This is the fourth article in a series on the topic of Quality Considerations for Financial Crime Teams.
- Click here for the first article which set out some high-level definitions for Quality Assurance (QA) and Quality Control (QC) and how they need to work together.
- Click here for the second article which went into a little more detail about QC in the first line.
- Click here for the third article which discussed QA
The previous article touched on the topics of planning for QA and management information. This article will explore those concepts in a little more detail.
How can you have confidence that your QA team will identify issues where the financial crime risk is not being sufficiently mitigated? Proper planning and the right methodology will get you off on the right foot and measuring what the team is doing will tell you how effective it is.
1. Planning and Methodology
A big part of QA planning is agreeing with an overall approach and methodology. It should all start with your firm’s financial crime risk assessment which sets out the key financial crime inherent and residual risks for the firm and how they will be mitigated.
If it hasn’t been already, this document should be subjected to quality assurance to ensure that it is complete, realistic and sufficiently detailed.
The QA function should then plan their work to review those key risks and the controls that have been put in place to mitigate them. This can help prioritise the work, particularly where QA resources are limited.
As mentioned in the previous article, the core activity of QA is to determine whether the controls are well designed and operating effectively. It is important to establish a detailed methodology for measuring the effectiveness of controls. Many firms adopt a three-tier model for the assessment of controls. The terms and their definitions vary but the concepts usually align to:
- Effective – the control is working effectively
- Needs Improvement – the control is operating moderately effectively but some improvements could be made to better mitigate the associated risk
- Ineffective – the control is not operating effectively and the associated risk is not being appropriately mitigated.
For both Ineffective and Needs Improvement controls, the QA should include identification of actions required for the control to be effective. Most firms will classify issues as low/medium/high/critical and the methodology will usually specify a relationship between the effectiveness ratings and issue types and numbers. For example:
- If a critical issue has been identified, the control must be rated as Ineffective or
- If 2 or more medium issues have been identified, the control must be rated as Needs Improvement, otherwise, it can be rated as Effective.
The QA plan should be updated regularly, taking into account the latest QA results. It is common for the frequency of review of a control would depend on its latest effectiveness status. For example:
- An Ineffective control might be reviewed 3 – 6 months after the last assessment to ensure that the actions identified in the previous review have taken place and that the issues have been remediated.
- A control that Needs Improvement might be reviewed 6 – 12 months after the last assessment on the basis that the issues identified are not critical.
- An effective control might be reviewed every 12 – 24 months to make sure it was still effective.
2. Management Information
Management Information (MI) should be produced regularly to show the results from the ongoing QA activities. The MI should show both the results of the QA itself and information on how delivery against the QA plan is going.
The following information, at a minimum, should be presented:
- Statistics showing the effectiveness of the overall control environment and how it has changed over time.
- The results of recent QA assessments including any themes identified.
- The status of the Business’s delivery against issues and actions identified by QA.
- The status of the QA team’s delivery against the QA plan.
This information will help management understand whether the business is effectively managing the firm’s financial crime risk and whether the QA team itself is delivering against its plan.
SQA Consulting helps organisations ensure their financial crime frameworks are effective. If you would like to hear more about our work, then please Contact us at SQA Consulting.