I was wondering how many of you outsource your system validation, or does anyone use your internal auditors?
If you're looking to determine whether you should outsource or use Audit, my recommendation would be to hire a firm. BSA/AML system validation requires a level of expertise that your internal auditors likely do not have. Reconciling the core to the AML system and the AML system to the batch filing output is pretty straightforward, but it takes a specialist to identify gaps, confirm models operate as intended, assess the appropriateness of the alert thresholds, and evaluate the overall effectiveness of your suspicious activity detection models, enhanced due diligence identification models, and AML model governance program.
Personally, I advocate a two-prong approach, where BSA/AML employees perform self-testing and also hire a firm to perform an independent periodic system validation.