Anti-Money Laundering (AML) audits are different from financial audits. As such, AML auditors require specialised skills, knowledge, and experience. An AML audit is a test to determine the adequacy of an organisation's financial crime compliance programme or a specific aspect of the programme, and whether the programme is being followed as intended.

A full-scope audit involves evaluating all aspects of the compliance regime, including:

  • Governance, oversight, and structure;
  • Risk assessment;
  • Policies and procedures;
  • Customer due diligence and enhanced due diligence;
  • Transaction monitoring and list screening;
  • Suspicious activity reports and currency transaction reports;
  • Management information systems reporting;
  • Training;
  • Record retention;
  • Applicable legal and regulatory requirements.

Life cycle and phases of an AML audit

An AML audit moves through several phases. The planning phase includes requesting the audit and agreeing on the audit date, subject, scope, and objectives. The fieldwork phase primarily involves testing key AML compliance controls against their agreed scope and objectives. The reporting phase includes the tasks of finalising the AML audit by preparing and disseminating written information. Remediation planning includes identifying the necessary steps to correct any identified deficiency gaps. The outcomes of the remedial actions are then monitored to ensure the desired results are achieved.

The AML audit programme must be commensurate with the organisation's risk. An adequate risk assessment is key. An effective AML audit programme depends on support from senior management and the board of directors. The audit scope and objectives must be clear to both the auditor and audited entity. Management and auditors' responsibilities must be clearly documented, and lines of communication must remain open. Both parties must maintain effective cooperation and collaboration throughout the process. Audit findings must be clearly documented in the audit report with an approved, effective, monitored, and measurable action plan to address deficiencies.

International AML authorities, such as the Financial Action Task Force and most regulators, recommend a risk-based approach to conducting AML audits. This approach ensures a focus on the higher risk areas of the AML compliance programme. It also ensures the allocation of sufficient time and resources for the audit of such areas. In most regions and jurisdictions, the commonly required frequency of AML independent audits is every 12 to 18 months.

Designing a risk-based approach audit plan

Audit plans should be designed using a risk-based approach. The specifics of the approach can vary depending on the organisation's risk exposure to financial crimes. The applicable laws and regulations in the jurisdictions of operation are factors as well. A risk-based AML audit approach takes into consideration the organisation's:

  • Business;
  • Customers;
  • Products and services;
  • Third-party service providers and vendors;
  • Distribution channels;
  • Jurisdictions of operation.

The auditor assesses the extent and nature of the Anti-Money Laundering / Combating the Financing of Terrorism (AML/CFT) risk assessment and checks that all critical and high-risk areas are covered. Additionally, the auditor reviews the frequency with which the risk assessment is updated and the effectiveness of remedial actions taken when key risk indicators are identified. The documents and information used to perform the risk assessment must also be assessed to determine accuracy.

A review and update of the AML risk assessment should be undertaken whenever a major risk event occurs. The update must be timely, and the measures implemented to address the risk must be adequate and effective to ensure that a similar event will not recur. Reviewing policies, procedures, and major changes to the regulatory landscape is an important part of the audit process. As such, it requires a thorough approach and preparation.

One of the important goals of an audit is to see if the policies and procedures that are in place for an organisation are actually being followed. A lack of compliance indicates either that the policies and procedures need to be updated or that additional operational training is needed for personnel.

AML governance

Independent monitoring and testing of the AML/CFT framework is an important component of AML/CFT governance. It needs to be part of an organisation's overall culture of compliance, starting with oversight by the board of directors. The board of directors is responsible for setting the appropriate tone from the top while enforcing a code of conduct and adherence to governance policies. A culture of compliance and risk reduction is crucial for the AML/CFT framework.

It is important to know who the stakeholders are and understand their roles in the organisation. Often a stakeholder's role indicates their expectations and goals associated with the AML audit. There can be multiple stakeholders in an AML audit, both individuals and groups. Examples include the organisation's board of directors, audit committees, senior management, and the head of risk and compliance. The roles and responsibilities of each position are different, so they will likely have different audit expectations. Auditors should understand these roles and responsibilities, and their associated expectations, when communicating with stakeholders.

Finally, the board of directors is responsible for ensuring the organisation complies with regulations, making legal responsibilities its main focus.
