Auditing your firm's EWRA
Are you sure you know what the risks are when auditing your firm's Enterprise-Wide Risk Assessments (EWRA)?
The risk of money laundering within financial services is indisputable, and the industry is increasingly committing significant effort and expense in carrying out Anti-Money Laundering (AML) specific Enterprise-Wide Risk Assessments (EWRA) to better understand and mitigate potential AML risks.
Typically, the output of such an AML EWRA is intended to enable institutions to prioritise their resources and mitigate the risks of money laundering faced by them. It is particularly important where institutions face changes to their traditional business model and the regulatory environment in which they operate.
To be effective, an EWRA must be a dynamic and accurate reflection of an institution’s risk profile. With more regulatory guidance on the subject, we are seeing a growth in EWRA capabilities. Mature and advanced institutions are moving to a blended approach of qualitative and quantitative EWRAs that provide a much more holistic and sustainable view of risk across the enterprise.
The EWRA is often not subjected to internal audit review and testing as a ‘key control’. Yet it should be, especially given the important role that an EWRA plays in helping an organisation articulate its AML risk profile.
In this article, we discuss how internal audit can play a vital role in testing an organisation’s EWRA methodology and process to determine if it is fit for purpose, by testing for common challenges and preventing a much needed risk assessment tool from degrading into an unwanted annual exercise.
The EWRA as a ‘key control’
While typically not understood as an organisational ‘key control’, the EWRA functions exactly as that. Within the context of AML, it plays a key role in identifying and defining the inherent risks within an institution and setting out the specific controls required to mitigate them. The existence and performance of the EWRA help to articulate all controls within a risk and compliance framework, and it must therefore be subjected to the same level of scrutiny for it to be effective. This is even more important in jurisdictions where the completion of a risk assessment is set out as a legislative requirement.[1]
For internal audit teams trying to provide a holistic coverage of an institution's AML systems and controls, it is advisable to consider the EWRA as an auditable topic in its own right.
What auditors should look for in an EWRA
When auditing an EWRA, audit teams should consider using the following list as some of the key factors that an effective EWRA should be able to demonstrate. An EWRA should:
- Maintain consistency of scope: an EWRA has to be a repeatable exercise that is performed at least on an annual basis. As such, consistency in scoping is essential to producing an EWRA that is of comparative value and provides key stakeholders (including regulators) with a clear view of the year-on-year increase or decrease in the institution's residual risk. When testing an EWRA, auditors should query whether all lines of business, products and services, and the full geographic footprint of the organisation are being consistently covered from one assessment period to the next.
- Be aligned to the institution's AML risk appetite: whether a Risk Appetite Statement (RAS) is set at a business unit level or at the enterprise level, an EWRA without a RAS will be unable to provide measurable actions to address identified gaps. It will also be unable to highlight areas where the institution might be edging towards unacceptable risks. Auditors should query whether the conclusions of an EWRA report are aligned to an institution’s RAS and the extent to which the RAS has been integrated into the EWRA.
- Be based on hard data that is available and accessible: as regulators are increasingly leaning towards EWRAs that reflect hard data (this includes data in relation to customers, products, services, transactions, geographical coverage and delivery channels), an institution's ability to make this data continuously available and accessible for the purposes of critical analysis is crucial. An auditor must query the extent to which an EWRA is the product of quantitative data analysis and whether this analysis is supported by ‘quality’ data. Where there are data limitations, the nature of the limitation and the impact that it has on the EWRA must be clearly reflected in the EWRA report or EWRA methodology.
- Provide an accurate assessment of sub-risk categories: an institution's sub-risk categories (such as Customer Risk, Products and Services Risk, and Geography Risk) are keystones of the EWRA. Auditors must assess whether the assessment of these sub-risk categories has been performed reliably and uniformly across the whole institution.
- Be supported by a defined and documented methodology: as they say, methodology is King - and if they don’t say so, they should. A sustainable and repeatable EWRA is impossible to produce where the methodology lacks transparency and is not supported by well-defined artefacts (eg a well-defined risk assessment questionnaire). Auditors must test the methodology of an EWRA and gain comfort over its currency, sustainability and consistency.
- Be informed by a multi-dimensional assessment of the control environment: while evaluating a control from the perspective of its ‘design’ and ‘operational’ efficiency will not be new to an auditor, it is worth paying attention to the fact that EWRAs may unduly focus on the design of a control and less on its operational efficiency. This can lead to a skewed control rating, which in turn distorts the overall results of the EWRA. Another dimension of assessing the control environment, for the purposes of an EWRA, is the distinction between centralised and decentralised controls. Where a control is centralised, it is important for that control to be assessed centrally and for that assessment to be applied uniformly across all affected units to avoid inconsistency; eg where a centralised on-boarding or transaction monitoring team performs controls for multiple branches of an institution, the relevant controls should be tested at the central level, rather than picking and choosing isolated branches to test. This will help to ensure that no one branch is being subjected to a different standard and that any issues identified in relation to one branch are uniformly addressed across all.
- Be communicated appropriately to all key institutional stakeholders: a successful EWRA report should result in actionable tasks that are owned, delivered in time and measured through subsequent EWRA cycles. Therefore, the communication channels used to report and track progress against actionable items should be reviewed when auditing an EWRA.
- Be upgraded to automated systems/processes (where possible): this last factor is dependent on the institution's technological maturity. Often EWRAs are very manual and retrospective in nature. This means that the EWRA is often reduced to a tick-box exercise and doesn’t necessarily provide a ‘current’ view. Auditors are advised to question the extent to which aspects (or even the totality) of an EWRA process can be automated. In an age where regulatory technology is at the forefront of most institutions' considerations, it would be a missed opportunity not to automate something as fundamental as an EWRA.
For more on EWRAs please read the Protiviti thought leadership document – Building Blocks for an Effective AML Enterprise Wide Risk Assessment.
Tasnoova Zaki - Senior Manager in Risk & Compliance at Protiviti UK
About Protiviti
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 80 offices in over 20 countries, Protiviti and its independently owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.
Named in the 2019 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60 per cent of Fortune 1000® and 35 per cent of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
[1] Please see as an example in UK Regulation 18 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.