Each agency has its own reg requiring BSA compliance, worded almost exactly the same as the FDIC's 12 CFR 326.8. An excerpt:
(c) Contents of compliance program. The compliance program shall, at a minimum:
(1) Provide for a system of internal controls to assure ongoing compliance;
(2) Provide for independent testing for compliance to be conducted by bank personnel or by an outside party;
(3) Designate an individual or individuals responsible for coordinating and monitoring day-to-day compliance; and
(4) Provide training for appropriate personnel.
(Approved by the Office of Management and Budget under control number 3064-0087)
[Codified to 12 C.F.R. § 326.8]
The regulation says the BSA compliance program has to provide for independent testing. The examiners have been applying that to mean the person(s) doing the testing cannot be involved in any way in implementing any other aspect of the program, such as writing the BSA policies/procedures, performing BSA training of personnel, performing any BSA-related tasks, etc.
This is an excerpt from the new BSA/AML Examination Manual the regulators are using:
"Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing at least annually. Banks that do not employ outside auditors or consultants or have internal audit departments may comply with this requirement by using qualified persons who are not involved in the function being tested. The persons conducting the BSA/AML testing should report directly to the board of directors or to a designated board committee comprised primarily or completely of outside directors.
Those persons responsible for conducting an objective independent evaluation of the written BSA/AML compliance program should perform testing for specific compliance with the BSA, and evaluate pertinent management information systems (MIS). The audit should be risk based and evaluate the quality of risk management for all banking operations, departments, and subsidiaries. Risk-based audit programs will vary depending on the bank's size, complexity, scope of activities, risk profile, quality of control functions, geographic diversity, and use of technology. An effective risk-based auditing program will cover all of the bank's activities. The frequency and depth of each activity's audit will vary according to the activity's risk assessment. Risk-based auditing enables the board of directors and auditors to use the bank's risk assessment to focus the audit scope on the areas of greatest concern. The testing should assist the board of directors and management in identifying areas of weakness or areas where there is a need for enhancements or stronger controls.
Independent testing should, at a minimum, include:
An evaluation of the overall integrity and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes.
A review of the bank's risk assessment for reasonableness given the bank's risk profile (products, services, customers, and geographic locations).
Appropriate transaction testing to verify the bank's adherence to the BSA recordkeeping and reporting requirements (e.g., CIP, SARs, CTRs, and CTR exemptions, information sharing requests).
An evaluation of management's efforts to resolve violations and deficiencies noted in previous audits and regulatory examinations, including progress in addressing outstanding supervisory actions, if applicable.
A review of staff training for adequacy, accuracy, and completeness.
A review of the effectiveness of the suspicious activity monitoring systems (manual, automated, or a combination) used for BSA/AML compliance. Related reports may include, but are not limited to:
Suspicious activity monitoring reports.
Large currency aggregation reports.
Monetary instrument records.
Funds transfer records.
Nonsufficient funds (NSF) reports.
Large balance fluctuation reports.
Account relationship reports.
An assessment of the overall process for identifying and reporting suspicious activity, including a review of filed or prepared SARs to determine their accuracy, timeliness, completeness, and effectiveness of the bank's policy.
Auditors should document the audit scope, procedures performed, transaction testing completed, and findings of the review. All audit documentation and workpapers should be available for examiner review. Any violations, policy or procedures exceptions, or other deficiencies noted during the audit should be included in an audit report and reported to the board of directors or a designated committee in a timely manner. The board or designated committee and the audit staff should track audit deficiencies and document corrective actions."
Finally, I must respectfully disagree with one aspect of joker's post above. I believe the regulators would take exception to anyone involved in BSA doing the independent testing, even in a very small bank. The regulators would expect a very small bank to outsource, if necessary, IMO.