8.4 Independent Audit Function
Effective from 13/7/2023(AML-CFT Decision Article 20.6)
A robust and independent audit function is a key component to a well-functioning governance structure and an effective AML/CFT framework. FIs are obliged to have in place an independent audit function to test the effectiveness and adequacy of their internal polices, controls and procedures relating to combating the crimes of money laundering and the financing of terrorism and of illegal organisations. In this regard, FIs should ensure that their independent audit function is appropriately staffed and organized, and that it has the requisite competencies and experience to carry out its responsibilities effectively, commensurate with the ML/FT risks to which the FIs are exposed, and with the nature and size of their businesses.
It should be noted that, while most FIs are expected to have the capacity to meet these requirements internally, depending on the nature and size of their businesses, some FIs (particularly smaller ones) may not necessarily have the resources to maintain a fully functioning and effective internal audit unit. In such cases, those FIs should ensure that they take adequate measures to obtain the necessary capabilities from qualified external sources. They should also ensure that they have in place adequate internal capabilities to provide sufficient coordination with and oversight of any external resources they may utilise, and that such external resources are adequately regulated and supervised by relevant Competent Authorities.
FIs should ensure that the periodic inspection and testing of all aspects of their AML/CFT compliance programmes, including ML/FT business risk assessment and AML/CFT mitigation measures, and CDD policies, procedures and controls, is incorporated into their regular audit plans. They should also ensure that all their branches and the subsidiaries in which they hold a majority interest, whether domestic or foreign, are part of an independent audit testing programme that covers the effectiveness and adequacy of their internal AML/CFT polices, controls and procedures.
Some of the factors FIs should consider in determining the appropriate frequency and extent of audit testing of their AML/CFT programmes by their independent audit functions include but are not limited to:
| • | The results of the NRA and any topical risk assessment; |
| • | The nature, size, complexity, and geographic scope of the FIs’ businesses, and the results of their ML/TF business risk assessments; |
| • | The risk profile associated with the products and services they offer and the markets and customer segments they serve; |
| • | The frequency of supervision and inspection by, and the nature of the feedback (including the imposition of administrative sanctions) they receive from, Supervisory Authorities, relative to enhancing the effectiveness of their AML/CFT measures; |
| • | Internal and external developments in relation to ML/FT risks, as well as developments pertaining to the management and operations of the FIs. |
The scope of such audits should include but not be limited to:
| • | Examine the adequacy of AML/CFT and CDD policies, procedures and processes, and whether they comply with regulatory requirements. |
| • | Assess training adequacy, including its comprehensiveness, accuracy of materials, training schedule, attendance tracking and escalation procedures for lack of attendance. |
| • | Review all the aspects of any AML/CFT compliance function that have been outsourced to third parties, including the qualifications of the personnel, the contract and the performance and reputation of the company. |
| • | Review case management and STR systems, including an evaluation of the research and referral of unusual transactions, and a review of policies, procedures and processes for referring unusual or suspicious activity from all business lines to the personnel responsible for investigating unusual activity |