Why independence matters with AML audits
AML/CFT supervisors recently expressed concern about the lack of independence of some AML/CFT audits. During a special auditor outreach session, they listed some examples that were of concern. This included the wife of the business owner carrying out an audit for that particular reporting entity. In another example, auditors offered their audit for free as an incentive for the firm to use the software solution provided by a related company.
The supervisors were quick to remind the industry of the need for independence by both the regulated entity and the service provider. They warned that in future, if they spot a lack of independence, it is likely they will hand down a private warning and ask the regulated entity to do the audit all over again.
So, while it may be tempting for a business to work with only one advisory firm or software provider to meet all its AML/CFT needs, the key word to bear in mind is independence.
Firms need to engage independent auditors to assess their compliance under the Act, or risk falling foul of the supervisors. Maintaining such independence is an important pillar of the successful operation of our AML/ CFT regime.
What is the audit requirement?
Under the Anti-Money Laundering and Counter Financing of Terrorism Act 2009 (AML/CFT Act), most reporting entities need to complete an independent audit every three years.
This requirement provides a systematic check of the firm’s AML/ CFT programme. It assesses whether it is functioning effectively in practice, and whether the policies, procedures and controls are appropriately based on the risks of money laundering and terrorism financing (ML/FT) identified by the business.
This audit must be completed by an ‘independent’ person who is appropriately qualified to carry it out.
What does ‘independent’ mean exactly?
‘Independent’ means the person carrying out the audit must not have been involved in putting together the risk assessment for the business, or in the creation, operation, or maintenance of the business’ AML/CFT programme. That person must also be sufficiently independent of the area of the business responsible for undertaking these AML/CFT functions.
When selecting an auditor, reporting entities should consider any potential conflicts of interest that could call into question the auditor’s independence. The supervisors say it is relevant to consider whether the auditor has a financial interest in the business, or vice versa. If one party has a financial interest in the other’s business, then it needs to be considered whether this could influence the outcome of the audit, or whether either party’s financial interest could be harmed by the audit results. If it could, the person is not sufficiently independent, and you should look for another auditor.
If AML/CFT company (A) provides generic guidance, templates, training, or information to enable a regulated entity (company B) to undertake its own risk assessment, or establish and operate its own AML/ CFT programme, this may not affect the ultimate independence of A and preclude it (or a related company) from auditing company B.
The important distinction lies in whether A has helped B to tailor and implement the programme or conduct the risk assessment, by providing bespoke, rather than generic, information and services. The real issue arises when one of the business’ integral AML/CFT processes or obligations is outsourced to another company, who then turns around and conducts the audit, or the auditor is related to the company that helped with these integral processes or obligations. In short, if they helped build it (specifically for your company), they shouldn’t audit it.
Remember, the standard for auditor independence should be determined by viewing independence through the eyes of an objective, reasonable and informed third party.
Why is independence important?
Auditors must be independent to ensure the objectivity of their assessment and audit findings.
If an auditor (or their company, or a related party) helped the regulated entity put together its risk assessment, then it may be hard for that auditor to be objective when it comes to assessing whether that same risk assessment meets the requirements of the AML/CFT Act.
Likewise, if an auditor (or their company, or a related party) had been contracted to, or provided software for conducting customer due diligence (CDD) for a regulated entity, it will then be hard for that same auditor to objectively review and assess the effectiveness of that CDD process as part of the AML/CFT programme.
An auditor will be more effective at spotting issues in a firm’s systems, processes, and controls if they are completely independent of the implementation and operation of these business functions. At the end of the day, you want an auditor that is going to show you where your weaknesses are, not just tick off their own work.
What does this mean for the AML/CFT industry and audit profession?
If an auditor fails to assess the work carried out objectively – and thoroughly – this increases the chance that money laundering/ financing of terrorism activities are not identified.
Even if a conflicted auditor could properly assess the work, the public perception may look upon this quite differently. This can significantly damage trust in the audit profession and the perceived value and integrity of the audit system.
Maintaining auditor independence ensures the audit process is robust and defendable which is crucial for the integrity of the industry and the AML/CFT system. If there is even a hint there could be a negative perception of the audit process, the supervisor expects the auditor either to stop providing the contracted services that would create a conflict, or not to perform the audit.
What to look for in an auditor
When a firm chooses an auditor, it must undertake sufficient due diligence to ensure the auditor is both independent and has not been involved in the establishment, implementation, or maintenance of the AML/CFT programme or risk assessment. The business needs to be able to sufficiently describe what it has done to ensure that independence.
Even if the auditor is sufficiently independent of the business itself, as well as the implementation of the AML/CFT programme, it can be beneficial not to use the same auditor or audit firm, repeatedly. Changing auditor (within the same audit firm), or changing audit firm altogether, can provide a more robust audit. This is because the auditor is able to assess the business with ‘fresh eyes’ and identify valid issues a previous auditor might have missed or overlooked. These potential benefits need to be weighed up against any perceived burdens associated with changing audit providers.
At the end of the day, a robust audit not only keeps you compliant, but helps you improve your compliance practices. And maintaining the integrity of independent audits, helps to maintain the integrity of the system overall, which we need to help keep a tight lid on money laundering and terrorism financing in our country.
Find out more about ‘What to look for when choosing an AML Auditor‘ with Tadius Munapeyi, Fellow Chartered Certified Accountant (UK) as he discusses how to get the most out of an audit.
About Strategi Compliance
Strategi’s team of experienced auditors have completed over 1,000 AML/CFT audits. It has been a leading provider of AML/CFT training, templates, ongoing support and independent
audit services across New Zealand since 2013.