In recent years, Bank Secrecy Act (BSA) and anti-money laundering (AML) enforcement actions have increasingly concentrated on internal audit, the third line in the classic three-lines model financial institutions use to protect themselves.
Why this matters and how you can respond
Because enforcement historically looked at second-line failures, some institutions downplay the third line, which has led to some significant civil penalties. Here are four areas where internal audit deficiencies attract regulatory attention:
- Subject matter expertise: Regulators care about audit team qualifications. You’ll want to assess your auditors to be sure they have the necessary subject matter knowledge and experience.
- Planning and scoping: Internal audit plans and scope documents have faced regulatory criticism, especially when firms don’t conduct regular audits at a prescribed frequency. While it doesn’t mandate a set schedule, the Federal Financial Institutions Examination Council suggests 12- to 18-month intervals. Remember, regulatory expectations are constantly evolving: document all of your scoping decisions.
- Execution and reporting: Regulators have also found fault with execution — specifically, that assessments aren’t thorough enough. You should develop comprehensive tests and revisit sampling methodologies so they’re in line with 2020 OCC guidance. Document your audits so a third party can easily comprehend and repeat the work.
- Validation: Institutions without robust issue validation programs often draw criticism from regulators. Enforcement now emphasizes timely remediation, implementation of sustainable controls and independent testing.
Where we go from here
All firms should consider COVID-19’s impact and how examinations will evolve as their employees continue to work remotely. The pandemic has created new opportunities for malicious actors, even as remote work stresses normal compliance controls. Internal auditors must understand these threats and be prepared to address the new risks. Even before the crisis, regulators had been intensifying their focus on remediation related to compliance programs. Now, we expect this scrutiny to intensify.