Auditing Liquidity Risk

Management for Banks

2nd Edition

Supplemental Guidance | Practice Guide

FINANCIAL SERVICES
About the IPPF
The International Professional Practices Framework®
(IPPF®) is the conceptual framework that organizes
authoritative guidance promulgated by The IIA for internal
audit professionals worldwide.

Mandatory Guidance is developed following an

established due diligence process, which includes a
period of public exposure for stakeholder input. The
mandatory elements of the IPPF are:

• Core Principles for the Professional Practice of

Internal Auditing.
• Definition of Internal Auditing.
• Code of Ethics.
• International Standards for the Professional
Practice of Internal Auditing.
Recommended Guidance includes Implementation and
Supplemental Guidance. Implementation Guidance is
designed to help internal auditors understand how to apply
and conform with the requirements of Mandatory Guidance.

About Supplemental Guidance

Supplemental Guidance provides additional information, advice, and best practices for providing internal
audit services. It supports the Standards by addressing topical areas and sector-specific issues in more
detail than Implementation Guidance and is endorsed by The IIA through formal review and approval
processes.

Practice Guides
Practice Guides, a type of Supplemental Guidance, provide detailed approaches, step-by-step processes,
and examples intended to support all internal auditors. Select Practice Guides focus on:

• Financial Services.
• Public Sector.
• Information Technology (GTAG®).
For an overview of authoritative guidance materials provided by The IIA, please visit www.theiia.org.

theiia.org
Contents

Executive Summary.................................................................................................................................. 2

Introduction ............................................................................................................................................. 3

Business Significant Risks ......................................................................................................................... 5

Key Principles for the Management and Supervision of Liquidity Risk ..................................................... 7
Governance of Liquidity Risk Management .................................................................................................... 7
Three Lines Model and Liquidity Risk Management ...................................................................................... 7
Liquidity Risk Appetite and Risk Tolerance ................................................................................................... 10

Measurement and Management of Liquidity Risk .................................................................................. 11

Public Disclosure .................................................................................................................................... 15

The Role of Supervisors.......................................................................................................................... 16

Appendix A. Relevant IIA Standards and Guidance ................................................................................ 18

Appendix B. Glossary ............................................................................................................................. 19

Appendix C. Basel Framework Principles for the Management and Supervision of Liquidity Risk .......... 21

Appendix D. Sample Liquidity Risks and Controls ................................................................................... 23

Appendix E. References ......................................................................................................................... 25

Acknowledgements ............................................................................................................................... 26

1 — theiia.org
Executive Summary

Banking supervisors1 consider liquidity to be a pillar of a robust and solvent financial sector. Supervisory
principles hold boards accountable for an organization's liquidity adequacy assessment. Those principles
advocate a relevant and active internal audit role in assessing an organization's liquidity risk management
(LRM) process.

To assure the institution's senior management and board that liquidity management is aligned to the
business strategy and risk appetite, internal auditors need an approach that fulfills internationally
supported standards and local regulations. The IIA's International Standards for the Professional Practice
of Internal Auditing (Standards) and the Three Lines Model clarify the role of the internal audit activity in
providing this independent assurance.

Regulators review and evaluate banks based on procedural and methodological tools, including specific
metrics and mandatory reporting. Each financial institution's liquidity risk management framework is a
crucial contributor to the health of the entire financial system and economy.

This practice guide gives an overview of international standards and best practices of LRM, including the
use of an LRM framework. It describes the organizational roles and responsibilities related to liquidity
governance, risk management, control, and monitoring processes. These include the internal audit
activity's role as the provider of independent assurance over the quality and effectiveness of those
processes. Due to the complexity of the subject, internal auditors should review whether they have the
necessary knowledge, skills, and experience to undertake LRM audit activities, as noted in the
Competency Rule of Conduct in The IIA’s code of Ethics.

1. In this practice guide, the terms “banking supervisor” and “supervisor” refer to a responsible authority with the necessary legal
powers to authorize banks, conduct ongoing supervision, address compliance with laws, and undertake timely corrective actions to
address safety and soundness concerns. Adapted from Basel Committee on Banking Supervision. Core Principles for Effective
Banking Supervision (Basel, Switzerland: Bank for International Settlements, 2012).

2 — theiia.org
Introduction

The central bank governors of the Group of Ten countries

Note
(G10) established the Basel Committee on Banking
Supervision in 1974. The G10 formed the Basel Terms in bold are defined in the
Committee to enhance financial stability by improving the Glossary in Appendix B.
quality of banking supervision worldwide. It also serves as
a forum for its 45 member countries for regular cooperation on banking supervisory matters. The Basel
Committee issued an initial capital adequacy framework in 1988, and it continues to revise and
supplement the internationally recognized framework to strengthen the banking sector's regulation,
supervision, and risk management.

However, liquidity risk was not well regulated before the financial crisis that began in 2007. Because of
weak liquidity management, many banks had difficulties rolling over funding to support lending activities
or maintain positive cash flows, despite having capital levels that complied with regulatory ratios then in
effect. As the commercial paper market froze, the banking system came under severe stress, and banks
were unable to trade or sell assets that had been liquid previously. The crisis brought to the forefront
liquidity's important role in the healthy functioning of the banking sector, financial markets, and the
greater economy.

