Effective Audit Function BSAAML - PowerPoint PPT Presentation

About This Presentation
Title:

Effective Audit Function BSAAML

Slides: 45
Provided by: csbs

Transcript and Presenter's Notes



1
Effective Audit Function: BSA/AML
Nyron L. Davidson, Founder, Cerberean Consulting Group
2
Discussion Outline
  • An Effective Audit Function
  • Risk Based Approach
  • Four important elements of the audit function
  • Leveraging off internal audits
  • Audit Outsourcing

3
Risk Focused Examinations: New Exam Procedures/Specialized Exams
  • Regulators are continuing to move in the
    direction of risk-focused examinations (aka Risk
    Based Examinations) by concentrating on those
    financial institutions and activities that may be
    most vulnerable. Current priorities include
    BSA/AML compliance, money services businesses
    (MSBs), credit and debit cards, stored value cards,
    etc.

4
Why Risk Focused?
  • Promote sound financial system
  • Apply expert knowledge
  • Identify Emerging Trends and Risks
  • Develop Forward-Looking Supervisory Policies,
    Procedures, and Practices
  • Flexibility
  • Proactive approach
  • Significant preplanning
  • Limited testing
  • Risk management approach
  • Minimize regulatory burden

5
Benefits
  • More input on assignments
  • More time to prepare with greater emphasis on
    planning time
  • Specialization among examiners by working with
    specialized areas
  • Collaboration
  • Cooperation with internal and external auditors
  • Coordination with other authorities
  • Minimize Regulatory Burden
  • Minimize cost of examinations and the time needed
    to complete these examinations

6
Risk Focused Examinations: Four Key Steps
  • Understanding the Institution
  • Assessing the Institution's Risks
  • Developing a Supervisory Program
  • Defining Examination Activities

7
Risk Focused Examinations: Supervisory Documents
  • Institutional Profile
  • Risk Matrix
  • Risk Assessment
  • Supervisory Plan
  • Examination Program
  • Scope Memoranda

8
Internal Audit
  • WHY AUDIT REVIEW?
  • Tool to understand the organization
  • An independent group which looks at issues
  • Independent evaluation of risk
  • Gain knowledge of the control environment

9
  • IMPACT UNDER RISK-FOCUSED APPROACH
  • Review of audit as a control factor
  • Ongoing: review changes to the audit process
  • Reliance upon internal and/or external audit

10
Key Role of the Audit Function
  • Internal Audit is relied upon to review and
    appraise the soundness and adequacy of AML
    controls
  • Management also relies on audit to provide
    feedback about the way the organization is
    functioning, as well as validating the
    institution's process for accumulating and
    reporting on transactions and financial data

11
Key Role of the Audit Function
  • The Institute of Internal Auditors defines audit
    as:
  • An independent appraisal activity within an
    organization for review of operations as a
    service to management. It is a management
    control, which functions by measuring and
    evaluating the effectiveness of other controls

12
Internal Audit Function
  • The board of directors and senior management
    are responsible
  • The auditor should have Clout and Independence
  • The audit function should be adequately
    staffed and possess the appropriate skills,
    expertise, training and qualifications
  • Audit function should report to the board of
    directors directly or through a board appointed
    committee (i.e. Audit Committee)
  • Functional and Administrative Reporting Lines
  • Internal audit function should be competently
    supervised and staffed by people with sufficient
    expertise and resources to identify the risks
    inherent in the institution and to assess the
    effectiveness of internal controls

13
Four Important Elements of the Audit Function
  • Competence of the internal audit staff
  • Independence of the internal audit staff
  • Adequacy of the internal audit coverage
  • Audit report and management's response

14
  • Management, staffing and audit quality
  • Internal audit function should be competently
    supervised and staffed by people with sufficient
    expertise and resources to identify the risks
    inherent in the institution and to assess the
    effectiveness of internal controls

15
Competence of the Audit Staff
  • The first decision that must be made concerning
    internal audit is the competency of the employees
    performing the audit function
  • Auditor competence is found in three areas:
  • Job qualifications and training
  • Relevant work experience
  • Quality of Work

