How to Effectively Transition Into an AML Audit Role

Monica Salinas, CAMS

Disclaimer: The views expressed in this paper are those of the author. They do not represent the
views of any organization or institution.

Table of Contents
Preface
Introduction
    The “Audit Pillar”
Components of an AML Audit
    The AML Audit Team
    The AML Audit Risk Assessment
    The Development of the AML Audit Plan
    Structured Interviews With the AML Department
    Review of AML Policies, Procedures, and Processes
    Execution of the AML Audit Plan
    Documentation, Documentation, Documentation
    The AML Audit Report and Reporting Issues
    AML Audit Issues Follow-up/Resolution
General AML Audit Challenges
The AML Audit Role
Transitioning From Audit to AML Audit
Transitioning From AML Operations to AML Audit
Conclusion
References

Preface
As an AML professional working in BSA/AML operations and management for over 12 years,
including developing an AML program from the ground up, implementing and managing an
AML transaction monitoring system, and managing the internal audits and regulatory
examinations of my operations area, when I first transitioned into AML auditing three years ago,
I thought the shift to the “other side” would be smooth and easy. However, despite my extensive
BSA/AML background, there were unforeseen challenges I had not prepared myself for, which
is the basis for this white paper.
The primary objective is to present the challenges and offer suggestions to individuals seeking a
career change into AML Audit. The white paper will examine the transition from general
auditing into AML Audit, and AML Operations into AML Audit, by presenting the challenges
individuals from each area may face, and provide some tools and resources to become effective
in the AML Audit role.
Introduction
Since 1970, the U.S. Congress has enacted multiple measures to hinder criminal money
laundering. At the foundation of it all is the Bank Secrecy Act (BSA), which requires traditional
banks, credit unions, and thrifts to perform anti-money laundering checks and to keep specific
records of events that could signal the occurrence of money laundering. The enactment in 2001
of the USA PATRIOT Act, among other things, expanded the AML program requirements to all
financial institutions, including non-bank financial institutions, securities dealers, and money
services businesses.
At the very basis of a BSA/AML compliance program are the five pillars, as outlined by the
Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act (BSA)/Anti-
Money Laundering (AML) Examination Manual, which provides guidance to examiners for
carrying out BSA/AML and Office of Foreign Assets Control (OFAC) examinations. Until
recently, there were four pillars; a fifth was added in May 2016. Every BSA/AML compliance
program must adhere to the following.
1. Internal Controls – Financial institutions are required to have board-approved policies,
procedures, and processes for all aspects of BSA/AML. However, since a BSA/AML
compliance program is based on risk, “the level of sophistication of the internal controls
should be commensurate with the size, structure, risks, and complexity of the bank. Large
complex banks are more likely to implement departmental internal controls for
BSA/AML compliance.”1

1 https://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2014_v2.pdf

2. Training – The BSA/AML Officer is responsible for training, in a timely manner, the
whole enterprise of the institution on BSA: the board, lenders, front line, etc. Training
needs to be customized to each audience, including ensuring that staff knows how BSA
applies to their role. It is critical that training is supported by the executive team and that
its importance is instilled from the top (the board) down.

3. Designated BSA Officer – Every institution must have a designated BSA/AML Officer
who is appointed by the board. The BSA/AML Officer must have the necessary
experience to carry out the role, which means appointing a higher-level individual with a
comprehensive understanding of BSA and who has the authority and resources to make
decisions and perform the job effectively, including having adequate and competent BSA
staff.

4. Independent Testing – Independent testing (audit) should be conducted by the internal
audit department, outside auditors, consultants, or other qualified independent parties.
The key here is “independent,” which means the party reports directly to the board, a
designated committee, or a member of the board. The audit will address the overall
adequacy and effectiveness of the program (e.g., policies, procedures, etc.), the risk
assessment (e.g., thoroughness, adequacy), reporting and record-keeping requirements
(e.g., SARs, CTRs, the five-year retention rule), transaction monitoring (whether manual
or automated), training, and so forth.

5. Customer Due Diligence (CDD) Requirements – The fifth pillar became effective May
2018 and aims to ensure that financial institutions understand the nature and purpose of
customer relationships, in part, through a “beneficial ownership” requirement for
information about business customers’ ownership structure and management control. It
also requires ongoing monitoring of transactions and maintenance of up-to-date customer
information.

