This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Subscribe

Social Media Links

| 12 minute read

Is Internal Audit Falling Short?

Introduction

Against the backdrop of the recent “Dear CEO” letter issued by the Financial Conduct Authority (FCA), and the number of regulatory enforcement actions, this article aims to explore the role of Internal Audit (IA) in ensuring organisations have an effective financial crime program. Expectations from IA within the financial crime industry are changing as demonstrated by the Wolfsberg Group Principles for Auditing for Effectiveness.1 The Wolfsberg Group believes that IA should measure risk outcomes using the Wolfsberg Factors namely: (i) complying with financial crime laws and regulations, (ii) establishing a reasonable and risk-based set of controls, and (iii) providing highly useful information to relevant government agencies in defined priority areas.

According to the Institute of Internal Auditors (IIA) “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A successful IA function should be able to offer unbiased insights, efficiently identify vulnerabilities, clearly communicate the root cause of issues, and construct value-adding management actions. However, it has never been more challenging for IA to fulfil its critical role as the final arbiter of internal assurance due to higher C-suite expectations, new technologies, and increasing regulatory complexity as demonstrated by the Russian sanctions program.

Having spent over 10 years earlier in my career as an internal auditor, and a further 20 years specialising in financial crime, I have always treated IA as a respected and trusted partner. Therefore, I am in a privileged position to have in-depth IA and financial crime practitioner experience in some of the world’s largest organisations. I felt it was important to highlight some of the common challenges I have faced and to give IA, and the auditees, something to think about…

Key Challenges

1. Expertise

Whilst it is a positive development that many IA departments have a dedicated team focussing on financial crime, they are often staffed by people with limited to no hands-on financial crime experience. This creates a multitude of issues that detrimentally impact the quality of the audit. One of the biggest risks with this approach is significant issues remain undetected or are underreported. Having the right skills and experience is critical to IA success. It is surprising having worked for three tier 1 banks that the issues facing the financial crime departments are strikingly similar although the success in addressing these issues varies considerably. In-depth knowledge of the control environment, pitfalls, and what works and what does not is invaluable.

One facet of financial crime that auditors struggle with is that money laundering regulations call for a risk-based approach. Therefore, there is an element of subjectivity applied to all financial crime programs. This grey area can cause issues with IA challenging management decisions based on their own perceptions of the underlying risk regardless of whether robust governance processes have been followed. Although the spirit of the challenge is often sound, there is a risk that IA can undermine the three lines of defence model by, in essence, performing the role of the 2nd Line of Defence (2LoD). In these situations, there is a risk that both the auditor and the auditee become so entrenched in their own positions that they agree to a set of weak management actions as a compromise. Invariably, the completed management actions support the original management decision which adds little value to the organisation.

In addition, with the onset of artificial intelligence (AI) and machine learning, advanced analytics IAs need to have the skills to provide assurance over the underlying models. This may be difficult to achieve due to the ever-increasing sophistication and complexity of these models and reliance on third-party providers. It is often hard for management themselves to understand these models and the associated risks. Subsequently, IA finds themselves in a tricky position to provide positive assurance. This is where a focus on outcomes may be the way forward for IA. In my view, it is extremely likely that an organisation will be subject to future regulatory censure in this space due to a lack of understanding of how the models actually work.

Potential Solutions:

  • Secondments between IA and financial crime departments.
  • Use of consultancies where IA does not have the capability or capacity.
  • Subject matter expertise training and certification.
  • Technical support from areas like credit and market risk in understanding models.
  • IA providing ongoing and proactive assurance to the financial crime program. This will assist with knowledge transfer and any nasty surprises.

2. Management Actions

In many cases, IA identifies the right issues, but the management actions are deficient. IA tends to spend more time and energy identifying the issues, which tends to be the more exciting part of the audit lifecycle, and less time defining management actions, which arguably is of equal importance. Commonly, there is a distinct lack of enthusiasm from both the auditors and management to spend the required time on the management actions as they have exhausted themselves agreeing on factual accuracy and the risks. Weak management actions:

  • Do not address the root cause. Therefore, the resolution is short-lived. If only the symptoms of the issues are addressed, then it is likely that the issue will return and need fixing repeatedly. Issues associated with areas like “data” or “culture” tend to receive this treatment as they are more challenging to resolve.
  • Are so wide-reaching that they will never be achieved e.g. remediate all data issues within the organisation. Please note that this example is exaggerated for effect.
  • Have incorrect ownership. As per the three lines of defence model, financial crime risk is ultimately owned by the 1st Line of Defence (1LoD). However, in my experience sometimes auditors do not uphold this principle and are more likely to assign ownership within the financial crime department (2LoD). It is imperative that IA assign ownership appropriately and are bold enough to have discussions with challenging 1LoD senior stakeholders especially where 2LoD controls are dependent on first-line processes e.g. Know Your Customer (KYC).
  • Have an overreliance on layering manual quality assurance (QA) controls which are expensive, cause further friction in the process, and often end up not leading to the control improvements expected.

