Training insights: Forbidden fruit – understanding sanctions risk

It should come as no surprise to internal auditors that sanctions have been much in the headlines over the past year. While they have been used as diplomatic tools to put pressure on many regimes in the past – notably North Korea and Iran – it was the imposition of sanctions on Russia after it invaded Ukraine last year that sent multiple shockwaves through the global economy.

Russian businesses and individuals were far more deeply and extensively integrated with global commerce and investment than those in most regimes previously placed under sanctions, so the repercussions have been more serious and far-reaching. The complexity of an increasingly global network means that some impacts are hidden deep in extended supply chains and customer contracts.

In the past, financial services organisations have been most likely to be affected and they were among the most obvious organisations that had to act fast when Russia was sanctioned. They were already on the sanctions frontline and ought to have well-established controls to ensure that sanctions rules are understood and mitigation updated regularly (although internal audit should check that these are sufficient given the rapid escalation of risks).

However, the sanctions imposed on Russia have also created a headache for internal audit teams with less experience of auditing sanctions risks and controls – many may not even know whether they are exposed to sanctions risks, or in what areas. Ignorance is no defence and, wherever they originate, the costs of neglecting or misunderstanding sanctions rules can be high. Financial penalties can be, and have been, dramatic over the years. Furthermore, there are reputational risks for those found to be breaching sanctions rules.

This is why the Chartered IIA is launching a new course that aims to give internal audit teams an overview of the risks that sanctions can create, the key areas where the internal audit function should investigate, the questions they should ask and the controls that organisations can put in place to mitigate these risks.

“The situation has changed. The Chartered IIA’s Risk in Focus 2023 report found that compliance issues, geopolitical volatility and macro-economic uncertainty have all risen up the corporate risk agenda,” explains John Chesshire, who will lead the new course. “Sanctions risk is related to all these categories and it’s clear that such risks are now affecting a much broader range of organisations beyond those in financial services. There is a clear remit for internal audit here.”

Internal audit leaders should also be taking a lead and telling their boards and audit committees that sanctions are, or may be, a risk for them and that internal audit should be investigating, he adds.

“Compliance is traditionally left to the second line, but this is a rapidly changing and emerging area that would benefit from independent third-line assurance,” he says. “Internal audit should be looking at the risk and at the framework and processes in place in the second line. We need to ask what are the legal and financial risks, and are they understood and being managed adequately?”

Internal audit teams should ask whether they have any experience in this area and whether their knowledge of sanctions risk is sufficient and up to date. “What updates do you get and where do you get them from, are you using technology to support you, and do you fully understand the ramifications?” Chesshire asks. “It’s not an easy or stable area.”

 

High-level overview

The new course offers a high-level overview of the issues for internal audit around sanctions – the types of sanctions that exist, questions to ask about compliance and how internal audit can work with the second line, controls that can help organisations to identify and mitigate sanctions risk (such as screening and due diligence), and internal audit’s role in offering assurance over sanctions risks. It will also suggest ways in which the function can work better and more collaboratively with others in the business and how it can raise the profile of sanctions risks with senior management.

“Sanctions risk is similar to geopolitical risk in that we know that internal audit should be getting more involved and not leaving it to the second line, but many internal auditors need guidance because they may not have experience in it,” Chesshire says. “We need to respond to the volatile world we are living in and it’s time to dust off preconceptions and look at what’s actually happening in the business.”

While the Russian invasion of Ukraine has brought sanctions risk to the fore, this course will not look at specific pieces of regulation or legislation. “It’s more about offering high-level insights into a policy tool that is likely to be used further and in more places in future,” Chesshire explains. “It’s part of auditing compliance at a deeper, more effective level and looking more closely at people, tools, technology and combined assurance.”

 

Building resilience

At just half a day, this course is intended to be a thought-provoking introduction to the issues and potential approaches, particularly for those new to the complexities of the subject. “As organisations look to diversify their suppliers and customers around the world, so they are likely to encounter more risks around third parties and extended supply chains, including sanctions,” Chesshire adds. “Understanding these risks and your organisation’s connections to other companies requires ever more transparency and due diligence.”

A better grasp of sanctions risks is therefore part of gaining a stronger understanding of a host of risks that are likely to become increasingly important and have a real impact on key issues such as corporate resilience in the future. A few hours discussing assurance and third-party relationships now will help to build understanding and awareness that may prove invaluable now and in years to come. 

This article was published in March 2023.