Section 7 of the Regulation on Sound Operational Management relating to the Act on the Supervision of Trust Offices (Regeling integere bedrijfsvoering Wet toezicht trustkantoren – Rib) stipulates that trust offices must have an audit function in place. This is a new requirement. This Q&A document offers guidance for adequately organising the audit function.
Audit Function (internal)
Why should trust offices have an audit function in place?
The purpose of the audit function is to ensure that trust offices regularly check whether their organisational structure, their procedures and processes and their actions are effective. The audit function is an independent unit that is separate from the day-to-day business operations, which means that it is in a position to critically and independently assess the trust office's effectiveness.
What is the role of the audit function?
The audit function is the third line of defence in the Three Lines of Defence (3LOD) model for trust offices. The first line of defence is formed by the staff members responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis, for example the procedures for establishing a customer's or potential customer's identity. The second line of defence is the compliance function, which monitors compliance with the first-line-of-defence controls, i.e. with the trust office's internal procedures, actions and agreements as well as with statutory regulations. The third line of defence is the audit function, which is tasked with periodic assessment of the effectiveness of the trust office's organisational structure and of the procedures and measures in place.
How is the audit function organised?
The audit function has three main responsibilities:
- It assesses the effectiveness of the organisational structure;
- It assesses the effectiveness of the operational procedures and measures;
- It assesses the effectiveness of the compliance function.
Unlike the compliance function, the audit function is not involved on a day-to-day basis in the trust office's service provision and operational management. The audit function performs its duties periodically, and may opt either for one comprehensive annual audit or for multiple smaller subprocess audits spread over the year.
Embedding in the organisation: independent
It is essential that the audit function is able to carry out its assessment activities independently and free from pressure. For this reason, the audit function must be separate from both the operational business units and activities, and from the compliance function. The management board must be able to fully rely on the control functions. This means that control functions must not be responsible for the activities they are required to monitor.
The Rib stipulates that the audit function should report its findings directly to the management board. If there is an internal supervision body in place, such as a supervisory board, the audit function should report directly to the supervisory board as well.
There are various models for organising an adequate audit function. The size and positioning of the audit function depend strongly on the nature, size, risks and complexity of the trust office's activities. In some cases the audit function may be fulfilled by a single officer, in others this needs to be a separate department. Under certain conditions, the function may also be outsourced to a third party.
Outsourcing the audit function
A trust office may outsource the audit function or part of it to an external auditor. In this case too, the statutory regulations continue to apply; the trust office remains responsible for compliance with these regulations.
Outsourcing requires clear agreements about the organisation of the audit function in order to guarantee its effective performance. A trust office which engages the services of an external auditor on paper but rarely or never meets with the auditor, or does not implement the external auditor's findings and recommendations, is considered not to have an effective audit function in place and may be in breach of the Rib.
Segregation of duties
Section 7(3) of the Rib stipulates that the audit function must be an independent function. This means that a staff member responsible for performing audit activities must not perform activities that are monitored by the audit function. It is also not permitted to 'cross-organise' the audit function at board level: one management board member may not monitor the other management board member's activities and vice versa.
If the trust office outsources the compliance function to a third party, it is not permitted to engage that same third party for the audit function at the trust office. This applies equally to natural persons and legal persons with the same effective owner. A third party performing the compliance function is never permitted to perform the audit function for the same organisation at the same time, not even when these activities are carried out by different members of staff.
It is essential that the staff members carrying out the audit function possess relevant and up-to-date knowledge. Regulations, internal agreements and procedures may change in the course of time, as do the ways in which risks materialise and money laundering and terrorist financing activities develop. Auditors must have up-to-date knowledge of the developments in their field in order to adequately perform their duties.
Neither the Supervision of Trust Offices Act (Wet toezicht trustkantoren – Wtt) nor the Rib stipulates any substantial requirements for auditors. There is no compulsory qualification or certification procedure. This means that the trust office itself must carefully consider whom to engage as an auditor and why this person is suitable for this position. The trust office should take the principles described above into account.