‘Audit’ can be an intimidating word, and the process is one that people don't often look forward to - or manage as proactively as they could.
Anti-financial crime audits, whether they be external or internal, are an expected part of a firm’s three lines of defence - but more importantly, a key part of the assurance cycle.
They don't have to be an uphill struggle, though. FINTRAIL’s audit and assurance experts have shared some of their best practices and tips for getting the right auditor in and managing the process effectively.
1. Define scope
It may sound obvious, but make sure you have a defined scope with your auditors so you understand what FinCrime topics they are covering and how. This should also align to your local regulators’ and banking partners’ expectations.
2. Be aware of regulatory changes
Regulatory audit changes are a constant battle for everyone, but it’s important to stay on top of them. Knowing what has changed since your last audit and whether you have implemented it will certainly be a question for most auditors.
Check out our Audit Regulations Guide to gain insight into key regulatory changes, emerging areas of regulatory focus and regulatory enforcement trends.
3. Be prepared
Much of the work we do in FinCrime is often reactive, but as you’ve organised the audit, you can be prepared for it. For instance:
Does your senior manager know they are going to be interviewed?
Are the team aware they will be involved in thematic sessions/testing?
The more planning you do, the better the outcome will likely be.
4. Honest self-declarations
Within any kick-off session or self-declaration session, try to be honest about the current situation. If you have a gap in your AFC framework, the likelihood is your auditors are going to find it. It is better to be honest about obvious gaps you are aware of and to be able to demonstrate you are taking proactive measures to resolve them.
5. Collaborative, not combative
This point refers to both parties. There is no need for either side of the table to create a combative environment. Ultimately, a good auditor wants to provide you with useful information on where you need enhancements. This can be done in a considerate way without intimidating the life out of your analysts.
6. Practical recommendations
In our view at FINTRAIL, a good audit report will not only highlight areas of deficiency, but also elaborate on expectations of how to resolve the issue. Just telling you that you do not meet line 1.3.11 of the AML Regulations or line 2.4.7 of the Bank Secrecy Act isn’t actually that helpful! Don’t be shy about asking for practical recommendations to resolve issues.
7. Auditor profiles matter
Do you actually know who is conducting the audit? Many regulators talk about fit and proper tests for those in regulated roles, but it’s reasonable to expect that your auditor is qualified for the job as well.
8. Be mindful of time
Make sure you have a full understanding of how much time your FinCrime auditors are spending on the process. Whilst a short, light-touch audit may sound good in principle, the likelihood is they are going to miss something.
9. Challenge findings
It is perfectly acceptable to challenge your findings or the rating of the findings. You should have a closing session with your auditors and make sure you come prepared with evidence of why you disagree - just telling them you don’t agree is not going to be sufficient justification for closing a recommendation.
10. Opportunities for budget and project approvals
Audits are a perfect opportunity to provide justification to your management of where more budget is required for a new tool or more headcount.
11. Track your findings
Once your audit is complete, make sure you track your findings, allocate them to someone specific, and prioritise them against the ratings provided. Auditors know you won’t be able to do everything at once - but come the following year, you will need to be able to present sufficient progress against closing last year’s findings.
Selecting the Right Audit Partner
By following these tips, you’re likely to have a smoother, more efficient experience during your next audit. But of course, who you choose to work with will also determine the outcome.
FINTRAIL’s audit professionals come from the very industries we support - they have extensive experience in auditing the financial crime and compliance controls within electronic money, payment institutions, virtual asset providers and innovative financial service businesses.
To find out more about how we can support your audits and assurance requirements, get in touch with our team.