The role of Internal Audit within the AML Framework

In today’s world of tightening regulations and an evolving risk landscape, companies are facing increased pressure to comply with Anti-Money Laundering (AML) regulations to avoid hefty fines, reputational risk, and disruptions to their operations.

Now more than ever, companies require assurance that their AML control framework is strong and tight enough to prevent and detect instances where their business can be used to clean money or to finance terrorism. Internal audit may provide this assurance to the company by assessing its AML control framework. It also gives the company the opportunity to address any issues before they escalate or before they are detected by the competent authorities.

What is Internal Audit?

A company can never be in business without being susceptible to risks. Having said that, it needs to have sufficient mitigating controls to address those risks and reduce them to an acceptable level. According to the Chartered Institute of Internal Auditors, the role of internal audit is to provide independent assurance that an organisation's risk management, governance, and internal control processes are operating effectively. In essence, internal audit, being the third line of defence, will assess the design and operating effectiveness of the internal control framework and provide an independent opinion thereon. Most importantly, it would also propose recommendations on how identified weaknesses can be addressed by management. The independence of an internal auditor is crucial in ensuring opinions expressed are free from any internal and external interference, or undue pressure.

What is the regulatory requirement?

The Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and the related Implementing Procedures (IPs) emphasize the importance of monitoring the AML control framework on an ongoing basis. These also encourage companies to consider the implementation of an independent audit function to assess the design and effectiveness of the implementation of measures, policies, controls, and procedures adopted by the company to address AML risk. The IPs also state that a company is not necessarily required to set up an internal audit function, but it can also engage an independent consultant or an internal party, who is independent of the operations, to carry out this role.

What are the critical elements for an effective internal audit function?

The internal audit team should have the required qualifications and expertise in AML to be able to understand the regulatory obligations, best practices, as well as the latest money laundering typologies. This should be coupled with a thorough understanding of the operations of the company to be able to assess the AML risks it is susceptible to, based on the four key risk factors: product, customer, interface, and geographical risk.

Defining scope is critical. This is achieved by having an open communication channel between the internal audit team and the Board of Directors or Audit Committee during the scoping of an assignment, to ensure that resources are focused on those areas which pose the highest risk. Audits may be focused on specific high-risk areas (such as onboarding, monitoring, customer risk assessments, or reporting) or else take the form of a general health check of the AML control framework to provide an insight into the company’s compliance with its AML/CFT obligations.

Such audits would typically have two facets. The first would focus on an assessment of the design of policies, procedures, controls, and systems to ensure that they meet the regulatory requirements, and are in line with best practices and with the risk appetite of the company.  

The second would include a review of the implementation of the company’s policies and procedures by the first line of defence, to guarantee that the controls designed by management are implemented in practice and that the controls are effective in mitigating the risk. This may also cover the oversight and checks carried out by the second line of defence, these being Compliance and the Money Laundering Reporting Officer (MLRO). Various methodologies may be used during this phase, such as data analysis to provide greater coverage, which could eliminate or reduce the need for large and time-consuming substantive sampling.

Whilst preserving independence, internal audit should work together with management and the relationship between the two should be built on mutual trust. This can be achieved by discussing findings and remediation plans during the course of the audit. The internal audit report is first presented to management, which is, in turn, requested to comment on the findings before it is presented to the Board of Directors or Audit Committee. 

The role of internal audit should be dynamic and should adapt to the needs of the company. There are various ‘non-traditional’ assignments that may be undertaken by internal audit in order to assist the company, whilst it navigates through the various stages in its lifecycle. These could include involvement during the development of new tools, systems, policies, and procedures, or during the development of new products or service lines; the post-implementation assessment of systems, tools, policies, and procedures; assistance during de-risking exercises; assessments of the AML risk and control framework of an entity as part of the due diligence process prior to a merger and acquisition transaction or joint venture arrangement; as well as the provision of training.

This article was written by our advisory senior manager Alicia Vella, specialising in internal audit, AML, and regulatory compliance.

This article first appeared in the Sunday Times of Malta on 21/02/2021