16
Job Qualifications and Training
  • Evidence of staff competency includes the
    auditor's:
  • Resume
  • Diplomas
  • Certifications
  • Continuing education
  • Sufficient knowledge of applicable laws and rules

17
Relevant Work Experience
  • The auditor's resume will be the best indication of
    relevant work experience and should include prior
    work experience and responsibilities
  • Does the auditor have experience in banking and bank
    accounting?
  • What is the extent of specialized experience such
    as bank compliance and operations, electronic
    data processing, trust, and credit?

18
Quality of Auditor's Work
  • Quality is evaluated by reading the audit reports
    and reviewing work papers to see if they are
    complete and comprehensive
  • Another important aspect of quality is the
    internal auditor's ability to complete the annual
    audit plan on a timely basis
  • Audits not completed timely could indicate that
    the audit staff was too small or inexperienced

19
Independence of Internal Audit Staff
  • The auditor must have enough independence to be
    able to perform the audit function objectively.
    To be independent, an auditor must:
  • Have sufficient responsibility to perform the job
  • Have senior management's support
  • Be accountable to the board and executive
    management only
  • Be independent of the activities he or she audits

20
Independence of Internal Audit Staff
  • Is management able to restrict or alter the audit
    program in any way?
  • Any requests for deviation from the annual audit
    program should be reviewed and approved by the
    board or a committee thereof
  • Does the audit report go directly to the board or
    its audit committee?
  • The president or the head of the department that
    was audited should have no ability to negotiate
    or edit the contents of the audit report

21
Adequacy of the Internal Audit
  • The scope of the audit should be consistent with
    the internal audit objective
  • The objective of the audit is to assess
    compliance with applicable laws, rules, standards
    and internal policies and procedures

22
Adequacy of the Internal Audit
  • The evaluation here is whether the scope of the
    audit is adequate given the nature of the
    institution's activities
  • When reviewing the scope, consider the following:
  • Who set the scope? The scope should be set by the
    auditor and approved by the board
  • Is the audit structured to assess the controls
    based on the risks posed by the products and
    services offered, customers served, and
    geographies?

23
Adequacy of the Internal Audit
  • What should the audit program incorporate?
  • An assessment of the AML compliance officer's
    adherence to his/her designated roles and
    responsibilities
  • The adequacy of policies and procedures
  • The AML training program
  • The integrity and reliability of systems used for
    AML compliance

24
Adequacy of the Internal Audit
  • What should the audit program incorporate?
  • Record retention
  • Currency transactions
  • Suspicious Activity Reports
  • Wire transfers
  • Know Your Customer
  • Sale and purchase of monetary instruments

25
Frequency of Audit Coverage
  • The audit schedule should be in the annual audit
    plan
  • The audit plan should be approved by the board
  • Each area should be on the annual audit schedule
  • Some areas will be audited more frequently than
    others

26
  • The manager of internal audit is responsible for:
  • Control risk assessment
  • Audit plan
  • Audit program, and
  • Audit reports

27
  • Control Risk Assessment
  • (Risk Assessment Methodology)
  • Documents the internal auditor's understanding of
    the institution's business activities and their
    associated risks. These assessments analyze the
    risks inherent in a given business line, the
    mitigating control processes, and the resulting
    risk exposure. They should be updated regularly
    to reflect changes to the system of internal
    control or work processes, and incorporate new
    lines of business.

28
  • Audit Plan
  • Based on the control risk assessment and
    typically includes a summary of key internal
    controls within each significant business
    activity, the timing and frequency of planned
    audit work and resource budget.

29
  • Audit Program
  • Describes the objectives of the audit work
    and lists the procedures to be performed
    during the review.

30
  • Audit Report
  • Presents the purpose, scope, and result of the
    audit including findings, conclusions and
    recommendations. Workpapers that document the
    work performed and support the report should be
    maintained.

