Copyright © COMPLIPAL all rights reserved.
What Should an AML Audit Cover?
An AML audit rarely fails because a policy is missing. More often, it fails because the firm can show documented intent but not consistent execution. That is why a useful answer to the question of what an AML audit should cover goes beyond checking whether procedures exist. It should assess whether the AML framework is risk-based, operationally effective and capable of standing up to regulatory scrutiny.
For compliance officers, MLROs (money laundering reporting officers) and senior management, that distinction matters. A technically complete policy set will not offset weak onboarding decisions, inconsistent monitoring or poor escalation records. An effective audit needs to test the parts of the programme where regulatory exposure and reputational damage actually arise.
What should an AML audit cover in practice?
At a practical level, an AML audit should cover governance, the business risk assessment, customer due diligence, transaction monitoring, suspicious activity reporting, screening, record-keeping, training and the quality of management information. Just as importantly, it should test whether these elements work together.
A narrow audit can create false comfort. For example, reviewing customer files without testing the risk methodology behind them may miss a deeper control weakness. Equally, checking alerts without understanding resourcing, escalation routes and quality assurance can overlook why issues are recurring. The strongest audits are structured around the end-to-end control environment, not isolated documents.
Governance and accountability
The starting point is governance. An AML audit should examine who owns the framework, how responsibilities are allocated and whether senior management receives enough information to exercise proper oversight.
This includes the role of the board, the MLRO, compliance, operations and the first line. In some firms, accountability appears clear on paper but becomes blurred in practice, particularly where onboarding, sanctions screening and ongoing monitoring sit across different teams or jurisdictions. An audit should assess whether decision-making authority is documented, understood and consistently applied.
It should also consider whether AML reporting to senior management is meaningful. Metrics that count completed reviews or training attendance have some value, but they do not necessarily show control effectiveness. More useful indicators include overdue reviews, alert backlogs, high-risk customer volumes, quality assurance results and themes emerging from internal escalations.
The business risk assessment
A credible AML audit must scrutinise the business risk assessment, because every downstream control depends on it. If the firm has misjudged its exposure by customer type, geography, products, delivery channels or counterparties, the rest of the programme may be built on weak assumptions.
The audit should examine whether the assessment reflects the actual business model and current client base. It should also test whether the stated risks drive practical outcomes. A business risk assessment that identifies elevated exposure in non-face-to-face onboarding, for instance, should be matched by stronger verification controls, enhanced review triggers and clear management oversight.
This is an area where many audits need more depth. It is not enough to confirm that the document exists and has been approved. The audit should challenge whether it is current, evidence-based and linked to the control framework. If not, firms can end up applying a nominally risk-based approach that is actually generic.
Customer due diligence and onboarding controls
CDD is usually where operational weaknesses become visible first. An AML audit should review how customers are classified, what evidence is collected, how beneficial ownership is verified and whether source of funds and source of wealth requirements are applied proportionately.
The key word is proportionately. A good audit does not expect enhanced due diligence on every customer, but it should test whether the rationale for standard, simplified or enhanced treatment is sound. It should also look at exceptions. Where files are approved with missing information, time-limited waivers or unresolved adverse media, the audit should assess whether these decisions are controlled and defensible.
Onboarding quality is not just about document completeness. It is about whether the firm can explain why the customer fits its risk appetite and whether the information gathered supports that judgement. In higher-risk sectors, an audit should also review go/no-go decision-making and whether commercial pressure is influencing control outcomes.
Screening, monitoring and ongoing review
Sanctions and PEP (politically exposed person) screening should form part of the audit scope, but not as a standalone technical exercise. The audit should examine list management, screening logic, false positive handling, escalation routes and evidence of resolution. Weaknesses here often sit in process design rather than software capability.
Ongoing monitoring deserves equal attention. This includes transaction monitoring where relevant, but also periodic reviews, trigger events and changes in customer behaviour. A firm may perform screening correctly at onboarding and still fail to detect material risk if ongoing controls are infrequent, poorly calibrated or operationally delayed.
It also matters whether review cycles reflect risk. If high-risk customers are not reviewed more frequently than low-risk ones, the framework may not be genuinely risk-based. Equally, if teams are closing alerts quickly but without enough investigation, headline productivity can conceal poor-quality control execution.
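The two tests in the preceding paragraph (review cadence that tightens with risk, and alerts closed quickly without a recorded rationale) are the kind of indicators an auditor can compute directly from an export of the customer register and the alert queue rather than infer from a handful of files. The following script is an added illustration written for this page; it is not code from the article or from any vendor tool. All records are constructed, and the review-interval limits per tier, the ten-minute closure threshold and the forty-character note length are assumptions chosen for the example, not regulatory figures: a real test would take them from the firm's own procedures.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import median

# Assumed maximum review interval per risk tier (days). These are example
# settings, not values from the article; use the firm's own policy in practice.
MAX_REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 1095}


@dataclass(frozen=True)
class Customer:
    customer_id: str
    risk_tier: str        # "high", "medium" or "low"
    last_review: date     # date of the last completed periodic review
    edd_complete: bool    # enhanced due diligence on file (expected for "high")


@dataclass(frozen=True)
class Alert:
    alert_id: str
    analyst: str
    opened: datetime
    closed: datetime
    note: str             # closure rationale recorded by the analyst


# Constructed sample records for the example; not real customers or alerts.
CUSTOMERS = [
    Customer("C001", "high", date(2026, 1, 10), True),
    Customer("C002", "high", date(2025, 1, 15), False),    # overdue, EDD missing
    Customer("C003", "medium", date(2025, 9, 1), False),
    Customer("C004", "low", date(2024, 6, 1), False),
    Customer("C005", "medium", date(2024, 11, 30), False),  # overdue
]

ALERTS = [
    Alert("A1", "ana", datetime(2026, 5, 4, 9, 0), datetime(2026, 5, 4, 9, 3), "dup"),
    Alert("A2", "ana", datetime(2026, 5, 4, 9, 10), datetime(2026, 5, 4, 9, 12),
          "Amount and counterparty match the customer's standing order profile; no further action."),
    Alert("A3", "ben", datetime(2026, 5, 4, 10, 0), datetime(2026, 5, 4, 11, 30),
          "Counterparty is the customer's documented payroll provider; pattern matches "
          "expected monthly activity. Evidence: onboarding file section 4."),
    Alert("A4", "ana", datetime(2026, 5, 4, 9, 20), datetime(2026, 5, 4, 9, 21), "false positive"),
]

AS_OF = date(2026, 6, 1)   # assumed audit reference date


def overdue_reviews(customers, as_of=AS_OF, limits=MAX_REVIEW_INTERVAL_DAYS):
    """Customer ids whose last periodic review is older than their tier allows."""
    return sorted(c.customer_id for c in customers
                  if (as_of - c.last_review).days > limits[c.risk_tier])


def high_risk_without_edd(customers):
    """High-risk customers approved without enhanced due diligence on file."""
    return sorted(c.customer_id for c in customers
                  if c.risk_tier == "high" and not c.edd_complete)


def cadence_is_risk_based(customers, as_of=AS_OF):
    """True when the median age of the last review falls as the risk tier rises."""
    ages = {}
    for c in customers:
        ages.setdefault(c.risk_tier, []).append((as_of - c.last_review).days)
    medians = [median(ages[t]) for t in ("high", "medium", "low") if t in ages]
    return all(a <= b for a, b in zip(medians, medians[1:]))


def thin_closures(alerts, max_minutes=10, min_note_chars=40):
    """Alerts closed within max_minutes AND with a rationale shorter than min_note_chars.
    Fast closure alone is not a finding; a fast closure with no recorded reasoning is."""
    return sorted(a.alert_id for a in alerts
                  if a.closed - a.opened <= timedelta(minutes=max_minutes)
                  and len(a.note.strip()) < min_note_chars)


def thin_closure_rate_by_analyst(alerts, **thresholds):
    """Share of each analyst's alerts that were thin closures (assumed QA indicator)."""
    flagged = set(thin_closures(alerts, **thresholds))
    totals, hits = {}, {}
    for a in alerts:
        totals[a.analyst] = totals.get(a.analyst, 0) + 1
        hits[a.analyst] = hits.get(a.analyst, 0) + (a.alert_id in flagged)
    return {an: hits[an] / totals[an] for an in sorted(totals)}


if __name__ == "__main__":
    print("Overdue reviews:", overdue_reviews(CUSTOMERS))
    print("High-risk without EDD:", high_risk_without_edd(CUSTOMERS))
    print("Review cadence risk-based:", cadence_is_risk_based(CUSTOMERS))
    print("Thin closures:", thin_closures(ALERTS))
    print("Thin closure rate by analyst:", thin_closure_rate_by_analyst(ALERTS))
```

The cadence check compares medians across tiers rather than individual files, so a single overdue low-risk customer does not mask a high-risk population that is reviewed no more often than the low-risk one; the closure check deliberately combines speed with note length, because speed by itself is exactly the headline productivity figure the paragraph warns can conceal poor investigation.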
Suspicious activity reporting and escalation
Any answer to the question of what an AML audit should cover must include internal suspicion reporting and external reporting obligations. This is one of the clearest indicators of AML maturity because it tests staff awareness, escalation discipline and the independence of the MLRO function.
The audit should review whether staff know when and how to escalate concerns, whether internal reports are documented properly and whether the MLRO’s decision-making is timely and reasoned. It should also assess confidentiality controls, record-keeping and whether the business can demonstrate that decisions not to report externally were justified.
Trade-offs matter here. A high number of internal reports is not always evidence of a healthy culture, and a low number is not always a weakness. Context is everything. The audit should consider the nature of the business, customer base, transaction profile and prior incidents before drawing conclusions.
Policies, procedures and regulatory alignment
Policies still matter, but they should be reviewed as working documents rather than formalities. An AML audit should assess whether procedures reflect current legal and regulatory obligations, actual business operations and the firm’s own risk appetite.
The gap between policy and practice is often where findings arise. A procedure may require enhanced due diligence for specific scenarios, but file testing may show inconsistent interpretation by onboarding teams. Alternatively, the policy may be technically correct but too vague to support consistent decisions. In both cases, the issue is not merely documentation quality. It is control usability.
For firms operating in evolving regulatory environments, the audit should also consider how change is tracked and implemented. There should be a clear process for horizon scanning, impact assessment, policy updates and communication to relevant teams.
Training, competence and control culture
Training should not be treated as a tick-box exercise. An AML audit should examine whether training is role-specific, current and capable of improving judgement where staff make risk-based decisions.
Generic annual modules may satisfy a minimum requirement, but they rarely address the nuances that matter in practice. Front-line onboarding staff, investigators, relationship managers and senior management need different levels of detail. The audit should test whether training content reflects actual risks faced by the business and whether staff can apply it.
Culture is harder to audit, but not impossible. Escalation behaviour, quality assurance results, override patterns and management challenge all reveal whether compliance is embedded or simply documented. This is often where an experienced audit adds the most value, because surface-level testing can miss the operational signals of a control environment under strain.
Record-keeping, testing and audit evidence
A defensible AML framework depends on evidence. The audit should review whether records are complete, accessible and retained in line with legal requirements. That includes customer identification data, screening results, review notes, internal escalations, SAR (suspicious activity report) documentation, approvals and the rationale for risk decisions.
It should also look at quality assurance and prior remediation. If previous findings have been raised, were they addressed properly or merely closed administratively? Repeated issues often point to weak root-cause analysis, insufficient ownership or unrealistic implementation planning.
An effective AML audit does not stop at identifying gaps. It should distinguish between isolated file errors, process design flaws and governance weaknesses. Those are different problems, and they require different responses.
What good audit output looks like
The final report should give management a clear view of control effectiveness, not a dense inventory of observations. Findings should be prioritised by risk, tied to business impact and supported by practical recommendations.
That means explaining not only what is wrong, but why it matters and what improvement would look like. For some firms, the right recommendation is stronger documentation. For others, it is a redesign of workflows, ownership or risk methodology. The best audit reporting supports decision-making and strengthens accountability across the business.
For organisations looking to build audit-ready AML programmes, that is the standard worth aiming for. A well-scoped audit should leave you with more than assurance. It should leave you with a clearer, more resilient control framework and fewer unpleasant surprises when the regulator asks harder questions.