In response, the Basel Committee reformed its standards and principles related to capital adequacy and
liquidity risk management. Known as the Basel Framework, the comprehensive set of reform measures
aimed to improve the banking sector's ability to absorb shocks arising from financial and economic stress,
strengthen banks' transparency and disclosures, and improve risk management and governance.2

Specific to the global liquidity standard, the Basel Framework issued a common set of supervisory
monitoring metrics, the liquidity coverage ratio (LCR) 3, the net stable funding ratio (NSFR)4, and a
guidance document for LRM, Principles for Sound Liquidity Risk Management and Supervision. The 17
internationally recognized principles for managing and monitoring liquidity risk, which are listed in
Appendix C, are grouped into five main categories that form the subsections of this guidance:

1. Key principles for the management and supervision of liquidity risk.

2. Governance of liquidity risk management.
3. Measurement and management of liquidity risk.
4. Public disclosure.

2. Basel Committee. International framework.

3. Basel Committee. Liquidity Coverage Ratio.
4. Basel Committee. Stable funding ratio.

3 — theiia.org
5. The role of supervisors.

Many banking systems have implemented and maintained Basel Framework requirements — taking into
account the requirements of their jurisdictions. In addition, many countries have created their own
adaptations of its liquidity standards and measures. Internal auditors should be aware of any variations
their organization has chosen, or is required to follow, regarding the Basel Framework’s LRM defined
practices. For example, a bank may differ in approach to LRM based upon its on- and off-balance sheet
obligations. Even when the organization does not follow the Basel Framework strictly, internal auditors
can refer to this guide's principles and best practices.

The internal audit activity assures senior management and the board that the LRM processes effectively
meet the organization's regulatory obligations and liquidity needs. However, fulfilling regulatory
obligations is only a foundation for sound LRM.

Much broader than assuring compliance with regulations, the internal audit activity's role is linked to the
organization's strategy and objectives (Standard 2200 – Engagement Planning). The internal audit activity
provides assurance and advice regarding managing those risks that threaten the organization's ability to
achieve its objectives. It assures senior management and the board that the LRM framework aligns with
the bank's strategy and risk appetite, and that LRM processes operate effectively as designed. In an ever-
changing global economic environment where technology, inflation, war, political unrest, and fraud
continue to rapidly move financial markets, an effective LRM framework is crucial to maintaining stability
in the banking sector.

4 — theiia.org
Business Significant Risks

To properly manage their organization's risks, employees must understand the terminology associated
with risk management, compliance, and internal auditing. One tool to communicate risk information
across organizations is a risk framework. The IIA's Financial Services Guidance Committee has developed a
comprehensive risk framework specifically for financial services organizations. This risk framework,
depicted in Figure 1, illustrates the significant areas of risk applicable to the financial services industry
globally.

Figure 1. The IIA's Financial Services Risk Framework

Source: The Institute of Internal Auditors.

Banking institutions are inherently vulnerable to liquidity risk, one of the significant risk areas in the
Financial Services Risk Framework. As defined in the Principles for Sound Liquidity Risk Management and
Supervision, liquidity is "the ability of a bank to fund increases in assets and meet obligations as they
come due, without incurring unacceptable losses."5

5. Basel Committee. Sound Liquidity Risk Management.

5 — theiia.org
The Basel Committee defines two main types of liquidity risk: funding liquidity risk and market liquidity
risk. Funding liquidity risk is "the risk that the firm will not be able to meet efficiently both expected and
unexpected current and future cash flow and collateral needs without affecting either daily operations or
the financial condition of the firm." Market liquidity risk is “the risk that a firm cannot easily offset or
eliminate a position at the market price because of inadequate market depth or market disruption.” 6 This
guidance refers primarily to funding liquidity risk, because market liquidity risk is more dependent on
outside factors that are unique to each bank.

Funding liquidity risk includes the various risks that could cause a bank to be unable to pay its debts and
obligations when due. For example, banks may be unable to procure sufficient funds under stressed
scenarios, such as inflation rate movement, stock market fluctuations, or delinquency rate changes which
would result in asset flight-to-quality and loss of trading counterparties or creditors. Systemic inability to
convert investments or procure funds can cause a liquidity crisis or a credit crunch, a time in which loans
become difficult to obtain and interest rates increase.

Liquidity risk is unpredictable and challenging to measure for several reasons:

• Cash-flow obligations are uncertain because they depend on external events and entities.
• The likelihood that a liquidity risk event may occur is hard to predict because of secondary risk
events.
• The impact of liquidity risk events can multiply and have wide-ranging adverse effects on the greater
financial system and economy.
• Liquidity risk evolves at a high velocity, which could quickly lead to a tipping point beyond which
recovery is difficult. This could happen even when an organization has not started to suffer loss of
liquidity.
• Changes in financial markets have made financial systems increasingly interconnected, leading to
faster transmission of stress and more complexity in containing the impact.

The internal audit activity plays an essential role in assessing LRM by providing assurance to governing
boards and regulators. Local regulations usually determine the general reporting requirements of banks,
and internal auditors should be aware of the reporting and other regulatory requirements related to
assessing the bank's liquidity adequacy.

Internal auditors also should be aware of the bank’s overall liquidity management framework and
practices, such as the volume of high-quality liquid assets, the amount and type of unencumbered assets,
the contingency funding plan, and stress test results. For example, bank management may be required to
report specific metrics quarterly or monthly, with or without a formal annual report on their internal
liquidity adequacy assessment process. The internal audit activity can add value by understanding and
evaluating the organization's ability to meet the regulatory requirements and adapt to future changes.

6. Basel Committee. Sound Liquidity Risk Management.

6 — theiia.org
Key Principles for the Management and
Supervision of Liquidity Risk

A bank must establish an LRM framework that ensures it can meet its obligations in its day-to-day
operation and during periods of liquidity stress, whether the stress is specific to the individual institution
or systemic throughout the financial system. The goal is to ensure that the institution can deal with
liquidity stress that could cause loss or deterioration of funding sources up to a predetermined risk
appetite or tolerance level. Thus, each bank must maintain an easily accessible buffer of highly liquid
assets at a level that reflects a prudent assessment of its exposures to key liquidity risk drivers. Exposures
to liquidity risk can come from business and funding models, customer and counterparty behavior
characteristics, product design features, and reputations.

