AML Audit Prep: What Regulators Look For

February 13, 2026

The first sign you are not ready for an AML audit is rarely a missing policy. It is the pause in a meeting when someone asks, “Where is the evidence for that decision?” If your AML framework depends on individual memory, inbox searches, or a few key people being available, an auditor will find that out quickly.

Preparing well is not about producing perfect documents. It is about proving that your programme works as designed, that risk is understood and owned, and that your controls are consistently applied across onboarding, monitoring, reporting and governance. The best audit outcomes come from disciplined preparation, not last-minute collation.

How to prepare for an AML audit with a risk-based plan

Start by treating the audit as a test of operational reality, not paperwork. Auditors typically work backwards from your stated risk profile and regulatory obligations to see whether controls are proportionate, implemented and evidenced. That means your first task is to align on what “good” looks like for your business.

If you operate in a higher-risk space (for example, cross-border payments, online wagering, corporate services, or complex ownership structures), your programme will be judged against that risk, not against a generic checklist. A risk-based approach is not a slogan – it is the logic that should connect your Business Risk Assessment (BRA), your customer risk scoring, the level of CDD/EDD you perform, and the intensity of ongoing monitoring.

Before you gather a single file, confirm three things internally: which regulations and guidance apply to you, which products and customer types drive your highest risks, and where you have changed your approach over the last 12-24 months. Changes matter because auditors will ask why you changed, how you approved it, and how you embedded it.

Understand what the audit will test (and what it will not)

Most AML audits focus on governance, risk assessment, the effectiveness of controls, and evidence of consistent decision-making. They are less interested in whether your policy reads well and more interested in whether it is lived.

Expect scrutiny across the full client lifecycle. That includes onboarding and verification, beneficial ownership and control, screening and adverse media, purpose and intended nature, source of funds and source of wealth where relevant, ongoing monitoring, and escalation processes including suspicious activity reporting.

It also includes the “plumbing” that is easy to overlook: data quality, case management, audit trails, system access and permissions, and how exceptions are handled. If your team can override risk ratings or close alerts without rationale being captured, that is not just a process gap – it is a defensibility gap.

Put governance and accountability in audit-ready shape

Auditors tend to start at the top. They want to see clear ownership, effective oversight, and evidence that senior management is informed and engaged. That does not mean board members must be AML experts, but it does mean they must be able to demonstrate informed challenge and support.

Check that your governance is coherent and current. Your MLRO (or equivalent) role, reporting lines, delegation of authority, and committee structures should match reality. If you rely on group policies, ensure the local application is explicit and approved.

Training is also a governance signal. Completion rates matter, but relevance matters more. A firm with 100% completion of generic training can still fail if frontline teams do not understand risk triggers, escalation thresholds, or how to document rationale. Auditors often test this through interviews, so prepare staff to explain how they apply controls, not to recite policy language.

Rebuild your evidence pack around the client journey

A common mistake is to prepare for an audit by dumping documents into a folder. A better approach is to build evidence as a narrative: for each key control, show what should happen, what did happen, and how you know.

Your evidence pack should map directly to your policies and procedures, and to the risks identified in your BRA. For example, if your BRA identifies higher risk from non-resident clients or certain jurisdictions, you should be able to show how that translates into enhanced measures, approval thresholds, monitoring frequency, and management information.

For file evidence, focus on completeness and decision quality. A file can have every document attached and still be weak if there is no clear rationale for risk rating, no explanation of the business relationship, or no evidence of ongoing monitoring after onboarding. Conversely, there are scenarios where documentation can be proportionate and still defensible, provided the rationale is clear and consistent with your risk-based approach.

Pay close attention to beneficial ownership. Auditors frequently test whether firms identify and verify ownership and control accurately, including complex corporate chains, trusts, nominees, and situations where control is exerted through means other than shareholding. If your process relies heavily on client-provided statements without independent corroboration, assess whether that is appropriate for your risk profile.

Test your controls before the auditor does

Preparation should include internal testing that mirrors what an auditor will do. This is where many firms either overreach or underdeliver.

Overreach happens when teams attempt to review every file, every alert, and every process. That is usually unrealistic and can create noise. Underdelivery happens when firms only check that documents exist, rather than testing whether controls are effective.

A practical middle ground is targeted testing based on risk. Sample higher-risk customers, recently onboarded customers, and cases with exceptions or escalations. Test a spread across teams and channels to detect inconsistency. Where you use automated tools for screening or transaction monitoring, test the configuration, thresholds, and governance over changes. Auditors will want to know who can change rules, how changes are approved, and whether effectiveness is periodically reviewed.

When testing reveals gaps, resist the urge to “patch the file” without recording what happened. Auditors can distinguish remediation from retrospective manufacturing. Fixing deficiencies is positive, but it should be tracked transparently with dates, owners, and reasons.

Make sure your risk assessments are usable, not theoretical

Your BRA and customer risk assessment methodology are often the backbone of the audit. Auditors will check whether your BRA is current, whether it covers relevant risk factors, and whether it drives controls.

If your BRA was last updated because an auditor asked for it, you are exposed. A BRA should be reviewed when business models change: new products, new delivery channels, new geographies, changes in payment rails, changes in customer mix, or regulatory updates. It is acceptable for a BRA to be stable over time, but you should be able to evidence that you reviewed it and concluded no material changes were needed.

The same applies to customer risk scoring. If your scoring produces results that do not match intuition (for example, obviously higher-risk profiles scoring as medium risk), that signals either poor calibration or inconsistent inputs. Auditors often test whether risk ratings are overridden, who approves overrides, and whether the override reasons are sensible and documented.

Check your suspicious activity workflow end-to-end

Audits often uncover issues in escalation and reporting, not because firms ignore suspicious activity, but because processes are unclear or inconsistently applied.

Ensure staff understand internal escalation routes and what “good” looks like when documenting concerns. The MLRO’s decision-making should be evidenced: what information was considered, what additional enquiries were made, whether the decision was to file a report or not, and why. Confidentiality requirements must be respected, but auditors still expect to see a controlled, documented process.

Also review how you manage ongoing monitoring follow-ups. If an alert is closed, can you demonstrate the rationale and the evidence reviewed? If a customer is offboarded for risk reasons, can you show governance approval, communications controls, and any associated reporting decisions?

Get your data, systems and record-keeping audit-ready

Even strong policy frameworks can fail in practice due to systems and record-keeping. Auditors will look for integrity of records, retention practices, and audit trails.

Confirm that you can retrieve complete customer files promptly, including historic versions where relevant. Check that your systems record who did what and when, with the before and after values, particularly for approvals, risk rating changes, and alert closures, and that the trail itself is protected from alteration by the people whose actions it records. If you use multiple systems (for example, one for onboarding, one for screening, and one for case management), ensure the hand-offs are controlled and that your teams can explain how information flows.

Permissions are a frequent weakness. If staff have broader access than needed, if leavers retain access, or if the same person can both take an action and approve it, that raises governance and data protection concerns. It also undermines confidence in the integrity of AML records. Periodic access reviews, tied to your joiner, mover and leaver process, are the evidence to have ready.
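The checks described above (rationale captured on every closure and override, overrides approved by someone other than the actor, no activity from leavers, actions within role) can be run over an export of the audit trail before the auditor does the same by hand. The script below is an added example, not code from the original post or from Complipal; the export schema, field names, roles, threshold and every sample row are constructed assumptions that you would map onto whatever your case-management and HR systems actually emit.

```python
"""Pre-audit checks over audit-trail and access records.

Added example, not code from the original post or from Complipal. The export
format, field names, roles, threshold and sample rows are all constructed
assumptions; map them onto what your case-management and HR systems emit.
"""
from datetime import datetime

# Constructed sample export from a case-management system (assumed schema).
# Each row is one user action with the rationale captured at the time.
AUDIT_EVENTS = [
    {"ts": "2026-01-05T09:12:00", "user": "alice", "action": "alert_close",
     "ref": "ALRT-1001", "approver": None,
     "rationale": "Inbound matches documented salary; sender verified at onboarding."},
    {"ts": "2026-01-06T14:03:00", "user": "bob", "action": "alert_close",
     "ref": "ALRT-1002", "approver": None, "rationale": ""},
    {"ts": "2026-01-07T10:30:00", "user": "carol", "action": "risk_override",
     "ref": "CUST-77", "old": "high", "new": "medium", "approver": "mlro",
     "rationale": "Client now resident locally; EDD completed and filed 2025-12."},
    {"ts": "2026-01-08T11:00:00", "user": "dave", "action": "risk_override",
     "ref": "CUST-78", "old": "high", "new": "low", "approver": None,
     "rationale": "ok"},
    {"ts": "2026-01-09T09:00:00", "user": "mlro", "action": "risk_override",
     "ref": "CUST-79", "old": "medium", "new": "low", "approver": "mlro",
     "rationale": "Account dormant two years with no inbound third-party funds."},
    {"ts": "2026-01-20T16:45:00", "user": "erin", "action": "alert_close",
     "ref": "ALRT-1003", "approver": None,
     "rationale": "Same counterparty already reviewed under ALRT-1001; nothing new."},
]

# Constructed joiner/mover/leaver data (assumed to come from HR or the IdP).
USERS = {
    "alice": {"role": "analyst", "left": None, "active": True},
    "bob":   {"role": "analyst", "left": None, "active": True},
    "carol": {"role": "analyst", "left": None, "active": True},
    "dave":  {"role": "onboarding", "left": None, "active": True},
    "erin":  {"role": "analyst", "left": "2026-01-15", "active": True},
    "mlro":  {"role": "mlro", "left": None, "active": True},
}

# Assumed entitlement model: which actions each role may perform.
ROLE_PERMISSIONS = {
    "analyst": {"alert_close", "risk_override"},
    "onboarding": {"cdd_update"},
    "mlro": {"alert_close", "risk_override"},
}

MIN_RATIONALE_WORDS = 5  # assumed threshold; "ok" is not a rationale


def find_findings(events, users, role_permissions, min_words=MIN_RATIONALE_WORDS):
    """Return (reference, finding) pairs for events an auditor would question."""
    findings = []
    for e in events:
        ref = e["ref"]
        # Every closure or override must carry a usable rationale.
        if len((e.get("rationale") or "").split()) < min_words:
            findings.append((ref, "missing_or_thin_rationale"))
        # Overrides need an approver, and not the person who made the change.
        if e["action"] == "risk_override":
            if not e.get("approver"):
                findings.append((ref, "override_without_approver"))
            elif e["approver"] == e["user"]:
                findings.append((ref, "self_approved_override"))
        user = users.get(e["user"])
        if user is None:
            findings.append((ref, "unknown_user"))
            continue
        # The acting role must be entitled to the action it performed.
        if e["action"] not in role_permissions.get(user["role"], set()):
            findings.append((ref, "action_outside_role"))
        # No activity should post-date the user's leave date.
        if user["left"] and datetime.fromisoformat(e["ts"]) > datetime.fromisoformat(user["left"]):
            findings.append((ref, "activity_after_leave_date"))
    return findings


def stale_accounts(users):
    """Leavers whose accounts are still enabled: a classic access-review failure."""
    return sorted(u for u, info in users.items() if info["left"] and info["active"])


def summarise(findings):
    """Count findings by type so MI can show whether remediation is working."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_findings(AUDIT_EVENTS, USERS, ROLE_PERMISSIONS)
    for ref, kind in found:
        print(f"{ref}: {kind}")
    print("stale accounts:", stale_accounts(USERS))
    print("summary:", summarise(found))
```

On the constructed sample the script flags the empty rationale on ALRT-1002, three problems on CUST-78 (a one-word rationale, no approver, and an onboarding user performing an override), the MLRO approving their own override on CUST-79, and activity from erin five days after her leave date, which also surfaces her still-enabled account. Running the same checks on a monthly cadence, and keeping the output with dates and owners, is the kind of tracked remediation evidence the rest of this article describes.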

Prepare your people for interviews and walkthroughs

Audits are not only document reviews. Auditors will ask staff to walk through processes and explain decisions. This can be where well-designed frameworks break down because teams apply workarounds or have conflicting interpretations.

Run internal walkthroughs with frontline onboarding, compliance operations, and management. Focus on common friction points: when CDD is incomplete, when a customer pushes back on documents, when beneficial ownership is unclear, when screening results are ambiguous, or when there is pressure to onboard quickly.

Be honest about trade-offs. A risk-based approach recognises that you are balancing customer experience, operational capacity and risk management. Auditors do not expect perfection, but they do expect you to know where you have residual risk and to manage it consciously.

Create a remediation plan that shows control, not panic

If you identify gaps during preparation, document them and respond in a structured way. Auditors are generally less concerned by the existence of issues than by weak ownership and slow remediation.

A credible remediation plan has clear priority based on risk, named owners, realistic timelines, and measurable outcomes. If you need interim controls while a system change is pending, record those interim measures and how you will monitor them.

Where remediation affects core controls, update procedures, train staff, and adjust MI so that management can see whether the fix is working. That “closed loop” is a signal of operational resilience.

If you want independent support to pressure-test your readiness, a pre-audit review can help identify gaps early and translate them into implementable actions. This is the type of work Complipal supports as part of broader AML compliance and internal audit engagements, particularly where firms need clarity on what will stand up to regulatory scrutiny.

A final thought to carry into the audit room

Treat the audit as an opportunity to prove that your programme makes consistent, defensible decisions under real-world pressure. When your people can explain the “why” behind controls, and your evidence shows those controls working across the client journey, the audit becomes a confirmation of maturity rather than a scramble for reassurance.