The Internal Audit Playbook for Broker-Dealer AI Recommendation Models

$199.00

A focused course, tailored for you

An audit program for SEC Reg BI, FINRA AI guidance, and SR 11-7 model governance over advice-engine recommendations.

Your Q2 integrated audit of the AI recommendation engine has to satisfy SEC Reg BI, FINRA's predictive-analytics notice, and SR 11-7 model validation in one workpaper set. Three control owners point at each other. Your conclusion has to bridge them.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A Senior Manager Internal Audit at a US broker-dealer is now the person who reconciles the model-risk team's validation memo to the data-platform team's lineage docs to the wealth-advisory team's suitability evidence. The recommendation engine produces a client-facing screen. Reg BI says that screen has to satisfy a care obligation. FINRA's AI notice says the model behind it has to be governed, tested, and explainable. SR 11-7 says the validation evidence has to be independent and current. The workpaper has to test all three on the same sample of recommendations, with lineage traceable from feature to client. Doing that with a generic IIA audit program does not work. The program has to be built for an advice engine sitting inside a broker-dealer.

What you walk away with

  • Build a risk and control matrix that maps Reg BI care, FINRA AI governance, and SR 11-7 validation to specific testable controls on the recommendation engine.
  • Design a sampling approach that lets a FINRA examiner re-perform any selected recommendation end to end.
  • Test data lineage from the feature store to the client-facing recommendation, with workpaper evidence at each hop.
  • Run fairness and disparate-impact testing aligned to FINRA's predictive-analytics framing without needing a data-science team.
  • Write an audit report that lands with the Audit Committee, the CCO, and the Chief Risk Officer with a finding the business can act on.

The 12 modules

Module 1. Reg BI care obligation as an auditable control
Translate the SEC Reg BI care obligation from a principles-based standard into a set of testable controls over a recommendation engine. Identify which screens, prompts, and disclosures fall in scope, which client account types are inside Reg BI versus an RIA fiduciary line, and how the care obligation interacts with the firm's own best-interest policy. Output is the Reg BI section of the risk and control matrix used for the rest of the audit.
Module 2. FINRA's AI and predictive analytics notice in an audit program
Walk the operative regulatory notices and guidance from FINRA on the use of AI, machine learning, and predictive analytics in customer-facing applications. Translate the supervisory expectations into audit assertions, evidence requirements, and control activities the second line can test. Map each expectation to a specific stage of the recommendation pipeline so nothing falls between the model-risk team and the wealth-advisory team.
Module 3. SR 11-7 model validation evidence in the integrated audit
Bring the SR 11-7 model risk management expectations into the integrated audit even where the firm is not a bank holding company. Inventory the validation artefacts the model-risk function should be producing, test their independence and currency, and identify the gaps a regulator would name on first review. Pin each validation artefact to the specific model version that generated the recommendations in the audit sample.
Module 4. Risk and control matrix for a recommendation engine
Build the full risk and control matrix that becomes the spine of the audit. Rows are inherent risks across data, model, deployment, monitoring, and client interaction. Columns are the three regulatory regimes plus internal policy. Each cell names the control activity, the owner, the evidence type, and the test the auditor will run. The matrix is the artefact the engagement is planned and reported against.
Module 5. Audit sampling that survives a FINRA re-perform
Design the sampling logic so any recommendation selected can be re-performed end to end by a FINRA examiner. Decide stratification across account type, recommendation category, and model version. Set sample sizes that satisfy both statistical and judgmental sampling standards. Document the rationale in a sampling memo that survives an Audit Committee challenge and a regulator's review.
Module 6. Lineage testing from feature store to client screen
Run the lineage walkthrough that traces each sampled recommendation from the inbound market and account data, through the feature store, through the model version, through the post-processing rules, to the screen the client sees. Capture the evidence at each hop. Identify control breaks at the handoffs between data-platform, model-risk, and wealth-advisory functions and write them up so the owners cannot pass them between teams.
Module 7. Fairness and disparate-impact testing without a data-science team
Apply the FINRA predictive-analytics framing on fairness and bias to the sampled recommendations. Use workpaper-grade techniques that the audit team can execute without standing up a parallel data-science capability. Cover account-type segmentation, protected-class proxies where applicable to the broker-dealer line, and outcome differentials in the recommendations the engine produces. Document the methodology so the model-risk team can repeat it.
Module 8. Suitability evidence on the client-facing recommendation
Reconcile the recommendation the engine produced for a sampled client to the suitability profile on file, the disclosures shown, and the action the client took. Walk the chain through to the trade confirmation if the recommendation was acted on. Test whether the screen, the disclosure, and the suitability assessment line up to a defensible care record.
Module 9. Change management and model version control
Audit the change management discipline around the recommendation engine. Test that every production version is logged, that every change went through model-risk review, that rollbacks have evidence, and that the version applied at the time of any sampled recommendation can be reconstructed. Identify where the change log diverges from the production deployment record and write the finding so the platform team owns the remediation.
Module 10. Ongoing monitoring and drift controls
Test the ongoing monitoring program the model-risk and platform teams operate. Cover input-data drift, output drift, performance against business KPIs, and incident response when monitoring triggers. Establish whether the controls would have caught the drift that a regulator would later find on its own examination, and recommend the threshold and escalation changes that close the gap.
Module 11. Issue rating, root cause, and Audit Committee narrative
Score the audit findings on a basis the Audit Committee will read consistently. Drive each finding to a root cause that crosses the model-risk, data-platform, and wealth-advisory boundary rather than landing in one team's lap. Draft the executive summary, the heat map, and the management response framing the Audit Committee will see, and prep the verbal walkthrough that follows.
Module 12. Coordinating with model risk, compliance, and the regulator
Position the integrated audit relative to the model-risk function's own validation calendar, the compliance team's Reg BI testing, and any open or anticipated FINRA examination. Decide what gets shared with the regulator proactively, what flows through the standard examination response process, and how the audit report is sequenced against the firm's broader regulatory reporting. Close the engagement with a clean handoff package the next audit cycle can build on.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

