Update: Auditing the AML Program? What?s New?
Update: Auditing the AML Program ? What?s New?
By Alan S. Abel, CPA, representing the American Institute of Certified Public Accountants to the Bank Secrecy Act Advisory Group
In each issue of The SAR Activity Review, representatives from the financial services industry offer insights into some aspect of compliance management or fraud prevention that present their view of how they implement the BSA within their institutions. The Industry Forum section provides an opportunity for the industry to share its views. The information provided may not represent the official position of the U.S. Government.
Counter to the conventional wisdom and surprising to many today, the core legal and regulatory requirements that serve as the foundation or the ?Four Pillars? of a Bank Secrecy Act (BSA) /Anti-Money Laundering (AML) program for financial institutions were established by law and implementing regulations for a number of key covered sectors well before the enactment of the USA PATRIOT Act of 2001 (PATRIOT Act). With regard to the ?Fourth Pillar,? that a covered financial institution shall have ?an independent audit function to test programs,?24 the only language change the PATRIOT Act brought forth was to substitute the word ?testing? for ?audit?. Without speculating on Congressional intent eight years in the past, that one change, however terse, established a strong foundation for significant implementing rules, regulatory guidance and expectations, and the evolution of leading AML compliance program auditing practices going forward. Also, from the time that this article?s antecedent was published in the sixth issue of The SAR Activity Review in November, 2003, we have seen a number of important changes stemming from the experiences and ?lessons learned? by covered financial institutions? management and boards, and their internal and external auditors, and in examination feedback from their regulators.
The Audit Objectives ? Pretty Much the Same
In issue six, I talked about the primary objectives of an auditor?s independent review of a suspicious activity reporting program and important criteria and elements that a leading practices audit program should consider.25
They were then, and still are:
- Determine whether the overall AML/BSA compliance program and its suspicious activity reporting component is suitably designed and operating effectively.
- Identify any material program weaknesses, control deficiencies and corresponding opportunities for program, process, and control enhancements, and report them to senior management and the board (usually the audit committee).
- Assist management with identifying money laundering, terrorism financing and other financial crime vulnerabilities, and not lose sight of the context of risk focused supervision and the four major qualitative risk factors universally recognized by regulators ? compliance, reputational, strategic, and operational.
- Perform and document procedures and results that may be useful to regulators in conducting their supervisory examinations.
To these I would add:
- Assess and identify possible gaps and opportunities for management to continually improve its suspicious activity detection, investigation, analysis, escalation, documentation and reporting processes and controls, including due diligence feedback, and the enterprise-wide AML risk assessment process.
- Assess management?s AML strategic planning process.
- Identify opportunities and methods to help management make program enhancements continuous and sustainable.
- Assess and identify opportunities to enhance management?s self-monitoring and self-testing compliance review program. A robust, centralized, compliance monitoring program has increasingly become a regulatory expectation, particularly for larger enterprises (this doesn?t really apply to smaller entities).
- Assess how well AML compliance is integrated into the business.
Changes of Consequence
In the six years since I last addressed this topic, there are some big-ticket changes, many of which stem from natural program maturation:
1. The enhancement of the audit function itself in response to direct supervisory criticism. In recent years, there have been numerous supervisory examination reports and enforcement actions citing financial institutions for having insufficient AML/BSA audit functions, particularly in auditing suspicious activity reporting processes, or more importantly, in not properly identifying and highlighting their lack thereof. Generally these criticisms have been about:
- Deploying insufficient levels of audit resources dedicated to auditing AML programs, their process, and controls.
- Using internal staff or consultants who lack the requisite credentials, experience, and subject matter training and expertise.
- Failing to employ well-considered risk-based approaches in auditing, resulting in insufficient attention to higher-risk areas and processes, and with questionable frequency.
- Lack of proper audit effort and skills for validating transaction monitoring systems.
- Failure to sufficiently escalate significant and meaningful findings to management and audit committees.
- Lack of follow-up with management on urgent findings, and not sufficiently holding management?s ?feet to the fire? for remediation of reported deficiencies.
