As defined by the Institute of Internal Auditors, internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
This is especially so in recent times: the scope of internal auditors’ responsibilities has expanded significantly, with various stakeholders placing increasing reliance on the assessments undertaken by internal auditors, even as businesses become more complex and diversified.
According to the Guidelines on Risk Management Practices, which serve as guidance to financial institutions on sound practices for their internal control environment and business process controls, an institution should have in place an adequately staffed, independent and permanent internal audit function responsible for assessing whether existing policies, processes and internal controls (including risk management, compliance and corporate governance processes) are independent, effective, appropriate, and remain sufficient for the institution’s business.
MAS also expects the business activities of Fund Management Companies (“FMCs”) to be subject to an adequate internal audit, whereby the internal audit arrangements should be commensurate with the scale, nature and complexity of their operations.
Maintaining the highest level of independence and objectivity is critical to the conduct of an effective internal audit, and this can be achieved by ensuring that the internal audit function has these key conditions in place:
Direct reporting access to the Audit Committee, Chief Executive Officer (“CEO”) or its equivalent where applicable;
Unrestricted access to all organizational resources and documentation;
Sufficient authority to ensure broad audit coverage and appropriate action on recommendations; and
No other operational responsibilities besides that of internal audit.
Salient Observations Picked Up by Internal Auditors
Audit observations provide management, the board, and stakeholders with adequate detail and an objective summary of an organization's operations and controls, evaluating the current internal controls and testing existing controls for operating effectiveness. Below are several salient observations and pitfalls that internal auditors pick up while reviewing the policies, processes and internal controls of financial institutions in Singapore:
While there may be advantages to outsourcing functions to an external service provider, these outsourcing arrangements may also increase the risk profile of an institution due to, for example, reputation, compliance and operational risks arising from the failure of a service provider in providing the service, breaches in security, or the institution’s inability to comply with legal and regulatory requirements. Hence, it is important that an organisation identifies its existing outsourcing arrangements accurately in order to implement a sound and responsive risk management framework, and subsequently undertakes periodic reviews of all outsourcing arrangements to identify new outsourcing risks as they arise.
Did you know that Microsoft Office 365 (including Outlook and Teams) is a cloud-based service and would be considered as a form of outsourcing under the MAS Outsourcing Guidelines?
This is frequently overlooked and consequently, the required materiality assessment, risk evaluation, due diligence and periodic reviews are not performed. Fund managers who are aware of this form of outsourcing may also not know how to perform these assessments on large corporations such as Microsoft.
2) MAS Returns & Base Capital Monitoring
MAS requires holders of Capital Markets Services Licences to maintain a minimum base capital, maintain financial resources (FR) above the total risk requirements (TRR) and lodge financial returns with the MAS, in accordance with the base capital definition stated in the Securities and Futures (Financial and Margin Requirements for Holders of Capital Markets Services Licences) Regulations.
As set out in the Guidelines on Licensing, Registration and Conduct of Business for Fund Management Companies, “An FMC shall at all times meet the base capital thresholds upon obtaining its licence or being registered with MAS. It would be prudent for the FMC to maintain an additional capital buffer, over and above the requisite base amount. An FMC should make a reasonable assessment of the amount of additional capital buffer it needs, bearing in mind the scale and scope of its operations.”
It is common to find that, in the calculation of the base capital, the current unaudited unappropriated profit or loss figures are used instead of those indicated in the last audited financial statements.
3) Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”)
Capital markets transactions offer a vast array of opportunities for transforming money into a diverse range of assets which in turn amplifies their attractiveness to money-launderers for layering their illicit proceeds for eventual integration into the general economy. The ease with which these assets can be converted to other types of assets, especially if they are liquid and marketable, also aids the layering process. Therefore, MAS expects financial institutions operating in Singapore to implement robust controls to detect and deter the flow of illicit funds through Singapore's financial system.
Such controls include the need for financial institutions to identify and know their customers (including beneficial owners), to conduct regular account reviews, and to monitor and report any suspicious transactions. Some notable AML/CFT requirements for capital markets intermediaries comprise risk assessment and risk mitigation, customer due diligence, reliance on third parties and suspicious transaction reporting.
In performing client due diligence over its customers, a company is required to obtain certain verification documents that are certified true copies, or copies of original documents that had been sighted, so as to retain reliability of information and documentation. In addition, documents which are in foreign languages should be translated into English by a suitably qualified translator or by an employee of the company who is independent of the customer relationship and is conversant in that foreign language. However, it is not uncommon to see verification documents that were not properly retained, documented, or translated, which consequently results in an ineffective determination and evaluation of ML/FT risks associated with the customer.
Outsourcing of the Internal Audit Function
The internal audit may be conducted in-house, by an internal audit team from the head office of the financial institution or by an outsourced third-party service provider. On this note, it is not uncommon to see financial institutions outsourcing their internal audit function to a third-party service provider given the many advantages associated with outsourcing. Some key ones are:
Qualified personnel from outside the organization who are objective and unbiased;
More cost- and time-effective, freeing up internal resources and removing the need for continuous investment in maintaining an in-house team; and
Ability to draw on the outsourced provider’s broad experience across the industry for valued findings and “best practices” recommendations.
As such, by tapping into the capabilities and collective knowledge of experienced, independent internal auditors, financial institutions will be able to receive sharp and objective insights which can help them to improve the effectiveness of their internal risk management, control, and governance processes. Similarly, where an institution outsources its internal audit function, the institution should also conduct periodic assessments to satisfy itself of the continuing ability of the service provider to perform the internal audit function satisfactorily. These may include assessments that are in line with the Quality Assurance and Improvement Program as per the International Standards for the Professional Practice of Internal Auditing (Standards).
It is imperative that organizations conduct regular, comprehensive assessments of their policies, processes and internal controls, which internal audit encompasses. As a cornerstone of good corporate governance, internal audit can play an important role in providing the Board of Directors, Audit Committee, CEO, senior executives and stakeholders with an independent view on whether a firm has an effective risk and control environment, while acting as a catalyst for a strong risk and compliance culture.
Established in 2013, Lymon has been providing regulatory compliance and risk management services to financial institutions and their fund products. To find out more about how we can assist with your regulatory or structuring needs, do reach out to your usual contact at Lymon or our specialist below:
Jovi Gan, Director
+65 6709 4110