Management Reporting
Al Khaleej Takaful Insurance
Internal Audit Assessment for
AML/CFT
November 13, 2020
Table of Contents
1. Introduction of the Audit Team
2. Purpose & Scope
3. Internal Audit Approach and Methodology
4. Grade of the Report
5. Definition of risk level and priority classification
6. Summary of Significant matters
7. Caveats
Introduction of the Audit Team

Audit team members

Role                Name                 Designation
Reviewer            Jabran Saroia        Engagement Partner – Grant Thornton
Audit team member   Tehmur Malik         Senior Associate Advisory – Grant Thornton
Audit team member   Ankita Harish Shah   Senior Associate Advisory – Grant Thornton
Purpose and Scope
The Executive management of Al Khaleej Takaful Insurance (Q.P.S.C) has appointed Grant Thornton Qatar to perform the risk assessment and internal audit engagement
in accordance with the agreed terms and conditions stated in the engagement letter Ref: GTQ/1607/2019. The details of our scope of work are stated below.
Develop Internal Audit Charter;
Develop Policies and Procedures manual for Internal Audit Function;
Obtain comprehensive ‘as-is’ understanding of operating environment and scope areas of internal audit mandate;
Perform risk assessment;
Develop Risk based Internal Audit Plan;
Develop strategic plan to address audit objectives, audit areas, frequency of audits and assessment of resources to be deployed;
Develop periodic engagement plan to translate the strategic plan into schedule of internal audit assignments and define the purpose and duration of each
audit assignment;
Develop Internal Audit Program for each Internal Audit Assignment;
Submit quarterly internal audit reports to audit committee;
Implement the traffic light rating system for audit observations;
Carry out follow-up reviews every 3 months during the term of engagement on all recommendations / agreed actions included in audit reports; and
Attend periodic audit committee meetings.
In the aforementioned context we undertook a risk assessment at entity level to ascertain the strategic and operational risks pertaining to Al Khaleej Takaful
Insurance (Q.P.S.C).
The entity-level risk assessment was conducted in accordance with the 17 principles of the COSO framework, which pertain to the following five components:
Control Environment
Risk Assessment
Control Activities
Information & Communication
Monitoring Activities
Internal Audit Approach and Methodology

Internal Audit Approach
Elements enabling our IA Methodology
Our response is based upon the use of senior teams, dedicated internal audit professionals, application of technology, use of specialists and
ownership by the core team of every aspect of the service.

Partner Led Delivery: involvement of senior people in delivery of the engagements to ensure seamless delivery.
Audit Analytics & Tools: a team trained on audit software such as ACL and IDEA, which helps us cover a wide population and give greater
assurance.
Customer feedback: we engage with our clients on an ongoing basis to ensure that we meet their expectations, through weekly status update
meetings and an independent feedback mechanism.
Cross functional: our cross functional team of Accounting, IT, Management and Regulatory experts assists us in forming operational opinions.
Strong IA Methodology.
IIA Standards.
Internal Audit Methodology

Internal audit plan
• understand business goals
• understand changes in organizational relationships and protocols
• stakeholder mapping
• evolve and issue a rolling plan to all the concerned stakeholders

On Field Review
• understand major processes and associated sub-processes
• understand risks and control matrices for areas covered under review
• assess areas and risks
• assess tolerance limits and exceptions
• root cause analysis to be covered through physical audits

Issue Sheets
• issue sheets and a report on root cause analysis are provided to the auditees to arrive at agreement over the issues identified
• co-develop an action plan; agree the action plan, person responsible and due date for implementation

Audit closing meeting
• clarify points or issues with unit/management
• resolve open items, if any
• finalise process ratings
• agree follow-up plan

Issue reports
• report capturing in detail the root cause, risk/business impact and recommendations for the issues observed
• executive summary for the leadership team
Deliverable: Audit Report

Presentation to management/audit committee
• summary of key risks needing mitigation
• advice on directional matters
• summary of status of agreed action
Deliverable: Audit Committee Presentation

Implementation/status follow up
• maintain dashboard of agreed action
• periodically review/update status of implementation
Grade of the Report (Criteria)
Reports are assigned an overall grade of Critical, Moderate or Low. The grading of the reports is based on the underlying issues within each
report based on the residual risk after consideration of the adequacy / effectiveness of controls / risk mitigations in accordance with the
organization’s risk assessment matrix (risk rating criteria). The following table provides the report grading:
Critical
Recommendations addressing fundamental control weaknesses which expose the entity to significant risk of
material errors in financial information and is critical for the organization. These issues should be addressed
immediately.
Moderate
Recommendations addressing moderate control weaknesses which, if left unchecked, may result in material
errors in financial information. These should be addressed as resources permit, but at most, within the next two
quarters.
Low
Recommendations addressing less significant weaknesses or those which represent deviations from best practice
and may be inefficient. These weaknesses are unlikely to give rise to a material error in financial information
generated. They should be addressed when practicable.
Report grade
Based on the criteria mentioned above, the grade of the report is ‘Moderate’ considering the following information.

Number of observations rated as ‘High Risk’        5
Number of observations rated as ‘Moderate Risk’    10
Number of observations rated as ‘Low Risk’         0
Total number of observations reported              15
Risk Level and Priority Classification
The table below provides a definition of the risk level and priority classification used in our report. The observations rated High and
Moderate should receive priority when implementing remediation plans.
Risk Level
Risk rating for internal audit review
High
Recommendations addressing fundamental control weaknesses which expose the entity to significant risk of material errors in
financial information. These issues should be addressed immediately.
Moderate
Recommendations addressing significant control weaknesses which, if left unchecked, may result in material errors in
financial information. These should be addressed as resources permit, but at most, within the next two quarters.
Low
Recommendations addressing less significant weaknesses or those which represent deviations from best practice and
may be inefficient. These weaknesses are unlikely to give rise to a material error in financial information generated.
They should be addressed when practicable.
Al Khaleej Takaful Insurance (Q.P.S.C)
(Internal Audit Report – GL & Financial Reporting Process)
(Period Covered : 01 Jan 2020 till 31 Aug 2020)
Summary of significant matters

Sr. No.  Observation Title                                                   Risk Rating
1        Senior management involvement in AML/CFT decision making            High
2        Enhanced Customer Due Diligence                                     Moderate
3        Maker Checker Approver Control                                      Moderate
4        KYC for third party vendors                                         Moderate
5        Ongoing Customer Due Diligence                                      Moderate
6        Transaction alert parameters and monitoring schedule                Moderate
7        Customer account exit procedure                                     Moderate
8        Service level agreement with third party administrator              Moderate
9        Policy and procedure manual                                         Moderate
10       Appointment of MLRO and DMLRO                                       High
11       MLRO annual report to the board                                     High
12       AML/CFT Training programs                                           High
13       Quality and effectiveness review of training program for AML/CFT   Moderate
14       Retention of training records                                       Moderate
15       Risk Assessment                                                     High
Summary of significant matters
Al Khaleej Takaful Insurance (Q.P.S.C)
(Internal Audit Assessment for AML/CFT)
(Period Covered : For the year 2020)
1- Senior management involvement in AML/CFT decision making
Observation
We observed that the Board of Directors (BOD) and senior management have not been involved in AML/CFT decision making on critical
matters such as high risk clients, sanctions and politically exposed persons.
Implication
Non-involvement of the BOD and senior management in AML/CFT decision making on critical matters may expose the Company to
reputational and financial risk. Further, the mere presence of approved policies and manuals and the appointment of an MLRO do not
discharge management from their duties.
Risk rating
High
Recommendation
A committee at top level should be formed for periodic review of important decisions on high risk areas, discussion of the reports
from the MLRO and the status of AML/CFT training programmes. Minutes of the committee meetings should also be maintained.
Management Comments
2- Enhanced Customer Due Diligence
Observation
Although Customer Due Diligence (CDD) procedures are clearly defined in the manual, the manual does not contain Enhanced
Customer Due Diligence (ECDD) requirements, and the differentiation between CDD and ECDD is not clearly set out.
Implication
In the absence of Enhanced Due Diligence (EDD), the risks posed by higher-risk customers may not be properly assessed and
mitigated.
Risk rating
Moderate
Recommendation
Procedures regarding Enhanced Customer Due Diligence (ECDD) should be properly defined to mitigate the risks which may not be
detected by CDD.
Management Comments
3- Maker Checker Approver Control
Observation
We observed that there is no maker-checker-approver control in place for Customer Due Diligence (CDD) procedures.
Implication
Absence of a maker-checker-approver control over customer due diligence may result in over- or under-rating of the risk assigned
to a client and may ultimately expose the Company to business risk.
Risk rating
Moderate
Recommendation
A maker-checker-approver control should be introduced in order to ensure the effectiveness and accuracy of monitoring and
oversight of the AML/CFT process.
Management Comments
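The control recommended above, as an added illustration written for this page (it is not code from the Company, its systems or the auditor): a small maker-checker-approver workflow for a CDD customer risk rating. The role names, the three-step sequence, the rule that a rating only takes effect once three distinct people have acted, and the user names alice, bob and carol are assumptions made for the example.

```python
# Added illustration for this page, not the Company's system: a minimal
# maker-checker-approver workflow for a CDD customer risk rating. The role
# names, the three-step sequence and the sample user names are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class SegregationError(Exception):
    """Raised when one person tries to act in two roles on the same record."""


VALID_RATINGS = ("low", "medium", "high")


@dataclass
class CddRiskRating:
    customer_id: str
    proposed_rating: str
    maker: str
    checker: Optional[str] = None
    approver: Optional[str] = None
    # (role, user) pairs in the order they acted: the record's audit trail
    audit_trail: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def status(self) -> str:
        if self.approver is not None:
            return "approved"
        if self.checker is not None:
            return "checked"
        return "submitted"


def submit(customer_id: str, rating: str, maker: str) -> CddRiskRating:
    """Maker proposes a rating; nothing is effective until approved."""
    if rating not in VALID_RATINGS:
        raise ValueError("unknown rating: %r" % rating)
    rec = CddRiskRating(customer_id, rating, maker)
    rec.audit_trail.append(("maker", maker))
    return rec


def check(rec: CddRiskRating, checker: str) -> CddRiskRating:
    """Checker reviews the maker's work; must be a different person."""
    if rec.status != "submitted":
        raise ValueError("cannot check a record in state %r" % rec.status)
    if checker == rec.maker:
        raise SegregationError("checker must differ from maker")
    rec.checker = checker
    rec.audit_trail.append(("checker", checker))
    return rec


def approve(rec: CddRiskRating, approver: str) -> CddRiskRating:
    """Approver signs off; must differ from maker and checker, and the
    check step cannot be skipped."""
    if rec.status != "checked":
        raise ValueError("cannot approve a record in state %r" % rec.status)
    if approver in (rec.maker, rec.checker):
        raise SegregationError("approver must differ from maker and checker")
    rec.approver = approver
    rec.audit_trail.append(("approver", approver))
    return rec


def is_effective(rec: CddRiskRating) -> bool:
    """A rating takes effect only after three distinct people have acted."""
    actors = {user for _, user in rec.audit_trail}
    return rec.status == "approved" and len(actors) == 3


def run_demo() -> dict:
    """Walk one record through the workflow, exercising the rejected paths."""
    rec = submit("C-1001", "high", maker="alice")
    outcome = {}
    try:                                   # maker may not check own work
        check(rec, "alice")
        outcome["self_check_blocked"] = False
    except SegregationError:
        outcome["self_check_blocked"] = True
    try:                                   # approval cannot skip the check
        approve(rec, "carol")
        outcome["skip_check_blocked"] = False
    except ValueError:
        outcome["skip_check_blocked"] = True
    check(rec, "bob")
    try:                                   # checker may not also approve
        approve(rec, "bob")
        outcome["checker_approve_blocked"] = False
    except SegregationError:
        outcome["checker_approve_blocked"] = True
    approve(rec, "carol")
    outcome["status"] = rec.status
    outcome["effective"] = is_effective(rec)
    outcome["trail"] = list(rec.audit_trail)
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

What an auditor would test for is that the rejections are enforced by the system rather than by instruction: the person who rated the customer cannot check or approve that rating, approval cannot bypass the check, and the audit trail records who acted in each role.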
4- KYC for third party vendors
Observation
Upon inquiry, we noted that KYC procedures relating to vendors have not been documented.
Implication
In the absence of documentation, we are unable to gather the evidence required to confirm that KYC procedures are applied to
vendors in line with generally accepted internal control practices.
Risk rating
Moderate
Recommendation
Proper documentation of the KYC procedures for vendors should be prepared, reviewed and approved in line with generally
accepted internal control practices.
Management Comments
5- Ongoing Customer Due Diligence
Observation
We observed that ongoing customer due diligence has not been performed.
Implication
An AML/CFT program must include ongoing customer due diligence (OCDD) in order to enhance the robustness of the risk
management and internal control system; without it, customer risk information is not kept current.
Risk rating
Moderate
Recommendation
We recommend that ongoing customer due diligence be performed on a periodic basis.
Management Comments
6- Transaction alert parameters and monitoring schedule
Observation
We observed that no transaction alert parameters have been defined by management. Further, there is no monitoring schedule
for suspected high risk transactions.
Implication
Absence of transaction alert parameters and a monitoring schedule may expose the Company to reputational, financial and regulatory
risks.
Risk rating
Moderate
Recommendation
The Company should develop transaction alert parameters and a monitoring schedule to ensure the design and operating
effectiveness of internal controls over AML/CFT.
Management Comments
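As an added illustration (not the Company's system and not the auditor's code) of what "transaction alert parameters and a monitoring schedule" look like once written down: a small rule engine whose parameters sit in one reviewable table, with a schedule stating how often each rule must run. The threshold, look-back window, structuring floor, the placeholder jurisdiction code ZZ and the six sample transactions are all constructed assumptions; the real values would come from the Company's approved policy and risk assessment.

```python
# Added illustration for this page, not the Company's system: a minimal transaction
# alert engine with explicit alert parameters and a monitoring schedule. The thresholds,
# look-back window, jurisdiction list and sample transactions are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Alert parameters: illustrative placeholders, to be replaced by values from the
# Company's approved AML/CFT policy and risk assessment.
PARAMS = {
    "single_txn_threshold": 100_000,    # flag any single transaction at or above this amount
    "structuring_window_days": 7,       # look-back window for aggregated cash activity
    "structuring_floor": 0.8,           # cash amounts within 80% of the threshold count as "just under"
    "high_risk_jurisdictions": {"ZZ"},  # placeholder code; populate from the risk assessment
}

@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    when: date
    amount: float
    channel: str               # "cash", "transfer" or "cheque"
    counterparty_country: str  # country code of the counterparty

@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    txn_ids: tuple
    detail: str

def rule_large_transaction(txns, params):
    """One transaction at or above the single-transaction threshold."""
    thr = params["single_txn_threshold"]
    return [Alert("large_transaction", t.customer_id, (t.txn_id,), "amount %.0f >= %.0f" % (t.amount, thr))
            for t in txns if t.amount >= thr]

def rule_high_risk_jurisdiction(txns, params):
    """Any transaction whose counterparty sits in a listed high-risk jurisdiction."""
    return [Alert("high_risk_jurisdiction", t.customer_id, (t.txn_id,), "country %s" % t.counterparty_country)
            for t in txns if t.counterparty_country in params["high_risk_jurisdictions"]]

def rule_structuring(txns, params):
    """Several cash transactions by one customer, each just below the threshold, whose
    total inside the look-back window reaches the threshold (classic structuring)."""
    thr = params["single_txn_threshold"]
    floor = thr * params["structuring_floor"]
    window = timedelta(days=params["structuring_window_days"])
    by_customer = defaultdict(list)
    for t in txns:
        if t.channel == "cash" and floor <= t.amount < thr:
            by_customer[t.customer_id].append(t)
    alerts = []
    for cust, cash in by_customer.items():
        cash.sort(key=lambda t: t.when)
        reported = []  # id sets already alerted, so sub-groups are not reported twice
        for i, first in enumerate(cash):
            group = [t for t in cash[i:] if t.when - first.when <= window]
            ids = frozenset(t.txn_id for t in group)
            total = sum(t.amount for t in group)
            if len(group) < 2 or total < thr or any(ids <= seen for seen in reported):
                continue
            reported.append(ids)
            alerts.append(Alert("structuring", cust, tuple(sorted(ids)),
                                "%d cash transactions totalling %.0f within %d days" % (len(group), total, window.days)))
    return alerts

RULES = {"large_transaction": rule_large_transaction,
         "high_risk_jurisdiction": rule_high_risk_jurisdiction,
         "structuring": rule_structuring}

# Monitoring schedule: maximum number of days between runs of each rule.
SCHEDULE = {"large_transaction": 1, "high_risk_jurisdiction": 1, "structuring": 7}

def rules_due(last_run, today, schedule=SCHEDULE):
    """Names of rules that have never run or whose interval has elapsed as of today."""
    return sorted(name for name, every in schedule.items()
                  if name not in last_run or (today - last_run[name]).days >= every)

def run_alerts(txns, params=PARAMS, rule_names=None):
    """Run the named rules (all by default) over one batch of transactions."""
    alerts = []
    for name in (rule_names if rule_names is not None else RULES):
        alerts.extend(RULES[name](txns, params))
    return alerts

# Constructed sample batch (not real data).
SAMPLE_TXNS = [
    Txn("T1", "C-1", date(2020, 9, 1), 150_000, "transfer", "QA"),  # single large transfer
    Txn("T2", "C-2", date(2020, 9, 2), 90_000, "cash", "QA"),        # two cash deposits just under the
    Txn("T3", "C-2", date(2020, 9, 4), 85_000, "cash", "QA"),        #   threshold, two days apart
    Txn("T4", "C-3", date(2020, 9, 3), 20_000, "transfer", "ZZ"),    # counterparty in a listed jurisdiction
    Txn("T5", "C-4", date(2020, 9, 5), 50_000, "cash", "QA"),        # below the structuring floor
    Txn("T6", "C-2", date(2020, 9, 20), 95_000, "cash", "QA"),       # outside the window of T2/T3
]

def run_demo():
    """Alerts raised on the sample batch as (rule, customer, txn_ids), sorted."""
    return sorted((a.rule, a.customer_id, a.txn_ids) for a in run_alerts(SAMPLE_TXNS))

def schedule_demo():
    """Which rules fall due on 2020-10-01, given constructed last-run dates."""
    last = {"large_transaction": date(2020, 9, 30), "high_risk_jurisdiction": date(2020, 9, 30),
            "structuring": date(2020, 9, 25)}
    return rules_due(last, date(2020, 10, 1))

if __name__ == "__main__":
    for item in run_demo():
        print(item)
    print("due on 2020-10-01:", schedule_demo())
```

On the sample batch the engine raises three alerts (the large transfer, the two cash deposits of the same customer inside the window, and the counterparty in the listed jurisdiction) and stays silent on the deposit below the floor and on the later deposit outside the window. The value of writing the parameters and the schedule down in this form is that both become artefacts the MLRO can approve and an auditor can test, rather than undocumented judgement.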
7- Customer account exit procedure
Observation
We observed that a customer account exit procedure has not been defined in the manual, which is contrary to generally accepted
internal control practices in the area of AML/CFT.
Implication
Absence of a customer account exit procedure may expose the Company to financial, reputational and regulatory risks.
Risk rating
Moderate
Recommendation
We recommend that a customer account exit procedure be delineated and incorporated in the AML/CFT manual.
Management Comments
8- Service level agreement with third party administrator
Observation
Pursuant to article 6.7(3) of the AML and CFT instructions from QCB (FY2020), the financial institution must, through a service level
agreement or otherwise, ensure that the third party, and the officers, employees, agents and contractors of the third party, comply
with AML/CFT law, instructions, policies, procedures, systems and controls.
Upon inquiry, we noted that no such service level agreement has been signed between the third party administrator and the
Company as required under article 6.7(3) of the AML and CFT instructions from QCB (FY2020).
Implication
Non-compliance with the above mentioned provision of the AML/CFT law may expose the Company to reputational, financial and
regulatory risk.
Risk rating
Moderate
Recommendation
We recommend that senior executive management of the Company introduce a system to ensure compliance with article 6.7(3) of
the AML and CFT instructions from QCB (FY2020).
Management Comments
9- Policy and procedure manual
Observation
As per article 6.7(4) of the AML and CFT instructions from QCB for financial institutions (FY2020): “The financial institution’s
AML/CFT policies, procedures, systems and controls must:
(a) require the third party, and the officers, employees, agents and contractors of the third party, wherever they are, to provide
the financial institution’s MLRO with STRs for transactions in, from or to this jurisdiction involving the financial institution.
(b) provide timely, unrestricted access by the financial institution’s Board and MLRO, and to the QCB and FIU, to documents and
information of the third party, wherever they are held, that relate directly or indirectly to the financial institution’s customers
or accounts or to transactions in, from or to this jurisdiction involving the financial institution.”
We observed that the abovementioned requirement of the AML/CFT law has not been embedded in the policy and procedure manual
of the Company.
Implication
Non-compliance with the above mentioned provision of the AML/CFT law may expose the Company to reputational, financial and
regulatory risk.
Risk rating
Moderate
Recommendation
The policies and procedures manual should be updated to reflect the abovementioned provisions of the AML/CFT law.
Management Comments
10- Appointment of MLRO and DMLRO
Observation
As per article 8.1 of the AML and CFT instructions from QCB for financial institutions (FY2020): “A firm must ensure that there is
at all times an MLRO and a deputy MLRO for the firm. The DMLRO functions and acts as the MLRO during the absence of the MLRO
and while the position is vacant.”
We observed that no MLRO was appointed until November 2020. Further, the deputy MLRO position is still vacant.
Implication
In the absence of an MLRO and DMLRO, we were unable to confirm proper compliance with the AML/CFT and KYC procedures
required under the relevant provisions of the applicable law (Law No. 20 of 2019) and the instructions issued by QCB in May 2020
under that law.
Risk rating
High
Recommendation
A qualified and experienced Deputy MLRO should be appointed as required by the law to perform the MLRO’s duties in the absence
of the MLRO.
Management Comments
11- MLRO annual report to the board
Observation
As per article 8.5 of the AML and CFT instructions from QCB for financial institutions (FY2020):
a. At a minimum, the MLRO must give the Board an Annual Report for each fiscal year.
b. The MLRO must keep a record of all reports submitted to the Board and actions taken on these reports.
We observed that no such report was issued to the Board by the MLRO during the year.
Implication
In the absence of AML/CFT reporting, the Board may be unaware of the following:
a. The number of STRs sent to the MLRO by employees and further passed on to the QFIU;
b. Contraventions by the Company of the AML/CFT law, instructions and its own policies and procedures manual;
c. Areas of improvement to the Company’s AML/CFT policies and procedures;
d. A summary of the AML/CFT training given by the Company to its employees;
e. Customers categorised as high risk; and
f. The outcome of audit reviews.
Risk rating
High
Recommendation
An annual AML/CFT report should be prepared and presented to the Board as per articles 8.5 and 8.6 of the instructions issued by
QCB.
Management Comments
12- AML/CFT Training programs
Observation
As per article 21.2 of the AML and CFT instructions from QCB for financial institutions (FY2020): “A financial institution must
identify, design, deliver and maintain an appropriate and adequate ongoing training programme on AML/CFT for its officers and
employees at a minimum on an annual basis for all staff and whenever necessary.”
Further, article 17.3 of the Company’s manual states: “The MLRO should design and supervise training programs that include all
employees of different job grades”.
Upon inquiry, we observed that no such training was conducted during the year, owing to the non-availability of an MLRO.
Implication
Employees would be unaware of the AML/CFT statute, which may expose the Company to reputational, financial and regulatory risks.
Risk rating
High
Recommendation
The MLRO should design and supervise AML/CFT training programs that include all employees of different job grades as per the
relevant provisions of the law.
Management Comments
13- Quality and effectiveness review of training program for AML/CFT
Observation
As per article 21.3 (2) and (3) of the AML and CFT instructions from QCB for financial institutions (FY2020): “The financial
institution must carry out a review of training needs at regular intervals in order to ensure that the objectives of the training
are met. The Board of directors of the financial institution must consider the outcome of each such review. If the review identifies
deficiencies in AML/CFT training requirements, the financial institution must prepare and approve an action plan to remedy the
identified deficiencies promptly.”
Upon inquiry, we noted that no quality and effectiveness review of the AML/CFT training program has been conducted during the
period under review.
Implication
Absence of a formal quality review of the training program by the governing body may result in design and operating
ineffectiveness of controls over AML/CFT.
Risk rating
Moderate
Recommendation
Reviews at regular intervals should be conducted by the governing body to confirm that the training requirements have been met
pursuant to the relevant provisions of the AML/CFT statute in the State of Qatar.
Management Comments
14- Retention of training records
Observation
As per article 22.1(f) of the AML and CFT instructions from QCB for financial institutions (FY2020): “Training records must be
retained for a period of 10 years.”
We observed that proper records of AML/CFT training have not been maintained by the Company.
Implication
Absence of documentation of AML/CFT training may lead to compliance risk and may also result in financial penalties for the
Company.
Risk rating
Moderate
Recommendation
The Company should retain records of AML/CFT training as per the relevant provisions of the QCB instructions manual.
Management Comments
15- Risk Assessment
Observation
As per article 9.1 of the AML and CFT instructions from QCB for financial institutions (FY2020): “A financial institution must
conduct, at regular and appropriate intervals, and at least once a year, a business risk assessment of the ML/TF risks that it faces
including risks identified in the National Risk Assessment, sectorial risk assessment and those that may arise from: the types of
customers, the products and services that it provides, the technologies that it uses and jurisdictions where the financial institution
has or will conduct transactions with.”
Upon inquiry, we noted that no risk assessment for AML/CFT has been performed during the period under review.
Implication
Absence of a formal AML/CFT risk assessment reveals weak controls over the identification, assessment, mapping, mitigation and
reporting of the related risks to the Company.
Risk rating
High
Recommendation
An annual risk assessment should be performed as per the methodology specified in articles 9.1 and 9.2 of the AML and CFT
instructions manual of QCB.
Management Comments
Caveats
The procedures performed were limited to those detailed in the internal audit charter, internal audit plan and internal audit program
and, as a consequence, this report may not necessarily disclose all significant matters about the Company’s corporate governance or reveal
errors or irregularities, if any, in the underlying information. We do not make any representations regarding the sufficiency of the
procedures we have performed;
The procedures we have performed are limited to the information provided by the departments, on the premise that the information
is correct; and
Further, as per the mandate given to the Internal Audit department, the Internal Audit function is solely responsible for reporting its
findings to the Audit Committee.
Dr.Sultan Al Dosari & Partners
Chartered Accountants
Member Firm of Grant Thornton International Ltd
P.O. Box 206070 | Level 3 | Building No 58
Al Muntaza | Doha | Qatar
© 2020 Grant Thornton Qatar. All rights reserved.
“Grant Thornton” refers to the brand under which the Grant Thornton member firms provide Advisory, tax and
assurance services to their clients and/or refers to one or more member firms, as the context requires. Grant
Thornton Qatar is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a
worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the
member firms.
GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one
another’s acts or omissions. Please visit grantthornton.qa