The internal audit (IA) should provide a comprehensive review of your AML/CTF program
For your financial institution, the internal audit is your third line of defence and should provide an objective review of your Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF) programs, including policies, procedures, systems, processes and internal controls. How can you be sure your internal audit function is appropriately testing your AML/CTF activities?
Focus on five key themes when evaluating how the internal audit is addressing your AML/CTF concerns:
- Does your internal audit program have foundational components that are consistent with key elements of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 and the AUSTRAC Compliance Guide? For instance, the AML/CTF independent review should be risk-based and cover the core examination areas outlined in that guidance.
- Does the internal audit adequately review AML risk during the internal audit planning process? The level and intensity of testing for each of the core AML/CTF areas should be risk driven, and for larger and more complex financial institutions, the internal audit may conduct its own AML/CTF risk assessment independent of the first and second lines of defence.
- Is the internal audit taking a holistic view of your overall AML/CTF environment or is it following a routine, check-the-box approach? Inexperienced internal audit staff too often focus on transactional testing instead of taking an overall look at processes and internal controls. The internal audit should start with design assessments of the core AML/CTF areas and processes before testing transactional results. The evaluation of transactions should include testing of controls as well.
- Do your internal audit staff have the skills and experience to evaluate the numerous qualitative factors necessary for a successful AML/CTF program? And are they periodically trained? For example, do they know what to look at to evaluate the adequacy of your processes and control activities based upon the risk profile of your institution and an understanding of leading industry practices? Do they effectively evaluate your culture of compliance?
- Is the internal audit keeping up with the constantly evolving regulatory expectations surrounding AML/CTF? If there haven’t been any significant changes in your audit plan and approach in recent years, odds are your internal audit approach is not keeping up with regulatory demands.
Five steps to an effective internal audit
Be sure the internal audit is focusing on the following key issues and includes these five steps when assessing your AML/CTF program and activities:
- Do you have a strong culture of compliance? Assessing your culture of compliance sounds very subjective, but there are measurable aspects to consider. Are findings and deficiencies addressed appropriately and promptly by management? Do AML/CTF staff receive regular training? Does your AML/CTF officer have access to your board, and are AML/CTF issues reported to the board when appropriate?
- Do you have experienced and sufficient AML/CTF management and staff? It can be difficult to attract and retain strong AML/CTF staff, especially at smaller banks. Therefore, consideration of the strength of your AML/CTF staff should be a vital part of your internal audit effort. Look for backlogs in suspicious activity monitoring and reporting. Review the quality of investigations, suspicious activity reports and other issues. Take a close look at your AML/CTF training program—is it keeping up with the evolving AML/CTF landscape and tailored to your risk environment, or is it generic?
- Is management’s AML/CTF risk assessment effectively tailored to your environment? Evaluating the risk assessment can be one of the most difficult parts of your internal audit because there is limited formal regulatory guidance and a heavy reliance on industry practices in this area. Regulators are increasingly focused on whether your risk assessment adequately addresses and quantifies your unique risk profile. Be sure that your risk assessment covers your products, services, customers and geographies, as well as how each contributes to your overall AML/CTF risk exposure. Don’t just look at the reasonableness of the ratings, dig into the details of the methodology—and make sure it’s documented. Do the statistics and data analysis support the results? And has the data been validated for completeness and accuracy, and is this validation documented? For more complex financial institutions, risk assessments should be conducted at the subsidiary or business line level, and then consolidated across the enterprise.
- Do you have the right AML/CTF systems, and are the models working appropriately and as intended? There are typically three models within the AML/CTF area: suspicious activity monitoring, customer risk scoring and sanctions screening. Review and evaluate the process and system owners, roles and responsibilities, change management procedures, user access controls, management’s initial and ongoing validation of both data integrity and model assumptions, and independent model validations. Additionally, internal audit should play an appropriate role in implementation and user acceptance testing within your organisation.
- Are your customer due diligence (CDD) and enhanced due diligence (EDD) practices appropriate to your risk profile? Understanding your customers and how they relate to your products and services is vital to an effective AML/CTF function. Your internal audit should take a close look at CDD and EDD practices as part of the approach.
The following customers and business areas deserve special attention:
- non-resident aliens, foreign nationals and politically exposed persons
- foreign correspondent banks
- trade finance
- payment processors
- money service businesses
- online and mobile banking operations
CDD activities should include a risk-based collection of customer information, which may include beneficial ownership so that you “know your customer,” as well as ongoing monitoring of customer risk. EDD activities should provide for periodic reviews of higher-risk customers to update information, conduct screenings and review aggregate transactional activity for reasonableness. EDD procedures should be tailored for the aforementioned business types if they are part of your customer base.
Don’t forget the basics
Be sure the scope and documentation of the internal audit covering your AML/CTF function is appropriate. Your internal audit and its scope should:
- include assessments for both design adequacy and operational effectiveness of key processes consistent with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the Anti-Money Laundering and Counter-Terrorism Financing Rules and the AUSTRAC Compliance Guide
- include all applicable subsidiaries and lines of business
- confirm findings with management, and provide timely final reports
- state conclusions clearly
- make clear recommendations that address the root cause of any issues within the final reports
- retain work-papers, planning documents, process narratives and testing schedules
- explain out-of-scope areas, if any
- incorporate new regulatory guidance within the internal audit program on a timely basis
- define terminology and standards
- adjust internal audit procedures to changes in the risk profile, including attributes tested and testing methods (e.g., re-performance testing for higher-risk control activities)
- use appropriate sampling methodologies and sample sizes based on risk (larger sample sizes for higher-risk controls)
- track findings, and follow up on any prior audit or examination findings
Internal audit is your final, third line of defence. When it comes to AML/CTF concerns in particular, it is also an area facing increased scrutiny from regulators. It’s vital to ensure that your AML/CTF internal audit is tailored to your unique risks.