You are scoping the Q2 integrated audit and need the risk and control matrix that ties Reg BI, FINRA AI guidance, and SR 11-7 into one workpaper set.
You are sitting with the model-risk team's validation memo and need to test whether it covers the model versions that produced the recommendations in your audit sample.
You are walking lineage from the feature store to the client screen and the data-platform team and model-risk team disagree on who owns the break.
You are drafting the Audit Committee memo and need a finding narrative that names the root cause across three control owners without softening it.

What you get with this course

  • Twelve written modules covering the integrated audit end to end.
  • Risk and control matrix template tuned to a broker-dealer AI recommendation engine.
  • Sampling memo template that survives a FINRA re-perform.
  • Lineage walkthrough workpaper template with evidence checkpoints at each hop.
  • Fairness and disparate-impact testing methodology workpaper.
  • Audit Committee report template with heat map and management response framing.
  • Hand-built implementation playbook tuned to a Senior Manager Internal Audit role at a US broker-dealer.
  • 30-day money-back guarantee.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Week 1: complete modules 1 to 4 and draft the risk and control matrix for your engagement.

Week 2: modules 5 to 8 and run the sampling, lineage, and fairness workpapers on a pilot sample.

Week 3: modules 9 to 12 and draft the Audit Committee report from the populated workpapers.

Ongoing: re-use the matrix and workpaper templates on each subsequent integrated audit cycle.

Before and after

Before

A generic IIA audit program plus a model-validation memo plus a Reg BI compliance attestation, none of which line up on the same sample of recommendations, with three control owners pointing at each other.

After

One integrated audit program with a single risk and control matrix, a single sampling plan, lineage tested through every hop, fairness and suitability evidence on the same recommendations, and an Audit Committee report a regulator can read alongside its own examination.

What happens if you do not address this

The integrated audit ships with a softened finding because no single workpaper bridges Reg BI, FINRA AI guidance, and SR 11-7. The next FINRA examination identifies the lineage and validation gap the audit did not name, the firm has to remediate under examination pressure, and the Audit Committee asks why second-line testing did not catch it first.

Who it is for

Senior Managers and Directors in Internal Audit at US broker-dealers, RIAs, and wealth platforms running an integrated audit over an AI-driven recommendation or advice engine. Audit committee reports up. FINRA and SEC examiner re-perform downstream. Model-risk, data-platform, and wealth-advisory control owners in scope.

Who this is NOT for. External auditors signing the financial statements. Model developers writing the model itself. Compliance officers running the day-one Reg BI attestation. This is a second-line audit program for the integrated audit, not a model build, not the original Reg BI rollout.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable workpaper templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Around 12 to 16 hours of reading, plus the time to run the workpapers on your live engagement. Designed to be worked through during a single quarter's audit plan rather than studied in isolation.

Why $199 is the right number

A Big Four advisory engagement on AI audit framework design lands in the 80,000 to 200,000 USD range and arrives as slides rather than workpapers. The IIA's published AI audit guides are conceptual and not tuned to a broker-dealer recommendation engine. Internal build from scratch takes a quarter of senior audit time and still misses the SR 11-7 evidence bar on first regulator review.

FAQ

Is this an IIA-style framework or an actual audit program?
An actual audit program. Risk and control matrix, sampling memo, lineage workpaper, fairness testing methodology, Audit Committee report. The framework reasoning is in the modules; the artefacts are downloadable.
Our firm is not a bank holding company. Does SR 11-7 still apply?
SR 11-7 is not directly applicable to a pure broker-dealer, but FINRA, SEC, and Audit Committees all reference its principles as the operative model risk standard. The course covers when to apply it directly, when to invoke its principles, and how to position that in the workpapers.
Does this cover RIA fiduciary obligations too, or only Reg BI?
Both. The risk and control matrix has separate rows for Reg BI care and RIA fiduciary obligations, since many wealth platforms have account types under each. The sampling plan stratifies accordingly.
How is the per-buyer implementation playbook tuned to my role?
It is built around a Senior Manager Internal Audit running an integrated audit of an AI recommendation engine inside a broker-dealer with a wealth platform. Workpaper templates, sampling thresholds, and the Audit Committee report framing are tuned to that scope. Delivered alongside course access.
What if our audit team has not stood up AI audit capability yet?
The course is written assuming the integrated audit is happening now and the team is building the capability through the engagement. Each module is structured so the workpaper output is the artefact the team learns by producing.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
