6.4. Poor independent audits of entities
144. Many supervisors of financial institutions make use of FIs' internal and external audits as an important source of information on FIs' AML/CFT controls (many smaller DNFBPs do not have internal audit functions). Independent audits with an inadequate scope or of poor quality may present a challenge for the supervisor. In some systems, supervisors may rely heavily on audit information regarding the entity's specific risks, to understand how these risks are being managed and controlled, and the status of the compliance program. Therefore, if the entity's independent audit is inadequate, those independent audit findings cannot be leveraged to tailor the review areas covered by the supervisory authority and to allocate the resources necessary to assess the entity's compliance program. Moreover, poor independent audit report(s) and supporting paperwork can hinder supervisors in understanding audit coverage and the quality and quantity of transaction testing that was performed as part of the independent audit. Without this knowledge, supervisors may be limited in their ability to risk-focus and identify areas for greater (or lesser) review.
145. Strategies to address this challenge:
• To prevent this issue, supervisory authorities should assess whether the entities have processes in place to ensure that the audit scope and depth are appropriate and that audits are performed by competent, qualified and reputable independent auditors. They should also take steps to satisfy themselves that the audits performed are of sufficient quality, for example by carrying out sample checks. Moreover, supervisors should confirm that the financial institution's or DNFBP's independent audit plan assesses the effectiveness of AML/CFT controls across and within the entity or group's operations.