
AML Audit: What It Covers and How to Prepare

An AML audit is an independent assessment of your anti-money laundering program's effectiveness. Learn what auditors evaluate, how to prepare, and how to address common findings.

LexFlag Team Apr 13, 2026 7 min read
For Informational Purposes Only. The articles, guides, and analyses published on this blog are provided by the LexFlag team and guest contributors for educational and informational purposes. They do not constitute legal, regulatory, or professional advice.

AI-Generated Content. Some articles may be partially or fully generated or assisted by artificial intelligence. While we strive for accuracy, errors or outdated information may remain.

Independent Verification Required. You must independently verify any information obtained from this blog before making any decisions. LexFlag, its affiliates, and contributors accept no liability for any loss or damage arising from reliance on blog content.

An AML audit, also called an independent test or independent review, is a systematic evaluation of an organization's anti-money laundering program to determine whether it is functioning effectively and meeting regulatory requirements. In the United States, independent testing is one of the required pillars of a BSA/AML compliance program under the Bank Secrecy Act (BSA), and equivalent requirements exist under AML regulations in most other jurisdictions.

The purpose of an AML audit is not to find blame but to provide an objective assessment of the program's strengths and weaknesses. Conducted by qualified independent parties, whether internal audit staff with appropriate expertise or external firms, the audit identifies control gaps, process deficiencies, and areas where the program falls short of regulatory expectations. Organizations that treat the AML audit as a valuable diagnostic tool rather than a compliance checkbox gain significant advantages in maintaining an effective program.

What an AML Audit Covers

Risk Assessment

Auditors evaluate whether the institution's BSA/AML risk assessment is comprehensive, current, and accurately reflects the organization's risk profile. This includes reviewing how risks are identified across customer types, products, services, and geographic exposure. A risk assessment that fails to capture significant risk areas undermines the entire program.

Policies and Procedures

The audit reviews whether the institution's written AML policies and procedures adequately address all regulatory requirements and are aligned with the risk assessment. Auditors check that policies cover customer due diligence, enhanced due diligence for higher-risk relationships, transaction monitoring, sanctions screening, suspicious activity reporting, currency transaction reporting, and record retention.

Customer Due Diligence and KYC

Auditors test whether the institution's KYC process is functioning as documented. This involves sampling customer files to verify that identification has been properly collected and verified, risk ratings are accurate and supported by documentation, enhanced due diligence has been applied where required (for example, with politically exposed persons and high-risk customers), and beneficial owners have been identified for entity accounts.

Transaction Monitoring

The audit assesses the effectiveness of the institution's transaction monitoring system, including the adequacy of monitoring rules and thresholds, the timeliness and quality of alert review, the disposition process for alerts including escalation procedures, and the ability of the system to detect suspicious activity consistent with the institution's risk profile.

Suspicious Activity Reporting

Auditors evaluate whether suspicious activity is being identified and reported in a timely manner. This includes reviewing the SAR decision-making process, the quality and completeness of filed SARs, the timeliness of filings relative to regulatory deadlines, and whether there are instances where suspicious activity was identified but not reported.

Sanctions Screening

The audit reviews the sanctions screening process, including the completeness and timeliness of list updates, the effectiveness of name-matching algorithms, the alert review and disposition process, and the handling of confirmed matches including blocking and reporting.
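One practical way to test the "effectiveness of name-matching algorithms" point above is to feed the screening engine a set of known variants of a listed name and count the misses. The script below is an added example, not code from the original article or from any vendor product: it runs that exercise against a constructed, entirely fictional watch list. An exact-string matcher stands in for a weak screening configuration, and a token-based fuzzy matcher built on the standard library's difflib is one simple alternative. The list entries, the test names, the 0.8 score threshold and the corporate-suffix list are all assumptions chosen for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample list with fictional names; this is NOT a real sanctions list.
WATCH_LIST = [
    {"id": "ENTRY-0001", "name": "Mikhail Aleksandrovich Petrovsky"},
    {"id": "ENTRY-0002", "name": "Global Trade Services LLC"},
]

# Corporate suffixes that carry no identifying value (assumed list for the example).
NOISE_TOKENS = {"llc", "ltd", "inc", "corp", "co"}


def normalize(name: str) -> str:
    """Strip accents, case, punctuation and corporate-suffix noise from a name."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(t for t in text.split() if t not in NOISE_TOKENS)


def exact_match(query: str):
    """Weak screening: only a byte-for-byte match against the listed form hits."""
    return [(e["id"], 1.0) for e in WATCH_LIST if e["name"] == query]


def best_token_ratio(token: str, name_tokens):
    """Best similarity of one query token against any token of a listed name."""
    if len(token) == 1:  # treat an initial as matching any name token it starts
        return 1.0 if any(nt.startswith(token) for nt in name_tokens) else 0.0
    return max(SequenceMatcher(None, token, nt).ratio() for nt in name_tokens)


def fuzzy_score(query: str, name: str) -> float:
    """Average per-token similarity; order-insensitive, tolerant of dropped names."""
    q_tokens = normalize(query).split()
    n_tokens = normalize(name).split()
    if not q_tokens or not n_tokens:
        return 0.0
    return sum(best_token_ratio(t, n_tokens) for t in q_tokens) / len(q_tokens)


def fuzzy_match(query: str, threshold: float = 0.8):
    """Stronger screening: normalized, token-based matching above an assumed threshold."""
    hits = []
    for entry in WATCH_LIST:
        score = fuzzy_score(query, entry["name"])
        if score >= threshold:
            hits.append((entry["id"], round(score, 3)))
    return hits


# Test cases an auditor might hand to the screening team: (query, expected entry or None).
TEST_CASES = [
    ("Mikhail Aleksandrovich Petrovsky", "ENTRY-0001"),  # exact listed form
    ("MIKHAIL PETROVSKY", "ENTRY-0001"),                 # middle name dropped, upper case
    ("Petrovsky, Mikhail A.", "ENTRY-0001"),             # surname first, initial
    ("Mihail Petrovskiy", "ENTRY-0001"),                 # transliteration variant
    ("Global Trade Services, Ltd.", "ENTRY-0002"),       # suffix and punctuation variant
    ("Michael Peterson", None),                          # similar-looking name that must NOT hit
]


def evaluate(matcher):
    """Return the test cases a matcher gets wrong: missed hits and false positives."""
    failures = []
    for query, expected in TEST_CASES:
        hit_ids = {hit_id for hit_id, _ in matcher(query)}
        if expected is None and hit_ids:
            failures.append((query, "false positive", sorted(hit_ids)))
        elif expected is not None and expected not in hit_ids:
            failures.append((query, "missed", sorted(hit_ids)))
    return failures


if __name__ == "__main__":
    for name, matcher in (("exact", exact_match), ("fuzzy", fuzzy_match)):
        print(f"{name}: {len(evaluate(matcher))} of {len(TEST_CASES)} cases failed")
        for failure in evaluate(matcher):
            print("   ", failure)
```

The exact matcher passes only the listed form and misses every variant; the fuzzy matcher catches all of them while still rejecting the look-alike name. The same harness, run with the institution's real engine in place of `fuzzy_match`, gives the audit a repeatable, documented test rather than an opinion about match quality. Thresholds must still be tuned on the institution's own data, since a threshold low enough to catch transliterations also raises the false-positive load reviewed under the alert-disposition step.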

Training

Auditors assess whether the institution provides adequate AML training to relevant staff. Effective training should be tailored to the employee's role, cover current regulatory requirements and emerging threats, and be delivered at appropriate intervals with completion tracked and documented.

Governance and Oversight

The audit evaluates whether the board of directors and senior management provide adequate oversight of the AML program. This includes reviewing the reporting structure, the qualifications and authority of the BSA officer or compliance officer, and the allocation of resources to the compliance function.

How to Prepare for an AML Audit

Conduct a Self-Assessment

Before the formal audit, conduct an internal assessment of your program against the expected audit scope. Identify and address obvious gaps proactively. This demonstrates a commitment to continuous improvement and reduces the number of formal findings.

Organize Documentation

Ensure that all program documentation is current, organized, and accessible. This includes the risk assessment, policies and procedures, training records, monitoring system configuration documentation, SAR filings and supporting case files, and board and committee reports.

Review Previous Findings

Check the status of all findings and recommendations from previous audits and regulatory examinations. Auditors will specifically follow up on prior findings, and unresolved issues signal a lack of management attention to compliance.

Prepare Staff

Brief the compliance team and other relevant staff on the audit scope and process. Ensure they understand their roles during the audit and can articulate the controls for which they are responsible. Staff should be prepared to answer questions about their day-to-day processes and decision-making.

Test a Sample of Work

Pull a sample of customer files, transaction monitoring alerts, and SAR decisions and review them as an auditor would. Look for incomplete documentation, unsupported risk ratings, and delayed actions. Address any deficiencies before the audit begins.
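The sampling exercise above can be run as a repeatable check rather than a one-off file review. The script below is an added example, not the article's own procedure or any regulator's test plan: it scores a constructed set of alert and SAR records against an internal alert-review aging standard, the BSA SAR filing deadline for banks (30 calendar days after initial detection, or up to 60 when no suspect has been identified), an undocumented no-file decision check, and a high-risk-customer-without-EDD check, which together cover the SAR timeliness, decision documentation and enhanced due diligence findings discussed on this page. The sample records, the 30-day review standard and the ten-word rationale minimum are assumptions for illustration, not regulatory thresholds.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed internal standard for how long an alert may sit unreviewed (not a regulatory deadline).
ALERT_REVIEW_STANDARD_DAYS = 30
# Assumed minimum length for a documented decision not to file.
MIN_RATIONALE_WORDS = 10
# BSA SAR deadline for banks: 30 calendar days after initial detection,
# extendable to 60 calendar days when no suspect has been identified.
SAR_DEADLINE_DAYS = 30
SAR_DEADLINE_NO_SUSPECT_DAYS = 60


@dataclass
class AlertRecord:
    alert_id: str
    customer_risk: str              # "low" | "medium" | "high"
    edd_completed: Optional[date]   # date EDD was last completed, if ever
    detected: date                  # initial detection date
    reviewed: Optional[date]        # date the analyst reviewed the alert
    disposition: str                # "open" | "closed_no_sar" | "sar_filed"
    rationale: str                  # analyst's written decision rationale
    sar_filed: Optional[date] = None
    suspect_identified: bool = True


def check_record(rec: AlertRecord, as_of: date):
    """Apply the audit tests to one record and return the list of exceptions found."""
    findings = []
    if rec.reviewed is None and (as_of - rec.detected).days > ALERT_REVIEW_STANDARD_DAYS:
        findings.append("alert open beyond review standard")
    if rec.disposition == "closed_no_sar" and len(rec.rationale.split()) < MIN_RATIONALE_WORDS:
        findings.append("no-file decision lacks documented rationale")
    if rec.disposition == "sar_filed":
        if rec.sar_filed is None:
            findings.append("SAR recorded as filed but no filing date")
        else:
            limit = SAR_DEADLINE_DAYS if rec.suspect_identified else SAR_DEADLINE_NO_SUSPECT_DAYS
            late_by = (rec.sar_filed - rec.detected).days - limit
            if late_by > 0:
                findings.append(f"SAR filed {late_by} days past deadline")
    if rec.customer_risk == "high" and rec.edd_completed is None:
        findings.append("high-risk customer without completed EDD")
    return findings


def review_sample(records, as_of: date):
    """Map alert_id -> findings for every record in the sample that has at least one."""
    return {r.alert_id: f for r in records if (f := check_record(r, as_of))}


def exception_rate(records, as_of: date) -> float:
    """Share of sampled records with at least one finding."""
    return len(review_sample(records, as_of)) / len(records) if records else 0.0


# Constructed sample records (fictional); AS_OF is the date the self-assessment is run.
AS_OF = date(2026, 4, 13)
SAMPLE = [
    AlertRecord("A-1001", "high", date(2025, 11, 2), date(2026, 1, 5), date(2026, 1, 20),
                "sar_filed", "Structured cash deposits just under the CTR threshold over three weeks.",
                sar_filed=date(2026, 1, 30)),
    AlertRecord("A-1002", "medium", None, date(2026, 2, 1), date(2026, 3, 20),
                "sar_filed", "Rapid pass-through of incoming wires with no business purpose identified.",
                sar_filed=date(2026, 3, 25)),                       # 52 days: 22 days late
    AlertRecord("A-1003", "low", None, date(2026, 2, 10), date(2026, 2, 15),
                "closed_no_sar", "Customer explained."),              # rationale too thin
    AlertRecord("A-1004", "high", None, date(2026, 2, 20), None,
                "open", ""),                                          # 52 days unreviewed, no EDD
    AlertRecord("A-1005", "low", None, date(2026, 3, 1), date(2026, 3, 10),
                "sar_filed", "Counterparty pattern consistent with funnel account activity; no suspect named.",
                sar_filed=date(2026, 4, 10), suspect_identified=False),  # 40 days, within 60-day window
]

if __name__ == "__main__":
    for alert_id, findings in review_sample(SAMPLE, AS_OF).items():
        print(alert_id, "->", "; ".join(findings))
    print(f"exception rate: {exception_rate(SAMPLE, AS_OF):.0%}")
```

Running the same checks the auditor will run, on a sample drawn the same way, turns the pre-audit review into evidence: the exception rate and the list of exceptions can be remediated and then re-run before the formal test begins.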

Common AML Audit Findings

Incomplete or outdated risk assessments. The BSA/AML risk assessment does not reflect current products, services, customers, or geographic exposure. A risk assessment that was last updated two years ago or does not address new business lines is a frequent finding.

Inadequate transaction monitoring thresholds. Monitoring rules and thresholds are not calibrated to the institution's risk profile, resulting in either excessive false positives or failure to detect suspicious activity.

Weak documentation of SAR decisions. SAR filings lack sufficient narrative detail, or decisions not to file are inadequately documented. Regulators expect clear articulation of why activity was deemed suspicious and what investigation was conducted.

Insufficient enhanced due diligence. Higher-risk customers, including PEPs and customers from high-risk jurisdictions, are not receiving the level of due diligence required by the risk assessment and regulatory guidance.

Training gaps. Training is generic rather than role-specific, is not delivered at required intervals, or does not cover current threats and regulatory changes. Staff in customer-facing roles may not understand their responsibilities for identifying and escalating suspicious activity.

Failure to address prior findings. Previously identified deficiencies remain unresolved, indicating that the institution has not prioritized remediation.

Internal vs. External Auditors

The independent test can be performed by internal audit staff or by an external firm, provided the auditors have the required expertise and independence. Internal auditors must be independent of the compliance function they are testing. External firms bring specialized expertise and an outside perspective but are typically more expensive.

Many institutions use a hybrid approach: internal audit conducts the annual independent test and engages external specialists for targeted reviews of complex areas such as transaction monitoring model validation. The choice depends on the institution's size, complexity, and internal audit capabilities.

Frequently Asked Questions

What is an AML audit?

An AML audit, also known as an independent test, is an objective evaluation of an organization's anti-money laundering program. It assesses whether the program meets regulatory requirements and is functioning effectively at detecting and preventing financial crime.

How often is an AML audit required?

US regulatory guidance generally expects the independent test to be conducted every 12 to 18 months, with the exact frequency driven by the institution's risk profile and the complexity of its AML program. Higher-risk institutions, or those with recent material changes or unresolved findings, may need more frequent testing.

Who can conduct an AML audit?

The audit must be conducted by parties who are independent of the AML compliance function and who possess the qualifications and expertise necessary to evaluate the program. This can include the institution's internal audit department or a qualified external firm.

What happens if the audit finds deficiencies?

Audit findings should be reported to the board of directors or a board-level committee. Management must develop and implement corrective action plans with specific timelines. The next audit will verify that the deficiencies have been remediated. Unresolved findings can lead to regulatory enforcement actions.

How does an AML audit differ from a regulatory examination?

An AML audit is an internal or externally contracted review conducted on behalf of the institution. A regulatory examination is conducted by the institution's supervisory authority (for a US bank, a federal functional regulator such as the OCC, FDIC or Federal Reserve, or a state banking regulator). Both evaluate the same areas, but the regulatory examination carries direct enforcement authority and can result in formal enforcement actions.