The LRM framework must include a defined approach to managing the bank's liquidity risk events in an
orderly fashion aligned with the bank's risk appetite, risk tolerance, and strategic objectives. The
framework should also include a methodology for analyzing internal and external factors to identify,
assess, and manage liquidity risks. The methodology should include descriptions of the indicators, metrics,
and limits that inform and alert management of potential liquidity issues.

Governance of Liquidity Risk Management

Risk management is a fundamental element of sound governance. Successful management of liquidity
risk, like any other area of risk, requires clearly defined roles and responsibilities throughout the
organization. The Basel Framework holds the board accountable for determining that the bank's liquidity
and LRM processes are adequate. The bank's management is responsible for establishing and operating
the risk management framework on behalf of the board.

Three Lines Model and Liquidity Risk Management

As shown in Figure 2, the Three Lines Model differentiates responsibilities to ensure effective risk
management, control, and governance, along with independent assurance. Differentiated roles,
responsibilities, and processes in a clear governance structure support the organization's ability to achieve
its objectives in the context of the social, regulatory, and economic environments.

7 — theiia.org
Figure 2. The Three Lines Model

Copyright © 2020 by The Institute of Internal Auditors, Inc. All rights reserved.

The first line roles refer to operational management primarily responsible for maintaining effective
processes that manage and mitigate liquidity risk in day-to-day business activities. The second line roles
consist of separately established risk policy and control functions that independently monitor and
challenge the first line, ensuring that it operates within the predefined risk tolerance level.

Senior management's asset and liability committee (ALCO) oversees the establishment of policies and
strategy, makes key liquidity risk decisions, and regularly reviews the organization's liquidity risk profile.7
The risk management function reporting to the chief risk officer is typically charged with performing
second line responsibilities. In small or less mature institutions, the board or other types of committees
may perform similar functions. However, internal auditors should recommend in this situation that the
board create a clear delineation of first- and second-line responsibilities as part of good governance.

The ALCO typically reports to the board. Its members should include those with authority over the
business units responsible for executing liquidity-related transactions and other activities within the risk
management process. These roles need to be represented on the committee because they significantly
influence the institution's liquidity strategy.

Examples of such business units include lending, investment securities, and wholesale and retail funding.
Risk management may also validate the ALCO's decisions and the execution of those decisions. In
addition, the Basel Framework guidelines specify requirements for second line roles (risk management,
compliance, and financial functions) to report bank activities to the board regularly.

7. In this practice guide, the term ALCO refers to senior management’s assets and liabilities committee or to a committee or group
charged with similar responsibilities that may have another name.

8 — theiia.org
The third line is the internal audit activity, which provides independent assurance over the processes
implemented by the first line and overseen by the second line. Only the assurance provided by the third
line can be deemed objective and independent. Instead of being directly responsible for any risk
management activities, the internal audit activity independently assesses the adequacy and effectiveness
of the policies and processes applied by the other lines and reports directly to the board without the
influence of management. Such an evaluation includes determining whether the outcomes achieved by
management align with the organization’s mission, objectives, and risk appetite.

The nature and types of these functions depend on many factors, including organizational maturity. In
general, those in the first line role should propose targets that allow the organization to operate within
the defined risk appetite and policy limits. The functions in place to challenge first line targets (for
example, the bank's risk management function) should propose risk appetite and limits for board approval
and ensure that those proposals are appropriately consistent with the bank's risk profile.

The ALCO should review the liquidity risk profile and monitor conformance to the bank's stated risk
appetite. This oversight includes evaluating and reacting to changing market conditions and ensuring that
adequate liquidity and capital resources, as well as robust stress testing programs and contingency plans,
are in place. The board should review and approve the bank's strategy, quality, and risk management
practices at least annually, and must review and ratify any material policy changes. Ultimately, the board
is responsible for ensuring that senior management effectively manages liquidity risks.

To assess the effectiveness of the LRM framework, internal auditors should first understand the bank's
liquidity strategy (Standard 2201 – Planning Considerations). Internal auditors may participate in senior
management committee meetings as nonvoting observers to gain insight into this strategy. Nonvoting
observation enables internal auditors to maintain the independent positioning required by Standard 1110
– Organizational Independence. Internal auditors may observe ALCO meetings and any other risk
management committee and board meetings about liquidity risks to evaluate:

• How the entities work and establish responsibilities.

• Whether the entities are sufficiently informed to make decisions.
• The frequency and content of presentations about liquidity risks.
Internal auditors may review the charters and meeting minutes of the ALCO and any relevant risk
committee(s), as well as management reports and other documents. This review will help them better
understand the liquidity risk management process and the organization’s governance structure, such as
the roles and responsibilities within all levels of management.

Based on their observations and information gathering, internal auditors should identify and document
sufficient, reliable, relevant, and useful information to achieve the engagement's objectives (Standard
2310 – Identifying Information). Additionally, documentation is needed to support the engagement's
results and conclusions (Standard 2330 – Documenting Information).

Although the Basel Framework requirements may seem to give priority to such assessments over the
governance of liquidity risk management, Standard 2110 – Governance applies equally. It requires internal

9 — theiia.org
auditors to assess and recommend improvements to the organization's governance processes in a
number of areas. They include:

• Making strategic and operational decisions.

• Overseeing risk management and control.
• Promoting appropriate ethics and values.
• Ensuring effective performance management and accountability.
• Communicating risk and control information throughout the organization.
• Coordinating the activities of and communicating information among the board, external and internal
auditors, other assurance providers, and management.

