ACAMS had the opportunity to discuss the importance of the audit function within the anti-money laundering (AML) framework with Jack Sonnenschein, CAMS and Peter Wild, CAMS.
Jack Sonnenschein, CAMS, joined American Express as vice president of Enterprise Compliance Risk Management in 2009 with global responsibility for risk assessment, compliance monitoring, testing and compliance training. Prior to joining Amex, he served as managing director and global head of AML Audit at The Bank of New York Mellon, responsible for anti-money laundering independent testing.
Previously, Sonnenschein was director of Risk Management Standards and Initiatives in Citigroup's Global Anti-Money Laundering group and Client Service Partner in Chase's Internal Audit Group responsible for delivering financial and technology audit services. Sonnenschein started his career at Touche Ross (now Deloitte & Touche) in Quebec and New York where he earned his chartered accountancy and certified public accountant designations.
Peter D. Wild, FCA, CAMS, joined the Internal Audit Department of JP Morgan in 1996 and has been responsible for the Information Technology audit support for the corporate Legal and Compliance applications since 2007. Upon moving to the United States from England he became the IT audit director for Republic National Bank of New York. Later he was a senior audit manager at Coopers & Lybrand and then moved to the Melville Corporation as the IT audit director and subsequently became their director of Information Systems Planning.
Peter is a Fellow of the Institute of Chartered Accountants in England & Wales (FCA). He is a Past President of the New York Chapter of the Information Systems Audit and Control Association (ISACA) and is currently serving on the board of the New York Chapter of ACAMS. He is also a member of the Honourable Artillery Company of London.
ACAMS Publications: What do you think are the challenges facing audit professionals today and how do they differ from a few years back?
Jack Sonnenschein: Challenges facing audit professionals arise in three areas: First, in ensuring a solid understanding of AML/anti-corruption/sanctions laws and regulations: second, an awareness level of the various technologies used in support of achieving AML objectives and third, proficiency in operational and technology controls in support of AML operations.
Peter Wild: In the beginning, the audit professional was basically a historian who provided an opinion on the truth and fairness of a set of financial statements covering a period of time in the past. There were a limited number of ways that the accounts could be wrong and the expectation was that one could not audit for collusion or fraud.
The auditing and independent testing of Money Laundering/Terrorist Financing (ML/TF) is very different. There is a requirement to look at every business process with customer transactions. Whereas the financial statements are required to be materially correct, in the ML/TF world there is almost zero tolerance for error. Now the auditor's view has to be very much more prospective with a much greater emphasis on the design of effective controls in order to prevent and detect potential ML/TF events in the future.
AP: How large a role does audit have in the overall health of an institution?
JS: An internal Audit is the third line of defense and regulators expect a robust testing program executed by knowledgeable staff to protect the institution.
AP: What do you foresee the audit landscape looking like in five years?
JS: I see two areas where we will see marked changes: 1) Audit groups will craft explicit goals around the knowledge and expertise required of its staff and 2) Companies will opt for quality of staff over quantity.
PW: In order to effectively address the expectation of increasingly granular audit coverage there will be a need for more automation to support the independent testing. This will not only provide the opportunity to review the whole population of transactions but also enable the testing to be closer in time to the original date of the event.
AP: Given the current publicity surrounding poor audit controls in several key institutions, what do you suspect their next steps will be in order to mitigate the damage and ensure this doesn't happen again?
JS: Firms will need to establish a track record before confidence can be restored. In the meantime, auditors need greater discipline in the risk assessment process to identify areas of risk and more knowledgeable and experienced people to assess controls and design testing programs.
AP: If you had carte blanche to build your audit program, what would it look like?
JS: The program would be staffed by teams with experience in operations, technology, audit and AML. Also, the program would dedicate a larger portion of these experienced staff to focusing on risk assessments and continuous or emerging threats.
PW: There would be a greater use of automated auditing techniques to provide greater coverage, which could eliminate the need for sampling. The automated techniques would not only be used to display exceptions in the population but also provide independent metrics to identify areas for detailed testing. There would be a greater emphasis on the use of Continuous auditing which would provide a faster response closer to the original event.
AP: Government regulations affect every industry in one way or the other, how have they helped to mold the audit processes and procedures that we use today?
JS: In addition to the FFIEC AML exam manual, SR08-8 provides guidelines around risk assessment, monitoring and independent testing that are very relevant to those engaged in AML testing. Consent orders, while not "regulation" are another consideration in helping firms to identify common internal control failures and inappropriate business practices.
AP: What types of trends are you seeing in the audit world?
JS: While it would be nice to see more computer assisted audit techniques being used, this is still an area with great promise. An emerging trend in the audit world is specialized groups focused on compliance, AML, anti-corruption and sanctions.
PW: The auditors need to be able to demonstrate their qualifications and expertise – which is where the CAMS-Audit certification is unique. As previously mentioned, there will continue to be an expectation of greater and more detailed coverage leading to more use of automation to support the testing.
AP: Do you see a growing need for training and what are institutions doing to help meet those needs?
JS: There is a growing emphasis on training but also for benchmarks that the training was appropriate, timely and accurate. Certifications will take on additional value in being able to quickly demonstrate compliance to a published standard.
PW: An institution should always strive to deliver the best levels of training for all staff and provide a combination of external and internally developed courses which are the subject of continuous review.
AP: Do you have any advice for professionals looking to crossover to audit from other areas of AML?
PW: Obtain the CAMS certification, study the FFIEC Manual and gain sufficient experience to obtain the CAMS-AUDIT Certification.
AP: How do you think CAMS-Audit will help address the needs of audit professionals worldwide?
PW: It shows excellent level of competence on how to audit AML which is not only beneficial for the individual but also for the enterprise when needing to demonstrate the competence of its staff. It will continue to be developed further to reflect the regulations in other jurisdictions.
AP: When asked by ACAMS to join the Audit Committee to help create the CAMS-Audit certification, what made you say yes?
JS: Financial institutions have been enlisted in the fight against terrorism, corruption and money laundering— issues that impact our very way of life. Recent regulatory actions highlight that the independent testing requirement needs to do a better job of identifying AML/TF program failures sooner.
This program will increase the skills and expertise of those entrusted with the independent testing role to assist them in satisfying regulatory expectations.
PW: It is important to continue to grow the profession particularly in this area which has come under closer scrutiny recently from the regulators. To best serve our shareholders we need to have a mechanism to gain and demonstrate the knowledge needed to address this unique challenge. It is an honor to have participated in the development of this certification which takes the profession to the next level.
