
Introduction
An anti-money laundering (AML) audit is a structured, independent review of a financial institution's anti-money laundering program. For FinTech companies, crypto firms, and banks operating in the United States, it represents one of the four mandated pillars of a compliant BSA/AML program under 31 U.S.C. § 5318(h).
Most compliance teams know an AML audit is legally required. What they lack is a clear, repeatable process for actually conducting one. This gap carries real regulatory consequences: poorly executed audits invite enforcement actions, not just internal findings.
TD Bank's $1.3 billion FinCEN penalty in 2024 specifically cited an ineffective independent testing function that failed to ground audit scope in the bank's actual illicit finance risks.
This guide covers the five-step process for conducting a compliant, defensible AML audit, from scoping through remediation.
TL;DR
- An AML audit evaluates whether your AML program is adequate and whether your firm actually follows it
- Your AML Compliance Officer cannot audit their own program — independence is a regulatory requirement
- Audit scope must cover policies, CIP, transaction monitoring, SARs, OFAC screening, training, and prior findings
- Annual audits are standard for most regulated entities; frequency increases with risk
- Most firms fail at post-audit remediation: unaddressed findings become regulatory liabilities
What Is an AML Audit?
An AML audit is an independent test of a firm's anti-money laundering program. It assesses three core questions:
- Do written policies exist?
- Do those policies meet regulatory requirements?
- Are employees actually following them in practice?
The audit produces an objective, documented assessment of program adequacy and compliance gaps. That documentation gives senior management and regulators a clear, defensible record of how AML controls are operating.
How AML Audits Differ from Financial Audits
Confusing the two is common — but the scope, standards, and outputs are distinct in ways that matter for compliance planning:
| Financial Audit | AML Audit |
|---|---|
| Examines accuracy of financial statements | Examines effectiveness of anti-money laundering controls |
| Conducted by CPAs under GAAS standards | Conducted by AML specialists or qualified auditors |
| Produces opinion on financial statement accuracy | Produces assessment of AML program adequacy |
| Required for public companies and many lenders | Required for all BSA-regulated financial institutions |

According to the FFIEC BSA/AML Manual, "The purpose of independent testing (audit) is to assess the bank's compliance with BSA regulatory requirements, relative to its risk profile, and assess the overall adequacy of the BSA/AML compliance program."
Why AML Audits Matter in FinTech, Crypto, and Banking
The Regulatory Mandate
Independent testing requirements vary by entity type, but all covered financial institutions must conduct them:
| Entity Type | Regulation | Independence Requirement |
|---|---|---|
| Banks | 31 CFR 1020.210 | Testing by bank personnel or outside party |
| Broker-Dealers | 31 CFR 1023.210 | Testing by personnel or qualified outside party |
| Money Services Businesses | 31 CFR 1022.210 | Reviewer cannot be the designated compliance officer |
| Loan/Finance Companies | 31 CFR 1029.210 | Testing by person other than compliance officer |
FinCEN's risk-based standard means higher-risk products and services demand more frequent and deeper audits. MSB regulations state that scope and frequency must be "commensurate with the risk" posed by the business's products, services, customers, and geographic locations.
Enforcement Consequences of Audit Failures
The regulatory cost of inadequate audits is measured in hundreds of millions of dollars. In 2022, USAA Federal Savings Bank paid $140 million to FinCEN, with the consent order explicitly citing audit failures: "USAA FSB relied on an internal audit team to conduct enterprise-wide independent testing of its AML program... The 2016 report noted the Bank's failure to act on account closure recommendations, for example, but failed to recognize the numerous weaknesses identified during the same time period."
Similarly, Shinhan Bank America's $15 million penalty in 2023 highlighted repeat failures to remediate audit findings: "SHBA repeatedly failed to fully remediate these deficiencies to bring the Bank into compliance with the law... SHBA's recurrent failure to remedy its BSA violations demonstrates an inability during the Relevant Time Period to comply with the legal requirements."
The Business Case Beyond Compliance
Those enforcement actions share a common thread: audits that existed but failed to drive remediation. A strong audit program doesn't just reduce penalty risk — it creates measurable operational value:
- Protects sponsor bank relationships by demonstrating mature compliance infrastructure
- Supports investor due diligence during funding rounds when AML program maturity is scrutinized
- Validates control effectiveness to boards and executive leadership
- Identifies operational inefficiencies in transaction monitoring and customer screening
Regulators now scrutinize the third line of defense (internal audit) directly, not just second-line compliance failures. When examiners review your AML program, they're evaluating whether your audit function identified weaknesses and whether leadership acted on them.
How to Conduct an AML Audit: 5 Steps
Step 1: Define Audit Objectives and Scope
Before any testing begins, the auditor must document what the audit is designed to assess. This includes determining whether the engagement will be a full program audit or a targeted review of a specific area—such as transaction monitoring calibration or SAR filing procedures.
Scope decisions must be documented because regulators evaluate whether scoping was reasonable given the firm's risk profile. According to the FFIEC Manual, "Risk-based independent testing focuses on the bank's risk assessment to tailor independent testing to the areas identified as being of greatest risk and concern."
Key scoping considerations:
- Higher-risk products, geographies, or customer types (crypto wallets, high-volume cash transactions, politically exposed persons) warrant proportionally deeper testing
- Areas with repeat deficiencies from prior audits demand expanded scope
- Examination comments or consent order requirements may mandate specific coverage
- New products, system implementations, or organizational restructures require immediate testing

FinCEN's MSB FAQ guidance states that scope should "depend on the money services business' risk assessment, which should take into account the business' products, services, customers, and geographic locations."
All scoping rationale and decisions should be documented in a formal audit plan. Unexplained scope limitations are treated as red flags during examination.
Step 2: Establish Independence and Select the Right Auditor
The designated AML Compliance Officer and anyone on their team cannot conduct the independent audit. This requirement is explicit, not advisory.
FINRA Rule 3310 explicitly states that "Independent testing may not be conducted by: (1) a person who performs the functions being tested, (2) the designated anti-money laundering compliance person, or (3) a person who reports to a person described in either subparagraphs (1) or (2) above."
Independence requirements by structure:
- Large institutions can use internal audit departments, provided they report to the board or audit committee and maintain functional separation from compliance
- Mid-size firms may qualify risk management personnel outside the compliance function, as long as they don't report to the AML officer
- Early-stage FinTechs and crypto firms typically need external qualified parties when internal resources lack sufficient separation
For firms without a separate internal audit function, engaging a qualified external party—such as a fractional BSA Officer or CAMLO through a firm like Fraxtional—can satisfy the independence requirement while providing the subject matter expertise regulators expect.
Critical caveat: The institution remains responsible for audit quality even when outsourcing. Selecting auditors with demonstrated AML regulatory knowledge (not just general audit experience) is a regulatory expectation. The FFIEC Manual notes that "Banks engaging outside auditors or consultants should ensure that the persons conducting the BSA/AML independent testing are not involved in other BSA-related functions at the bank that may present a conflict of interest or lack of independence."
Step 3: Gather Documentation and Prepare the Audit Plan
A formal written audit plan must be prepared before fieldwork begins. The plan should describe:
- Specific areas to be tested
- Methodology (sample-based testing, walkthroughs, document review)
- Timeline and milestones
- Who is responsible for each component
Core documentation the auditor should collect:
- AML program manual and written policies/procedures
- Enterprise-wide risk assessment
- Customer Identification Program (CIP) documentation
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) files
- Transaction monitoring reports and alert dispositions
- SAR and CTR filings (including filing logs and narrative quality review)
- OFAC screening logs and sanctions hit documentation
- Employee AML training records and training content
- Prior audit reports with remediation status
- Management reporting on AML program performance
Why prior audit reports matter:
Reviewing prior audit reports before fieldwork begins lets the auditor assess whether previously identified deficiencies have been genuinely remediated or only addressed on paper. Repeated findings are treated as evidence of systematic control failure—not isolated lapses.
The FFIEC Manual explicitly requires that "Auditors should document the independent testing scope, procedures performed, transaction testing completed, and any findings. All independent testing documentation and supporting workpapers should be available for examiner review."
Step 4: Execute the Audit
Audit execution involves both procedural walkthroughs and substantive transaction testing. The auditor evaluates whether documented procedures exist, whether they're adequate, and whether they're actually being followed.
Core testing areas:
- Confirm AML policies are comprehensive, current, and board-approved
- Verify CIP procedures are properly implemented at onboarding
- Assess whether customer risk scoring under CDD and EDD is accurate and consistently applied
- Test transaction monitoring parameters, thresholds, and alert investigation quality against actual risk
- Review SAR and CTR filings for accuracy, timeliness, and narrative quality
- Confirm OFAC screening runs at onboarding and at defined ongoing intervals
- Verify training completion rates and evaluate whether content meets regulatory expectations
- Assess whether management reporting gives leadership meaningful visibility into AML program performance

Sample-based testing methodology:
Auditors do not review every transaction or customer file. They select a representative sample, including targeted high-risk samples, and test whether procedures were applied correctly.
The OCC's 2020 Sampling Methodologies guidance raised expectations around sampling rigor, explaining "the differences between statistical and judgmental sampling, including the appropriate use of each." The updated handbook provides "a detailed discussion of the OCC's statistical sampling methodologies" and emphasizes that sampling should support "a reliable conclusion about a population of accounts, transactions or loans."
Scope flexibility during execution:
If significant deficiencies surface outside the original scope, the auditor should expand coverage accordingly. Regulators view unexplained scope limitations as red flags, particularly when known deficiencies exist.
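The sample-based testing and scope-flexibility points above are easier to defend in a workpaper when the selection is reproducible. The following Python script is an added illustration, not code from the original article or from any regulator's guidance: it combines judgmental picks (every file that hits a targeted high-risk criterion) with stratified random picks per risk tier, and records a rationale for each selected file. The customer population, tier rates, minimum-per-tier floor and the targeted criteria (PEP, crypto wallet, 90-day cash volume at or above 50,000) are constructed assumptions for the example; a real plan would take them from the firm's risk assessment.

```python
"""Risk-based audit sample selection (constructed example, not real data)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomerFile:
    customer_id: str
    risk_tier: str                 # "low" / "medium" / "high" from the firm's CDD scoring
    pep: bool = False              # politically exposed person
    crypto_wallet: bool = False    # customer holds a crypto wallet product
    cash_volume_90d: float = 0.0   # aggregate cash activity in the last 90 days


# Judgmental criteria (assumed): any file matching one is always tested.
TARGETED_CRITERIA = {
    "pep": lambda f: f.pep,
    "crypto_wallet": lambda f: f.crypto_wallet,
    "high_cash": lambda f: f.cash_volume_90d >= 50_000,
}

# Random coverage per tier (assumed rates); higher tiers get a larger share.
TIER_RATES = {"low": 0.05, "medium": 0.15, "high": 0.50}
MIN_PER_TIER = 2   # floor so no tier goes untested


def select_audit_sample(population, seed):
    """Return (sample, rationale).

    The sample is the union of targeted files and a stratified random draw
    from the remaining files. The seed and the sorted pools make the draw
    reproducible, so the workpaper can show exactly how the sample arose.
    """
    rng = random.Random(seed)
    selected = {}
    rationale = []

    # 1. Judgmental picks: every file hitting a targeted criterion.
    for f in population:
        hits = [name for name, pred in TARGETED_CRITERIA.items() if pred(f)]
        if hits:
            selected[f.customer_id] = f
            rationale.append((f.customer_id, "targeted:" + ",".join(hits)))

    # 2. Stratified random picks from what is left, per risk tier.
    for tier, rate in TIER_RATES.items():
        tier_total = sum(1 for f in population if f.risk_tier == tier)
        pool = sorted(
            (f for f in population
             if f.risk_tier == tier and f.customer_id not in selected),
            key=lambda f: f.customer_id,
        )
        n = min(len(pool), max(MIN_PER_TIER, math.ceil(tier_total * rate)))
        for f in rng.sample(pool, n):
            selected[f.customer_id] = f
            rationale.append((f.customer_id, f"random:{tier}"))

    return list(selected.values()), rationale


def build_constructed_population():
    """Forty constructed customer files; not real customer records."""
    files = []
    for i in range(40):
        files.append(CustomerFile(
            customer_id=f"C{i:03d}",
            risk_tier=("low", "medium", "high")[i % 3],
            pep=(i % 17 == 0),
            crypto_wallet=(i % 11 == 0),
            cash_volume_90d=75_000.0 if i == 5 else 1_000.0 * i,
        ))
    return files


def run_example(seed=2024):
    """Select a sample from the constructed population and summarise it."""
    sample, rationale = select_audit_sample(build_constructed_population(), seed)
    return {
        "size": len(sample),
        "ids": sorted(f.customer_id for f in sample),
        "targeted": sorted(cid for cid, why in rationale if why.startswith("targeted")),
        "high_tier": sum(1 for f in sample if f.risk_tier == "high"),
        "rationale": rationale,
    }


if __name__ == "__main__":
    result = run_example()
    print(f"sample size: {result['size']}")
    for cid, why in result["rationale"]:
        print(cid, why)
```

Keeping the seed, the tier rates and the criteria in the audit plan is what lets a later reviewer rerun the draw and obtain the same files; if scope is expanded mid-fieldwork, the expansion can be run as a second call with a new seed and its own rationale entries rather than by editing the first list.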
Step 5: Report Findings and Drive Remediation
Effective audit reports:
- Rate each finding by severity — critical, high, medium, or low — based on its potential impact on the AML program
- Provide specific, actionable recommendations rather than generic "enhance controls" language
- Present findings formally to senior management and the board, with sufficient detail for informed decision-making
- Document a clear timeline for each remediation item, with named ownership
Post-audit action plan requirements:
Management must assign ownership, set remediation deadlines, and document corrective measures for each finding. Vague action plans are a common regulatory criticism.
The TD Bank consent order specifically criticized this gap: "Reports of independent testing to the Bank's Audit Committee generally failed to highlight BSA-related findings, which prevented the Audit Committee from properly overseeing the remediation of BSA-related deficiencies."
The auditor's follow-up role:
After remediation, the auditor (or a subsequent audit cycle) should verify that fixes were implemented in practice, not just updated in written procedures. Regulators expect evidence of sustainable controls, not paper compliance.
FINRA's 2024 Annual Regulatory Oversight Report highlights "Inadequate Testing" as a primary finding, specifically calling out "testing that fails to consider whether AML reports and systems are accurately and reasonably capturing suspicious transactions."
What Does an Independent AML Audit Actually Cover?
An independent AML audit covers the entire AML/CFT compliance program — not just transaction activity. Most firms are surprised by how far the scope reaches.
Comprehensive coverage areas:
- AML program manual (policies, procedures, controls)
- Enterprise-wide risk assessment methodology and outputs
- Individual customer risk scoring and segmentation
- Customer Identification Program (CIP) compliance
- Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures
- Ongoing monitoring processes and triggers
- Transaction monitoring systems and back-testing of alert effectiveness
- Sanctions and OFAC screening (system configuration, hit resolution)
- SAR and CTR filing processes (timeliness, narrative quality, decision documentation)
- AML training program (content adequacy, completion tracking)
- Record-keeping and retention practices
- Three-lines-of-defense framework (role clarity and escalation paths)
- Management reporting and board oversight
Automated Systems Are Evaluated Too
Transaction monitoring rules, alert thresholds, and screening tools all fall within scope. Auditors assess whether these systems generate actionable alerts or produce excessive false positives that mask genuine risk — a common failure point in growing fintechs and crypto firms.
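One concrete way to back-test alert effectiveness, as the passage above describes, is to measure each monitoring rule's productivity from its alert dispositions. The Python below is an added example written for this article, not code from any monitoring vendor or from the original page: it groups alerts by rule, computes false-positive and SAR-conversion rates, and raises findings for rules that produce many alerts but no SARs, rules whose false-positive rate exceeds a tolerance, and alerts dispositioned late. The alert data, the minimum alert count (20), the false-positive tolerance (90%) and the 30-day disposition limit are constructed assumptions; the page itself states no such thresholds.

```python
"""Back-testing transaction monitoring rules from alert dispositions (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule_id: str
    disposition: str   # "false_positive", "closed_no_sar", "sar_filed"
    age_days: int      # days from alert creation to disposition


MIN_ALERTS = 20      # assumed: below this, rate-based conclusions are not reliable
MAX_FP_RATE = 0.90   # assumed calibration tolerance
MAX_AGE_DAYS = 30    # assumed disposition time limit


def backtest_rules(alerts):
    """Return (metrics_by_rule, findings).

    findings is a list of (rule_id, severity, description) tuples in the
    severity vocabulary the article uses (critical/high/medium/low).
    """
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a.rule_id].append(a)

    metrics, findings = {}, []
    for rule_id, group in sorted(by_rule.items()):
        total = len(group)
        fp = sum(1 for a in group if a.disposition == "false_positive")
        sars = sum(1 for a in group if a.disposition == "sar_filed")
        stale = [a.alert_id for a in group if a.age_days > MAX_AGE_DAYS]
        fp_rate = fp / total
        metrics[rule_id] = {
            "alerts": total,
            "false_positive_rate": round(fp_rate, 3),
            "sar_conversion": round(sars / total, 3),
            "stale_alerts": len(stale),
        }
        # Productivity findings only where the alert volume supports a conclusion.
        if total >= MIN_ALERTS and sars == 0:
            findings.append((rule_id, "high",
                             f"{total} alerts produced no SARs; rule likely miscalibrated"))
        elif total >= MIN_ALERTS and fp_rate > MAX_FP_RATE:
            findings.append((rule_id, "medium",
                             f"false-positive rate {fp_rate:.0%} exceeds tolerance"))
        # Timeliness finding regardless of volume.
        if stale:
            findings.append((rule_id, "high",
                             f"{len(stale)} alerts dispositioned after {MAX_AGE_DAYS} days"))
    return metrics, findings


def build_constructed_alerts():
    """Constructed alert dispositions for three hypothetical rules; not real data."""
    alerts = []

    def add(rule_id, n, disposition, age_days):
        for _ in range(n):
            alerts.append(Alert(f"A{len(alerts) + 1:04d}", rule_id, disposition, age_days))

    add("R01_structuring", 30, "false_positive", 10)
    add("R01_structuring", 2, "false_positive", 45)    # two late dispositions
    add("R01_structuring", 4, "closed_no_sar", 12)
    add("R01_structuring", 4, "sar_filed", 20)
    add("R02_rapid_movement", 25, "false_positive", 5)  # noisy rule, never productive
    add("R03_high_risk_geo", 7, "false_positive", 8)    # too few alerts to judge
    add("R03_high_risk_geo", 3, "sar_filed", 25)
    return alerts


if __name__ == "__main__":
    metrics, findings = backtest_rules(build_constructed_alerts())
    for rule_id, m in metrics.items():
        print(rule_id, m)
    for rule_id, severity, text in findings:
        print(f"[{severity}] {rule_id}: {text}")
```

The volume floor matters: a rule with ten alerts and no SARs may simply be new or narrow, so the example reports its metrics without rating it, while a rule with dozens of alerts and nothing productive is rated for calibration review.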
Single-area vs. full program audits:
Larger institutions often rotate focus areas annually while maintaining overall program coverage. For example:
- Year 1: Full program audit
- Year 2: Targeted transaction monitoring and SAR quality review
- Year 3: Full program audit with expanded CDD/EDD testing
Smaller firms generally complete a full program audit each cycle due to their simpler structures and higher relative risk profiles.
What Auditors Do with Prior Audit Reports
Prior audit reports are always pulled and reviewed. Auditors check whether previous recommendations were actually implemented — and regulators treat repeated findings as evidence of systematic control failure, not isolated gaps.
Understanding what the audit covers is the foundation. The five-step process above walks through exactly how to conduct one, step by step.
Common AML Audit Mistakes That Invite Regulatory Scrutiny
Independence Failures
The primary error is assigning the AML Compliance Officer or their direct reports to conduct or oversee the audit. Regulators treat this as invalidating the audit entirely.
Using auditors without AML expertise compounds the problem. General internal auditors can't effectively assess transaction monitoring calibration, SAR narrative quality, or sanctions screening effectiveness.
Planning and Scoping Failures
Common mistakes include:
- Failing to document scope rationale and risk-based decisions in writing
- Skipping areas because they seem lower risk without documenting that decision
- Allowing audit frequency to slip beyond 18 months without risk-based justification
KPMG's 2024 analysis of regulatory challenges notes a trend of "strict enforcement and more stringent supervision of deficiencies across risk pillars and the whole of company, with potential for escalating consequences for repeat offenses."
Remediation Failures
Completing an audit, generating a findings report, and then missing corrective action deadlines is the most common path to enforcement action.
Regulators have sharpened their focus on timely remediation and sustainable controls. Repeat findings across audit cycles signal to examiners that the firm treats the audit as a checkbox rather than a genuine control improvement mechanism.

The Shinhan Bank America enforcement action demonstrates this: "SHBA's recurrent failure to remedy its BSA violations demonstrates an inability during the Relevant Time Period to comply with the legal requirements."
Frequently Asked Questions
What is an anti-money laundering (AML) audit and what does it involve?
An AML audit is an independent test of whether a firm's AML program is adequate and functioning. It covers policies, procedures, CIP, transaction monitoring, SAR filing, OFAC screening, training, and prior remediation—distinct from a financial audit.
How often is an AML audit required?
Frequency is risk-based — FinCEN requires testing proportionate to your products and services. FINRA requires annual audits for broker-dealers. The FFIEC suggests 12-18 month intervals as a general benchmark. Higher-risk firms should audit more frequently.
Should the AML Compliance Officer conduct the AML program audit?
No. The AML Compliance Officer and their staff cannot conduct the independent audit because they lack the required independence. The audit must be performed by someone outside the compliance function or a qualified third party.
What are the core pillars of an anti-money laundering (AML) program?
Under 31 U.S.C. § 5318(h), the four pillars are: (1) internal policies, procedures, and controls; (2) a designated compliance officer; (3) ongoing employee training; and (4) an independent audit function. The audit is the fourth pillar — it validates the other three.
What is an AML audit report?
An AML audit report is the formal output of the audit process. It documents findings, rates them by severity, provides specific recommendations for remediation, and is presented to senior management. It forms the basis for the post-audit action plan.
What is the difference between a single audit and a program audit?
A targeted audit focuses on one AML component — such as transaction monitoring or CDD — while a program audit reviews the entire framework. Larger institutions often rotate targeted audits annually; smaller firms typically run a full program audit each cycle.