The “Audit Pillar”


It is often presumed that an “independent” party conducting a BSA audit means an
external party such as a consulting firm; however, to be “independent,” a party need only
refrain from assisting in the design of the controls and from participating in the control
activities. Therefore, many
financial institutions rely on their internal audit function to perform the independent reviews as
long as they meet the criteria of “independent.” Internal auditing is a critical component of
effective governance and organizational success. The internal audit’s role in governance is
essential because it provides objective assurance by assessing and reporting on the effectiveness
of governance, risk management, and control processes. In order for internal audit to achieve this
objective, “an AML Audit program should include a strong governance model that clearly
articulates the evaluation of the Auditors AML audit experience, governance committee
structure, required training, requirements of an internal risk assessment, tracking of key metrics,
responsibilities of the AML Officer and completion of a quality assurance program.”2 To expand
on the AML audit governance model, the following key factors need to be incorporated in the
program.
• Expertise
Financial institutions should expect and ensure that the auditor is similarly and
specifically trained and credentialed to perform AML audits as the AML staff and AML
Officer; therefore, the AML auditor should allocate time to developing his or her
expertise using the funds allocated for internal audit department training by the financial
institution. For example, the Certified Public Accountant (CPA) designation is an
outstanding and well-respected credential, but it has no direct correlation with
BSA/AML. Similarly, continuing professional education only enhances BSA/AML
knowledge and skills if it is directly related to that specific subject matter.3
• Approach
All financial institutions are expected to implement and maintain a system of internal
controls that ensures ongoing BSA compliance; therefore, financial institutions should
approach the BSA audit as a risk-based operational audit. The auditor should document
the BSA/AML processes, identify the relevant “key” internal controls, evaluate the
design of those controls, and test internal controls for operating effectiveness.
• Ownership
The board of directors, acting through senior management, is ultimately responsible for
ensuring that the bank maintains an effective BSA/AML internal control structure. Given
that the BSA/AML compliance program is examined as a separate component of a safety
and soundness exam, financial institutions should ensure that the independent testing
performed by internal audit and its results are performed and documented by qualified
personnel.

2 http://www.acams.org/wp-content/uploads/2015/08/How-Audit-Departments-Can-Develop-An-Effective-AML-Program-Thomas-Alessandro.pdf
3 https://www.cricpa.com/bsa-aml-audit-revisited/

Components of an AML Audit

Below is a general outline of steps that have been consistently identified in effective AML audit
programs.4

4 https://www.baesystems.com/en/cybersecurity/how-effective-is-your-aml-auditing#

[Figure: the steps of an AML audit, shown as a flow diagram]
1. Assemble knowledgeable AML audit team
2. Comprehensive review of AML risk assessment
3. Audit plan based on evaluation of risk assessment
4. Structured interviews with AML Officer and AML staff
5. AML policies, procedures, and processes review
6. Develop and implement sufficient testing plans for controls, processes, and monitoring
7. Documentation stage
8. Results via Audit Report
9. Track and confirm resolution of identified issues

The following is a high-level summary of some of the basic components of an AML audit.

1. The AML Audit Team


As mentioned in the previous section, financial institutions should expect and ensure that the
AML audit team comprises auditors specifically trained and credentialed to perform AML
audits. To help management identify gaps in the staff’s AML knowledge that may require
additional resources and/or targeted training, a staff analysis with specific AML criteria
should be performed to understand each auditor’s level of AML expertise.
A knowledgeable AML audit team will help ensure the execution of an effective AML audit
plan.
2. The AML Audit Risk Assessment
Once a strong AML audit governance model has been established, a standard testing program is
developed based on key topics and areas after an audit risk assessment is performed. The audit
risk assessment details the institution’s AML risk profile and drives the level of audit coverage,
including both scope and frequency. Additionally, a well-documented and thorough assessment
can supply the rationale for including or excluding a specific audit area. As per Jonathan
Estreich’s white paper titled “How to Build an Audit Risk Assessment Tool to Combat Money
Laundering and Terrorist Financing,”5 the AML audit risk assessment generally includes, but is
not limited to, identifying issues, metrics, key initiatives, significant changes, and audit and
regulatory findings in order to identify the high-risk areas that require priority coverage as well
as other areas that can be reviewed on a scheduled basis. Primary inherent AML risks that relate
to most financial institutions and that must be assessed as part of the AML Audit Risk Assessment
include, but are not limited to, (a) customers, (b) products and services, (c) transaction activity,
and (d) geographic presence. Additionally, during the assessment, the control environment
developed by the financial institution to mitigate the inherent risks must be reviewed to
determine the adequacy of the control. Additional reviews and assessments are performed during
the AML Audit Risk Assessment with the intent of developing an effective AML Audit Plan.

