Empowering compliance: Crucial role of internal audit in navigating AML/CFT risk management

EY Sri Lanka Partner, Financial Accounting Advisory Services Rajith Perera

In today’s increasingly complex financial landscape, the significance of robust Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) compliance cannot be overstated. With rising AML/CFT risks, Internal Audit plays a key role in ensuring compliance and managing inherent risks. This article highlights Internal Audit’s key role in effective AML/CFT risk assessments.

The imperative of comprehensive risk assessment

A thorough risk assessment serves as the cornerstone of an effective AML/CFT audit framework. Internal Audit must undertake this assessment at least annually, tailoring it to the specific business model of the bank. By analysing the customer base, Internal Audit can identify potential risks linked to high-risk customers or jurisdictions. The analysis considers different customer types — corporate, individual, private, and public — and recognising material changes that may elevate risk levels, such as the presence of Politically Exposed Persons (PEPs), High Net Worth Individuals, or complex ownership structures. 

The risk assessment should also cover the inherent AML/CFT risks tied to the bank’s products, services, and delivery channels. Special focus is needed for areas like correspondent banking, trade finance, deposits, payments, and both local and cross-border fund transfers. AML risks should be assessed across face-to-face, non-face-to-face, and proxy channels — especially where beneficial owners are hidden or hard to verify — as these increase the bank’s exposure to money laundering and terrorist financing. This helps Internal Audit assess risks and validate controls.

Evaluating control effectiveness

Further, Internal Audit plays a crucial role in evaluating the effectiveness of existing controls designed to mitigate residual risks related to AML/CFT compliance. This evaluation involves reviewing past issues, including overdue internal, external, or regulatory matters, and recurring problems that may indicate systemic weaknesses. Assessing risk events, incidents, and near-misses reveals the severity and frequency of risk.

Internal Audit must closely review the AML/CFT risk assessments conducted by the second line of defence. This includes evaluating screening operations, changes to controls and processes, controls related to Know Your Customer (KYC)/Customer Due Diligence (CDD), customer risk assessments, onboarding procedures, the quality and timeliness of name screening alert dispositions, and the effectiveness of investigations and Suspicious Transaction Report (STR) filings. Internal Audit assesses controls and suggests improvements.

A collaborative approach to risk assessment

To enhance the effectiveness of risk assessments, Internal Audit should foster collaboration with third parties, including independent consultants. This collaboration enhances audits and promotes knowledge sharing. Engaging external stakeholders gives Internal Audit broader insight into emerging risks and regulations, strengthening risk assessments.

Continuous improvement through training and upskilling

The financial sector’s pace demands ongoing training for Internal Audit professionals. By providing ongoing education on AML/CFT regulations, emerging risks, and audit methodologies, banks can ensure that their Internal Audit teams remain well-equipped to navigate the complexities of compliance. This commitment supports proactive risk assessment and audit execution.

Ultimately, the Internal Audit function is integral to the success of AML/CFT compliance efforts within banks. By prioritising comprehensive risk assessments, evaluating control effectiveness, fostering collaboration, and investing in continuous training, Internal Audit can significantly enhance the bank’s ability to manage inherent risks associated with money laundering and terrorist financing. As the financial landscape evolves, a strong Internal Audit function becomes increasingly vital in managing risks — a timely priority for banks globally.