Is there good news to share? Yes, there is. By and large, financial institutions have made much progress in employing or engaging more experienced audit professionals, greater level of effort, stronger and better documented risk-based approaches, and more thorough auditing and testing of processes, systems, and controls. Is there yet room to improve? Sure.
2. Examiner reliance. Stemming from #1, examiners say they increasingly rely on the reports, workpapers and competence of AML auditors.
Over the past few years, regulators have repeatedly emphasized the importance of the ?Fourth Pillar?, testing, and the BSA/AML auditor. They have stated repeatedly that when examiners get to a reasonable comfort level where they feel that they can rely on the professional competence and experience of the internal and external auditor, the quality of the audit, as evidenced by meaningful, well-written reports and well-documented workpapers, the effectiveness of auditors, as evidenced by their empowerment by senior management (and especially the Board Audit Committee) as demonstrated by their ability to get management?s urgent and effective response and remediation, they do.
3. Enterprise-wide risk assessment and ?risk response?. Also responding to regulatory criticism, we have seen considerable advancement in enterprisewide risk assessment, both broad-brush and for AML. Auditors have gotten much better at carefully considering management?s AML risk assessment in designing, scheduling, and staffing their own risk based audit procedures. Management?s risk assessment ought to be a very important tool for auditors to consider in performing, in turn, their own audit risk assessment. Similarly, broader promulgation and acceptance of the revised ERM COSO model26 as a foundation methodology for audit professionals has resulted in auditors? greater focus, not just on risk assessment, but on risk response. Competent and proactive management may now produce a rich, comprehensive, detailed, enterprise-wide risk assessment, but if the strategic and tactical responses are lackluster and lack teeth, then the question becomes, ?So what??
More recently, auditors, and audit methodology and procedures, have gotten better in ferreting out and testing the effectiveness of management?s response to their own assessed risk and the mitigating or compensating controls. Are we really focusing on and monitoring where we believe we have higher risk? Do we have adequate processes and controls in place for identifying and reporting unusual and suspicious activity? Are these processes and controls working appropriately as intended? Do we have any significant gaps? Can we brandish reports for adequately monitoring every red flag we wave and identify an individual who does that in every case? How responsive are we, and is it in a sustainable way?
4. Fraud and other reportable conditions. Most of the BSA SAR reportable conditions across the sectors are in fact fraud and not money laundering ? i.e. they are about BSA and not AML. But they are, nevertheless, required BSA-reportable conditions. Better risk assessment processes are leading, responsively, to better detection and reporting of both AML and non- AML activity. However, this necessarily increases the auditor?s scope and responsibility. In auditing SAR processes, auditors must consider the nature of the business, the entity itself, the ERM, and the AML enterprise-wide risk assessments. The radar screen must be all-encompassing.
5. IT Auditing. Audit departments have learned, and have come to appreciate, the need for greater attention to validating new or modified transaction monitoring systems as well as data quality, especially customer data quality. All too often IT auditors have learned that what comes out may not exactly tie to what goes in, or maybe it never came in quite right in the first place.
6. Customer Identification Program (CIP). The sixth anniversary of CIP for banks, broker dealers, and mutual funds is well upon us. Once considered a major implementation challenge with a high occurrence of backlogs and gaps, CIP processes and strong controls have become fairly routine to account opening processes for the covered sectors. Also, after six years of process maturity, it has become more difficult for management to live with and explain a lack of CIP in pre-existing accounts. ?How,? asks the auditor and the examiner, ?can you tell me that you know your customer if you haven?t looked at their file in more than six years?? The answer: not easily. CIP maturity also ties closely to IT auditing because of the importance of customer data quality to CIP effectiveness. Six years ago it was not uncommon to perform audit procedures for testing customer data quality and to surface missing or erroneous data entered without proper data validation controls. As auditors we still come across and hopefully escalate deficiencies in data quality, but today we do find the more egregious situations to be fewer and farther between.