5 http://www.acams.org/wp-content/uploads/2015/08/How-to-Build-an-Audit-Risk-Assessment-Tool-to-Combat-ML-and-TF-Jonathan-Estreich.pdf

3. The Development of the AML Audit Plan
For an AML auditor to perform these assessments effectively, the AML department must
provide certain evidence or reports as documentary support for its daily
operations. The information provided by the AML department prior to commencement of the
AML audit, coupled with a clear understanding of audit roles and responsibilities, is therefore
essential in achieving a productive and successful audit. Prepare a request list of all required
documents and potential supporting documentation to be able to perform a comprehensive audit,
and be sure this list is given to the AML department in advance to allow sufficient time to collate
the requested items.
An initial key step in the audit planning is to understand the objective, timing, and planned
approach for the audit. Planning sessions involving essential audit members and
other relevant parties can provide pertinent information that helps identify the
key risks and controls around which the audit is developed. Another key step is to review previous
internal audit reports and regulatory examination reports for exceptions and responses to help
determine areas that need to be covered in the audit.
4. Structured Interviews With the AML Department
Holding preliminary meetings with the AML department is important in order to have an overall
understanding of the AML department’s program, procedures, operations, and daily activities. It
is also an opportunity to determine whether there have been any changes in the program or
operations since the last audit that may have an impact on the audit plan. It is important to come
prepared with a list of questions for AML personnel and specific questions for the AML Officer
to ensure that the internal auditor gets the most out of it.
5. Review of AML Policies, Procedures, and Processes
Policies, procedures, and processes are evidence of the AML department’s commitment to
effective risk management and ongoing regulatory compliance. Reviewing policies, procedures,
and processes, along with the interviews and walk-throughs with key process owners, will help
determine whether policies, procedures, and processes are sufficiently documented. It also offers
an opportunity to identify inherent risks and evaluate existing controls to determine whether the
risks are sufficiently mitigated. If policies and procedures do not provide the appropriate level of
granularity, there should be accompanying guidance to address how they should be applied.

