
Risk and Assurance

In a challenging context where unpredictable events can have a direct impact on organizations, trust, transparency, and adaptability have become essential to business sustainability.

At PKF, we believe it is possible to prepare organizations to face the risks inherent to their activities—and even turn those risks into opportunities for growth.

Our people- and knowledge-centered approach combines independence and technical rigor with a strong focus on results. We operate within an integrated structure that enables us to work cohesively and effectively, bringing together multidisciplinary expertise in internal control, risk management, compliance, and information systems.

In the area of Internal Control, we support organizations by performing independent and systematic assessments of business processes. We assist in the development and execution of Internal Audit Plans, evaluate control culture, analyze internal control systems, conduct compliance testing, carry out internal audit assignments (including specific topics such as cybersecurity, ESG, or fraud), and support the creation or transformation of the Internal Audit Function.

In Risk Management, we help organizations turn uncertainty into competitive advantage. We design and implement practical risk management and internal control solutions tailored to each business’s reality and complexity. Our services include developing risk management policies, preparing risk matrices, and supporting the Risk Management Function in its monitoring activities. We also implement an integrated GRC solution, bringing together the risk matrix and monitoring activities into a single application.

In the area of Compliance, we assist organizations in identifying, implementing, and monitoring mechanisms that ensure adherence to legal, regulatory, and internal requirements. We carry out the assessment and implementation of compliance programs (including anti-money laundering and counter-terrorism financing), regulatory risk mapping and monitoring, policy and procedure review, third-party integrity analysis, awareness and training sessions, and support the creation or development of the Compliance Function. Our approach is pragmatic and informed by deep sector-specific regulatory knowledge, promoting a culture of integrity and organizational transparency.

Our Risk & Assurance Services team has extensive experience in projects developed for entities supervised by the Bank of Portugal (BdP), the Portuguese Securities Market Commission (CMVM), and the Insurance and Pension Funds Supervisory Authority (ASF), while also supporting organizations from other sectors and geographies. We benefit from strong local technical expertise and the support of the international PKF network, present in over 150 countries.

As trusted partners, we share knowledge, foster constructive challenge, and build close relationships based on mutual respect. Our goal is clear: to ensure that the services we deliver create sustainable value for our Clients.

In this regard, we offer a wide range of Audit and Advisory services, including the following:

  • Development and implementation of Internal Audit Policies, Manuals, and Regulations

  • Definition of the Annual Internal Audit Plan

  • Implementation and/or review of internal control frameworks

  • Execution of internal audit assignments

  • Review and optimisation of processes

  • Review of the internal control system (specific areas)

  • Assessment of the Internal Audit Function

Notice No. 3/2020 of the Bank of Portugal
Independent assessments provided for in Notice No. 3/2020 of the Bank of Portugal, which may be carried out by our team:

  • Assessment of the institution’s conduct and values, including those of the Management Body and its committees (Article 3(2) of Notice No. 3/2020 of the Bank of Portugal)

  • Assessment of the conduct and values of the Supervisory Body (Article 3(2) of Notice No. 3/2020 of the Bank of Portugal)

  • Assessment of the adequacy of the processes for obtaining, producing, and processing information implemented by the institution, as well as the control mechanisms in place to ensure that all information produced is reliable, accurate, consistent, complete, up to date, timely, accessible, and granular (Article 29(7) of Notice No. 3/2020)

  • Assessment of the compliance of information flows (Article 30(4) of Notice No. 3/2020)

  • Assessment of the adequacy and effectiveness of the Internal Audit Function (Article 32(8) of Notice No. 3/2020)

  • Issuance of a supporting report to assist the opinion of the Supervisory Body, as set out in Article 56(1) of Notice No. 3/2020, which includes:

    i. A clear, detailed, and well-substantiated positive opinion on the adequacy and effectiveness of the institution’s organisational culture and internal governance and control systems, within the scope of the legal responsibilities of the Supervisory Body, taking into account, as of the reporting date, the current or potential impacts of any unresolved deficiencies.

    ii. An assessment of the implementation status of measures defined during the reporting period to address identified deficiencies, including those relating to the internal financial control system and accounting system, as reported by the Statutory Auditor under Article 11(2)(j) of Regulation (EU) No. 537/2014, or resulting from other activities carried out by the auditor, or identified by other external entities, including supervisory authorities.

    iii. An opinion on the performance quality and independence of the internal control functions, including outsourced operational tasks, in accordance with Article 36.

    iv. A statement on the reliability of the processes for preparing prudential and financial reports, including those submitted under Commission Implementing Regulation (EU) No. 680/2014 of 16 April 2014, during the reporting period.

    v. A statement on the reliability of the processes for preparing public disclosures made by the institution under applicable laws and regulations, including financial and prudential information.

    vi. A statement on the institution’s compliance, during the reporting period, with all public disclosure obligations arising from applicable legislation and regulations, as set out in this Notice.

  • Outsourcing of Risk Management Function responsibilities

  • Development and support in the implementation of Risk Management Policies and Manuals

  • Definition of the Activity Plan

  • Comprehensive analysis of internal and external risks, including their identification, analysis, assessment, mitigation, monitoring, and communication

  • Preparation of the risk matrix and development of risk management strategies

  • Review of the governance model and internal control system

  • Implementation of a GRC (Governance, Risk, and Compliance) solution

  • Outsourcing of Compliance Function responsibilities

  • Development and support in the implementation of Compliance Policies and Manuals

  • Definition of the Activity Plan

  • Gap analysis to identify obligations and assess exposure to regulatory non-compliance risks

  • Preparation of a regulatory obligations checklist for the institution

  • Support in implementing the action plan to address outstanding deficiencies identified by the Compliance Function

Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT)

  • Development and implementation of AML/CFT Policies and Manuals

  • Testing in support of the Supervisory Body’s Opinion for the issuance of the Annual AML/CFT Report for entities supervised by the Bank of Portugal (BdP)

  • Effectiveness testing in accordance with Article 9 of BdP Notice No. 1/2022

  • Testing in support of the AML/CFT Report for entities supervised by the Portuguese Securities Market Commission (CMVM)

  • Effectiveness testing under Article 5 of CMVM Regulation No. 2/2020

  • Assessment of the compliance of internal Policies and Manuals with the legal provisions of Law No. 83/2017, BdP Notice No. 1/2022, and CMVM Regulation No. 2/2020

  • Audit of the implementation of recommendations resulting from special audits by the Bank of Portugal (e.g. Specific Determinations and Supervisory Measures)

  • Support in implementing the action plan to address outstanding AML/CFT deficiencies

  • Assessment of the AML/CFT Risk Management Model, regarding the adequacy and effectiveness of the internal control system in ensuring compliance with preventive obligations

 

Senior Team

Rafael Nunes
Head of Risk and Assurance Services
rafael.nunes@pkf.pt
+351 925 324 810

Rafael Nunes is currently the Head of Risk & Assurance at PKF Portugal, bringing extensive experience in internal audit, risk management, and compliance. He is also particularly engaged in areas such as governance and anti-money laundering and counter-terrorist financing (AML/CFT), focusing on the implementation of internal control systems and fostering a culture of compliance within organizations.

He has also developed and delivered webinars and seminars on topics such as "Global Internal Audit Standards" and "Amendments to Bank of Portugal Notice No. 3/2020", highlighting regulatory changes and global best practices in internal audit and internal control.

Academically, he holds a degree from ISEG – Lisbon School of Economics & Management, where he built a strong foundation in management and internal control.