Over a year ago we addressed the Wwft audit function in accounting firms and shared our observations on how that function is implemented in practice. This also included the SIRA. The recommendations we made at that time align closely with the observations the AFM and the BFT published in March 2024 following their thematic review.
In this article, we provide three additional recommendations for accounting firms, specifically focusing on the systematic integrity risk analysis (SIRA).
Integrity-related policies should logically follow from a risk analysis. Most parties are aware of this. Yet the risk analysis is frequently limited in scope and relies on generic, technically worded scenarios that the users of the SIRA do not recognise or understand. So where should you start? Our advice is to begin with a description of the organisation: a fact-based overview of the aspects that are relevant to integrity. For example: ‘How many customers hold a bank account in a country that is high-risk from a money laundering perspective?’ Or: ‘How many collaborations does the organisation have that could give rise to a conflict of interest?’ Such a description also provides a (data-driven) basis for estimating the gross risk, in other words for answering the question: how susceptible is the organisation to a particular risk?
We consider the discussion about risk tolerance to be one of the most valuable parts of the SIRA process. The discussion covers not only what the organisation finds unacceptable, but also which risks are inevitable or acceptable under certain conditions. For example: customers in a particular sector may be accepted, on the condition that a specialist is added to the team and the file is subject to additional quality assurance. Such a condition needs to be written into the policy, but it also has implications for the organisation’s structure, in this case the composition of the team. Quantifying risk tolerance is important but challenging. It gives the organisation insight into what is desirable and what is not, and into which indicators need to be monitored.
As the previously mentioned report by the AFM and the BFT also shows, the SIRA is often a product of the compliance and/or risk departments. This tends to result in a rather technical approach to the SIRA, with scenario descriptions that experts understand but that mean little to users. Our advice is to involve users in the risk analysis. This raises awareness of integrity risks. Involving users also makes it possible to test whether the risk scenarios are clear, whether they match practical experience, and whether the control is adequate. We recommend avoiding typical risk language. Discussions about the risk scoring model and the process from gross to net risk often distract from what the exercise should really be about: which risks have been identified, and is the control effective and efficient? Compliance and/or risk still have an important role in the SIRA process, but in our opinion that role should be limited to facilitating the SIRA, encouraging discussion, and documenting the outcomes in accordance with policy.
Our specialists have extensive experience in financial institutions as well as detailed knowledge of the SIRA and Wwft risk analyses in other types of institutions. We are happy to help you further develop the SIRA or Wwft risk analysis in a way that suits your organisation. Interested in learning more about the possibilities? Feel free to contact us without obligation.