Review of the AML policies, procedures, and processes is a key factor in developing testing
plans. The testing plans should include key risks, controls, and audit test steps that define what
the internal auditor needs to test. In selecting controls for testing, consider the controls that AML
management routinely applies to monitor the achievement of the AML department’s objectives
and to mitigate the impact of risks. Identify the key controls by considering the following factors
related to the controls:
• which controls address the most risks;
• degree of risk the control is designed to mitigate; and
• likelihood that the control will fail.
6. Execution of AML Audit Plan
Once the AML audit is planned, fieldwork is executed by the AML internal audit staff. The
testing plans developed from the policies and procedures are now tested for operational
application. Tests of operating effectiveness of controls are concerned with how the controls
were applied and the consistency with which they were applied during the audit period. Tests of
operations use sampling to test controls by looking for exceptions (e.g., deviations from
performance of a control) and, in this case, identified attributes are reviewed in each test. AML
testing criteria and sampling methodology guidelines should be established to help promote
consistency and comprehensive coverage. Re-performance of an operational control may be
required to ascertain that it was performed correctly. The AML department is kept informed of
the audit process through regular status meetings, audit observations, and potential findings;
recommendations are discussed with the AML department as they are identified.
7. Documentation, Documentation, Documentation
How do you get to Carnegie Hall? Practice, practice, practice. How do you get through a
BSA/AML regulatory examination? Document, document, document.
Internal auditors must document relevant information to support the testing of controls and to
support test results and conclusions. Effective workpapers contain information that is sufficient
and relevant to the engagement objectives, observations, conclusions, and recommendations,
which makes the information useful in helping the organization meet its goals. Ensure that the
workpapers and other supporting documents back up the AML audit plan, including mapping the
AML risk profile to the audit program and maintaining sufficient evidence of testing and results.
Additional support is warranted for higher-risk observations. At minimum, the workpapers’
documentation should include the following:
• Clearly identified objective, scope, and methodology of the audit
• Sampling criteria used
• Results, findings, conclusions, and recommendations of the audit
• Sufficient evidence of the work performed to adequately support the findings,
conclusions, and recommendations of the audit
• Documentation on whether the audit objectives were achieved
• Link of the fieldwork to the audit report
• Basis for audit findings and recommendations
• Demonstration of compliance with professional auditing standards
• No inclusion of preliminary notes or observations
• Review to ensure that no issues are left open at the conclusion of any fieldwork
8. The AML Audit Report and Reporting Issues
The final audit report is where the internal auditor expresses his or her opinions, presents the
audit findings, and discusses recommendations for improvements. A summary of the AML audit
findings, conclusions, and specific recommendations is officially communicated to the AML
department through a draft report. The AML department has the opportunity to respond to the
report; within its response, the AML department should explain specifically how
report findings will be resolved and include an implementation timetable. These responses
become part of the final report, which is distributed to the appropriate level of administration.
Significant control breakdowns should be reported to the Audit Committee.
9. AML Audit Issues Follow-up/Resolution
Once the final audit report has been issued, AML internal auditors must follow up with the AML
management to ensure that it has taken appropriate and timely action on reported
recommendations and audit findings. In order to determine the adequacy, effectiveness, and
timeliness of actions taken by management on reported observations and recommendations,
AML internal auditors will need to validate the controls put in place to address the observations
and recommendations. Additional testing of the controls may be required to be able to provide
assurance that the reported issues have been rectified.
In summary, AML audits can only be as effective as the results they produce, and those results
are based on the audit operations themselves. Effective AML auditors ensure that they have
undertaken the following activities:
• Clearly define what the AML goals and objectives are for the AML audit.

• Assign an auditor who is knowledgeable in AML laws, regulations, and expectations.
Auditors who are not knowledgeable about, or are inexperienced with, AML can potentially miss
gaps or weaknesses in an AML program.

• Prepare a request list of all required documents and potential supporting documentation
to be able to perform a comprehensive audit and be sure the list is given to the AML
department in advance to allow sufficient time for collection of the requested items. Be
sure your workpapers and other supporting documents back up your audit plan, including
mapping the AML/BSA risk profile to the audit program and maintaining sufficient
evidence of testing and results. Additional support is warranted for higher-risk
observations.

• Prepare a list of AML interview questions in advance for AML personnel, including
specific questions for the AML Officer. AML auditors must have an overall
understanding of the AML department’s program, procedures, operations, and daily
activities, which may not be easily accessible within the AML written program.

• Obtain operational and management reports from the AML department in advance.
Effective auditing also relies on the AML department’s ability to adequately and
efficiently produce its own operational and management reports.

• Make sure sample sizes are sufficient and representative of the population. Higher-risk
issues, such as MSBs or privately owned ATMs, should be more closely examined than
lower-risk activities.

General AML Audit Challenges


Financial institutions have been receiving a significant number of consent orders from regulators,
with the issues identified at banks including, among other things, weaknesses in
the AML audit program. Most recently, the Office of the Comptroller of the Currency (OCC)
assessed a $100 million civil money penalty against Capital One and Capital One Bank for
deficiencies in its Bank Secrecy Act/Anti-Money Laundering program. The deficiencies cited in
the OCC’s 2015 order against the bank included weaknesses in its compliance program and
related controls; deficiencies in its risk assessment, remote deposit capture, and correspondent
banking processes; and failing to file suspicious activity reports (SARs). The consent order also
states that “the bank has failed to adopt and implement a compliance program that adequately
covers the required BSA/AML program elements due to an inadequate system of internal
controls and ineffective independent testing....”6

