Financial crime audit is not a new discipline, but the FCA's expectations of what it should look like have shifted significantly over the past few years. The combination of high-profile enforcement actions, increased use of skilled person reviews, and the FCA's explicit statements about the role of internal audit in financial crime governance has raised the bar for what a credible financial crime audit programme looks like.
The FCA's position on internal audit and financial crime
The FCA has been explicit, in a number of contexts (Dear CEO letters, thematic reviews, enforcement decision notices), that internal audit is expected to provide meaningful independent assurance over financial crime controls. "Meaningful" is doing a lot of work in that sentence. The FCA is not satisfied with audit work that confirms the existence of a transaction monitoring system, reviews the policy framework, and concludes that controls are adequate. It wants to see audit work that tests whether the controls are actually working: whether transaction monitoring is calibrated correctly, whether alerts are being investigated properly, whether SARs are being filed when they should be, and whether customer risk assessments reflect the actual risk presented by the customer.
This is a higher standard than many internal audit functions have historically applied to financial crime work. It requires more analytical depth, more specialist knowledge, and a greater willingness to reach conclusions that management may find uncomfortable.
Common deficiencies the FCA identifies
Drawing on the FCA's public statements and enforcement decisions, the most common deficiencies in financial crime audit programmes are the following.
Insufficient testing of transaction monitoring effectiveness. Reviewing alert thresholds and closure rationale on a sample basis is standard. What is less common, and what the FCA increasingly expects, is testing whether the transaction monitoring (TM) scenarios are calibrated to catch the specific typologies relevant to the firm's business model and customer base. A firm that processes a large volume of international wire transfers and has no TM scenario designed to detect structuring is a firm with a gap, and that gap should be identifiable through audit work: the auditor seeds known patterns into the test data and checks whether the scenario fires, rather than taking the scenario's existence as evidence that it works.
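One way an auditor can test scenario calibration rather than scenario existence is to run a candidate rule over a ledger in which known typology cases have been seeded, and report which seeded cases each parameter set catches and misses. The block below is an added example written for this article, not code from the page or from any firm's monitoring system. The structuring rule (sub-threshold amounts within a percentage band of a threshold, summing past the threshold inside a rolling window) and every parameter value in it (10,000 threshold, 25% or 5% band, 7-day window, minimum of three items) are illustrative assumptions, not regulatory figures; the ledger is constructed for the example.

```python
"""Structuring scenario plus a calibration back-test over a constructed ledger.

Added example, not from the original article. Threshold, band, window and
minimum count are illustrative assumptions, not regulatory values; a firm
would derive them from its own risk assessment.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed ledger: (customer_id, value_date, amount). Two customers are
# seeded with structuring patterns; the others are controls.
LEDGER = [
    # C-1: four near-threshold payments in five days (seeded structuring)
    ("C-1", date(2024, 3, 1), 9_800.0),
    ("C-1", date(2024, 3, 2), 9_700.0),
    ("C-1", date(2024, 3, 4), 9_900.0),
    ("C-1", date(2024, 3, 5), 9_600.0),
    # C-2: same burst, but further below the threshold (seeded structuring)
    ("C-2", date(2024, 3, 10), 8_000.0),
    ("C-2", date(2024, 3, 11), 8_200.0),
    ("C-2", date(2024, 3, 12), 7_900.0),
    ("C-2", date(2024, 3, 13), 8_100.0),
    # C-3: ordinary retail activity (control)
    ("C-3", date(2024, 3, 1), 120.0),
    ("C-3", date(2024, 3, 3), 45.5),
    ("C-3", date(2024, 3, 9), 300.0),
    # C-4: a single large payment; a threshold scenario, not this one, owns it
    ("C-4", date(2024, 3, 2), 50_000.0),
    # C-5: near-threshold amounts spread over months (control: not a burst)
    ("C-5", date(2024, 1, 5), 9_500.0),
    ("C-5", date(2024, 2, 20), 9_600.0),
    ("C-5", date(2024, 4, 2), 9_700.0),
]

# Ground truth for the back-test: which customers were seeded as structuring.
SEEDED_STRUCTURING = {"C-1", "C-2"}


def structuring_alerts(ledger, threshold=10_000.0, band=0.25,
                       window_days=7, min_count=3):
    """Return {customer_id: (window_start, window_end, total)} for customers
    whose transactions in [threshold*(1-band), threshold) number at least
    min_count and sum to at least threshold within a rolling window of
    window_days. One alert per customer (the first qualifying window)."""
    floor = threshold * (1 - band)
    by_customer = defaultdict(list)
    for cust, when, amount in ledger:
        if floor <= amount < threshold:          # only sub-threshold items count
            by_customer[cust].append((when, amount))

    alerts = {}
    for cust, items in by_customer.items():
        items.sort()                             # chronological order
        for i, (start, _) in enumerate(items):
            end = start + timedelta(days=window_days - 1)
            in_window = [a for d, a in items[i:] if d <= end]
            if len(in_window) >= min_count and sum(in_window) >= threshold:
                alerts[cust] = (start, end, sum(in_window))
                break
    return alerts


def calibration_report(ledger, seeded, **params):
    """Back-test one parameter set: seeded customers caught, seeded customers
    missed, and controls wrongly flagged. This is the audit evidence, not the
    mere existence of the scenario."""
    alerted = set(structuring_alerts(ledger, **params))
    return {
        "caught": sorted(alerted & seeded),
        "missed": sorted(seeded - alerted),
        "false_positives": sorted(alerted - seeded),
    }


if __name__ == "__main__":
    # A narrow band catches only C-1; widening it also catches C-2 without
    # flagging any control customer on this ledger.
    for params in ({"band": 0.05}, {"band": 0.25}):
        print(params, calibration_report(LEDGER, SEEDED_STRUCTURING, **params))
```

The point of the back-test is the "missed" list: with a 5% band the scenario never sees C-2's 8,000-range payments at all, so a sample review of the alerts it did raise would look clean while the typology goes undetected. Real audit work would seed patterns drawn from the firm's own risk assessment and run them against the production rule set, not this toy rule.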
Over-reliance on management information. Internal audit that bases its conclusions primarily on the firm's own management information (MI), such as SAR filing rates, alert closure times and training completion rates, without independently verifying the underlying data is not providing genuine assurance. The MI may be accurate; it may also be misleading, for example where alerts are closed in bulk to hit a timeliness target. Audit work should go behind the numbers to the underlying alert, case and filing records.
Inadequate coverage of high-risk customer segments. Politically Exposed Persons, correspondent banking relationships, and customers connected to high-risk jurisdictions all require enhanced due diligence (EDD). Audit work that does not specifically test the application of EDD to these segments (the quality of the EDD itself, not just its existence) is missing the highest-risk part of the customer portfolio.
Failure to follow the money. One of the most valuable things internal audit can do in a financial crime context is trace specific transactions through the firm's systems and assess whether the controls operated as designed. This is more demanding than reviewing the policy framework, but it is also more informative.
The resourcing challenge
Good financial crime audit work requires people who understand financial crime, not just internal audit methodology. This is a genuine resourcing challenge for smaller audit functions that cannot justify a dedicated financial crime specialist. The options are: develop the capability internally through training and on-the-job experience; bring in external specialists for specific audits; or use co-sourcing arrangements that give the function access to specialist resource on demand.
What is not an acceptable response, from the FCA's perspective or from an audit quality perspective, is to audit financial crime without adequate expertise and produce conclusions that the auditors are not qualified to reach.
Reporting financial crime findings
Financial crime audit findings should be reported to the audit committee in terms that connect the specific finding to the regulatory risk it represents. A finding that says "transaction monitoring alerts are not being closed within the firm's target timeframe" is a process finding. A finding that says "transaction monitoring alerts are not being closed within the firm's target timeframe, creating the risk that suspicious activity is not being identified and reported in a timely manner, with potential consequences under POCA (the Proceeds of Crime Act 2002) and MLR 2017 (the Money Laundering Regulations 2017)" is a risk finding. The latter is what the audit committee needs in order to understand the significance of what it is being told.