
SIRA: accountants and a Drostebox

Author Sj. (Sjoerd) Vredenberg

They already had a gatekeeper function, one of the duties of the accountant under the Money Laundering and Terrorist Financing Prevention Act (Wwft). This also applies to other important access routes to money transfers: asset managers, lenders, trust offices, civil-law notaries and lawyers. And of course, the banks as the main artery. In the context of its supervision of the proper fulfillment of that role by financial institutions, the Dutch Central Bank (De Nederlandsche Bank, DNB) has been assessing the performance of integrity risk analyses by these institutions for years…

Now the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, AFM) and the Financial Supervision Office (Bureau Financieel Toezicht, BFT) will also investigate (supervise) the correct performance of integrity risk analyses by accountants, according to the ‘Good practices’ SIRA.


In 2014, DNB examined 170 financial institutions. That study showed that eighty percent of those institutions did not have thorough integrity risk analyses at the time. As a result, in 2015 DNB published guidelines for the Systematic Integrity Risk Analysis under the title ‘Good practices for integrity risk analysis’. Thus the concept of SIRA was born.


For an accountancy firm, too, the integrity risk analysis focuses on the risk of damage to its reputation or a threat to its capital/result due to inadequate compliance with laws and regulations.

One cause could be the failure to establish the integrity of its customers in accordance with laws and regulations; the gatekeeper function.

As a result, the accountancy firm’s external assessment of whether its client conducts its business operations with integrity is part of the firm’s own internal sound business operations: a repeating mechanism, each instance part of the previous one, with the former Droste cocoa canister as a metaphor.

The SIRA is neither an exclusively inward-looking nor an exclusively externally-oriented analysis. It is one yardstick for assessing the firm’s own integrity and that of its customers.

Integrity in (all) its facets

The SIRA in its current form arose almost ten years ago from the expansion of customer integrity thinking, to which DNB has long attached paramount importance. By now, Know Your Customer (KYC) is the everyday jargon for that part of integrity.

But the integrity of organizations, and therefore also the integrity of accountants, is now about much more than just ‘doing business with clients with integrity’, and therefore about much more than just KYC. It is also about offering products and services with integrity, with employees and partners with integrity. And about processes with integrity that are not susceptible to fraud, undermining and corruption. Or about the way in which you handle personal data. Moreover, with the latest developments, the domain of integrity seems to be expanding to include ethical standards for behavior, social aspects, sustainability, climate and the environment.

SIRA is about more than ‘just’ KYC. Integrity requirements are also set for employees, processes, systems, data, collaboration, communication and other ethical aspects.

Integrity thinking and acting

The fact that the last letter in SIRA, the ‘A’, stands for ‘Analysis’ is actually a pity… There is a real danger that carrying out the analysis, irrespective of how systematically and thoroughly it is conducted, will become the final destination. The insight obtained from the analysis should lead to defining, designing and implementing a workable control policy. If, through monitoring and adjustment, this results in the demonstrability of business operations with integrity, a recurring analysis will show a picture of improvement.

We have undeniably also learned from DNB’s supervision of banks that simply developing standards and frameworks (again: no matter how important) is not enough.

SIRA starts with the awareness that the outcome of the analysis is not the established integrity policy, but (the demonstrability of) complying with it.

From outside inwards

For every accountancy firm, acting with integrity starts with analyzing and defining the firm’s risk profile: what do the current and desired client and assignment portfolios look like? What services does it provide? What does the staff structure look like? Who are the suppliers? How is supervision arranged?

From the spectrum of laws and regulations that apply to the accountant, it is determined what the consequences are for the firm with its established risk profile.

This very important analysis is translated into an inventory of the integrity risks run by the firm. These are documented on the basis of ‘scenarios’ (described concretely with the circumstances applicable to the firm) and weighted (likelihood and impact).

Knowing the risk profile of one’s own accountancy firm and knowing which laws and regulations apply to what extent, determine the integrity risks that exist for the firm.

For each integrity risk described, concrete and workable actions and mechanisms are defined and documented to reduce the risk as far as the firm desires (risk appetite). A healthy balance between detective, preventive, reducing and corrective measures is important here.

Documented risks, together with concretely described controls, form the Integrity Standards Framework.

Demonstrability (ascertainability)

If only the last letter of SIRA, the ‘A’, stood for ‘Ascertainability’ [Aantoonbaarheid in Dutch]… Because that is where the real value of the approach lies. That is what the supervisor requires. But much more importantly: that is what the customer of the accountant’s service is increasingly demanding. And that is actually what every accountancy firm should expect of itself: to be able to ascertain ‘at any time’ that business operations are conducted with integrity.

This means that monitoring is set up for every control described in the Integrity Standards Framework: monitoring aimed at determining the correct functioning of the control and linked to the associated action and improvement management.

The Integrity Standards Framework, which is tailored to the firm, exists ‘only’ as a yardstick against which one’s own actions can be measured, with the aim of making adjustments and reporting.

And again from inside outwards

If the accountancy firm, with this systematic way of managing its own integrity risks internally, looks outside at the integrity of its clients, it must do so on the basis of the same method and yardstick.

But as we already discovered with the old canister: the image becomes less detailed. Because in all of this, the following applies:

More where required, less where possible!
