Financial Crime Prevention, Crisis and Continuity Management in Focus at the IIA Finance Forum
Close to 90 professionals joined the Finance Forum arranged by IIA Sweden, the Institute of Internal Auditors, in Stockholm on Thursday last week. To kick off the conference, Louise Brown from the Advisense Financial Crime Prevention team was invited to discuss the topic “Infiltration and corruption – part of everyday business?”.
Compared to many other countries, Sweden is not quite on the front line with regard to managing anti-fraud and corruption. On the contrary, Sweden is seen as lagging behind its Nordic neighbours. A key issue that many companies are now focusing on is to better understand the current risk environment, and with that to establish a common risk taxonomy. It might seem evident, but when it comes to terminology and fraud and corruption, Sweden is perhaps slightly unique.
Commonly, a variety of terms is used in Sweden, including “friendship corruption”, which by international standards is referred to as nepotism, and “undue influence”, but also “infiltration” and “enablers”, when in essence the type of behaviour we are talking about is corruption. Having a varied vocabulary can help explain more specifically what an issue is about, but it can also make it confusing.
Moreover, when companies carry out their risk assessments, experts agree that a vital part that often is missing is the clarity of how you arrive at certain results, over and above demonstrating that a risk assessment has been done. This is a risk within risk management, namely that there are different perceptions of what constitutes a high or a medium level risk.
A further consistent theme during the conference was crisis and continuity management: understanding your risks, business impact analysis, and prioritization. The message is that when analysing and addressing their risks, companies cannot set everything as priority one or 100%. The first success factor in crisis and continuity management is precisely to be able to set clear priorities from the top. Proper conditions for management are further created when there are clearly defined process owners.
The task of establishing a risk taxonomy, priorities, roles and responsibilities is a common thread in both fraud and corruption prevention and crisis and continuity management. Who is supposed to lead what in an anti-fraud and corruption management program, and who is supposed to lead during a crisis?
The conditions for effective leadership are based on understanding and interpreting the situation. The better you have done your risk analysis, the faster you will understand and be able to organize to meet the needs and lead. Plans need to be tested and evaluated, so that the organisation can learn what is missing in the process and develop robust capabilities accordingly. Third-party risk should be included at all times, in terms of the risk of fraud and corruption but also of the third party's ability to act in a crisis and ensure continuity in delivery.
The role of internal audit will be increasingly critical going forward. With the new IIA global guidelines coming into force, the evidence of conformance is highlighted and will support auditing of fraud further. In this context, it will become increasingly important to consider goal achievement and productivity of the internal audit process. Questions to ask include whether internal audit is delivering towards general goals only and whether it has sufficient understanding of the current risk environment. This will impact the risk analysis and audit planning, but also time and resource allocation.
Organisations today operate in a highly regulated environment. A well-maintained internal audit function is an essential part of the governance framework. The internal audit function should have the capacity to strengthen certain key areas and processes to be able to meet identified and emerging challenges even better. Given the updated regulatory and reporting requirements specifically on anti-money laundering and counter-terrorist financing, but also the prevalent risk of financial crime at large, the internal audit function needs to be properly equipped with resources.
“A potential pitfall can be that internal audit focuses on the same issue areas as the compliance function. Rather, internal audit should focus on compliance as a function in itself. Specialist competencies may be needed to address specific issue areas that are identified during an audit, and management has to take into consideration that one consequence of the internal auditing process can be that additional examinations may be needed.”
Key takeaways:
- Financial crime is part of the everyday risk exposure in the Swedish and Nordic business community.
- Discuss your risk taxonomy in the organisation to make sure that you are clearly talking about the same things, especially in what can be perceived as a grey zone across various forms of economic crime and unethical behaviour.
- Scrutinize how the levels high, medium and low risk are established when analysing your risks. You need to be able to prioritize, and creating ‘inflation’ by addressing low risks as medium or high hinders the organisation from working risk-based.
- During the audit planning process, carefully review if and how the internal audit function may need specialist competencies and external support to meet the needs of the organisation.