Audit

Woman on laptop with man in background

What does an AML audit involve?

Anti-Money Laundering, Audit, Blogs, Legal Compliance /

We love an AML audit and really enjoy reviewing law firms’ policies and procedures to see the different approaches they take in respect of AML. Most of all, we find it extremely interesting to see how a firms’ culture surrounding compliance is changing.

In this blog, we delve into what an AML audit is, and what an AML audit involves. 

What is an AML Audit?

The AML audit process is a way to strengthen or improve a firm’s AML programme. It is a way of assessing whether Firm’s AML policies, controls and procedures are up to date, comply with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR) and are functioning in practice as intended.

What's the purpose of an AML audit?

The purpose of the Audit is to:

  • Examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the Firm to ensure compliance with the requirements of the Money Laundering Regulations;
  • Make recommendations in relation to those policies, controls and procedures; and
  • Monitor compliance with those recommendations.

Why conduct an AML audit?

There are two types of audit: 

Mandatory Audit

Regulation 21 of the MLR requires a relevant person, where appropriate to the size and nature of the business, to establish an independent audit function. This does not necessarily need to be an external audit, however, it will need to be conducted by someone in the firm who is independent of the Risk/Compliance/Anti Money Laundering (AML) function, but equally has enough AML knowledge to be able to conduct the audit. It is important to note that any findings in an Audit Report carried out under regulation 21 are disclosable to the Regulator.

Non-Mandatory Audit (Internal Audit)

A Firm may choose to conduct an internal Money Laundering Audit as routine procedure, being a way of checking whether the Firm’s policies, controls and procedures are up to date and comply with the MLR. The Audit report in these circumstances would remain for internal purposes only and confidential to the firm.

What's does an AML audit involve?

There are four stages involved in an AML audit: 

1. Review of policies and procedures

Firstly, a review of all the firm’s AML policies and procedures, Firm Risk Assessment and the Firm’s matter-based Risk Assessment is conducted by the auditor.

When carrying out the review the auditor will assess whether the firm’s AML policies and procedures meet the requirements of the MLR.

The auditor will use a list/table of each specific regulation and check this against the firm’s AML policies and procedures to confirm whether or not the firm has met that requirement.

2. Test

As part of the audit the auditor should test the knowledge, understanding and application of the firm’s processes. This is normally tested through staff interviews and matter file reviews.

Interviews

Interviewing staff will help the auditor assess the staff’s knowledge and understanding of money laundering, money laundering red flags and the firm’s processes.

File reviews

The auditor will carry out a review of files and assess whether the matters comply with the firm’s AML policies and procedures.

The auditor may also request to review some closed files. Reviewing a closed matter will assist the auditor in assessing whether there was on-going monitoring of risk and whether the completion instructions to accounts included information as to risk.

3. The Audit Report

The audit will result in a written report on whether:

  • The firm’s risk assessment and AML policies, controls and procedures comply with the minimum requirements of the MLR.
  • Changes which are required as a result of deficiencies identified (if any).

The audit report should:

  • Set out the law (what specific regulations of the MLR were checked against).
  • Explain what was examined for that specific regulation.
  • Document findings of areas of compliance and non-compliance as well as identifying areas for recommended improvement in behaviour and practice. It should be made clear which areas the firm is compliant, non-compliant or partially compliant.
  • Include an indication of where there are potential failings and a recommended course of action.

4. Review

The firm should conduct a review following an implementation period to establish compliance with the recommendations. As part of the review the auditor will be assessing whether the recommendations have been carried out and whether there is any evidence to show whether they are effective.

Get in touch

If you would like to discuss this further or feel your firm requires an independent AML audit, please get in touch and we’ll be happy to help.

Get in touch

What does an AML audit involve? Read More »

two people working on laptops

Anti-Money Laundering – What to expect from an Independent Audit

Anti-Money Laundering, Audit, Blogs, Legal Compliance /

 

Regulation 21 of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (otherwise known as the Money Laundering Regulations) requires that regulated firms implement certain controls where it is appropriate to the size and nature of the firm. One of those controls is to establish an independent audit function. 

The size and nature test requires some objective thought and firms are directed by the Legal Sector Affinity Group’s Guidance to consider a number of factors including the number of staff and offices your firm has, your client demographic, and the nature and complexity of work you undertake. The Solicitors Regulation Authority’s take on it is that most firms (but not all) will need an independent audit. In its latest AML Report of October 2021, the Regulator found that a high number of firms visited (49 out of 69) failed to implement an independent audit where required. For those firms where an audit had been carried out, some common areas of concern were that the reviews were not sufficiently thorough or lacked an element of testing, they weren’t independent, and firms had not implemented the recommendations in a timely way. Such concerns could lead to firms being referred to the SRA’s Investigations Team. 

