IIA Australia White Paper Engagement Risk Assessment


Connect Support Advance

White Paper

Engagement Risk Assessment for AML/CTF Program Audit

2024

This resource was prepared after the ‘Global Internal Audit Standards’ were published in 2024

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E [email protected] www.iia.org.au

© 2022 - The Institute of Internal Auditors - Australia


Contents

Background
- Purpose
- Introduction
Discussion
- Issue
- Discussion
Conclusion
Bibliography and References
Purpose of White Papers
Author’s Biography
About the Institute of Internal Auditors–Australia
Copyright
Disclaimer

Introduction

Purpose

The purpose of this White Paper is to discuss engagement risk assessment when performing independent reviews of Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) Programs maintained by organisations that provide designated services defined under Section 6 of the ‘Anti-Money Laundering and Counter-Terrorism Financing Act 2006’. These organisations are commonly known as ‘Reporting Entities’. The regulator governing these reporting entities is the Australian Transaction Reports and Analysis Centre (AUSTRAC).

This document refers to the ‘Global Internal Audit Standards’ published in January 2024 and effective in January 2025.

Introduction

Anti-Money Laundering (AML) can be defined as:

Concealment of the origins of money gained from crimes such as tax evasion, human trafficking, drug trafficking and corruption.

Counter-Terrorism Financing (CTF) can be defined as:

Government laws, regulations and practices intended to restrict access to funding and financial services for people or organisations governments designate as terrorists – by tracking down the source of funds that support terrorist activities, law enforcement may be able to prevent some of those activities from occurring.

Independent reviews of AML/CTF Part A Programs of reporting entities are:

› Mandatorily performed to meet the requirements of the AML/CTF Rules Instrument 2007 (No. 1) under either of the below:
  › Part 8.6 ‘Independent review’ for a reporting entity that has adopted a Standard AML/CTF Program or
  › Part 9.6 ‘Independent review’ for reporting entities that have enrolled as a Designated Business Group (DBG) and adopted a joint AML/CTF Program
› Presented by reporting entities to their audit committee and executive management to demonstrate their organisation has effective controls over its significant AML/CTF risks.

© 2024 - The Institute of Internal Auditors - Australia


Discussion

Issue

This White Paper discusses information gathering required to perform engagement risk assessment for the components of an AML/CTF Program.

Discussion

Internal Audit is one assurance mechanism in a suite of assurance activities, with many organisations using an integrated assurance 3 Lines Model (The Institute of Internal Auditors - Australia, 2022) to define their assurance environment:

› Line 1 originates or initiates risk and is responsible for managing the risks and having in place mechanisms to demonstrate controls are working effectively.
› Line 2 monitors, reviews and tests effectiveness of Line 1 control and management of risks.
› Line 3 independently evaluates and gives an opinion on the adequacy and effectiveness of both Line 1 and Line 2 risk management approaches.

The 3 Lines Model approach demonstrates how assurance activities co-ordinate to provide assurance to the audit committee and executive management.

AML/CTF Program

An AML/CTF Program is a document maintained by a reporting entity specifying how they comply with AML/CTF legislation to identify and manage the risk of its products or services being used for money laundering (ML) or terrorism financing (TF). The objectives of an AML/CTF Program include:

› Compliance with applicable AML/CTF legislation in the jurisdictions they operate.
› Protect customers from being used in criminal or illegal activities through use of the entity’s products or service offerings.
› Meet requirements of certain global standards relevant to their industry.

It is pertinent to note an AML/CTF Program should be risk-based and tailored to the size, nature and complexity of each reporting entity.

Components of AML/CTF Program

There are two parts to the AML/CTF Program:

› Part A must include processes and procedures that help in identifying, mitigating and managing ML/TF risks.
› Part B focuses on procedures for identifying customers, beneficial owners including politically exposed persons (PEPs), and verifying their identity.

AML/CTF Independent Reviews

An independent review is an impartial assessment of a reporting entity’s current AML/CTF Program. AUSTRAC (2024a) requires reporting entities that are considered high-risk to independently review the components of Part A Program every two to three years to assess:

› The effectiveness of the Part A Program having regard to ML/TF risk.
› Whether their Part A Program complies with the AML/CTF Rules.
› Whether their Part A Program has been effectively implemented.
› Whether they have complied with their Part A Program.

