Why independence matters with AML audits
AML/CFT supervisors recently expressed concern about the lack of independence of some AML/CFT audits. During a special auditor outreach session, they listed some examples that were of concern. These included the wife of the business owner carrying out an audit for that particular reporting entity. In another example, auditors offered their audit for free as an incentive for the firm to use the software solution provided by a related company.
The supervisors were quick to remind the industry of the need for independence by both the regulated entity and the service provider. They warned that in future, if they spot a lack of independence, it is likely they will hand down a private warning and ask the regulated entity to do the audit all over again.
So, while it may be tempting for a business to work with only one advisory firm or software provider to meet all its AML/CFT needs, the key word to bear in mind is independence.
Firms need to engage independent auditors to assess their compliance under the Act, or risk falling foul of the supervisors. Maintaining such independence is an important pillar of the successful operation of our AML/CFT regime.
What is the audit requirement?
Under the Anti-Money Laundering and Counter Financing of Terrorism Act 2009 (AML/CFT Act), most reporting entities need to complete an independent audit every two years.
This requirement provides a systematic check of the firm’s AML/CFT programme. It assesses whether it is functioning effectively in practice, and whether the policies, procedures and controls are appropriately based on the risks of money laundering and terrorism financing (ML/FT) identified by the business.
This audit must be completed by an ‘independent’ person who is appropriately qualified to carry it out.
What does ‘independent’ mean exactly?
‘Independent’ means the person carrying out the audit must not have been involved in putting together the risk assessment for the business, or in the creation, operation, or maintenance of the business’ AML/CFT programme. That person must also be sufficiently independent of the area of the business responsible for undertaking these AML/CFT functions.
When selecting an auditor, reporting entities should consider any potential conflicts of interest that could call into question the auditor’s independence. The supervisors say it is relevant to consider whether the auditor has a financial interest in the business, or vice versa. If one party has a financial interest in the other’s business, then it needs to be considered whether this could influence the outcome of the audit, or whether either party’s financial interest could be harmed by the audit results. If it could, the person is not sufficiently independent, and you should look for another auditor.
If an AML/CFT company (A) provides generic guidance, templates, training, or information to enable a regulated entity (company B) to undertake its own risk assessment, or establish and operate its own AML/CFT programme, this may not affect the ultimate independence of A or preclude it (or a related company) from auditing company B.
The important distinction lies in whether A has helped B to tailor and implement the programme or conduct the risk assessment, by providing bespoke, rather than generic, information and services. The real issue arises when one of the business’ integral AML/CFT processes or obligations is outsourced to another company, who then turns around and conducts the audit, or the auditor is related to the company that helped with these integral processes or obligations. In short, if they helped build it (specifically for your company), they shouldn’t audit it.
Remember, the standard for auditor independence should be determined by viewing independence through the eyes of an objective, reasonable and informed third party.
Why is independence important?
Auditors must be independent to ensure the objectivity of their assessment and audit findings.
If an auditor (or their company, or a related party) helped the regulated entity put together its risk assessment, then it may be hard for that auditor to be objective when it comes to assessing whether that same risk assessment meets the requirements of the AML/CFT Act.
Likewise, if an auditor (or their company, or a related party) had been contracted to, or provided software for conducting customer due diligence (CDD) for a regulated entity, it will then be hard for that