6 https://www.occ.gov/static/enforcement-actions/ea2015-081.pdf

As discussed earlier, several key factors need to be taken into account when establishing an
effective AML audit governance model. When one or more elements of the model are
compromised, the risk of weakening the AML audit program increases. The following are some
AML audit hurdles to overcome:7
• Insufficient staffing levels, a lack of proper experience, and inadequate training to
effectively evaluate BSA/AML processes and controls

• A poorly designed audit approach and methodology with regard to the depth and scope of
BSA/AML and OFAC coverage, including an inadequacy in the assessment of staffing
needs and resource allocation

• A lack of adequate oversight and coverage of other lines of businesses required to
perform key BSA/AML and OFAC processes

• Ineffective testing of key systems designed to detect “know your customer” (KYC)
issues, suspicious transactions, and sanctions risks across the enterprise

• Inadequate communication between internal audit and the bank’s other control functions,
such as compliance, risk, operations, and information technology
When these challenges are not properly addressed, it becomes much more difficult to
provide evidence to regulators, through testing workpapers, documentation, and final reports, that
the internal audit appropriately validated the existence of a sufficiently defined and transparent
AML governance structure.8

7 https://www.treliant.com/Portals/0/New%20Coordinates/Treliant_Chisolm_Outlook2015_Web.pdf?ver=2015-07-20-102436-623

The AML Audit Role


Once the AML audit challenges are identified, the next step is to address them. Given the topic
of the white paper, we will be focusing on the deficiencies pertaining to AML audit staff. To
staff an effective AML audit department, the financial institution needs to
adequately assess its BSA/AML risks so that it can hire
audit staff who have the necessary skills to evaluate the financial institution’s BSA/AML
compliance program. Because financial institutions vary widely in the products and services
they offer, with some specializing in niche markets, there is great opportunity for auditors
and AML professionals to transition into an AML audit role.

Transitioning From Audit to AML Audit


“In the beginning, the audit professional was basically a historian who provided an opinion on
the truth and fairness of a set of financial statements covering a period of time in the past.”9
Many financial institutions struggle with how to effectively audit for AML. Unlike other audits,
AML audits require analytics and evaluations from a different perspective with different audit
methodologies; therefore, AML auditors are challenged differently compared with other auditors.
First, the auditor’s assessment is based on the financial institution’s AML program
documentation, tasks, processes, monitoring, and reporting. For an AML auditor to perform
these assessments effectively, the department being audited must provide certain
evidence or reports as documentary support for its daily operations. But what is provided to an
AML auditor initially may not be adequate or comprehensive enough to facilitate an effective
AML audit. This could be a result of the AML department not having a full understanding of
what is being requested, inexperienced auditors who are not adequately trained on AML rules
and regulations, or simply that the AML audit plan is not adequately scoped by the AML auditor.

8 http://files.acams.org/pdfs/2017/How_to_Audit_an_Effective_AML_Governance_Committee_Structure_J.Johnston.pdf
9 http://www.acams.org/wp-content/uploads/2015/08/IT-Audit-Considerations-When-Designing-Audit-Coverage-For-AML-Applications-Peter-Wil.pdf

Another challenge a general auditor may face is the shift of the auditor’s perspective. For
example, a financial audit is carried out by external auditors; therefore, they are not controlled by
the management. The financial auditor’s objective is to attest that the client’s financial statement
is accurate using a standard format focusing on accounting controls present in the general ledger
or subledger systems. The format doesn’t differ much when performing financial audits at
different institutions, and there is little room for subjectivity when reviewing financial
statements. However, when auditing an AML program, the scope of the AML audit is dependent
on the assessment of the financial institution’s product and service offerings and its risk
exposure. The general auditor would need to understand that there is no “one size fits all” AML
audit program.
Compliance auditors may adjust a little more easily to an AML audit than financial
auditors because the basis of compliance audits is to review the level of compliance with internal
policies or external regulatory requirements, which is a major component of an AML audit. An
AML audit can consist of elements from an operational audit and information system audit,
making it an integrated audit. Even though, from a high-level perspective, the objective of the
AML audit is to review for compliance with the Bank Secrecy Act and AML regulations, given
that the BSA/AML program is an enterprise-wide program requiring coordinating regulatory
requirements throughout an organization, across affiliates, activities, business lines, or legal
entities inside a larger risk management framework,10 a complete AML audit program would
have to include an audit of the AML internal controls and operations and an audit of the
information systems like the suspicious activity monitoring system and customer filtering
systems. As per the article titled “The Importance of BSA/AML Programs”: “an audit program
implemented solely on an enterprise-wide basis that does not conduct transaction testing at all
business lines and legal entities subject to the BSA would not be sufficient to meet regulatory
requirements for independent testing for those business lines or entities.”11
One of the areas of the BSA/AML compliance program that may be most challenging for general
auditors is the review of the effectiveness of the suspicious activity monitoring and reporting
systems, which include five key components:
1. Identification or alert of unusual activity (which may include employee identification,
law enforcement inquiries, other referrals, and transaction and surveillance monitoring
system output)
2. Managing alerts
3. SAR decision making
4. SAR completion and filing
5. Monitoring and SAR filing on continuing activity