Who can Perform Independent Reviews?

AUSTRAC (2024a) has stated that independent review can be performed by someone internal or external to the reporting entity as long as they have not been involved in:

› Performing any of the functions or measures being reviewed.
› Designing, implementing or maintaining Part A of the AML/CTF Program.
› Developing ML/TF risk assessment or related internal systems and controls.

This means an internal auditor may be the independent reviewer provided they:

› Understand the business being reviewed.
› Understand ML/TF risks.



Methodology and Scope of Independent Review

The organisation’s own established internal audit methodology can be applied for independent review. While the AML/CTF Program Part A contains many components, typical reviews may include:

› ML/TF risk assessments.
› Employees’ understanding and compliance with the program.
› Transaction monitoring systems.
› Adequacy of policies and procedures to manage ML/TF risks.
› Adequacy and effectiveness of AML/CTF training program for employees.
› Compliance officer seniority and authority.
› Outsourcing function.
› Branches and subsidiaries (including international) implementation of the Part A Program.

In addition, any material changes faced by the organisation to its ML/TF risk profile since the last review should also be considered.

International Professional Practices Framework (IPPF)

AML/CTF reviews can be conducted using the ‘Global Internal Audit Standards’. This White Paper focuses on Standard 13.2 ‘Engagement Risk Assessment’.

Internal auditors must develop an understanding of the activity under review to assess the relevant risks. For advisory services, a formal, documented risk assessment may not be necessary, depending on the agreement with relevant stakeholders.

To develop an adequate understanding, internal auditors must identify and gather reliable, relevant, and sufficient information regarding:

› The organisation’s strategies, objectives, and risks relevant to the activity under review.
› The organisation’s risk tolerance, if established.
› The risk assessment supporting the internal audit plan.
› The governance, risk management, and control processes of the activity under review.
› Applicable frameworks, guidance, and other criteria that can be used to evaluate the effectiveness of those processes.

Internal auditors must review the gathered information to understand how processes are intended to operate.

Internal auditors must identify the risks to review by:

› Identifying the potentially significant risks to the objectives of the activity under review.
› Considering specific risks related to fraud.
› Evaluating the significance of the risks and prioritising them for review.

Internal auditors must identify the criteria that management uses to measure whether the activity is achieving its objectives.

When internal auditors have identified the relevant risks for an activity under review in past engagements, only a review and update of the previous engagement risk assessment is required.

Engagement Risk Assessment

Risk assessment is the identification, analysis and evaluation of risk relevant to achievement of an organisation’s objectives. Engagement risk assessment allows internal auditors to identify and prioritise risks to determine the engagement objectives and scope.

As part of the engagement risk assessment, Standard 13.2 ‘Engagement Risk Assessment’ requires internal auditors to develop an understanding of the activity under review by identifying, gathering reliable, relevant and sufficient information.

The table shown below contains sample components of an AML/CTF Part A Program, relevant risks, and a suggested list of information to assist in the engagement risk assessment. The sample components are chosen based on AUSTRAC regulatory priorities 2024 (Austrac, 2023).



