Internal Audit Checklists for Derivative Programs
Internal audit provides independent assurance that derivative trading controls are operating effectively. Audit programs should cover governance, risk management, operations, and compliance across the derivative lifecycle. Regular audits identify control weaknesses before they result in losses or regulatory findings.
Definition and Key Concepts
Audit Scope
| Area | Focus |
|---|---|
| Governance | Board oversight, policies, limits |
| Front office | Trading, limit compliance, authorization |
| Middle office | Valuation, risk measurement, P&L |
| Back office | Confirmation, settlement, reconciliation |
| Compliance | Regulatory reporting, position limits |
| Technology | System controls, access management |
Audit Frequency
| Risk Level | Frequency | Scope |
|---|---|---|
| High risk | Annual | Comprehensive |
| Medium risk | 18-24 months | Standard |
| Low risk | 24-36 months | Targeted |
| Continuous | Ongoing | Automated monitoring |
Audit Standards
| Standard | Application |
|---|---|
| IIA Standards | Internal audit methodology |
| COSO Framework | Internal control evaluation |
| COBIT | IT control assessment |
| Regulatory guidance | OCC, Fed, SEC requirements |
How It Works in Practice
Governance Audit
Board and senior management oversight:
| Control | Testing Procedure |
|---|---|
| Board approval of policies | Review board minutes for policy approval |
| Risk appetite statement | Verify it is documented and current |
| Limit structure | Confirm limits align with risk appetite |
| Management reporting | Review frequency and content of reports |
| Escalation procedures | Test escalation for limit breaches |
Policy and procedure review:
| Document | Audit Objective |
|---|---|
| Derivatives policy | Current, approved, comprehensive |
| Trading procedures | Documented, followed |
| Valuation policy | Independent, appropriate methodology |
| Collateral policy | Documented, enforced |
| New product approval | Process exists and is followed |
Front Office Audit
Trading controls:
| Control | Testing Procedure |
|---|---|
| Trade authorization | Sample trades for proper approval |
| Limit monitoring | Verify real-time limit checking |
| Limit breach handling | Test escalation process |
| Segregation of duties | Confirm front/back office separation |
| Voice recording | Verify recording and retention |
Sample testing:
| Test | Sample Size | Pass Criteria |
|---|---|---|
| Trade authorization | 25 trades | 100% authorized |
| Limit compliance | All breaches | Proper escalation |
| Trade capture | 50 trades | 100% accurate |
| Confirmation timeliness | 30 trades | Within SLA |
Middle Office Audit
Valuation controls:
| Control | Testing Procedure |
|---|---|
| Independent pricing | Verify front office does not control inputs |
| Market data sources | Confirm approved vendors |
| Model validation | Review validation status |
| Price verification | Test sample valuations |
| Valuation adjustments | Review reserve methodology |
Risk measurement:
| Control | Testing Procedure |
|---|---|
| VaR calculation | Verify methodology and inputs |
| Stress testing | Review scenarios and frequency |
| Greeks calculation | Test accuracy against benchmarks |
| P&L attribution | Verify explained vs. unexplained |
| Limit monitoring | Confirm timely reporting |
Back Office Audit
Settlement and reconciliation:
| Control | Testing Procedure |
|---|---|
| Trade confirmation | Test confirmation matching rate |
| Settlement instructions | Verify SSI accuracy |
| Reconciliation | Review break aging and resolution |
| Collateral management | Test margin call process |
| Nostro reconciliation | Review outstanding items |
Worked Example
Derivatives Program Audit
Audit scope:
- Trading desk: Interest rate derivatives
- Volume: $50B notional, 5,000 trades annually
- Risk level: High
- Audit period: Annual
Planning phase:
| Activity | Duration | Deliverable |
|---|---|---|
| Risk assessment | 1 week | Risk matrix |
| Scope definition | 3 days | Audit scope memo |
| Resource allocation | 2 days | Team assignment |
| Notification | 1 day | Audit notification |
Fieldwork schedule:
| Area | Duration | Auditor |
|---|---|---|
| Governance | 1 week | Senior auditor |
| Front office | 2 weeks | Senior auditor |
| Middle office | 2 weeks | Staff auditor |
| Back office | 1 week | Staff auditor |
| IT controls | 1 week | IT auditor |
| Compliance | 1 week | Compliance auditor |
Sample testing results:
| Test Area | Sample | Exceptions | Rate |
|---|---|---|---|
| Trade authorization | 50 | 2 | 4% |
| Confirmation timeliness | 40 | 5 | 12.5% |
| Valuation accuracy | 30 | 1 | 3% |
| Limit compliance | 100% | 3 breaches | N/A |
| Reconciliation breaks | All | 15 aged | N/A |
Findings:
| Finding | Severity | Recommendation |
|---|---|---|
| Confirmation delays | Medium | Automate matching |
| Authorization gaps | Medium | Enhance approval workflow |
| Aged reconciliation items | Low | Accelerate resolution |
| Model validation overdue | Medium | Complete validation |
| Limit breach documentation | Low | Standardize forms |
Rating:
| Area | Rating |
|---|---|
| Governance | Satisfactory |
| Front office | Needs improvement |
| Middle office | Satisfactory |
| Back office | Needs improvement |
| IT controls | Satisfactory |
| Overall | Needs improvement |
Management action plan:
| Finding | Action | Owner | Due Date |
|---|---|---|---|
| Confirmation delays | Implement auto-matching | Operations | Q2 |
| Authorization gaps | Deploy approval system | Technology | Q2 |
| Aged items | Weekly escalation | Operations | Q1 |
| Model validation | Complete validation | Risk | Q2 |
| Breach documentation | New template | Compliance | Q1 |
Risks, Limitations, and Tradeoffs
Audit Risks
| Risk | Description | Mitigation |
|---|---|---|
| Sampling risk | Miss material issues | Risk-based sampling |
| Timing risk | Controls changed | Continuous auditing |
| Expertise gap | Technical complexity | Specialized training |
| Independence | Business pressure | Audit committee reporting |
Common Findings
| Finding | Frequency | Impact |
|---|---|---|
| Documentation gaps | High | Medium |
| Limit breach handling | Medium | High |
| Valuation issues | Medium | High |
| Confirmation delays | High | Medium |
| Segregation weaknesses | Low | High |
Regulatory Expectations
| Regulator | Expectation |
|---|---|
| OCC | Annual audit of derivatives |
| Fed | Comprehensive audit coverage |
| SEC | Internal control assessment |
| CFTC | Registered entity audits |
Checklist and Next Steps
Pre-audit planning checklist:
- Update risk assessment
- Define audit scope
- Assign audit team
- Notify auditees
- Request documentation
- Schedule interviews
Governance audit checklist:
- Review board minutes
- Assess policy adequacy
- Evaluate limit structure
- Test management reporting
- Verify escalation procedures
- Review committee structure
Front office audit checklist:
- Test trade authorization
- Verify limit monitoring
- Review breach handling
- Assess segregation of duties
- Test voice recording
- Evaluate trader controls
Middle office audit checklist:
- Test independent pricing
- Verify market data sources
- Review model validation
- Test valuation accuracy
- Assess risk measurement
- Review P&L attribution
Back office audit checklist:
- Test confirmation matching
- Verify settlement accuracy
- Review reconciliation process
- Test collateral management
- Assess break resolution
- Evaluate SSI maintenance
Reporting checklist:
- Document findings
- Assign severity ratings
- Develop recommendations
- Obtain management response
- Issue final report
- Track remediation