This is a second video aimed at helping clients gain a better understanding of Regulation 21 independent audits.
The purpose of an independent audit function is to examine, evaluate and make recommendations regarding the adequacy and effectiveness of the practice’s anti-money laundering and counter-terrorist financing policies, controls and procedures (PCPs). Independent audits should not be confused with requirements under R19(3)(E), which relates to the ongoing monitoring and management of compliance with policies, controls and procedures.
There are a number of requirements to consider with regards to who is best placed to carry out a Reg 21 audit.
Firstly, they must be independent of the work area being audited, so this precludes the MLRO, the MLCO, members of the compliance team or the team that did the original work on policies, controls and procedures. They must also have the requisite skills and knowledge in auditing AML in order to be able to adequately carry out their duties.
Along with that, they must also have authority to access all relevant materials, including file materials, to be able to evaluate and report on the adequacy and effectiveness of the PCPs. Lastly, whoever carries out the audit must feel confident making recommendations about the PCPs and file remediation if required. In applying these changes, file remediation should retain the records of the files pre and post the remediation work. Ideally, they should also be well placed to monitor the practice’s implementation of these recommendations.
Findings should be reported directly to the practice’s senior management and, where the audit is conducted by an internal partner or member of staff, they must be prepared to make an internal report to the MLRO should they have knowledge or reasonable suspicion that a matter involving the proceeds of crime has taken place.
Sampling should be conducted on a risk basis, with greater emphasis and volume of file reviews being placed on higher risk disciplines. Similarly, this applies if your firm has multiple locations along with a large body of staff. A good rule of thumb is that, for higher transactional matters, you can assign two to three files per fee earner, potentially more if it's a high risk area like conveyancing or tax advice.
File storage and management information policies and procedures need to be robust enough for the type of work and in step with the regulator, so these will also be examined.
You should take a risk-based approach to determining the frequency of an independent audit. It may be appropriate to undertake audits at regular intervals, for example, annually. You should also consider whether an audit is required based on the time elapsed and on changes to the practice's risk profile, structures and services provided since the last audit. In particular, this would apply when a practice takes over or merges with another business, especially if the new practice undertakes work with a much higher risk profile. For those areas, clients or matters which pose the highest risk, as per your risk assessment, you should consider undertaking a targeted audit on a more frequent basis than for the wider practice.
Firstly, it allows you to better manage risk, helping you to spot trends and identify both problem areas and strengths in the business. Further to this, if there are no file reviews taking place, then you have no way of checking whether your policies and procedures are being implemented. Having practical and well thought out policies and procedures is of no value if no one is adhering to them. Also, it can help identify training areas required based on areas, ensuring continuance of competences and staff development. It's also now generally expected by the SRA that these audits will be carried out.