| Sample Components of AML/CTF Part A Program | Key Risks | Suggested (minimum) document to request as part of Engagement Risk Assessment | What this document signifies (high-level) |
|---|---|---|---|
| ML/TF risk assessment | Risk Assessment model is not fit for purpose | Customer risk assessment document | How to perform customer risk rating and categorise |
| | | Product risk assessment document | How to perform product risk assessment for new or existing products |
| | | Channel risk assessment document | How to perform risk assessment based on the channel – online / face-to-face |
| | | Jurisdictional risk assessment document | How to perform jurisdictional risk assessment including any reliance on external third parties for assessment |
| Transaction Monitoring Program (TMP) | Rules not fit for purpose; not all products or channels are monitored | TMP document | Based on risk assessment and the processes to follow to identify suspicious customer transactions |
| | | Governance framework and oversight | How the TMP will be governed and have oversight on processes and controls |
| | | Periodic Review | How the TMP undergoes periodic review |
| Reporting Requirements | Incomplete or inadequate reporting | Suspicious Matter Reports (SMR) | To meet requirements per Chapter 18 of the ‘AML/CTF Rules Instrument 2007 (No.1)’ |
| | | Threshold Transaction Reporting (TTR) – if applicable | To meet requirements per Chapter 19 of the ‘AML/CTF Rules Instrument 2007 (No.1)’ |
| | | International Funds Transfer Instruction – IFTI (E) – if applicable | To meet requirements per Chapter 16 of the ‘AML/CTF Rules Instrument 2007 (No.1)’ |
| | | IFTI – Designated Remittance Arrangement – if applicable | To meet requirements per Chapter 17 of the ‘AML/CTF Rules Instrument 2007 (No.1)’ |
| Outsourcing of AML/CTF Functions | Lack of Board approvals and / or oversight | Part A Program components outsourced | Details of components of Part A Program that are outsourced |
| | | Approval documents for outsourcing AML/CTF functions | Board and Senior Management approval |



Once the above information has been gathered from the business, the auditor needs to understand and document:

› The objectives of the activity under review.
› The risks that could affect the achievement of each objective.
› The controls intended to manage each risk.

It is pertinent to note that the engagement risk assessment performed forms part of work paper documentation for meeting requirements of Standard 14.6 ‘Engagement Documentation’.

Conclusion

Gathering reliable, relevant and sufficient information while performing engagement risk assessment by the internal audit function is a key enabler in developing the appropriate engagement objectives and scope. There are other components of the AML/CTF Program to consider such as employee due diligence and training, and customer due diligence.

When planning an audit on components of the AML/CTF Program, it is important to consider when the previous independent review on that component was performed and determine if there are any material changes post-previous review which may warrant another audit.

There is no ‘one-size fits all’ approach in choosing the components of AML/CTF Program for each independent review. A combination of the organisation’s current high-risk areas and overall regulatory environment should be considered. The overarching objective should be to gather meaningful information as part of the engagement risk assessment so that it helps to effectively perform the internal audit engagement.

Bibliography and References

Bibliography

Anti-Money Laundering and Counter-Terrorism Financing Act (2006) Cth.

Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument (2007 (No. 1)) Cth.

Austrac, 2023. AUSTRAC’s regulatory priorities 2024. [Online]
Available at: https://www.austrac.gov.au/business/how-comply-guidance-and-resources/guidance-resources/austracs-regulatory-priorities-2024

Austrac, 2024a. Independent reviews. [Online]
Available at: https://www.austrac.gov.au/business/core-guidance/amlctf-programs/independent-reviews

Austrac, 2024b. Money laundering/terrorism financing risk assessment. [Online]
Available at: https://www.austrac.gov.au/business/core-guidance/amlctf-programs/money-launderingterrorism-financing-risk-assessment

Austrac, 2024c. Reporting. [Online]
Available at: https://www.austrac.gov.au/business/core-guidance/reporting

Austrac, 2024d. Transaction monitoring. [Online]
Available at: https://www.austrac.gov.au/business/core-guidance/amlctf-programs/transaction-monitoring

Cox, A., 2020. White paper: Internal Audit independence arrangements. [Online]
Available at: https://iia.org.au/technical-resources/white-paper/white-paper-internal-audit-independence-arrangements

International Internal Auditing Standards Board, 2016. International Standards for the Professional Practice of Internal Auditing. [Online]
Available at: https://www.theiia.org/en/standards/what-are-the-standards/mandatory-guidance/standards/

International Internal Auditing Standards Board, 2024. Global Internal Audit Standards. [Online]
Available at: https://www.theiia.org/en/standards/2024-standards/global-internal-audit-standards/free-documents/complete-global-internal-audit-standards/



The Institute of Internal Auditors - Australia, 2022. Factsheet: Integrated Assurance 3 Lines Model. [Online]
Available at: https://iia.org.au/technical-resources/fact-sheet/iia-australia-factsheet-integrated-assurance-3-lines-model

