Broken down to its most basic level, an audit is a method by which firms seek an external opinion on their policies, procedures, systems and controls. Rather than an exercise in detecting shortcomings and failures, the process of a compliance audit should be viewed as a means of testing an AML/CTF framework to identify opportunities for enhancement as well as to highlight any issues. In essence, the intention is to provide assurance that the firm is operating in a compliant manner within its own specific regulatory framework.
What does an audit actually involve?
An audit will usually involve a period of initial fact-finding, followed by an on-site visit.
The on-site visit enables a comprehensive assessment of a firm’s internal policies, procedures, systems and controls. It can be broken down into three key components: side-by-side walkthroughs to observe how procedures work in practice; testing to determine whether procedures have been followed; and interviews with relevant persons to gauge individual knowledge, as well as the culture of compliance in the firm.
After the conclusion of the on-site visit, all information will be documented and a detailed report of findings will be presented to the board and senior management. This report will identify deficiencies, gaps, and weaknesses and present detailed recommendations for improvement.
What will we ask you for?
Prior to the commencement of the on-site component, we will request documentation such as:
- AML Manual and suite of accompanying procedural documentation;
- Latest MLRO Annual Report (as presented to the board);
- AML training materials and a log of employee training provided;
- CVs of key personnel within the firm (i.e. the MLRO and the compliance team);
- Company organisational chart;
- List of the location of all clients (to assess the jurisdictional/country risk posed by the client base);
- List of the location of all beneficiaries;
- List of all current clients showing value and volume of activity;
- List of all high-risk clients showing client type/industry sector;
- List of any exceptional transactions over the last 6 months;
- Compliance monitoring policy/plan and accompanying procedure;
- Any management information shared between senior management;
- Any historical audit reports to assess the resolution of previous audit findings and a log of any/all remedial actions; and
- Comprehensive breakdown of the firm’s business model.
How do we prepare for the audit?
A positive message to all firms preparing for an external review is that under-preparing for an audit is not helpful; however, neither is over-preparing. When asked for tips on how to prepare, a member of our team summed it up best:
‘Transparency is key in order to limit the disruption to the firm’s operations and increase the likelihood of the auditors’ work providing reliable outcomes.’
Also, taking a step back, it is helpful to ensure you have the following in place prior to the audit:
- A compliance structure which is reflective of the current regulatory framework, yet is appropriately aligned with the size of the firm;
- A robust suite of effective AML/CTF policies and procedures to document how the firm has applied its framework and to mitigate the specific money laundering and terrorist financing risk posed to the business;
- A risk-based approach and evidence of this in both a customer risk assessment and a whole firm AML/CTF risk assessment;
- Documentation to show that all staff are fully trained on AML/CTF and all refresher training has been provided;
- All customer files are up-to-date and all relevant/necessary information is saved on file;
- All systems are tested to ensure that they are fit-for-purpose, robust and accurate; and
- All relevant staff are available for interviews and participation in the audit process for the on-site component.
How do we measure the success of an audit?
The effectiveness of a compliance audit should be measured by its ability to fulfil clearly defined goals and objectives. As the intention is to identify gaps, deficiencies and/or weaknesses in order to detect potential regulatory violations, the best tip that we can provide in preparation for an upcoming audit is to make every effort to facilitate this.
This is as simple as providing all requested documentation in a timely manner, making all relevant staff available where necessary and engaging with the process in the spirit of transparency; this will ensure that the agreed-upon plan and approach is carried out and that any potential disruption of the day-to-day operation of the business is limited.
Ultimately, an effective audit will provide valuable insight and can support future business goals and strategies by enabling future growth in a compliant manner.