Preparing for an Audit – Top five things to do

This article features our ‘top five’ things firms should do when preparing for an audit. Accelerate Advisory specialises in AML/CFT audits. Under Section 59 of the AML/CFT Act, Reporting Entities (REs) are required to complete an independent audit every two years. The audit examines the following:

  • The AML/CFT risk assessment and AML/CFT programme. The auditors review the content of these two core documents against the requirements of the AML/CFT Act, and any guidance materials issued by the AML/CFT Supervisors.  
  • Staff Vetting policies and controls, and AML/CFT training. 
  • Customer Due Diligence processes and controls, including ‘know-your-client’ (KYC) procedures. 
  • Account monitoring, suspicious transaction reporting, and prescribed transaction reporting. 
  • Governance and oversight of your AML/CFT policies and controls. 

This AML/CFT Audit Guidance released by the AML/CFT Supervisors provides more information on the requirements of an audit.

In our experience, firms can be unprepared for an audit. This is because they are either new to their AML/CFT obligations, or have not done enough to demonstrate how policies, processes and controls operate in practice. 

Firms can benefit from reviewing our list and considering how it applies when preparing for their AML/CFT audits. We also consider that the list below can apply across any kind of audit.

Our top five things

  1. Understand your Auditor’s ‘Scope of Engagement’: Your auditor should prepare a scope of engagement for you, also known as the engagement letter. The scope covers what will be tested and gives you an idea of the areas your auditor will cover. The scope may also stipulate the procedures the auditor will perform. The more robust the procedures, the greater the ‘level of assurance’ your auditor can provide.  Make sure the scope of engagement clearly outlines the level of assurance provided, so you understand the degree of trust and confidence in the assurance opinion. 

    Whilst a greater level of assurance probably means a more expensive audit, you should consider the long-term value a quality audit can provide, especially if this is your first audit under the AML/CFT Act. A quality audit can provide more detailed recommendations, which gets you off on the right foot. A quality audit can save costs on remediating policies, processes, and controls in the long run. Remember, your AML/CFT supervisor may ask for evidence of your audit at any time. If the audit quality was poor, this may increase the risk of negative regulatory attention. 

    If needed, we recommend you hold a pre-audit meeting to understand the engagement. You can use the pre-audit meeting to validate whether the auditor is qualified to conduct the audit, and to confirm their independence. Attributes to consider when validating an auditor’s qualifications are their level of knowledge of the topic, their prior experience, and how knowledgeable they are about your industry. For independence, the auditor should not have a hand in creating or updating your risk assessment or programme. The AML/CFT supervisors expect REs to document what they have considered when assessing the auditor’s independence and relevant experience to perform the audit.
  2. Ensure your records are readily retrievable: The audit is essentially an independent verification that the controls and processes in your AML/CFT programme are designed and operating effectively. In order to do this, auditors pick a sample and need to retrieve records that clearly demonstrate those controls are occurring. We recommend you clearly title your records, and ensure they can be easily accessed. When providing the documents to your auditor, we recommend the documents be indexed against the auditor’s documentation request. For example, if an auditor is asking for a particular client’s onboarding documentation, you should name the file in a manner that references the document in the auditor’s request listing. This ensures documents are not mixed up, and saves you valuable time, as the auditor will not have to come back to you to validate whether all documents were received.

    For AML/CFT audits, records must be kept for a period of at least 5 years after the date on which they ceased to be used on a regular basis. In our experience, areas of poor record keeping include staff training registers, customer due diligence documentation (particularly politically exposed person (PEP) checks), and evidence of account monitoring and suspicious activity reporting (SARs). We recommend you follow good record-keeping practices throughout the year, so you are well equipped to handle any unexpected documentation requests. If you have not been keeping records, you can start now!
  3. Ensure staff are prepared to assist: In our experience, the willingness of staff to assist with document requests, and to clarify controls, processes and systems for auditors, is key to a smooth and effective audit. To do this, you must create a culture of compliance, where staff are encouraged to contribute to good compliance practices in their day-to-day roles, including raising concerns and cooperating with auditors. We have seen instances where staff were not aware we were conducting an audit, or were nervous and non-responsive. Staff should be briefed on the purpose of the audit, and how they can assist. If possible, ask your auditor for an agenda and their list of selected interviewees, and share this with your staff. For those REs who outsource one or more areas of their AML/CFT, ensure you discuss the availability of your outsourced service providers to answer questions, and provide records, if necessary.
  4. Treat audit preparation as a year-round process: This means documenting everything throughout the year and creating that ‘audit trail’, including internal processes and controls. By doing this, you can ensure your auditors hit the ground running. Consider what internal documents can be leveraged to describe processes and controls as documented in your AML/CFT programme.
  5. Once the audit is underway, relax! If you implemented the above four things then the audit should be smooth sailing. Preparation is key. It is important to note that audits do not need to be a stressful experience. Focus on asking your auditor questions and aim to learn from any suggested recommendations, so you can improve your internal policies, processes, and controls. Doing this provides you with a greater understanding of the challenges in your AML/CFT compliance, which gives you a head start in remediating any findings and saves you costs in the long run.

If you believe you’ve not been meeting your obligations throughout the year, it is important to seek professional help. Accelerate Advisory assists our clients with their compliance requirements so that managers and owners can focus on running their business.

If you would like to receive a pre-audit checklist from Accelerate Advisory, or require an independent audit, please complete the form on this website, email us at [email protected] or call us at +21 02535718. 

Note – Post Covid-19, we now offer a remote option for conducting independent AML/CFT audits. This means we can test your compliance online via video conference facilities, without compromising your health and safety.

Disclaimer: This blog post provided is for information only and cannot be relied on as evidence of complying with the requirements of the AML/CFT Act. It does not constitute legal advice and cannot be relied on as such. 
