If you have been paying attention to the extensive requirements of the Money Laundering Regulations (if not, start here), you will know that ‘Independent Audit’ is an important piece of the puzzle.
It can be difficult to know where to start – and who should be involved. Let’s see if we can demystify the process!
What is an independent audit under the Money Laundering Regulations?
Regulation 21 says:
“Where appropriate with regard to the size and nature of its business, a relevant person must…
…(c) establish an independent audit function with the responsibility—
(i) to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by the relevant person to comply with the requirements of these Regulations;
(ii) to make recommendations in relation to those policies, controls and procedures; and
(iii) to monitor the relevant person’s compliance with those recommendations.”
When the Regulations first came into force, there was a general assumption that this would only apply to the large law firms.
That myth has been dispelled by the SRA. As our statutory AML Supervisor, they say in the most recent Risk Outlook that ‘most firms’ should be commissioning independent audits. Which is a pretty clear indication of what they expect.
The SRA is increasing their AML supervision function and many firms are being targeted for close scrutiny. We anticipate that they will increasingly want to see evidence of an independent audit function. Firms will have to justify themselves if they do not consider independent audit necessary under the Regulations.
How does this differ from the ‘Firm wide risk assessment’?
A Firm wide risk assessment is seen by the regulators as the cornerstone of AML compliance. Once a firm analyses and understands its priority risks, its AML processes, controls and training can be tailored accordingly. Basically, everything flows from the risk assessment. That is why the risk assessment is the first thing the SRA asks to see when they come knocking.
Think of an independent audit as the quality control function. It provides a feedback loop to the firm. Does what happens on the ground follow the firm’s AML procedures? Are the controls properly tailored to the firm wide risks? Are there any gaps?
The audit is a critical analysis of the effectiveness of AML systems, which will either tell you what you already know or highlight blind spots.
Who can conduct a ‘Regulation 21 audit’?
Unhelpfully, ‘independent’ is not properly defined in the Regulations. But logic dictates that it means:
- either somebody internal who is not marking their own homework (i.e. is not generally involved in AML compliance)
- or an external third party
Who should be involved?
An audit will be a significant commitment of resources if conducted internally. The auditor will be diverted from their usual management, fee earning and other duties for at least a few days.
So the first question to ask is, who has capacity and can we afford to divert them to this project?
Secondly, you will need to make sure that the auditor:
- has the knowledge and experience to be able to conduct an audit (they do not need to be an AML professional, but will need a working knowledge of the Regulations, LSAG Guidance and general legal practice – there is a steep learning curve)
- has the analytical skills to digest large amounts of information from disparate sources, come to reasoned conclusions and communicate their recommendations effectively to the firm’s managers
- will be able to maintain their independence in the face of internal defensiveness (this might dictate the seniority and character traits of the auditor).
The reality is that in a small or mid-size firm, it might be difficult to come up with a shortlist of willing and able auditor candidates.
What does the independent audit need to cover?
Again, this is not something that is dictated by the Regulations in detail. In our view, the auditor should be looking at a number of core documents, including:
- The firm wide risk assessment
- AML policies and procedures
- AML training records and content of training
- Standard file risk assessments used in each department
- AML Registers (e.g. reports to the MLRO)
To do the job properly, we also believe the auditor should dig more deeply into the day-to-day implementation of AML procedures. Our favoured tools are:
- Interviews with senior people
- Interviews with file handlers
- Interviews with junior and support staff
- File review
How long is an audit likely to take?
This largely depends on the size of the firm and the extent of the audit that is required. In our experience, even a small firm will take at least four days’ work for one person.
Can we use a template audit?
Yes, and it’s a good idea to give your auditor all the tools they need without having to reinvent the wheel.
Our free template can be found below (subject to revision). We have drafted it to give the auditor a solid indication of what will be expected of them.
How often should we repeat the audit?
Unsurprisingly, the Regulations are not prescriptive on this point and again it is likely to depend. A firm with a glowing audit might decide that another is not necessary for two, maybe three, years. Whereas a firm with lots of recommendations is likely to want to repeat the process annually, at least until the audits are more positive.