
Independent Audit

GFSC Handbook independent audit requirement – how’s it going?

GFSC had widely trailed their intentions before tightening this aspect of board oversight in Handbook section 2.4.1 in July 2023. Now that the revised independent audit provisions have been in place for 6 months, we’ve outlined below some points from discussions with clients and from working in this area.

 

Common questions

Some common queries … followed by our thoughts on each:

 

Does there have to be an independent review of all Handbook areas over a cycle?

This is some firms’ initial assumption but we don’t read the Handbook as requiring it. Attempting to cover all areas would go against the risk-based approach of Section 2.4.1, and independent review should be most effective if scoped as suggested in Handbook para 2.28.

 

Is it now mandatory to have independent audit?

Not absolutely, as the Schedule 3 requirement still includes “where appropriate”. But possible reasons for deciding it’s not necessary have been reduced. For example, we read Rule 2.25 as leaving very little room for private banking and fiduciary businesses to justify not having any independent review.

 

Is it the CMP by another name?

No, because it needs to look independently at whether second line of defence (compliance and risk) functions have been effective. Where CMP testing is performed by a compliance team, it’s unlikely to do this. Compliance teams often don’t have independence from the writing of processes aimed at meeting the Handbook, from sign-offs within those processes or from testing them within the CMP.

 

Is it the same as internal audit?

Handbook para 2.20 sees internal audit as a form of independent audit, and structurally that’s clearly correct. But in practice, internal audit functions often:


  • lack detailed knowledge of local requirements, making their testing less likely to identify issues against those

  • have a heavy focus on requirements set at group level rather than on local legal requirements, and/or

  • work to a plan which local boards can’t influence, so they don’t get assurance in the areas they feel most need it.

 

Some internal audit functions don’t report directly to local boards, seeing their role as reporting to shareholders, and even when they do there needs to be a check that what they do meets the Handbook requirement.

 

Can we do this type of review internally?

Yes, but many firms, not just small firms, would struggle to find adequate resource that both has knowledge of the requirements being tested against and meets the independence requirements in Handbook para 2.20.

 

Can it be a one-off review or does there have to be a continuing cycle?

We think a one-off review could meet the requirement if done at least every 3 years. But in practice it would have to be a very large exercise to give meaningful assurance across enough areas in one “hit”.

 

Does the function have to extend to conduct requirements or can it be limited to the Handbook?

Although there are arguments for this type of testing beyond financial crime areas, the Handbook and Schedule 3 don’t go that far. For some clients we’d already been doing independent review including conduct requirements but the Handbook doesn’t require that.

 

As always, other interpretations may be available!

 

What’s important to make independent audit work for firms?

 

To add value and avoid creating unnecessary regulatory risks for the firm:

 

Have a programme of areas to be reviewed – a series of ad hoc reviews without an overall plan may not focus on the right areas, and may not leave a trail of why they were selected. Independent audit is part of a firm’s governance structure and it’s valid for GFSC to ask how the review coverage was decided (as they do for CMPs). The programme doesn’t need to be complex but could take account of:

 

  • significant areas not previously independently tested

  • high impact areas such as international sanctions and governance CMP findings, and

  • new external requirements or internal processes

 

Management of actions – Handbook para 2.22(d) flags that an external firm may not be able to check whether the firm has implemented recommendations. Whether the review is internal or external, it needs to be clear how recommendations are considered, how the resulting decisions are implemented and how they are closed off against the independent review.

 

Type of testing – the Handbook doesn’t prescribe whether testing should be against an obligation (such as a Handbook Rule, which various internal controls or processes may be aimed at meeting) or of an internal process (such as client acceptance, which will cover various Handbook obligations). Nor does it say to what extent sample testing is required, although in many areas it’s hard to see how “adequacy and effectiveness” can be evaluated for Schedule 3 purposes without it. Various approaches are possible but it’s best to have in mind when planning a programme that these decisions will need to be made and may need adjusting with experience.

 

What stage are firms at right now?

Overall, our experience is that the changes have helped to reduce resistance to genuinely independent testing and that firms are working constructively to meet the requirement. Many have looked hard at internal resources and independence before deciding to commission external testing.

 

The Handbook did not give an implementation window or deadline, so technically it took effect immediately. We didn’t see GFSC immediately press firms on implementation but they have been doing that for the last few months.
