The COSO Control Framework and AML Risk Assessment
FIBA AML Conference Miami
Alan Abel Friday February 21, 2014
© 2012 Crowe Horwath LLP 2 Audit | Tax | Advisory | Risk | Performance
The Unique Alternative to the Big Four®
The COSO* Enterprise Risk Management Framework
*Committee of the Sponsoring Organizations of the Treadway Commission on Fraudulent Financial Reporting
The COSO Risk Management Model and AML
The Treadway Commission asked the U.S. accounting profession to develop a universal framework of internal control.
Subsequently, other governments followed suit with their accounting societies.
Today, the AICPA, the International Federation of Accountants (IFAC), and 100+ other national societies have adapted it and incorporated it into their own professional authoritative and technical guidance.
The COSO model is a Rosetta Stone for understanding AML+ risk management programs of financial institutions and their integration.
Globally, regulators have mandated that financial institutions have the capability and technology tools to effectively identify and assess their risks and to respond.
Universal to all regulatory risk frameworks – Basel, U.S., and other national systems around the globe, are a set of quantitative and qualitative risks:
Quantitative (e.g.)
• Liquidity
• Interest rate
• Exchange rate
• Credit
AML risks are the Qualitative
• Legal / compliance
• Reputational
• Operational
• Strategic
Likelihood of occurrence
Expected impact
Critical risk criteria
Risk appetite and risk tolerance
Risk Appetite
• The amount of risk an entity is willing to accept in pursuit of goals and value
• Risk appetite sets the policy framework, establishes guidelines, is qualitative
• How much risk is the Board willing to accept?
• For example -- what does “Know Your Customer” mean to us? What is our policy, our guidelines? Where do we draw the line in the sand? What is our comfort level?
There is nothing inherently wrong with increasing risk – customers, third parties, products and services, geographies, distribution channels, and outsourcing processes, as long as you can demonstrate that you:
• Understand the risks that you are assuming, and
• Are willing to invest in stronger processes and controls to monitor them and manage them.
Risk appetite versus risk tolerance . . .
Risk Tolerance
• The willingness to take risk in order to achieve a pre-defined specific objective
• Operational -- more granular than risk appetite
• Interpret policy into definable, measurable, business unit specific policies and procedures. Do this in a manner that readily lends itself to risk assessment, risk response and monitoring compliance with policy.
Defining risk tolerance is management’s job – within the framework of the Board’s risk appetite.
Risk Assessment in AML in COSO context
• Enterprise wide AML risk assessment
• Customer risk assessment
Appendix: Professional Guidance
Professional Guidance in the U.S.
Authoritative
• SAS 54 – Illegal Acts
Technical (for AML)
• SAS 82 and 99 – Consideration of Fraud in a Financial Statement Audit
• SAS 78 – Consideration of Internal Control in a Financial Statement Audit
• COSO Enterprise Framework
• General and Industry Audit Risk Alerts
• Journal of Accountancy
• International Federation of Accountants and member societies
Guidance for Managing Third Party Risk*
Risk Assessment
• Alignment with strategy
• Risk/reward analysis
• Appropriate controls and oversight
Due Diligence
• Financial condition
• Experience
• Compliance history
• Reputation
• Operations and controls
Contract Structuring and Review
• Scope
• Cost/compensation
• Reports
• Audit
• Confidentiality and security
• Customer complaints
• Business resumption
• Default and termination
• Dispute resolution
• Indemnification
• Limits on liability
Oversight
• Formal roles and responsibilities
• Quality of service
• Risk management
• Financial condition
• Appropriate controls and reports
*Sound and leading practice guidance includes FDIC, OCC, and Federal Reserve bulletins and financial institution letters, FFIEC IT Examination Handbook and numerous private sector sources
Alan Abel, CPA/CFF, CFE
Director and Global AML Practice Leader
Regional Leader – Regulatory Compliance Risk
FATCA Compliance Leader
Crowe Horwath LLP
Member Crowe Horwath International
Fort Lauderdale – Miami – The Palm Beaches – San Juan
Phone: 1.202.257.9178
Link to subscribe to Crowe Insights: http://www.crowehorwath.com/member-login.aspx
Subscribe to our Risk newsletter: http://www.crowehorwath.com/emailsignup
Link to Regulatory Risk page: http://www.crowehorwath.com/services/risk/regulatory-risk.aspx
Link to AML page: http://www.crowehorwath.com/industries/financial-services/aml.aspx
Link to Technology Risk page: http://www.crowehorwath.com/services/risk/technology-risk.aspx
Link to ABA Endorsement Overview: http://www.crowehorwath.com/industries/financial-services/aba-endorsement/
Link to ABA AML Endorsement: http://www.crowehorwath.com/folio-pdf/FI8422_ABAAML_lo.pdf?terms=ABA%20Endorsement