All organisations will need to strengthen their practices, policies and documentation showing that they have properly assessed the risks of breaching the new rules. And, under the directive, internal audit teams, where necessary, must test internal policies, controls and procedures.
“Given the unique position of internal auditors to work across an organisation’s entire enterprise, they will have an important role to play in providing assurance to the board that their business is ready for the fourth directive,” Henrik Stein, ECIIA President, says. “In addition, auditors can recommend improvements to how the risk assessment is conducted so that it meets the new rigorous requirements.”
Organisations need to demonstrate and document that risk assessments are conducted and kept up to date, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. In addition, organisations will require written money laundering policies and procedures that take their business’ risk assessment into consideration.