hiverisk aml compliance audit

Regulation 21 Independent Audit FAQs [Part 2]

This is a second video aimed at helping clients gain a better understanding of Regulation 21 independent audits.


What is the purpose of a Regulation 21 independent audit function?

The purpose of an independent audit function is to examine, evaluate and make recommendations regarding the adequacy and effectiveness of the practice’s anti-money laundering and counter-terrorist financing policies, controls and procedures (PCPs). Independent audits should not be confused with requirements under R19(3)(E), which relates to the ongoing monitoring and management of compliance with policies, controls and procedures.


Who should carry out an independent audit within your law firm?

There are a number of requirements to consider with regard to who is best placed to carry out a Reg 21 audit.


Firstly, they must be independent of the work area being audited, so this precludes the MLRO, the MLCO, members of the compliance team or the team that did the original work on policies, controls and procedures. They must also have the requisite skills and knowledge in auditing AML in order to be able to adequately carry out their duties.


Along with that, they must also have authority to access all relevant materials, including file materials, to be able to evaluate and report on the adequacy and effectiveness of the PCPs. Lastly, whoever carries out the audit must feel confident making recommendations about the PCPs and file remediation if required. Where file remediation is carried out, records of the files both before and after the remediation work should be retained. Ideally, they should also be well placed to monitor the practice’s implementation of these recommendations.


Who needs to see the independent audit report in the firm?

Findings should be reported directly to the practice’s senior management and, where the audit is conducted by an internal partner or member of staff, they must be prepared to make an internal report to the MLRO should they have knowledge or reasonable suspicion that a matter involving the proceeds of crime has taken place.


How many files should be reviewed as part of an independent AML audit?

Sampling should be conducted on a risk basis, with greater emphasis and volume of file reviews being placed on higher-risk disciplines. Similarly, this applies if your firm has multiple locations along with a large body of staff. A good rule of thumb is that, for higher transactional matters, you can assign two to three files per fee earner, potentially more if it’s a high-risk area like conveyancing or tax advice.


File storage, management information policies and procedures need to be robust enough for the type of work and in step with the regulator, so these will also be examined.


How often should you conduct an independent AML audit?

You should take a risk-based approach to determining the frequency of an independent audit. It may be appropriate to undertake audits at regular intervals, for example, annually. However, you should also consider whether an audit is required based on the time elapsed and on changes to the practice’s risk profile, structure and services provided since the last audit. In particular, this would apply when a practice takes over or merges with another business, especially if the new practice undertakes work with a much higher risk profile. For those areas, clients or matters which pose the highest risk, as per your risk assessment, you should consider undertaking a targeted audit of these areas on a more frequent basis than the wider practice.


What are the benefits of a Regulation 21 independent AML audit?

Firstly, it allows you to better manage risk, helping you to spot trends and identify both problem areas and strengths in the business. Further to this, if there are no file reviews taking place, then you have no way of checking whether your policies and procedures are being implemented. Practical and well-thought-out policies and procedures are of no value if no one is adhering to them. Also, it can help identify the training required in specific areas, ensuring continuance of competences and staff development. It’s also now generally expected by the SRA that these audits will be carried out.