Potential Solutions:

  • Apply more discipline to documenting management actions. Strike the right balance between practicality and mitigating risks.
  • Ask the auditee to write the management actions to assist with buy-in which are subsequently independently validated by IA.
  • Do not shy away from difficult conversations on ownership. Yes, it might delay the report but assigning the correct ownership is key to ensuring successful remediation. 

3. Prioritisation

Coupled with insufficient financial crime expertise is the incorrect prioritisation of audit observations. This is a two-way street, on the one hand, the priority of audit observations can be inflated and, on the other hand, underestimated. In both instances, this leads to a misallocation of precious management attention and scarce resources. The main reasons for this are fourfold:

  • When valid exceptions are identified, the size and scale of the issue are not quantified leading to a lower assessment of the risk. It is vital that a statistical sample is selected from the statistical population to ensure that exception rates can be applied across the whole population. Extrapolating exception rates in this manner can assist senior management in understanding the scale of the problem in areas like KYC. Stating that five out of a sample of 25 files failed is not the same as stating that 20% of the book is deficient. The latter is far more likely to get management attention.  
  • In situations where the organisation is at risk of, or under, an enforcement action there tends to be an overcorrection of audit priorities i.e. relatively minor issues are assessed as significant.
  • Contrary to the above, audits often cover operational processes where the mindset is to quantify exceptions in relation to the whole population rather than assess the risk with the actual exceptions i.e. one sanctions breach in a population of thousands can still represent a significant risk to the organisation.
  • IA plays a vital role within the control framework and therefore, it is imperative that the audit observations are positioned correctly. Although it is understandable that the regulatory environment an organisation is operating under impacts IA this can also have undesirable consequences.

In relation to the last bullet, interestingly, Independent Monitors are more likely than IA to employ the tactic of highlighting egregious cases even when the overall exception rate is minuscule i.e. the proverbial needle in the haystack. Although this will undoubtedly grab management and the regulator's attention it can have the undesired effect of sensationalising the underlying control failing. Whether IA should be doing more of this i.e. illustrating the control failing with real customer examples, where there is suspicion or knowledge of predicate crimes, is open for debate. With my IA hat on I think they should but with caution. A report referring to exception rates and control failings is all well and good but if the same report highlights that an illegal arms trafficker was allowed to transact directly understandably appeals to management's moral compass. As a financial crime practitioner, at times, this approach has diverted precious resources from higher-risk areas due to the visceral reaction from management regardless of the circumstances and context. Consequently, I have seen millions of pounds spent on controls that are well-intentioned but not sustainable. Some organisations have millions of customers and unfortunately, there will always be some bad actors that slip through the net. The cost vs benefit equation in line with the Wolfsberg Statement on Effectiveness2 should always be applied with a calm and rational head.

Potential Solutions:

  • Do not overegg minor issues even where there is the temptation to do so.
  • Where possible quantify the size of the risk exposure.

4. Reperformance 

Again, related to insufficient financial crime expertise is the reperformance testing of controls. Although, a valid audit technique, this can result in issues where the controls are subjective e.g. investigative processes such as transaction monitoring alerts. Most sophisticated organisations will have QA for such processes. However, rather than auditing the QA process, the auditor will sample alerts using a risk-weighted sampling approach. Due to the subjective nature of the process, this can result in countless lost hours debating differences of opinion on whether a regulatory filing should or should not have been made.

A similar, albeit maybe weaker comparison, can be made in relation to auditing financial crime models. The most sophisticated organisations have a Model Risk function whose role is to independently assess all types of models in an organisation. Therefore, an alternative approach could be for IA to ensure the Model Risk function and their approach to assessing financial crime models as opposed to auditing the actual financial crime models themselves. As expressed previously, I do not envy IA in this regard due to the ever-increasing complexity and sophistication of the models.

Potential Solutions:

  • Focus on testing the key controls within the framework with success measured by outcomes rather than process compliance. 