10 http://www.bankingny.com/portal/Features/tabid/71/newsid413/455/Default.aspx
11 http://www.bankingny.com/portal/Features/tabid/71/newsid413/455/Default.aspx

Policies, procedures, and processes describe the steps the bank takes to address each component
and indicate the person(s) or departments responsible for identifying or producing an alert of
unusual activity, managing the alert, deciding whether to file, completing and filing the SAR,
and monitoring and SAR filing on continuing activity.12 However, in regard to the decision
whether an activity is identified as suspicious and possibly warranting a SAR, as per the FFIEC
BSA/AML Examination Manual (2014), “the decision to file a SAR is an inherently subjective
judgment.” Subjective judgment can be defined as coming to a conclusion based on your own
ideas and opinions. An auditor with limited to no AML background, especially in the suspicious
activity monitoring area, may find the review of dispositioned suspicious activity monitoring
alerts, cases, or reports very frustrating because the final decision is an opinion rather than a fact.
The suspicious activity decision-making skill is developed over time through ongoing training
on case studies or hands-on training, such as sitting in on SAR decision committee meetings,
being mentored by AML managers in charge of the day-to-day operations of the suspicious activity
monitoring and reporting systems, or pairing up with AML audit staff with experience in this
area. Generally, the AML auditor should focus on whether the bank has an effective SAR
decision-making process, not on the individual SAR decisions; however, AML audit testing may
include reviewing individual SAR decisions as a means to test the effectiveness of the SAR
monitoring, reporting, and decision-making process. As per the FFIEC BSA/AML Examination
Manual (2014), “in those instances where the bank has an established SAR decision-making
process, has followed existing policies, procedures, and processes, and has determined not to file
a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is
significant or accompanied by evidence of bad faith.”
As per Jack Sonnenschein’s white paper titled, “AML Training: Preparing Auditors to
Adequately Assess AML Programs,”13 AML skills and expertise can be acquired through a
number of channels, including the following:
• Certifications demonstrating acquisition of AML knowledge (such as the Certified
  Anti-Money Laundering Specialist, especially the advanced audit certification)
• Experience in AML areas such as KYC, suspicious activity surveillance and reporting,
  OFAC, etc.; and acquired working in compliance, legal, technology, or operations
  departments
    o Working at consulting firms that offer AML services can further expand an
      auditor’s knowledge due to the exposure of various products, services, and
      customers, including interaction with non-bank financial institutions. It also
      reduces the risk of working in a silo (e.g., assigned to work on KYC only), which
      limits the ability to develop an auditor’s AML knowledge.
• Performance of AML audit procedures and testing
• Supervision of AML auditors and/or reporting of AML issues
• Writing of papers or articles, or presenting on AML topics

12
https://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2014_v2.pdf

13
http://www.acams.org/wp-content/uploads/2015/08/AML-Training-Preparing-Auditors-To-Adequately-Assess-AML-Programs-Jack-Sonnenschein.pdf

There are several online resources that can assist in AML knowledge development, which are
listed below.
• FinCEN: https://www.fincen.gov/
• OFAC: https://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx
• FATF: http://www.fatf-gafi.org/
• Wolfsberg Principles: https://www.wolfsberg-principles.com/
• ACAMS: https://www.acams.org/ and https://www.acams.org/category/white-papers/

