As part of maintaining a healthy and robust compliance function, it is essential for all relevant financial businesses to undertake a regular and independent assessment. Within this article, we will touch upon a business’ legal and regulatory obligations to perform an independent audit and how the business can satisfy those obligations.
In accordance with section 26(1A) of the Proceeds of Crime Act 2015 (“POCA”), all relevant financial businesses must undertake an independent audit to test the business’ policies, controls, and procedures in terms of its customer due diligence and ongoing monitoring, reporting, record-keeping, internal control, risk assessment and management, compliance management and employee screening.
Meanwhile at a regulatory level, the GFSC has issued guidance wherein it sets out the expectations of financial businesses in terms of the independent audit. As well as addressing the efficacy and adequacy of a business’ policies, controls and procedures, it must also consider their implementation and how changes are introduced and communicated.
The GFSC expects an assessment to take place at least annually, depending on the nature of the business. It follows that a business must be able to show, at the request of the GFSC, that an independent audit has occurred within the year. It may also be necessary to show the results of the audit and whether action has been taken on the audit’s recommendations.
Section 16(1ZA) of the POCA goes on to state that a financial business’ policies, controls and procedures should be proportionate to the nature and size of the business. Therefore, the independent audit can address whether the current policies, controls and procedures are proportionate to the business. The financial business ought to be able to rely upon the audit report to prove that the measures it has in place are proportionate to the business.
Furthermore, in keeping with the business’ obligation to maintain an up-to-date risk assessment under section 25 of POCA, the results of an independent audit can also be fed into the risk assessment. This is because the independent audit is ultimately assessing the performance of the compliance function, and so, if exposures of risk are highlighted and measures are recommended, then those additional measures can be introduced and form part of the business’ risk assessment.
The GFSC’s guidance states that the audit should be performed by individuals who are dissociated from the business’ compliance function. To avoid any conflict or influence from the compliance function, an option could be to outsource the audit to a third party, which should satisfy the business’ need to assess the independence of the individuals performing the audit.
Another route would be to make in-house arrangements, provided that capacity and resources are in place, but there would need to be an assessment of the independence of those in-house arrangements.
Although there is no requirement to engage a third party, the regulator does note there would be an added benefit to instructing a third party from an operational standpoint.
The senior management will need to monitor and review the independent audit process.
In recent weeks we have seen an increase in relevant financial businesses being reminded of their obligation to undertake an independent audit to test their compliance function.
If your firm’s assessment is overdue or needs an independent auditor, we have a team at Triay Lawyers who would be happy to help you and your business.
This document has been issued on the 1st Sep 2022 by Triay Lawyers Limited, trading as Triay Lawyers, a Gibraltar private company limited by shares with registered office at 28 Irish Town, Gibraltar, GX11 1AA and with incorporation number 112599. The information in this document is for general information purposes only and does not constitute professional advice, legal or otherwise and does not intend to be comprehensive. Triay Lawyers does not accept responsibility for any loss that may arise from accessing or relying upon the information contained in this document.