The Future Role of Internal Audit in Financial Crime Prevention
The outlook of the financial crime risk landscape is bleak, but efforts are ramped up in the head-to-head chase with organised crime. Research proves the connection between fraud and KYC failure, and experts argue that the most powerful tool to prevent fraud is through anti-money laundering measures.
Amidst these developments, a discussion about the future role of internal audit in financial crime prevention is due.
The outlook presented at the Financial Fraud Forum held in Stockholm on the 20th September by experts from the Swedish Economic Crime Authority, the London Police and others is clear. So is the perspective that anti-money laundering stands out as the recommended means to prevent fraud.
Fraud will potentially increase 25-60 percent from now to 2025. 70 percent of companies used by organized crime is for the purpose of laundering money. According to a recent global survey on economic crime, two-thirds of organisations across industries that suffered from fraud discovered their most disruptive incident through corporate controls. The same report says that fraud exposure in the financial services sector is to “29 percent caused by KYC failure”.
It is no news that only a few percentages, or even just one percent, of money laundering is stopped. 0,1 percent of criminal proceeds are recovered. Observers like to emphasise the view that there is no silver bullet, and that organisations should break their silos and use larger sets of data, more and different than a traditional focus on credit history, to tackle current challenges. Stronger links between the KYC process and transaction monitoring are needed, evidenced by the average rate of false positives in transaction monitoring of 60 percent or more, with subsequent costs of handling. Meanwhile, expectations from supervisory authorities are leaning increasingly towards the demonstration of effectiveness and a risk-based approach in AML efforts.
Challenges across the defence lines
There are some common challenges across all three lines of defence that are shared by many if not most organisations. Vulnerabilities in the first line operations typically include information collection, risk awareness and resources. At the same time, organisations are exploring how they can step up the automation of the KYC and customer onboarding process. In the second line, compliance functions are maturing, and working hard to improve the effectiveness of monitoring and securing appropriate controls. In view of the EBA Guidelines on the role of AML/CFT compliance officers, it is logical that a lot of attention at present is on the first and the second line, and how organisations should best navigate needs and regulatory requirements.
Moreover, and equally interesting is the much-needed discussion around the third line of defence and the future role of internal audit in financial crime prevention.
Recent supervision tells us something about expectations on internal audit from regulators.
Aspects that frequently warrant assurance:
- If internal audit performs an analysis of risks, make sure to cover all parts of the AML area (processes, models, systems, new or emerging risks, etc.);
- If the risk universe is complete;
- If the risk assessment process is adequately documented and followed?
- If there is a clear framework in place that has been discussed and documented by the competent committee or similar, and then audited by internal audit;
- If all lines of defence appropriately cover and deliver their responsibilities considering also if one of them relies too much on one of the others;
- If parts of the process or monitoring are outsourced and such has been audited by internal audit;
- And, if there is sufficient documentation of the work throughout the audit process?
The third line of defence should not be the final point of assurance. Nevertheless, current challenges in the third line involve competent resources with some subject matter expertise at hand and audit focus with actions corresponding to a risk-based approach.
Creating a common understanding of ‘efficiency’
According to Rasmus Forssblad, Director Internal Audit, it is important to ensure that there is a common understanding of what is meant and expected with regards to efficiency.
“In terms of internal audit efficiency, it can be understood as goal completion. But it can also be understood in terms of productivity. It is recommended to consider a few perspectives in this context, including if internal auditing of AML measures and anti-financial crime at large is delivering against general goals and/or if the IA function has sufficient understanding of the current risk environment, how the audit planning process is performed and what focus there is on selected auditing areas.Rasmus Forssblad
The second big question which will impact internal audit efficiency in financial crime prevention is specialist competence, which has material impact on the ability to focus on issue areas arising during the audit.
According to Rasmus Forssblad, the financial industry can likely expect an increasing importance of the third line of defence in with regards to AML and the AML compliance officer function. He also has the experience that it is important to emphasise that internal audit should audit the second line, not necessarily on the issue areas that the second line itself chooses to focus on. And equally important, be prepared to deal with the consequences that may arise when issues are identified that require further auditing.
Key takeaways on the future role of internal audit in financial crime prevention:
- Ensure that a risk-based approach is achieved.
- Analyse what is not captured in the first and second lines.
- Ensure specific competence to allow the organisation to deliver on general goals, but also properly understand the concurrent risk environment including consequences for the business.
- Allocation of time and resources in the internal audit plan- provide room for adjustments when specific issues are identified during the internal audit process which requires additional resources.
- Internal audit and compliance should exchange reports. This does, however, not mean the second and third line should look at the same things.
- Make sure not to exclude areas that are deemed well-functioning. Such should also be included in the internal audit.
For more information on this and related topics, please contact: