Effective Audit Function BSAAML - PowerPoint PPT Presentation

1 / 44
About This Presentation
Title:

Effective Audit Function BSAAML

Description:

... money services businesses (MSBs), credit and debit cards, store value cards etc. ... Apply expert knowledge. Identify Emerging Trends and Risks ... – PowerPoint PPT presentation

Number of Views:68
Avg rating:3.0/5.0
Slides: 45
Provided by: csbs
Category:

less

Transcript and Presenter's Notes

Title: Effective Audit Function BSAAML


1
Effective Audit FunctionBSA/AML
Nyron L. Davidson Founder Cerberean Consulting
Group
2
Discussion Outline
  • An Effective Audit Function
  • Risk Based Approach
  • Four important elements of the audit function
  • Leveraging off internal audits
  • Audit Outsourcing

3
Risk Focused ExaminationsNew Exam
Procedures/Specialized Exams
  • Regulators are continuing to move in the
    direction of risk-focused examinations (aka Risk
    Based Examinations) by concentrating on those
    financial institutions and activities that may be
    most vulnerable. Current priorities include
    BSA/AML Compliance, money services businesses
    (MSBs), credit and debit cards, store value cards
    etc.

4
Why Risk Focused?
  • Promote sound financial system
  • Apply expert knowledge
  • Identify Emerging Trends and Risks
  • Develop Forward-Looking Supervisory Policies,
    Procedures, and Practices
  • Flexibility
  • Proactive approach
  • Significant preplanning
  • Limited testing
  • Risk management approach
  • Minimize regulatory burden

5
Benefits
  • More input on assignments
  • More time to prepare with greater emphasis on
    planning time
  • Specialization among examiners by working with
    specialized areas
  • Collaboration
  • Cooperation with internal and external auditors
  • Coordination with other authorities
  • Minimize Regulatory Burden
  • Minimize cost of examinations and the time needed
    to complete these examinations

6
Risk Focused Examinations Four Key Steps
  • Understanding the Institution
  • Assessing the Institutions Risks
  • Developing a Supervisory Program
  • Defining Examination Activities

7
Risk Focused Examinations Supervisory Documents
  • Institutional Profile
  • Risk Matrix
  • Risk Assessment
  • Supervisory Plan
  • Examination Program
  • Scope Memoranda

8
Internal Audit
  • WHY AUDIT REVIEW?
  • Tool to understand the organization
  • An independent group which looks at issues
  • Independent evaluation of risk
  • Gain knowledge of the control environment

9
  • IMPACT UNDER RISK-FOCUSED APPROACH
  • Review of audit as a control factor
  • Ongoing- review changes to the audit process
  • Reliance upon internal and or external audit

10
Key Role of the Audit Function
  • Internal Audit is relied upon to review and
    appraise the soundness and adequacy of AML
    controls
  • Management also relies on audit to provide
    feedback about the way the organization is
    functioning, as well as, validating the
    institutions process for accumulating and
    reporting on transactions and financial data

11
Key Role of the Audit Function
  • The Institute of Internal Auditors define audit
    as
  • An independent appraisal activity within an
    organization for review of operations as a
    service to management. It is a management
    control, which functions by measuring and
    evaluating the effectiveness of other controls

12
Internal Audit Function
  • The board of directors and senior management
    are responsible
  • The auditor should have Clout and Independence
  • The audit function should be adequately
    staffed, possess the appropriate, skills,
    expertise, training and qualification
  • Audit function should report to the board of
    directors directly or through a board appointed
    committee (i.e. Audit Committee). Audit function
    should report to the board of directors directly
    or through a board appointed committee (i.e.
    Audit Committee)
  • Functional and Administrative Reporting Lines
  • Internal audit function should be competently
    supervised and staffed by people with sufficient
    expertise and resources to identify the risks
    inherent in the institution and to assess the
    effectiveness of internal controls

13
Four Important Elements the Audit Function
  • Competence of the internal audit staff
  • Independence of the internal audit staff
  • Adequacy of the internal audit coverage
  • Audit Report and managements response

14
  • Management, staffing and audit quality
  • Internal audit function should be competently
    supervised and staffed by people with sufficient
    expertise and resources to identify the risks
    inherent in the institution and to assess the
    effectiveness of internal controls

15
Competence of the Audit Staff
  • The first decision that must be made concerning
    internal audit is the competency of the employees
    performing the audit function
  • Auditor competence is found in three areas
  • Job qualifications and training
  • Relevant work experience
  • Quality of Work

16
Job Qualifications and Training
  • Evidence of staff competency includes the
    auditors
  • Resume
  • Diplomas
  • Certifications
  • Continuing education
  • Sufficient knowledge of applicable laws and rules

17
Relevant Work Experience
  • Auditors resume will be best indication of
    relevant work experience and should include prior
    work experience and responsibilities
  • Does auditor have experience in banking and bank
    accounting?
  • What is the extent of specialized experience such
    as bank compliance and operations, electronic
    data processing, trust , and credit?

18
Quality of Auditors Work
  • Quality is evaluated by reading the audit reports
    and reviewing work papers to see if they are
    complete and comprehensive
  • Another important aspect of quality is the
    internal auditors ability to complete the annual
    audit plan on a timely basis
  • Audits not completed timely could indicate that
    the audit staff was too small or inexperienced

19
Independence of Internal Audit Staff
  • The auditor must have enough independence to be
    able to perform the audit function objectively.
    To be independent, an auditor must
  • Have sufficient responsibility to perform the job
  • Have senior managements support
  • Be accountable to the board and executive
    management only
  • Be independent of the activities he or she audits

20
Independence of Internal Audit Staff
  • Is management able to restrict or alter the audit
    program in anyway?
  • Any requests for deviation from the annual audit
    program should be reviewed and approved by the
    board or a committee thereof
  • Does the audit report go directly to the board or
    its audit committee?
  • The president or the head of the department that
    was audited should have no ability to negotiate
    or edit the contents of the audit report

21
Adequacy of the Internal Audit
  • The scope of the audit should be consistent with
    the internal audit objective
  • The objective of the audit is to assess
    compliance with applicable laws, rules, standards
    and internal policies and procedures

22
Adequacy of the Internal Audit
  • The evaluation here is whether the scope of the
    audit is adequate given the nature of the
    institutions activities
  • When reviewing the scope, consider the following
  • Who set the scope, the scope should be set by the
    auditor and approved by the board
  • Is the audit structured to assess the controls
    based on the risks posed by the products and
    services offered, customers served, and
    geographies

23
Adequacy of the Internal Audit
  • What should the audit program incorporate?
  • An assessment of the AML compliance officers
    adherence to his/her designated roles and
    responsibilities
  • The adequacy of policies and procedures
  • The AML training program
  • The integrity and reliability of systems used for
    AML compliance

24
Adequacy of the Internal Audit
  • What should the audit program incorporate?
  • Record retention
  • Currency transactions
  • Suspicious Activity Reports
  • Wire transfers
  • Know Your Customer
  • Sale and purchase of monetary instruments

25
Frequency of Audit Coverage
  • The audit schedule should be in the annual audit
    plan
  • The audit plan should be approved by the board
  • Each area should be on the annual audit schedule
  • Some areas will be audited more frequently than
    others

26
  • The manager of internal audit is
  • responsible for
  • Control risk assessment
  • Audit plan
  • Audit program and
  • Audit reports

27
  • Control Risk Assessment
  • (Risk Assessment Methodology)
  • Documents the internal auditors understanding of
    the institutions business activities and their
    associated risks. These assessments analyses the
    risks inherent in a given business line, the
    mitigating control processes, and the resulting
    risk exposure. They should be updated regularly
    to reflect changes to the system of internal
    control or work processes, and incorporate new
    lines of business.

28
  • Audit Plan
  • Based on the control risk assessment and
    typically includes a summary of key internal
    controls within each significant business
    activity, the timing and frequency of planned
    audit work and resource budget.

29
  • Audit Program
  • Describes the objectives of the audit work
  • and lists the procedures to be performed
  • during the review.

30
  • Audit Report
  • Presents the purpose, scope, and result of the
    audit including findings, conclusions and
    recommendations. Workpapers that document the
    work performed and support the report should be
    maintained.