Liquidity Risk Appetite and Risk Tolerance

According to the Basel Framework's LRM Principle 3 (see Appendix C), senior management should develop
the strategy, policies, and practices to manage liquidity risk according to the liquidity risk tolerance set by
the board. The board should review and approve the strategy, policies, and procedures at least annually.
Principle 3 also states that the board is ultimately responsible for the liquidity risk exposure assumed by
the bank and how the risk is managed.

Therefore, the board should establish a liquidity risk tolerance that reflects the bank's business objectives,
strategic direction, overall risk appetite, financial condition, funding capacity, and role in the financial
system. The tolerance should ensure that the firm manages its liquidity prudently in steady times to
withstand a prolonged period of stress. Senior management should articulate the risk tolerance so that
the trade-off between risks and profits is clear to all levels of management. The ALCO should continuously
review the bank's liquidity developments and regularly report to the board.

In support of the assessment of the LRM processes (Standard 2120 – Risk Management), internal auditors
should obtain the organization's board-approved risk appetite statement. The statement typically
includes metrics related to monitoring liquidity risk. Internal auditors should look for these metrics and
assess whether they effectively capture the key risks. The statement should describe how management
identifies the key risks the bank might be exposed to and how management sets the risk appetite and
specific liquidity risk tolerance levels. Risk tolerances may be expressed as exposure limits.

Typically, the risk appetite statement includes at least two liquidity metrics during normal conditions and
at least two during stress conditions, and the metrics are embedded in the limit structure. The risk
appetite and liquidity risk tolerances should be integrated into overall liquidity management, including
links to business strategy, risk strategy, internal capital adequacy assessment, and internal liquidity
adequacy assessment.

10 — theiia.org
Measurement and Management of
Liquidity Risk

A bank's liquidity strategy, including policies and procedures for measuring, managing, and controlling
liquidity, should help the bank maintain sufficient sources of liquid funds to meet its funding obligations
as they come due. The strategy, policies, and procedures should be designed to ensure that the bank is
able to fund all obligations across planned time horizons, during both normal operations and under stress
situations such as those caused by extreme internal and external events.

The policies and procedures should also outline appropriate early warning indicators to alert the bank to a
pending liquidity issue. These crises tend to spread quickly, given the rapid dissemination of information
through mass media, social media, and other forms of communication. Measuring liquidity risk based on
timely internal and external information is key to ensuring liquidity issues are identified and addressed in
a timely fashion.

The Basel Framework introduced two minimum standards for measuring adequate funding and liquidity in
stress situations. The liquidity coverage ratio (LCR), shown in Figure 3, was designed to promote the short-
term resilience of a bank's liquidity risk profile by ensuring that the bank has sufficient high-quality liquid
assets (HQLA) to survive a stress scenario lasting 30 days.

The net stable funding ratio (NSFR), shown in Figure 4, was developed to reduce funding risk over a long
time horizon. It requires banks to fund their activities with sufficiently stable sources to mitigate the risk of
future funding stress. The NSFR requires banks to maintain a stable funding profile proportionate to the
composition of their assets and off-balance sheet activities.

Figure 3. Liquidity Coverage Ratio: Global Minimum Standard

11 — theiia.org
Figure 4: Net Stable Funding Ratio

Internal auditors should verify that sound methodology is in place to estimate cash flows and is reflected
in the bank's measurement and management policies and processes. Internal auditors may verify whether
management:

• Has defined liquidity targets for cash and liquidity balances, monitors compliance with the specified
limits, and reports instances of noncompliance to the oversight function.
• Reviews end-of-day liquidity positions and activities and takes actions to address liquidity shortfalls
while abiding by the predefined governance requirements.
• Reports significant balance levels or shortfalls to the oversight committee.
• Monitors and takes action on, when appropriate, early warning indicators regarding the funding
sources and markets.

Internal auditors should also consider how management ensures that liquidity positions and metrics are
accurately computed. Data underlying liquidity monitoring and reporting systems should be assessed for
accuracy. The financial instruments should be correctly classified, and weights and discounts should be
applied consistently with the bank’s framework and applicable regulatory guidance.

Measuring liquidity risk exposure is not enough if the bank does not have a strategy to ensure it
manages the risk exposures appropriately. Good management of information systems, analysis of net
funding requirements under alternative scenarios, diversification of funding sources, and
contingency planning are the building blocks of a sound liquidity strategy. Senior management must
develop and implement an LRM strategy that aligns with the bank's risk appetite and liquidity risk
tolerance to ensure the bank maintains sufficient liquidity. The strategy should consider how
liquidity risk is affected by other risks, such as credit, market, operational, and reputational risks.

The Basel Framework also provides various expectations for an effective LRM strategy:

• Management should apply an LRM framework that requires the projection of cash flows and the
monitoring of risk exposures and funding needs, considering limitations to the transferability of
liquidity.
• The bank should maintain a cushion of unencumbered HQLA that can be readily used without
operational impediments.

12 — theiia.org
• Management should develop and implement a funding strategy that provides effective access to
diversified funding sources and monitors the factors that affect the bank's ability to raise funds.
• Intraday liquidity positions and risks should be actively managed under normal and stressed
conditions to ensure the bank can fulfill financial obligations.
• Early warning indicators should be established to alert the bank of potential concerns. Liquidity crises
can start small but spread quickly once taking hold.
• Collateral positions should be actively managed, with potential collateral calls being included in cash
flow projections and stress testing.
• A range of liquidity stress scenarios should be analyzed regularly: bank-specific, market-wide, and a
combination of both.
• Stress testing results should be reviewed and used to inform decisions to adjust LRM strategies,
policies, and positions.
• Management should develop and regularly test contingency funding plans: conditions for plan
activation, actions procedures, and protocols for addressing liquidity shortfalls in emergencies.

