Principles for Auditing a Financial Crime Risk Management Programme for Effectiveness under the Wolfsberg Factors


The Wolfsberg Group (the Group) has encouraged Financial Institutions (FIs) and regulators to focus on effective outcomes in Financial Crime Risk Management (FCRM) using the Wolfsberg Factors:

  1. Complying with financial crime laws and regulations;
  2. Establishing a reasonable and risk-based set of controls to mitigate the risks of an FI being used to facilitate illicit activity;
  3. Providing highly useful information to relevant government agencies in defined priority areas.
The Group believes that Internal Audit (IA) can assist their FIs in the fight against financial crime by measuring FCRM outcomes using the Wolfsberg Factors and has developed these Principles, as a joint exercise between member banks’ second and third lines of defence, to provide FIs with a framework for such an assessment. IA, an independent function within an FI, constitutes the third line of defence and should conduct independent audits in an objective, thorough, and impartial manner in line with professional standards (e.g. Institute of Internal Auditors). IA should adopt a risk-based approach (RBA) that is informed by applicable laws and regulations and the risks identified in the FI’s risk assessment. IA plays an important role in assessing the comprehensiveness and effectiveness of the FCRM programme, validating that the programme is dynamic and covers all regulatory requirements in a thoroughly documented manner. 

IA should play an important role in confirming that an FI’s FCRM programme is focused on risk-relevant activities. IA is responsible for assessing the effectiveness of (key) controls over the FI’s activities and entities and may focus on any aspect of their operations without any restriction. Further, IA should adopt an RBA that includes internal and external requirements (e.g. local regulations may have defined requirements).

IA should assess the effectiveness of the FI’s FCRM programme, notably ensuring that policies and procedures take into account applicable rules, regulations, best practices, and guidance to foster effective operations, appropriately managed levels of risk exposure, and the relevance and sustainability of the control framework. IA should also assess the FI’s awareness of risk and provide its conclusions on compliance, leveraging its established audit methodology and expectations of professional practices. In order to fulfil its mandate, IA should conduct a periodic risk assessment to determine audit priorities for annual and/or multi-year audit plans. Following the completion of its audits, IA should issue conclusions in line with its methodology, which should include a standardised process to report, track, and escalate identified control deficiencies. Separately, IA should validate remedial actions to address control deficiencies and/or mitigation of the identified risk, including where issues have been raised by parties outside of IA (e.g. regulatory or self-identified issues).