The Wolfsberg Group has published a set of principles for auditing a financial crime risk management programme under its three factors:
- complying with financial crime laws and regulations
- establishing a reasonable and risk-based set of controls to mitigate the risks of being used to facilitate illicit activity and
- providing useful information to government agencies
The Group has worked with its members’ second and third lines of defence to develop principles which it says can help internal audit. It notes the importance of the independent internal audit function in assessing programmes and confirming that they are properly focused and risk-relevant. The principles suggested are:
- internal audit should assess whether the financial institution can show its governance documents address the requirements of all relevant laws and regulations and assess that the institution has an effective set of controls to ensure these requirements are complied with
- internal audit should evaluate whether the institution has a well-designed, reasonable and risk-based set of controls, and then assess the effectiveness of the controls and
- an institution may decide to set out indicators on information sharing
For each principle, the guidance suggests measures the institution can take to meet the principle.