Transitioning From AML Operations to AML Audit


It is presumed that to qualify for an AML audit role, the candidate should have a traditional audit
background. However, as detailed in the previous section, the requirement of having AML
knowledge trumps the need of having auditing skills. As per Jonathan E. Kay’s CAMS-Audit
white paper, “Audit skills are an important facet of an AML audit role, but basic audit techniques
can be taught, and while one could argue that basic AML skills can be taught as well….the
complexities of the current AML world can take much longer to teach.”14
The transition into an AML audit role from an AML operational/management role can be a fairly
seamless process if the appropriate steps are taken to ensure that the right person is assigned the
right role. The AML professional needs to self-assess his or her level of expertise in order to
understand which areas of AML audit he or she is best equipped to
perform. For example, a BSA Analyst working in the suspicious activity monitoring and
reporting processes may have the background to assist in the auditing of the processes; however,
the BSA Analyst may not be able to adequately assess processes relating to currency transaction
reporting due to the lack of exposure in that area.
Training will be critical to help AML professionals acclimate quickly to the AML audit role; for
example, comprehensive training on audit topics and targeted AML training based on the AML
skills assessment are good starting points. General audit topics that should be addressed are audit
methodology, audit workpaper training, and effective audit interviewing training.15 Regarding
audit methodology, one of the approaches to efficiently provide assurance that risks have been
properly managed is to apply the risk based internal auditing (RBIA) approach. The RBIA
approach is defined “as a methodology that links internal auditing to an organization’s overall
risk management framework. RBIA allows internal audit to provide assurance to the board that
risk management processes are managing risks effectively.”16 Given that the financial institution
undergoes an AML risk assessment to assess its risks, the AML auditor can take the same risk
assessment to design the AML audit program from a risk basis.

14
http://www.acams.org/wp-content/uploads/2015/08/The-Current-Trends-Challenges-of-Hiring-Developing-Retaining-Talent-J-Kay.pdf

15
http://www.acams.org/wp-content/uploads/2015/08/The-Current-Trends-Challenges-of-Hiring-Developing-Retaining-Talent-J-Kay.pdf

The audit methodology training should extend to cover sampling methodology to determine and
justify sample selections and workpaper documentation. The audit workpapers should include
sufficient detail to describe clearly the sampling objective and the sampling process used. The
workpapers should include the source of the population, population description details, the
sampling method used (including the method used for selecting sample items), items selected,
details of audit tests performed, and conclusions reached. Workpapers should clearly identify the
methodology used for selecting the sample and should include a justification for the sample size
selected.
The AML professional who is transitioning into the AML audit role already knows the
importance of good documentation given the regulatory scrutiny a financial institution’s AML
compliance program undergoes. The same requirements apply to audit documentation. The AML
auditor needs to be able to “tell the story” of his or her audit review, results of the audit review,
and rationale for escalation or non-escalation of issues to the regulatory examiner within his or
her workpaper documentation. Workpapers should stand on their own; ergo, the purpose, source
of information, and conclusion must be clearly evident, and all information should be
documented in a way that a reviewer will not need to ask additional questions in order to
understand what was tested or how an auditor arrived at the conclusions.17
Several online resources can assist in developing basic audit skills; for example, the Institute of
Internal Auditors of North America (https://na.theiia.org/Pages/IIAHome.aspx), ACAMS
(https://www.acams.org/ and https://www.acams.org/category/white-papers/), and regulatory
websites such as the Office of the Currency Comptroller (OCC) and the Federal Deposit
Insurance Corporation (FDIC).

Conclusion
Internal audit plays an important role in the enterprise-wide BSA program by assessing the level
of compliance with the enterprise-wide BSA/AML program across the entire organization. In
order for internal audit to achieve the objective of assurance by assessing and reporting on the
effectiveness of governance, risk management, and control processes, an AML Audit program
should include a strong governance model that clearly articulates the evaluation of several
components, including the auditor’s AML audit experience. Financial institutions need to make
sure that staffing levels are adequate to assess the BSA/AML risks and that audit staff possess
the requisite experience to evaluate the bank’s BSA/AML compliance program. Therefore, audit
staff should acquire and maintain advanced certifications (i.e., CAMS) and should complete
training that is tailored to and sufficient for the financial institution’s risk profile.

