FINANCE AND BANKING / by Miguel Gallardo Guerra
The annual audit in Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) matters does not end with the issuance of the Audit Report. On the contrary, one of the most relevant elements from a regulatory standpoint is the effective follow-up on the findings and recommendations identified, as well as the timely implementation of corrective actions.
A technically sound audit loses value when its findings and recommendations are not translated into concrete and verifiable improvements within the organization.
The action plan as a central improvement tool.
Once the Audit Report has been issued, the Entity must structure a formal action plan to address the identified findings and recommendations. Such a plan must include, at least:
- A clear description of each finding and, where applicable, the related recommendations.
- The specific corrective measure to be implemented.
- The area responsible for its execution.
- The committed timeline for remediation.
- Follow-up and verification mechanisms.
The action plan should not be conceived as a merely declaratory document. It must constitute an operational tool that enables the Entity to close compliance gaps, strengthen controls, and reduce risks identified during the audit.
Responsibility of the Communication and Control Committee.
From a corporate governance perspective, follow-up on findings and recommendations derived from the audit does not end with the issuance of the Audit Report, nor is it a responsibility exclusively vested in the Compliance Officer or operational areas. Such follow-up corresponds primarily to the Communication and Control Committee, as the competent body to review the results of the internal or external audit, analyze the identified deficiencies, and define the necessary corrective actions, in coordination with, and with the support of, the management body.
The formal receipt of the Audit Report, its analysis, as well as the approval and supervision of compliance with the action plan are part of the oversight and control functions entrusted to the Communication and Control Committee, without prejudice to the participation of the Chief Executive Officer or other operational officers in implementing corrective measures.
In the case of Entities that, pursuant to the applicable Provisions, are not required to establish and maintain a Communication and Control Committee because they have fewer than twenty-five persons in their service, the functions and obligations that would otherwise correspond to such Committee shall be exercised directly by the Compliance Officer, who must review the audit results, follow up on findings and recommendations, and sufficiently document the implementation and verification of the corrective actions adopted.
The lack of formal, documented, and verifiable follow-up may be interpreted as a weakness in the compliance culture and in internal oversight mechanisms, thereby increasing regulatory exposure in the event of supervisory proceedings.
Documentary evidence and traceability.
One of the aspects most frequently reviewed by the authority is whether the findings and recommendations resulting from previous audits were effectively addressed.
In this regard, the Entity must retain sufficient and traceable evidence to demonstrate:
- The actual implementation of corrective measures.
- The update of policies, manuals, or methodologies, when necessary.
- Staff training in connection with relevant changes.
- Subsequent verification of the effectiveness of adjusted controls.
The absence of documentary evidence often gives rise to additional questions and may trigger specific information requests.
Impact on supervisory processes.
In practice, unattended or recurring findings and recommendations are among the main factors that increase the likelihood of formal observations by the supervisory authority.
Conversely, when the Entity demonstrates that it has a structured follow-up system, with periodic reports to the Communication and Control Committee, as well as corrective actions implemented and verified within the established timelines, regulatory risk is significantly reduced.
An audit should not be viewed as an isolated event, but rather as part of a continuous cycle of assessment, improvement, and strengthening of the AML/CFT system, in which the Communication and Control Committee plays a central role as an oversight and decision-making body.
Conclusion.
The true value of an AML/CFT audit materializes in the Entity’s ability to transform findings and recommendations into substantive improvements.
A well-structured action plan, known to and supervised by the Communication and Control Committee and properly documented, not only meets regulatory expectations, but also strengthens internal governance and consolidates a sustainable compliance culture.
Timely and effective follow-up on findings is not a mere formality; it is a strategic risk management decision that protects the Entity against future regulatory risks.

For more information write to us at:
mgallardo@bgbg.mx