As part of maintaining a healthy and robust compliance function, it is essential for all relevant financial businesses to undertake a regular and independent assessment. Within this article, we will touch upon a business’ legal and regulatory obligations to perform an independent audit and how the business can satisfy those obligations.
What is an independent audit under the Proceeds of Crime Act 2015?
In accordance with section 26(1A) of the Proceeds of Crime Act 2015 (“POCA”), all relevant financial businesses must undertake an independent audit to test the business’ policies, controls, and procedures in terms of its customer due diligence and ongoing monitoring, reporting, record-keeping, internal control, risk assessment and management, compliance management and employee screening.
What are the expectations of the GFSC?
Meanwhile, at a regulatory level, the GFSC has issued guidance setting out what it expects of financial businesses in terms of the independent audit. As well as addressing the efficacy and adequacy of a business’ policies, controls and procedures, the audit must also consider their implementation and how changes are introduced and communicated.
The GFSC expects an assessment to take place at least annually, depending on the nature of the business. It follows that a business must be able to show, at the request of the GFSC, that an independent audit has occurred within the year. It may also be necessary to show the results of the audit and whether action has been taken per the audit’s recommendations.
What are the additional benefits of having an independent audit?
Section 16(1ZA) of the POCA goes on to state that a financial business’ policies, controls and procedures should be proportionate to the nature and size of the business. Therefore, the independent audit can address whether the current policies, controls and procedures are relative to the business. The financial business ought to be able to rely upon the audit report to prove that its measures in place are proportionate to the business.
Furthermore, in keeping with the business’ obligation to maintain an up-to-date risk assessment under section 25 of POCA, the results of an independent audit can also be fed into the risk assessment. This is because the independent audit is ultimately assessing the performance of the compliance function, and so, if exposures of risk are highlighted and measures are recommended, then those additional measures can be introduced and form part of the business’ risk assessment.
What does it mean to have an ‘independent’ audit?
The GFSC’s guidance states that the audit should be performed by individuals who are dissociated from the business’ compliance function. To avoid any conflict or influence from the compliance function, an option could be to outsource the audit to a third party, which should satisfy the business’ need to assess the independence of the individuals performing the audit.
Another route would be to make in-house arrangements, provided there are capacity and resources in place, but there would need to be an assessment of the independence of those in-house arrangements.
Although there is no requirement to engage a third party, the regulator does note there would be added benefit of instructing a third party from an operational standpoint.
Who oversees the independent audit?
The senior management will need to monitor and review the independent audit process.
In recent weeks we have seen an increase in relevant financial businesses being reminded of their obligation to undertake an independent audit to test their compliance function.
If your firm’s assessment is overdue or needs an independent auditor, we have a team at Triay Lawyers who would be happy to help you and your business.