31
AML/CFT Audit Reports
  • The AML/CFT audit report should
  • Sufficiently describe the work performed
  • Indicate that all operational deficiencies were
    completely investigated during the audit
  • Indicate any deficiencies that were identified or
    criticized in the previous report that remain
    unsolved

32
AML/CFT Audit Reports
  • The AML/CFT audit report should
  • Document the follow-up procedures, and
    managements response to deficiencies
  • Be presented to the board, or a committee
    thereof, by the auditor or audit manager

33
Managements Response to the Audit
  • Managements response is a critical factor in
    evaluating the effectiveness of internal audit
  • Even if the auditor is fully qualified and
    his/her audits were comprehensive, they are of
    little value if management ignores the findings

34
Managements Response to the Audit
  • Three areas to consider when evaluating
    managements response
  • Appropriateness of the response
  • Timeliness of the response
  • Repeat deficiencies

35
Managements Response to the Audit
  • Managements responses to audit findings should
    document appropriate corrective actions to the
    deficiencies
  • A deadline should be provided in which management
    should respond to audit findings
  • The board or a committee should monitor responses
    and investigate when responses are not provided
    in a timely manner

36
Managements Response to the Audit
  • Repeat deficiencies should be noted in the audit
    reports, and the board should take appropriate
    action to achieve final resolution of
    deficiencies
  • In some cases, it may be appropriate for the
    auditor to perform follow-up procedures to verify
    that corrective action was taken

37
Managements Response to the Audit
  • Senior managements reaction to repeat
    deficiencies should be evaluated
  • Senior management should send a strong message to
    employees regarding the correction of repeat
    audit deficiencies
  • In some organizations, repeat audit deficiencies
    are considered in performance evaluations of
    department managers

38
Leveraging off Internal Audit
  • It may be possible to rely on already-performed
    audit work in the risk assessment and planning
    process
  • Leveraging off internal audit avoids redundant
    verifications and reviews of certain business
    areas while on-site
  • This can be done only after audits work has been
    deemed credible and effective
  • Examiners should document whether the scope of
    their own review will be influenced by the
    internal audit work already completed

39
Limits to the Use of Internal Audits Work
  • Circumstances which would likely preclude
    leveraging off the work of internal audit
  • The banks risk assessment process is not
    comprehensive
  • The audit program for individual business lines
    are inadequate
  • A recent audit was not performed since the prior
    examination

40
AUDIT PROVIDERS
  • External audit
  • ENGAGEMENT LETTER
  • - Financial statement reviews
  • - Operational reviews
  • - Agreed-upon procedures

41
AUDIT PROVIDERS
  • Audit Outsourcing Arrangements
  • - Contract between institution and vendor. This
    include
  • Expectations and responsibilities
  • Scope and frequency of, fees to be paid and work
    to be performed
  • Establish process for changing terms of service
    contract

42
AUDIT PROVIDERS
  • Specify location of audit reports and related
    work papers
  • Specify period of time that vendor must maintain
    workpapers
  • Examiners Access available for regulatory by
    regulators in a timely manner and
  • Vendor will not perform management functions,
    make decisions or act in a capacity equivalent to
    management or staff.

43
AUDIT PROVIDERS
  • Vendor Competence- Perform due diligence
    (staffing, expertise and qualifications)
  • Management- BOD Snr Mgmt should ensure function
    is competently managed
  • Communication- Audit Committee Snr Management .
    Work to be properly documented
  • Contingency Planning- Plan for discontinuity as
    arrangements can be terminated suddenly

44
Types of Control Breakdowns in Financial
Institutions
  • Lack of adequate management oversight and
    accountability,and failure to develop a strong
    control culture
  • Inadequate recognition and assessment of risk of
    business activities
  • Absence or failure of key control structures and
    activities such as segregation of duties,
    limits/approvals, reconciliations and review of
    operating performance
  • Inadequate communication of information between
    levels of management
  • (top- down/bottom- up)
  • Inadequate or ineffective audit programmes and
    monitoring activities.
Write a Comment
User Comments (0)
About PowerShow.com