Annual Conference and Global Internal Audit Leadership Summit 2017 (27 Oct)

Managing Cyber Risks. (KPMG) Cybersecurity is one of the top 5 risks as rated by CAEs. Cyberattacks are one of the top 3 man-made risks which can be addressed. In a survey, Asian CEOs aren’t as well prepared as their US counterparts when dealing with cyber risks and cybersecurity. There is a need for cybersecurity risk assessment. Sometimes, insiders can provoke a cyberattack too. The widening of the digital footprint can lead to greater cybersecurity threats. External threats like new technology, technology change, regulatory compliance and changing market forces will continue to affect the cyber landscape. The new cybersecurity bill by CSA is slated to be released in Feb 2018. The Bill will affect CIIs from 7 different industries. The cyber risk gap needs to be plugged through the use of specialist reviews and audits. Some of the losses that an organization could face are theft of client information, IP, corporate data, DoS attacks etc. Nowadays, it is quite common for the attacker to attack your service provider (since there are less strict internal controls) and get information from them about your company. Some of the staff from your vendor might not be well screened either. Usually, there is no point trying to figure out who the cyber-attacker is as it is hard to prosecute if it’s not in Singapore jurisdiction. Some of the tactics that cyber-attackers use are ransomware, key loggers, phishing, insider data theft and man-in-the-middle attacks. Do not give away passwords at any cost. Training/education is important, more so than IT tools at times. As auditors, we can audit the data classification in an organization. Cybersecurity is a growing factor and needs to be included as a risk indicator. There needs to be a detailed response plan after being attacked. There is also a need to link the cybersecurity threats to your business. One can read the ISO27000 series, MAS TRM Guidelines, NIST, COBIT and others.

SAP Case Study. (SAP) SAP is a German company. Maintenance costs are a big part of the implementation costs of having such an ERP software. For SAP itself, some of the risks facing the organization are acquisition risks, cloud computing etc. Within the audit team, they use the SAP Audit Management Software, which automates the end-to-end auditing process. One will be able to see clear audit plan overviews and also real-time status updates of the plan. There are also resource management tools in place which will help improve the global resource transparency. In addition, there are audit executive dashboards in use. All these lead to better cost savings, user satisfaction and faster audit cycles for the organization. As a result, during quality assessments, the IA function scores better. Analytics helps in audit sampling for auditors.

Internet of Things. (Microsoft) The Internet has shifted from the Internet of content to service to people and now to ‘Things’. The Internet is very commonly used nowadays as it is more efficient and has led to increased productivity. It has brought the whole world together through Skype. There is data in chips in our everyday devices and such data can be harnessed for decision making. Some of the benefits of IoT are that it leads to 1) safety, comfort and efficiency; 2) faster decision making; 3) revenue generation. Some of the risks of IoT are 1) privacy, security and legal (what types of data can be collected and should be collected etc). The major challenges that will be faced are to obtain the business and IT buy-in and also the fact that data magnitude can be huge and complex and hard to interpret. It is important for IA to stay ahead of the changes and understand the risks emanating from IoT. We need to be trusted advisers to the business. CAEs need to determine the skillsets required, like from data scientists, private specialists etc. IA needs to recruit the right people. We need to change our approach to how to audit etc. The process flow is like this: device connection -> data sensing -> communication (access rights) -> data analytics (queries etc) -> data value -> human value

Data Analytics at MAS. (MAS) Data is the new AIR that we breathe. Insight is the new storage of value also. There are a few Vs we need to be aware of: Veracity, Value etc. We have approached the other departments, like banking, insurance and capital markets, to understand what the pain points of these departments are. We have moved from rule-based (AML + STR) to machine learning. There is a strong need to enforce data quality and to move from just big data to smart data. Labels must be given for supervised machine learning in order for it to work more efficiently. However, there is also such a thing as unsupervised machine learning etc. For data, there is a need to achieve generalisability. An important question to ask is whether your model can work on future data, or just past data. Ensure that your data can be interpreted and cleaned before it can be used. The process is as follows: 1) know the question; 2) understand the data; 3) find the right algorithm; 4) be aware of the limitations; 5) be sceptical; 6) automate; 7) experiment. It is important to share insights across the different departments. Machine learning is a programme which automatically improves its performance through learning and experience. Culture is hard to change and in fact, culture is more important than the application of an algorithm.

Cybersecurity Lessons Learned. (SWIFT Asia Pacific) SWIFT is a co-operative that is based out of Belgium. Nowadays, cyberattacks are tailored for a particular institution and that can be really scary. Hackers are now able to perform multi-stage attacks. There is a hacker collaboration space in the dark web. Cross-border banking usually requires the use of SWIFT. Hackers have different motivations for committing crimes and these are difficult to predict. Cyber must be managed from the top down. One needs to understand that spending money doesn’t make you more secure and there is a need to evaluate cost-benefit analysis. At times, it could be the client servers which have issues. There is a need to dictate how the client runs their programmes in order to secure their environment. There needs to be a cyber-response plan in place to address attacks and to recover. In future, SWIFT would make it compulsory for banks to report on their compliance with SWIFT’s assurance framework. This will certainly help to improve transparency.

Ethics in a Digital World. (Avanade) Avanade is a cloud service provider and is a partnership between Accenture and Microsoft. In this digital age, there is a debate between Personalization vs Privacy. Facebook tried to have two bots chat with one another, but they turned racist and eventually had to be put down. Although AI development is swift, it might be necessary to put the guardrails on AI and curb its growth in view of ethical considerations. What is morally acceptable in today’s society? What is lawful? Digital is becoming a way of life and ethical behaviour is vital in this day and age. Is there a need for a framework to manage ethical dilemmas? What are the possibilities of digital tech? Core ethical values are embodied by leadership and there needs to be a good tone from the top.

IA in the Age of Transformation. (Asia Pacific Black Sun, Sofitel Singapore, UOB, NTUC, EDB) What are the elephants in the room? This refers to important issues that are not being addressed by IA. IA needs to keep themselves relevant. 43% of jobs in Singapore can eventually become automated (mechanized, robotized, digitalized) etc. However, there are still many opportunities in the audit space to add value. IA needs to be high tech, high touch (build strong relationships with management), and high trust. IA’s job is to highlight exceptions to management and in order to do so, they need to be loud and courageous in the boardroom and not shirk from difficult conversations. IA needs to avoid getting in the newspaper. IA needs to familiarize themselves with the area of sustainability reporting and professional scepticism. IA needs to constantly update themselves through attending training etc. Industrial domain knowledge is also important and this is usually learnt on the job. People retention is important and there could be a risk of knowledge loss without people. There is a need for IA to provide inputs on controls for IT projects right at the start. If there are no audit findings, it is possible for IA to issue a clean audit report. IA should gradually take on a more advisory role for the business.


Annual Conference and Global Internal Audit Leadership Summit 2017 (26 Oct)

Opening Address by Guest of Honour (Professor Tan Cheng Han). (SGX RegCo) Singapore Exchange Limited (SGX) has moved to a disclosure-based regime for markets for regulators. Shareholders are active and can ask questions of the management or try to get rid of a few directors. There is a need to listen to businesses nowadays when trying to propose new regulations. We have moved from a prescriptive to a more principle-based form of regulation. Nowadays, we listen to market participants and seek their inputs. We live in an uncertain world. Lawyers should facilitate transactions and not simply keep telling people what they cannot do. They should guide people to be able to make decisions within the legal framework. In this way, it is similar to what Internal Audit does. As an auditor, it is important to stand your ground and do the right thing, all the time.

Transforming Internal Audit. (AIG) It is important for IA to be clear about their role. Internal Auditors should read the ‘Common Body of Knowledge’ by IIA and also the ‘Global Trends of 2030’. Our job is to find things and to help management see things that they have not been able to see (i.e. provide assurance). Many companies, like IBM, GE and Rakuten, have evolved over the years in order to stay alive. Some might have to abandon their traditional model just to keep afloat. IA can also read ‘The Fourth Industrial Revolution’. Internal auditors should all get the Certified Internal Auditor certificate and show that they belong to a professional body with high standards. We all need to comply with IIA standards. The current IA role is shifting from one of assurance to also one of advice and insight. Some of the more recent trends in internal audit include performing data analytics on the whole population. Combined assurance is also one of the up-and-coming trends in Internal Audit.

In Conversation with an Audit Committee Chairman. (SIA, DKSH) The IA team in PwC has grown tremendously since its inception. The role of IA is to provide an independent assurance on governance and risk management. Is the level of risk management adequate for the business? IA should also get inputs from management on their performance. One factor to judge the CAE on is whether the audit plan is incomplete and what the status of the plan vs the execution is. One option is to conduct a 360-degree feedback exercise. A CAE’s pay package should be established by the remuneration committee and with inputs from the audit committee. The bonus paid is relevant to the company’s profits and individual performance. IA is a business partner and must not be seen as competing/slowing down the business. There is a need for internal auditors to retain a strong ethical and moral compass when discharging their duties. If you feel you are being mistreated by management, do highlight this fact to the Audit Committee. In cases of disagreement with management, it is important to highlight to the AC what your position is. It may be wise for audit partners to resign from the audits where there is serious disagreement with management. Before joining an organization, it is important to try and assess its culture and whether the culture is ethical etc. The CAE must be outgoing and interact seamlessly with other stakeholders. He must demonstrate leadership potential etc. One way to assess that is through conducting reference checks on his background etc. It is not necessary for internal auditors to have accounting backgrounds. However, it is difficult to be a CEO without a finance/accounting background. In general, having a diverse IA team is important. As the chairman of the AC, it is important to do preparatory work and also to meet the IA informally a few times a year.
For young auditors, it is important to spend on your own career development and set 3-year career plans on what you want to achieve etc.

Innovative and Agile Internal Auditing at Google. (Google) In Google, the employees practice moonshot or 10x thinking and they try their best to think differently. Waymo is their project on self-driving cars. They have many interesting projects like Calico, CapitalG, DeepMind, GV, Jigsaw, Nest, Sidewalk Labs, Verily, Waymo, X etc. Google was incorporated in 1998 by Sergey and Larry. Read the Founders’ letter to get an insight into some of Google’s core values. Also, on their website, there is a hilarious list of ‘10 Things we know to be true’. Their IA also has to fit in with the culture at Google and they are moving away from SOX compliance to other forms of combined assurance. An intense level of collaboration is expected at Google. They use many syncs, tools and techniques to get their work done. The stakeholders are usually understanding and it is not difficult for IA to receive information. Also, the IA team uses software so that the client can see the IA reports at any time and there is also a live QnA that happens every Friday. The software enables the IA team to view the project status live and also to view audit working papers. Audit findings are tracked using software. As for hiring, Google looks for collaborative people. As for other skills, Google looks out for cognitive abilities, role knowledge, leadership and Googleyness. The top-down approach doesn’t always work and Google tends to empower employees instead. Due to the speed of change, the IA team only develops a 6-month rolling audit plan and revises it accordingly due to the changing level of risks.

Auditing Big Data. (New York State Office) In the New York auditors’ office, the IA role has been expanded to include both artificial intelligence and data analytics. Big data makes decision making easier and faster. Avoid rolling out apps when not many have access to the network. The greatest opportunities will come at a risk. You have to get comfortable with being uncomfortable. There is a need for big data and technical skillsets. Big data is large, complex and covers many complex data sets. There is a trend of lower cost of data storage. Despite this, data tags will help in the data retrieval. Big data has really helped the audit team in NY to improve the audit efficiency and effectiveness. There are mainly 4 risks associated with Big Data: 1) program governance; 2) tech availability and performance; 3) security and privacy; 4) data quality, management and reporting. When using big data, it is important to ensure that there is no invasion of privacy and that it is legal to collect and use any particular form of data. It’s a massive leap to fully integrate big data and analytics. The auditors analyze social media like Craigslist to detect unlicensed car repair workshops etc. The team also builds AI when it is not available.

Geopolitical Risks – What does it mean to Organizations and Internal Audit? (Focus Strategic Group Inc) Internal Auditors need to understand global and regional trends facing them. There are many geopolitical risks in this world and these threats can lead to supply chain disruptions. There is a massive distribution of wealth problem in this world. Some of the major events that have impacted the world are the Israel/Palestine conflict, war in Syria, Greece debt, Brexit, appointment of Trump, Spain/Catalonia separation. There is an increasing trend of protectionism for major economies and these countries are also against immigration. Trump is against the North American Treaty agreements, the TPP etc. In this world, there is only the certainty of uncertainty. People fight over many things, like land, resources, religion, perceived inequalities etc. China is also striving for more economic co-operation and wants to be the next Superpower via their One Belt One Road programme. They are also looking at how to harvest resources in the Arctic Circle. China started the Asian Infrastructure Investment Bank (AIIB) and there are currently 57 countries on board with them. This bank can help provide funding for major infrastructure projects. The 3 prominent tech companies in China are Baidu, Alibaba, Tencent etc. In IA, we need to ask ourselves whether our organizations are secure. There is also a frequent need to check asset risks, read up on the latest news and check countries’ sovereign ratings. It is also possible to buy insurance to cover losses arising from geopolitical risks.

Panel Discussion: Transforming Internal Audit. (VISA, GIC, Google, SIA) There is a need for internal auditors to develop a more diverse set of skills especially in this world of digitalization. IA can be the change agent and also shape the company’s culture. For listed companies, IA can check compliance with the listing rules with methodology. The modern IA role is beyond compliance and more towards advisory. There may be a need for IA to revamp its methodology and include the need for analytics. IA needs to be proactive, adaptable and diligent. As auditors, we need good communication and networking skills and have the willingness to do things better. There is a need to use CAATs like Qlikview, SQL, Tableau to improve data analytics skills. There is a need for executive support before a data analytics programme can be rolled out successfully. One should start with the small DA projects with ROIs in order to show to management that it can work. An advanced maturity of data analytics would include things like predictive/behavior analytics and robotic process reengineering/augmented intelligence. Wherever possible, it would be good for IA to be able to automate its processes. IA can perform the prediction and look through the red flags. It is important to have good mentors who will grow and support you in your relationship. Auditors need to be curious and learn continuously. Company culture can be assessed via analytics and by conducting employee opinion surveys.


Astrophysics for People in a Hurry by Neil deGrasse Tyson (Part 2)

The Cosmos on the Table. How did the Earth’s crust acquire the materials? The answer is astronomical. Only 3 elements were natural in the big bang process. The table is a cultural icon for humanity. The periodic table is very interesting indeed as each element has different characteristics. Hydrogen has only one proton in its nucleus, and is the lightest and simplest element. It also forms the core of Jupiter. In the sun, hydrogen collides to form helium. Helium is not as combustible in nature as hydrogen. It is the second most common element in our Universe. On average, it is about 10% of all atoms. It has 92% of hydrogen’s buoyancy, but without its explosive characteristics. Lithium has 3 protons in its nucleus, and was made in the big bang. Carbon is found in all kinds of molecules and is very abundant. This is the basis of chemistry and all diversity of life. Is it possible to have life forms based on silicon? Sodium is a common glowing gas in street lamps. Aluminium occupies 10% of the Earth’s crust. Titanium is twice as strong as aluminium. It is mostly used for military aircraft etc. The number of oxygen atoms exceeds that of carbon. Excess oxygen might bond with titanium to form titanium oxide etc. Iron is one of the most important elements in our universe. It has 26 protons. Gallium is a soft metal that has a low melting point. Technetium is radioactive in nature and is artificial. The book features other interesting metals, like osmium and iridium. It is very dense indeed. Most atoms actually come from Greek names, like Phosphorus, Selenium etc. Ceres and Pallas are asteroids found in the asteroid belt. Uranium is a radioactive element named after Uranus. Neptunium was named after Neptune in 1940. Pluto was eventually dismissed as a planet. Plutonium is named after Pluto and was used by the US to bomb Japan in WWII.

On Being Round. Most objects are spherical in nature. It is affected by surface tension. Due to gravity pulling at every area, the Earth is largely spherical in shape as the mountains are very low compared to how big the Earth is. Olympus Mons on Mars is 65,000 feet tall and 300 miles wide at its base. The weaker the gravity on an object, the taller the mountains can form. Non-spherical shapes on Phobos and Deimos form because of the low surface gravity. Stars are near-perfect gaseous spheres. However, if one is too close to a massive star, some material can be stripped away. Our Milky Way galaxy is more flat than spherical. It used to be spherical, but collapsed at its poles as it spun faster and faster. The Milky Way is neither collapsing nor expanding. It is a gravitationally mature system. Saturn looks like a hamburger and is flattened because of its fast rotating speed. A pulsar is like squeezing the mass of a Sun into a ball the size of Manhattan. The pulsars are the most perfect spheres due to their huge mass and small space. Different galaxy clusters have different shapes and there are no fixed shapes. The entire observable Universe seems like a massive sphere as it is receding in every direction we look. However, as the Universe is expanding faster than the speed of light, there will be some galaxies whose light will not reach us and we will know nothing about them.

Invisible Light. Not all light is visible. There are 7 different colours to the visible spectrum. Different colours have different temperatures. Herschel was the first man to discover infra-red light. UV light was also discovered soon after. From low energy and low frequency to high energy and high frequency, the order is radio waves, microwaves, infrared, ROYGBIV, ultraviolet, X-rays, and gamma rays. There are countless applications for such different spectra of light. Eventually, we built telescopes to detect parts of the EM spectrum. The Universe is actually sending light that our eyes cannot see and we would be dumb not to see it. Even long after supernovas explode, infrared and radio waves get emitted. There need to be different mirrors and detectors to detect all light bands. Radio telescopes are extremely large. China has built the world’s largest radio telescope, ranging over 30 football fields large. Humans also developed interferometers. We have 66 large antennas of ALMA to detect microwaves. There are high frequency, high-energy gamma rays with wavelengths measured in picometres. They are measured using a scintillator and we can pump out electrically charged particles that collide with gamma rays and produce light. There were frequent flashes of gamma rays near the Earth which could not be explained. Radio telescopes can detect gas among stars in the galaxies. The different types of light can tell us so much about star formations etc.

Between the Planets. There are plenty of chunky rocks, pebbles, charged particles in between planets. A lot of the small meteors burn up in our Earth’s atmosphere. This helps to protect Earth from such impact. Long ago, a lot of debris hit the Earth, causing our hot and molten core. A lot of junk led to the formation of the moon. Many of the other planets like Mercury, Mars received bombardments, as per the craters in the ground. When a meteor strikes, the impact can cause rocks to emerge up as well. Some of the Moon’s rocks also hit our surface. The asteroid belt is between Mars and Jupiter. Some of the asteroids are really large and might destabilize the Earth if they hit the Earth. The Kuiper belt is located after Neptune. Halley’s comet is from this belt. There are some comets between our solar system and the nearest star. These are known as the Oort cloud. The magnetic force on Jupiter is simply tremendous. Some of the planets’ moons are really interesting to study. Io is tidally locked and interacts with other moons. It is the most volcanically active place in our solar system. Pluto and Charon have tidally locked each other. Moons are named after Greek personalities. The sun releases solar wind, which is a release of material from its surface at a rate of a million tons per second. This causes the beautiful aurora on Earth. Jupiter is our big gravitational shield from comets as it helps to deflect them away. We also exploit their gravitational field when we launch probes to space.

Exoplanet Earth. There are plenty of beautiful things on Earth. You could probably observe many structures from up in space. Natural scenery and hurricanes, volcanic eruptions should be visible. Earth is just a pale blue dot from Neptune, 3 billion miles away. Earth appears blue due to two-thirds being covered by water. Once there is liquid water, there will be a stable pressure and temperature. Aliens can notice our weather patterns and even see our polar ice caps. The nearest star is Alpha Centauri, nearly 4 light years away and often visible at night. As Earth is not bright, it will be hard to detect via visible light. However, if you notice a star jiggle, it could mean that an object/planet has just orbited around it. The Kepler telescope is meant to detect other Earth-like planets. It detects stars whose total brightness drops slightly and at regular intervals. From this, it can detect multi-planet star systems. Aliens might be able to detect the multiple radio waves that we emit. Light, throughout the Universe, behaves in the same way. Hence, it can be detected through a spectrometer. Methane is a molecule which indicates livestock. The aliens’ best bet would be to detect oxygen in our atmosphere. Oxygen bonds readily with other atoms. We have discovered more than 3000 exoplanets.

Latest estimates, extrapolating from the current catalogs, suggest as many as 40 billion Earth-like planets in the Milky Way alone. Those are the planets our descendants might want to visit someday, by choice, if not by necessity. – Neil deGrasse Tyson

Reflections on the Cosmic Perspective. Learn to enjoy the pleasure of intellectual pursuits. Despite all the cosmic wonder, there are still horrible things happening on Earth. Some people are also selfish and do not help others. The world is big, but so should our hearts and minds be. Some adults feel that the world revolves around them and are very self-centered. People hold an expanded view of the cosmos. Humans experience a sense of smallness and insignificance after watching a show where they see Earth in the grand scheme of the Universe. However, I feel large and important. Human beings are not the most important thing in the Universe. Powerful forces make us susceptible. We are all part of this stream of human consciousness. The air and water you consume might have come from ages ago. We are largely made from the same atoms as when the Universe was formed. They are hydrogen, oxygen, carbon and nitrogen. We have to remain open to the concept of multiverses. The cosmos are humble, spiritual etc. They allow us to be more open to knowledge and to accept new ideas. There is no air in space, but yet we can admire its beauty from afar. Astronomy is good because it makes us more curious, and hungrier for knowledge.

Of all the sciences cultivated by mankind, Astronomy is acknowledged to be, and undoubtedly is, the most sublime, the most interesting, and the most useful. For, by knowledge derived from this science, not only the bulk of the Earth is discovered…; but our very faculties are enlarged with the grandeur of the ideas it conveys, our minds exalted above low contracted prejudices. – James Ferguson

Time to get cosmic. There are more stars in the Universe than grains of sand on any beach, more stars than seconds have passed since Earth formed, more stars than words and sounds ever uttered by all the humans who ever lived. – Neil deGrasse Tyson

The End!

Astrophysics for People in a Hurry by Neil deGrasse Tyson (Part 1)

Preface. The public has become more interested in science. In addition, science fiction films help to generate even more interest. Astrophysics has always been on people’s minds. This book summarizes the major ideas and discoveries.

‘The Universe is under no obligation to make sense to you.’ – Neil deGrasse Tyson

The Greatest Story Ever Told. Almost 14 billion years ago, the Big Bang occurred and matter and energy expanded. Scientists have worked to try to combine the understanding of the general theory of relativity with quantum gravity. Max Planck is the father of quantum mechanics. Currently, we have no known laws of physics to predict the behavior of the universe over time. The Universe split into the electroweak and the strong nuclear forces. The electroweak forces split into the EM and weak nuclear forces. All this happened in less than a trillionth of a second. Photons can convert their energy into matter-antimatter particle pairs under intense energy. After the interaction of electroweak forces, the universe was a soup of quarks, leptons, antimatter siblings etc. The photon belongs to the boson family. The electron and neutrinos belong to leptons. There are 6 different types of quarks (up and down, strange and charmed, top and bottom). Quarks have fractional charges that come in thirds. Now, a millionth of a second has passed. New heavy particles called hadrons started to form. Now, protons and neutrons started to form. The LHC attempts to collide hadrons to create larger particles. Matter and anti-matter will annihilate one another, but one single hadron will survive. Electrons annihilate with positrons, and only 1 electron out of a billion survives. Eventually, elements like helium, deuterium and tritium are formed. Below 3000K, electrons stop combining with nuclei. For the first billion years, our universe expands and cools, while galaxies are formed. More than a hundred billion of them are formed, each containing billions of stars. Some stars explode. Our Sun is simply an undistinguished star. Wayward debris would orbit and form large bodies. These formed planets and the matter would start to cool. Earth is in a Goldilocks zone where oceans are in liquid forms.
The early organisms on Earth were simple anaerobic bacteria, which excrete oxygen as their by-product. Ozone was also formed and this protected us from the Sun’s UV photons. We are thankful for the existence of carbon and the various simple/complex molecules. However, often, there are asteroids that hit Earth and cause havoc to our ecosystem. There was one which made dinosaurs extinct. Did our Universe just pop into existence from nothing? The Universe will continue to evolve.

We are stardust brought to life, then empowered by the Universe to figure itself out – and we have only just begun. – Neil deGrasse Tyson

On Earth as in the Heavens. Some of the religious people criticized Newton when he discovered gravity. The 19th century was a time of invention. The Sun contained a lot of similar elements as Earth. Helium was discovered too. Do the laws of physics apply to the whole Universe? We sent out the Pioneer 10 and 11 and the Voyager 1 and 2 in the 1970s to look for outside life. All these spacecraft used gravity assists to escape the solar system. It is not clear whether aliens would understand them. The Big G is the constant of gravitation. Our Universe is indeed very uniform. The speed of light is one of the most famous constants. It is simply a law of physics. It is not time or location dependent. The conservation laws of mass and energy, linear and angular momentum and electric charge are all very important. Most of the gravity in the Universe is in the form of dark matter, which is difficult to detect. Should Newton’s law of gravity be adjusted to account for dark matter? Einstein’s theory of relativity builds on Newton’s law of gravity as it applies to objects of extremely high mass like black holes. The Universality of physical laws makes the cosmos very appealing.

Let There Be Light. The cosmos expanded rapidly after the Big Bang. Cosmic background radiation can still be detected. Photons can lose energy and form infrared photons, sliding down the spectrum. When something glows, it emits light in the full spectrum, but there will be a noticeable peak. Cosmic background radiation (CMR) was already predicted in the 1940s. In 1948, scientists predicted what the temperature of the cosmic background should be. Their answer was unerringly accurate. The first cosmic microwave background (CMB) was observed in 1964. They developed an antenna to detect microwaves. There was a constant leftover signal in their measurements. The signal came from every direction in the sky. When we look out into space, we are looking back in time as light takes time to travel. Depending on the time that the photons scattered off electrons, a different colour profile would be registered. The CMB will have spots that are slightly hotter or cooler. Analyzing the CMB will enable you to determine how quickly matter accumulated etc. Dark matter has gravity but does not interact with light. It forces the Universe to expand faster.

Between the Galaxies. There are over a hundred billion of them. How much void is there in space? Our galaxy is the Milky Way. The nearest one to us is over 180,000 light years away. The nearest one which is larger than ours is the Great Nebula in Andromeda, over 2 million light years away. Our detectors have enabled us to detect many more objects. Dwarf galaxies contain only up to a million stars, and they are hard to detect. They are also dim. Often, these dwarf galaxies may get eaten up by the main galaxy. Galaxies can collide and clusters will be formed. There is also the possibility of homeless stars, which are not in any galaxy. Supernovas have been found exploding away from their host galaxies. Supernovas are stars which have increased their luminosity over a billion fold. There is also intra-cluster gas that is so hot and can form stars. Quasars are super-luminous galaxy cores and are extremely distant. These are fascinating due to their huge mass. There are hydrogen clouds everywhere in the Universe. This light also passes through huge sources of gravity. Light that appears to us might have experienced curvature due to gravity etc. There are plenty of cosmic rays in the Universe, which are horrible, and move almost at the speed of light. There are plenty of particle collisions in intergalactic space.

Dark Matter. Gravity is difficult to understand. It has the ability to warp space-time at a distance. For example, light rays bend as they pass by a massive object. The bulk of the gravity in the Universe cannot be explained. Fritz Zwicky analysed this problem in 1937. He noticed some galaxies had a very high average velocity. However, it does not account for the speeds measured. Newton’s laws show that it is possible to achieve an orbital speed to escape the clutches of gravity. Other galaxy clusters also reveal this same problem. This supports the existence of ‘dark matter’ in the Universe. Cosmic dark matter seems to have at least 6 times the gravity of visible matter. It is not matter that happens to be under-luminous or non-luminous. It turns out that dark matter and nuclear fusion do not mix. Dark matter does not seem to do very much. Dark matter only comes into play for large bodies, like the motion of stars around the centre of the galaxy. It seems to be well spread across the Universe. The Universe is expanding, but gravity wants to make things coagulate. We do not know what dark matter is, just that we know that it is real. Skeptics tend to slam dark matter’s existence. Dark matter is real, as it has been deduced from its effects on visible matter. We are trying our best to detect the presence of dark matter. Right now, we just have to be happy with our understanding of dark matter.

Either dark matter particles must wait for us to discover and to control a new force or class of forces through which their particles interact, or else dark matter particles interact via normal forces, but with staggering weakness. – Neil deGrasse Tyson

What we know is that the matter we have come to love in the Universe – the stuff of stars, planets, and life – is only a light frosting on the cosmic cake, modest buoys afloat in a vast cosmic ocean of something that looks like nothing. – Neil deGrasse Tyson

Dark Energy. Einstein perfected the thought experiments in his head and was very successful. His theories withstood the test of time. The general theory of relativity (GR) was published in 1916. Everything in the Universe moves under the influence of gravity. In 2016, gravitational waves were discovered, as was predicted by Einstein 100 years ago. These are created from major events, like the collision of 2 black holes. They first arose almost 1.3 billion years ago, during a collision of 2 black holes. In the 16th century, it was a heliocentric model. However, in truth, the planets revolve around the star in ellipses. There was a cosmological constant in his equations of gravity. In his equations, the universe neither expands nor contracts. The masses move along straight-line geodesics. The Universe is never static. The cosmological constant was a big blunder as it was proven that the Universe was still expanding. There are ways to measure the distance from a supernova, for example, from its decreasing luminosity over time. Hubble telescope shows that distant objects race away from us further than nearby ones. Dark energy was present, but scientists could not explain it. Dark energy comprises 68% of all mass-energy, dark matter only 27% and regular matter only 5%. The predicted shape for the Universe would be a one-way saddle. There is simply not enough mass to explain the Universe’s expansion. This was when dark matter came about. Dark energy helped to raise the mass of ordinary energy and dark matter to the mass-energy density. Dark energy helped to reconcile the differences. These could be simply virtual particles in a vacuum, which can’t be measured. It turns out that there was a place for lambda in Einstein’s equations. Do we need an alternative to GR? The repulsive forces are present in the vacuum, and will grow ever more with increasing vacuum. The fabric of the Universe can carry material faster than the speed of light.
In a trillion years, you might not know other galaxies existed. As a result of dark energy, future generations will not understand our Universe. What else should we be looking for?

GR regards gravity as the response of a mass to the local curvature of space and time caused by some other mass or field of energy. – Neil deGrasse Tyson

Matter tells space how to curve; space tells matter how to move. – John Archibald Wheeler

Keep a lookout for Part 2! 🙂


IIA Magazine Jun 2016 issue

A toxic culture is present when your work negatively affects your health – physically and emotionally. An example of such could be a change in management or management through fear and intimidation. The two options are to leave or to name the problem and discuss to make it better. Payroll should have continuous checks and balances. It is not good to report risks on an ad-hoc basis. Talent issues and development need to be addressed. There is a strong need to fight corruption. However, whistle-blowing hotlines might be underutilized, as employees fear retaliation after reporting. There are some companies which do not trust enterprise cloud deployments still.

The Fire Drill. Auditors can learn to deliver a focused message that results in management action. Effective planning of our work is the key. For instance, we can look at past audit findings. Next, one should compensate with competence, meaning backing up observation with data and experience. Sell with the passion of a champion. Findings should be sold to address a control weakness that is causing an unacceptable risk. One needs to communicate the big risks well. In the end, we need to deliver a focused message that can result in management action.

The Tech-Savvy Auditor. Effective use of audit technology can enable audit departments to provide valuable insights. Most IA staff are not familiar with IT or have weak IT backgrounds. This is not acceptable. Technology can lead to a more efficient audit and also might cut fraud losses. There is a need to improve the audit software. There should be a data analytics centre in-house. There is a need to review software usage.

Integrating Key Risks and Performance Indicators. IA can leverage its risk knowledge to improve operational performance and reduce risk exposures. IA can provide assurance on the achievement of objectives. IA can encourage the formalization of KPIs and KRIs. KRIs can serve as an early signal of increasing risk exposure. There needs to be a formal project charter. There needs to be a KPI framework with proper planning, reporting, monitoring etc. The key metrics need to be identified and a dashboard can help to present the results graphically. The KRI should be closely linked to the KPI.

Toxic Leaders, Toxic Culture. IA can identify unhealthy behaviors that may undermine the organization. Culture will affect an organization’s success. Therefore, identifying the toxic leader is important. Toxic leaders want power and control. These tend to be autocratic leaders. They could have a strong sense of entitlement and focus on themselves and not the organization. Exerting power through fear can undermine morale. They do not like to be challenged and seek to manipulate others. Closed-minded leaders think of ‘My way or the highway’. There is no need to confront the toxic leader. IA can refer the person to compliance or legal counsel. One can use behavioural psychology to analyse. For a more objective method, one can look at the reasons for turnover and examine turnover rates. One can also look at employee engagement survey results. One needs to use experience and facts as much as possible.

Analytics and the small audit department. No matter the size of an audit function, analytics can be implemented for big gains. How to go about using analytics? Some simple ones to consider are benchmarking, variance analysis, ROA, turnover etc. The analytics must have goals and performance measures. Selecting the right data source is the key and there is a need to verify the accuracy of the source. Brainstorming can help to identify key data. It is crucial to have a plan that will allow IA to continue to improve its analytics capability. It is important to attain small wins in analytics.

Business Risk. Keynote speakers for this year’s IIA International Conference identify emerging risks facing organizations. Cyber risk is at the top of the priority list for many. Ransomware is a big threat to hospitals nowadays. Other threats include politics, the economy and terrorism. Social media risks sometimes aren’t within an organization’s control. Auditors should use corporate culture to work in their favour. An organization must monitor the external environment closely. There should be a common understanding of what the risk appetite and risk cultures are. Audit needs to adjust fast and invest continually in education. IA now also needs to learn to be innovative.

An Anti-corruption Check-up. Capability maturity models can help organizations assess the effectiveness of their anti-corruption programs. This model was developed at Carnegie Mellon University. One can use the model to identify strengths and weaknesses. There are basically 4 levels of maturity. There are 7 components that form the basis of the anti-corruption maturity model. There is a need to tally the scorecard too.

Craft Our Role. IA should create the role for themselves that is best for both the organization and their own personal development. IA needs to be ingenious, use creativity and resourcefulness when developing their role. Do not limit the scope to be too small. It is important to be familiar with the business in order to value add properly. The control environment needs to be evaluated properly. One can develop business acumen. It is crucial to ask the right questions. IA should network more with the other departments to build rapport and also to get a feel about the management style in the department. Learn to practise combined assurance. One can work with another dept for a joint review. This is the way to maximize external resources.

Fraud and related-party transactions. IA can identify red flags and reduce the risk and impact of related-party fraud. IA needs to be able to recognize related-party fraud risks. Providing loans at below market rates is a red flag. Failing to disclose the related-party nature of the loan is a red flag. IA should try to identify related party transactions. Try to identify whether employees have links to companies that transact with the organization itself. It is also possible to compare cost variations among vendors to see how they differ from the average cost. The organization should not pay costs significantly above market prices.

Communicating Results. Sharing audit observations is one of the most important tasks auditors perform. Communicating properly can help enhance rapport. Make sure the observations are correct and are not challenged by management. Plan the timing of issue dissemination, which is as soon as possible. Try not to surprise management at the end of the audit. Write clearly. Exercise diplomacy.

‘One of the quickest ways to lose management’s respect is to make it clear that IA does not understand what it has been auditing. The answer is to take the time to learn the business, processes, and risk associated with the audited area.’

Care and Feeding of The Company’s Culture. How can IA help to ensure a healthy organizational culture? Auditing culture is certainly worth examining. Healthy organizations should have guidance on norms and expectations and a healthy tone at the top. Transparency is important. Management should think long term and have a sound strategy. Ask yourself whether the root cause is behavioural or cultural in nature. The problem with culture is that it is not clear cut and might be hard to evaluate. Those who are toxic in nature might be held accountable and be responsible.


 

IIA Magazine Feb 2017 issue


Internal Auditors need to provide maximum return on investment and audit the right things. They need to understand the company’s strategic mission, objectives and KPIs. More auditors need to base their work on the International Standards for the Professional Practice of Internal Auditing.

The 5 emerging threats are (i) global economic uncertainty; (ii) increased regulatory burden; (iii) significant industry changes; (iv) business model disruption; (v) cybersecurity threats. Global economic uncertainty seems to be a bigger risk in 2017 as compared to previous years. In the compliance space, with the new US administration, enforcement areas could see some change. Trump could change the legislative, regulatory and executive actions under Obama’s reign.

Although most companies feel that they could detect a sophisticated cyberattack, many of them do not have an adequate communication strategy in the event of a significant attack. Also, some of the BCP might be lacking. The continuous monitoring of cyberattacks is also a challenge.

Data Mining. By leveraging data, internal auditors can address issues beyond the reach of traditional analysis techniques. It involves making use of data which had previously no formulated relationships, patterns. Artificial intelligence, machine learning, statistics and database systems all come into play. Some of the techniques auditors can use are predictive modeling (IF), data segmentation (data clustering), neural networks (artificial intelligence), link analysis (links between records), deviation detection (red flags). The use of email mining can identify red flags in fraud etc. Social network analysis is also possible. IA should continue to look for ways to innovate their audit testing.

Intelligent Assessments. Use cognitive technology to help identify high-risk areas. These are intelligent computer systems that can aid in the performance of risk assessments. For instance, this tool can extract and analyze text from audit reports and analyze trends and high-risk areas. Natural language processing (NLP) has the power to tap into every sentence of every report to churn out more information. The machine will convert text to a certain structure and add meaning to the text and teach the computer to understand audit concepts. Words like ‘fraud’, ‘finding’, ‘auditee’ can be flagged out.

Turning Up the Heat on Fraud. A fraud risk assessment can help auditors take the organization’s ethical temperature. There are many ways to do it, example, through surveys, focus groups, workshops etc. The focus is mainly on fraud risk. It works best in small brainstorming sessions with operational management. Using the ACFE’s Fraud Risk Assessment Tool can be useful as it provides a structured approach. Risk assessment is about identifying where fraud might occur and the potential perpetrators. IA can do surveys to measure the ethical climate and voting can be anonymous. The results of the survey can be discussed with management. If there are high risk areas with fraud risks, IA can pay more attention to them.

The Accidental Discovery. Small or remote locations can be more susceptible to embezzlement, especially when they are not audited regularly. Confront someone after the facts have been reviewed. Look at the big picture. Controls that aren’t operating effectively are as good as them not being there.

Auditing what matters. Add value by selecting audits that contribute to achievement of strategic objectives. Auditors now should start looking at this area. Look at where the company spends the most money, what their main programmes are etc. Find out who is responsible for the strategy and make them IA’s stakeholders. Traditional audit activities can move towards strategy too. IA should use the COSO ERM framework in its entirety. The aim is for IA to be a strategic partner to management. Don’t fear failure and find out more from the auditee by talking to them. The trick is to engage with process owners early and evaluate control design. IA should do the following: (i) Identify and define the risks; (ii) rate the risks; (iii) address risks in detail. Getting management buy-in is also important. The CAE must convince the AC to highlight the need for a strategic approach. Most IAs want to be a trusted advisor.

Core Principles and the QAIP. The new IPPF in 2015 can be incorporated into the QAIP to show that the IA is aligned with the mandatory IPPF elements. Learn to develop a concept and approach that is easy to understand. Core principles are a mandatory element of the IPPF. IA need to have general conformance with the Code of Ethics and Standards. The 5 steps are (i) establish a maturity framework (ineffective, partially effective, effective, sustainable, world class); (ii) map core principles with the standards and code of ethics; (iii) Define characteristics of maturity in 3 aspects of standards and QAIP characteristics, infrastructure and process characteristics, core principles and specific characteristics; (iv) perform internal and external assessment consistent with requirements of QAIP; (v) Evaluate and report maturity levels for core principles.

Champion of Trust. By modelling high standards of ethical behaviour, IA can help shore up faith in the organizations they serve. How can IA be a trusted advisor that is well respected? One way is via ethical commitment. IA needs to model ethical conduct in everything they do. IA must have the courage to sound off before things get in trouble. Ethical commitment is the key to a well-functioning IA. Ethics should come naturally to all. We also need to build ethical resilience (integrity, courage, honesty, accountability, trustworthiness).

Infusing IT Auditing into Engagements via a three-phase approach. The tech sector is growing at a rapid rate. Internal auditors also need to develop IT-related capabilities. IA needs to think about the future of integrated auditing. For a start, IA can incorporate IT perspectives into current audit engagements. This can involve documenting down what are the IT automated controls. One can also read IT policies or those on change management. One should also identify resources and pinpoint where they are stored (example: servers). Map core IT resources and data to key business objectives. Respond to IT risks and identify audit objectives that can add value. An integrated audit can help in this. In the middle term, IA can build an IT audit team, understand the IT framework like COBIT, perform IT audits and also foster relationships with IT and management. In the long term, IA can leverage on data analytics and obtain professional certifications (like IIA and CISA).

Breaking Down The Standards. With the right strategy, practitioners can divide conformance into bite-size, easily digested portions. The standards consist of attribute standards (series 1000 to 1322) and performance standards (series 2000 to 2600). Some IA may neglect the attribute standards and focus on the performance standards instead. However, both are very important. IA should perform an assessment of how well they are conforming to the Standards. An external assessment must be conducted once every 5 years. The audit work program needs to be reviewed and approved by the CAE before engagement commencement. Ultimately, conforming and understanding the principles behind the Standards are important.

Auditing Organizational Governance. IA has an integral role to play in improving the organization’s strategic performance. This area is becoming increasingly important in recent years. Governance reviews can help prevent governance failures. Less than 1 in 6 IAs conduct reviews for their organization’s strategy. Sometimes, it might be difficult to conduct a separate governance review. Rather, it might be easier to incorporate it as part of routine audits. One can focus on both the governance structures as well as the organizational culture. Some of the soft controls can include management competence/style; mutual trust and openness; strong leadership; high performance and quality expectations; shared values and understanding; high ethical standards. However, for some of these measures, there are no hard data to analyse. Hence, it is important for IA to read the signs. IA can also provide a more advisory role, which is educating board about developments and trends in the industry and governance best practices. In terms of strategic reviews, IA has much to work on. There is a tendency to focus on weaknesses in financial reporting etc.

Good Governance is All About Quality. The 5 quality rules are (i) customer focus; (ii) management leadership; (iii) Teamwork; (iv) Measurement; (v) Total commitment to continuous improvement.


 

Anti-Money Laundering in a Nutshell by Kevin Sullivan

Awareness and Compliance for Financial Personnel and Business

Many AML personnel like to check and select a box without understanding why. You need to understand the nomenclature of AML. Understand what is causing alerts in the AML system. It is crucial to understand the Bank Secrecy Act. The major players are the financial institutions, the regulators and law enforcement. These players need to work together in a dynamic environment.

What is Money Laundering?

Laundering is a method of ‘cleaning’ the funds so that they would not appear to be suspicious. The gangsters created businesses like Laundromats so as to ‘gamble’ and to ‘wash clothes’. This was to avoid suspicion as to how the funds came about. This term has been around since the beginning of the 20th century. Why does a bad guy need to do it in the first place? If you have drivers who are paid to carry suitcases from one vehicle to another without knowing what is in the suitcase, chances are that it is hard to prosecute such people. These are known as mules. The trick is to employ the mules without them knowing what is going on. So when they get caught, they know little that they can reveal. AML is often very tactical and you may not know that it is happening. The industry is suspected to be about US $2 billion a year. In early stages, it is difficult to tell whether the source is for tax evasion, funding for terrorists etc. The aim is to ‘clean’ the source and make it appear legitimate. This could be done via ‘smoke screen’ transactions. Banks will perform due diligence on their customers, such as examining transaction timelines and transaction activity compared with similar businesses out there. There needs to be a predicate offense to initiate an AML case. The 3 stages are (1) placement; (2) layering; (3) integration. Placement is the act of taking bulk cash proceeds and bringing them to a bank. This isn’t easy. Carrying a wheelbarrow of cash isn’t a good idea. The right way is to use small denominations and use a business vehicle that is reliant on cash. However, law enforcement requires suspicious activity reports, currency transaction and cross-border declaration rules. Layering is where the launderer needs to make many small transactions. This is to prevent people from tracking him. One way is to use shell companies or move the money to other jurisdictions. Another way is to buy large value items and then sell them subsequently.
Transactions above $10,000 must be reported to the Treasury Department. FATF has created an AML template to follow. If law enforcement wants information from a bank, they will need to send a subpoena. However, this requires time and the money might have been moved away already. Integration is where the funds are assimilated into the financial system. This is hooray for the launderer. Launderers often engage in transactions which are less than $10,000 at one go. Greed is a common cause of laundering. Terrorism is a possible cause as weapons cost money. Lastly, some criminals have an unbalanced mind. Every part of the AML team is important and plays a defined role.

Money laundering is the practice of integrating the proceeds of crime into the legitimate mainstream of the financial community by concealing its origin. – Kevin Sullivan

Methods of Money Laundering. There are only 3 ways: (1) through the legitimate financial system; (2) physically moving the money; (3) physically moving goods. For the first way, structuring deposits over a period of days, with each less than $10,000, is an example. One could hire other people to make deposits through different bank branches but to the same account. This is known as ‘smurfing’. Another way could be bringing the cash off shore into a country with strong secrecy laws. Cash can be hidden in funny places and then smuggled out. Domestic wire transfers are a type of means too. Gold is a method of laundering, and so are money service businesses (US Postal Service). Common money transfers are made through Western Union, Amex etc. For MSB, customer anonymity is usually maintained. However, MSBs are required to report suspicious transactions to the Treasury Department recently. Records of wire transfers must be maintained for transactions above $3k. It is generally more difficult to track cash in a country with strong banking secrecy laws. SWIFT is the international message service that FIs use to send their messages for wire transfers. For SWIFT, you need to provide information like the International Bank Account Number (IBAN). SWIFT is the system that allows the transfer and transmits information signifying the transfer of funds. There are many fields of information required before a wire transfer can take place. Casinos are a way of laundering money. Casinos are required to file currency transaction reports. However, casinos have brushed up their AML programs in recent years. There are 3 methods of trade-based money laundering: 1) over and under-invoicing; 2) black market peso exchange (commonly used); 3) hawala (underground banking system). Hawala has no regulatory requirements and is ethnic in nature. In addition, there are no money trails available. Understand the red-flags of money laundering.
Always ask for documentation, and use authentication when dealing with third parties. Cyber banking via the Internet is getting more common. Some cyber banks do exist. However, note that they do not have deposit protection and that once the bank folds, your funds are gone. A launderer can lease ATMs to other people and they will in turn lease to others. This reduces the level of due diligence that is applied on them. Most pre-paid cards do not require identification and launderers can maintain anonymity. This is a viable way for launderers, although it is slow. Vehicles are often purchased in the integration phase of AML. It is difficult to launder money using credit cards. Laundering via purchase of real estate is getting more common. For LLC, it is difficult to determine who the beneficial owner is as an LLC can be owned by sub-LLCs, which in turn might be owned by sub-sub-LLCs. For a cash-intensive business, laundering can be easy as once the dirty money is commingled with clean money, it is difficult to trace. Life insurance products can be bought using dirty money and then cashed out prematurely. Digital currency is a big thing and can be manipulated by launderers. They are not regulated and depositors can maintain anonymity. There is a huge variety of ways in which money can be laundered. As long as there is crime, there is a need for AML personnel.
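
The structuring and ‘smurfing’ pattern described above, seen from the transaction-monitoring side, as an added example that is not from the book or from the original notes. Only the $10,000 reporting threshold comes from the text; the 5-day window, the field names and the sample deposits are assumptions constructed for illustration.

```python
"""Added example: flag sub-threshold cash deposits that add up past the CTR limit."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_000  # from the text: cash transactions exceeding $10,000 go on a CTR
WINDOW_DAYS = 5         # assumption: rolling look-back window, tuned per institution


@dataclass(frozen=True)
class CashDeposit:
    day: date
    account: str
    branch: str
    depositor: str
    amount: int  # whole dollars


@dataclass(frozen=True)
class StructuringAlert:
    account: str
    start: date
    end: date
    total: int
    deposits: int
    branches: int
    depositors: int
    pattern: str  # "smurfing" when several people or branches feed one account


def find_structuring(deposits, threshold=CTR_THRESHOLD, window_days=WINDOW_DAYS):
    """Return one alert per account: the rolling window with the largest total of
    sub-threshold cash deposits, if that total exceeds the reporting threshold."""
    by_account = defaultdict(list)
    for dep in deposits:
        if dep.amount <= threshold:  # larger deposits already produce a CTR
            by_account[dep.account].append(dep)

    alerts = []
    for account in sorted(by_account):
        items = sorted(by_account[account], key=lambda d: d.day)
        start, running, best = 0, 0, None
        for end, dep in enumerate(items):
            running += dep.amount
            # Drop deposits that fell out of the window ending on dep.day.
            while dep.day - items[start].day >= timedelta(days=window_days):
                running -= items[start].amount
                start += 1
            window = items[start:end + 1]
            if len(window) >= 2 and running > threshold:
                if best is None or running > best[0]:
                    best = (running, window)
        if best is None:
            continue
        total, window = best
        branches = len({d.branch for d in window})
        depositors = len({d.depositor for d in window})
        alerts.append(StructuringAlert(
            account=account,
            start=window[0].day,
            end=window[-1].day,
            total=total,
            deposits=len(window),
            branches=branches,
            depositors=depositors,
            pattern="smurfing" if branches > 1 or depositors > 1 else "structuring",
        ))
    return alerts


# Constructed sample data, not real transactions.
SAMPLE_DEPOSITS = [
    # Three people, three branches, one account, three consecutive days.
    CashDeposit(date(2024, 3, 1), "ACCT-A", "North", "P1", 9_500),
    CashDeposit(date(2024, 3, 2), "ACCT-A", "South", "P2", 9_000),
    CashDeposit(date(2024, 3, 3), "ACCT-A", "East", "P3", 8_700),
    # One person splitting cash at one branch a few days apart.
    CashDeposit(date(2024, 3, 1), "ACCT-B", "North", "P4", 9_900),
    CashDeposit(date(2024, 3, 4), "ACCT-B", "North", "P4", 9_800),
    # Deposits far apart, plus one large deposit that is CTR-reported anyway.
    CashDeposit(date(2024, 3, 1), "ACCT-C", "West", "P5", 4_000),
    CashDeposit(date(2024, 3, 10), "ACCT-C", "West", "P5", 12_000),
    CashDeposit(date(2024, 3, 20), "ACCT-C", "West", "P5", 5_000),
    # Small deposits whose total stays under the threshold.
    CashDeposit(date(2024, 3, 1), "ACCT-D", "West", "P6", 3_000),
    CashDeposit(date(2024, 3, 2), "ACCT-D", "West", "P6", 2_500),
]

if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_DEPOSITS):
        print(alert)
```

An alert of this kind is a prompt for review against the customer's expected activity, not a finding in itself; a cash-reliant business can trip it legitimately.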

Federal Regulations – The Laws, Rules, and Guidelines to Fight the Good Fight. We need to stop bad guys from laundering money. The Bank Secrecy Act requires FIs to keep AML programs. There are many legal tools in the fight against money laundering nowadays. Any cash transaction via an FI exceeding $10,000 must be reported on a currency transaction report (CTR). This must be filed with the FinCEN. There is also a need to maintain a suspicious activity report. If the cash or bearer instruments are brought out of the US, a report needs to be filed as well. Wire transfers are not under the CTR scope. A CTR is important in the investigation. In some countries, their limit is $15,000. For non-FIs, cash transactions more than $10,000 need to be keyed into the 8300. It is a crime under the Money Laundering Control Act to further criminal activity, conceal ownership of property etc. The Financial Crimes Enforcement Network (FinCEN) was launched in 1990. The Annunzio-Wylie Act in 1992 requires banks to complete and report a suspicious activity report (SAR). Several high-risk geographical areas were identified as ‘high-intensity financial crime areas’. The Patriot Act in 2001 gives Treasury the power to deal with US FIs for foreign AM. Enhanced due diligence for correspondent accounts that are maintained for certain foreign banks must be instituted. Banks should share information on terrorism and money laundering with one another. For KYCs, comparisons must be made with known or suspected terrorist or terrorist organizations generated by government agencies. FATCA helps combat tax evasion by US taxpayers who have assets outside the US. The next chapter will discuss how to build an AML program.

Build a Quality AML Program. Sometimes, AML falls under the Compliance Unit. FIs may hate regulators because of too much regulation. Regulators will say that there are not enough regulations and that FIs’ compliance units must be beefed up. Regulators have power to sanction your organization if you are not performing well. Once something bad happens, heads will roll. Fines can be heavy and banks should never try to cut corners. Regulators can only conduct random inspections on the bank. Law enforcement can make recommendations. An AML system needs to achieve the following: 1) prevent money laundering and terrorist financing; 2) report suspicious activity; 3) train all personnel on legal and internal procedures. Educate staff on the importance of AML. Compliance training is important and it should be on-going in nature. Internal procedures must document risk and the controls to mitigate risks. It should document due diligence checks. KYC guidelines must be established. Policies must be put in writing and cannot be documented in the head. Policies must also be approved by the board. Policies should be updated on a yearly basis and there should be documentation on what triggers alerts in transaction monitoring. An organization must have a designated compliance officer. There needs to be a process to update the regulations and the training programme must be addressed. An independent audit should be performed on the AML system. High-risk accounts must be reviewed thoroughly. All employees must be trained in AML. Training should be conducted annually. It should cover all pertinent regulations. Identify the risk, which can be customer related or issue-related risks. Risk analysis, management and risk review need to be conducted. Risks can include product risk, legal entity, business type, country risk etc. For high risk clients, increased level of due diligence and monitoring needs to be instituted.
High customer risks include foreign FIs, PEPs, foreign corporations, shell-companies etc. High product risks include trade finance, private banking, electronic funds transfer, lending etc. High geographic risks include any OFAC sanctioned country, jurisdictions of primary money-laundering concern, offshore financial centres etc.

AML is not an income-generating component of the institution. An AML unit can be quite expensive, and, in and of itself, there is no return on investment. Hence, that alone is reason for some FIs to be hesitant to invest and develop a compliance unit any more than the bare minimum. – Kevin Sullivan

KYC and Customer Identification Program. The terms can be used interchangeably. It means identifying your customer, monitoring his transactions and updating his files. These pieces of information must be reviewed too. Customer identification is the first step, followed by KYC. KYC must be done at the onset of the customer relationship. The officer needs to verify the identity of the person and maintain records of his identity. Documentation as to what type of records will suffice should be written too. Account opening documentation must be kept and maintained. Be wary of shell companies. OFAC maintains a free list of names and entities that have been sanctioned. The transaction monitoring unit will clear the alert and see if the risk can be accepted. Due diligence actually means a background investigation. Basic due diligence is needed in order to satisfy the regulations. EDD is usually needed for high-risk customers. A checklist should be used for due diligence. Evidence must be collated. Documentation is important when it comes to an investigation. KPIs should not be set on how many cases per day etc. Do not put a time clock on an investigation. Never put time limits on an AML investigation. If you outsource your DD, you should have thorough oversight of the vendor. Some banks might outsource this to third world countries. Sometimes, when there is a material change in customer information, an EDD is required. The good guy may not be able to catch the bad guy because the good guy only studies problems which are already known. Trust your gut. Cultivate an investigative mind by learning to ask why. When you sense something is not right, please ask why. Keep abreast of the latest industry developments. Make use of new sources and technology. Justify, articulate and define everything. Learn to create risk-based due diligence. It is very important to ask ‘where is the source of funds?’ Risk ratings might vary over time.
If the customer is too high risk, it is advisable not to deal with him/her. Learn to apply a risk scoring methodology. Gather intelligence sources and check against them. Obtain public records. You can even pay for certain databases. It is important to purchase good transaction monitoring software. If you clear an alert in the system, there needs to be a reason for it. Ensure that the system is not generating too many false positives. Understand your correspondent bank’s AML processes. You have to trust that they have performed the DD work. A PEP can be a senior political figure, a member of his immediate family, or a close associate. Understand some of the KYC red flags.

If you think it stinks, it probably does. You do this job every day, and you work with people who do this job every day. If for some reason the hair on the back of your neck stands up, then go with the feeling. – Kevin Sullivan

A Suspicious Activity Report (SAR) is born. Some banks file more than necessary to avoid being questioned by regulators. The FFIEC prescribes standards for supervision of financial institutions. Writing a complete SAR is very important. How do you identify what is suspicious? When should you file an SAR? Sometimes, the system can help you flag suspicious cases based on set criteria. The amount of the transaction doesn’t really matter. There are 30/60/90 filings. SARs must be reviewed before they are sent to FinCEN. There is also a narrative that must be written when the SAR is filed. Be short and brief. Don’t leave blank boxes. Use language that people can understand. The auditor will hammer you if you are supposed to file but failed to. Law enforcement will pick particular SARs of interest for further checking. Law enforcement usually needs subpoenas before it can request information. FinCEN will compile statistics of SARs. It is useful to understand trend analysis.

Tips for Law Enforcement and Financial Crimes Investigators. Profit is an essential aspect of most crimes. This chapter is dedicated to the law enforcement investigator and the FI investigation team. An individual does not need a CPA to perform an investigation. Law enforcement personnel need to have the right training to perform their role well. The compliance unit of the bank will be involved. The investigator should talk to the law enforcement agency. There are numerous regulators for the different types of FIs. FIs take regulators seriously. Law enforcement looks out for criminal activity while regulators look at whether the guidelines and standards are being adhered to. Some of the regulators are the SEC (Securities and Exchange Commission), the Federal Reserve Bank etc. Not all law enforcement agencies have access to the FinCEN portal to view SARs. SARs help provide leads for law enforcement agencies. SARs are confidential and information should not be shared around unnecessarily. You may be able to obtain KYC documents from the bank. Most of us do not think like bad guys. Once a bad guy uses a fictitious ID, it can foil your plans dramatically. Explore the internet for possible sources of new information. Use your instincts. Always learn to be suspicious. Discover the facts as best as possible. If the hair on the back of your neck stands up, it probably means something is wrong. Consider different types of hypotheses. Read publications from the Association of Certified Fraud Examiners (ACFE). Learn to invest in and develop your career. Don’t be afraid to spend money and time on educating yourself. Financial crimes are growing.

The Importance of a Global Approach to Money Laundering. Many crimes are transnational nowadays. Money laundering is an issue that affects everyone. The FATF consists of many member countries. There is also the Basel Committee on Banking Supervision. Wolfsberg helps to develop and shape guidelines for banks and regulators. The IMF has also been incorporating AML concepts into its procedures.

The New Financial Crime Model. You can contact law enforcement immediately after you file an SAR. There is an increasing trend of fraud and AML units combining and joining forces. Fraud and AML personnel should be cross-trained. However, do take note of the confidentiality requirement of the cases. 95% of all criminal activity is committed because of greed. There are various ways in which a fraud can be conducted. Please understand the red flags for AML cases.
