“Effectiveness of Internal Controls” and How Do You Document It In One Hour Because You Have a Call With Auditors…

Published by Yana on

A client called and asked me: “WTF is internal control, how is it different from compliance and how do I document that my internal control is effective quickly because I have a call with auditors in 1 hour…”

Well, Internal Controls are a sum of all your compliance, risk, and similar activities, tools, and processes that help you to meet the regulatory requirements. Effectiveness of the Internal Controls means that you (or someone else) tested and reviewed what you do and confirmed that you do what you are supposed to do and that your processes are efficient. 

Well, it’s good that I have assembled so many templates for FinTech startups so that I don’t have to reinvent the wheel and create anything from scratch. I simply referred that customer to the Annual Compliance Report Template, which is a part of the FinTech Self-Starter Package.

Here is a sneak preview of what such a report may include:

The following activities have been performed by the company during the year 2020 to assess the efficiency of the internal controls:

  • An AML-focused audit has been performed by the audit firm [PWKPEY] and established that the AML program of the company has been efficient/has been efficient with the exception of XXX;
  • company XXX and has re-certified our compliance with the applicable governance and security standards (e.g. through the PCI DSS assessment);
  • The Internal Audit team has performed the following mandates covering the areas of [AML, complaints handling, segregation of funds processes, handling of high-risk accounts…] and concluded that the respective controls have been appropriately designed and operate efficiently;
  • The compliance team has performed the following testing (insider accounts, fraud monitoring rules, vendor approval processes…) and confirmed that the first line of defense has appropriately executed their respective functions;
  • The following findings have been identified by the internal/external auditors that have been rated as high risk and require remediation to be completed by [DATE]. At the time of preparing this report, the status of these items is XX% complete/resolved.

Do you see now how it starts making sense and can work for you? 🤩
