Regulators have been steadily raising the bar on financial crimes compliance. So, how can financial institutions position themselves to clear it? Reinforcing the internal audit function as the last line of defense between a bank and its regulators is a primary step.
Consistent with prior years, regulators from the Securities and Exchange Commission to the Office of the Comptroller of the Currency have pronounced financial crimes compliance a priority. Last year, the Department of Justice advised financial executives that they could face personal as well as corporate liability if noncompliant, as described in an ACAMS Today article titled “An Ineffective Audit Department’s Impact on Corporate and Personal Liability.”1 More recently, the New York Attorney General issued a proposal that would require chief compliance officers to annually certify their financial institution’s anti-money laundering and Office of Foreign Assets Control monitoring programs.
It has become increasingly clear to the senior management and boards of every institution that they must ensure the effectiveness of their financial crimes compliance programs. For financial crime professionals, the pressure to deliver is high. But rising along with it is the possibility of securing needed resources from a more focused bank leadership to shore up all three lines of defense in the classic compliance model (business units, compliance departments and internal audit departments). This article focuses on internal audit.
The Importance of Audit Team Strength
The internal audit team faces acute pressure. As the last line of defense, it requires not only sufficient staffing but exceptional domain experience to effectively assess and report on financial crimes compliance.
With domain experience comes confidence, which translates into the ability to effectively raise and communicate issues to stakeholders and convey it all in audit reports. Confidence facilitates discussions with stakeholders responding to audit team observations about their lines of business. Also, when observations are validated, confidence helps withstand any pressures to drop issues or diminish their importance. It is a slippery slope that has to be tightly managed. Thick skin is required by both stakeholders and auditors. With domain experience comes the credibility and resolve to stand up to even the toughest stakeholder.
It must be said here that the demand for this level of subject-matter expertise currently exceeds the pool of qualified candidates. As challenging as this makes the hiring process, perseverance is required. Simply using certified public accountants or career auditors to do the job is no longer a good option.
With all this in mind, let us talk about building an effective compliance audit function. Success resides with culture foremost, followed by structure, budget, process or methodology and relationship management.
Culture Comes First
It is not rocket science that without a strong culture of compliance coming from the board and senior management (aka “tone at the top”), there is a likelihood of failure by control functions no matter how they try to mitigate risk. Throwing all the money in the world into controls without culture is a waste.
This is why the first rule is to ensure your institution’s culture supports what you will need to obtain buy-in for your structure. In fact, it may come to the point where you will need to decide whether or not it is worth the personal risk (reputation or otherwise) and potential liability to stay in your role or with the company if you are not receiving the support you need. You should be forceful, if necessary, but respectful in communicating your needs. The response you receive will provide color as to whether the senior management and board are serious about supporting your vision.
Structure Before Budgeting
Some might say budget should come next, but structure is next in line. This is because you will need—and should need—to sell your budget requirements to senior management and the board. You simply cannot know your budget without knowing your structure.
Structure depends on each institution’s risk profile, particularly its geographic risk. For example, a small institution operating in a few states may only call for one subject-matter expert (SME) where a large institution will call for a more complex structure.
No matter what, always start slow, taking a needs-based approach. If you walk in and ask for your entire staff straight out, your credibility will be lost. Be intelligent in explaining your vision; it will go a long way. Provide clear support for it. How fast you need to staff up will depend on the deliverables of the function. Consider co-sourcing from another part of your institution’s audit function in the short term, if necessary. For one thing, it may make sense to co-source instead of hiring for some areas, such as model validation. Also, if your staffing needs change, it will be easier to separate a co-sourced resource than an employee.
In small institutions, you can get away with one to a few SMEs and train up co-sourced staff to perform under the direction of yourself or of your SMEs. There is no need to hire an army. Make every attempt to leverage existing staff to the extent possible.
