Blogpost

9th MaRisk Amendment: Internal Audit as a Key Factor in Implementation

The implementation of the 9th MaRisk Amendment will be a major undertaking for many institutions, cutting across virtually every business area. This is precisely where Internal Audit plays a pivotal role: under BT 2.1, it is obliged to accompany significant projects. How can this accompaniment be structured so that adverse developments are identified early, without jeopardising its own independence?


Introduction

The consultation on the 9th MaRisk Amendment is on the table, with BaFin targeting publication of the final version around mid-year. Experience from previous amendments tells us that no material changes to the consultation draft are to be expected, and clarifications are generally not subject to implementation deadlines – they take effect from the date of publication.

Implementation will be a major undertaking for many institutions, running across virtually every business area. This is precisely where Internal Audit plays a pivotal role: under BT 2.1, it is obliged to accompany significant projects – and the implementation of the MaRisk Amendment meets all the criteria of a significant project.

The art lies in designing this accompaniment in such a way that adverse developments are detected early, without jeopardising Internal Audit’s own independence. This article outlines how that can be achieved – and at which specific points in the Amendment Internal Audit makes the decisive difference.

What is Changing – The Key Points in Brief

To contextualise the audit perspective, a condensed look at the latest MaRisk Amendment suffices. Its defining feature is a new proportionality regime, under which institutions are divided into categories:

  • very small institutions (up to approx. €1 billion in total assets),
  • small institutions (€1 billion to €5 billion), and
  • other institutions (up to approx. €15 billion).

Significant institutions above this threshold will in future fall directly under ECB supervision and no longer under MaRisk.

A large number of opening clauses are linked to these categories: ranging from the waiver of reverse stress tests, simplified business model analyses, and the elimination of expert rotation and market fluctuation concepts, to simplifications regarding the separation of functions and risk reporting.

In terms of content, the dominant themes are:

  • ESG risks (assessment over a period of at least ten years, resilience analyses, ESG risk plans pursuant to § 26c KWG-E),
  • new governance requirements (individual accountability statements under AT 5, approval obligation for the supervisory body when changing the head of key functions),
  • sharpened model validation (initial validation, three-year cycle, separation of development and validation), and
  • the reorganisation of outsourcing (ICT services under DORA third-party risk management fall outside AT 9, the outsourcing register is formally abolished, and full outsourcing of Compliance and Internal Audit is henceforth permitted only for very small institutions).
Figure 1: Institutional categories and proportionality in the 9th MaRisk Amendment (simplified representation based on the consultation draft)

The common thread running through all these changes: the supervisory authority is replacing rigid, prescriptive rules with institutional responsibility – and in return demands a robust, documented justification for every relief provision claimed. It is precisely this paradigm shift that elevates the Amendment to a first-order audit topic.

The Paradigm Shift: From Target State to the Adequacy of Reasoning

For audit practice, this shifts the focus of examination. Where previously a clear, reliable target state existed – an auditor’s favourite basis – the question now becomes one of the adequacy of reasoning: Has the business area derived in a comprehensible way why an opening clause applies to its own institution? Are the assumptions documented, the materiality assessments cleanly derived, and the evaluations reconstructable by an independent third party?

Discussions with business areas about risk content, complexity, and the depth of documentation will inevitably increase as a result. The business area will consider its own reasoning sufficient; Internal Audit will need to demand more detailed evidence – and it is precisely in this friction that the value-add lies. Those who accompany the implementation from the outset can demand documentation quality where it is being created, rather than criticising it years later in hindsight. The principle of “if it’s not written down, it doesn’t exist” applies now more than ever – and Internal Audit is the function that can systematically ensure compliance with it.

Internal Audit in the Implementation Project

Recognising the Project – and Assessing Materiality Independently

The MaRisk implementation meets all the classic project criteria: unique, limited in terms of time and personnel, with a clear objective (supervisory-compliant implementation by the deadline) and high complexity.

Nevertheless, there is no guarantee that it will actually be set up as a project within the institution – in practice, business areas are adept at avoiding the term “project” because it triggers documentation and governance obligations. “Working group” and “quality circle” are popular alternative terms. Internal Audit should keep its eyes open and examine whether the project criteria defined in its own policies are in fact being met.

Equally important is an independent materiality assessment. Project owners’ judgements frequently lean towards immateriality. Internal Audit should therefore apply its own set of criteria – economic significance, regulatory relevance, impact on strategies, material risk types and the internal control system, complexity, discretionary scope, and target specifications – with a clear decision rule.

