How to avoid the most common AML/CFT audit breaches

11 AUG 2022

As many of you prepare for your next audit we wanted to share the most common audit findings from the last 12 months and provide recommendations and resources so that you can specifically review these areas before your audit commences.

Audit finding #1: Risk Assessment documentation is not kept up to date and does not contain version control.

  • Recommendation: Schedule regular reviews to ensure descriptions relating to key services are accurate and current. If nothing changes in the business (e.g. no new products, services or risks identified), then an annual review is fine. Otherwise, you should conduct a review each time something changes, e.g. a new product is introduced or an existing product is now offered online, both of which create additional risk for the business that needs to be assessed and addressed.

    Remember to update the version numbers of key documents each time you conduct a review or make a change outside of your normal review date. This is usually done via a table on the front page where you record the date the change was made and the new version number. As auditors, we expect to be able to see when a review or change has taken place.
  • Resources: Keep up to date with the current sector risk assessments:

    DIA
    Phase 1 Sector Risk Assessment DIA
    Phase 2 Sector Risk Assessment DIA

    FMA
    Sector Risk Assessment FMA

Audit finding #2: Dealing with customers in different countries without any assessment of their Money Laundering/Terrorism Financing risks.

Audit finding #3: Client due diligence (CDD) documentation – either not verified / certified or insufficient documents obtained.

  • Recommendation: Make sure that the staff who conduct CDD have the appropriate training and understand the requirements of the Amended Identity Verification Code of Practice (IVCOP). 
  • Resources: The IVCOP document below provides an outline of who can verify / certify and what documentation needs to be obtained: 

    Amended IVCOP

Audit finding #4: Failure to conduct politically exposed person (PEP) checks on all customers.

  • Recommendation: Run new customers through some sort of PEP technology check – this is something the supervisors expect you to do for all customers.
  • Resources: Some widely used PEP check tools are KYC360, MemberCheck, WorldCheck, Dimension GRC etc. These tools are specifically geared or designed for testing the PEP status of individuals. 

If you need help with any of the points listed above, or have any questions regarding any aspect of your audit, please don’t hesitate to contact the team. We are happy to answer your questions and point you in the right direction.