Managing an Effective BSA/AML Audit Program

Presented by
Laura Goldzung, CAMS, CFE, CFCS, CCRP
AML Audit Services, LLC
June 17, 2015

Key Drivers of BSA/AML Compliance Program
AML Risk Assessment
• Qualifies and quantifies the money laundering risks associated with the business lines-business entities, products-services, customers and geographies served, as well as other risk factors
• Establishes AML resources and program priorities
• Influences the nature, scope and frequency of transaction monitoring
• Informs appropriate training
• Informs audit/testing

Key Controls of BSA/AML Compliance Program
• Management Oversight
• Written Policies and Procedures
• Internal Controls
• Customer Identification Program (CIP)
• Transaction Monitoring & BSA Reporting
• Training for Appropriate Personnel
• Independent Testing
• OFAC Compliance

Independent Testing
• Can be performed by internal or external audit or other independent qualified parties
• Should use a risk-based approach to cover all aspects of the AML program
• Should report directly to the Board of Directors or senior management
• All testing & audit documentation must be available for review by the examiners (work papers)

Regulatory Expectations for Independent Testing
• Qualified & Independent
• Frequency – Dependent on Regulator/SRO (12-18 mo.)
• Assessment of:
  o Risk Assessment
  o Training
  o Monitoring Systems
  o Reporting & Recordkeeping
  o Resolution of deficiencies
• Risk-based transactions testing of:
  o Policies, procedures, and processes
  o Record keeping and reporting
  o MIS
  o High-risk operations
• Reports to the board of directors or senior management
• Tracking & Resolution

Audit Program Minimum Requirements
• Governance and oversight of the AML program
• Written AML policies and procedures
• AML risk assessment methodology
• CIP/KYC policies and procedures
• Training
• Suspicious activity identification, escalation and reporting
• Transaction monitoring
• BSA Reporting
• Recordkeeping and retention

Audit Considerations
• Ensure that proper documentation exists to support the risk assessments that were performed
• It must be clear how the risk assessment is aligned with and drives the AML program
• Ensure that proper documentation exists in the KYC area, and that all necessary details are being captured to support transaction monitoring efforts

Elements of an Effective Audit Program
• Appropriate for the FI’s risk profile
• Covers all applicable regulations and guidance
• Effective discovery, scoping and planning
• Ensures appropriate testing and sample size
• Plan covers all appropriate areas
• Work is properly documented
• Work papers are well-organized

Elements of an Effective Audit Program − Continued
• Conclusions are well supported
• Exceptions are communicated effectively
• Violations are identified and risks explained
• Includes appropriate corrective actions
• Ensures previous corrective actions documented
• Results are timely communicated to senior management

Key Auditable Elements: Policies & Procedures
• Senior management approved program
• Contains updated regulatory requirements
• Contains and describes internal controls
• Comprehensive & tailored to the business model
• Stated AML Policy
• Describes management oversight

Key Auditable Elements: CIP/KYC
Identifies key risks and controls
• Written Customer Identification Program & Verification procedures / implementation
• Sufficiently documented risk-based customer due diligence and applicable enhanced due diligence
• Mitigation tactics and system for monitoring high risk customers
• Past findings / corrective actions taken
• Systemic issues, if present

Key Auditable Elements: Suspicious Activity Process
• Clearly stated escalation processes
• Timely SAR filings
• Quality of SAR narratives
• Actions taken following reporting
• Rationale for non-filings with investigative files
• Sufficient investigative due diligence and documentation
• Experience of analysts

Key Auditable Elements: Transaction Monitoring
• Verifying periodic system testing and validation documentation
• Monitoring tools
• Process for disposition of alerts
• Documentation for the closing of alerts
• Sufficiency of resources
• Documentation of compliance monitoring

Key Auditable Elements: AML Training
• Comprehensiveness of training
• Training mapped to regulations and business model
• New hire vs. refresher training
• Targeted to job function
• Frequency / Methodology
• Documented content
• LMS / Tracking timeliness, record keeping
• Attendance Records, Tracking
• Senior Management & BoD Training

Key Auditable Elements: Independent Testing
• Qualified and Independent
• Risk-based scope and plan
• Transactions tested (transparent)
• Quality reporting
• Corrective actions / systemic issues identified
• Action plan / risk-based timely resolution

Risk Assessment Common Deficiencies
• Risk assessments not performed or documented
• Did not incorporate all lines of business or entities
• Did not consider all major risk categories
• Policies did not specify frequency of updates
• No methodology for assigning risk rankings
• Policies and procedures not commensurate with institution’s risk profile

Independent Audit Common Deficiencies
• Performed by unqualified professionals
• Inadequate testing / sampling
• Not conducted commensurate with risk profile
• Deficient scoping / frequency
• Insufficient documentation and workpapers
• Lacking overall conclusion on adequacy of program

QUESTIONS & ANSWERS
CONTACT INFORMATION
Laura Goldzung, CAMS, CFE, CFCS, CCRP
President & Founder
AML Audit Services, LLC
T: 800-870-8076 | C: 973-229-4275
info@amlauditservices.com
AMLAuditservices.com