A common question from financial services firms is when they should establish internal audit arrangements. A rule of thumb is that if you're asking the question, you probably already need an internal audit. If there are any questions as to the efficacy of the second line, an independent challenge is a great way to bottom out those issues. There are solutions available for all sizes of firms that can provide comfort regarding key risks, such as anti-money laundering (AML), sanctions, fraud, and market abuse.
How does internal audit act as a third line of defence?
Internal audit functions operate a risk-based approach to assurance with an annual plan of work that is usually agreed by the board audit committee. With the frequency of AML and financial crime fines within the industry, and depending on the size of the internal audit programme, it's common to see AML (or other areas of financial crime) as a high-risk issue with an annual review scheduled. Fraud (both internal and external) is becoming an increasingly significant risk, but anti-bribery and corruption, tax evasion, and market abuse are all areas that should receive periodic specialist review.
Audit plans should flex and change in line with an understanding of the firm’s key risks, corporate events, or even the externalities of regulatory challenge or investigations. Where regulatory engagement results in remediation work, or the need to investigate issues (with good or bad outcomes), specialist financial crime resource in the internal audit team can lend credibility and independence to that investigation. Where remediation is required, this can be a significant challenge to many firms in terms of cost and coordination, and the Board and senior management may be challenged over ensuring oversight of the work.
The use of internal audit to challenge the business and to test the completion of key milestones can provide comfort to senior management, the Board, and externally to regulators.
Engaging the right resourcing model
With firms under increasing cost pressures, the most efficient and effective method of providing an internal audit service remains a key focus for Boards. The costs of a good head of internal audit and team can be challenging for smaller firms, and even the largest ones often seek external assistance where it isn't cost-effective to maintain highly specialised resource in-house. The level of external support required generally dictates the type of engagement with third parties.
When it comes to financial crime, firms may use their own permanent IA resources or use outsource or co-source arrangements with third parties where required. In an outsource arrangement, an outsource provider will deliver the whole of an internal audit function from end to end, including financial crime-related audits where applicable. They'll deliver the audit plan, and scope, execute, and report on each individual audit review.
In a co-source arrangement, a firm will partner with an external provider to deliver specific aspects of an IA review or series of reviews. Co-source arrangements can vary from ongoing integrated co-sourcing arrangements to resource augmentation or the provision of subject matter expertise (SME) co-sourcing. For financial crime-related reviews, arrangements typically include at least the fieldwork elements, particularly any file review or sample-testing activities. The co-source provider will hand over to internal IA personnel at an agreed point, which is often prior to the sharing of draft findings with the business.
Enabling appropriate knowledge and understanding
A key challenge for internal audit functions is to ensure the team has the skills and experience, including technical subject matter expertise, commensurate with the scale and risks of the organisation. In the financial crime space, it's not uncommon for firms to lack the knowledge required to challenge the design and execution of financial crime risk management by the business and/or control functions.
In a financial crime audit, the auditors will need to understand and test complex processes and regulatory requirements. These may include single complex areas, such as a deep-dive transaction monitoring review, or an overarching process that involves multiple regulatory requirements across several business units and products; for example, end-to-end client due diligence, enhanced due diligence review, or the parameterisation of a market abuse monitoring system. This will involve going beyond testing how the business executes that framework and challenging subject matter experts in the first and second lines of defence on how they manage and control risks in their areas of responsibility.
One way to overcome this hurdle is by using external support via an internal audit outsource or co-source arrangement. Firms can buy in specialist experienced resources with the requisite financial crime expertise to conduct a financial crime-related review, or support with a review managed by an in-house internal audit team.
Delivering a successful financial crime audit
The successful completion of an internal audit review will also have key attributes beyond appropriate staffing. A key expectation is for management to set a 'tone from the top' to ensure the business genuinely engages with the audit team. While few people working for a financial services firm won't experience a 'tick box' internal audit at some point in their career, the use of specialist resource will provide a more insightful challenge to the business.
Many people will revel in the discussion of peer standards and practices with specialist internal auditors and the associated sharing and discussion of new ideas and methodologies, but some individuals may feel threatened where their knowledge may be incomplete or where there are known failings. Few internal auditors will complete a career without experiencing the deliberate frustration of an audit or the refusal of the business to accept well-founded concerns. Escalation paths to the CEO and/or the Board can be key to removing these log jams.
Establishing an appropriate scope for the audit (and a commensurate budget for the work) is important and this can be best achieved with the early engagement of specialist resource. Not only will this enable the engagement to focus on key risk areas, relevant to the firm, but bringing in a peer-firm will also ensure that the business can't divert the focus from key risk areas.
Where a co-source arrangement is utilised, there are many practical factors that can impact the effectiveness of the audit review. Such arrangements are often limited to a pre-agreed number of hours, and activities may not include involvement in the discussion of audit findings or report finalisation, which can result in dilution of the issues. The business may be aware of the limitation on resourcing and seek to extend the work beyond such budgets, and it may be beneficial to extend an engagement where this is experienced.
The handover from the co-source service provider to the in-house team does need to be well coordinated. Not only is this important for record keeping and the evidencing of the work undertaken, but if the in-house team isn't well placed to conclude the work, this can result in frustration for the auditor and auditee, potentially hindering future engagements. This problem can be avoided with a well-planned and documented handover procedure.
After the audit
Fully outsourced internal audit service provision does remove many of the difficulties of coordinating two teams, but it can result in other challenges. The aim of internal audit is to partner with the business in order to drive improvement and changes where necessary. Where this partner is external, internal management can take a 'them and us' approach to audits which then becomes less productive and can therefore require more time at greater expense.
The follow-up to an audit can be almost as important as the audit process itself. The issues identified by internal audit will result in actions agreed with the responsible management, with an associated commitment in terms of completion. A key element is to track the completion of these items and to test it where appropriate. Again, the re-testing of audit areas is likely to require specialist resource, although cost is usually minimised by adopting a risk-based approach to re-testing.
The challenge for firms in meeting their financial crime obligations can be seen from the cascade of related fines announced by the regulator across a wide range of businesses. A key element in meeting this challenge is having specialist financial crime internal audit resource. This support may take the form of co-sourcing, outsourcing or one-off reviews. Whichever model a firm may choose, there can be significant comfort for senior management and the Board from a strong internal audit financial crime team. It's important to ensure that any service provider supporting this arrangement has the knowledge, skills, and depth of talent to be able to technically challenge the business in areas of financial crime risk management and operational execution.