Heinbro believes that auditing and monitoring are the twin peaks of continuity for any firm. The implementation of corporate governance standards is not an effective compliance strategy on its own. All too often, firms have standard policies and procedures, but fail to oversee its implementation, operation or measure its effectiveness.
The objective of any audit is to provide assurance to senior management on whether the current practices are compliant with the relevant law. The methodology used in conducting any audit will include, but not limited to, the following:
1. Onsite visit in order to interview department heads, senior management, compliance officers, responsible officers and review relevant documentation.
2. Review of internal control systems and procedures with reference to the relevant law or any codes and guidelines issued by the regulator;
3. Consider whether the operations are in accordance with the licensing conditions.
4. Perform sample review of internal records, which include, but not limited to, client/company files, personal trading accounts, financial resources returns, continuous professional training, operations, client agreement/mandates, distribution agreements, marketing, error reports, gifts and entertainment, internal audit reports, complaints, SFC communication, IT systems and management/board minutes; and
5. Assess exposure of (to) the companies’ cybersecurity and technology risk, with (the) particular focus on IT infrastructure and configuration, policy base, procedure and protocol, best common practice, regulatory compliance and minimization of both human and technical attack surfaces, malicious or otherwise. Key areas of assessment include ability of the network to adapt to threats, presence and relevance of defensive elements and control points, exposures related to identity and permissions,(an) effectiveness of threat intelligence capabilities and readiness to respond to systemic or targeted attacks.
Heinbro believes regulated entities should always be proactive and continually audit their compliance functions.