16
https://global.theiia.org/standards-guidance/topics/Documents/201501GuidetoRBIA.pdf

17
https://na.theiia.org/periodicals/Member%20Documents/Global-KB-Effective-Workpapers-Learning-the-Basics.pdf

The growing demands of financial institutions to ensure that internal audit staff have the
required knowledge and expertise to perform AML audits effectively and efficiently create
opportunities for general auditors and AML professionals to transition into the AML audit field.
With the appropriate training, managerial support, and use of tools and resources, the new AML
audit professional will be able to succeed in the transition and also satisfy the financial
institution’s need to develop an internal AML audit team with qualified personnel.

References
Alessandro, T. (2015). How audit departments can develop an effective AML program. Retrieved
from the ACAMS website:
http://www.acams.org/wp-content/uploads/2015/08/How-Audit-Departments-Can-Develop-An-Effective-AML-Program-Thomas-Alessandro.pdf

Bae Systems (2016). How effective is your AML auditing? Retrieved from
https://www.baesystems.com/en/cybersecurity/how-effective-is-your-aml-auditing

Carr, Riggs, & Ingram, LLC. (2018, November 5). The bank secrecy act/anti-money laundering
(BSA/AML) audit revisited. Retrieved from
https://www.cricpa.com/bsa-aml-audit-revisited/

Chartered Institute of Internal Auditors. (2014). Risk based internal auditing. Retrieved from
https://global.theiia.org/standards-guidance/topics/Documents/201501GuidetoRBIA.pdf

Chisolm, J. (2015). Shoring up the internal audit function to enhance BSA/AML and OFAC
compliance testing. Retrieved from
https://www.treliant.com/Portals/0/New%20Coordinates/Treliant_Chisolm_Outlook2015_Web.pdf?ver=2015-07-20-102436-623

Estreich, J. (2013). How to build an audit risk assessment tool to combat money laundering and
terrorist financing. Retrieved from the ACAMS website:
http://www.acams.org/wp-content/uploads/2015/08/How-to-Build-an-Audit-Risk-Assessment-Tool-to-Combat-ML-and-TF-Jonathan-Estreich.pdf

Federal Financial Institutions Examination Council. (2004). Bank secrecy act/anti-money
laundering examination manual. Retrieved from
https://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2014_v2.pdf

Johnston, J. (2017). How to audit an effective AML governance committee structure and AML
issue escalation protocol. Retrieved from the ACAMS website:
http://files.acams.org/pdfs/2017/How_to_Audit_an_Effective_AML_Governance_Committee_Structure_J.Johnston.pdf

Kay, J. E. (2015). The current trends and challenges of hiring, developing and retaining talent in
AML audit and compliance. Retrieved from the ACAMS website:
http://www.acams.org/wp-content/uploads/2015/08/The-Current-Trends-Challenges-of-Hiring-Developing-Retaining-Talent-J-Kay.pdf

Rudinsky, C. (2007, July). The importance of BSA/AML programs. Banking New York.
Retrieved from
http://www.bankingny.com/portal/Features/tabid/71/newsid413/455/Default.aspx

Sonnenschein, J. (2015). AML training: Preparing auditors to adequately assess AML programs.
Retrieved from the ACAMS website:
http://www.acams.org/wp-content/uploads/2015/08/AML-Training-Preparing-Auditors-To-Adequately-Assess-AML-Programs-Jack-Sonnenschein.pdf

The Institute of Internal Auditors (2018). Effective workpapers. Retrieved from
https://na.theiia.org/periodicals/Member%20Documents/Global-KB-Effective-Workpapers-Learning-the-Basics.pdf

United States of America, Department of the Treasury, Comptroller of the Currency, Consent
Order No. 2015-081, AA-EC-2015-48 (2018). Retrieved from
https://www.occ.gov/static/enforcement-actions/ea2015-081.pdf

Wild, P. D. (2015). Information technology audit considerations when designing audit coverage
for AML applications. Retrieved from the ACAMS website:
http://www.acams.org/wp-content/uploads/2015/08/IT-Audit-Considerations-When-Designing-Audit-Coverage-For-AML-Applications-Peter-Wil.pdf
