Independent testing is one statutory requirement of an effective Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. Independent testing assists a bank’s board of directors and management in evaluating the effectiveness of their BSA programs and implementing stronger controls as needed. Ninth District institutions often struggle to understand independent testing requirements, specifically when employing outside firms. In this article, we discuss several key aspects of independent testing, considerations for institutions that outsource independent testing, and examples of red flags that can alert the board or management to potential issues.
Key aspects of independent testing
The Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual comprehensively outlines independent testing requirements and expectations. While it is important to address all requirements and expectations, we specifically highlight three critical elements that often come up during examinations: the importance of qualified auditors, the need for communication with the board and management, and third-party access to work papers and documentation.
Internal audit departments, outside auditors, consultants, or other qualified parties may conduct independent testing. The key point is that individuals involved in the independent testing function should not be involved in other BSA/AML functions that may present a conflict or lack of independence, including training or developing policies and procedures. Auditors should be qualified and have a thorough understanding of requirements and expectations of the BSA through periodic training and work experience. The depth of knowledge and level of ongoing training for persons completing independent testing should be commensurate with the level of complexity and risk of the institution they are reviewing, but in all cases, training should ensure that their knowledge is up to date with industry standards.
Auditors should note any violations, policy or procedure exceptions, or other deficiencies during independent testing. The final report should include these important findings, and the board or a designated committee should review the report in a timely manner. For example, we have observed auditor work papers documenting gaps relative to the expectations outlined in the FFIEC BSA/AML Examination Manual, but the audits did not bring them to the attention of the board or management, which limits the usefulness of independent testing. Not all issues identified during independent testing will rise to the level of a finding or recommendation. However, an audit report containing sufficient detail about weaknesses in a BSA/AML program will give the board and management the opportunity to take action.
A good practice is to make independent testing documentation and work papers available for third-party review. Examiners, for example, often need to review documentation and work papers to fully assess independent testing. Reviewing the scope and final report does not allow for a complete analysis of compliance.
Outsourcing independent testing
Many institutions choose to outsource independent testing. This is an acceptable practice, but the board remains responsible for ensuring that testing is timely, thorough, and accurate. While the FFIEC BSA/AML Examination Manual details requirements and expectations for independent testing, additional risk management practices are needed to ensure compliance. These practices include vendor risk management, involvement throughout the entire engagement, and thorough review of the final report.
Vendor risk management of external firms consists of initial and ongoing due diligence to verify qualifications and expertise of outsourced firms. Due diligence includes the review of qualifications of the firm and résumés of the auditors involved in the independent testing engagement. The engagement letter and scope should be reviewed to make certain the vendor will address all of the minimum testing requirements. In addition, the engagement letter should include a provision allowing access to independent testing documentation and work papers.
It is essential that management be involved throughout the entire independent testing engagement. Management will have the most contact with auditors during the on-site portion of the engagement. Ongoing communication between management and the auditors is critical to ensure a comprehensive review. Ideally, auditors will bring concerns and deficiencies to management as soon as possible. This allows the institution to make sure the scope is fully addressed and to address any questions or discrepancies prior to the conclusion of the engagement and issuance of the report.
A thorough review of the final report is vital. While attention naturally focuses on conclusions and recommendations, reviewing the narrative of the report will ensure that critical details are not overlooked. The narrative includes how the vendor addressed the scope and describes deficiencies that did not rise to the level of a finding, but were nonetheless noteworthy. It is important that the board and management identify any inconsistencies and incorrect statements made in the report narrative, as well as in the findings and recommendations. If management determines that conclusions are inconsistent or incorrect, immediate discussions between the board and the external firm are necessary.
Independent testing red flags
Red flags that can alert the board and management to potential issues with outsourced firms include:
- The auditors scheduled to perform independent testing have limited or no BSA/AML training, experience, or work history.
- The engagement letter and scope are vague and do not detail the specifics of the engagement.
- The auditors have very little communication with management.
- The final report contains inconsistent or incorrect information.
- The outsourced firm is reluctant to provide documentation and work papers when requested.
We suggest referencing the FFIEC BSA/AML Examination Manual for additional information.