5. Scope 

Limiting the scope of an audit to ensure it is focussed on a particular area of financial crime or key controls tends to lead to a higher quality audit outcome. Performing a financial crime audit to a high standard requires that each step within the audit lifecycle, planning, fieldwork, and reporting be performed diligently and with considerable thought and oversight. The larger the audit the greater the likelihood that standards will slip. On the flip side, IA must ensure the audit scope is not too narrow which prevents any identified risks from being assessed e.g. audit of the transaction monitoring (TM) rule-setting process without consideration of product risk assessments.

One of the key challenges of being an auditor is the development of a comprehensive, risk-based, proportionate, and executable audit plan. Considering that IA is expected to provide independent assurance to management it is imperative that the IA plan is focused on the right risks and remains aligned to the organisation’s strategic priorities and business model. Although this sounds relatively straightforward, there are complexities such as where elements of a process are owned by different parts of the organisation e.g. for TM3 you can have different owners for (i) source data and completeness, (ii) data aggregation and transfer, (iii) data ingestion and mapping, (iv) TM system controls, (v) product risk assessment, (vi) tuning and calibration, (vii) alert generation and investigation (viii) regulatory reporting.  

Potential Solutions:

  • Use the “Project Management Triangle” to balance scope, time, and cost leading to a quality audit deliverable.
  • Proper assessment and documentation of the financial crime audit universe including inherent and residual risks. The assessment can be enhanced using analytics and AI.

6. Compliance Culture 

The culture of compliance within an organisation is imperative for IA to be successful. Unfortunately, some organisations treat audit reports as a performance management tool. Whilst this approach may be valid in exceptional circumstances I do not agree with the general principle. Most compliance failings are not due to any one individual. It is a collective failing. Punishing the person who has the courage to stand up and take accountability for financial crime is not the way forward and perversely drives the wrong set of behaviours and values. Management being open, transparent, honest, and cooperative with IA is key to an audit and an organisation's long-term success. I have experienced harmful organisational politics come into play which I find objectionable given the ethical and honourable pursuit of fighting financial crime. During these moments I have fallen back on a famous quote from Theodore Roosevelt which has helped me get through these dark moments.4

“It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”

Conclusion

IA performs a vital role in any organisation. With such a powerful mandate it is important that IA holds itself to the highest standards of professionalism and integrity. If I could give myself some advice as a twenty-year-old fresh-faced auditor, it would be to partner more with the auditee, be more pragmatic, listen more, and be less focussed on identifying as many audit observations as possible, however well-intentioned. My focus should have been on testing the key controls and providing assurance which may lead to minimal, or no audit observations being identified. This should be as valued as a report with many significant findings which, unfortunately, maybe due to human nature, is rarely the case. Alternatively, if IA identifies factual and/or significant observations, then the auditee should be mature enough to accept the observations and shift their energy to the management actions. Dependent on the organisation’s control culture I have seen too many auditees needlessly, and sometimes forcefully, argue with IA to undermine the audit process. In my view, this is a zero-sum game.

If IA is performing its role effectively in providing assurance over financial crime programs, then surely is it logical that an organisation should avoid regulatory enforcement actions? I think it is. After reading this, I am sure there are countless auditors screaming that they have previously raised the right issues, perhaps over many years, but management has not listened. This may be the case, but I would then ask the question, why management has not listened and why management has not taken the right actions. Perhaps, due to some of the challenges covered in this article…

Most organisations lack the luxury of maintaining an in-house IA function specialising in AFC. However, this can be mitigated by outsourcing IA to third parties who can maintain independence and have the experience, resources, and time to provide insightful, high-quality assurance transcending any political issues. At Ankura, our AFC team offers bespoke solutions to banks, non-bank financial institutions, and corporates, acting as an extension of our client's organisations. By leveraging our decades of expertise, advanced technology, and significant resources, we ensure that internal audits provide meaningful and actionable insights and management actions, thereby strengthening the overall financial crime control framework.

For assistance with a detailed internal audit review aimed at uncovering potential vulnerabilities in your company's Anti-Financial Crime program, or if you have any other questions or concerns, get in touch with Lee Hale.
 

1. Wolfsberg Group Principles for Auditing for Effectiveness, The Wolfsberg Group, 26 March 2024

2 Publication of Wolfsberg Group statement on Demonstrating Effectiveness, The Wolfsberg Group, 30 June 2021

3. Please note this is an illustrative example and not an exhaustive list of TM process components.

4. Please excuse the use of male-only pronouns as the quote is from over 100 years ago. The principle is the important thing.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

emea, uk, afc, article, f-performance, finance, risk & compliance, financial services, anti-corruption, anti-money laundering

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with