internal audit should evaluate how third-party involvement is governed.
As such, internal auditors should confirm that vendor relationships are formalized through contracts defining scope, deliverables, confidentiality obligations, and independence criteria. IRRBB audit should also verify that management conducts appropriate due diligence before engaging external providers, assessing both technical competence and regulatory awareness.
Where external consultants contribute to model development, changes or recalibration, internal audit should confirm that their work is understood, independently reviewed and integrated into the bank’s risk management and governance framework.
IRRBB as a Strategic Activity
In today’s banking, IRRBB is no longer a narrow technical and quantitative risk management exercise of a particular department. Rather, it is a strategic activity that connects balance-sheet management, capital planning, risk management, regulatory compliance and analytics.
Accordingly, the role of internal audit is not limited to checking numerical accuracy and confirming the existence of certain documentation but extends to providing an independent challenge over model governance, model design, data integrity and strategic use of IRRBB outputs. By embedding these considerations into their work, internal audit functions can reinforce confidence in their banks’ ability to manage interest rate risks in an increasingly volatile and regulated environment, positioning the internal audit function as a trusted advisor rather than a compliance checkpoint.
Mert Ozbilgin works as a senior regulatory advisor in a bank in Malta.

