An Internal Audit Strategy for Law Firms

Adapted from JLT Group’s Specialty Insights which can be found at http://www.jlt.com/specialty/our-insights/thought-leadership/financial-lines/how-do-you-manage-your-internal-audit-strategy
 
Firms should do all they can to be proactive and be able to demonstrate a robust process and structure to manage different types of risks. An internal audit is definitely an area that deserves increasing attention.
 
The current position
 
Law firms have traditionally been weak on internal audit, but, as we shall see, client pressures and new laws may force change. The PwC Law Firm Survey 2015 commented that ‘internal audit remains an area of underinvestment, particularly when benchmarked against corporate businesses of equivalent size, complexity and geographic reach’. Their 2014 survey stated that the general benchmark for expenditure on internal audit outside law firms was 0.05% of revenues.
 
Client requirements
 
Even some of the largest firms are beginning to see clients, particularly in the public sector, looking for evidence of quality standards, and asking about independent third party verifications too. This started with information security requirements, but we are seeing far wider requests too.
 
Compliance with Statutory Requirements
 
Locally, Members of the Malaysian Bar will have to comply with the provisions of the Personal Data Protection Act 2010 (“PDPA”). The PDPA regulates the processing of personal data for commercial transactions. Information is considered “personal data” if it can identify the person; this includes any expression of opinion about him or her and may include names, addresses and NRIC number. When processing such data, firms must consider the protection principles under the PDPA, which may include the General Principle (that any processing of the data subject’s personal data requires his or her consent) as well as the Notice and Choice Principle (that data users are required to notify the data subject of the purpose for which the personal data is collected and of the right to request access and correction thereof)[1].
 
Anti-money laundering
 
On-site examinations conducted by Bank Negara Malaysia (“BNM”) found legal firms’ compliance with the Anti-Money Laundering and Anti-Terrorism Financing Act 2001 (“AMLATFA”) and the guidelines issued under it to be weak.
 
The Bar Council has formulated a checklist to assist its members to work their way through the “Know Your Client” guidelines issued by BNM pursuant to AMLATFA. Members have been advised to ask certain questions on the proposed transactions that their firms have been instructed to act upon. This list should be checked accordingly to ensure that the necessary information has been obtained and the checklist should be kept in the client’s file and shown to BNM should an onsite examination be carried out by BNM[2].
 
Early detection
 
An effective internal audit would do well to detect and flag weaknesses in compliance with these industry standards and statutory requirements.
 
Perhaps the most apparent benefit of having an internal audit system would be to detect mistakes or even fraudulent acts before these escalate to an unmanageable level. Nipping problems in the bud may only be possible if these problems can be detected early, and a systematic and periodical review of random files allows this to be done.
 
These file reviews can be carried out by persons within the firm who are not directly involved in the handling of the files that are being reviewed. How detailed should your checklists be for such internal audits? It is a matter of personal judgement. Longer lists can be difficult to use and can divert attention from issues which may be of higher risk. Which files should you pick for the audit? Randomness is important but should not be the sole factor. It is far better to take a risk-based approach and target your audit based on established risk criteria, e.g. size of the transaction, client, and also the area of practice, e.g. banking, conveyancing, litigation etc.
 
An internal audit exercise may also uncover shortcomings such as poor management of files and general housekeeping which, if rectified, may reduce the risk of losses arising from a disorganized firm.