I’ve been on both sides of this coin. When I worked in a Financial Intelligence Unit in a major global financial institution, internal audit was looked at as an enemy. Internal auditors were there to play “gotcha” and expose any error, no matter how small.
My first thought was not, “how can they help us improve the program?” but rather, “how can we get them out of our hair as fast as possible?” Subsequently, I did a lot of work training AML internal audit teams at various financial institutions and conducting
AML independent examinations and internal audits myself. I couldn’t believe it, I was part of the dark side. But while in that role, I realized how important AML internal audit is and what a tremendous resource they can be for a compliance program.
For anyone who has done any writing, they know that if you are reviewing your work over and over again, you stop noticing mistakes. Not because they aren’t there, but because you are too close to the work to see them. That’s when another set of eyes can
be invaluable in spotting errors and ways that you can improve what you wrote. The same concept applies to internal audit. When you are running an AML compliance function, you are deep in the weeds and focused on the day to day operation – you may be too
close to see potential problems. You need a separate set of eyes to make sure you aren’t missing something. Enter AML internal audit. Your editor, your partner, your third line of defense. They are there to spot the problems before the regulators do. Doesn’t
that sound invaluable?
Work together, this isn’t a game of “gotcha,” this is a partnership in creating a top notch compliance program. AML internal audit has a vested interest in it as well. When a compliance failure is identified by regulators it isn’t just compliance that catches
heat, internal audit gets hit too for not spotting the problem first (it’s their job after all). In her speech regarding AML to the Securities Industry and Financial Markets Association (SIFMA) in February 2017, Susan Axelrod, the Executive Vice President
of Regulatory Operations for US regulator Financial Industry Regulatory Authority (FINRA), stated “[a]nother commonly cited area is a firm’s independent testing efforts. Put simply, we continue to see tests that are inadequate, such as tests reflecting a review
of procedures, but not implementation of those procedures.” Regulators are not just looking at compliance, they are looking at internal audit too.
Redefine and reset your approach to the compliance/internal audit relationship. Compliance should be open and forthright during audits and not make it difficult for internal audit to do their job. Don’t fight things that are clearly issues, instead focus
on working with audit to identify the best way to fix the issues. At the same time, AML internal audit should not make mountains out of mole-hills or assume that the reason for an issue (small or large) is that compliance is inept. Instead, dig for the root
cause of issues. Mistakes happen and often external factors out of compliance’s control (e.g., staffing shortages) can lead to issues. Identifying those root causes and helping identify solutions is what makes internal audit truly valuable. Through this approach,
compliance and audit can support each other. If it is a staffing issue, internal audit can highlight this and reinforce compliance’s request for additional resources. If it’s a technology issue, internal audit can help compliance identify the best solution
and push for the budget to get it.
AML internal audit can also be proactively helpful. Instead of just auditing existing programs, truly make them your partner. Bring them in to help with your decisions if you are making changes to your program or identifying a new compliance technology
to implement. They should have a seat at the table early, because it’s better to get their opinion up front before a problem occurs rather than afterwards.
You’re in this together. It’s still the beginning of the year, so start off your 2017 partnership on the right foot.