Prepare for an AML audit

AML compliance visits are official reviews carried out by your supervisory authority to ensure your firm is meeting its obligations under the Money Laundering Regulations (MLR 2017). These visits may be in-person or remote, and assess how well your AML policies, procedures, and controls are implemented in practice. All firms supervised under MLR 2017 should expect to be reviewed on a cycle based on assessed risk.

Why it matters

Failing to prepare properly for a compliance visit can create significant problems. If shortcomings are identified, your firm may need to implement a remediation plan under tight deadlines, diverting valuable time and resources. In more serious cases, it could lead to increased scrutiny, reputational damage, or financial penalties. Being well-prepared helps demonstrate to your supervisor that you take your responsibilities seriously and that AML is built into your firm’s day-to-day operations.

How to prepare

Know your supervisor. Your firm may be supervised by a professional accountancy body or HMRC. Supervisors are responsible for reviewing your AML practices and may request documentation at any time, including your firm-wide risk assessment (FWRA), client files, SARs, and training records.

Supervisors can legally require you to:

  • Provide AML documents and data
  • Attend interviews
  • Share submitted SARs

You should retain SARs securely and ensure documentation is accessible if requested.

Prepare the right documentation. The following are key areas of focus during an AML compliance visit:

  • Firm-wide risk assessment (FWRA)
    Your FWRA must be current, well-documented, and linked clearly to your firm’s AML procedures. Some supervisors request it annually.
  • Policies, procedures and controls
    These should be up to date, tailored to your firm, and accessible to all relevant staff. You’ll also need evidence that they’re actively followed in practice.
  • CDD and ongoing monitoring
    Supervisors will expect to see:
    • Client ID verification records
    • Documented client risk assessments
    • Register discrepancy checks (e.g. PSC discrepancies)
    • Ongoing monitoring evidence where required
  • Training records
    All relevant employees must receive AML training. You’ll need to show what was delivered, when, and who attended. This may form part of CPD records.
  • Approval of BOOMs (beneficial owners, officers, managers)
    You must ensure that any appointed BOOMs have been approved by your supervisory authority. Evidence of DBS checks may be required.
  • SARs and internal suspicion handling
    Supervisors may ask to review submitted SARs and understand how internal suspicions are raised and assessed. Keeping an internal record helps support your rationale.
  • Internal compliance reviews
    Regulation 19 requires regular internal reviews of your AML compliance. While smaller firms may not need an independent audit function, all firms must monitor how well their AML procedures are working.

Know what happens after the visit. Your firm will be graded (compliant, generally compliant, or non-compliant). If you’re asked to create a remediation plan:

  • Respond within the timeframe set
  • Be transparent about delays
  • Share findings with staff
  • Consider external help if necessary

Tips to prepare well

  • Keep AML documentation up to date year-round
  • Record decisions clearly, especially client risk assessments
  • Store training records and SARs securely but accessibly
  • Review and test your compliance procedures periodically

Summary

AML compliance visits are part of every firm’s supervisory cycle. The best preparation is to treat compliance as ongoing—not something to scramble for when a visit is scheduled. By maintaining strong documentation, monitoring your systems, and engaging positively with your supervisor, your firm can reduce the stress of an inspection and show it takes AML seriously.

This article was summarised by the Firmcheck content team. The original content was written by an independent AML expert and is available on our blog.