The ALCO is typically at the center of liquidity risk management. The policies and procedures that drive
the ALCO's decisions and the bank's execution of those decisions need to include clear delineations of
authority levels, escalation protocols, limits, and triggers. Internal auditors may evaluate whether the
ALCO adequately reviews and monitors:

• The bank's short-term funding strategies to meet anticipated obligations.

• The bank's liquidity position.
• Internal and external risk factors that could negatively impact the organization's liquidity risk profile.
• Liquidity forecasts and trends by management.
• Activities of the bank's subsidiaries and affiliates and its obligations to help them meet their
contractual obligations.
• Funding and contingency funding plans.
• Results of stress testing.
• Targets or ranges established for liquidity measures.

Liquidity stress testing is an integral component of a comprehensive liquidity risk management program.
It estimates the impact of stress events and management actions on the bank’s cash flows and liquidity
position. Stress scenarios should be customized to capture the bank’s key liquidity risk exposures resulting
from bank-specific business strategies.

For assurance engagements covering the measurement and management of liquidity risk, internal
auditors should determine whether:

• The bank's stress tests and scenarios represent a sufficient variety of bank-specific and market-wide
liquidity risk events.
• The assumptions used in the scenarios are appropriate.

13 — theiia.org
• The bank runs scenarios frequently enough to incorporate timely changes.

Stress testing can involve complex quantitative models, and the internal auditor may not have the
requisite competencies to evaluate the testing assumptions and effectiveness. In these instances,
according to IIA Standard 1210.A1 (related to Proficiency), the chief audit executive must obtain
competent advice and assistance for assurance engagements involving outsourcing the assessment or
employing a subject matter expert or guest auditor.

14 — theiia.org
Public Disclosure

Basel Framework LRM Principle 13 states that a bank should regularly communicate information on its
LRM and liquidity position to the public. Sufficient transparency enables market participants to maintain
an informed opinion on the bank's ability to meet its liquidity obligations, ensuring effective market
discipline.

However, some private banking holding companies do not have to disclose such information. Therefore,
internal auditors should be familiar with regulations relevant to their organization. The IIA Code of Ethics
requires internal auditors to uphold the principle of confidentiality, prudently protecting information
according to their legal and professional obligations and supporting the legitimate and ethical objectives
of the bank.

The information that the bank disseminates should detail the functions and responsibilities of the relevant
committees. The LRM framework indicates the degree of centralization or decentralization of the treasury
function that balances and manages the daily cash flow, liquidity of funds, and asset/liability
management. When the functions of treasury and LRM are decentralized, the framework should describe
the interaction between the units.

Additionally, the information should contain a qualitative explanation of the bank's liquidity metrics.
These metrics include the time interval covered, whether the calculations were carried out under normal
or stress conditions, the organizational level to which the indicators refer, and any assumptions used.

Internal auditors should evaluate whether the bank has established complete and accurate disclosures
that allow market participants to develop an informed opinion on its ability to meet its liquidity needs.
The purpose of this Basel Framework requirement aligns with one of the requirements within Standard
2130.A1. This requirement relates to the evaluation of the adequacy and effectiveness of controls related
to the reliability and integrity of the bank’s financial and operational information. The internal audit
activity must evaluate the adequacy and effectiveness of controls (Standard 1220 – Due Professional
Care) related to these areas:

• The bank’s achievement of its strategic objectives.

• The reliability and integrity of its financial and operational information.
• The effectiveness and efficiency of its operations and programs.
• The bank’s ability to safeguard assets.
• The bank’s compliance with laws, regulations, policies, procedures, and contracts.

15 — theiia.org
The Role of Supervisors

Supervisors periodically evaluate the bank's general LRM framework and its liquidity position to
determine whether the bank complies with regulations related to liquidity management and whether the
bank has sufficient capacity to adapt to the liquidity stresses that it might encounter. Internally, the first
and second lines ensure that the bank adheres to regulatory requirements and adopts effective measures
to correct any deficiencies detected.

Banks must demonstrate practices of prudent management of risks to supervisors, which includes maintaining
liquidity appropriate to the size and complexity of their operations and services. Additionally, regulations
specific to the management of liquidity risk establish multiple minimum requirements. Internal auditors may
assess whether internal controls are sufficient to ensure the accuracy of information submitted to supervisors
and whether the reporting capability is robust enough to support the submission on a timely basis. Supervisors
typically request the following information:

• Liquidity position, submitted daily or monthly.

• Liquidity surplus by time bucket.
• The LCR.
• The NSFR.
• Stress test results (simulation and scenario analysis).
• Contingency funding plan.

Supervisors generally communicate with each other and appropriate public authorities, such as central
banks, both within and outside their national jurisdictions, to effectively cooperate and coordinate
supervisory efforts. While such communication is periodic under normal conditions, it typically becomes
more frequent during periods of stress. Per IIA Standard 2050 – Coordination and Reliance, the CAE
should share information, coordinate activities, and consider relying upon the work of other internal and
external assurance and consulting service providers.

Internal auditors routinely work with supervisors to ensure the information provided to them is accurate
and timely. They also will work with the supervisor to interpret their audit reports (Standard 2400 –
Communicating Results) and understand the procedures performed in-house and by third parties. In
general, the internal audit activity can function as a key liaison to assist the supervisors and the bank in
fulfilling their responsibilities to each other and the public.

Working with supervisors is a common role for internal auditors. They should remain mindful of the
Confidentiality Principle in The IIA’s Code of Ethics that states, “internal auditors respect the value and
ownership of information they receive and do not disclose information without appropriate authority

16 — theiia.org
unless there is a legal or professional obligation to do so.” To follow this principle, internal auditors should
operate within appropriate confidentiality safeguards and coordinate with the organization’s legal team
when sharing organization information.

