Anti-Money Laundering regimes have long had a codified component for independent testing. While many practitioners have always followed similar protocols for Sanctions Compliance Programs, it wasn't until OFAC issued A Framework for Compliance Commitments that this was a clear regulatory expectation for Sanctions Compliance Programs ("SCP").
ICRM has long viewed the necessary Independent Testing Program ("ITP") as more than a substantive review of outcomes, e.g. review of customer files for proper documentation or resolution of transaction monitoring or sanctions filtering alerts by the third line of defense. Rather, the independent test must have, as its foundation, an assessment of risk and an evaluation of the controls to mitigate those risks. That assessment could be based on the Compliance Risk Assessment ("CPA") performed by the first or second line of defense, however, such an assessment must be independently tested for completeness and accuracy by the third line of defense.
ICRM also recognizes that while the AML and or Sanctions ITP must be comprehensive it must also be risk based. And, while all products, services, systems, and lines of business should be considered, those presenting a higher degree of risk should be assessed more frequently.
ICRM can assist you by:
Identifying and documenting risks and controls including:
Key Risk Indicators ("KRI")
Key Performance Indicators ("KPI")
Evaluating your ITP
Performing walk-thrus and documenting process flows to include:
Identification of key controls
Classification of controls as either:
Preventive
Detective
Management
Automated
Semi-automated
Manual
Develop both control and substantive test steps
Performing and documenting test steps and results
Preparing report of results