ACTION AUDIT

Auditing Your AML Program
Putting the program in place is only the beginning. Now you have to run it and audit it. Even though the program is new, it is already time to think about evaluating your performance. John Atkinson, BSA expert with the Federal Reserve Bank of Atlanta, gave ABA's Anti-Money Laundering conference attendees a blueprint for audits.

First, decide why you are auditing. In the context of risk management and the responsibility to develop a risk-based CIP, Atkinson recommends looking at anti-money laundering in the context of operational risk. You have looked at legal risk and other types of risk in the development of the program. Now make sure it works - the operational side.

Examiners, in using a risk-based process to evaluate your AML program, will look to the effectiveness of your audit, and the independence, to determine the extent to which they can rely on your internal controls.

Who should conduct the audit may depend on the appropriate scope of audit, complexity of the program and the organization, and available resources. Factors to consider in arranging the audit include recent changes in the organization and the nature of any problems or concerns.

Make sure your audit program avoids the weaknesses that examiners often see. These weaknesses often result from the institution placing insufficient resources in compliance and audit - two cost centers. Expansion and growth have a high correlation with audit and compliance weaknesses simply because the institution has not placed sufficient effort on these areas. BSA audits are detailed and time-consuming. However, they are the best way to identify weaknesses in the program. Atkinson is particularly concerned that audits give insufficient attention to transaction testing and a careful review of aggregation as possible structuring. This part of the audit is essential to know whether the BSA program is working.

Finally, be sure there are work papers that provide clear documentation of the audit. Examiners will ask to see them.

Your audit goals should be

to validate internal controls. The audit enables your institution to attest to the effectiveness of internal controls.
to detect weakness and vulnerabilities.
to validate the integrity of your MIS.
to ensure consistency across the organization.
to confirm the effectiveness of required elements of the AML program.

Key audit elements

independence of the auditors from the functions and decisions in the program.
competence of people doing the audit.
setting the scope and elements of the audit using risk analysis.
transaction testing - critical to determining whether policy is being followed.
full documentation and evaluation, including reports to management.
management response to demonstrate that the institution closes the loop on shortcomings.
follow-up, which is always key to any findings - yours or the examiners'.

Common audit weaknesses include

lack of independence
lack of qualified auditors
limited transaction testing
insufficient scope in the audit, failing to cover the entire organization or all types of transactions.
not using risk to focus the audit
limited, if any, evaluation of training
weak assessment of account monitoring and the SAR process
no OFAC coverage in the audit (and OFAC must be covered somewhere)
limited review of transaction structuring