Conclusion
Regular internal audit assessments are crucial in validating the sufficiency of a bank’s liquidity risk
management program. These independent assurance activities should include a review of the
governance, management, measurement of liquidity risk, disclosures, and coordination with supervisors
confirming adherence to the Basel Framework and internally implemented liquidity thresholds aligned
with the bank’s risk appetite.

Proper management of a bank’s liquidity position is critical to its ability to withstand financial stress and
manage negative cash flows. Internal auditors can play an important role in confirming the sufficiency of
LRM process design and execution, which benefits not only the individual bank but the banking sector as a
whole.

17 — theiia.org
Appendix A. Relevant IIA Standards and
Guidance

The following IIA resources were referenced throughout this practice guide. For more information about
applying the International Standards for the Professional Practice of Internal Auditing, please refer to The
IIA’s Implementation Guides.

Code of Ethics
Principle 1: Integrity

Principle 3: Confidentiality

Principle 4: Competency

Standards
Standard 1110 – Organizational Independence

Standard 1210 – Proficiency

Standard 1220 – Due Professional Care

Standard 2050 – Coordination and Reliance

Standard 2110 – Governance

Standard 2120 – Risk Management

Standard 2130 – Control

Standard 2200 – Engagement Planning

Standard 2201 – Planning Considerations

Standard 2310 – Identifying Information

Standard 2330 – Documenting Information

Standard 2400 – Communicating Results

Guidance
Practice Guide, “Engagement Planning: Establishing Objectives and Scope,” 2017.

Practice Guide, “Evaluating Ethics-Related Programs and Activities,” 2012.

Position Paper, “The IIA’s Three Lines Model: An Update of the Three Lines of Defense,” 2020.

18 — theiia.org
Appendix B. Glossary

Definitions of terms marked with an asterisk are taken from the “Glossary” of The IIA’s publication
“International Professional Practices Framework®, 2017 edition” (also known as the Red Book), published
by the Internal Audit Foundation. Other sources are identified in footnotes.

board* – The highest level governing body (e.g., a board of directors, a supervisory board, or a board of
governors or trustees) charged with the responsibility to direct and/or oversee the organization’s
activities and hold senior management accountable. Although governance arrangements vary
among jurisdictions and sectors, typically the board includes members who are not part of
management. If a board does not exist, the word “board” in the Standards refers to a group or
person charged with governance of the organization. Furthermore, “board” in the Standards may
refer to a committee or another body to which the governing body has delegated certain functions
(e.g., an audit committee).

chief audit executive* – Describes the role of a person in a senior position responsible for effectively
managing the internal audit activity in accordance with the internal audit charter and the mandatory
elements of the International Professional Practices Framework. The chief audit executive or others
reporting to the chief audit executive will have appropriate professional certifications and
qualifications. The specific job title and/or responsibilities of the chief audit executive may vary
across organizations.

governance* – The combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.

liquidity – The ability of a bank to fund increases in assets and meet obligations as they come due,
without incurring unacceptable losses. 8

risk* – The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.

risk appetite* – The level of risk that an organization is willing to accept.

risk appetite statement – The articulation in written form of the aggregate level and types of risk that a
financial institution will accept or avoid in order to achieve its business objectives. It includes
quantitative measures expressed relative to earnings, capital, risk measures, liquidity, and other
relevant measures as appropriate. It should also address more difficult to quantify risks such as
reputation and conduct risks as well as money laundering and unethical practices. 9

8. Basel Committee. Sound Liquidity Risk Management.

9. Financial Stability Board. Effective Risk Appetite.

19 — theiia.org
risk management* – A process to identify, assess, manage, and control potential events or situations to
provide reasonable assurance regarding the achievement of the organization's objectives.

risk tolerance – The acceptable variation in outcomes related to specific performance measures linked to
objectives the entity seeks to achieve.10

10. Beasley, Hancock, and Branson. Enterprise Risk Management.

20 — theiia.org
Appendix C. Basel Framework Principles
for the Management and Supervision of
Liquidity Risk
Regulators and governing bodies worldwide have developed and discussed guiding principles for
managing and monitoring liquidity risk. Internationally, the 17 LRM principles detailed in the Basel
Framework are widely recognized.

Fundamental Principle for the Management and Supervision of Liquidity Risk

1 A bank is responsible for the sound management of liquidity risk. A bank should establish a robust liquidity risk
management framework that ensures it maintains sufficient liquidity, including a cushion of unencumbered,
high-quality liquid assets, to withstand a range of stress events, including those involving the loss or
impairment of both unsecured and secured funding sources. Supervisors should assess the adequacy of both a
bank's liquidity risk management framework and its liquidity position and should take prompt action if a bank is
deficient in either area in order to protect depositors and to limit potential damage to the financial system.

Governance of Liquidity Risk Management

2 A bank should clearly articulate a liquidity risk tolerance that is appropriate for its business strategy and its role
in the financial system.

3 Senior management should develop a strategy, policies, and practices to manage liquidity risk in accordance
with the risk tolerance and to ensure that the bank maintains sufficient liquidity. Senior management should
continuously review information on the bank's liquidity developments and report to the board of directors on a
regular basis. A bank's board of directors should review and approve the strategy, policies, and practices
related to the management of liquidity at least annually and ensure that senior management manages liquidity
risk effectively.

4 A bank should incorporate liquidity costs, benefits and risks in the internal pricing, performance measurement
and new product approval process for all significant business activities (both on- and off-balance sheet),
thereby aligning the risk-taking incentives of individual business lines with the liquidity risk exposures their
activities create for the bank as a whole.

