Q&A: Setting the approach for an internal AML audit

Jacob M. Rivkin, Simon Schneider, Kristina French
6/18/2024

The success of an internal AML audit starts with understanding the standards your organization should follow.

To keep up with consistent change and shifting regulatory focus, anti-money laundering (AML) internal audit programs need to allocate their resources wisely. One encouraging sign that many organizations are already taking a proactive approach is that our specialists receive numerous questions about how to prepare for an internal AML audit.

The more steps an organization can take to streamline processes and anticipate changes, the more likely that the results of an internal AML audit can be clear to regulators and actionable for the organization.

While no one solution can instantly make an internal AML audit more efficient, taking a practical approach from several angles can yield significant benefits.

Below, our specialists offer insight on several common questions about preparing for internal AML audits.

Should only internal audit perform independent testing?

Qualified ongoing compliance testing can be performed by the second line of an organization. But if internal audit does not have qualified staff to complete an internal AML audit, the organization should outsource the audit.

Organizations must avoid conflicts of interest when choosing qualified staff for independent testing. Auditors should not be anyone who:

  • Executes the functions they are testing
  • Makes management decisions in the tested field
  • Reports to anyone involved in the tested field
  • Is part of a committee related to the tested field

Even when an organization has qualified internal staff, it might periodically outsource an audit to a third party for an outside perspective on whether its internal audit program is benchmarked to industry and regulatory expectations.

How important is consistency when approaching risk assessments across subject areas?

Risk factors might not be consistent across different subject areas, but maintaining consistency of language and ranges whenever appropriate can increase the clarity and repeatability of an organization’s assessments.

Consistent methodology is an important first consideration. Organizations should set guidelines for how to establish the inherent risk of subject areas, follow mitigating controls, and determine residual risk. A defined standard language that reaches horizontally across the organization can also increase visibility of risk factors among departments, even when dealing within different fields.

One way to think of the goal here is: If people from outside the organization had to repeat the methodology, would they have access to the means to understand what they were doing and why? Would an outside party also reach the same conclusion if it followed the methodology as stated?

What is the best starting point to find “Bank Secrecy Act” (BSA) and AML resources and regulatory updates?

The Federal Financial Institutions Examination Council Examination Manual is a good first stop for learning more about general examination procedures. The Office of Foreign Assets Control (OFAC) also has issued guidance, including a framework for compliance commitments.

Interpreting the guidance in the manuals can be challenging. Specialists who have studied the procedures can offer insight and help answer specific questions.

Regulatory updates require consistent attention, as some agencies don’t adhere to a consistent schedule. One exception is the Office of the Comptroller of the Currency (OCC) Semiannual Risk Perspective.

Multiple sources offer email updates, including:

When planning an internal AML audit, it is important that organizations review the specific scope areas for new or proposed regulations, recent enforcement actions, and industry trends. Planners should also look internally for new products and services that might create new areas of risk.

Can a BSA audit be broken into units?

An end-to-end BSA audit can be challenging to manage. Breaking the full audit down into different areas of focus can provide more sensible coverage, especially in larger, more complex organizations.

Pillars to consider focusing on include:

  • Due diligence and high-risk customers
  • Transaction monitoring, including suspicious activity report filing
  • Currency transaction reporting
  • OFAC and sanctions compliance
  • Governance, board reporting, and policies and procedures
  • Training

Although dividing up a BSA audit can make it easier to manage, an organization must still be able to effectively discuss its BSA program holistically. Consistent language and methodologies are necessary across each section to help pull the entire audit together. Additionally, organizations should include audit areas specific to their risk to effectively assess their BSA programs.

Organizations also can compile a final wrap-up report to detail all the audit segments completed, results, and overall rating of effectiveness for their BSA compliance programs.

What is an appropriate sampling size and methodology? 

Official guidance for sampling might seem somewhat nebulous.

In general, sampling size should be relative to risk. The higher the risk, the more sampling is necessary to form a reasonable conclusion on the effectiveness of controls. For example, operations that are used more frequently or rely on manual methods should have higher sample sizes.

In many cases, sample methodology depends on the organization, but it is crucial to document and explain all rationale. Organizations should record responses to questions including:

  • How is the test defined?
  • What are the expected outcomes?
  • What is the sampling approach (for example, statistical samples with random number generation or a judged selection of samples)?
  • Why is a specific sampling approach chosen?
  • What parameters are used for any judged samples?
  • How are populations determined for sampling?
  • How are the sampling populations confirmed complete?
  • What exceptions to the approved methodology might occur, if any, and why?

Sampling documentation should be clear and comprehensive. A third party should be able to reproduce the methodology and results directly from the documentation without skipping any values or steps.

Additional information for sampling methodologies can be found through the OCC guidance.

How can an internal AML audit include artificial intelligence (AI), predictive analytics, or robotic process automation?

AI and automated tools can be helpful, but they require an enterprisewide framework for approval and ongoing monitoring before they are integrated. In some instances, these tools are like models that require ongoing validation.

Once again, thorough documentation is crucial. Organizations should record how the tool functions, its applications, and how to mitigate risks. Teams should create a schedule to review and refresh the tools as necessary.

There is never a wrong time to ask questions

As AML compliance requirements change, so might the best approaches organizations can take to address them. Crowe consultants not only help answer any current questions clients might have, but also anticipate future needs. Earlier and more comprehensive information helps lead to more effective decisions.

Tap into experience for navigating internal AML audit complexities

Crowe specialists stay atop regulatory updates and are committed to helping organizations complete comprehensive internal AML audits. Schedule a consultation and let’s discuss your auditing needs.
Jacob M. Rivkin
Principal, Consulting
Simon Schneider
Managing Director, Consulting 
Kristina French
Consulting