CORPORATE GOVERNANCE AND THE AUDIT FUNCTION (20%)
1.1 Roles and responsibilities of the third line of
defense (e.g., definition of assurance; conflicts
of interest in audit; delineation between the
third and second and first lines of defense/
independent testing vs. quality assurance;
relationship with regulators, management,
and the Board of Directors; independence and
aspects that can jeopardize independence)

1.2 International bodies, organizations, and key
documents related to AML audit (e.g., FATF,
OFAC, FFIEC, European Directive on AML,
UK JMLSG and Wolfsberg Principles on Risk
Assessment/Sanctions Screening)

1.3 AML program governance structure including,
but not limited to, reporting lines, committees,
training, oversight of outsourced functions
in-house, to other departments (e.g., Client
Onboarding), or to a third-party (e.g., a vendor
performing sanctions screening on behalf of the
institution)

1.4 Factors that trigger an audit (e.g., mandated
by legislation/regulator, cyclic, one-off,
implementation of a new AML system/solution;
new legislation; factors that trigger an audit vs.
factors that trigger an assurance review)

1.5 Stages of an AML audit process (e.g.,
preparation planning/scoping, fieldwork/testing,
recommendations, reporting, and post-report
tracking and validation)

1.6 Differences and similarities between internal and
external auditing (e.g., internal audit function
vs. external audit firm, relationship between the
external auditor and the institution, relationship
between the internal auditor and external
auditor)

1.7 Types of audit approaches (e.g., risk-based,
proportionate, continuous) and the execution
of horizontal, vertical, thematic and project/
program reviews

1.8 Audit documentation process (e.g., documenting
an audit work program/plan; identification
of relevant stakeholders; specifying audit
objectives; the risks and the mitigation)

1.9 Emerging risks from new typologies (e.g.,
FinTech, cyber, cryptocurrency), new regulatory
guidance/requirements, and new technologies/
practices (e.g., artificial intelligence, machine
learning)

1.10 Computer Assisted Audit Technologies (CAATS;
e.g. data warehouses, dashboards, management
information systems (MIS))

1.11 Continuous business monitoring as part of the
third line of defense’s assurance (e.g., regular
discussions with Compliance on AML trends and
horizon risks)

PLANNING AND SCOPING (25%)
2.1 Types of evidence supporting the testing
strategy (e.g., policies, procedures, client profile
documentation such as KYC/CDD/EDD),
identification of which units to audit, the audit
time-scope, and appropriate data gathering
techniques during the audit (e.g., interviews,
documentation, walkthroughs, process-maps,
surveys)

2.2 The role of policies and procedures in informing
the audit plan

2.3 Audit risk assessment, types of audit (e.g.,
Front Office, Compliance, IT (for systems,
data), Operations, Change Management), risk
assessment methodologies (top-down and
bottom-up), and procedures associated with
defining the scope

2.4 Role of the AML risk assessment (i.e., as
conducted by the second line) in informing
audit planning and scoping (e.g., key audit
considerations in AML risk assessment and
evaluation of its effectiveness in assessing the
risks and mitigating controls)

2.5 Financial crime risks associated with different
sectors/industries, products and services, policies
and procedures, and customer types and how to
assess them

2.6 Components of AML risk mitigation (i.e.,
Identification & Verification Risk, Detection &
Monitoring Risk, Compliance Risk, Regulatory/
Prior Audit Risk)

2.7 Types of sampling methodology (e.g.,
judgmental, risk-based, quantitative) and factors
to consider when selecting a sample (e.g., size/
nature of the population, number of newlyonboarded customers, PEPs, high-risk customers,
degree of control, risk level)

2.8 How to incorporate regulatory examination
findings, provisions from enforcement actions,
and other assessments (e.g., outcomes of past
audits, results of consulting engagements,
internal reports if conducting an external audit)
from the monitoring/validation process

2.9 Methodology used to determine the quantitative
and qualitative dimensions of risk appetite, how
metrics are monitored (e.g., KPI’s and KRI’s)
against Board-approved risk appetite thresholds,
and actions that can be taken to mitigate
financial crime risk

FIELDWORK AND EVALUATION (40%)
3.1 Definition of design effectiveness and operating
effectiveness

3.2 How to evaluate the design of the AML risk
assessment (e.g., methodology), and the results
of the AML risk assessment

3.3 How to evaluate the design effectiveness of AML program policies/procedures (i.e., gap analysis; currency and clarity of the policies/procedures)

3.4 How to evaluate the operating effectiveness of
each element of an AML program (e.g., CIP and
KYC/EDD, SAR/STR/CTR processes, Sanctions
screening, transaction monitoring, staff training,
staff qualifications)

3.5 How to assess the design and operating
effectiveness of the customer risk rating
methodology (e.g., whether customers are
accurately identified and appropriately riskrated)

3.6 Controls governing AML programs (e.g., the
characteristics of effective controls— the “who”,
“what”, and “when”), and procedures for testing/
assessing the design of a control and reviewing
the results of a control tested during the audit
scope period

3.7 Elements of model risk management (MRM; e.g., screening systems model, transaction monitoring model, customer risk rating), regulatory
expectations, their application to AML programs,
and how to assess relevant models

3.8 How to evaluate the design and development of
AML systems and solutions (e.g for transaction
monitoring, name/transaction screening),
including determinants/indicators of data quality
and lineage (e.g., how to assess data at rest and
in transit)

3.9 Record-keeping (e.g., CDD records, transaction
data and advices, and copies of traveler’s
checks, bank drafts, and cashier’s checks) and
record retention (e.g., what information needs to
be captured by an institution and for how long it
needs to be retained)

3.10 The steps to a root cause analysis for issues
identified, including repeat issues IV.

REPORTING, RECOMMENDATIONS, AND FOLLOW-UP (15%)
4.1 How to document the testing methodology
and results in the audit work papers (e.g., how
to ensure exceptions are properly identified,
retaining supporting evidence for the audit
planning and fieldwork)

4.2 How to determine the level of risk of findings,
including self-identified issues (i.e., low risk/
medium risk/high risk; severity and likelihood)
and distinguish between material and immaterial
findings to make recommendations addressing
root causes and the risk

4.3 Communicating audit results (e.g., relevant
stakeholders, what to communicate and when,
elements of an audit report, how to conduct an
exit/close meeting)

4.4 How to monitor the status of remedial actions,
and ensure completion of the committed
actions, including exception approval processes
for extensions of target dates

4.5 How to design and test a follow-up strategy to
ensure closure of committed actions based on
audit findings