CYPRUS Law and Practice Contributed by: Ioanna Solomou, Stephanos Ayiomamitis, Andria Kouloumi and Lefteris Eleftheriou, Michael Kyprianou & Co LLC
6. Audit, Risk and Internal Controls 6.1 External Auditors The Companies Law requires that all companies registered in Cyprus have their financial statements audited annually by a licensed auditor. The law does not provide for any exceptions to this requirement, and it applies to all companies registered in Cyprus irrespective of size. The auditors are appointed by the board of directors during the company’s first minutes upon incorpora - tion, and can then be renewed or changed at each AGM thereafter. The relationship of the company with its auditors is mainly contractual. This means that the responsibil - ity under the law for a company to have a complete set of financial statements prepared and audited in accordance with the IFRS and the provisions of the law remains with the company and the directors. 6.2 Risk Management and Internal Controls In Cyprus, there is no specific legal requirement that explicitly defines or regulates “geopolitical risk” as a standalone category; however, such risks are indi - rectly addressed within broader regulatory and corpo - rate governance frameworks, particularly for entities supervised by the Cyprus Securities and Exchange Commission and the Central Bank of Cyprus. In practice, geopolitical risk is treated as a part of wider risk categories, including economic, operational and compliance risk, and can be managed through enterprise risk management systems, internal con - trols and business continuity frameworks. The board of directors retains ultimate responsibility for oversee - ing these risks under the direction of the shareholders where any such risks may affect any matter that is reserved to the shareholders. Such risks are typically supported by risk, compliance and internal audit func - tions and, where established, dedicated board com - mittees. At the same time, compliance with international sanctions constitutes a key regulatory expectation in Cyprus, particularly in light of the country’s obliga - tions as a member state of the EU, whose sanctions
certain other professionals engaged in financial or transactional activities. Obliged entities are required to implement compre - hensive AML frameworks, including customer due diligence (CDD), ongoing monitoring of transactions, record-keeping, and the reporting of suspicious trans - actions to the Unit for Combating Money Launder - ing, known as MOKAS. Companies that fall within the scope of the Law must also establish and maintain internal policies and procedures that are proportionate to their risk profile, conduct regular risk assessments, and ensure appropriate staff training. Depending on the sector, additional regulatory requirements may be imposed by competent supervisory authorities such as the Cyprus Securities and Exchange Commission and the Central Bank of Cyprus. From a governance perspective, where a company qualifies as an obliged entity, the board of directors bears ultimate responsibility for ensuring the existence and effectiveness of the AML compliance framework. This includes approving AML policies, appointing a compliance officer and, where required, a money laundering compliance officer (MLCO), and ensuring adequate reporting lines and escalation mechanisms. Boards are expected to receive regular updates on AML risks, suspicious activity reporting, and the effec - tiveness of internal controls, often through audit or risk committees. While day-to-day implementation is delegated to management, ultimate accountability remains with the board. Directors of obliged entities may face significant per - sonal liability in cases of AML non-compliance. Under the applicable AML Law, directors and officers can incur criminal liability where offences are committed with their consent, connivance, or due to their neglect. Enforcement authorities, including MOKAS, and the relevant sectoral regulators, have broad investigatory and enforcement powers, including the imposition of administrative fines and other sanctions. As a result, directors are expected to exercise active and demon - strable oversight over AML systems, rather than rely - ing solely on delegation.
211 CHAMBERS.COM
Powered by FlippingBook