In the case of MaRisk implementation, the result will almost certainly be unambiguous: regulatory matters are affected, the internal control system (ICS) is impacted, complexity is high, and discretionary scope is extensive. There is no avoiding more intensive accompaniment. The precise intensity remains a risk-based, case-by-case decision – ranging from pure project information to a full project-accompanying audit; guidance is provided by DIIR Audit Standard No. 4 and the Global Internal Audit Standards. This intensity decision must also be documented, as the external auditor will enquire about it.

Role Clarity: Accompanying, Not Owning

The neutrality requirement is the existential question for project accompaniment. Internal Audit may act as observer, adviser, and sounding board – a sparring partner that counteracts the most serious adverse developments at an early stage and, in doing so, gains acceptance within project teams.

What it must not do: assume project leadership (an absolute no-go), bear technical or operational implementation responsibility, decide on measures, approve technical concepts, or grant approvals of a responsibility-bearing nature.

Warning signs of overly deep involvement include fixed attendance at every project meeting, self-developed control frameworks, binding implementation directives, or steering the remediation of deficiencies. Particularly treacherous is the attempt by business areas to instrumentalise Internal Audit as an arbiter: when area A wants one approach and area B another, Internal Audit should refrain from a definitive ruling – otherwise, “Internal Audit’s requirements” are subsequently cited, and neutrality is lost. Even the management board is not immune to the temptation of deferring a decision to Internal Audit.

The classic accusation – “you were in the project and said nothing” – can only be countered with documented restraint: establish the role in writing in advance, consistently document observations and recommendations, record prior engagements (including independent research), and separate the subsequent follow-up audit from the project accompaniment in terms of personnel as far as possible.

Figure 2: Role delineation of Internal Audit in the implementation accompaniment

AT 8.2 as a Binding Constraint

The principle remains unchanged: before material changes to organisational structure, processes, or IT systems, the effects on control procedures and control intensity must be analysed – with the involvement of the organisational units subsequently affected, as well as Compliance and Internal Audit.

MaRisk implementation will generate such changes in series: new overviews and declarations, adjusted reporting lines, controls that are discontinued and new ones created. Particularly in the enthusiasm of a project, AT 8.2 analysis is easily overlooked; Internal Audit should actively call for it with each implementation package and request sight of the control impact analysis.

Examination Areas for Implementation Accompaniment

At its core, the accompaniment can be structured around seven areas that apply to every significant project – and which translate directly to MaRisk implementation:

Project mandate and gap analysis: Is there a formal project mandate with a target picture and scope? More importantly: is the impact analysis complete? Here, Internal Audit validates whether all thematic areas of the Amendment have been captured – from the DORA interfaces and the ESG requirements through to the institution’s own proportionality classification. An incomplete gap analysis is the most costly error, as it propagates through the entire project.

Governance and responsibilities: Is project leadership clearly assigned? The Highlander principle applies: there can be only one – even where virtually every business area is affected. Internal Audit itself is precluded from project leadership; depending on the institution, the Organisation, Controlling, or the Board Office may be appropriate. Roles, escalation channels, and decision-making pathways must be set out in writing.

Project planning and steering: A milestone plan with a view to the expected implementation deadlines, resource and budget planning, regular status reporting with escalation thresholds, and documented scope changes. With a hard implementation deadline, milestone tracking is not a formality but the central early-warning mechanism.

Project risk management: Are implementation risks being systematically identified, assessed, and updated? Project risks are classic operational risks – in larger undertakings, they should, in principle, also be captured within the institution’s OpRisk framework.

Technical concept and target processes: Is there a complete, consistent technical concept – based, for example, on industry association or service provider templates that require institution-specific tailoring? Are target processes, control points, exceptions, and process owners described?

Internal control system: Internal Audit’s favourite area – and particularly relevant for this Amendment, since rules are both being removed (EBA references, outsourcing register, prescriptive requirements in AT 7.2) and newly introduced. Which controls are being discontinued, how are they being compensated, which new controls are required, who performs them and how frequently, and are they effective? Transitional risks between old and new processes must not create control gaps – projects should close existing gaps, not open new ones.

Regulatory requirements, testing, and migration: Have all affected requirements been addressed in a traceable manner? Are there test and acceptance concepts with defined criteria, migration and cut-over plans with fallback options, and assured data quality? Where ICT is involved, a specialist IT auditor should be included in the accompanying team – a generalist reaches their limits here.

Where Internal Audit Makes a Technical Difference

Not every change in the Amendment requires the same degree of audit attention. At five points, however, Internal Audit’s contribution is decisive – because discretionary scope, documentation obligations, and audit risk converge there.

First: the opening clause check. Every relief provision claimed stands or falls with its justification. Internal Audit should establish a quality benchmark early: assumptions derived in writing, a board resolution where required (for example, when waiving the market fluctuation concept or when setting a low risk appetite), and assured retrievability of documentation. A “qualified expert estimate” without a documented derivation will not withstand external scrutiny.