Measurement and Management of Liquidity Risk

5 A bank should have a sound process for identifying, measuring, monitoring, and controlling liquidity risk. This
process should include a robust framework for comprehensively projecting cash flows arising from assets,
liabilities, and off-balance sheet items over an appropriate set of time horizons.

6 A bank should actively monitor and control liquidity risk exposures and funding needs within and across legal
entities, business lines and currencies, taking into account legal, regulatory, and operational limitations to the
transferability of liquidity.

7 A bank should establish a funding strategy that provides effective diversification in the sources and tenor of
funding. It should maintain an ongoing presence in its chosen funding markets and strong relationships with
funds providers to promote effective diversification of funding sources. A bank should regularly gauge its

21 — theiia.org
 capacity to raise funds quickly from each source. It should identify the main factors that affect its ability to raise
funds and monitor those factors closely to ensure that estimates of fundraising capacity remain valid.

8 A bank should actively manage its intraday liquidity positions and risks to meet payment and settlement
obligations on a timely basis under both normal and stressed conditions and thus contribute to the smooth
functioning of payment and settlement systems.

9 A bank should actively manage its collateral positions, differentiating between encumbered and
unencumbered assets. A bank should monitor the legal entity and physical location where collateral is held and
how it may be mobilized in a timely manner.

10 A bank should conduct stress tests on a regular basis for a variety of short-term and protracted institution-
specific and market-wide stress scenarios (individually and in combination) to identify sources of potential
liquidity strain and to ensure that current exposures remain in accordance with a bank's established liquidity
risk tolerance. A bank should use stress test outcomes to adjust its liquidity risk management strategies,
policies, and positions, and to develop effective contingency plans.

11 A bank should have a formal contingency funding plan (CFP) that clearly sets out the strategies for addressing
liquidity shortfalls in emergency situations. A CFP should outline policies to manage a range of stress
environments, establish clear lines of responsibility, include clear invocation and escalation procedures, and be
regularly tested and updated to ensure that it is operationally robust.

12 A bank should maintain a cushion of unencumbered, high-quality liquid assets to be held as insurance against a
range of liquidity stress scenarios, including those that involve the loss or impairment of unsecured and
typically available secured funding sources. There should be no legal, regulatory, or operational impediment to
using these assets to obtain funding.

Public Disclosure

13 A bank should publicly disclose information on a regular basis that enables market participants to make an
informed judgement about the soundness of its liquidity risk management framework and liquidity position.

The Role of Supervisors

14 Supervisors should regularly perform a comprehensive assessment of a bank's overall liquidity risk
management framework and liquidity position to determine whether they deliver an adequate level of
resilience to liquidity stress given the bank's role in the financial system.

15 Supervisors should supplement their regular assessments of a bank's liquidity risk management framework and
liquidity position by monitoring a combination of internal reports, prudential reports, and market information.

16 Supervisors should intervene to require effective and timely remedial action by a bank to address deficiencies
in its liquidity risk management processes or liquidity position.

17 Supervisors should communicate with other supervisors and public authorities, such as central banks, both
within and across national borders, to facilitate effective cooperation regarding the supervision and oversight
of liquidity risk management. Communication should occur regularly during normal times, with the nature and
frequency of the information sharing increasing as appropriate during times of stress.

22 — theiia.org
Appendix D. Sample Liquidity Risks and
Controls

The table lists some of the main risk areas and controls that internal auditors consider when performing a
liquidity risk engagement. The list is neither exhaustive nor meant to be used as an engagement work
program or checklist. In practice, these risk areas should be broken down into their appropriate balance
sheet accounts, product lines, or similar categories used by the particular organization and analyzed for
relevant risks. The controls are broadly represented in categories of elements, such as strategies,
documents, models, data flows, reports, and analyses that could be utilized to mitigate risks that may
occur in the listed risk areas.

Liquidity Risk Area Control Category

Equity capital and/or risk-weighted assets • Stress testing multiple scenarios has been performed.
include inappropriate variations in products
or investments. • Equity capital and risk-weighted assets are regularly examined for
appropriateness and completeness according to the Basel Framework’s
requirements and any local requirements.

Liabilities cannot be met when they come • Contingency funding plans for a variety of scenarios have been
due or can only be met at an uneconomic established.
price.
• Cash buffers are increased through sale of fixed assets.

• Short-term financing sources are adequate.

• Monitoring metrics that trigger a cutback in lending activities are in place.

• Excess reserves are converted to cash.

Assets cannot be converted into cash. • Asset liability management policy and procedures are in place.

• Assets have been securitized and illiquid assets have been removed from
the bank's balance sheet.

• Repurchase agreements (repos) have been increased.

• Commercial paper or bonds have been issued.

• Quantity and type of high-quality liquid assets are appropriate for the
bank's liquidity risk profile.

• Increase unencumbered assets.

Liquidity Risk Area Control Category

Off-balance sheet obligations are not • Protocols for testing off-balance sheet commitments are in place (such as
properly reported. FASB requirements 2016-02 ASC 842 and IFRS testing protocols).

23 — theiia.org
 Foreign exchange fluctuations are • Hedge exposures via currency swaps.
unfavorable.
• Hedge exposures naturally.

Bank's liquidity metrics are not aligned with • ALCO regularly reviews the liquidity risk profile and monitors the bank's
its risk appetite. compliance with the risk appetite as stated by the board.

• Control functions collaborate to ensure liquidity risk information is shared

across the organization.

• Intraday liquidity metrics are monitored on a real-time basis.

Liquidity events are not identified early • A process for responding to early warning indicators has been
enough to react. established.

• Liquidity risk metrics, triggers, and limits are regularly monitored.

• Macro- and micro-economic environments are regularly monitored.

• Geopolitical environments in relevant markets are regularly monitored.

