AML Internal Audit

1. Planning and Preparation

2. Documentation Review

2.1 AML Policies and Procedures

  • Identify the regulations and guidelines that apply to the organization.
  • Ensure policies align with those regulatory requirements.
  • Check that policies and procedures have been updated for regulatory changes.
  • Evaluate how effectively the policies are implemented in practice.
  • Document any gaps or areas for improvement.

2.2 Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

  • Verify the adequacy of CDD and EDD procedures.
  • Assess the customer risk assessment methodologies used.
  • Evaluate documentation of customer identity verification.
  • Check for consistency in application across customers.
  • Identify any exceptions and their justifications.

2.3 Transaction Monitoring System

  • Review the system configuration and the parameters (rules and thresholds) set.
  • Evaluate the effectiveness of the alerts generated.
  • Check for integration with other compliance systems.
  • Assess data accuracy and reporting capabilities.
  • Identify any system enhancements needed.

2.4 Suspicious Activity Reports (SARs)

  • Review SAR filing procedures and timelines.
  • Assess the documentation supporting each SAR.
  • Evaluate the follow-up actions taken on SARs.
  • Check for trends or patterns in SARs filed.
  • Identify any training needs based on SAR findings.

2.5 AML Training Program

  • Assess the content of training materials for relevance.
  • Check for compliance with regulatory training requirements.
  • Verify attendance records for all relevant staff.
  • Evaluate the frequency of training sessions.
  • Identify gaps in training coverage or effectiveness.

2.6 Enterprise Risk Assessment Document

  • Ensure all sections are filled out.
  • Confirm the data is current and relevant.
  • Cross-reference with the risk assessment methodologies in use.
  • Check for signatures or approvals from responsible parties.
  • Look for any updates or revisions made.

2.7 Previous Audit Reports

  • Review the scope and objectives of the audit.
  • Evaluate the independence of the audit team.
  • Check the implementation status of recommendations.
  • Analyze follow-up actions taken by management.
  • Determine if reports are timely and comprehensive.

2.8 Internal Audit Function

  • Verify the audit schedule and frequency.
  • Ensure audits cover all relevant AML processes.
  • Check for documented findings and action plans.
  • Assess the qualifications of the audit team.
  • Review management's responses to audit findings.

2.9 High-Risk Customer Monitoring

  • Confirm the criteria used for identifying high-risk customers.
  • Review transaction monitoring reports for accuracy.
  • Check for documentation of alerts and investigations.
  • Ensure there are records of the due diligence conducted.
  • Assess the frequency and thoroughness of reviews.

2.10 Suspicious Activity Reporting Procedures

  • Review the reporting channels and procedures.
  • Check for training provided to staff on reporting.
  • Ensure there are clear guidelines for escalation.
  • Assess the timeliness of reported activities.
  • Verify documentation of all reported cases.

2.11 Correspondence with Regulators

  • Check for records of all communications with regulators.
  • Ensure documentation includes responses and follow-ups.
  • Assess how communications are tracked and managed.
  • Verify the accuracy of information shared.
  • Look for evidence of compliance with regulatory requirements.

2.12 Regulatory Examination Findings

  • Review all regulatory findings for completeness.
  • Check the organization's responses and corrective actions.
  • Ensure timelines for addressing findings are documented.
  • Evaluate the effectiveness of implemented changes.
  • Confirm follow-up audits or reviews were conducted.

2.13 Customer Identification Policies

  • Verify policies align with regulatory requirements.
  • Ensure procedures are clearly documented.
  • Check for training materials related to these policies.
  • Assess the implementation of identification procedures.
  • Review any updates or amendments made to policies.

2.14 AML Software and Tools

  • Review documentation of the software selection process.
  • Check for user training and support records.
  • Assess effectiveness through performance metrics.
  • Verify integration with existing AML processes.
  • Ensure documentation is current and reflects actual usage.

2.15 Internal Control Framework

  • Review the internal control framework documentation.
  • Ensure risk mitigation strategies are clearly defined.
  • Check for regular updates to the controls.
  • Assess the effectiveness of controls through testing.
  • Confirm documentation includes roles and responsibilities.

3. Testing of Controls

3.1 Know Your Customer (KYC) Files

  • Review a sample of customer files for completeness.
  • Check for proper documentation of identity verification.
  • Assess adherence to KYC policies and procedures.
  • Evaluate the frequency of KYC updates.
  • Test for compliance with relevant regulations.

3.2 Transaction Monitoring System

  • Examine system parameters and thresholds for alerts.
  • Review a sample of flagged transactions for accuracy.
  • Test the system's ability to detect unusual patterns.
  • Evaluate the effectiveness of the alerts generated.
  • Assess user training on system functionality.

3.3 Customer Risk Rating

  • Review the risk assessment methodologies used.
  • Test a sample of customer risk ratings for accuracy.
  • Evaluate the consistency of risk classification.
  • Assess the documentation supporting risk decisions.
  • Check for updates based on changes in customer behavior.

3.4 Suspicious Activity Reporting

  • Review the reporting procedure documentation.
  • Test a sample of reported cases for compliance.
  • Assess the timeliness of escalations to the relevant authorities.
  • Evaluate the training provided on reporting mechanisms.
  • Check for follow-up actions on reported activities.

3.5 Regulatory Compliance

  • Review internal policies for alignment with regulations.
  • Sample transactions to test adherence to legal requirements.
  • Evaluate employee training records on compliance.
  • Assess audit trails for documentation of compliance.
  • Check for regular updates to policies based on regulatory changes.

3.6 Training Program

  • Collect training materials and schedules.
  • Verify the frequency of training sessions.
  • Assess employee attendance records.
  • Gather feedback from employees on training effectiveness.
  • Check for updates reflecting recent regulatory changes.

3.7 Sanctions Screening

  • Review the criteria used for sanctions screening.
  • Test that sanctions list updates are applied accurately and on time.
  • Evaluate the frequency of screening processes.
  • Analyze false positive rates and the procedures for handling them.
  • Confirm adherence to regulatory requirements.

3.8 High-Risk Customers

  • Review risk assessment processes for high-risk customers.
  • Check the frequency of due diligence reviews.
  • Assess the documentation of risk factors.
  • Evaluate follow-up actions taken on identified risks.
  • Confirm compliance with regulatory expectations.

3.9 Record Keeping

  • Review documentation procedures for AML activities.
  • Ensure records are maintained for the required retention periods.
  • Assess the completeness and accuracy of records.
  • Check access controls to sensitive documents.
  • Evaluate the process for record retrieval.

3.10 Flagged Transactions and Investigations

  • Review patterns of flagged transactions.
  • Assess the timeliness of follow-up actions.
  • Evaluate the criteria for flagging accounts.
  • Document the outcomes of investigations.
  • Ensure compliance with internal policies.

3.11 Automated Systems

  • Assess the functionality of automated systems.
  • Evaluate integration with existing processes.
  • Test system outputs for accuracy.
  • Review user access controls and permissions.
  • Confirm regular system updates and maintenance.

3.12 Third-Party Relationships

  • Review due diligence processes for third parties.
  • Assess ongoing monitoring mechanisms.
  • Evaluate documentation of compliance checks.
  • Check for risk assessments of third-party relationships.
  • Confirm adherence to contractual obligations.

3.13 Exception Handling

  • Review exception handling procedures.
  • Assess documentation of exceptions.
  • Evaluate the process for reporting exceptions.
  • Check for follow-up actions taken on exceptions.
  • Confirm compliance with established guidelines.

3.14 Data Analytics

  • Review data analytics tools and methodologies.
  • Evaluate the accuracy of analytics results.
  • Assess the frequency of analytics reviews.
  • Document outcomes of identified cases.
  • Confirm alignment with regulatory standards.

3.15 Audit Trails

  • Verify the completeness of transaction logs.
  • Assess the accessibility of audit trails.
  • Evaluate whether every entry is time-stamped and attributed to an identified user.
  • Check compliance with retention policies.
  • Confirm that audit trails are regularly reviewed.
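The audit-trail items above (completeness of transaction logs, time-stamping, user identification) can be tested mechanically rather than by eyeballing a sample. The script below is an added example for this checklist; it is not code from the page, from any regulator, or from any AML vendor. It assumes a hypothetical newline-delimited JSON log in which each record carries a sequence number, an ISO-8601 timestamp, the acting user, and a SHA-256 hash chaining it to the previous record; the sample records, the deleted record and the after-the-fact edit are all constructed for the example.

```python
"""Mechanical checks on an AML audit trail: completeness (contiguous sequence
numbers), time-stamping, user attribution and tamper-evidence.

Added example for this checklist; not code from the page, a regulator or an
AML vendor. Assumes a hypothetical newline-delimited JSON log in which every
record carries a sequence number, an ISO-8601 timestamp, the acting user, and
a SHA-256 hash chaining it to the previous record. All sample records below
are constructed for the example.
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # hash "before" the first record


def canonical(body: dict) -> bytes:
    # Deterministic serialisation so the hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, body: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


def write_log(bodies):
    """Append-only writer: each line stores the previous hash and its own."""
    lines, prev = [], GENESIS
    for body in bodies:
        h = chain_hash(prev, body)
        lines.append(json.dumps({**body, "prev": prev, "hash": h}, sort_keys=True))
        prev = h
    return lines


def audit_log(lines, first_seq=1):
    """Return findings as (code, line_number, seq) tuples; empty means clean."""
    findings = []
    prev_hash, prev_seq, prev_ts = GENESIS, first_seq - 1, None
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("unparseable", n, None))
            continue
        seq = rec.get("seq")
        body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        # Completeness: sequence numbers must be contiguous.
        if seq != prev_seq + 1:
            findings.append(("sequence_gap", n, seq))
        # User identification: every entry must name who acted.
        if not rec.get("user"):
            findings.append(("missing_user", n, seq))
        # Time-stamping: parseable and never going backwards.
        try:
            ts = datetime.fromisoformat(rec["ts"])
            if prev_ts is not None and ts < prev_ts:
                findings.append(("timestamp_regression", n, seq))
            prev_ts = ts
        except (KeyError, TypeError, ValueError):
            findings.append(("bad_timestamp", n, seq))
        # Tamper-evidence: the record must link to the previous hash and its
        # stored hash must match its current contents.
        if rec.get("prev") != prev_hash or rec.get("hash") != chain_hash(prev_hash, body):
            findings.append(("chain_break", n, seq))
        prev_hash = rec.get("hash", prev_hash)  # resynchronise after a break
        if isinstance(seq, int):
            prev_seq = seq
    return findings


# Constructed sample: a case-management log for one monitoring alert. Record 5
# was written with no user and record 6 with a clock that had gone backwards.
SAMPLE_BODIES = [
    {"seq": 1, "ts": "2024-03-01T09:00:00+00:00", "user": "analyst.a", "action": "alert_opened", "alert": "A-1001"},
    {"seq": 2, "ts": "2024-03-01T09:04:00+00:00", "user": "analyst.a", "action": "note_added", "alert": "A-1001"},
    {"seq": 3, "ts": "2024-03-01T09:10:00+00:00", "user": "supervisor.b", "action": "escalated", "alert": "A-1001"},
    {"seq": 4, "ts": "2024-03-01T09:15:00+00:00", "user": "supervisor.b", "action": "sar_drafted", "alert": "A-1001"},
    {"seq": 5, "ts": "2024-03-01T09:20:00+00:00", "user": "", "action": "sar_filed", "alert": "A-1001"},
    {"seq": 6, "ts": "2024-03-01T09:05:00+00:00", "user": "admin.c", "action": "threshold_changed", "new_value": 10000},
    {"seq": 7, "ts": "2024-03-01T09:30:00+00:00", "user": "admin.c", "action": "alert_closed", "alert": "A-1001"},
]


def tampered_sample_lines():
    """Write the sample, then delete seq 4 and edit seq 7 after the fact."""
    lines = write_log(SAMPLE_BODIES)
    del lines[3]                      # seq 4 removed: gap and broken link
    rec = json.loads(lines[-1])
    rec["user"] = "analyst.a"         # seq 7 rewritten without re-hashing
    lines[-1] = json.dumps(rec, sort_keys=True)
    return lines


def sample_findings():
    return audit_log(tampered_sample_lines())


if __name__ == "__main__":
    for code, line_no, seq in sample_findings():
        print(f"line {line_no} (seq {seq}): {code}")
```

Run against an exported log instead of the constructed sample by feeding its lines to audit_log. The hash-chain check only applies where the producing system writes such a chain; without it, the sequence, timestamp and user checks still stand, but a deleted record is detectable only through the sequence gap, and an edited record is not detectable at all, which is itself a finding worth recording under record keeping.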

4. Interviews and Observations

5. Reporting Findings

5.1 Documenting Findings

  • Use clear, unambiguous language.
  • Include relevant details and context.
  • Organize findings by category.
  • Ensure consistency in formatting.
  • Use bullet points for clarity.

5.2 Classifying Findings by Risk

  • Define criteria for risk classification.
  • Assess the impact of each finding.
  • Consider the likelihood of occurrence.
  • Use a standardized risk matrix.
  • Document the rationale for each classification.

5.3 Developing Recommendations

  • Ensure recommendations are practical.
  • Align each recommendation with the finding it addresses.
  • Prioritize based on risk level.
  • Include timelines for implementation.
  • Suggest responsible parties for each action.

5.4 Draft Report and Management Review

  • Compile findings, classifications, and recommendations.
  • Format the report for readability.
  • Schedule a review meeting with management.
  • Incorporate feedback from management.
  • Ensure all key points are addressed.

5.5 Final Report and Distribution

  • Incorporate final edits and corrections.
  • Ensure all stakeholders' inputs are considered.
  • Format the report for distribution.
  • Identify key stakeholders and their contact details.
  • Send the report via appropriate channels.

6. Follow-Up and Monitoring

7. Continuous Improvement