Second: ESG risks. Since reliable ten-year models are absent, institutions will initially work with qualitative approaches, buffers within the risk coverage potential, and extended adverse scenarios. Internal Audit’s examination here focuses less on the model than on the methodology: are the qualitative approaches evidenced as such, are the assumptions documented, and are the buffer amounts and the risk types covered justified? And is the delineation between cross-sectional effects and the allocation to operational risks consistently regulated?

Third: governance declarations under AT 5. Individual accountability statements for the management board, the layer below, and key function holders, plus a continuously current institution-wide overview of reporting lines – this is a permanent line-management task that no one will be eager to own. Internal Audit should examine whether the relevant group of individuals is completely captured (including functions that effectively report directly to the board without holding a departmental head role), whether an update process with clear responsibilities exists, and whether the monitoring mechanism – who identifies that someone is not fulfilling their duties, and who then takes action – has been fully thought through.

Fourth: outsourcing. The formal abolition of the outsourcing register may tempt institutions to discard it entirely – a mistake. DORA covers only ICT services; for all other outsourcing arrangements, an inventory remains factually necessary. Internal Audit should press for the overview to be maintained in some form, for the delineation between AT 9 and DORA third-party risk management to be clearly documented, and for the new three-year cycle of risk analyses to be accompanied by a process for event-driven reviews – for example, following critical audit findings at the service provider or persistent SLA breaches.

Fifth: deposit modelling under BTR 2.3. Deposits from financial customers may in future only be modelled if they qualify as operational deposits within the meaning of liquidity regulation. This is a rewarding examination area with a clear target state: the criteria are in any case to be reported to the supervisory authority – Internal Audit can request sight of the notification and verify whether the controlling function has implemented the parameterisation of the variable rate book accordingly.

And finally, a matter of Internal Audit’s own house: the validation obligation applies to Internal Audit itself. In current supervisory audit practice, the risk-oriented audit planning model is treated as a model like any other – a purely qualitative annual retrospective is increasingly insufficient; a methodologically coherent derivation is expected, particularly for audit areas approaching cycle boundaries. Those who make use of the new five-year cycle for non-material activities should bear in mind the emerging rule of thumb of a maximum of around ten per cent of audit areas. And with the new emphasis on the effective implementation of risk strategy, Internal Audit gains an examination area that requires sensitivity: not to evaluate the strategy itself, but to examine whether measures and timeframes have been defined for strategic objectives, and whether the implementation is actually delivering against those objectives.

When No Formal Project Is Established

If implementation is carried out through the line rather than via a project, this does not relieve Internal Audit of its accompaniment obligation – it merely makes the task more arduous. In that case, the approach is: maintain a dedicated audit document, actively request documents and meeting minutes from the business areas, arrange to be invited to coordination meetings, and independently track risks and timelines.

The formal project elements (project mandate, project risk management) are absent; the substantive accompaniment is not. Breaches of an existing project management policy should be addressed – ideally first through direct dialogue with those involved, before being included in the audit report. The incidental consequence of the line-based approach: the workload does not diminish, it merely becomes less transparent – a point that Internal Audit may quite reasonably raise with the management board.

Reporting with Sensitivity

Under MaRisk, every audit must be reported in writing without undue delay. Where the project portfolio is manageable, a project-accompanying audit covering the entire year has proven its worth: all accompaniment activities are continuously documented within it, with an overall report to follow at year-end – material findings must, of course, be reported immediately and must not wait until year-end.

In terms of wording, restraint and neutrality are advisable for as long as nothing serious is identified. Those who convert every project discussion into a finding will destroy the trust that is the foundation of open collaboration – and will simply stop being invited in future. It must remain apparent to business areas that one can speak openly with Internal Audit without every word ending up in the audit report. The discourse should be conducted around the subject matter, not around the question of what Internal Audit should have been permitted to say.

Conclusion

The 9th MaRisk Amendment transfers responsibility from the supervisory authority to the institutions – and makes the quality of reasoning and documentation the decisive success factor.

This is precisely where the strength of Internal Audit lies: as an early-engaged, clearly delineated companion to the implementation effort, it ensures the completeness of the gap analysis, the robustness of opening clause justifications, and the effectiveness of the control system during the transition – without itself sliding into implementation responsibility. Those who establish the role in writing in advance, consistently document observations, and separate the subsequent review in terms of personnel give the management board the assurance that the institution will be compliant by the deadline – whilst preserving their own independence to audit the outcome impartially thereafter.

The accompaniment is best begun now: with Internal Audit’s own materiality assessment, a clear role paper, and a view across the gap analysis, even before the final version is published.