WHITE PAPER
Overview of a 360-degree
Group Advisory Audit: The
Last and Best Control to
Ensure Enterprise-wide
AML/CFT Compliance
Jose Thottungal CPA, CSSP, CAMS, MA
CAMS - AUDIT
Overview of a 360-degree Group Advisory Audit
Page 1 of 19
Table of Contents
EXECUTIVE SUMMARY ... 2
INTRODUCTION ... 2
BACKGROUND ... 3
WHAT IS A BIG BANK? ... 3
INTERNAL CONTROL STRUCTURE FOR A FINANCIAL INSTITUTION ... 3
LINES OF DEFENSE ... 3
COMPONENTS OF AN AML COMPLIANCE AUDIT ... 4
CHALLENGES IMPACTING AN AML PROGRAM ... 5
JURISDICTION RISK AND TYPOLOGIES ... 5
DIVERSE PRODUCTS ... 5
CHANGE IN RISK PROFILE ... 6
VARIATIONS IN THE REGULATORY STANDARDS ... 6
LEVEL OF EXPERIENCE ... 6
DATA QUALITY STANDARDS ... 7
OTHER FACTORS ... 7
SOLUTION: 360-DEGREE INDEPENDENT AUDIT ... 8
SELF-ASSESSMENTS ON AML COMPLIANCE ... 8
AUDIT FEEDBACK ... 10
DEVELOPMENT OF A QUESTIONNAIRE ... 10
DISTRIBUTION AND COLLECTION OF THE QUESTIONNAIRE ... 10
PRE-ADVISORY AUDIT ... 10
GROUP AUDIT PROFILE ... 10
OBJECTIVITY AND INDEPENDENCE ... 10
AML PROFICIENCY AND DUE PROFESSIONAL CARE ... 11
ADEQUACY OF AML TRAINING ... 11
AUDIT RISK ... 11
AML COMPLIANCE ADVISORY AUDIT PROGRAMS ... 11
RISK ASSESSMENT FOR THE BANK ... 12
AML RISK ASSESSMENT BY GIA ... 13
SCOPING AND PLANNING ... 13
FIELDWORK AND TESTING ... 14
REPORTING ... 15
REPORT TO THE BOARD ... 16
GROUP COMPLIANCE DIVISION SENIOR MANAGEMENT UPDATE ... 16
FOLLOW-UP ON CORRECTIVE ACTIONS ... 16
CONCLUSION ... 17
WORKS CITED ... 18
Executive Summary
The objective of this paper is to research, analyze, and conclude the way(s) to sustain AML
regulatory compliance for a big bank environment.
The strategy of a bank should be to maintain the best level of controls to serve the best interests of
all the stakeholders: shareholders, board of directors, customers, and regulators. Internal control,
supported by an appropriate structure, is a process, effected by the board of directors and
management, designed to ensure the achievement of the bank’s strategic objectives to a
reasonable extent.
In the realm of AML control compliance, the three lines of defense are: the first line of defense
(the business/front office of the business units and the subsidiaries); the second line of defense
(the subsidiary and group compliance and monitoring personnel); and the third line of defense
(internal audit, or IA, at the subsidiary level and group internal audit at the group level). The
internal audit function has been used to provide assurance on the bank’s compliance practices
since 1970, when the Bank Secrecy Act was introduced, and this practice has evolved into AML
compliance assurance as a routine process.
This paper highlights a number of challenges faced by a bank while ensuring the sustainability of
AML enterprise-wide compliance, such as jurisdiction risk (i.e., country risk) and typologies,
diverse data quality standards bank-wide, variations in regulatory standards among jurisdictions,
diverse product and documentation standards bank-wide, diverse level of experience and training
bank-wide, and risk profile changes from time to time due to introduction/expansion of new
products, services, and/or channels within a bank.
I propose that a 360-degree AML Group Advisory Audit by group internal audit (GIA) is the last
and best control to ensure bank-wide compliance, through key components such as:
- self-assessments by key stakeholders at the group/business unit level;
- feedback from key stakeholders on AML compliance at the group/business unit level;
- independent group audit testing results;
- assessment of the adequacy/effectiveness of AML enterprise-wide compliance through the
analysis and evaluation of the self-assessments, the feedback on the group audit, and the
independent GIA audit test results;
- identification of the AML control gaps that need remediation and of improvements in the
group-wide adequacy/effectiveness of AML compliance; and
- reports to the group/subsidiary boards and management, including group compliance, for
updating the group AML compliance risk profile, with timely follow-up by management on the
mitigation of the AML risk.
Introduction
AML compliance cost has been skyrocketing, even to the tune of over USD $1 billion in the last
10 years, and huge penalties have been imposed on certain big banks, such as: HSBC, to the extent
of USD $1.9 billion; the recent Office of the Comptroller of the Currency (OCC) penalty on
National Bank to the extent of USD $100 million; and the very recent Australian Transaction
Reports and Analysis Centre (AUSTRAC) fine (proposed civil settlement) on Commonwealth Bank
of Australia (CBA) to the extent of AUD $700 million (roughly equivalent to USD $530 million) for
a large number of money laundering and counter-terrorism violations. There have been similar, if
not larger, penalties that have been imposed on several other banks in the United States. All these
indicate the need to emphasize sustainable AML compliance on an ongoing basis.
In recent history, U.S. regulators have emphasized the necessity of independent testing while
imposing civil money penalties on several banks, including but not limited to USD $1 million on
Merchant Bank of California in 2017, and USD $75 million on U.S. Bank National Association of
Cincinnati in 2015 (15) (16).
The Federal Reserve Board, the Financial Crimes Enforcement Network, and the U.S. Attorney’s
Office for the Southern District of New York also imposed a penalty of USD $613 million on US
Bancorp, alluding to the necessity of independent testing (17).
In this context, the role of internal audit in sustainable AML compliance is all the more critical, as
stated by The IIA in its publication, “BSA-AML Compliance by Internal Audit’s role” (14).
Background
WHAT IS A BIG BANK?
As per the Federal Reserve Board of Governors, a bank with more than USD $250 billion of total
assets, or more than USD $10 billion in foreign exposures, as per the balance sheet, is classified as
a big bank. These thresholds were determined more than 10 years ago and are currently under
review (1). Big banks take a consolidated approach to managing the aggregate risk of all risk types
across all business units, to optimize the efficiency of identifying and monitoring controls. This
includes a corporate compliance function supporting and overseeing the enterprise AML
compliance program (2). The AML compliance program aggregates AML risks across the bank.
INTERNAL CONTROL STRUCTURE FOR A FINANCIAL INSTITUTION
The strategy of a bank should be to maintain the best level of controls to serve the best interests of
all the stakeholders: shareholders, board of directors, customers, and regulators. Internal control,
supported by an appropriate structure, is a process, effected by the board of directors and
management, designed to ensure the achievement of the bank’s strategic objectives to a
reasonable extent. In short, everyone in the financial institution has some responsibility for
internal control, including AML control, as applicable. This is per the standards set by various
organizations, such as the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), the Basel Committee on Banking Supervision (BCBS), the Sarbanes-Oxley Act (SOX),
the Financial Services Authority (FSA), and The Institute of Internal Auditors (IIA).
LINES OF DEFENSE
In the realm of AML control compliance, the three lines of defense are made up of: the first line
(the business/front office of the business units and the subsidiaries); the second line of defense (the
subsidiary and the group compliance and monitoring personnel); and the third line of defense (the
independent GIA) (23).
The first line of defense is responsible for identifying, assessing, and controlling the AML risks
within the business. It is responsible for periodic internal testing and monitoring of control
effectiveness for the business unit, either through the SOX unit or any other dedicated team. As
part of the first line of defense, policies and procedures should be clearly specified in writing and
communicated to all personnel. They should give employees a clear description of their
obligations and instructions, as well as guidance on how to keep the activity of the bank in
compliance with regulations.
As part of the second line of defense, the chief officer in charge of the AML program should have
responsibility for ongoing monitoring of the fulfilment of all AML duties of the bank. As per the
BSA/AML Examination Manual (3), the second line of defense, or the corporate AML compliance
function, has overall responsibility for managing and monitoring AML control activities across all
applicable business lines/subsidiaries. The staff responsible for implementing compliance control
procedures are deployed within the various business lines/subsidiaries, both local and overseas.
Under this arrangement, the expectations with regard to reporting-line responsibilities, and the
independence required to perform this role while embedded within the business lines, are
established, and the roles and responsibilities of the key stakeholders are defined.
Internal audit, the third line of defense, plays an important role in independently evaluating risk
management and controls, and discharges its responsibility to the audit committee of the board of
directors, or a similar oversight body, through periodic evaluations of the effectiveness of
compliance with AML policies and procedures. Within the third line of defense, the GIA, in
coordination with the IAs of the individual business units/subsidiaries, has a very important
independent role: to provide enterprise-wide assurance through evaluation of AML compliance
design and control effectiveness, in order to ensure the adequacy of the AML controls and the
effectiveness of management oversight and quality control, including the parameters and criteria
for automated AML alerts and the effectiveness of AML training of the relevant personnel (4).
The GIA is in a position to provide this assurance to the group/subsidiary board audit committees,
and also to group/subsidiary senior management, on the design and effectiveness of the key control
processes supporting the AML program (5).
COMPONENTS OF AN AML COMPLIANCE AUDIT
Banks have sought the help of the GIA in an advisory role since 1970, initially to provide
assurance on bank compliance practices. This practice evolved into AML compliance auditing as
a routine process. The objective of the audit of the AML compliance framework and supporting
controls was focused on assessing overall adherence to the risk-based framework. Since then,
there has been a lot of focus on the 2010 standards covered by the International Professional
Practices Framework (IPPF). If one looks at the history of the evolution of compliance audit,
including AML controls, it started with individual compliance controls at the micro level and
progressed to the review of compliance committee meetings/compliance governance. Further, the compliance audits
progressed into the compliance framework and central regulatory coordination guided by the
advisory practice standards under the IPPF.
As per Chapter 13, "Road Ahead," of "Implementing the Professional Practices Framework: 2nd
Edition” from the IIA Research Foundation: "Internal Auditing is an independent, objective
assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control and governance process"
(11) (12).
Overall, banks should establish policies for conducting audits of:
- the adequacy of the bank’s AML policies and procedures in addressing identified risks;
- the effectiveness of bank staff in implementing the bank’s policies and procedures;
- the effectiveness of compliance oversight and quality control, including the parameters and
criteria for automatic alerts; and
- the effectiveness of the bank’s training of relevant personnel.
Challenges Impacting an AML Program
In order to ensure the sustainability of AML compliance enterprise-wide, banks have to overcome
different types of challenges, outlined below.
JURISDICTION RISK AND TYPOLOGIES
Challenges vary in regard to overseas jurisdiction risk. Some jurisdictions could already be under
Office of Foreign Assets Control (OFAC) sanctions, including those on state sponsors of terrorism.
Certain countries may also be supporting international terrorism as stated in section 6(j) of the
Export Administration Act of 1979. Certain countries or geographical areas could be designated as
being of "primary money laundering concern" by the Secretary of State, and are often subject to
special measures under section 311 of the USA PATRIOT Act (6).
Some geographic regions/countries may not be exercising enough monitoring to ward off the
menace of money laundering and terrorist financing, and they may be considered non-cooperative
by the Financial Action Task Force (FATF). Some of them could be registered abroad, where
regulations are less stringent. Some could be major money laundering countries/jurisdictions of
primary concern already listed in the Department of State's annual International Narcotics Control
Strategy Report (INCSR). Banks may face the potential risk of heavy drug trafficking or heavy
predicate financial crimes in the areas where they operate.
DIVERSE PRODUCTS
Banks usually have a diversified product set, such as electronic banking, private banking, trust and
asset management services, foreign correspondent accounts, and services in the group, such as
electronic funds payment services with pre-paid open-loop cards, wire transfers (both domestic
and international), automated clearing house transactions, and Automated Teller Machines.
Meanwhile, documentation standards vary in different jurisdictions/countries where the overseas
subsidiaries of the bank operate in accordance with the local regulations (6).
CHANGE IN RISK PROFILE
The business lines/subsidiaries (both domestic and international) introduce and expand new
products, services, and/or channels from time to time. The key challenge in this context is to
identify and analyze the impact of these changes on the AML risk profile of the respective units
(both domestic and international) in a timely manner. Timely aggregation of these impacts across
the individual units of the group is cumbersome and vulnerable to omissions from the aggregate
risk profile of the bank. The absence of an established process in the banking group to continually
reassess AML risks and communicate them to the business units/subsidiaries, functions, and legal
entities in a timely manner results in the bank, subsidiary, board and/or senior management not
understanding and appropriately mitigating the risks across the bank. This situation increases the
bank’s vulnerability to inappropriate and inadequate AML risk management (6).
VARIATIONS IN THE REGULATORY STANDARDS
While there have been concerted efforts by the various standards-setting organizations, such as
FATF, the Basel Committee, FCA/PRA, and JMLSG, to establish consistent standards, there are a
number of variations among the standards set by the various regulatory authorities, based on the
level of maturity and typology of the jurisdictions they regulate. Some apply prescriptive
approaches and some principles-based approaches, depending on the level of maturity of the
standards-setting authority of the country.
The bank faces the key challenge of varied regulatory standards among jurisdictions, where
subsidiaries and business units operate. In the case of the United States, regulators have
implemented more stringent and strict regulations, such as the Dodd-Frank Act (Dodd-Frank) and
the Foreign Account Tax Compliance Act (FATCA), with the objective of bringing the foreign
banks on par with the regulatory requirements for the domestic banks (7).
The European Union, on the other hand, has been a bit slow in trailing the U.S. as far as
strengthening the regulatory regime goes. For example, its second Markets in Financial
Instruments Directive (MiFID II), the equivalent of Dodd-Frank, was adopted by the EU in 2014
after more than two years, and was finally implemented in the last quarter of 2016. The EU issued
the Fourth Anti-Money Laundering Directive (AMLD IV) in June 2015, with the objective of
bringing its member countries closer to the standard of the United States.
The Australian Securities and Investments Commission (ASIC) issued principle-based guidance
on cross-border financial regulation. In this, it permits conditional relief from certain Australian
regulatory requirements to foreign banks operating in Australia. On the contrary, Australian
regulators seek similar relief from foreign regulations to the Australian Financial Institutions
serving those countries (8).
LEVEL OF EXPERIENCE
The level of experience with AML controls and the adequacy of AML banking training group-wide
vary among the business/subsidiary units, both domestic and international. AML compliance staff
under the business lines/subsidiary units overseas have not had the same level of experience as
their counterparts in the United States.
The basic principle is that U.S.-based (parent-country) regulations are the basis of the AML
controls focus; however, the AML policies and procedures of the individual business
units/subsidiary units overseas have not adopted this dictum, and it has not been adopted
uniformly.
What is absent is a group-wide methodology to bring about harmony in the training approach at
the individual business lines/subsidiary units. The current training methodology does not focus
much on imparting adequate training to the group/subsidiary board and the senior management on
current AML regulations and changes from time to time.
There is no timely update of the training materials to incorporate the changes to the AML
regulations enterprise-wide. Training materials, incorporating relevant examples of money
laundering or suspicious activity, are not tailor-made specifically to the relevant audience.
Inadequacies and inconsistencies in the group-wide training and testing materials documentation,
the dates of the training sessions, and maintenance of attendance records, such as the absence of
acknowledgments by the respective user management and unavailability for the examiner's review,
are prevalent (9).
DATA QUALITY STANDARDS
With the automation of a number of key process elements, such as customer acceptance records,
Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), transaction monitoring, sanction
list management, and automated alerts, the application of big data enterprise-wide is very critical
to effective AML compliance. Therefore, data quality should be maintained enterprise-wide.
However, data quality across the bank group is not consistent or homogeneous, for various reasons.
The quality of data in subsidiaries that are newly acquired or that lack strict enforcement of the
standards is a potential impediment to maintaining group data quality standards. Moreover, group
data quality maintenance is not as robust as the tools supporting it: it is not equipped to improve
data quality while performing data profiling, data standardization, geocoding, matching or linking,
rule set-up, monitoring (whether in batch or real time), or even data cleansing. The timeliness and
reasonableness of data quality are not mandatorily enforced. Overall, the effectiveness of the AML
controls is adversely impacted under the current scenario.
OTHER FACTORS
1. The front line of business, which is supposed to be the first line of defense, as far as AML
compliance is concerned, usually shifts the responsibility to the second line of defense
(compliance function).
2. Inadequate strength of AML compliance resources to cope with the increased volume of labor-
intensive controls, including but not limited to performing the root cause analysis, could lead
to ineffective controls.
3. There are several controls, many of which are strong enough to mitigate AML risk. However,
the business unit is not aware of the few most critical controls that would mitigate the AML
risk most significantly; as a result, cost effectiveness is minimal, the controls are ineffective
because they are not adequately understood, and risk management is poor.
4. There are duplications and overlaps between the testing and risk assessment programs of the
AML compliance function and those of the first line of defense activities. While consolidating
and reconciling the findings/outputs of the AML compliance risk testing, operational risk, and
third-party risk testing by various teams applying different approaches periodically, huge
amounts of time and effort are put in, decreasing cost effectiveness.
5. The basis of the AML compliance framework of the bank is now more risk-based, moving away
from the procedure-oriented basis of the past. However, the compliance staff in the business
lines, and the compliance functions themselves, are finding it difficult to move away from
procedural adherence to the residual-risk-focused approach.
6. Many of the metrics are not set up on forward-looking measures of risk, and most are not
defined properly, resulting in the generation of data with unclear implications. There is a
potential risk of bypassing the high-risk exposures (10).
Solution: 360-degree Independent Audit
The Code of Ethics; the Internal Audit Attribute Standards 1000 to 1322; the Performance
Standards 2000 to 2600; the Practice Advisory Attribute Standards PA 1000-1 to PA 1321-1 and
Performance Standards PA 2010-1 to PA 2500.A1-1; and, for information technology audit/testing,
the Global Technology Audit Guides and the Guide to the Assessment of IT Risk (GAIT), all
propounded through the International Professional Practices Framework by The Institute of Internal
Auditors, are well ingrained in the audit and advisory methodologies of the GIA of the bank.
While considering the complex challenges (primarily under the above section, “Challenges”) in
the banking environment, ensuring the sustainability of AML compliance entails the special
exercise of advisory/audit by the GIA. This is to be carried out through a 360-degree independent
enterprise-wide internal advisory audit, structured and executed in the following way:
SELF-ASSESSMENTS ON AML COMPLIANCE
The main objective of the GIA is to organize and facilitate an independent, confidential, and
objective self-assessment of enterprise-wide AML compliance by key stakeholders from the
business lines and subsidiary units, both domestic and international. This exercise should be
approved by the respective boards as a Key Performance Indicator (KPI) for the management of
the enterprise-wide operating units.
The following are some of the key benefits of this exercise:
- It brings out key stakeholders’ true opinions on the design and overall effectiveness of the
controls.
- It brings out self-consciousness of the ownership of the AML controls, as they are vested with
the key stakeholders. This drives timely and earnest mitigation by key stakeholders once the
results are applied as an integral part of the audit.
- Such independent self-assessment helps the key stakeholders identify the gaps or areas for
further improvement in AML control design, resulting in a better understanding of the key
risks, the control gaps, and the amount of effort required to remediate those gaps.
- It enables key stakeholders to make more informed decisions about risk appetite.
- It generates a better understanding of the structure of their own unit and of how well its own
AML compliance program is aligned to its risk profile.
- It helps them make strategic decisions about de-risking by exiting business relationships.
The scope and objective of this self-assessment exercise as a part of the 360-degree GIA advisory
audit should be clearly communicated to the auditee senior management.
The following steps are to be undertaken by the GIA under this process:
1. Identify the key stakeholders in the enterprise (group) based on their impact on AML
compliance.
2. Develop questionnaires/surveys for key stakeholders including, but not limited to, the
group/subsidiary board directors on the compliance board committee, the relevant management
of the business units, the AML compliance management (including in the respective business
lines), and the group/subsidiary training faculty covering AML compliance.
3. The components of the questionnaire should be customized to the audience geared towards
meeting the GIA perspective of this exercise (i.e., the sustainability of the AML controls from
time to time). The questionnaire should be structured in such a way that ensures confidentiality.
The GIA is to distribute and to collect the self-assessments of the key stakeholders, enterprise-
wide, in confidence.
4. The collection should take place prior to embarking on the planning sessions with the auditee
senior management by the GIA teams. However, the results of the self-assessments should be
kept in sealed envelopes, away from the respective audit teams, and with the group Chief Audit
Executive (CAE) office such that the auditors are not privy to the details of the control
weaknesses identified by the auditee management until the independent audit testing is
completed and findings are finalized in the form of the initial report. This is with a view that
these results should not influence the upcoming GIA’s independent group-wide risk
assessment and independent testing. The objective is to keep the independent and objective
element of the GIA intact.
5. The GIA team, separate from the independent testing team, has to identify the hotspots/areas
for improvements under AML compliance. They should analyze the results of the survey to
identify the gaps and the impact on the AML compliance enterprise-wide. This analysis is very
important, as this will provide the management’s perspective of the gaps. This will form an
integral part of the 360-degree exercise, which the GIA will complete to ensure sustainable
AML compliance. This approach will provide a holistic assessment of the control gaps with a
whole-hearted acceptance and ownership from the key stakeholders.
AUDIT FEEDBACK
As part of the 360-degree GIA advisory audit of AML compliance, the GIA ensures that relevant
and timely feedback is obtained from various audit stakeholders under the group, as applicable.
This is to obtain the auditee’s perspective of the overall performance of the GIA’s independent
testing. The following key steps are to be completed:
DEVELOPMENT OF A QUESTIONNAIRE
Develop the questionnaire to obtain feedback from the respective audit stakeholders including,
but not limited to, the group/subsidiary board compliance committees, the business lines’
management, and compliance management. This questionnaire should cover the advisory audit
scope, objective, risk assessment, the AML key controls tested by the GIA in the respective
business/compliance function units and subsidiary units (both domestic and international), the risk
ratings of the findings, and communication. This will bring out any deficiencies/weaknesses in the
independent testing process, which will help the GIA consider other measures to offset such
weaknesses in this advisory exercise and further improve the reliability and accuracy of the test
results.
DISTRIBUTION AND COLLECTION OF THE QUESTIONNAIRE
The GIA team is to distribute the questionnaire to the applicable business lines, functional units,
and subsidiary units (both domestic and international), group-wide. This distribution is to be
completed immediately after the planning meetings with the respective senior management of the
units, with a target collection date immediately following the independent testing by the GIA. The
objective of this feedback exercise as a part of the 360-degree GIA advisory audit should be clearly
communicated to the auditee senior management. This exercise should be approved by the
respective boards as a KPI for the management of the enterprise-wide operating units. The GIA is
to collect the feedback of the internal audit key stakeholders via the questionnaires, and to collate
it and identify areas to improve the GIA process.
PRE-ADVISORY AUDIT
The next step under this special exercise is the independent testing to be performed by the GIA.
As pre-audit preparation, a number of key steps are to be performed, including some of the
following.
GROUP AUDIT PROFILE
The following are some of the key standards adopted by the GIA audit/advisory methodology:
OBJECTIVITY AND INDEPENDENCE
As per Standard 1100 and Practice Advisory 1120-1 of the International Professional Practices
Framework (IPPF) set by The Institute of Internal Auditors (IIA): "The internal audit activity must be
independent, and internal auditors must be objective in performing their work."
The IIA's interpretation is that independence is freedom from conditions that threaten the ability of
the internal audit activity or the chief audit executive (CAE) to carry out their responsibilities in an
unbiased manner.
The IIA defines objectivity as "an unbiased mental attitude that allows internal auditors to perform
engagements in such a manner that they believe in their work product and that no quality
compromises are made." Established processes to deal with potential impairments of objectivity and
independence are already in place and effective in the GIA, and the responsibilities of the GIA while
executing consulting/audit work are well defined.
AML PROFICIENCY AND DUE PROFESSIONAL CARE
As per IPPF Standard 1200 and Practice Advisory 1200-1 set by the IIA, it is essential that the
internal auditors performing the AML consultancy/audit have sufficient knowledge, skills, and other
competencies to conduct this results-oriented work. The team as a whole performs the activities
collectively with sufficient knowledge, skills, and competency in AML regulations.
ADEQUACY OF AML TRAINING
The training framework of the GIA emphasizes essential key elements, such as assessing the
training needs; establishing and updating the AML training plan and delivery process; tracking
and reporting under the GIA and the subsidiary IAs; and independent testing skills and resource plans.
The training plan focuses on key areas, such as the AML group compliance programs, the group risk
assessment processes, the Customer Identification Program (CIP), Customer Due Diligence/Enhanced
Due Diligence (CDD/EDD), suspicious activity monitoring/reporting, sanctions screening,
communication protocols, data collection and analysis, controls over the AML tools (supporting the
IT auditors), new products and channels, and controls awareness.
AUDIT RISK
The GIA performs an annual assessment of the acceptable level of audit risk (the risk that the
auditor reaches an incorrect conclusion or fails to identify a material/significant deficiency, viewed
from the advisory audit perspective), and has documented guidelines and procedures for doing so.
The key elements considered are planned detection risk, inherent risk, and control risk, which
together determine the acceptable audit risk. The amount of audit evidence collected also depends on
the acceptable level of audit risk: if the inherent risk and control risk are high, the planned
detection risk must be set lower (requiring more testing), and vice versa.
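The inverse relationship between planned detection risk and the other two components follows from the standard audit risk model used in the IIA and AICPA literature. The worked figures below are an added illustration, not the paper's own methodology, and the percentages are assumptions chosen for the example:

$$AR = IR \times CR \times DR \quad\Longrightarrow\quad DR = \frac{AR}{IR \times CR}$$

With an acceptable audit risk of $AR = 0.05$, a high-risk unit with $IR = 0.8$ and $CR = 0.6$ requires $DR = 0.05 / 0.48 \approx 0.10$, whereas a low-risk unit with $IR = 0.4$ and $CR = 0.3$ tolerates $DR = 0.05 / 0.12 \approx 0.42$. The lower the planned detection risk, the more substantive testing (larger samples, extended procedures) the GIA must perform on that unit to keep the overall audit risk within the acceptable level.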
AML COMPLIANCE ADVISORY AUDIT PROGRAMS
The following are the key components of the Bank's AML compliance program:
A framework consisting of policies and procedures, supported by the relevant implemented
controls
Independent testing of AML compliance group-wide
An individual or a team specifically assigned to manage AML controls group-wide (a chief
compliance officer along with a special team to support the position)
An adequate and appropriate training plan and its execution
These key components are the four pillars of an AML compliance program as per FinCEN. A fifth
pillar, the establishment of risk-based Customer Due Diligence procedures, was added by FinCEN's
Customer Due Diligence Final Rule under the Bank Secrecy Act, issued in May 2016 with an
applicability date of May 11, 2018 ("The 'Fifth Pillar' of AML/BSA Compliance: FinCEN Issues Final
Rule for New Customer Due Diligence Requirements under the Bank Secrecy Act") (18).
The group audit program is updated to cover all of the above with regard to new customers, products,
geographies, and channels for all the applicable business lines/subsidiaries (domestic and
international). An AML audit program based on the current audit methodologies is effective when it
has the following characteristics:
All deviations/violations are identified and the resulting risks/impacts explained.
Quantitative or qualitative data supporting the findings/conclusions is maintained.
Findings/observations are communicated to the auditee in a timely manner to reconfirm the
supporting facts and to explore whether other mitigating controls are already in place (to
assess the residual risk for issue-rating and remediation-ranking purposes).
Corrective actions are incorporated into the report, and the necessary remediation tracking
mechanism is already in place.
There is an established process to communicate the findings/recommendations, with the
auditee's remediation plans, to group/subsidiary senior management and group/subsidiary
boards in a timely manner.
RISK ASSESSMENT FOR THE BANK
The group-wide AML risk profile is to be updated as part of the pre-audit preparation. This is
carried out by loading the latest available group-wide AML risk assessment, completed by the
central group compliance unit, into the GIA central risk assessment database. The GIA has to apply
due diligence to ensure that this information is accurate and relevant and covers all the applicable
business lines/subsidiary units, including the control functions relevant to the AML risk profile.
The auditors should ensure that the risk assessment is duly supported by appropriate qualitative
and quantitative data. The GIA should assess whether there is a process in the group to periodically
review and update the group profile, and whether the responsibilities are clearly assigned and
carried out. They should also assess whether the group compliance function has adopted the key
steps set out in its policies and procedures, which include the following:
1. Identification of specific AML risk categories covering customers, products, geography, and
channels
2. Detailed analysis of the collected data
3. Evaluation of the AML program in light of the results of the analysis, and updating of the group
AML risk profile covering the business line/subsidiary units (both domestic and international)
In brief, timely evaluation and updating of the group-wide risk profile in the group audit central
risk assessment database, in tandem with the AML group compliance risk assessment, should be
completed as part of the pre-audit (consultancy) under this exercise (19).
AML RISK ASSESSMENT BY GIA
Overall, the bank has taken guidance from The Wolfsberg Group, blended with that of the Basel
Committee on Banking Supervision, the FFIEC BSA/AML Examination Manual, and Practice Advisory
2120-1 of the IIA's International Professional Practices Framework, in its enterprise-wide AML risk
assessment, appropriate to the size and structure of its global operations. The GIA follows a similar
approach internally in its enterprise-wide group audit risk assessment before embarking on the
enterprise-wide independent testing process, which is itself one of the five pillars of the AML
compliance regime.
The GIA is cognizant of the fact that the risk assessment should consider consequential risk, which
reflects the bank's internal and external environment. This is a particular feature of AML risk, as
opposed to credit or market risk, which can be quantified more readily and usually before the risk is
accepted.
The GIA uses the bank's enterprise-wide AML risk assessment for the following purposes:
Identify and/or update the changes/additions in customer segments, products, geographies, and
channels in the GIA enterprise-wide AML risk assessment process
Understand the new or modified AML tools used by the group
Update and understand the changes in regulatory requirements enterprise-wide
Understand the bank's risk-based approach to calculating inherent risk and its method of
assigning a score and weight to each factor
Understand and identify gaps or opportunities for improving the design of AML controls
spanning the five pillars, enterprise-wide, from the bank's senior management perspective
Perform the GIA's own enterprise-wide AML risk assessment with regard to the five pillars of
activities covering customers, products, geography, and channels
Assess the effort and resources required based on the residual risk (high, medium, and low) and
ensure their alignment with the bank's risk profile (13) (20) (21).
SCOPING AND PLANNING
The GIA is to execute a structured approach to the scoping and planning of the AML advisory audit
exercise, based on a methodology adopted primarily from IIA IPPF Practice Advisory 2010-1,
Standards 2200 to 2240, and Practice Advisory 2210-1. As a practice, the scope is designed to
satisfy the objectives of this advisory engagement. The scope also covers the relevant AML
systems/tools, personnel, and key processes, including but not limited to outsourced activities such
as major parts of Customer Due Diligence and sanctions screening. Control weaknesses already
identified by regulators' reviews, the external auditors, and other external factors impacting the
bank's risk profile are incorporated into the group audit enterprise-wide risk assessment exercise,
which is already underway.
As part of the scoping and planning processes, the GIA also reviews the group AML compliance
program, the group AML compliance committee charter and/or minutes, and board of directors
meeting minutes. This is to decide on the extent of sample sizes, testing, and documentation,
covering all appropriate areas with appropriate inclusion of the areas required by the regulators.
As part of the planning process, the GIA embarks on the following key steps, among others:
Ensure that the audit plan is linked to the AML risks and exposures, and that it is updated to
reflect changes in management direction, objectives, emphasis, and focus.
Prepare the enterprise-wide audit schedule with the dates and availability of the respective
auditees (i.e., business units/head office/subsidiary units, both domestic and international).
Develop and document the engagement work program that will enable the team to achieve the
engagement objectives.
Schedule the planning meetings with the auditee senior management in the order of the audit
planning schedule already established.
Collect the initial data, such as policies/procedures and any other guidelines the GIA has not
already seen, required to initiate the audit process.
Share with the auditee the communication protocol, expectations, and deliverables, along with
the timelines.
Share the scope and objectives, respective responsibilities, and other expectations of this
special advisory audit.
Exchange the names of the coordinators from the GIA and the auditee.
Schedule the travel plans for the respective audit teams covering the enterprise-wide review.
FIELDWORK AND TESTING
The GIA methodology for fieldwork and testing currently in force for GIA advisory engagements is
based primarily on the IPPF standards issued by the IIA for consulting engagements. This advisory
engagement is a fully integrated risk-based review of the manual and automated AML controls,
internal or outsourced, that mitigate the risks across the five pillars of AML activities and the
systems/tools supporting them. It covers both entity-level and activity-level controls, some of which
are fully or partially automated.
The GIA covers all the key control activities identified in the GIA AML risk assessment. Some of the
critical ones are customer acceptance and onboarding, Customer Due Diligence, Enhanced Due
Diligence, transaction monitoring, sanctions screening, suspicious activity monitoring and reporting
(SARs), management of high-risk customers, the escalation process, whistle-blowing, the AML group
risk assessment process, reporting to regulators and law enforcement agencies, and OFAC
compliance. Some of the key steps are enumerated below:
1. Review the applicable policies and procedures for adequacy of documentation and appropriate
level of approval.
2. Conduct interviews/walkthroughs with the key process owners, including but not limited to the
respective subsidiary/group board and senior management.
3. Identify the inherent risks and evaluate the adequacy of the control design.
4. Test the operating effectiveness of the AML key controls, including but not limited to AML
training; or, where the key controls are already tested as part of SOX testing, assess the
effectiveness of that testing for group-wide AML compliance. This is to be performed as per the
GIA testing standards and sampling methodology. Extended testing is performed if required.
5. Maintain an adequate level of documentation of the testing and results to provide the basis for
findings to be escalated within group audit management and to the board.
6. Communicate the audit findings and the related risks to the auditee management in a timely
manner and obtain their feedback. Conduct a findings discussion with the immediate auditee
management to confirm that the observations/findings are factually correct and to identify any
additional compensating controls in the respective AML control environment not taken into
account earlier. This part of the exercise enables the internal auditor to refine the residual risk
and to develop recommendations to mitigate the risk in concurrence with the auditee. Good, direct
communication with the auditee at this juncture is critical, as it secures buy-in on the findings
and their remediation from an auditee who is then willing to take ownership of timely
remediation (22).
REPORTING
The GIA is to perform the following steps to prepare the final assessment of the
adequacy/effectiveness of enterprise-wide AML compliance.
The GIA is to collate the results of the self-assessment by the bank's senior management of AML
compliance in their respective units (page 8). Similarly, the GIA is to collate the feedback on the
GIA from the respective senior management (page 10), and the results of the GIA's own independent
testing (page 14). The GIA is to analyze and evaluate these three sets of results for each unit to
fine-tune the identification of control gaps in AML compliance and the severity of the residual risks
for the individual units.
The GIA is to consolidate the final results, finalize and rank the risks, identify the areas that need
improvement in the group-wide adequacy/effectiveness of AML compliance (including the GIA's own
AML compliance independent audit), and evaluate the overall adequacy and effectiveness of the AML
compliance program group-wide.
Meanwhile, the GIA is to obtain the final remediation plans, with well-defined deadlines, from the
group-wide auditees/stakeholders for the control gaps carrying residual risk.
The GIA is also to compile the final report, with an executive summary, AML compliance heat maps,
and detailed reports incorporating all relevant details, supported by the audit issues on the AML
compliance program and the key stakeholders' issue/risk remediation timetable for the respective
units, both domestic and international.
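The per-unit triangulation of the three result sets described above (management self-assessment, stakeholder feedback on the GIA, and the GIA's own independent test results) can be made concrete with the following added example. It is not code from the white paper or from any bank's GIA: the 1-to-5 scoring scale, the residual-risk scaling, the rating bands, the tolerances, the unit names and the scores are all assumptions constructed for the illustration, and a real GIA would substitute its own documented scoring methodology.

```python
"""Added example: triangulating the three result sets of a 360-degree
group advisory audit per unit. Not code from the white paper; every
scale, threshold and sample score below is an assumption constructed
for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UnitResults:
    """One audited unit. All scores use an assumed 1 (low) .. 5 (high) scale."""
    unit: str
    inherent_risk: float          # from the group AML risk assessment
    self_assessed_control: float  # management self-assessment (1 weak .. 5 strong)
    tested_control: float         # GIA independent test result (1 weak .. 5 strong)
    feedback_on_gia: float        # stakeholder feedback on the GIA process (1 poor .. 5 good)


# Assumed rating bands for residual risk, checked from highest to lowest.
RATING_BANDS = ((3.5, "High"), (2.0, "Medium"), (0.0, "Low"))
# Assumed: a self-assessment more than one point above the tested result
# is treated as management overstating its own controls.
OVERSTATEMENT_TOLERANCE = 1.0
# Assumed: feedback below this level means the GIA process itself needs work.
FEEDBACK_TARGET = 3.0


def residual_risk(inherent: float, control: float) -> float:
    """Assumed scaling: controls tested at 5 leave 20% of the inherent risk,
    controls tested at 1 leave all of it."""
    if not (1 <= control <= 5 and 1 <= inherent <= 5):
        raise ValueError("scores must be on the 1..5 scale")
    return inherent * (6 - control) / 5


def rate(residual: float) -> str:
    """Map a residual-risk score to the assumed High/Medium/Low bands."""
    for floor, label in RATING_BANDS:
        if residual >= floor:
            return label
    return "Low"


def assess_unit(r: UnitResults) -> dict:
    """Combine the three result sets for one unit into a residual risk,
    a rating, and the flags the GIA would raise in the findings discussion."""
    residual = residual_risk(r.inherent_risk, r.tested_control)
    flags = []
    # Independent testing is the anchor; the self-assessment is compared to it.
    if r.self_assessed_control - r.tested_control > OVERSTATEMENT_TOLERANCE:
        flags.append("self-assessment overstates controls")
    # The 360-degree element: feedback on the GIA is reported alongside.
    if r.feedback_on_gia < FEEDBACK_TARGET:
        flags.append("GIA process feedback below target")
    return {"unit": r.unit, "residual": residual, "rating": rate(residual), "flags": flags}


def rank_units(results) -> list:
    """Rank all units by residual risk, highest first, for the heat map
    and the remediation ranking in the consolidated report."""
    return sorted((assess_unit(r) for r in results),
                  key=lambda a: a["residual"], reverse=True)


# Constructed sample input: four fictitious units.
SAMPLE_RESULTS = [
    UnitResults("Retail Domestic", 3.0, 4.5, 4.0, 4.0),
    UnitResults("Private Banking International", 5.0, 4.5, 2.0, 3.0),
    UnitResults("Correspondent Banking", 4.0, 3.0, 3.0, 2.0),
    UnitResults("Subsidiary X", 2.0, 2.0, 2.0, 4.0),
]

if __name__ == "__main__":
    for a in rank_units(SAMPLE_RESULTS):
        print(f'{a["unit"]:32s} residual={a["residual"]:.2f} {a["rating"]:6s} {a["flags"]}')
```

Running the block prints the ranked table. The unit whose self-assessment sits well above its independently tested result is exactly the case the findings discussion in step 6 of the fieldwork is meant to surface, and the feedback flag keeps the GIA's own process on the same report rather than in a separate exercise.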
REPORT TO THE BOARD
The GIA is to schedule meetings with the respective subsidiary (both domestic and international)
board audit committees/compliance committees, as the case may be, and present the full report,
highlighting the key elements and the key control gap remediation management plan with the
respective report ratings. The opinions of the respective board committees should be incorporated
into the respective reports.
Once this exercise is completed, the consolidated enterprise-wide final report is to be compiled by
the GIA and a meeting scheduled with the group board audit committee/compliance committee. The
group board should be apprised of the highlights of this special 360-degree enterprise-wide advisory
group audit and the key findings, along with the enterprise AML compliance risk heat maps,
describing how this exercise helps sustain AML compliance throughout the enterprise at an
acceptable level, in line with the risk appetite of the bank as a whole and of the units in particular.
GROUP COMPLIANCE DIVISION SENIOR MANAGEMENT UPDATE
The GIA is to coordinate and hold a meeting, supported by a workshop session, with group compliance
senior management to brief them on the consolidated AML control gaps, the updated residual risks
and risk ranking, and the control gap remediation plans and deadlines committed to by the senior
management of the group, the business lines, and the domestic and international subsidiaries. This
will help group compliance, and eventually the business lines and subsidiaries, to take account of the
key risks identified in the group advisory audit when updating their AML risk assessment matrices.
Meanwhile, it should be emphasized to both group compliance management and the management of
the business lines and subsidiaries (both domestic and international) that they should have a very
good understanding of their own updated AML compliance risks in light of this exercise carried out
by the GIA, and that they should accept ownership of and responsibility for their impact on the
effectiveness of compliance controls. This does not absolve them of their responsibility to update
the AML compliance control risks in their respective units from time to time, or whenever there is a
change in the control environment, whether due to customers, products, geography, and/or channels.
The GIA itself ought to update its own internal group audit AML risk assessment as a precursor to
the succeeding similar annual exercises.
FOLLOW-UP ON CORRECTIVE ACTIONS
The GIA should track and validate any corrective actions identified during the audit to gain
assurance that management has resolved the issues and that the corrective actions taken are
implemented and sustainable. The following steps are to be completed by the GIA as part of the
follow-up process:
The GIA is to hold meetings with the respective business lines and subsidiaries (both domestic
and international) on a quarterly basis to review and verify the implementation of the respective
management actions to rectify the key control gaps.
The GIA is to update the respective group board/subsidiary audit/compliance committees on
progress on a quarterly basis.
Similar updates are to be given to group compliance for updating the control designs and risk
mitigation processes of the group, subsidiaries, and business lines. These updates should also be
reflected simultaneously in the respective AML risk assessment models, yielding the residual risk
for the group-wide AML risk profile.
Group senior management should ensure that the remediation of group-wide key control gaps and
the updating of the group-wide risk profile are factored into the key performance indicators of the
individual members of the senior management of the group, including compliance, the business
lines, and the subsidiaries (both domestic and international).
CONCLUSION
The above solution ensures a continuum of sustainable AML compliance enterprise-wide, with
ongoing improvement of the AML compliance controls.
Although the group AML team puts a lot of effort into ensuring that control compliance is ongoing,
the challenges and their related inherent risks in this environment are continuous, and some of them
may elude the controls executed by the first and second lines of defense.
Hence, this specific exercise by the GIA (the third line of defense) is to be repeated every year as
the last and best control to ensure that the challenges and their related risks, including but not
limited to the following, are mitigated to an acceptable level, so that the residual risk is maintained
within the risk appetite of the organization on an ongoing basis:
Jurisdiction risk (country risk) and the risks from its typologies
Inherent risks from the diverse products and their varied documentation standards group-wide
Risk profile changes from time to time due to the introduction/expansion of new
products/services/channels group-wide
Variations in regulatory standards among group jurisdictions
Diverse levels of experience and training group-wide
Diverse data quality standards group-wide
Moreover, this is the last and best resort in the hierarchy of the AML internal control environment
to ensure that all key AML compliance risks are identified and mitigated enterprise-wide. Hence, the
GIA 360-degree AML group advisory audit is the last and best control to ensure that enterprise-wide
AML compliance is sustainable on an ongoing basis.
Works Cited
1. Financial News London; US Fed rethinks how to define a big bank;
https://www.fnlondon.com/articles/fed-rethinks-how-to-define-a-big-bank-20181002 [Online] 2018.
2. FFIEC; AML Compliance Program Structure Overview;
https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_039.htm [Online]
3. FFIEC BSA/AML InfoBase; BSA/AML Examination Manual;
https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_039.htm [Online] 2014.
4. AML-CFT.NET; Three Lines of Defence; https://aml-cft.net/library/three-lines-defence/
5. The IIA UK; Governance of Risk: Three Lines of Defence;
https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/
6. FFIEC; BSA/AML Risk Assessment Overview;
https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_005.htm
7. Protiviti; The Challenges of Managing a Global AML Program (2017);
https://www.protiviti.com/sites/default/files/united_states/challenges-managing-global-aml-program-protiviti-2017.pdf
8. Trulioo Global Identity Verification; Why Banks Struggle with Cross-Border Compliance;
https://www.trulioo.com/blog/why-do-banks-struggle-with-cross-border-compliance/
9. FFIEC; BSA/AML Examination Manual 2018;
https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_007.htm
10. McKinsey; Sustainable compliance: Seven steps toward effectiveness and efficiency;
https://www.mckinsey.com/business-functions/risk/our-insights/sustainable-compliance-seven-steps-toward-effectiveness-and-efficiency
11. IIA Australia; Internal Audit Competency; and IPPF Practice Guide: Creating an Internal Audit
Competency Process
12. The IIA Research Foundation; Internal Auditing: Assurance and Consulting Services
13. The Wolfsberg Group; Frequently Asked Questions on Risk Assessments for Money Laundering,
Sanctions and Bribery and Corruption (2015);
https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/Wolfsberg-Risk-Assessment-FAQs-2015.pdf
14. The IIA; BSA/AML Compliance: Internal Audit's Role;
https://dl.theiia.org/FSACPublic/BSA-AML-Compliance-NM.pdf
15. Office of the Comptroller of the Currency (OCC); OCC Assesses Penalty Against Merchants Bank
of California; https://www.occ.treas.gov/news-issuances/news-releases/2017/nr-occ-2017-23.html
16. Office of the Comptroller of the Currency (OCC); OCC Assesses $75 Million Civil Money Penalty
Against U.S. Bank National Association;
https://www.occ.gov/news-issuances/news-releases/2018/nr-occ-2018-17.html
17. American Banker; Regulators fine U.S. Bank more than $600M for AML errors;
https://www.americanbanker.com/news/regulators-fine-us-bank-more-than-600m-for-aml-errors
18. Financial Services Perspectives; The "Fifth Pillar" of AML/BSA Compliance: FinCEN Issues Final
Rule for New Customer Due Diligence Requirements under the Bank Secrecy Act (2016);
https://www.financialservicesperspectives.com/2016/07/the-fifth-pillar-of-amlbsa-compliance-fincen-issues-final-rule-for-new-customer-due-diligence-requirements-under-the-bank-secrecy-act/
19. FFIEC; Bank Secrecy Act/Anti-Money Laundering Examination Manual 2014;
https://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm
20. Donna Dafidek; Auditing/Updating an AML Risk Assessment (PDF)
21. The Wolfsberg Group; Anti-Money Laundering Risk Assessment FAQs (2014);
https://www.wolfsberg-principles.com/sites/default/files/wb/pdfs/faqs/Wolfsberg-Risk-Assessment-FAQs-2015.pdf
22. The IIA; International Professional Practices Framework (IPPF) Standards and Practice
Advisories 2010-1, 2020-1, 2030-1, 2040-1, 2050-1, 2060-1, 2120-1, 2130-1, 2200-1 to 2240-1,
2330-1 and 2500-1
23. Basel Committee on Banking Supervision; Sound Management of Risks Related to Money
Laundering and Financing of Terrorism (June 2017)