7. Training. Also responding to regulatory criticism, financial institutions have generally improved the quality of their BSA/AML training content and delivery, and that includes their internal auditors. External consulting professionals are ostensibly core competent as auditors and with the AML subject matter. Whether internal or external, audit professionals in the U.S. are subject to considerable and growing ?Continuing Professional Education? (CPE) requirements to maintain their certifications. Not surprisingly, as AML programs, and their component suspicious activity reporting, have matured in the business-as-usual environment, so too have the quality of subject matter experts, (SMEs), i.e. smart, seasoned compliance and audit professionals.
8. Trees, forests, efficiency and effectiveness. These days, the internal audit function is by no means immune from contemporary pressures to do more with less. As a result, audit programs and effort, regardless of over-arching control objective ? financial reporting, operational, or compliance are just as vulnerable to cost-cutting as are the business units and other support areas (see item #1 above). Today, the pressure is on to do less, not more. For BSA, this slippery slope can lead to obsessive focus on ?trees? (testing CIP, CTRs, SARs) and may get away from the proverbial forest, and from really helping management in a more operational way ? to identify opportunities to become more efficient and effective. Properly considering the forest requires a well-considered COSObased audit approach that asks, fundamentally, is the whole of the program truly greater than the sum of its parts? The seasoned audit professional and SME really needs to be asking the right questions. And through independent assessment, one can assist management and the board in their efforts to get to and sustain effective risk assessment and risk management, operational efficiency, well-being and protection of the business entity, its people, its reputation, and its assets.
Here are some of the right questions to be asking:
- Are we doing the right things, and are we doing them well? How do we compare to others?
- Are we sufficient, competent, and effective?
- Are we well-integrated?
- Are our program components properly positioned?
- Are we outsourcing and insourcing the right processes in line with our competencies and economies? Are we properly managed and accountable in all cases?
- Top-down and bottom-up ? is our program working as intended?
The Hubble Advantage
It would seem, at first glance, nonsensical to have a discussion about who has the greater performance advantage (or conversely, the performance handicap) ? the examiner or the auditor. But in closing, it?s worth highlighting two points of great consequence for each party, and also for management, the board, and law enforcement.
The seasoned, professional AML/BSA compliance auditor (and an important part of the message here ? an AML/BSA operational auditor), internal or external, has one important performance advantage over the examiner, and with very good reason. With full-time job experience comes valuable inside knowledge of the institution, the business units and business processes, management and staff. There comes a point where these professionals will hopefully come to know the business entity inside and out.
The examiner, on the other hand, has a tool that auditors can only dream about (and management too) ? namely, the entire universe of reported SAR activity from 1996 (and some even before that). Six years ago, the BSA database harbored roughly 1.5 million SARs, and most of them were filed by conventional deposit-taking and lending institutions. Today the SAR universe is well past 7 million reports and increasingly reflects MSBs and other covered sectors. When it comes to competency gathering, assessing due diligence and monitoring the event horizon, e.g. media searches connected with continuing business relationships, or potential new ones, financial institutions have generally made considerable strides, and the state of the art has become far more sophisticated.
However, at the end of the day, regulators and law enforcement have the power of that vast and rapidly growing SAR universe, and that?s a formidable power indeed. Here they will always have the better cards, and for good reason. Management, with auditors? help, will keep improving their ability to detect and report the suspicious activity that they can see in their own microcosm. But examiners and law enforcement have their ever-expanding Hubble telescope to see all those shooting stars.
24 USC Title 31, Section 5318(h)(1)(D) as amended by the USA PATRIOT Act of 2001, SEC. 352. ANTIMONEY LAUNDERING PROGRAMS: ?...(1) IN GENERAL.?In order to guard against money laundering through financial institutions, each financial institution shall establish anti-money laundering programs, including, at a minimum? ??(A) the development of internal policies, procedures, and controls; ??(B) the designation of a compliance officer; ??(C) an ongoing employee training program; and ??(D) an independent audit function to test programs.
25 See The SAR Activity Review - Trends, Tips and Issues (Issue 6), page 71 (November, 2003).
26 Enterprise Risk Management ? Integrated Framework, Executive Summary, September 2004, The Committee of Sponsoring Organizations of the Tread
ay Commission (COSO).
Excerpted from SAR Activity Review Issue 16, page 60
First published on 10/01/2009