An independent AML audit isn’t just a regulatory “check-box” exercise; it’s a high-stakes health check for your firm. Whether you are a high street firm or a larger practice with multiple offices, the goal is to identify gaps before the SRA or FCA does.
To ensure the process is smooth, efficient, and actually adds value, preparation is everything. Beyond just “having the files ready,” you need a strategic approach to manage the auditor’s expectations and your team’s time.
Here are 10 essential steps to prepare for your next independent AML audit:
1. Centralise the Evidence Library
Ensure all data is available for the auditor before they even step foot in the office (or log into your portal). This includes the AML Firm-Wide Risk Assessment, current AML policies, training logs, and suspicious activity reports. Digital “data rooms” are highly recommended to avoid last-minute searching.
2. Safeguard Internal Capacity
An independent AML audit is a collaborative effort. Your MLRO, MLCO, and key compliance staff must have clear calendars. Ensure that fee earners and support staff selected for interviews are briefed on the schedule and have the “headspace” to provide clear, accurate answers without being rushed by their daily tasks.
3. Pre-Book Senior Management Reviews
The independent AML audit doesn’t end when the auditor leaves. Book time in advance for Senior Management to review the draft report. Adding the AML audit discussion to the agenda of the next Management Meeting ensures that findings are addressed with the necessary authority and urgency.
4. Share Your “Roadmap”
Transparency is your friend. Share any upcoming plans for the firm with the auditor, such as entering new markets, launching new products, or changing your risk appetite. This allows them to assess your controls against your future state, not just your past.
5. Perform a “Sanity Check” on Registers
Audit your own registers before the auditor does. Ensure your PEP (Politically Exposed Persons), Sanctions, and High-Risk Country registers are up to date. A common pitfall is having a policy that says “we review quarterly” while the register shows the last update was six months ago.
6. Review Previous AML Audit Findings
The easiest way to fail an audit is to repeat the same mistakes. Pull out your previous independent AML audit and your last SRA AML Audit outcomes letter. Be ready to show the auditor exactly how you remediated those specific issues.
7. Test Your Tech Stack
If you use automated onboarding or transaction monitoring software, ensure you can explain the logic and thresholds to the auditor. If you have a Technology Impact Assessment, make it available. Have your IT or technical lead on standby to pull system reports or explain data flow if the auditor wants to “look under the hood.”
8. Document “Why,” Not Just “What”
Independent AML auditors look for the rationale behind your decisions. Ensure your client matter risk assessments contain notes on why a certain client was deemed low risk or why a specific alert was cleared. A “clear” button without a supporting comment is a red flag for an auditor.
9. Conduct a “Mini” Mock Interview
Non-compliance staff often get nervous during interviews. Conduct a brief, informal walk-through with frontline staff to ensure they know where to find the AML policy and who the MLRO is. This builds confidence and ensures consistent messaging across the firm.
10. Clarify the Audit Scope
Before work begins, ensure there is a signed Terms of Reference (ToR). Knowing exactly which period is being tested and which branches or departments are included prevents “scope creep” and helps you focus your preparation on the areas that matter most.