The Institute of Internal Auditors - Australia, 2022. The 20 Critical Questions Series: What Directors should ask about their Audit Committee. [Online]
Available at: https://iia.org.au/technical-resources/20-critical-questions/what-directors-should-ask-about-their-audit-committee

The Institute of Internal Auditors, Inc., 2020. The IIA’s Three Lines Model: an update of the three lines of defense. [Online]
Available at: https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/

Purpose of White Papers

A White Paper is a report authored and peer reviewed by experienced practitioners to provide guidance on a particular subject related to governance, risk management or control. It seeks to inform readers about an issue and present ideas and options on how it might be managed. It does not necessarily represent the position or philosophy of the Institute of Internal Auditors–Global and the Institute of Internal Auditors–Australia.

Author’s Biography

Giridhar Kannan PhD, MBA, B.Com, AMIIA, Advanced Certified AML Specialist – AUDIT (CAMS-AUDIT).

Dr Giridhar Kannan (Giri) is the Founder and Director at AML SureCheck. In his 20 years of international financial crime industry experience, Giri has held varied roles as a first line banker, compliance regulator and most recently as a financial crime internal auditor with a Big 4 Australian bank.

His significant experience and exposure across all 3 assurance lines made him evolve as a subject matter expert in AML/CTF compliance, governance, assurance, audit and inspections, risk assessments, policy reviews, enforcement proceedings, and data analytics.

Some of his notable achievements include identifying and helping businesses as a trusted adviser to remediate gaps in key financial crime risks, identifying and investigating multiple financial crime and fraudulent market practices worth approximately AUD 80 million. These have included audit and regulatory roles.

Giri’s PhD opened doors for him to be part of academia over the past 10 years. He is currently an adjunct faculty teaching ‘International Financial Crime’ for business school students at a Top 20 ranked QS World University in Sydney.

This White Paper edited by:

Michael Parkinson BSc(Hons), GradDipComp, PFIIA, CIA, CISA, CRMA, CRISC

Andrew Cox MBA, MEC, GradDipSc, GradCertPA, DipBusAdmin, DipPubAdmin, AssDipAcctg, CertSQM, PFIIA, CIA, CISA, CFE, CGAP, CSQA, MACS Snr, MRMIA

About the Institute of Internal Auditors–Australia

The Institute of Internal Auditors (IIA) is the global professional association for Internal Auditors, with global headquarters in the USA and affiliated Institutes and Chapters throughout the world including Australia.

As the chief advocate of the Internal Audit profession, the IIA serves as the profession’s international standard setter, sole provider of globally accepted internal auditing certifications, and principal researcher and educator.

The IIA sets the bar for Internal Audit integrity and professionalism around the world with its ‘Global Internal Audit Standards’ and associated professional guidance.

The IIA-Australia ensures its members and the profession as a whole are well-represented with decision-makers and influencers, and is extensively represented on a number of global committees and prominent working groups in Australia and internationally.

The IIA was established in 1941 and now has more than 200,000 members from 190 countries with hundreds of local area Chapters. Generally, members work in internal auditing, risk management, governance, internal control, information technology audit, education, and security.

Copyright
This White Paper contains a variety of copyright material.
Some of this is the intellectual property of the author, some
is owned by the Institute of Internal Auditors – Global or
the Institute of Internal Auditors – Australia. Some material
is owned by others which is shown through attribution and
referencing. Some material is in the public domain. Except
for material which is unambiguously and unarguably in
the public domain, only material owned by the Institute
of Internal Auditors – Global and the Institute of Internal
Auditors – Australia, and so indicated, may be copied,
provided that textual and graphical content are not altered
and the source is acknowledged. The Institute of Internal
Auditors – Australia reserves the right to revoke that
permission at any time. Permission is not given for any
commercial use or sale of the material.

Disclaimer
Whilst the Institute of Internal Auditors – Australia has
attempted to ensure the information in this White Paper is
as accurate as possible, the information is for personal and
educational use only, and is provided in good faith without
any express or implied warranty. There is no guarantee
given to the accuracy or currency of information contained
in this White Paper. The Institute of Internal Auditors –
Australia does not accept responsibility for any loss or
damage occasioned by use of the information contained in
this White Paper.