 

So if you have considered the size and nature test and determined that you need an independent audit, what should you expect from your review? It is key that your audit: 
    • Is independent from the people in your firm who are involved in setting and following the policies. The Regulations don’t prescribe that your audit must be carried out by a third party; but consider whether you are of a sufficient size to be able to resource a truly independent audit. Do you have staff with the right knowledge and capacity to carry out the audit? Even larger firms who have an audit function may find they do not have the necessary experience in AML. 
    • Is adequate in its scope and depth in order to give the firm assurance that the policies, controls and procedures they have in place are working. It should include a review of the existing documentation including firm and matter risk assessments and training plans, and a detailed review of how those processes have been implemented through file reviews and interviews with staff members to test understanding. The frequency of the audit should also be considered. Many firms decide to carry out an annual audit based on the size and nature test, but you may also consider focusing more frequent audits on higher risk areas as identified in your firm-wide risk assessment. 
    • Effectively identifies where processes are working well and roots out any problems with the process or where the process is not being followed. This means having the right person with the right expertise to carry out the audit so they know what they are looking for. It means carrying out an adequate number of interviews and file reviews across all locations and matter types so the Auditor can get a good feel for the firm and the types of issues that are occurring. Staff members from your fee earning teams, finance and any centralised onboarding teams should expect to be interviewed, along with the firm’s MLRO/MLCO. You may also consider focusing more frequent audits on higher risk areas as identified in your firm-wide risk assessment 
    • Provides feedback on where the firm’s current policies and procedures are not meeting the requirements of the Regulations and makes recommendations for improvement. A written report will provide you with the evidence that an independent audit has been carried out should the Regulator ever ask you for that information. The report should clearly set out the actions that should be taken to rectify any non-compliance. Recommendations should be implemented in a timely way and you should keep a record of the actions taken to meet the recommendations. 
    • Is part of an ongoing monitoring process to help you continually evaluate and improve compliance with the Regulations. Keep records of independent audits carried out for future reference and to evidence a robust auditing regime. 

There is no doubt that an independent audit requires some forwarding planning and investment in resources, whether that be internal resource or if you plan to engage an independent firm to carry out the audit on your behalf. It’s not a tick box exercise. Senior level commitment to the importance of implementing good anti-money laundering controls is therefore crucial and sets the tone for the firm and for the staff whose files may be reviewed or who may be interviewed as part of the audit process. But the reward for your investment is obtaining a real learning opportunity to understand what your firm is doing right and where it can make improvements and effectively manage money laundering risks.

 

Get in touch

For more information about our independent audit service, get in touch with our experts today.

 

 

Photo by Scott Graham on Unsplash

Anti-Money Laundering – What to expect from an Independent Audit Read More »

Two screens on a desk containing data spreadsheets

Time to audit data compliance?

Audit, Blogs, Data Protection /

We’re nearly a year since the frantic preparations for GDPR. How is it all going? Should we be checking? Should we audit data compliance?

Why do I need to complete a data compliance audit?

An audit allows an organisation to understand whether it is complying with the requirements of the Data Protection Act 2018, GDPR and PECR. Art 5(2) of GDPR states that

“The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles]”.

This is often referred to as the ‘accountability’ principle – completing and audit will allow an organisation to demonstrate accountability with the principles.

If the worst happens, and your organisation does suffer a data breach, the ability to demonstrate that you have completed regular audits and reviews of your data protection arrangements may assist in mitigating against a GDPR fine.

Data protection compliance is an ever evolving journey and not a destination. Audits allow organisations to assess any gaps in compliance and any improvements that can be made.

Initial Audit/GAP Analysis

If you haven’t already completed one, its a good idea to start with a full audit/GAP Analysis to benchmark the current level of compliance within your organisation. This audit will then form the basis of any improvements.

You should consider:

  • Do you have the relevant policies and procedures?
  • Have you completed a data audit, clearly documenting what personal data you process and the legal basis for processing it?
  • Do you have up to date data flow maps showing how data moves through your organisation?
  • Do you have a process for dealing with data subject requests within one month?
  • Do you have a process for dealing with data breaches and incidents?
  • Have you updated your contracts of employments and issued a privacy notice to all employees detailing how their data will be processed?
  • Do you have contracts in place with anyone who processes data on your behalf?
  • Do you have training scheduled or already completed?
  • Do you have a culture of privacy by design and default including a DPIA process?

Annual Compliance Audit

Once you have completed the work identified in your initial audit, the annual audit should be a much shorter exercise. The aim of this exercise is to test your process and controls to provide assurance that your organisations policies are being followed and to identify any improvements that can be made.

For an annual audit you should consider:

  • Are your policies and procedures up to date?
  • Do they reflect any process changes which have taken place?
  • Refresh your data audit – are your data flow maps up to date?
  • Is your Data Retention Policy being followed – ask IT to check whether you are holding data that should have been deleted?
  • Are data subject requests being responded to within one month?
  • Are data subject complaints being responded to promptly?
  • Is training up to date?Is there a good level of employee awareness?
  • Do you have contracts in place with all your data processors?

Report to the Board

Following the annual audit, you may want to complete a report to the Board detailing the findings together with MI on the number of data subject requests, data related complaints, breaches, incidents and any contact with the ICO.

How can Teal Compliance help?

Our Teal experts can help you with any aspect of data protection compliance, from carrying out a gap analysis, assisting you with a data audit or creation of policies/procedures to carrying out an independent annual audit. This can be done as a stand alone piece of work or as part of our DPO support service. Get in touch with our experts today.

Time to audit data compliance? Read More »