31
AML/CFT Audit Reports
  • The AML/CFT audit report should:
  • Sufficiently describe the work performed
  • Indicate that all operational deficiencies were
    completely investigated during the audit
  • Indicate any deficiencies that were identified or
    criticized in the previous report that remain
    unsolved

32
AML/CFT Audit Reports
  • The AML/CFT audit report should:
  • Document the follow-up procedures, and
    management's response to deficiencies
  • Be presented to the board, or a committee
    thereof, by the auditor or audit manager

33
Management's Response to the Audit
  • Management's response is a critical factor in
    evaluating the effectiveness of internal audit
  • Even if the auditor is fully qualified and
    his/her audits were comprehensive, they are of
    little value if management ignores the findings

34
Management's Response to the Audit
  • Three areas to consider when evaluating
    management's response:
  • Appropriateness of the response
  • Timeliness of the response
  • Repeat deficiencies

35
Management's Response to the Audit
  • Management's responses to audit findings should
    document appropriate corrective actions to the
    deficiencies
  • A deadline should be provided in which management
    should respond to audit findings
  • The board or a committee should monitor responses
    and investigate when responses are not provided
    in a timely manner

36
Management's Response to the Audit
  • Repeat deficiencies should be noted in the audit
    reports, and the board should take appropriate
    action to achieve final resolution of
    deficiencies
  • In some cases, it may be appropriate for the
    auditor to perform follow-up procedures to verify
    that corrective action was taken

37
Management's Response to the Audit
  • Senior management's reaction to repeat
    deficiencies should be evaluated
  • Senior management should send a strong message to
    employees regarding the correction of repeat
    audit deficiencies
  • In some organizations, repeat audit deficiencies
    are considered in performance evaluations of
    department managers

38
Leveraging off Internal Audit
  • It may be possible to rely on already-performed
    audit work in the risk assessment and planning
    process
  • Leveraging off internal audit avoids redundant
    verifications and reviews of certain business
    areas while on-site
  • This can be done only after audit's work has been
    deemed credible and effective
  • Examiners should document whether the scope of
    their own review will be influenced by the
    internal audit work already completed

39
Limits to the Use of Internal Audit's Work
  • Circumstances which would likely preclude
    leveraging off the work of internal audit:
  • The bank's risk assessment process is not
    comprehensive
  • The audit program for individual business lines
    is inadequate
  • A recent audit was not performed since the prior
    examination

40
AUDIT PROVIDERS
  • External audit
  • ENGAGEMENT LETTER
  • - Financial statement reviews
  • - Operational reviews
  • - Agreed-upon procedures

41
AUDIT PROVIDERS
  • Audit Outsourcing Arrangements
  • - Contract between institution and vendor. This
    includes:
  • Expectations and responsibilities
  • Scope and frequency of work to be performed, and
    fees to be paid
  • Establish process for changing terms of service
    contract

42
AUDIT PROVIDERS
  • Specify location of audit reports and related
    work papers
  • Specify period of time that vendor must maintain
    workpapers
  • Examiners' access: made available to
    regulators in a timely manner, and
  • Vendor will not perform management functions,
    make decisions or act in a capacity equivalent to
    management or staff.

43
AUDIT PROVIDERS
  • Vendor competence: perform due diligence
    (staffing, expertise and qualifications)
  • Management: BOD and senior management should
    ensure the function is competently managed
  • Communication: Audit Committee and senior
    management. Work to be properly documented
  • Contingency planning: plan for discontinuity, as
    arrangements can be terminated suddenly

44
Types of Control Breakdowns in Financial
Institutions
  • Lack of adequate management oversight and
    accountability, and failure to develop a strong
    control culture
  • Inadequate recognition and assessment of risk of
    business activities
  • Absence or failure of key control structures and
    activities such as segregation of duties,
    limits/approvals, reconciliations and review of
    operating performance
  • Inadequate communication of information between
    levels of management (top-down/bottom-up)
  • Inadequate or ineffective audit programmes and
    monitoring activities.