The importance of an effective independent review, an original component of the BSA/AML Compliance Program, cannot be overstated.

• An effective audit is valued by regulators in identifying and monitoring a bank's specific risks and by assessing how those risks are managed and controlled. Effective audits will assist examiners in determining the BSA/AML examination scope and in identifying areas requiring less review.
• The FFIEC BSA/AML Examination Manual provides details regarding the BSA/AML Compliance Program, states minimum areas to be covered by the independent audit, and addresses limiting transaction testing to the independent review.
• Independent testing (audit) assists the bank's board of directors and senior management by identifying areas of weakness or matters requiring stronger controls. The audit should be risk-based and will vary depending on the bank's size, complexity, risk profile, quality of control functions, geographic diversity, and use of technology. By incorporating the bank's BSA/AML Risk Assessment into the independent testing process, the audit program can be more effectively tailored to cover all of the bank's activities.
  • Independent testing of the BSA/AML Compliance Program should be conducted by the internal audit department, outside auditors, consultants, or other qualified persons that are independent of the BSA/AML function.
  • If the audit is being performed by an outside party, a contract or engagement letter should be agreed upon that outlines responsibilities and duties. Contracts typically include provisions stating that audit reports are property of the bank, authorized employees will have reasonable and timely access to workpapers, and that the bank will be provided copies of related workpapers, as the bank deems necessary. Further, such agreements should grant examiners access to all workpapers and other materials prepared in the course of the audit.