Board is not updated completely, clearly, • ALCO or other relevant committee regularly reports on liquidity risks to
and/or timely. the board.

24 — theiia.org
Appendix E. References

Basel Committee on Banking Supervision. Basel III: a global regulatory framework for more resilient banks
and banking systems. Basel, Switzerland: Bank for International Settlements, 2011.
https://www.bis.org/publ/bcbs189.pdf.

Basel Committee on Banking Supervision. Basel III: The Liquidity Coverage Ratio and liquidity risk
monitoring tools. Basel, Switzerland: Bank for International Settlements, January 2013.
bis.org/publ/bcbs238.pdf.

Basel Committee on Banking Supervision. Basel III: The net stable funding ratio. Basel, Switzerland: Bank
for International Settlements, 2014. http://www.bis.org/bcbs/publ/d295.pdf.

Basel Committee on Banking Supervision. Core Principles for Effective Banking Supervision. Basel,
Switzerland: Bank for International Settlements, 2012. https://www.bis.org/publ/bcbs230.pdf.

Basel Committee on Banking Supervision. Principles for Sound Liquidity Risk Management and Supervision.
Basel, Switzerland: Bank for International Settlements, 2008. bis.org/publ/bcbs144.pdf.

Beasley, Mark S., Bonnie V. Hancock, and Bruce C. Branson for the Committee of Sponsoring
Organizations of the Treadway Commission. Strengthening Enterprise Risk Management for Strategic
Advantage. Durham, North Carolina: American Institute of CPAs, 2009.
https://us.aicpa.org/content/dam/aicpa/forthepublic/auditcommitteeeffectiveness/auditcommittee
brief/downloadabledocuments/strengthening-enterprise-risk.pdf.

Office of Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit
Insurance Corp., Office of Thrift Supervision, National Credit Union Administration, in conjunction
with the Conference of State Bank Supervisors. Interagency Policy Statement on Funding and
Liquidity Risk Management. 75 Fed. Reg. at 13,657 (March 22, 2010).
https://www.occ.treas.gov/news-issuances/federal-register/2010/75fr13656.pdf.

European Banking Authority. Final Report: Guidelines on ICAAP & ILAAP information collected for SREP
purposes. Luxembourg: Publication Office of the European Union, 2016.
https://www.eba.europa.eu/eba-publishes-final-guidelines-on-icaap-and-ilaap-information.

Financial Stability Board. Principles for an Effective Risk Appetite Framework. Basel, Switzerland: Bank for
International Settlements, 2013. fsb.org/wp-content/uploads/r_131118.pdf.

Korean Institute of Finance (On behalf of the ASEAN+3 Research Group). Regulation and Supervision for
Sound Liquidity Risk Management for Banks. Bangkok, Thailand: Fiscal Policy Research Institute,
2010. asean.org/wpcontent/uploads/images/archive/-documents/ASEAN-+3RG/0910/FR/17b.pdf.

Office of the Superintendent of Financial Institutions Canada. Supervisory Framework. Ontario, Canada:
OFSI, 2010. osfi-bsif.gc.ca/eng/fi-if/rai-eri/sp-ps/pages/sff.aspx.

25 — theiia.org
Acknowledgements
Financial Services Guidance Development Team
Claire Deng, CFA, FRM, Canada

Monroe Johnson, CIA, CPA, United States

Michael O'Bryan, CIA, CPA, CA, CFE, CISA, Canada

Rune Johannessen, CIA, CCSA, CRMA, Norway

Sherry Rodriguez, CIA, CRMA, United States

Dawn Anderson, CIA, CFSA, CPA, United States

Global Guidance Council Reviewers

Jose Esposito Li-Carrillo, CIA, CRMA, Peru

Nur Hayati Baharuddin, CIA, CCSA, CFSA, CGAP, CRMA, Malaysia

Larry Herzog Butler, CIA, CRMA, CPA, Germany

Elodie Sourou, CIA, Canada

Ana Cristina Zambrano Preciado, CIA, CRMA, CCSA, Colombia

International Internal Audit Standards Board Reviewers

Naji Fayad, CIA, CCSA, CRMA, Lebanon

Dominique Vincenti, CIA, CRMA, United States

IIA Global Standards and Professional Practices

Andrew Cook, CIA, Director (Project Lead)

Dr. Lily Bi, CIA, QIAL, CRMA, CISA, Executive Vice President

Anne Mercer, CIA, CFSA, CFE, Senior Director

Patricia Miller, Content Writer and Technical Editor

Helen Nicholson, Content Writer and Technical Editor

Geoff Nordhoff, Content Writer and Technical Editor

The IIA thanks the following oversight bodies for their support: Financial Services Knowledge Group, Global
Guidance Council, International Internal Audit Standards Board, the International Professional Practices
Framework Oversight Council.

26 — theiia.org
About The Institute of Internal Auditors
The Institute of Internal Auditors (IIA) is an international professional association that serves more than 215,000 members and has awarded 180,000 Certified Internal
Auditor (CIA) designations worldwide. Established in 1941, The IIA is recognized as the internal audit profession's leader in standards, certification, advocacy, education,
research, and technical guidance throughout the world. For more information, visit www.theiia.org.

Disclaimer
The IIA publishes this document for informational and educational purposes. This material is not intended to provide definitive answers to specific individual
circumstances and as such is only intended to be used as a guide. The IIA recommends seeking independent expert advice relating directly to any specific situation. The IIA
accepts no responsibility for anyone placing sole reliance on this material.

Copyright
Copyright © 2022 The Institute of Internal Auditors, Inc. All rights reserved. For permission to reproduce, please contact [email protected].

First edition, “Auditing Liquidity Risk: An Overview,” published December 2017

Second edition August 2022

27 — theiia.org