Op-Ed: Test your internal controls

Op-Ed: Test your internal controls
Derek Smith Jr.

By Derek Smith Jr

The independence of mind and independence of appearance is what gives assurance services their value and credibility. Globally, the Financial Action Task Force (FATF) recommendation 18 speaks to financial institutions (FI) programs against money laundering including “an independent audit function to test the system”. Locally, the Financial Transactions Reporting Act, 2018, Section 19(2)(iv) requests every FI to implement procedures based on its nature and size to, at minimum, secure “independent audit arrangements to review and verify compliance with the effectiveness of the measures taken within the act”.

By tradition, external audit focuses more on providing assurance to financial statements while internal audit specializes in examining internal processes, procedures and controls. The distinction above appears fundamental and critical to the ongoing discussions of independence and objectivity, even more consequentially whether the local inclusion of the words “independent audit arrangements” gives rise to the obligation of an internal audit, external audit and/or both across the many professions that are captured under FTRA — in particular Designated Non-Financial Businesses and Professions (DNFBPs). This article will proffer no position and only seeks to offer contextual facts surrounding the options.

To appreciate “independent audit arrangements” as it relates to internal and external audits, here is an exploration of their objectives, independence and objectivity, and similarities and differences.


The objective

The Institute of Internal Auditors’ (IIA) Standards and Guidance states: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” This definition emphasizes independence and objectiveness of IA in both assurance and consulting services.

Similarly, but not exactly, an external independent audit is primarily conducted to review the financial records of a company. They examine the records and financial statements of the client’s firm, and provide objective reports on any irregularities.

Simply, an internal audit assesses the risk management and control functions as a core component of governance, risk and compliance (GRC), compared to the latter that expresses a professional opinion on financial statements of a company.


Objectivity and independence

It is imperative to note that independence and objectivity go hand-in-hand. Both of these terminologies are synonymous with internal and external audits. Objectivity is considered a mental attitude that allows internal auditors to perform engagements in a way that they have an honest belief in their work and that no significant quality compromises have been made. Objectivity concern is also present in external audits because of the independent auditors want to self-preserve the financial relationship.

Independence refers to freedom from influences affecting and threatening objectivity or appearance of objectivity. These threats to objectivity should be dealt with on an individual auditor, engagement, functional and organizational level.


Similarities and differences

Besides a different underlying objective between internal audits and external audits, there are surprising similarities and several additional differences regarding skills, timing, employment relationship and primary audience, amongst others. Both provide assurance, an auditor’s report and communicate issues in the financial process. Also, both can be performed by an independent accounting firm. However, traditionally, internal audits are conducted by internal staff auditors, and external audits are completed by independent accounting firms. Internal audits are voluntarily scheduled by management, whereas external audits are generally involuntary and prescribed by legal necessity. The primary audience of the recommendations of an internal audit is the board, executive management and regulators. Conversely, the primary audience of the external auditor’s expressed opinion is internal and external investors.



In short, both internal and external audits have critical roles to play in providing positions on various aspects of a financial institution. My career has afforded me opportunities to function as both an internal auditor and an external auditor. Additionally, as a lead risk and compliance professional, I was afforded the pleasure to assist executive management with, and sometimes respond directly to, requests of both audit function/arrangement. Theses occasions have provided me with a distinct appreciation of how both internal and external functions can assist each other in the execution of their various objectives.

FIs must, where in doubt and where there is no legal obligation to complete external audits, seek legal opinions regarding the obligation of FTRA, 2018 as it relates to internal controls.

Derek Smith Jr is a Top 40 Under 40 leader; the compliance officer at Higgs & Johnson, a leading law firm in The Bahamas; and the former assistant vice president, Compliance & Money Laundering Reporting Officer (MLRO), at an international private bank. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and an executive member of the Bahamas Association of Compliance Officers.