What is the most appropriate audit observation?
Best Practice:
Financial institutions should establish an expected transaction profile for each customer and investigate transactions that significantly deviate from that profile.
Scenario:
A sole trader was onboarded with an expected monthly turnover of ₦3,000,000. In one month, the customer recorded transactions totalling ₦45,000,000. No alert was generated because the customer completed KYC at onboarding.
This situation represents a failure of which data protection principle?
Best Practice:
Organisations must clearly inform data subjects of the purpose and legal basis for processing their personal data through a privacy notice.
Scenario:
A company collects biometric data from employees for access control, but its privacy notice does not mention biometric data or the purpose for which it is processed.
How should this be classified by an auditor?
Best Practice:
Policies should not only be approved by management but also communicated and embedded into daily operations through training and awareness.
Scenario:
An organisation has an approved AML policy, but staff interviewed during the audit are unaware of its existence or procedures.
Which key control is missing?
Best Practice:
Customer risk profiling should be documented, approved, and periodically reviewed to ensure appropriate monitoring.
Scenario:
An institution identifies high-risk customers but cannot produce documentation showing how risk ratings were assigned.
What is the most appropriate audit conclusion?
Best Practice:
Politically Exposed Persons (PEPs) require enhanced due diligence due to their increased exposure to corruption and financial crime risks.
Scenario:
A customer is identified as a PEP but is assigned a “medium risk” rating with no justification.
What is the primary compliance issue?
Best Practice:
Where personal data is shared with vendors, organisations must conduct vendor due diligence and execute a Data Processing Agreement (DPA).
Scenario:
A company shares customer data with a payroll vendor but has no DPA or vendor risk assessment on file.
Which key AML control is missing?
Best Practice:
AML compliance requires continuous monitoring of customer activity, not just checks at onboarding.
Scenario:
A company performs KYC only at customer onboarding and does not review customer profiles afterward.
How should the auditor treat this information?
Best Practice:
Audit conclusions should be supported by reliable, verifiable, and independent evidence.
Scenario:
An auditor is provided with verbal assurance from staff that controls are in place, but no documentation or system evidence is available.
How should this activity be assessed?
Best Practice:
Structuring transactions to avoid reporting thresholds is a known AML red flag.
Scenario:
A customer consistently makes cash deposits just below the regulatory reporting threshold.
What is the likely consequence of this gap?
Best Practice:
A Data Protection Impact Assessment (DPIA) should be conducted for processing activities that pose high risks to data subjects.
Scenario:
An organisation deploys facial recognition technology without conducting a DPIA.
What is the most appropriate audit conclusion?
Best Practice:
Controls should be documented to enable accountability, monitoring, and auditability.
Scenario:
Management claims a control exists, but there is no documentation or evidence to support this.
You have completed the assessment. Our team will reach out to you if successful.