Similarly, in larger institutions, try a structure where you have your core team of SMEs and train-up and leverage existing audit staff co-sourced from other strategic locations in the institution. This not only gets you the coverage you need but also shows the board and senior management that you are not empire building. You can effectively double your staff by taking this approach, but it will require buy-in from the chief audit executive and your peers, since you will be establishing a matrix reporting environment.
Most auditors will welcome the opportunity to become recognized as part of a financial crimes audit team in addition to their own coverage areas. Some audit executives will not relish relinquishing some of their staff part time. That is where being a good politician will help. Make these co-sourced employees part of your core team of SMEs, even if they do not report directly up through your compliance audit function. Invite them to meetings, training, etc., and communicate with them no differently than if they were on your core team.
'Sell' Your Budget and Plan for Contingencies
Money is everything. Without proper funding, you will not succeed. Here is where you often need to be both an SME and salesperson, with a bit more emphasis on sales. If you set up the structure correctly and present it so that you are viewed as both effective and efficient, it will go a long way toward obtaining budgetary approval.
However, you should always have contingency plans since budgets constantly change. This may include anything from having co-sourcing readily available to adjusting audit schedules, but without material impact to the audit plan’s risk-based coverage.
Own the Process
The financial crimes audit executive should own financial crimes audit. Consistency in approach and reporting is extremely important. This is where methodology or process comes in.
Your entire audit department must follow the same methodology for executing financial crimes audits, raising and dispositioning issues, and communicating issues in audit reports to senior management and the board, and to regulators. Starting with standard review programs and training, the methodology should also include protocols for escalating any financial crimes observations to designated SMEs, for reports containing any financial crimes issue signed off on by designated SMEs and for integrated reporting by the financial crimes audit executive. Why integrated? To give an example, the last thing you want is to have two similar know your customer issues reported differently from one country to the next—or even worse, to have one dropped. It also helps in larger institutions where you will need to provide an annual opinion on the health of the overall programs.
Manage Relationships in a No Surprises Environment
Establish a no surprises environment—be fully transparent
Manage your relationships with stakeholders, regulators, audit committees, compliance committees, human resources and yes, your boss, the chief audit executive. Establish a no surprises environment—be fully transparent.
Hold regular meetings with stakeholders and regulators. Neither should have to ask many questions when you meet, since you should be routinely providing the relevant information prior to their turn to speak at your meetings. Use presentations and metrics—do not just verbalize. Themes and trending metrics are particularly helpful.
Listen to your other control functions and your regulators. Are they picking up anything you have not or covering anything you were not planning to cover? Get ahead of your regulators; they will respect you for it.
There may be a few surprises for you here and there, but if you find you are being surprised more than not, then something is wrong with your communication technique and possibly your listening skills. Your stakeholders need your help, whether they want it or not. Get as close to them as possible and make sure they know your team or at least their qualifications. Let them know you are there to help them and not undermine them. Too many auditors feel independence translates into operating in secret or in a “gotcha” environment.
Unfortunately, some stakeholders are just difficult to work with and will keep you as distant as possible, no matter how you try to manage the relationship. Some may go so far as to undermine you any way they can. The best approach in response to this is to remain professional.
Notably, human resources is on this relationship management list because, in most institutions, they can be an outstanding partner in driving budget approvals and obtaining the right talent. Educate the department on your vision. Become good friends with the top human resources executive who can be the most valuable asset in the short and long run.
There is no magic bullet for building and managing a financial crimes audit function. These suggestions for staffing, culture, structure, budget, methodology and relationship management represent some proven approaches used in three large, complex institutions. These supplement the advice published in the companion piece: “An Ineffective Audit Department’s Impact on Corporate and Personal Liability.” Today’s financial crimes auditors will need all the strength they can muster in this era of heightened regulatory oversight and enforcement.
- Ross Marrazzo, “An Ineffective Audit Department’s Impact on Corporate and Personal Liability,” ACAMS Today, December 2015-February 2016, http://www.acamstoday.org/ineffective-audit-departments-impact/