In today’s world of tightening regulations and an evolving risk landscape, companies are facing increased pressure to comply with Anti Money Laundering (AML) regulations in order to avoid hefty fines, reputational risk and disruptions to their operations. Consequently, now more than ever, companies require assurance that their AML control framework is strong and tight enough to prevent and to detect instances where their business can be used to clean money or to finance terrorism.
Internal audit may provide this assurance to the company by assessing its AML control framework. It will also give the opportunity to the company to address any issues before they escalate or before they are detected by the competent authorities.
What is internal audit?
A company can never be in business without being susceptible to risks. Having said that, it needs to have sufficient mitigating controls to address those risks and reduce them to an acceptable level. According to the Chartered Institute of Internal Auditors, the role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.
In essence, internal audit, being the third line of defence, will assess the design and operating effectiveness of the internal control framework and provide an independent opinion thereon. Most importantly, it would also propose recommendations on how identified weaknesses can be addressed by management.
What is the regulatory requirement?
The Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and the related Implementing Procedures (IPs) emphasise the importance of monitoring the AML control framework on an ongoing basis. These also encourage companies to consider the implementation of an independent audit function to assess the design and effectiveness of the implementation of measures, policies, control and procedures adopted by the company to address AML risk.
A company can never be in business without being susceptible to risks
The IPs also state that a company is not necessarily required to set up an internal audit function, but it can also engage an independent consultant or an internal party, who is independent from the operations, to carry out this role.
What are the critical elements for an effective internal audit function?
The internal audit team should have the required qualifications and expertise in AML to be able to understand the regulatory obligations, best practices, as well as the latest money laundering typologies. This should be coupled with a thorough understanding of the operations of the company to be able to assess the AML risks it is susceptible to, based on the four key risk factors: product, customer, interface and geographical risk.
Defining scope is critical. This is achieved by having an open communication channel between the internal audit team and the Board of Directors or Audit Committee during the scoping of an assignment, to ensure that resources are focused on those areas which pose the highest risk.
Audits may be focused on specific high-risk areas (such as onboarding, monitoring, customer risk assessments or reporting) or else take the form of a general health check of the AML control framework to provide an insight into the company’s compliance with its AML/CFT obligations.
Such audits would typically have two facets. The first would focus on an assessment of the design of policies, procedures, controls and systems to ensure that they meet the regulatory requirements, and are in line with best practices and with the risk appetite of the company.
The second would include a review of the implementation of the company’s policies and procedures by the first line of defence, to guarantee that the controls designed by management are implemented in practice, and that the controls are effective in mitigating the risk. This may also cover the oversight and checks carried out by the second line of defence, these being Compliance and the Money Laundering Reporting Officer (MLRO).
While preserving independence, internal audit should work together with management and the relationship between the two should be built on mutual trust. This can be achieved by discussing findings and remediation plans during the course of the audit. The internal audit report is first presented to management, which is in turn requested to comment on the findings, before it is presented to the board of directors or audit committee.
The role of internal audit should be dynamic and should adapt to the needs of the company. There are various ‘non-traditional’ assignments which may be undertaken by internal audit in order to assist the company, while it navigates through the various stages in its lifecycle.
These could include involvement during the development of new tools, systems, policies and procedures, or during the development of new products or service lines; the post-implementation assessment of systems, tools, policies and procedures; assistance during de-risking exercises; assessments of the AML risk and control framework of an entity as part of the due diligence process prior to a merger and acquisition transaction or joint venture arrangement; as well as the provision of training.
Alicia Vella, senior manager, Advisory Department Mazars